Logical vs Physical AD Structre

advertisement
Concepts
• Active Directory Domain Services (AD DS)
• Logical structure
• Physical structure
• Organizational units
• Delegation of control
• Groups
Active Directory Domain Services
Logical Structure
• Forest; Tree; Domain; Organizational Unit; Groups
Physical Structure
• Physical layout of your domain which can determine replication
• Multiple sites (remote offices)
• Multiple domain controllers (DCs)
• How Replication occurs
• Replication of updates to Active Directory objects are transmitted between multiple
domain controllers to keep replicas of directory partitions synchronized. Multiple
domains are common in large organizations, as are multiple sites in disparate
locations. In addition, domain controllers for the same domain are commonly placed
in more than one site.
• HUH?
• Replication makes sure that all DCs have an “up to date” copy of the Active
Directory database
Active Directory Domain Services
Replication can be managed through Active Directory Sites and Services
Active Directory Domain Services
• By default, replication occurs every 180
minutes.
• Replication can be forced between DC’s
• Replication schedule can be modified
• Large domains should have regular
replication
•
Many changes within the domain
• Small (static) domains do not require a high
frequency of replications
•
Very little change on the domain
Active Directory Domain Services
Active Directory Domain Services
Active Directory replication topology has the following dependencies:
• Routable IP infrastructure. The replication topology is dependent upon a
routable IP infrastructure from which you can map IP subnet address ranges to
site objects. This mapping generates the information that is used by client
workstations to communicate with domain controllers that are close by, when
there is a choice, rather than those that are located across WAN links.
• DNS. The Domain Name System (DNS) resolves DNS names to IP addresses.
Active Directory replication topology requires that DNS is properly designed
and deployed so that domain controllers can correctly resolve the DNS names
of replication partners.
• DNS also stores service (SRV) resource records that provide site affinity
information to clients searching for domain controllers, including domain
controllers that are searching for replication partners. Every domain controller
registers these records so that they can be located according to site.
Active Directory Domain Services
Active Directory replication topology has the following dependencies(cont):
• Net Logon service. Net Logon is required for DNS registrations.
• Remote Procedure Call (RPC). Active Directory replication requires IP
connectivity and RPC to transfer updates between replication partners within
sites
• Inter-site Messaging. Inter-site Messaging is required for SMTP intersite
replication and for site coverage calculations
Active Directory Domain Services
Domains
Domains are units of replication. All of the domain controllers in a particular
domain can receive changes and replicate those changes to all other domain
controllers in the domain. Each domain in Active Directory is identified by a
Domain Name System (DNS) domain name and requires one or more
domain controllers.
One or more domains that share a common schema and global catalog are
referred to as a forest. The first domain in a forest is referred to as the forest
root domain.
A single domain can span multiple physical locations or sites and can contain
millions of objects. Site structure and domain structure are separate and
flexible. A single domain can span multiple geographical sites, and a single
site can include users and computers belonging to multiple domains.
Active Directory Domain Services
A domain provides several benefits:
Organizing Objects
Using organizational units helps you manage the accounts and resources in the
domain. You can then assign Group Policy settings and place users, groups, and
computers into the organizational units. Using a single domain greatly simplifies
administrative overhead.
Publishing resources and information about domain objects
A domain stores only the information about objects located in that domain, so by
creating multiple domains, you are partitioning or segmenting the directory to
better serve a disparate user base. When using multiple domains, you can scale
the Active Directory service to accommodate your administrative and directory
publishing requirements
Applying a Group Policy object to the domain consolidates resource and security
management
A domain defines a scope or unit of policy. A Group Policy object (GPO) establishes
how domain resources can be accessed, configured, and used. These policies are
applied only within the domain and not across domains
Active Directory Domain Services
A domain provides several benefits:
• Delegating authority eliminates the need for a number of administrators with
broad administrative authority.
Using delegated authority in conjunction with Group Policy objects and group
memberships enables you to assign an administrator rights and permissions to
manage objects in an entire domain or in one or more organizational units
within the domain.
• Security policies and settings (such as user rights and password policies) do not
cross from one domain to another.
Each domain has its own security policies and trust relationships with other
domains. However, the forest is the final security boundary.
• Each domain stores only the information about the objects located in that
domain.
By partitioning the directory this way, Active Directory can scale to very large
numbers of objects.
How many domains?
Simple is best – use one if you can
Plus
• Single “Security Boundary”
• Central Administration
Minus
• All roles (schema master, RID master, etc) in “exposed” domain
• Need physical structure (sites, site-links, subnets) if have WAN links
Multiple Domains
Some reasons to create more than one domain are:
• Different password requirements between departments or divisions
• Massive numbers of objects
• Decentralized network administration
• More control of replication
Although using a single domain for an entire network has several
advantages, to meet additional scalability, security, or replication
requirements you may consider creating one or more domains for your
organization.
Organizational Units
•
Organizational units are Active
Directory containers into which you
can place users, groups, computers,
and other organizational units. An
organizational unit cannot contain
objects from other domains.
•
An organizational unit is the smallest
scope or unit to which you can assign
Group Policy settings or delegate
administrative authority. Using
organizational units, you can create
containers within a domain that
represent the hierarchical, logical
structures within your organization.
You can then manage the
configuration and use of accounts
and resources based on your
organizational model.
Organizational Units
• You can use organizational units to create an administrative model that
can be scaled to any size. A user can have administrative authority for all
organizational units in a domain or for a single organizational unit. An
administrator of an organizational unit does not need to have
administrative authority for any other organizational units in the domain.
Groups
Domain Local
• Used to assign rights/permissions to resources in that domain
• Can contain users/DL/Global groups from any domain in forest
Global
• Groups users in that domain together logically
• Added to member list of Domain Local to get rights
Universal
• Groups users from any domain in forest together
• Assign rights to resources in any domain in forest
Groups
Terms to research
 Function Levels
 Operations roles
 Flexible Single Master of Operations (FIZZMO) or Operations
Masters/Roles
 Site links
Additional Resources
• http://technet.microsoft.com/en-us/library/cc780856(WS.10).aspx
• http://technet.microsoft.com
Download