Active Directory Branch Office Planning Guide
Chapter 1: Overview of Planning Active Directory for Branch Office Environments

Abstract

This chapter presents the purpose and scope of this Active Directory Branch Office Planning Guide. The following chapters discuss the concepts and steps necessary to plan for a deployment of the Microsoft® Windows® 2000 operating system and Windows 2000 Active Directory™ service in a branch office environment.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, Windows, Active Directory, and Microsoft SQL Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries/regions.
CONTENTS

INTRODUCTION 1
  Concepts 1
  Chapter Overview 1
SCOPE 4
  Branch Office 4
  Large Number of Locations with Domain Controllers 4
  Small Number of Users Per Location 4
  Large Number of Domain Controllers 4
  Slow Network Connectivity to Branch Locations 6
  Management Models for Handling Branch Office Scenarios 6
  Managing Users and Groups 7
  Managing Group Policies in a Distributed Environment 7
MORE INFORMATION 9
  Resource Centers on the Web 9
  Publications 9
  White Papers 9
SUMMARY 10

INTRODUCTION

Microsoft® Windows® 2000 is a relatively new operating system, capable of being deployed in both large and small corporate environments. While the Windows 2000 Resource Kit is the first resource for companies planning to deploy Windows 2000, corporate branch environments need additional planning, configuration, and monitoring to ensure a smooth branch office deployment.

The objective of this guide is to present a recommended method of planning the deployment of Windows 2000 Active Directory™ service in a branch office environment. Note that the Active Directory Deployment and Operations Guide is a companion to this guide. It uses the plan developed here and guides the reader, step by step, through the Windows 2000 branch office deployment, providing scripts to simplify and speed the process.

Although this guide discusses branch office deployments, much of the information can be adapted to other environments, including the sections on staging domain controllers, monitoring domain controllers, and the associated scripts.
A branch office deployment, in terms of this guide, is one where there are numerous branch offices with slow links to a corporate hub or data center. While this guide focuses on the planning for a simple hub and spoke deployment, the planning can be extended to a more complex, multilevel, multi-hub and spoke deployment. For the more complex environment, breaking the corporate network design into smaller hub and spoke modules will allow you to use the guidelines and configuration presented here and in the Active Directory Deployment and Operations Guide.

Concepts

This guide is written for readers who have an understanding of Windows 2000, Active Directory, Domain Name System (DNS), and replication, as can be found in the Windows 2000 Resource Kit and other recommended White Papers (see More Information at the end of this chapter for a list of resources). We have, however, included a review of basic concepts and terms. This is not intended to replace the aforementioned resources; it is not possible to summarize all of the prerequisite knowledge assumed in the presentation of this paper. The objective of this guide is to build on information presented elsewhere, and to omit information that is available in other Microsoft sources.

Chapter Overview

This guide consists of six chapters, each dealing with a specific aspect of planning an Active Directory branch office deployment.

Chapter 2 – Structural Planning for Branch Office Environments

This chapter will guide you through the process of planning the logical structure for your Active Directory branch office environment.
Topics covered include:

- Structural Planning
- Domain Controller and Global Catalog Placement
- DNS Design Recommendations
- Determining the Number of Sites

Chapter 3 – Planning Replication for Branch Office Environments

This chapter will guide you through the process of planning your bridgehead servers and connection objects, based on Active Directory and File Replication Service (FRS) replication. Topics covered include:

- Replication Fundamentals
- Components of the Replication Topology
- Determining the Choice of Bridgehead Servers
- Determining the Number of Bridgehead Servers
- Configuring Replication Topology for Large Branch Office Deployments
- Using the KCC with a Small Number of Sites (<100)

Chapter 4 – Planning the Hub Site for Branch Office Environments

This chapter will guide you through the process of planning your hub site, including building and maintaining your root and branch office domains. Topics covered include:

- Data Center Strategy
- Building the Root Domain
- Building the Branch Office Domain
- Monitoring and Key Performance Indicators
- Server Sizing
- Disaster Recovery
- Firewalls

Chapter 5 – Planning the Staging Site for Branch Office Environments

This chapter will guide you through the process of planning your staging site. Topics covered include:

- Best Practices for Building a Staging Site
- Configuring the Replication Topology
- Capacity Planning
- Software Installed on Domain Controllers
- Monitoring

Chapter 6 – Building the Forest Root Domain and Central Hub Site

This chapter will guide you through the process of planning how to build, verify, and monitor branch office domain controllers. This includes everything from installation at the staging site through moving the domain controller to its branch office.
Topics covered include:

- Design Considerations
- Installing Software
- Promoting the Server to a Domain Controller
- Preparing the Computer for Transport
- Alternative Configuration
- Documentation
- Post-Deployment

SCOPE

Branch Office

The characteristics of a branch office deployment as discussed in this guide include most, if not all, of the following:

- A large number of locations with domain controllers.
- A small number of users per location.
- A large number of domain controllers.
- A hub and spoke network topology.
- Slow network connectivity to the branch office locations.

Large Number of Locations with Domain Controllers

The fact that a deployment has a large number of locations with domain controllers does not necessarily make it a branch office deployment in the context of this guide. In some large deployments the network may provide reliable, medium to high speed network connections which can be used to log on users over the wide area network (WAN). In this case, a small number of domain controllers could be installed in a data center or hub, and there is no need for domain controllers in all remote locations. Since a centralized deployment model like this is less complex and easier to operate and monitor, it is preferred, but only if the network can be trusted to handle user logon operations at all times.

In the cases where the WAN cannot be trusted for logons 24 hours a day and 7 days a week, planning and deployment require more thought. In most cases, a domain controller has to be installed in the remote locations. Chapter 2, "Structural Planning for Branch Office Environments," presents guidance on when to put domain controllers into a remote location.

Small Number of Users Per Location

Another feature of the branch office deployment discussed in this guide is that there are a small number of users in each branch location.
Examples of companies that meet these conditions are insurance companies and banks. Insurance companies frequently have a large number of subsidiaries and branches, each with a small number of employees. Small, in the context of this guide, means between 10 and 50 users of computers and network services.

Large Number of Domain Controllers

A large number of domain controllers implies that there may be a need for a staging site, which may or may not be contracted out, and that the number of branches to which domain controllers are being deployed is more than 100.

Hub-Spoke Topology

Usually in branch environments the topology consists of one or more hub locations, and spokes that extend from the hub or hubs, as shown in the following figure.

Figure 1. Branch Office Scenario: TCP/IP and DNS Settings, FSMO Role Placement

FSMO role abbreviations: SM = Schema Master, DNM = Domain Naming Master, IM = Infrastructure Master, RID = RID Master, PDC = PDC Emulator. "DNS P" and "DNS A" are the preferred and alternate DNS server addresses configured in the TCP/IP properties of each server.

Site-HUB, forest root domain corp.hay-buv.com:

  Server  Type                           FSMO roles     IP address   DNS P        DNS A
  ROOT1   GC (also RRAS network router)  SM, DNM        10.10.1.1    10.10.1.2    10.10.1.3
  ROOT2   DC                             IM, RID, PDC   10.10.1.2    10.10.1.1    10.10.1.3
  ROOT3   DC                             none           10.10.1.3    10.10.1.1    10.10.1.2

Site-HUB, branch domain branches.corp.hay-buv.com:

  Server  Type  FSMO roles     IP address    DNS P         DNS A
  HUBDC1  DC    IM, RID, PDC   10.10.20.99   10.10.20.99   10.10.20.1
  BH1     GC    none           10.10.20.1    10.10.20.1    10.10.20.2
  BH2     GC    none           10.10.20.2    10.10.20.2    10.10.20.1
  BH3     GC    none           10.10.20.3    10.10.20.3    10.10.20.1

Site-Stage, branches.corp.hay-buv.com:

  Server   Type  IP address   DNS P        DNS A
  Staging  GC    10.10.30.1   10.10.30.1   10.10.20.1

Branch office sites, branches.corp.hay-buv.com:

  Site          Server  Type  IP address   DNS P        DNS A
  Site-Branch1  BODC1   DC    10.10.21.1   10.10.21.1   10.10.20.1
  Site-Branch2  BODC2   DC    10.10.22.1   10.10.22.1   10.10.20.2
  Site-Branch3  BODC3   DC    10.10.23.1   10.10.23.1   10.10.20.3
  Site-Branch4  BODC4   DC    10.10.24.1   10.10.24.1   10.10.20.1
  Site-Branch5  BODC5   DC    10.10.25.1   10.10.25.1   10.10.20.2

All branch office domain controllers are members of the branches.corp.hay-buv.com domain. Note the pattern in the DNS settings: each branch, staging, and hub bridgehead server points to itself as preferred DNS server and to a bridgehead server (BH1, BH2, or BH3) at the hub as alternate, with the alternates spread across the three bridgeheads, while the forest root domain controllers point to each other rather than to themselves.

The simple hub and spoke topology shown above is used for all discussions in this guide: a single hub with slow links to the branches, which act as spokes. This Active Directory Planning Guide steps you through the process of planning the above environment. The accompanying Active Directory Deployment and Operations Guide then steps you through the process of building the above environment. There is little explicit discussion of planning for a complex topology as shown in the following diagram.

Figure 2. Complex Hub and Spoke Topology

For the complex hub and spoke case, you can use the planning presented here for each hub and its spokes, as well as the deployment procedures presented in the Active Directory Deployment and Operations Guide. Each set of hub and spokes can then be combined in a larger hub and spokes design, in a nested or layered fashion.

Slow Network Connectivity to Branch Locations

A common scenario in a branch office environment is that locations are linked to the corporate data center or hub by slow WAN links. For our scenario a slow link is defined as a link with a line speed between 19.2 and 64 kilobits per second. Such a link could be either a dial-up link or a leased line. To plan the right topology when working over slow links, you should know the following:

- The real available bandwidth over 24 hours.
- The stability of the link.
- What other services are going to use the link (such as Exchange, backup, Systems Network Architecture (SNA), Microsoft SQL Server™, or Internet access).

Management Models for Handling Branch Office Scenarios

There are basically two different management models to consider in a Windows 2000 deployment scenario: centralized and decentralized.
According to the centralized management model, changes are made at a corporate level and replicated to the branches. With the decentralized approach, changes are mostly made at the branches and are replicated through a hub to the rest of the domain and the forest. Management of users and groups, as well as Group Policy management, should be considered in light of these two models, since each has significant effects on replication traffic, and therefore on the load on domain controllers.

Managing Users and Groups

When managing users and groups, there are pros and cons to each model. A centralized management model, where all objects in the organization are managed by one central IT organization, has the following advantages and disadvantages:

Advantages:
- Good security control and policy enforcement.
- Easy automation of common management tasks from a single source point.
- Problems can be fixed quickly.

Disadvantages:
- Success varies directly with the availability and speed of the local area network (LAN) or WAN.
- Propagation of changes is time-consuming, depending on the replication infrastructure and the replication schedules.
- Time to react to and fix issues at remote locations might be longer.

In contrast, in the decentralized management model the IT organization is divided into smaller divisions based on geographical, political, or organizational needs, and management of users and groups is distributed. The tradeoffs in this situation are as follows:

Advantages:
- The IT organization tends to be closer to the "customer".
- Less replication traffic inbound from the hub to the branches.

Disadvantages:
- Automation of tasks needs to be coordinated.
- More replication traffic inbound from the branches to the hubs.

Managing Group Policies in a Distributed Environment

As with user and group management, Group Policy management can be centralized or decentralized.
In the centralized approach, all Group Policies are created by administration staff in the data centers (or hubs) and flow from the data centers to the branch offices. Changes never occur at the branch level. Typically, there are no local personnel with complete administrator rights available in the branch.

In a decentralized environment, the regional IT organizations have the knowledge and ability to add to the Group Policies and to override certain settings. Just as with decentralized user and group creation, this causes more replication to originate at the branches, and therefore more inbound replication traffic at the hub site.

Warning: The biggest problem with decentralized Group Policy management is that Group Policy changes are focused on the Primary Domain Controller (PDC) Emulator for the domain: the Group Policy editing tools write to the PDC Emulator by default, and it is located at the hub. A change made by a branch administrator therefore crosses the slow link to the hub before it replicates back out to every branch. We recommend, therefore, that you centralize the creation of Group Policies.

For the purposes of the planning discussions in this guide, assume a centralized model. Realize, however, that where your organization's administration model differs, you must consider the effect this has on your replication traffic patterns. The purpose of this guide is to present the basic building blocks of the planning process, which will enable you to complete a plan that suits your organization and its administrative and network structure.

MORE INFORMATION

Resource Centers on the Web

For more information, refer to the following external resources on the Internet at microsoft.com.
- Windows 2000 Technical Library: http://www.microsoft.com/windows2000/library/
- Windows 2000 Technologies Index: http://www.microsoft.com/windows2000/library/technologies/default.asp
- TechNet: Windows 2000 Technology Center: http://www.microsoft.com/technet/win2000/win2ksrv/default.asp
- MSDN: Windows 2000 Development Center: http://msdn.microsoft.com/windows2000/
- Microsoft Press Online: Windows 2000: http://mspress.microsoft.com/windows2000/
- Microsoft Training and Certification Course: http://www.microsoft.com/train_cert/winmoc/win2000_data.htm
- Microsoft Training and Certification Windows 2000 Learning Center: http://www.microsoft.com/train_cert/learncenter/win2000/default.htm

Publications

- Windows 2000 Resource Kit (Microsoft Press)
- Building Enterprise Active Directory Services, Notes from the Field (Microsoft Press)
- Optimizing Network Traffic, Notes from the Field (Microsoft Press)

White Papers

- Windows 2000 Domain Name System Overview: http://www.microsoft.com/windows2000/library/howitworks/communications/nameadrmgmt/dnsover.asp
- Windows 2000 Domain Name System White Paper: http://www.microsoft.com/windows2000/library/howitworks/communications/nameadrmgmt/w2kdns.asp
- Windows 2000 Active Directory: http://www.microsoft.com/windows2000/library/technologies/activedirectory/default.asp

SUMMARY

While this guide is focused on the planning for a branch office deployment within the parameters defined in this chapter (a large number of locations with domain controllers, where each location has a small number of users and slow WAN connectivity), the issues and concepts discussed here are frequently relevant in other scenarios. The following chapters discuss the structural planning considerations, the planning needed for replication, and the planning that should take place to have a successful hub site and staging site. Quality assurance steps are presented, including monitoring.
While the specifics of this guide relate to large branch office deployments, the general concepts and issues are helpful in many other scenarios.
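The scenario diagram in the Hub-Spoke Topology section fixes three things per domain controller that are easy to get wrong across a hundred branches: which server holds which FSMO role, whether a Global Catalog and the Infrastructure Master share a server, and which DNS servers each domain controller's TCP/IP client points at. The script below is an added example and is not code from this guide or from Microsoft. It transcribes the diagram's inventory (the BH1 to BH3 DNS values are read from the diagram's interleaved labels) and lints it against three rules: the DNS convention the diagram follows (the alternate DNS server is a same-domain domain controller at the hub, never the server itself), Microsoft's placement rule that the Infrastructure Master should not run on a Global Catalog unless every domain controller in its domain is a Global Catalog, and this chapter's warning that the PDC Emulator belongs at the hub. The DomainController class, the lint, finding_codes and variant functions, the finding codes and the HUB_SITES set are this example's own assumptions; the role abbreviations and addresses are the diagram's.

```python
"""Lint a branch office DC plan (added example; inventory transcribed from the
chapter's scenario diagram, check rules are this example's assumptions)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class DomainController:
    name: str
    domain: str
    site: str
    ip: str
    dns_preferred: str            # "DNS P" in the diagram
    dns_alternate: str            # "DNS A" in the diagram
    global_catalog: bool = False
    roles: frozenset = frozenset()  # subset of SM, DNM, IM, RID, PDC


FOREST_ROLES = ("SM", "DNM")         # Schema Master, Domain Naming Master
DOMAIN_ROLES = ("IM", "RID", "PDC")  # Infrastructure, RID, PDC Emulator
ROOT = "corp.hay-buv.com"
BRANCHES = "branches." + ROOT
HUB_SITES = {"Site-HUB"}             # assumption: sites that count as "the hub"


def dc(name, domain, site, ip, pref, alt, gc=False, roles=()):
    return DomainController(name, domain, site, ip, pref, alt, gc, frozenset(roles))


# Inventory transcribed from the scenario diagram (constructed for this example).
PLAN = [
    dc("ROOT1",   ROOT,     "Site-HUB",     "10.10.1.1",   "10.10.1.2",   "10.10.1.3",  True,  ("SM", "DNM")),
    dc("ROOT2",   ROOT,     "Site-HUB",     "10.10.1.2",   "10.10.1.1",   "10.10.1.3",  False, ("IM", "RID", "PDC")),
    dc("ROOT3",   ROOT,     "Site-HUB",     "10.10.1.3",   "10.10.1.1",   "10.10.1.2"),
    dc("HUBDC1",  BRANCHES, "Site-HUB",     "10.10.20.99", "10.10.20.99", "10.10.20.1", False, ("IM", "RID", "PDC")),
    dc("BH1",     BRANCHES, "Site-HUB",     "10.10.20.1",  "10.10.20.1",  "10.10.20.2", True),
    dc("BH2",     BRANCHES, "Site-HUB",     "10.10.20.2",  "10.10.20.2",  "10.10.20.1", True),
    dc("BH3",     BRANCHES, "Site-HUB",     "10.10.20.3",  "10.10.20.3",  "10.10.20.1", True),
    dc("Staging", BRANCHES, "Site-Stage",   "10.10.30.1",  "10.10.30.1",  "10.10.20.1", True),
    dc("BODC1",   BRANCHES, "Site-Branch1", "10.10.21.1",  "10.10.21.1",  "10.10.20.1"),
    dc("BODC2",   BRANCHES, "Site-Branch2", "10.10.22.1",  "10.10.22.1",  "10.10.20.2"),
    dc("BODC3",   BRANCHES, "Site-Branch3", "10.10.23.1",  "10.10.23.1",  "10.10.20.3"),
    dc("BODC4",   BRANCHES, "Site-Branch4", "10.10.24.1",  "10.10.24.1",  "10.10.20.1"),
    dc("BODC5",   BRANCHES, "Site-Branch5", "10.10.25.1",  "10.10.25.1",  "10.10.20.2"),
]


def lint(plan):
    """Return a list of 'CODE: message' findings; an empty list means the plan passes."""
    findings = []
    by_ip = {d.ip: d for d in plan}

    # DNS client settings: both servers must be DCs in the plan and distinct, the
    # alternate must not be the DC itself, and the fallback must be a same-domain
    # DC at a hub site so a branch that loses local DNS still resolves the domain.
    for d in plan:
        for label, addr in (("preferred", d.dns_preferred), ("alternate", d.dns_alternate)):
            if addr not in by_ip:
                findings.append(f"DNS-UNKNOWN: {d.name} {label} DNS {addr} is not a DC in the plan")
        if d.dns_preferred == d.dns_alternate:
            findings.append(f"DNS-SAME: {d.name} preferred and alternate DNS are both {d.dns_preferred}")
        if d.dns_alternate == d.ip:
            findings.append(f"DNS-SELF-ALT: {d.name} lists itself as alternate DNS")
        alt = by_ip.get(d.dns_alternate)
        if alt and (alt.domain != d.domain or alt.site not in HUB_SITES):
            findings.append(f"DNS-ALT-NOT-HUB: {d.name} alternate DNS {alt.name} is not a hub DC of {d.domain}")

    # Forest-wide roles: exactly one holder each, and it must live in the root domain.
    for role in FOREST_ROLES:
        holders = [d for d in plan if role in d.roles]
        if len(holders) != 1:
            findings.append(f"FSMO-COUNT: {role} held by {len(holders)} DCs, expected 1")
        for h in holders:
            if h.domain != ROOT:
                findings.append(f"FSMO-ROOT: {role} on {h.name} is outside the root domain")

    # Per-domain roles: one holder each, IM not on a GC, PDC Emulator at the hub.
    for domain in sorted({d.domain for d in plan}):
        members = [d for d in plan if d.domain == domain]
        all_gc = all(d.global_catalog for d in members)
        for role in DOMAIN_ROLES:
            holders = [d for d in members if role in d.roles]
            if len(holders) != 1:
                findings.append(f"FSMO-COUNT: {role} in {domain} held by {len(holders)} DCs, expected 1")
            for h in holders:
                # An IM hosted on a GC never updates stale cross-domain references
                # unless every DC in the domain is also a GC.
                if role == "IM" and h.global_catalog and not all_gc:
                    findings.append(f"FSMO-IM-GC: {h.name} is both Infrastructure Master and GC")
                # Group Policy edits land on the PDC Emulator, so keep it at the hub.
                if role == "PDC" and h.site not in HUB_SITES:
                    findings.append(f"FSMO-PDC-SITE: PDC Emulator {h.name} is in {h.site}, not a hub site")
    return findings


def finding_codes(plan):
    """Distinct finding codes for a plan, sorted, for quick comparison."""
    return sorted({f.split(":", 1)[0] for f in lint(plan)})


def variant(plan, name, **changes):
    """Copy of the plan with one DC's fields replaced, for what-if checks."""
    return [replace(d, **changes) if d.name == name else d for d in plan]


if __name__ == "__main__":
    for line in lint(PLAN) or ["plan passes all checks"]:
        print(line)
```

Running the file prints the findings, or a single pass line for the diagram as drawn. variant() builds a what-if copy of the plan: moving the PDC Emulator of branches.corp.hay-buv.com from HUBDC1 onto BODC1 yields an FSMO-PDC-SITE finding, making ROOT2 a Global Catalog yields FSMO-IM-GC, and pointing a branch server's alternate DNS at a root domain controller yields DNS-ALT-NOT-HUB. In a real deployment the PLAN list would be generated from the directory or from the staging site's build records rather than typed in.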