Chapter 4
Outline
Planning Stage
Plan a Domain Structure
Domain namespace
OU structure
Site structure
As the core unit of logical structure in AD, the domain must be planned carefully. The plan must consider the company's:
Logical and physical environment
Administrative requirements
Domain requirements
Domain organization needs
Logical Structure
Understand how your company conducts daily operations to determine the logical structure of your organization. Consider how the company operates functionally and geographically.
Physical Structure
To assess user requirements, for each functional and geographical division determine:
The number of employees
The growth rate
Plans for expansion
To assess network requirements, for each geographical division determine:
How network connections are organized
Network connection speed
How network connections are utilized
TCP/IP subnets
Administrative requirements
Centralized administration. A single administrative team provides network services. Smaller companies with fewer locations or business functions often use this method.
Decentralized administration. A number of administrators or administrative teams provide network services. Teams may be divided by location or business function.
Customized administration. The administration of some resources is centralized and it is decentralized for others, depending on business needs.
Domain Requirements
A single domain can span multiple geographical sites, and a single site can include users and computers belonging to multiple domains.
Within each domain, you can model your organization's management hierarchy for delegation or administration using OUs, which act as logical containers for other objects. You can then assign Group Policy and place users, groups, and computers into the OUs.
Reasons an organization may need more than one domain include:
Decentralized network administration
Replication control
Different password requirements between organizations
Massive numbers of objects
Different Internet domain names
International requirements
Internal political requirements
If the organization needs more than one domain, the domains must be organized into a hierarchy that fits the needs of the organization.
Arrange domains into a tree or a forest depending on the company's business needs. As domains are placed in a tree or forest hierarchy, the two-way transitive trust relationships allow the domains to share resources.
You must first choose and register a unique parent DNS name that can be used for hosting your organization on the Internet. Perform a search to see whether the name is already registered to another entity. Once you have chosen your parent DNS name, you can combine it with a location or organizational name used within your organization to form subdomain names.
Plan an OU Structure
OUs allow you to model your organization in a meaningful and manageable way and to assign an appropriate local authority as administrator at any hierarchical level.
Consider creating an OU if you want to do the following:
Reflect your company's structure and organization within a domain. Without OUs, all users are maintained and displayed in a single list, regardless of a user's department, location, or role.
Delegate administrative control over network resources, but maintain the ability to manage them. You can grant administrative permissions to users or groups of users at the OU level.
Accommodate potential changes in your company's organizational structure. You can reorganize users between OUs easily, whereas reorganizing users between domains generally requires more time and effort.
Group objects to allow administrators to locate similar network resources easily, to simplify security, and to perform administrative tasks. For example, you could group all user accounts for temporary employees into an OU called TempEmployees.
Restrict visibility of network resources in Active Directory. Users can view only the objects to which they have access.
Planning an OU hierarchy:
There are many ways to structure OUs for your company. It is important to determine what model will be used as a base for the OU hierarchy. Consider the following models for classifying OUs in the OU hierarchy:
Business function-based OU
Geography-based OU
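The OU properties listed above (a hierarchy that mirrors the organization, delegation of administrative control at any level, easy moves between OUs, and grouping objects such as a TempEmployees OU) can be exercised in a small model. The following is an added example, not code from the original course material or from any Microsoft tool; the domain name example.com, the OU and object names, and the admin group names are constructed, and delegation is modelled simply as "a group delegated on an OU may manage that OU and every OU beneath it".

```python
"""Model an OU hierarchy with OU-level delegated administration.

Constructed example: the domain name, OU names, object names and
admin group names are hypothetical. Delegation set on an OU is
inherited by all child OUs, which is the behaviour the planning text
relies on when it assigns a local authority at a hierarchical level.
"""
from dataclasses import dataclass, field


@dataclass
class OU:
    name: str
    children: dict = field(default_factory=dict)   # name -> OU
    admins: set = field(default_factory=set)       # groups delegated here
    objects: list = field(default_factory=list)    # CNs placed directly here


class Domain:
    def __init__(self, dns_name):
        self.dns_name = dns_name
        self.root = OU(name="")          # the domain itself (path == ())

    def ensure_path(self, path):
        """Return the OU at `path` (a tuple of OU names), creating levels as needed."""
        node = self.root
        for name in path:
            node = node.children.setdefault(name, OU(name))
        return node

    def delegate(self, path, group):
        """Grant `group` administrative control at the OU `path` (() = whole domain)."""
        self.ensure_path(path).admins.add(group)

    def place(self, cn, path):
        self.ensure_path(path).objects.append(cn)

    def move(self, cn, src_path, dst_path):
        """Reorganizing between OUs is a simple relocation inside the domain."""
        self.ensure_path(src_path).objects.remove(cn)
        self.place(cn, dst_path)

    def dn(self, cn, path):
        """Build the LDAP distinguished name of an object placed under `path`."""
        dc = ",".join(f"DC={label}" for label in self.dns_name.split("."))
        ous = ",".join(f"OU={name}" for name in reversed(path))
        return ",".join(part for part in (f"CN={cn}", ous, dc) if part)

    def can_manage(self, group, path):
        """True if `group` is delegated on the OU at `path` or on any ancestor."""
        node = self.root
        if group in node.admins:
            return True
        for name in path:
            node = node.children[name]
            if group in node.admins:
                return True
        return False

    def list_objects(self, path):
        """All objects in the OU at `path` and in every OU below it."""
        found = []

        def walk(node):
            found.extend(node.objects)
            for child in node.children.values():
                walk(child)

        walk(self.ensure_path(path))
        return found


def build_example():
    """A constructed domain: a Sales OU split by location plus a TempEmployees OU."""
    d = Domain("example.com")
    d.delegate((), "DomainAdmins")                  # domain-wide authority
    d.delegate(("Sales",), "SalesAdmins")           # all of Sales, any location
    d.delegate(("Sales", "Paris"), "ParisHelpdesk")  # local authority only
    d.place("alice", ("Sales", "Paris"))
    d.place("bob", ("Sales", "London"))
    d.place("temp01", ("TempEmployees",))
    return d


if __name__ == "__main__":
    d = build_example()
    print(d.dn("alice", ("Sales", "Paris")))
    print("SalesAdmins manages London:", d.can_manage("SalesAdmins", ("Sales", "London")))
    print("ParisHelpdesk manages London:", d.can_manage("ParisHelpdesk", ("Sales", "London")))
```

The check in can_manage walks from the domain root down to the object's OU, so an authority granted high in the hierarchy covers everything below it while a local group delegated on one city OU cannot manage the sibling city; that asymmetry is exactly what a planner chooses when deciding at which level to delegate.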
Plan a Site Structure
A single domain can include multiple sites, and a single site can include multiple domains or parts of multiple domains.
The way in which you set up your sites affects Windows 2000 in two ways:
Workstation logon. When a user logs on, Windows 2000 tries to find a DC in the same site as the user's computer to service the logon request and subsequent requests for network information.
Directory replication. You can configure the schedule and path for replication of a domain's directory differently for inter-site replication than for replication within a site. Generally, replication between sites should be less frequent than replication within a site.
When planning sites, consider which domain controller(s) the workstations on a given subnet should use. To have a particular workstation log on only to a specific set of domain controllers, define the sites so that only those domain controllers are in the same subnet as that workstation.
When planning sites, consider where the domain controllers and the network connections between them will be located. Because each domain controller must participate in directory replication with the other domain controllers in its domain, configure sites so that replication occurs at times and intervals that will not interfere with network performance.
Review the information you gathered when determining domain structure, including site locations, network speed, how network connections are organized, network connection speed, how network connections are utilized, and TCP/IP subnets.
If the network area requires workstation logon controls or directory replication, the area should be set up as a site.
Identify the link types, speeds, and utilization that exist so that the links can be represented as site link objects. A site link object contains the schedule that determines when replication can occur between the sites that it connects.
For each site link object, determine the cost and the schedule.
Replication uses the lowest-cost site link; set the priority of each link through its cost (the default cost is 100, and a lower cost gives a higher priority). By default, inter-site replication occurs every 3 hours; set the schedule according to your needs.
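The site-planning rules above (a workstation is matched to a site by its TCP/IP subnet, the logon request goes first to a DC in that site, and inter-site replication follows the lowest-cost site link within its schedule) can be checked against a proposed design before anything is built. The following is an added example, not code from the original material or from any Windows tool; the site names, subnets, DC names, link costs and schedule hours are constructed, and the path calculation is an ordinary shortest-path search over link costs rather than the behaviour of any particular replication component.

```python
"""Site topology planning model: subnet-to-site lookup, in-site DC
preference, and least-cost inter-site replication routing.

Constructed example; every site, subnet, DC, cost and schedule below is
hypothetical. Defaults mirror the planning text: link cost 100 and a
replication interval of 180 minutes (3 hours).
"""
import heapq
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SiteLink:
    name: str
    sites: frozenset                  # the sites this link connects
    cost: int = 100                   # default cost 100; lower = preferred
    interval_minutes: int = 180       # default: replicate every 3 hours
    hours: tuple = tuple(range(24))   # hours of the day replication is allowed


def replication_allowed(link, hour):
    """Schedule check: may replication over `link` start at this hour (0-23)?"""
    return hour in link.hours


class Topology:
    def __init__(self):
        self.subnets = {}   # ipaddress network -> site name
        self.dcs = {}       # site name -> [DC names]
        self.links = []

    def add_subnet(self, cidr, site):
        self.subnets[ipaddress.ip_network(cidr)] = site

    def add_dc(self, site, dc):
        self.dcs.setdefault(site, []).append(dc)

    def add_link(self, link):
        self.links.append(link)

    def site_of(self, ip):
        """Map a workstation address to a site by its longest matching subnet."""
        addr = ipaddress.ip_address(ip)
        matches = [net for net in self.subnets if addr in net]
        if not matches:
            return None
        return self.subnets[max(matches, key=lambda net: net.prefixlen)]

    def preferred_dcs(self, ip):
        """The DCs in the workstation's own site, which logon tries first."""
        return list(self.dcs.get(self.site_of(ip), []))

    def sites_without_dc(self):
        """Planning check: sites whose logons must always leave the site."""
        return set(self.subnets.values()) - set(self.dcs)

    def cheapest_path(self, src, dst):
        """Dijkstra over site links. Returns (total_cost, [sites]) or (None, [])."""
        adjacent = {}
        for link in self.links:
            for a in link.sites:
                for b in link.sites:
                    if a != b:
                        adjacent.setdefault(a, []).append((b, link.cost))
        best, prev, heap = {src: 0}, {}, [(0, src)]
        while heap:
            cost, site = heapq.heappop(heap)
            if site == dst:
                path = [dst]
                while path[-1] != src:
                    path.append(prev[path[-1]])
                return cost, path[::-1]
            if cost > best.get(site, float("inf")):
                continue
            for nxt, link_cost in adjacent.get(site, []):
                new_cost = cost + link_cost
                if new_cost < best.get(nxt, float("inf")):
                    best[nxt], prev[nxt] = new_cost, site
                    heapq.heappush(heap, (new_cost, nxt))
        return None, []


def build_example():
    """A constructed three-city design with a DC-less lab subnet."""
    t = Topology()
    t.add_subnet("10.1.0.0/16", "Paris")
    t.add_subnet("10.1.5.0/24", "Paris-Lab")     # more specific subnet wins
    t.add_subnet("10.2.0.0/16", "London")
    t.add_subnet("10.3.0.0/16", "NewYork")
    t.add_dc("Paris", "DC-PAR-01")
    t.add_dc("London", "DC-LON-01")
    t.add_dc("NewYork", "DC-NYC-01")
    t.add_link(SiteLink("PAR-LON", frozenset({"Paris", "London"})))
    # transatlantic link: replication only during the night window 00:00-05:59
    t.add_link(SiteLink("LON-NYC", frozenset({"London", "NewYork"}), hours=tuple(range(6))))
    t.add_link(SiteLink("PAR-NYC", frozenset({"Paris", "NewYork"}), cost=300))
    return t


if __name__ == "__main__":
    t = build_example()
    print("10.1.5.7 ->", t.site_of("10.1.5.7"), "DCs:", t.preferred_dcs("10.1.5.7"))
    print("Paris -> NewYork:", t.cheapest_path("Paris", "NewYork"))
    print("sites without a DC:", t.sites_without_dc())
```

Two things the model surfaces that the prose only states: the lab subnet inside the Paris address range becomes its own site with no DC, so every logon from it crosses a site boundary, and the direct Paris to New York link is never used for replication because the two-hop path through London is cheaper, even though that route is only open during the night window.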
Installing AD
Mixed mode. When you first install or upgrade a domain controller to Windows 2000 Server, the domain controller is set to run in mixed mode. Mixed mode allows the domain controller to interact with any domain controllers in the domain that are running previous versions of Windows NT.
Native mode. When all the domain controllers in the domain run Windows 2000 Server, and you do not plan to add any more pre-Windows 2000 domain controllers to the domain, you can switch the domain from mixed mode to native mode. Switching to native mode has the following effects:
Support for pre-Windows 2000 replication ceases. Because pre-Windows 2000 replication is gone, you can no longer have any domain controllers in your domain that are not running Windows 2000 Server.
You can no longer add new pre-Windows 2000 domain controllers to the domain.
The server that served as the primary domain controller during migration is no longer the domain master; all domain controllers begin acting as peers.
Operation Masters
An operations master is a domain controller that is responsible for a particular role. Active Directory normally uses multimaster replication, but some changes are replicated across all of the domains in the forest and would conflict if they were made on several domain controllers at once. To avoid such replication conflicts, a single domain controller is assigned as the single master for each of these operations. In any Active Directory forest, five operations master roles must be assigned to one or more domain controllers. Some roles must appear in every forest; other roles must appear in every domain in the forest.
The five roles are:
Schema master
Domain naming master
Primary domain controller (PDC) emulator
Relative identifier (RID) master
Infrastructure master
Forest-wide roles
Schema master. Controls all updates to the schema, which contains the master list of object classes and attributes.
Domain naming master. Controls the addition or removal of domains in the forest.
There is only one schema master and one domain naming master in the entire forest.
Domain-wide roles
PDC emulator. Acts as a Windows NT PDC to support any backup domain controllers (BDCs) running Microsoft Windows NT within a mixed-mode domain, that is, a domain that still has DCs running Windows NT 4.0. The PDC emulator is the first DC that you create in a new domain.
Relative identifier (RID) master. Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of a domain SID (which is the same for all SIDs created in the domain) and a relative ID (RID) that is unique for each SID created in the domain. The RID master is the single source of the relative IDs that the domain's controllers use when creating these objects.
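The SID structure just described, and the reason a single master is needed for it, can be shown directly: every SID in a domain shares the domain SID and ends in a RID that must be unique, and if each DC chose RIDs on its own the same SID would be issued twice. The following is an added example, not code from the original material or from Windows; the domain SID and DC names are constructed, and the block-based allocation is a simplified model of a single master handing out non-overlapping RID ranges, not a description of the actual Windows 2000 allocation protocol.

```python
"""Security ID structure and single-master RID allocation (simplified model).

Constructed example: the domain SID, the DC names, the block size and the
starting RID are hypothetical. The contrast function shows the duplicate
SIDs that appear when DCs choose RIDs independently, which is the
replication conflict the single RID master exists to prevent.
"""
import re

# Textual SID: S-1-<identifier authority>-<sub-authorities...>-<RID>
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

CONSTRUCTED_DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"  # hypothetical


def parse_sid(sid):
    """Split a SID into (domain SID, RID): the RID is the last sub-authority."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def same_domain(sids):
    """True when every SID carries the same domain SID."""
    return len({parse_sid(s)[0] for s in sids}) == 1


def find_duplicates(sids):
    """SIDs issued more than once (should be empty in a healthy domain)."""
    seen, dups = set(), set()
    for s in sids:
        if s in seen:
            dups.add(s)
        seen.add(s)
    return dups


class RidMaster:
    """The single master: hands each DC a block of RIDs no other DC receives."""

    def __init__(self, domain_sid, block_size=500, first_rid=1000):
        self.domain_sid = domain_sid
        self.block_size = block_size
        self.next_rid = first_rid

    def allocate_block(self):
        start = self.next_rid
        self.next_rid += self.block_size
        return start, self.next_rid - 1


class DomainController:
    """A DC creates objects from its own block and asks the master for more."""

    def __init__(self, name, master):
        self.name = name
        self.master = master
        self.pool = iter(())

    def new_sid(self):
        try:
            rid = next(self.pool)
        except StopIteration:
            low, high = self.master.allocate_block()
            self.pool = iter(range(low, high + 1))
            rid = next(self.pool)
        return f"{self.master.domain_sid}-{rid}"


def simulate_with_master(n_per_dc=3):
    """Two DCs creating objects concurrently, both served by one RID master."""
    master = RidMaster(CONSTRUCTED_DOMAIN_SID)
    dcs = [DomainController("DC1", master), DomainController("DC2", master)]
    return [dc.new_sid() for _ in range(n_per_dc) for dc in dcs]


def simulate_without_master(n_per_dc=3):
    """Contrast: each DC picks RIDs from its own counter, so SIDs collide."""
    counters = {"DC1": 1000, "DC2": 1000}
    issued = []
    for _ in range(n_per_dc):
        for dc in counters:
            issued.append(f"{CONSTRUCTED_DOMAIN_SID}-{counters[dc]}")
            counters[dc] += 1
    return issued


if __name__ == "__main__":
    print("with master, duplicates:", find_duplicates(simulate_with_master()))
    print("without master, duplicates:", sorted(find_duplicates(simulate_without_master())))
```

Running the two simulations side by side makes the point of the role concrete: with a single master the two DCs draw from disjoint ranges (one starts at 1000, the other at 1500 in this model), while without one they both start at 1000 and every object the second DC creates collides with one already created by the first.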
Infrastructure master
When an object is moved from one domain to another, the infrastructure master updates object references in its domain that point to the object in the other domain. An object reference contains the object's globally unique identifier (GUID), distinguished name, and SID. AD periodically updates the distinguished name and SID in these references when an object moves within or between domains, and removes them when the object is deleted.
Each domain in a forest has its own PDC emulator, RID master and infrastructure master.