
IMPLEMENTING ACTIVE DIRECTORY

Chapter 4

Outline

Planning Stage: domain structure, domain namespace, OU structure, site structure
Design Stage
Install AD Stage

Plan a Domain Structure


As the core unit of logical structure in AD, the domain must be planned carefully. The plan must take into account the company's:

Logical and physical environment
Administrative requirements
Domain requirements
Domain organization needs

Logical Structure

Understand how your company conducts daily operations to determine the logical structure of your organization. Consider how the company operates functionally and geographically.

Physical Structure

Determine the technical requirements for implementing Active Directory


You must consider your company's user and network requirements so that you can determine the logical requirements for implementing Active Directory.

To assess user requirements, for each functional and geographical division determine:

The number of employees
The growth rate
Plans for expansion

To assess network requirements, for each geographical division determine:

How network connections are organized
Network connection speed
How network connections are utilized
TCP/IP subnets

Administrative requirements

Identify the method of network administration used by your company:

Centralized administration. A single administrative team provides network services. Smaller companies with fewer locations or business functions often use this method.

Decentralized administration. A number of administrators or administrative teams provide network services. Teams may be divided by location or business function.
Customized administration. The administration of some resources is centralized and it is decentralized for others, depending on business needs.

Domain Requirements

The easiest domain structure to administer is a single domain.


You should start with a single domain and add domains only when the single-domain model no longer meets your needs. One domain can span multiple sites and contain millions of objects.

A single domain can span multiple geographical sites, and a single site can include users and computers belonging to multiple domains.

Within each domain, you can model your organization's management hierarchy for delegation or administration using OUs, which act as logical containers for other objects. You can then assign group policy and place users, groups, and computers into the OUs.

There are some reasons to create more than one domain:

Decentralized network administration
Replication control
Different password requirements between organizations
Massive numbers of objects
Different Internet domain names
International requirements
Internal political requirements

Domain Organization Needs

If the organization needs more than one domain, you must organize the domains into a hierarchy that fits the needs of the organization.

Arrange domains into a tree or a forest depending on the company's business needs. As domains are placed in a tree or forest hierarchy, the two-way transitive trust relationship allows the domains to share resources.

Planning Domain Namespace


You must first choose and register a unique parent DNS name that can be used for hosting your organization on the Internet. Perform a search to see whether the name is already registered to another entity. Once you have chosen your parent DNS name, you can combine it with a location or organizational name used within your organization to form other subdomain names.

Example: microsoft.com and denver.microsoft.com

Same internal and external namespace.

Example: microsoft.com is used both inside and outside the company.

Separate internal and external namespace.

Example: inside the firewall msn.com, outside the firewall microsoft.com

Domain Naming Requirements and Guidelines

Select a root domain name that will remain static.
Use simple and unique names.
Use standard DNS characters and Unicode characters.
Limit the number of domain levels: no more than five levels down the hierarchy.
Avoid lengthy domain names: domain names can be up to 63 characters, including the periods.

Plan an OU Structure


OUs allow you to model your organization in a meaningful and manageable way and to assign an appropriate local authority as administrator at any hierarchical level.

Consider creating an OU if you want to do the following:

Reflect your company's structure and organization within a domain. Without OUs, all users are maintained and displayed in a single list, regardless of a user's department, location, or role.

Delegate administrative control over network resources, but maintain the ability to manage them. You can grant administrative permissions to users or groups of users at the OU level.

Accommodate potential changes in your company's organizational structure. You can reorganize users between OUs easily, whereas reorganizing users between domains generally requires more time and effort.

Group objects to allow administrators to locate similar network resources easily, to simplify security, and to perform any administrative tasks. For example, you could group all user accounts for temporary employees into an OU called TempEmployees.

Restrict visibility of network resources in Active Directory. Users can view only the objects for which they have access.

Planning an OU hierarchy:

There are many ways to structure OUs for your company. It is important to determine what model will be used as a base for the OU hierarchy. Consider the following models for classifying OUs in the OU hierarchy:

Business Function-based OU

Geographical-based OU

Business Function and Geographical- based OU

Plan a Site Structure


A single domain can include multiple sites, and a single site can include multiple domains or parts of multiple domains.

The way in which you set up your sites affects Windows 2000 in two ways:

Workstation logon and authentication. When a user logs on, Windows 2000 tries to find a DC in the same site as the user's computer to service the user's logon request and subsequent requests for network information.

Directory replication. You can configure the schedule and path for replication of a domain's directory differently for inter-site replication than for replication within a site. Generally, you should set replication between sites to be less frequent than replication within a site.

Optimizing Workstation Logon Traffic

When planning sites, consider which domain controller(s) the workstations on a given subnet should use. To have a particular workstation log on only to a specific set of domain controllers, define the sites so that only those domain controllers are in the same site as that workstation's subnet.

Optimizing Directory Replication

When planning sites, consider where the domain controllers and the network connections between the domain controllers will be located. Because each domain controller must participate in directory replication with the other domain controllers in its domain, configure sites so that replication occurs at times and intervals that will not interfere with network performance.

Designing a Site Structure


Follow these steps to design a site structure for an organization with multiple physical locations:

Assess the physical environment

Review the information you gathered when determining domain structure, including site locations, network speed, how network connections are organized, network connection speed, how network connections are utilized, and TCP/IP subnets.

Determine the physical locations that form domains

Determine which physical locations are involved in each domain.

Determine which areas of the network should be sites

If the network area requires workstation logon controls or directory replication, the area should be set up as a site.

Identify the physical links connecting sites

Identify the link types, speeds, and utilization that exist so the links can be determined as site link objects. A site link object contains the schedule that determines when replication can occur between the sites that it connects.

For each site link object, determine the cost and schedule

The lowest cost site link performs replication; determine the priority of each link by setting the cost (default cost is 100; lower cost provides a higher priority). Replication occurs every 3 hours by default; set the schedule according to your needs.

Provide redundancy by configuring a site link bridge

A site link bridge provides fault tolerance for replication.
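The site-link steps above say that the lowest-cost link is the one used for replication (default cost 100, lower cost wins). This added Python example, not part of the slides, works that rule through for a constructed four-site plan: it finds the cheapest chain of site links between two sites and flags links still sitting at the default cost, which means no replication priority has been expressed for them. The site names, link names and costs are all assumptions.

```python
import heapq
from typing import Dict, List, Optional, Tuple

# Constructed site-link plan for four hypothetical sites (not from the slides).
# Each site link is (cost, sites it connects). The AD default cost is 100 and a
# lower cost gives the link a higher priority for replication.
SITE_LINKS: Dict[str, Tuple[int, Tuple[str, ...]]] = {
    "Denver-Seattle":  (100, ("Denver", "Seattle")),  # slow WAN, left at default
    "Denver-Chicago":  (50, ("Denver", "Chicago")),
    "Chicago-Seattle": (40, ("Chicago", "Seattle")),
    "Chicago-Boston":  (60, ("Chicago", "Boston")),
}


def build_graph(links) -> Dict[str, List[Tuple[str, int, str]]]:
    """Expand each site link into (neighbour, cost, link name) edges for every site it joins."""
    graph: Dict[str, List[Tuple[str, int, str]]] = {}
    for name, (cost, sites) in links.items():
        for a in sites:
            graph.setdefault(a, [])
            for b in sites:
                if a != b:
                    graph[a].append((b, cost, name))
    return graph


def cheapest_replication_path(links, src: str, dst: str) -> Optional[Tuple[int, List[str]]]:
    """Lowest-cost route between two sites (Dijkstra over site links).

    Returns (total cost, list of site-link names in order), or None when no
    chain of site links joins the two sites."""
    graph = build_graph(links)
    if src not in graph or dst not in graph:
        return None
    best = {src: 0}
    heap: List[Tuple[int, str, List[str]]] = [(0, src, [])]
    while heap:
        cost, site, path = heapq.heappop(heap)
        if site == dst:
            return cost, path
        if cost > best[site]:
            continue  # stale heap entry, a cheaper route was found already
        for nxt, link_cost, link in graph[site]:
            new_cost = cost + link_cost
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                heapq.heappush(heap, (new_cost, nxt, path + [link]))
    return None


def links_at_default_cost(links) -> List[str]:
    """Site links still at cost 100: no replication priority has been set for them."""
    return sorted(name for name, (cost, _) in links.items() if cost == 100)
```

With this plan, Denver to Seattle replicates through Chicago (cost 90) rather than over the direct link at the default cost 100.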

Installing AD

Domain mode can be divided into:

Mixed mode
Native mode

Mixed mode. When you first install or upgrade a domain controller to Windows 2000 Server, the domain controller is set to run in mixed mode. Mixed mode allows the domain controller to interact with any domain controllers in the domain that are running previous versions of Windows NT.

Native mode. When all the domain controllers in the domain run Windows 2000 Server, and you do not plan to add any more pre-Windows 2000 domain controllers to the domain, you can switch the domain from mixed mode to native mode.

During the conversion from mixed mode to native mode:

Support for pre-Windows 2000 replication ceases. Because pre-Windows 2000 replication is gone, you can no longer have any domain controllers in your domain that are not running Windows 2000 Server.

You can no longer add new pre-Windows 2000 domain controllers to the domain.

The server that served as the primary domain controller during migration is no longer the domain master; all domain controllers begin acting as peers.

Operation Masters

An operations master is a domain controller that is responsible for a particular role. Active Directory normally uses multimaster replication, in which changes can be made on any domain controller and are replicated across the domains in the forest. Some changes would conflict if made on more than one domain controller at once, so to avoid replication conflicts a single domain controller is assigned as the single master for each of those changes. In any Active Directory forest, five operations master roles must be assigned to one or more domain controllers. Some roles must appear in every forest; other roles must appear in every domain in the forest.

Five roles:

Schema master
Domain naming master
Primary domain controller emulator (PDC emulator)
Relative identifier master (RID master)
Infrastructure master

Forest-wide roles

Schema master: controls all updates to the schema, which contains the master list of object classes and attributes.

Domain naming master: controls the addition or removal of domains in the forest.

There is only one schema master and one domain naming master in the entire forest.

Domain-wide roles

Primary domain controller emulator (PDC emulator): acts as a Windows NT PDC to support any backup domain controllers (BDCs) running Windows NT within a mixed-mode domain, that is, a domain that still has DCs running Windows NT 4.0. The PDC emulator is the first DC that you create in a new domain.

Relative identifier master (RID master): whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID. The security ID consists of a domain security ID (which is the same for all security IDs created in the domain) and a relative ID that is unique for each security ID created in the domain.

Infrastructure master

Infrastructure master: when objects are moved from one domain to another, the infrastructure master updates the object references in its domain that point to objects in the other domain. An object reference contains the object's globally unique identifier (GUID), distinguished name, and SID. AD periodically updates the distinguished name and SID whenever an object moves within or between domains or is deleted.

Each domain in a forest has its own PDC emulator, RID master and infrastructure master.
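The RID master section above describes a security ID as a domain SID shared by every object in the domain plus a relative ID that is unique within it. This added Python example, not part of the slides, splits an account SID string into those two parts, names the built-in RIDs that have a fixed meaning in every domain, and checks whether two SIDs come from the same domain, the kind of check a log analyst or ACL reviewer applies. The SID values in the test are constructed, not real.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# A domain SID has the form S-1-5-21-<sub1>-<sub2>-<sub3>; every account SID in
# that domain is the domain SID followed by one more sub-authority, the RID.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")
ACCOUNT_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Built-in RIDs with a fixed meaning (Enterprise Admins exists only in the
# forest root domain); the domain part in front of them varies per domain.
WELL_KNOWN_RIDS: Dict[int, str] = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


@dataclass(frozen=True)
class ParsedSid:
    domain_sid: str       # identical for every SID created in the domain
    rid: int              # relative ID, unique within the domain
    name: Optional[str]   # well-known name if the RID is one of the built-ins


def split_sid(sid: str) -> Optional[ParsedSid]:
    """Split an account SID into domain SID and RID; None if it is not a domain account SID."""
    m = ACCOUNT_SID_RE.match(sid)
    if not m:
        return None  # e.g. S-1-5-18 (LocalSystem) or a bare domain SID with no RID
    domain_sid, rid = m.group(1), int(m.group(2))
    return ParsedSid(domain_sid, rid, WELL_KNOWN_RIDS.get(rid))


def is_domain_sid(sid: str) -> bool:
    """True for a bare domain SID (no trailing RID)."""
    return DOMAIN_SID_RE.match(sid) is not None


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when both account SIDs carry the same domain SID prefix."""
    a, b = split_sid(sid_a), split_sid(sid_b)
    return a is not None and b is not None and a.domain_sid == b.domain_sid
```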
