Advanced Active Directory Deployments - PowerPoint PPT Presentation

Slides: 57
Provided by: bobca93

1
Advanced Active Directory Deployments
Rick Claus, IT Pro Advisor, Microsoft Canada
rclaus_at_microsoft.com
http://blogs.technet.com/rclaus
2
What Will We Cover?
  • Multiple Forest Design
  • Multiple Domain Design
  • Site Design

3
Helpful Experience
  • Experience with Active Directory concepts
  • Experience administering Active Directory
  • Experience supporting TCP/IP networks

Level 200
4
Agenda
  • Designing Multiple Forests
  • Implementing Multiple Forests
  • Designing Multiple Domains
  • Designing a Site Topology

5
Designing Forests
6
Service Administrator Authority
7
Reasons for Multiple Forests
Organizational Reasons
8
Autonomy vs. Isolation
Service Autonomy
Data Autonomy
Service isolation
Data isolation
9
Forest Design Considerations
10
Organizational Forest Model
Organizational Forest
Organizational Forest
11
Resource Forest Model
12
Restricted-Access Forest Model
13
Scenario: Same Corporation
Physically unsecured domain controllers
Application that requires a different schema
Dedicated Connection
14
Scenario: Different Corporations
15
Scenario: Perimeter Network
16
Mapping Requirements to Models
Requirements
Solution: Join an existing forest for data autonomy
17
Mapping Requirements to Models
Requirements
Solution: Use an organizational or resource forest for service isolation
18
Mapping Requirements to Models
Requirements
Solution: Use an organizational forest or domain and reconfigure the firewall for service autonomy with limited connectivity
19
Agenda
  • Designing Multiple Forests
  • Implementing Multiple Forests
  • Designing Multiple Domains
  • Designing a Site Topology

20
Forest Trusts
  • Domain controllers running Windows Server 2003
  • DNS infrastructure
  • Windows Server 2003 Forest Functional Level
  • Enterprise Admin privileges

21
Authentication across Forests
DC3
DC2
DC4
GC
DC1
22
Authorization across Forests
Can browse and search principals
Use UPN or NT 4.0 name
Use NT 4.0 name
Use NT 4.0 name
23
Restricting Forest Scope: Scenario 1
Disable DomainInfo or TopLevelName
Not Trusted
24
Restricting Forest Scope: Scenario 2
Contoso.com
Fabrikam.com
25
Other Forest Considerations
26
Smart Cards and Forest Trusts
Contoso.com
Fabrikam.com
27
Agenda
  • Designing Multiple Forests
  • Implementing Multiple Forests
  • Designing Multiple Domains
  • Designing a Site Topology

28
Active Directory Domains
Active Directory Partition
Administrative Functions
  • User identity
  • Authentication
  • Trust relationships
  • Replication

Domain
29
Factors that Impact Domain Model
128K ISDN
T1
30
Reasons for Multiple Domains
  • Administrative considerations (politics)
  • Unique policies
  • Network traffic
  • Network connectivity
  • Capacity
  • International differences
  • In-place upgrade of existing domains

31
Design Recommendations
If deploying more than one domain, remember
32
Domain Cost Implications
33
Domain Models: Single Domain
34
Domain Models: Regional
Forest Root
Regional Domain
Regional Domain
Regional Domain
35
Domain Models: Organizational
Corp
Division 2
Division 3
Division 1
36
Determining the Number of Domains
37
Agenda
  • Designing Multiple Forests
  • Implementing Multiple Forests
  • Designing Multiple Domains
  • Designing a Site Topology

38
Site Functions
Domain
Site 1
Site 3
Site 2
39
Typical Network Topologies
40
Active Directory Replication
London Site
Tilbury Site
41
DC Placement: Forest Root
Hub Site Network Hub Datacenter
Hub and Spoke Site Topology
Spoke Site
Spoke Site
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/4af3271a-4407-4ca5-9cd5-e05b79046d08.mspx
42
DC Placement: Regional
43
Global Catalog Placement
44
Operations Masters Review
Domain Roles
  • PDC Emulator
  • RID Master
  • Infrastructure
Forest Roles
  • Schema Master
  • Domain Name Master
45
Operations Masters Guidelines
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/edeba401-7f51-4717-91bd-ddb1dca8a327.mspx
46
Operations Masters Placement
  • Single-domain forest
    • Make all DCs into GCs
    • Leave roles on first DC
  • Forest root domain (multiple domains)
    • Move roles to second DC
    • Don't make the second DC a GC
  • Regional child domain
    • Leave roles on first DC
    • Don't make the second DC a GC

47
Creating Sites
48
Site Links
Site1-Site2
Site1-Site3
Site2-Site3
49
Site Link Cost
KBps 256 Cost 425
KBps 9.6 Cost 1024
KBps 256 Cost 425
50
Site Link Schedule
Site1-Site2 Cost 425
Site1-Site3 Cost 1024
Site2-Site3 Cost 425
51
Site Link Interval
52
Site Links Transitivity
West Coast
East Coast
Hub Site A
Site C
Site H
Hub Site B
A-C
B-H
A-B
A-D
B-G
A-E
B-F
Site D
Site E
Site F
Site G
Disable if
  • IP network is not fully routed
  • You wish to control replication traffic
53
Site Link Bridge Design
West Coast
East Coast
Hub Site A
Site C
Site H
Hub Site B
A-C
B-H
A-B
A-D
B-G
A-E
B-F
Site D
Site E
Site F
Site G
West Site Link Bridge
East Site Link Bridge
54
Session Summary
  • Keep designs as simple as possible.
  • Weigh benefits versus costs.
  • Plan carefully.

55
For More Information
  • Visit TechNet at www.microsoft.ca/technet
  • Visit the following URL for additional information

www.microsoft.com/technet/ADD-03
56
Questions?
Rick Claus, IT Pro Advisor, Microsoft Canada
rclaus_at_microsoft.com
http://blogs.technet.com/rclaus