Chapter 4 PowerPoint

Transcript Chapter 4 PowerPoint

Implementing Active Directory
• Planning Active Directory Implementation
• Installing Active Directory
• Operations Master Roles
• Implementing an Organizational Unit Structure

Planning Active Directory Implementation
• Planning a Domain Structure
• Planning a Domain Namespace
• Planning an OU Structure
• Planning a Site Structure

Planning a Domain Structure
• Logical and physical environment structure
• Administrative requirements
• Domain requirements
• Domain organization needs

Functional and Geographical Divisions

Assessing the Logical Environment
• Consider how the company conducts daily operations to determine the logical structure of the organization.
• Consider how the company operates functionally and geographically.

Physical Environment

Assessing the Physical Environment: Users
• Number of employees
• Growth rate
• Plans for expansion

Assessing the Physical Environment: Network
• Organization of network connections
• Network connection speed
• Utilization of network connections
• TCP/IP subnets
Administrative Requirements
• Centralized administration
  • A single administrative team manages the network, users, and security.
  • This method is often used by smaller companies with fewer locations or business functions.
• Decentralized administration
  • A number of administrators or administrative teams manage the network, users, and security.
  • Teams are divided by location or business function.
• Customized administration
  • Administration is centralized for some resources and decentralized for others.
  • The method of administration is dependent upon business needs.
Domain Requirements
• Start with a single domain, which is the easiest domain structure to administer.
• Add domains only when the single domain model no longer meets the needs of the company.
• One domain can span multiple sites and contain millions of objects.
• Site and domain structures are separate and flexible.
• No need exists to create separate domains merely to reflect the company’s organization of divisions and departments.
• Use OUs to model the organization’s management hierarchy for delegation of administration.
• A single domain can span multiple geographical sites; a single site can include users and computers belonging to multiple domains.

Reasons to Create More Than One Domain
• Decentralized network administration
• Replication control
• Different password requirements between organizations
• Massive number of objects
• Different Internet domain names
• International requirements
• Internal political requirements

Assessing Domain Organization Needs
• Organize the domains into a tree or a forest hierarchy that fits the organization’s needs.
• Domains in trees and forests share the same configuration, schema, and global catalog.
• The two-way transitive trust relationship allows the domains to share resources.
• DNS name structure is the primary difference between domain trees and forests.
• Multiple domains should be set up in a single domain tree unless the organization operates as a group of several entities.
• Create a forest to combine organizations with unique domain names and to separate DNS zones.
• Each tree in the forest has its own unique namespace.
Planning a Domain Namespace
• Domains are named with DNS names.
• Plan the DNS namespace before using DNS on the network.
• Decisions must be made about how DNS is to be used and what goals will be accomplished using DNS.
  • Has a DNS domain name been previously chosen and registered for the Internet?
  • Will the company’s internal Active Directory namespace be the same as or different from its external Internet namespace?
  • What naming requirements and guidelines must be followed when choosing DNS domain names?

Choosing a DNS Domain Name
• First choose and register a unique parent DNS name that can be used for hosting the organization on the Internet.
• Before deciding on a parent DNS name for the organization, perform a search to see if the name is already registered to another entity.
• The Internet DNS namespace is currently managed by Network Solutions, Inc., though other domain name registrars are also available.
• Combine the parent DNS name with a location or organizational name used within your organization to form other subdomain names.

Same Internal and External Namespaces

Advantages to Using the Same Internal and External Namespaces
• The tree name is consistent on both the internal private network and the external public Internet.
• The idea of a single logon name is extended to the public Internet, allowing users to use the same logon name both internally and externally.

Disadvantages to Using the Same Internal and External Namespaces
• The result is a more complex proxy configuration.
• Care must be taken not to publish internal resources on the external public Internet.
• Duplication of effort in managing resources could occur.
• Proxy clients must be configured to know the difference between internal and external resources.
• Users will get a different view of internal and external resources even though the namespace is the same.

Separate Internal and External Namespaces

Advantages to Using Separate Internal and External Namespaces
• Because they are based on different domain names, the difference between internal and external resources is clear.
• The environment is more easily managed because no overlap or duplication of effort occurs.
• Configuration of proxy clients is simpler because exclusion lists need to contain only a tree name when identifying external resources.

Disadvantages to Using Separate Internal and External Namespaces
• Logon names are different from e-mail names.
• Multiple names must be registered with an Internet DNS registrar.

Microsoft Domain Name Structure
Domain Naming Requirements and Guidelines
• Select a root domain name that will remain static.
• Case-sensitive naming is not supported.
• Use simple and precise domain names that are easy for users to remember and that enable users to search intuitively for resources.
• Use standard DNS characters and Unicode characters.
• Windows 2000 supports the following standard DNS characters: A-Z, a-z, 0-9, and the hyphen (-), as defined in RFC 1035.
• Use unique names.
• Limit the number of domain levels.
• Avoid lengthy domain names; a name can be up to 63 characters, including the periods, and the total length cannot exceed 255 characters.
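As an added example (not part of the original slides), a small Python checker that applies the naming rules from this slide to candidate domain names: the RFC 1035 character set, case-insensitivity, uniqueness, and the 63- and 255-character limits. It assumes the conservative choice of RFC 1035 characters only (not the Unicode extension the slide also mentions), applies 63 to each label and 255 to the whole name as RFC 1035 defines them, treats a leading or trailing hyphen as invalid per RFC 1035, and uses a made-up planning threshold for the number of levels.

```python
from __future__ import annotations
import re

# Constraints taken from the slide: A-Z, a-z, 0-9 and hyphen (RFC 1035), no case
# sensitivity, a 63-character limit and a 255-character limit. RFC 1035 applies 63
# to each label and 255 to the whole name, and forbids a label that begins or ends
# with a hyphen; those two details are RFC 1035's, not the slide's.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_LABEL = 63
MAX_NAME = 255


def normalize(name: str) -> str:
    """Strip a trailing root dot and lower-case: DNS names are not case-sensitive."""
    return name.strip().rstrip(".").lower()


def check_ad_dns_name(name: str, max_levels: int = 4) -> list[str]:
    """Return the problems with a proposed AD domain name (empty list = passes).

    max_levels is an assumed planning threshold; the slide only says to limit levels.
    """
    n = normalize(name)
    if not n:
        return ["name is empty"]
    problems: list[str] = []
    if len(n) > MAX_NAME:
        problems.append(f"total length {len(n)} exceeds {MAX_NAME}")
    labels = n.split(".")
    if len(labels) > max_levels:
        problems.append(f"{len(labels)} levels exceeds the planning limit of {max_levels}")
    for label in labels:
        if not label:
            problems.append("empty label (leading or doubled period)")
        elif len(label) > MAX_LABEL:
            problems.append(f"label '{label[:8]}...' is longer than {MAX_LABEL} characters")
        elif not LABEL_RE.match(label):
            problems.append(f"label '{label}' uses a character outside A-Z, a-z, 0-9, "
                            "hyphen, or begins/ends with a hyphen")
    return problems


def find_duplicates(proposed: list[str]) -> set[str]:
    """'Use unique names': names differing only in case or a trailing dot collide."""
    seen: set[str] = set()
    dups: set[str] = set()
    for p in proposed:
        n = normalize(p)
        if n in seen:
            dups.add(n)
        seen.add(n)
    return dups


if __name__ == "__main__":
    # Constructed candidate names for a planning review
    for cand in ["Contoso.com", "east_coast.contoso.com", "-ny.contoso.com"]:
        print(cand, "->", check_ad_dns_name(cand) or "OK")
```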
OU Structure

Business Function–Based OU Structure

Geographical-Based OU Structure

Business Function– and Geographical-Based OU Structure

Planning a Site Structure
• A site is part of the Active Directory physical structure: a combination of one or more IP subnets connected by a highly reliable and fast network connection.
• Site structure is concerned with the physical environment; it is maintained separately from the logical environment, the domain structure.
• A single domain can include multiple sites; a single site can include multiple domains or parts of multiple domains.
• The main role of a site is to provide good network connectivity.

The Manner in Which Sites Are Set Up Affects Windows 2000 in Two Ways
• Workstation logon and authentication: When a user logs on, Windows 2000 will try to find a domain controller in the same site as the user’s computer to service the user’s logon request and subsequent requests for network information.
• Directory replication: You can configure the schedule and path for replication of a domain’s directory differently for inter-site replication, as opposed to replication within a site.
Optimizing Workstation Logon Traffic
• Consider which domain controller(s) the workstations on a given subnet should use.
• To have a particular workstation log on only to a specific set of domain controllers, define sites so that only those domain controllers are in the same subnet as that workstation.

Optimizing Directory Replication
• Consider where the domain controllers and the network connections between the domain controllers will be located.
• Each domain controller must participate in directory replication with the other domain controllers in its domain.
• Configure sites so that replication occurs at times and intervals that will not interfere with network performance.
• Consider establishing a bridgehead server to provide criteria for choosing which domain controller should be preferred as the recipient for inter-site replication.

Designing a Site Structure
• A simple LAN can be a single site, because connections typically are fast.
• Establish a separate site with its own domain controllers when domain controllers are not responding fast enough to meet the needs of the users.
• Determining what is fast enough depends on the criteria for network performance.
• Inadequate performance is more common when deployments span a wide geographic range.
• Other inadequacies may be attributed to poor network design and implementation.

Installing Active Directory
• The Active Directory Installation Wizard
• Configuring DNS for Active Directory
• The Database and Shared System Volume
• Domain Modes
• Removing Active Directory Services from a DC
• Practice: Installing Active Directory

Active Directory Installation Wizard
• Run DCPROMO from the command prompt, or run Configure Your Server on the Administrative Tools menu of the Start menu, to launch the wizard.
• The wizard runs on a stand-alone server and aids in the process of installing Active Directory and creating a new domain controller.
• During the installation process, the choice must be made to add the new domain controller to an existing domain or to create the first domain controller for a new domain.

Wizard Can Perform the Following Tasks
• Add a domain controller to an existing domain
• Create the first domain controller of a new domain
• Create a new child domain
• Create a new domain tree
• Install a DNS server
• Create the database and database log files
• Create the shared system volume
• Remove Active Directory services from a domain controller
Configuring DNS for Active Directory
• Active Directory uses DNS to find domain controllers.
• A client queries DNS for resource records that provide the names and IP addresses of the LDAP servers for the domain.
• LDAP is the protocol used to query and update Active Directory.
• Active Directory cannot be installed without DNS on the network.
• DNS can be installed without Active Directory.
• Configure the Windows 2000 DNS server automatically using the Active Directory Installation Wizard.
• Manual configuration of DNS to support Active Directory is not needed unless using a DNS server other than Windows 2000 DNS or using a special configuration.
• Manually configure DNS using the DNS console.
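The site-aware logon lookup described under the site-structure slides and the DNS query described on this slide, as an added example that is not part of the original slides: a Python simulation of how a client locates an LDAP server (a domain controller) through DNS. It assumes the standard SRV names that domain controllers register (_ldap._tcp.<site>._sites.<domain> tried before _ldap._tcp.<domain>), RFC 2782 priority/weight selection, and a constructed zone for contoso.com.

```python
from __future__ import annotations
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    target: str      # host name of the LDAP server (a domain controller)
    port: int
    priority: int    # lower value is preferred
    weight: int      # relative share among records of the same priority


def ldap_srv_names(domain: str, site: str | None) -> list[str]:
    """SRV names a client asks for, most specific first: the _sites form is
    what lets it prefer a domain controller in its own site."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.{domain}")
    names.append(f"_ldap._tcp.{domain}")
    return names


def pick_srv(records: list[SrvRecord], rng: random.Random | None = None) -> SrvRecord | None:
    """RFC 2782 selection: keep the lowest priority, then choose by weight."""
    if not records:
        return None
    if rng is None:
        rng = random.Random()
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return candidates[0]
    roll = rng.randrange(total)
    running = 0
    for r in candidates:
        running += r.weight
        if roll < running:
            return r
    return candidates[-1]


def locate_dc(zone: dict[str, list[SrvRecord]], a_records: dict[str, str],
              domain: str, site: str | None) -> tuple[str, str, int] | None:
    """Resolve a domain controller the way a workstation does at logon:
    site-specific SRV first, then the domain-wide SRV, then the host's A record."""
    for name in ldap_srv_names(domain, site):
        chosen = pick_srv(zone.get(name, []))
        if chosen and chosen.target in a_records:
            return chosen.target, a_records[chosen.target], chosen.port
    return None


# Constructed sample zone for contoso.com with two sites (not real records).
ZONE = {
    "_ldap._tcp.contoso.com": [
        SrvRecord("dc1.contoso.com.", 389, 0, 100),
        SrvRecord("dc2.contoso.com.", 389, 0, 100),
        SrvRecord("dc3.contoso.com.", 389, 10, 100),   # fallback: higher priority value
    ],
    "_ldap._tcp.Seattle._sites.contoso.com": [SrvRecord("dc2.contoso.com.", 389, 0, 100)],
}
A_RECORDS = {"dc1.contoso.com.": "10.1.0.10", "dc2.contoso.com.": "10.2.0.10",
             "dc3.contoso.com.": "10.3.0.10"}
```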
Database and Shared System Volume
• Installing Active Directory creates the database and database log files, as well as the shared system volume.
• Replication of the shared system volume occurs on the same schedule as replication of the Active Directory.
• File replication to or from the newly created system volume may not be noticed until two replication periods have elapsed, typically 10 minutes.
• The first file replication period updates the configuration of other system volumes so that they are aware of the newly created system volume.

Database and Database Log Files
• The database is the directory for the new domain.
• The default location is systemroot\NTDS.
• Place the database and log file on separate hard disks.

Shared System Volume
• A folder structure that exists on all Windows 2000 domain controllers.
• Stores scripts and some of the group policy objects for both the current domain and the enterprise.
• The default location is systemroot\SYSVOL.
• Must be located on a partition or volume formatted with NTFS 5.0.

Domain Modes
• Mixed mode
  • A domain controller is set to run in mixed mode when it is first installed or upgraded.
  • Allows the domain controller to interact with any domain controllers in the domain that are running previous versions of Windows NT.
• Switch to native mode
  • When all domain controllers in the domain run Windows 2000 Server.
  • When no more pre-Windows 2000 domain controllers are planned to be added to the domain.

Removing Active Directory Services from a Domain Controller
• Remove Active Directory by running DCPROMO from the Run dialog box.
• If the domain controller is the last domain controller in the domain, it will become a stand-alone server.
• Removing Active Directory from all domain controllers in the domain also deletes the directory database for the domain; the domain no longer exists.
• Computers joined to this domain can no longer log on to the domain or use domain services.

Operations Master Roles
• Operations Master Roles
• Forest-Wide Operations Master Roles
• Domain-Wide Operations Master Roles
• Planning Operations Master Locations
• Identifying Operations Master Role Assignments
• Transferring Operations Master Role Assignments
• Responding to Operations Master Failures

Purpose of Operations Master Roles
• Active Directory supports multimaster replication of the Active Directory database between all domain controllers in the domain.
• Some changes are impractical to perform in multimaster fashion; one or more domain controllers can be assigned to perform operations that are single-master operations.
• Single-master operations are not permitted to occur at different places in a network at the same time.

Forest-Wide Operations Master Roles
• Schema master
  • Controls all updates and modifications to the schema
  • Must be accessed to update the schema of the forest
  • There can be only one in the entire forest
• Domain naming master
  • Controls the addition or removal of domains in the forest
  • There can be only one in the entire forest

Domain-Wide Operations Master Roles
• Relative ID master
• PDC emulator
• Infrastructure master
Relative ID Master Role
• Allocates sequences of relative IDs to each of the various domain controllers in its domain.
• Only one domain controller acts as the relative ID master in each domain in the forest.
• Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID).
• A SID consists of a domain SID plus a relative ID that is unique for each SID created within the domain.
• To move an object between domains, you must initiate the move on the domain controller acting as the relative ID master of the domain that currently contains the object.
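An added example, not from the original slides, that simulates the RID allocation this slide describes in Python: one RID master hands out disjoint sequences, each domain controller mints SIDs locally from its own sequence and only returns to the master when that sequence is exhausted, and split_sid shows the domain SID plus relative ID structure. The domain SID, DC names and pool size are constructed values.

```python
from __future__ import annotations
from dataclasses import dataclass, field


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into the domain SID and the relative ID."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError(f"not a domain SID with RID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


@dataclass
class RidMaster:
    """The single DC per domain that hands out non-overlapping RID sequences."""
    domain_sid: str
    pool_size: int = 500          # size of each sequence; a constructed value here
    next_rid: int = 1000          # RIDs below 1000 are reserved for well-known accounts

    def allocate(self) -> range:
        pool = range(self.next_rid, self.next_rid + self.pool_size)
        self.next_rid += self.pool_size
        return pool


@dataclass
class DomainController:
    name: str
    master: RidMaster
    pool: list[int] = field(default_factory=list)
    created: list[str] = field(default_factory=list)

    def create_object(self) -> str:
        """Mint a SID locally; only an exhausted sequence sends the DC back to the master."""
        if not self.pool:
            self.pool = list(self.master.allocate())
        rid = self.pool.pop(0)
        sid = f"{self.master.domain_sid}-{rid}"
        self.created.append(sid)
        return sid


def simulate(objects_per_dc: int, dc_count: int = 3) -> list[str]:
    """Create objects round-robin on several DCs of one domain; return every SID minted."""
    master = RidMaster("S-1-5-21-1111111111-2222222222-3333333333")   # constructed domain SID
    dcs = [DomainController(f"dc{i}", master) for i in range(1, dc_count + 1)]
    for _ in range(objects_per_dc):
        for dc in dcs:
            dc.create_object()
    return [sid for dc in dcs for sid in dc.created]
```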
Primary Domain Controller (PDC) Emulator Role
• Acts as a Windows NT PDC if the domain contains computers operating without Windows 2000 client software or if it contains BDCs.
• Processes password changes from clients and replicates updates to the BDCs.
• Receives preferential replication of password changes performed by other domain controllers in the domain once all systems are upgraded to Windows 2000 and the Windows 2000 domain is operating in native mode.
• If a logon authentication fails at another domain controller due to a bad password, that domain controller will forward the authentication request to the PDC emulator before rejecting the logon attempt.
• Only one domain controller acts as the PDC emulator in each domain in the forest.

Infrastructure Master Role
• Responsible for updating the group-to-user references whenever the members of groups are renamed or changed.
• When renaming or moving a member of a group, and that member resides in a different domain from the group, the group may temporarily appear not to contain that member.
• Responsible for updating the group so that it knows the new name or location of the member.
• Distributes the update via multimaster replication.
• There is no compromise to security during the time between the member rename and the group update.
• Only one domain controller acts as the infrastructure master in each domain.

Operations Master Role Default Distribution in a Forest
Relative Identifier Master and PDC Emulator
• In typical domains, assign both the relative identifier master and PDC emulator roles to the operations master domain controller.
• In very large domains, reduce the peak load on the PDC emulator by placing these roles on separate domain controllers, both of which are direct replication partners of the standby operations master domain controller.
• Keep the two roles together unless the load on the operations master domain controller justifies separating the roles.

Infrastructure Master and Global Catalog
• The infrastructure master role should not be assigned to the domain controller that is hosting the global catalog unless only one domain controller exists in the domain.
• Assign the infrastructure master role to any domain controller that is well connected to a global catalog in the same site.
• If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function.
• The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.
• If all the domain controllers in a domain are also hosting the global catalog, they all will have the current data, and which domain controller holds the infrastructure master role does not matter.

Planning the Operations Master Roles for the Forest
• After all the domain roles have been planned for each domain, consider the forest roles.
• The schema master and domain naming master roles should always be assigned to the same domain controller.
• For best performance, assign them to a domain controller that is well connected to the computers used by the administrator or group responsible for schema updates and creation of new domains.
• The load of these operations master roles is very light.
• Place these roles on the operations master domain controller of one of the domains in the forest.
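As an added example (not part of the original slides), a Python check that applies the placement rules from the three preceding slides to a planned role layout: one holder per role, schema and domain naming masters together, RID master and PDC emulator together unless load justifies a split, and an infrastructure master that is not a global catalog (unless every DC in the domain is, or it is the only DC) but sits in a site with one. The DC inventory is constructed, with a weak plan beside the corrected one.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field

FOREST_ROLES = ("schema", "naming")
DOMAIN_ROLES = ("rid", "pdc", "infrastructure")


@dataclass
class DC:
    name: str
    domain: str
    site: str
    gc: bool = False                      # hosts the global catalog?
    roles: set[str] = field(default_factory=set)


def check_placement(dcs: list[DC]) -> list[str]:
    """Return findings against the placement rules from the slides (empty = clean plan)."""
    findings: list[str] = []
    by_domain: dict[str, list[DC]] = defaultdict(list)
    for dc in dcs:
        by_domain[dc.domain].append(dc)

    # Forest-wide roles: exactly one holder each, schema and naming on the same DC.
    forest = {r: [d.name for d in dcs if r in d.roles] for r in FOREST_ROLES}
    for role, names in forest.items():
        if len(names) != 1:
            findings.append(f"forest role '{role}' has {len(names)} holders: {names}")
    if forest["schema"] and forest["naming"] and forest["schema"] != forest["naming"]:
        findings.append("schema master and domain naming master should be on the same DC")

    for domain, members in by_domain.items():
        held = {r: [d for d in members if r in d.roles] for r in DOMAIN_ROLES}
        for role, holders in held.items():
            if len(holders) != 1:
                findings.append(f"{domain}: domain role '{role}' has {len(holders)} holders")
        if held["rid"] and held["pdc"] and held["rid"][0] is not held["pdc"][0]:
            findings.append(f"{domain}: RID master and PDC emulator are split; justified only by load")
        if held["infrastructure"]:
            im = held["infrastructure"][0]
            # A GC never holds stale cross-domain references, so an infrastructure
            # master on a GC has nothing to update unless every DC is a GC too.
            if im.gc and len(members) > 1 and not all(d.gc for d in members):
                findings.append(f"{domain}: infrastructure master {im.name} is a GC while "
                                "other DCs are not, so it will never update stale references")
            if not any(d.gc and d.site == im.site for d in dcs):
                findings.append(f"{domain}: no global catalog in site {im.site} for {im.name}")
    return findings


# Constructed inventories: a weak plan and the corrected one.
WEAK = [
    DC("dc1", "contoso.com", "Seattle", gc=True, roles={"schema", "rid", "pdc", "infrastructure"}),
    DC("dc2", "contoso.com", "Seattle", gc=False, roles={"naming"}),
]
FIXED = [
    DC("dc1", "contoso.com", "Seattle", gc=True, roles={"schema", "naming", "rid", "pdc"}),
    DC("dc2", "contoso.com", "Seattle", gc=False, roles={"infrastructure"}),
]
```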
Planning for Growth
• Normally, it is not necessary to change the locations of the various operations master roles as the forest grows.
• Review the plan and revise the operations master role assignments when planning to decommission a domain controller, change the global catalog status of a domain controller, or reduce the connectivity of parts of your network.

Responding to Operations Master Failures
• Schema Master Failure
• Domain Naming Master Failure
• Relative ID Master Failure
• PDC Emulator Failure
• Infrastructure Master Failure

Operations Master Failure Overview
• Some of the operations master roles are crucial to the operation of the network.
• Others can be unavailable for some time before their absence becomes a problem.
• If an operations master is not available due to computer failure or network problems, seize the operations master role, also known as forcing a transfer.
• Before forcing the transfer, first determine the cause and expected duration of the computer or network failure.
• If the cause is a networking problem or a server failure that will be resolved soon, wait for the role holder to become available again.
• Seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again.

Schema Master Failure
• Temporary loss of the schema operations master is not visible to network users.
• If it is unavailable for an unacceptable length of time, seize the role to the standby operations master.
• Seizing this role is a step that should be taken only when the failure is permanent.

Domain Naming Master Failure
• Temporary loss of the domain naming master is not visible to network users.
• If it is unavailable for an unacceptable length of time, seize the role to the standby operations master.
• Seizing this role is a step that should be taken only when the failure is permanent.

Relative ID Master Failure
• Temporary loss of the relative identifier operations master is not visible to network users.
• If it is unavailable for an unacceptable length of time, seize the role to the standby operations master.
• Seizing this role is a step that should be taken only when the failure is permanent.

PDC Emulator Failure
• This loss affects network users.
• You may need to seize the role immediately.
• Seize the PDC emulator master role to the standby operations master if it is unavailable for an unacceptable length of time and its domain has clients without Windows 2000 client software, or if it contains Windows NT BDCs.
• When the original PDC emulator master is returned to service, return the role to the original domain controller.

Infrastructure Master Failure
• Temporary loss of the infrastructure operations master is not visible to network users.
• If it is unavailable for an unacceptable length of time, seize the role to a domain controller that is not a global catalog but is well connected to a global catalog, ideally in the same site as the current global catalog.
• When the original infrastructure master is returned to service, transfer the role back to the original domain controller.

Implementing an OU Structure
• Creating OUs
• Setting OU Properties
• Practice: Creating an OU

OU Structure Overview
• Create OUs that mirror the organization’s functional or business structure.
• Each domain can implement its own OU hierarchy.
• If the enterprise contains several domains, create OU structures within each domain independent of the structures in the other domains.
• Use the Active Directory Users and Computers console to create OUs.
• An OU is always created on the first available domain controller that is contacted by MMC, and then the OU is replicated to all domain controllers.

OU Properties Dialog Box

Setting OU Properties
• A set of default properties is associated with each OU that is created.
• These properties equate to the object attributes.
• The tabs in the OU Properties dialog box contain information about each OU.
• Provide detailed property definitions for each OU that is created.
• Use the properties that are defined for an OU to search for OUs in the directory.