Planning an Active Directory Deployment

Lesson 1
Directory Service
• A directory service is a repository of information
about the resources — hardware, software, and
human — that are connected to a network.
• Users, computers, and applications throughout
the network can access the repository for a
variety of purposes, including user authentication,
storage of configuration data, and even simple
white pages–style information lookups.
Active Directory
• Active Directory is the directory service that Microsoft
first introduced in Windows 2000 Server, and which they
have upgraded in each successive server operating
system release, including Windows Server 2008.
– Active Directory makes services and resources available.
– Provide authentication and authorization
• Authentication is the process of verifying a user’s identity.
• Authorization is the process of granting the user access
only to the resources he or she is permitted to use.
Active Directory Components
ITMT 2302 – Windows Server 2008 Active Directory
Configuration
Domain
• A domain is a logical container for the network
components that you control and administer as a
single entity.
• Each domain is hosted by at least one server
designated as a domain controller.
Active Directory Objects
• An Active Directory domain is a hierarchical structure
that takes the form of a tree, much like a file system.
• The domain consists of objects, each of which represents
a logical or physical resource.
• There are two basic classes of objects: container objects
and leaf objects.
– A container object, such as a domain or an organizational
unit, is one that can have other objects subordinate to it.
– A leaf object can represent users, computers, groups,
applications, and other resources on the network.
Active Directory Attributes
• Every object consists of attributes, which store
information about the object.
• A container object has, as one of its attributes, a list of all
the other objects it contains.
• Leaf objects have attributes that contain specific
information about the specific resource the object
represents.
• Some attributes are created automatically, such as the
globally unique identifier (GUID, stored in objectGUID) that
the domain controller assigns to each object when it creates
it and the security identifier (SID) assigned to every
security principal, while administrators must supply
information for other attributes manually.
Active Directory Attributes
Directory Schema
• Different object types have different sets of attributes,
depending on their functions.
• The attributes each type of object can possess, both
required and optional, the type of data that can be
stored in each attribute, and the object’s place in the
directory tree are all defined in the directory schema.
• In Active Directory, unlike Windows NT domains, the
directory schema elements are extensible, enabling
applications to add their own object types to the
directory, or add attributes to existing object types.
Additional User Attributes for Microsoft Exchange
Organizational Unit (OU)
• A container object that functions in a subordinate
capacity to a domain, something like a subdomain, but
without the complete separation of security policies.
• As a container object, OUs can contain other OUs, as well
as leaf objects.
• You can apply separate Group Policy to an OU, and
delegate the administration of an OU as needed.
• However, an OU is still part of the domain and still
inherits policies and permissions from its parent objects.
Organizational Units
Groups
• Active Directory supports groups with varying
capabilities, as defined by the group type and the group
scope.
• There are two group types in Active Directory:
– Security groups — Administrators use security groups to
assign permissions and user rights to a collection of
objects. In the vast majority of cases, the term “group”
refers to a security group.
– Distribution groups — Applications use distribution groups
for non-security–related functions, such as sending email
messages to a collection of users.
Security Groups
• The security group is the type you use most often when
designing an Active Directory infrastructure.
• Within the security group type, there are three group
scopes:
– Domain local groups — Can contain accounts and global or
universal groups from any domain in the forest, but can be
granted permissions only on resources in their own domain.
Most often used to assign permissions to resources in the
same domain.
– Global groups — Can contain only accounts and global groups
from their own domain, but can be granted permissions in any
domain in the forest. Most often used to organize users who
share similar network access requirements.
– Universal groups — Can contain accounts, global groups, and
universal groups from any domain in the forest; their
membership list is stored in the global catalog. Most often
used to assign permissions to related resources in multiple
domains.
Group Nesting
AGULP
• A traditional mnemonic for remembering the
nesting order of Active Directory groups: put
Accounts into Global groups, nest those (through
Universal groups when more than one domain is
involved) into domain Local groups, and assign
Permissions only to the domain local groups.
• AGULP stands for:
– Accounts
– Global groups
– Universal groups
– domain Local groups
– Permissions
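The AGULP pattern carried out with the ActiveDirectory module, as an added example that is not part of the course slides. The domain corp.example.com, the OU=Groups container, the file server \\fs01\Projects and the user names are assumptions; the group names follow a resource-plus-access-level convention that is a design choice, not something the slides prescribe.

```powershell
# Added example (not from the course): AGULP in PowerShell.
# Assumed names: corp.example.com, OU=Groups, \\fs01\Projects, users alice and bob.
Import-Module ActiveDirectory

$groupOU = "OU=Groups,DC=corp,DC=example,DC=com"

# A -> G: accounts go into a global group that names a role, not a resource.
New-ADGroup -Name "Finance-Users" -GroupScope Global -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity "Finance-Users" -Members "alice", "bob"

# G -> (U) -> DL: the role group is nested into a domain local group that
# names exactly one resource and one access level. A universal group would
# sit between the two only if roles from several domains had to be combined.
New-ADGroup -Name "FS01-Projects-Modify" -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity "FS01-Projects-Modify" -Members "Finance-Users"

# DL -> P: only the domain local group ever appears in the ACL.
$share = "\\fs01\Projects"
$acl   = Get-Acl -Path $share
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule("CORP\FS01-Projects-Modify", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check: resolve the nesting to see which accounts actually get Modify.
Get-ADGroupMember -Identity "FS01-Projects-Modify" -Recursive |
    Select-Object Name, objectClass, distinguishedName
```

The recursive membership check is the one to keep in an audit script: because permissions are granted to the domain local group and never to individual accounts, every effective grant on the resource can be listed by expanding that single group. Granting the NTFS right to the global group directly would also work, but it breaks the pattern and, on a resource in another domain, a domain local group could not be used at all.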
Domain Tree
• When designing an Active Directory
infrastructure, you might, in some cases, want to
create multiple domains.
• Active Directory scales upward from the domain
just as easily as it scales downward.
Internal Active Directory Domain Tree
Active Directory Domain Tree using an Internet Domain Name
Forest
• An Active Directory forest consists of one or more
separate domain trees, which have the same two-way
transitive trust relationships between them as two
domains in the same tree.
• When you create the first domain on an Active
Directory network, you are in fact creating a new
forest, and that first domain becomes the forest
root domain.
Global Catalog
• Domains are also the boundaries of the Active Directory
database: each domain's objects are stored in their own
directory partition.
• A domain controller maintains only the part of the Active
Directory database that defines that domain and its
objects.
• Active Directory clients still need a way to locate and
access the resources of other domains in the same forest.
• To make this possible, each forest has a global catalog,
which is a list of all of the objects in the forest, along with
a subset of each object's attributes. Domain controllers
designated as global catalog servers answer these queries
on TCP port 3268 (3269 over TLS).
Functional Levels
• Every Active Directory forest has a functional
level, as does every domain.
• Functional levels are designed to provide
backwards compatibility in Active Directory
installations running domain controllers with
various versions of the Windows Server operating
system.
Domain Controllers
• Each domain on an Active Directory network should have
at least two domain controllers, to ensure that the Active
Directory database is available to clients at all times, and
to provide clients with ready access to a nearby domain
controller.
• How many domain controllers you install for each of your
domains, and where you locate them, is an important
part of designing an Active Directory infrastructure.
• Also important is an understanding of how and why the
domain controllers communicate — with each other and
with clients.
Lightweight Directory Access Protocol
(LDAP)
• The standard communications protocol for
directory service products, including Active
Directory.
• LDAP defines the format of the queries that Active
Directory clients send to domain controllers (TCP
port 389, or 636 over TLS), as well as providing a
naming structure, the distinguished name, for
uniquely identifying objects in the directory.
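An LDAP query issued directly from PowerShell through System.DirectoryServices, as an added example that is not part of the course slides. It also shows the difference between asking a domain controller over LDAP and asking a global catalog server (the GC:// provider, port 3268), and it escapes the search value as RFC 4515 requires so that a caller-supplied string cannot rewrite the filter. The server name dc01.corp.example.com and the account name alice are assumptions.

```powershell
# Added example (not from the course): LDAP and global catalog queries.
# Assumed names: dc01.corp.example.com, sAMAccountName alice.

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping. Backslash goes first so the escapes it produces
    # are not escaped a second time. Without this, a value such as "*" or
    # "a)(objectClass=*" changes what the filter matches.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' `
           -replace '\(', '\28' -replace '\)', '\29' -replace '\x00', '\00'
}

function Find-DomainUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Server = "dc01.corp.example.com",   # assumption
        [switch]$GlobalCatalog   # GC: whole forest, but only the partial attribute set
    )
    $prefix = if ($GlobalCatalog) { "GC://" } else { "LDAP://" }
    $root   = New-Object System.DirectoryServices.DirectoryEntry("$prefix$Server")

    $value  = ConvertTo-LdapFilterValue $SamAccountName
    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$value))"
    $attrs  = @("distinguishedName", "userAccountControl", "memberOf")

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter, $attrs)
    $searcher.PageSize = 1000   # paged results, so large result sets are not truncated at 1000

    $searcher.FindAll() | ForEach-Object {
        [pscustomobject]@{
            DN       = $_.Properties["distinguishedname"][0]
            UAC      = $_.Properties["useraccountcontrol"][0]
            MemberOf = @($_.Properties["memberof"])
        }
    }
}

# Usage:
Find-DomainUser -SamAccountName "alice"                  # this domain's partition, full attributes
Find-DomainUser -SamAccountName "alice" -GlobalCatalog   # every domain in the forest, partial attributes
ConvertTo-LdapFilterValue 'a*(b)'                        # a\2a\28b\29
```

The same filter string is what ADSI, ldp.exe and Get-ADObject -LDAPFilter consume, so the escaping function is reusable wherever untrusted input ends up in a filter. Prefer a signed or TLS-protected connection for anything that is not a read of public attributes; plain LDAP on port 389 without signing can be tampered with on the wire.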
Active Directory Replication
• Active Directory uses multiple-master replication.
• When a change is made to a domain object on any
writable domain controller, that change is replicated to
all of the other domain controllers in the domain; changes
to the forest-wide schema and configuration partitions
replicate to every domain controller in the forest.
Active Directory Replication
Read-Only Domain Controllers
• One of the new Active Directory features in
Windows Server 2008 is the ability to create a
Read-Only Domain Controller (RODC), which is a
domain controller that supports only incoming
replication traffic.
• As a result, it is not possible to create, modify, or
delete Active Directory objects using the RODC; write
requests are referred to a writable domain controller.
• An RODC also caches only the credentials that its
Password Replication Policy allows, so compromise of a
branch-office RODC exposes those accounts rather than
every password in the domain.
Sites
• To facilitate the replication process, Active Directory
includes another administrative division called the site.
• A site is defined as a collection of subnets that have good
connectivity between them.
• Good connectivity is understood to be at least T-1 speed
(1.544 megabits per second).
• Generally speaking, this means that a site consists of all
the local area networks (LANs) at a specific location.
• A different site would be a network at a remote location,
connected to the other site using a T-1 or slower WAN
technology.
Sites
• A site topology consists of three Active Directory
object types:
– Sites — A site object represents the group of subnets
at a single location, with good connectivity.
– Subnets — A subnet object represents an IP network
at a particular site.
– Site links — A site link object represents a WAN
connection between two sites.
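The three object types above created with the ActiveDirectory replication cmdlets, as an added example that is not part of the course slides. The cmdlets are the Windows Server 2012 and later replacements for the Active Directory Sites and Services console the course targets; the site names, subnets, link cost and schedule, and the domain controller name DC02 are assumptions.

```powershell
# Added example (not from the course): a two-site topology.
# Assumed names: HQ-Chicago, Branch-Denver, 10.10.0.0/16, 10.20.0.0/24, DC02.
Import-Module ActiveDirectory

# The first site is created automatically as Default-First-Site-Name;
# rename it so the topology reflects the real location.
$defaultSite = Get-ADReplicationSite -Identity "Default-First-Site-Name"
Rename-ADObject -Identity $defaultSite.DistinguishedName -NewName "HQ-Chicago"
New-ADReplicationSite -Name "Branch-Denver"

# Subnet objects map addresses to sites. A client or DC whose address
# falls in no subnet cannot be placed in a site and will pick DCs at random.
New-ADReplicationSubnet -Name "10.10.0.0/16" -Site "HQ-Chicago"
New-ADReplicationSubnet -Name "10.20.0.0/24" -Site "Branch-Denver"

# The site link models the WAN circuit. Lower cost is preferred by the KCC;
# the frequency is the inter-site replication interval in minutes.
New-ADReplicationSiteLink -Name "HQ-Denver-T1" `
    -SitesIncluded "HQ-Chicago", "Branch-Denver" `
    -Cost 100 -ReplicationFrequencyInMinutes 30 -InterSiteTransportProtocol IP

# A DC promoted before its subnet existed lands in the default site;
# move it explicitly.
Move-ADDirectoryServer -Identity "DC02" -Site "Branch-Denver"

# Checks: every DC is in the intended site and every subnet has a site.
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsReadOnly
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```

The two final queries are worth running after any network change: an unmapped subnet silently sends branch clients across the WAN for authentication, and a DC left in the wrong site means the site link you designed is not the path replication actually takes.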
Designing an Active Directory
Infrastructure
• The process of designing an Active Directory
infrastructure consists of the following basic
phases:
– Designing the domain name space.
– Designing the internal domain structure.
– Designing a site topology.
– Designing a Group Policy strategy.
Additional Active Directory Domains
• Reasons to Create:
– Isolated replication
– Unique domain policy
– Domain upgrades
• Reasons Not to Create:
– Size
– Administration
Designing a Tree Structure
• Includes how you are going to arrange the
domains to form a tree and deciding how you are
going to name your domains and which domain
will be the forest root.
Designing a Tree Structure
• If you plan to create domains corresponding to remote
sites or organizational divisions, the most common
practice is to make them all subdomains in the same
tree, with a single root domain at the top.
• The first domain you create in an Active Directory forest
— the forest root domain — is critical, because it has
special capabilities.
– The Schema Admins and Enterprise Admins groups exist only in
the forest root domain. Members of Schema Admins can modify
the Active Directory schema, which affects all of the domains
in the forest, and Enterprise Admins have administrative
rights in every domain, which makes both the most sensitive
groups in the forest; keep their membership empty except
while a task that needs them is being performed.
Internal Domain Structure
• Once you create a design for your Active Directory
domains and the trees and forests superior to
them, it is time to zoom in on each domain and
consider the hierarchy you want to create inside
it.
Organizational Units
• Creating OUs should be based on:
– Duplicating organization divisions.
– Assigning Group Policy Settings.
– Delegating administration.
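An OU hierarchy with one delegated task, as an added example that is not part of the course slides; it illustrates both the OU slide earlier in the lesson and the design basis listed above. The delegation grants only the Reset Password extended right, on user objects under one OU, to a helpdesk group, which is the least-privilege form of the "delegate the administration of an OU" point. The OU and group names are assumptions; the two GUIDs are the fixed schema identifiers of the user class and of the User-Force-Change-Password right and are the same in every forest.

```powershell
# Added example (not from the course): OU hierarchy plus a narrow delegation.
# Assumed names: OU=Denver, OU=Users, group Denver-HelpDesk.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
New-ADOrganizationalUnit -Name "Denver" -Path $domainDN -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Users"  -Path "OU=Denver,$domainDN"
New-ADGroup -Name "Denver-HelpDesk" -GroupScope Global -GroupCategory Security -Path "OU=Denver,$domainDN"

# Fixed schema GUIDs (identical in every AD forest).
$userClassGuid     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # user object class
$resetPasswordGuid = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password

$ouPath  = "AD:\OU=Users,OU=Denver,$domainDN"
$acl     = Get-Acl -Path $ouPath
$sid     = (Get-ADGroup -Identity "Denver-HelpDesk").SID
$rights  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# One ACE: the reset-password right, inherited by user objects only,
# nothing on the OU itself and nothing on computers, groups or child OUs.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $allow, $resetPasswordGuid, $inherit, $userClassGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# Verify: anything beyond this single row for the helpdesk group is over-delegation.
(Get-Acl -Path $ouPath).Access |
    Where-Object { $_.IdentityReference -like "*Denver-HelpDesk" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Two caveats a practitioner should keep in mind. The Delegation of Control wizard's "Reset user passwords" task also grants write access to pwdLastSet so that "user must change password at next logon" can be set; add that second ACE only if the helpdesk needs it. And accounts that are members of protected groups (Domain Admins and the like) are not covered by this delegation even if they sit under the OU, because AdminSDHolder periodically rewrites their ACLs; that is by design and is the reason administrative accounts should not live in delegated OUs.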
Group Policies
• Group Policy is one of the most powerful features of
Active Directory.
• Using Group Policy, you can deploy hundreds of
configuration settings to large collections of users at
once.
• To deploy Group Policy settings, you must create group
policy objects (GPOs) and link them to Active Directory
domains, organizational units, or sites.
• Every user and computer object in the container to which
the GPO is linked, and in its subordinate OUs unless
inheritance is blocked or the GPO is filtered by security
group or WMI filter, receives the settings you configure in it.
Deploying Active Directory Domain
Services
• Although it does not actually convert the
computer into a domain controller, installing the
Active Directory Domain Services role prepares
the computer for the conversion process.
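The two separate steps described above, as an added example that is not part of the course slides: installing the role, then promoting the server. The cmdlets shown are the Windows Server 2012 and later equivalents of the Server Manager role wizard and dcpromo.exe that the course targets (on Server 2008 the second step is dcpromo with an unattend file). The domain name corp.example.com, NetBIOS name CORP, functional levels and paths are assumptions.

```powershell
# Added example (not from the course): role install, then promotion.
# Assumed values: corp.example.com / CORP, Win2012R2 functional levels, default paths.

# Step 1: install the role. After this the server is still a member server
# (or standalone); nothing has been written to a directory yet.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 2: promote. The DSRM password is the local administrator password of
# the DC when booted into Directory Services Restore Mode: treat it as a
# domain-admin-equivalent secret and store it in a vault, not in the script.
Import-Module ADDSDeployment
$dsrm = Read-Host -AsSecureString -Prompt "Directory Services Restore Mode password"

$params = @{
    DomainName                    = "corp.example.com"
    DomainNetbiosName             = "CORP"
    ForestMode                    = "Win2012R2"
    DomainMode                    = "Win2012R2"
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DatabasePath                  = "C:\Windows\NTDS"
    LogPath                       = "C:\Windows\NTDS"
    SysvolPath                    = "C:\Windows\SYSVOL"
    SafeModeAdministratorPassword = $dsrm
}

# Dry run first: reports name conflicts, DNS problems and missing prerequisites
# without changing anything.
Test-ADDSForestInstallation @params

# The real promotion; the server reboots as the forest root domain controller.
Install-ADDSForest @params -Force

# After the reboot: confirm the roles this first DC holds.
Get-ADDomainController | Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles
```

For every additional domain controller the first step is identical and the second becomes Install-ADDSDomainController (with -ReadOnlyReplica for an RODC); the DSRM password is set per server and is one of the credentials an attacker with physical access to a DC will go after.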
Summary
• A directory service is a repository of information
about the resources — hardware, software, and
human — that are connected to a network.
• Active Directory is the directory service that
Microsoft first introduced in Windows 2000
Server and that they have upgraded in each
successive server operating system release,
including Windows Server 2008.
Summary
• Users that are joined to an Active Directory
domain log on to the domain, not to an individual
computer or application, and are able to access
any resources in that domain for which
administrators have granted them the proper
permissions.
Summary
• In Active Directory, you can subdivide a domain into
organizational units and populate it with objects.
– You can also create multiple domains and group them into
trees and forests, and group the subnets that host them into
sites.
• An organizational unit (OU) is a container object that
functions in a subordinate capacity to a domain.
– OUs can contain other OUs, as well as leaf objects. You can
apply separate Group Policy to an OU and delegate the
administration of an OU as needed.
Summary
• Unlike organizational units, group objects are not
containers in the directory tree: a group refers to its
members through an attribute, and groups are not
security divisions as OUs are.
– You cannot apply Group Policy settings to a group object,
although you can filter a GPO so that it applies only to the
members of a group.
• When you create your first domain on an Active Directory
network, you are, in essence, creating the root of a
domain tree.
– You can populate the tree with additional domains as long
as they are part of the same contiguous namespace.
Summary
• An Active Directory forest consists of one or more
separate domain trees, which have the same two-way
transitive trust relationships between them as two
domains in the same tree.
• To facilitate the replication process, Active
Directory includes another administrative division
called the site.
• A site is defined as a collection of subnets that
have good connectivity between them.
Summary
• The overall objective in your Active Directory
design process should be to create as few
domains as possible.
Summary
• The design of a domain namespace should be
based on the structure of your organization.
• The most common structural paradigms used in
Active Directory designs are the geographic, in
which the domain structure is representative of
the organization’s physical locations, and the
political, in which the structure conforms to the
divisions or departments within your
organization.
Summary
• A critical difference between a domain tree hierarchy and
the OU hierarchy within a domain is inheritance.
• When you assign Group Policy settings to a domain, the
settings apply to all leaf objects in that domain, but not
to the subdomains that are subordinate to it.
• When you assign Group Policy settings to an OU, those
settings apply to all leaf objects in the OU, and the
settings are inherited by any subordinate OUs it contains.
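The GPO linking described in the Group Policies slide and the OU inheritance behaviour summarized above, as an added example that is not part of the course slides. It creates one GPO, links it to an OU, and then reads back the full list of GPOs that will apply to objects in that OU in processing order, which is the check to run before adding another link. The GroupPolicy module (part of GPMC) is required; the GPO name, the OU path and the registry setting are assumptions.

```powershell
# Added example (not from the course): create, link, then inspect inheritance.
# Assumed names: GPO Denver-Users-Screensaver, OU=Users,OU=Denver.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=Users,OU=Denver,$domainDN"

# A GPO is just an object until it is linked; create it and put one
# user-side, registry-based setting in it.
$gpo = New-GPO -Name "Denver-Users-Screensaver" -Comment "Lock the screen after 10 minutes"
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" `
    -ValueName "ScreenSaveTimeOut" -Type String -Value "600" | Out-Null

# Linking is what makes it apply to the users in this OU and its child OUs.
New-GPLink -Name $gpo.DisplayName -Target $ouDN -LinkEnabled Yes | Out-Null

# Inheritance check: every GPO that reaches this OU, from the domain link
# down through each parent OU, in the order the client will process it.
# A later entry overrides an earlier one for any setting both define.
$inheritance = Get-GPInheritance -Target $ouDN
$inheritance.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target

# Whether this OU blocks inheritance from above (enforced links still get through).
$inheritance.GpoInheritanceBlocked
```

The length of that InheritedGpoLinks list is the quantity the summary warns about: each entry is one more GPO the client downloads and evaluates at boot or logon. A GPO linked at the domain appears here, but a GPO linked at a parent domain in the tree does not, because domain-level links never cross a domain boundary.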
Summary
• GPOs can contain Computer settings, which are
applied as the client computer boots, and User
settings, which are applied as the user logs on to
the domain.
• The application of Group Policy settings at too
many levels can slow down the boot and/or logon
processes substantially.
Summary
• Part of the internal domain design process
consists of deciding where you are going to
deploy GPOs and creating a hierarchy that does
not apply too many GPOs to individual leaf
objects.