Advanced Active Directory Deployments


Advanced Active Directory
Deployments
Rick Claus
IT Pro Advisor
Microsoft Canada
[email protected]
http://blogs.technet.com/rclaus
What Will We Cover?
• Multiple Forest Design
• Multiple Domain Design
• Site Design
Helpful Experience
• Experience with Active Directory concepts
• Experience administering Active Directory
• Experience supporting TCP/IP networks
Level 200
Agenda
• Designing Multiple Forests
• Implementing Multiple Forests
• Designing Multiple Domains
• Designing a Site Topology
Designing Forests
Forests:
• Shared directory
• Security boundary
Forest Design:
• Identify business requirements
• Determine number of forests
Service Administrator Authority
Service administrators have full access
You should ensure they can be trusted
Reasons for Multiple Forests
Generic reasons and organizational reasons, including:
• Legal
• Autonomy
• Asset isolation
• Operational
• Structure
Autonomy vs. Isolation
Autonomy:
• Service autonomy
• Data autonomy
Isolation:
• Service isolation
• Data isolation
Forest Design Considerations
• Isolation requirements limit choices
• Allow enough negotiation time
• Consider the cost benefit
• Avoid co-ownership by two IT orgs
• Avoid outsourcing to multiple partners
Organizational Forest Model
Two organizational forests, each holding its own user accounts and resource servers, connected by a forest trust (diagram key: forest trust, user accounts, resource servers).
Resource Forest Model
An organizational forest holding the user accounts, connected by a forest trust to a resource forest holding the resource servers, service accounts and alternate user accounts.
Restricted-Access Forest Model
An organizational forest holding the user accounts and resource servers, and a separate restricted-access forest holding the servers with classified data; the diagram key shows no forest trust between them.
Scenario: Same Corporation
• Contoso.com: the corporate forest
• Plant.contoso.com: physically unsecured domain controllers
• hr.contoso.com: an application that requires a different schema
• Dedicated connection
Scenario: Different Corporations
Contoso.com and Fabrikam.com, each behind its own firewall, connected across the Internet.
Scenario: Perimeter Network
Internet (Passport) -> Firewall -> Perimeter: DMZ.Contoso.com with the Web App -> Firewall -> Internal: Contoso.com
Mapping Requirements to Models
Requirements   Limited       Data       Data      Service    Service
               Connectivity  Isolation  Autonomy  Isolation  Autonomy
Case 1         No            No         Yes       No         No
Case 2         No            No         N/A       Yes        N/A
Case 3         Yes           No         N/A       No         Yes
Solutions:
• Case 1: Join an existing forest for data autonomy.
• Case 2: Use an organizational or resource forest for service isolation.
• Case 3: Use an organizational forest or domain and reconfigure the firewall for service autonomy with limited connectivity.
Agenda
• Designing Multiple Forests
• Implementing Multiple Forests
• Designing Multiple Domains
• Designing a Site Topology
Forest Trusts
Forest trust between Corp.Fabrikam.com and Corp.Contoso.com.
Requirements
• Domain controllers running Windows Server 2003
• DNS infrastructure
• Windows Server 2003 Forest Functional Level
• Enterprise Admin privileges
Authentication across Forests
Diagram: domain controllers DC1 through DC4 across Corp.Fabrikam.com and Corp.Contoso.com, with a global catalog (GC) in the authentication path.
Authorization across Forests
Client                                    How principals in the other forest are referenced
Windows XP SP2 and Windows Server 2003    Can browse and search principals
Windows 2000                              Use UPN or NT 4.0 name
Windows NT 4.0 and earlier                Use NT 4.0 name
Exchange Server 5.5 and SQL Server 2000   Use NT 4.0 name
Restricting Forest Scope: Scenario 1
Forest trust between Fabrikam.com and Contoso.com: disable DomainInfo or TopLevelName so that the corresponding name is Not Trusted.
Restricting Forest Scope: Scenario 2
Forest trust between Contoso.com and Fabrikam.com, with selected principals "Allowed to authenticate".
Other Forest Considerations
• Recommended: forest trust between Contoso.com and Fabrikam.com
• Not recommended: forest trust between Contoso.com and Plant.contoso.com
Smart Cards and Forest Trusts
Forest trust between Contoso.com and Fabrikam.com, plus a PKI trust.
Agenda
• Designing Multiple Forests
• Implementing Multiple Forests
• Designing Multiple Domains
• Designing a Site Topology
Active Directory Domains
A domain is an Active Directory partition. Administrative functions:
• User identity
• Authentication
• Trust relationships
• Replication
Factors that Impact Domain Model
• Network capacity (for example 128K ISDN vs. T1)
• Number of users
Reasons for Multiple Domains
• Administrative considerations (politics)
• Unique policies
• Network traffic
• Network connectivity
• Capacity
• International differences
• In-place upgrade of existing domains
Design Recommendations
If deploying more than one domain, remember:
• Minimize the number of domains
• Minimize the depth of the domain hierarchy
• Choose a reorganization-proof design
• Deploy at least two DCs per domain
• Deploy transient domains during migration
Domain Cost Implications
• Management
• Consistency
• User moves
Domain Models: Single Domain
Domain Models: Regional
A forest root domain with several regional domains beneath it.
Domain Models: Organizational
Corp (forest root): the Central IT Team holds Enterprise Admins, Domain Admins and Schema Admins.
Division 1, Division 2 and Division 3 domains: each division's IT team holds its own Domain Admins.
Determining the Number of Domains
Slowest link          Max users by % bandwidth available
connecting a DC       1%         5%         10%
(KBps)
28.8K                 10,000     25,000     40,000
56K                   10,000     50,000     100,000
256                   50,000     100,000    100,000
1500 (T1)             100,000    100,000    100,000
Agenda
• Designing Multiple Forests
• Implementing Multiple Forests
• Designing Multiple Domains
• Designing a Site Topology
Site Functions
A domain spanning Site 1, Site 2 and Site 3.
Typical Network Topologies
• Ring topology: sites connected in a ring
• Hub and spoke topology: a hub site with several spoke sites
• Complex topology: multiple hub sites, each with its own spoke sites
Active Directory Replication
• London Site: DC-1, DC-2 and DC-3, using intrasite replication connections over the LAN
• Tilbury Site: DC-4 and DC-5
• Intersite replication connection over the WAN between the two sites
DC Placement: Forest Root
Hub and spoke site topology: a root DC in the hub site (network hub / datacenter) and a root DC in one of the spoke sites.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/4af3271a-4407-4ca5-9cd5-e05b79046d08.mspx
DC Placement: Regional
• Are DCs physically secure? No: do not place a DC.
• Is there an admin for the DCs? No: do not place a DC.
• Is the WAN link stable? No: place a DC.
• Is logon good? No: place a DC.
• Is 24x7 required? Yes: place a DC. No: do not place a DC.
Global Catalog Placement
• Is there an app that requires a GC? Yes: place a GC.
• More than 100 users? Yes: place a GC.
• Roaming users? Yes: place a GC.
• Otherwise, the WAN link to a GC decides between not placing a GC and placing a DC with UGMC (universal group membership caching) enabled.
Operations Masters Review
Domain roles:
• PDC Emulator
• RID Master
• Infrastructure Master
Forest roles:
• Schema Master
• Domain Name Master
Operations Masters Guidelines
Server/Role             Rule
All                     Place on highly reliable networks
First Server            Place near largest number of users
Standby                 Designate one immediately
Infrastructure Master   Do not place it on a GC*
PDC Emulator            Place near largest number of users
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/edeba401-7f51-4717-91bd-ddb1dca8a327.mspx
Operations Masters Placement
• Single-domain forest
  Make all DCs into GCs
  Leave roles on first DC
• Forest root domain (multiple domains)
  Move roles to second DC
  Don't make the second DC a GC
• Regional child domain
  Leave roles on first DC
  Don't make the second DC a GC
Creating Sites
• Is there a DC at the location? Yes: create a site for the location.
• No: is a site required by apps? Yes: create a site for the location. No: include the subnet of the location in the closest site.
Site Links
Site 1, Site 2 and Site 3 connected by the site links Site1-Site2, Site1-Site3 and Default-FirstSite2-Site3 (site-link objects).
Connection Transports
• RPC over IP
• SMTP
Site Link Cost
Available KBps   Cost
9.6              1042
19.2             798
38.4             644
56               586
64               567
128              486
256              425
512              378
1024             340
2048             309
4096             283
Example: Site1-Site2 at 256 KBps, cost 425; Site1-Site3 at 9.6 KBps, cost 1024; Site2-Site3 at 256 KBps, cost 425.
Site Link Schedule
Site1-Site2: cost 425. Site1-Site3: cost 1024. Site2-Site3: cost 425, not available from 8:00 A.M. to 6:00 P.M.
Site Link Interval
Site 1 to Site 2: schedule 8:00AM-10:00AM, interval 30 minutes, so replication occurs 4 times.
Site Links Transitivity
West Coast: Hub Site A with links A-C (Site C), A-D (Site D) and A-E (Site E). East Coast: Hub Site B with links B-F (Site F), B-G (Site G) and B-H (Site H). The hubs are connected by link A-B.
Disable transitivity if:
• IP network is not fully routed
• You wish to control replication traffic
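As an added example (not code from the deck), the Python below computes a site link cost from available bandwidth with the Windows Server 2003 Deployment Kit formula cost = 1024 / log10(bandwidth in KBps), which reproduces the cost table above, and then finds the cheapest transitive replication path between two sites, treating a link closed by its schedule as absent. The site links are constructed from the Site1/Site2/Site3 diagram in the slides.

```python
import heapq
import math


def site_link_cost(available_kbps: float) -> int:
    """Deployment Kit formula: cost = 1024 / log10(available bandwidth in KBps),
    rounded to the nearest integer. Reproduces the cost table in the slides."""
    return round(1024 / math.log10(available_kbps))


# Constructed site links taken from the deck's diagram: (name, site A, site B, KBps).
SITE_LINKS = [
    ("Site1-Site2", "Site 1", "Site 2", 256),
    ("Site1-Site3", "Site 1", "Site 3", 9.6),
    ("Site2-Site3", "Site 2", "Site 3", 256),
]


def cheapest_path(links, src, dst, unavailable=frozenset()):
    """Dijkstra over site links with transitivity enabled (bridge all site
    links), so replication may route through an intermediate site. Links named
    in `unavailable` are skipped, which models a link whose schedule is closed."""
    graph = {}
    for name, a, b, kbps in links:
        if name in unavailable:
            continue
        cost = site_link_cost(kbps)
        graph.setdefault(a, []).append((b, cost, name))
        graph.setdefault(b, []).append((a, cost, name))
    best, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        dist, node = heapq.heappop(heap)
        if node == dst:
            break
        if dist > best[node]:
            continue  # stale heap entry, a cheaper route was already found
        for nxt, cost, name in graph.get(node, []):
            if dist + cost < best.get(nxt, math.inf):
                best[nxt] = dist + cost
                prev[nxt] = (node, name)
                heapq.heappush(heap, (dist + cost, nxt))
    if dst not in best:
        return None, []  # no route: the sites are disconnected
    path, cur = [], dst
    while cur != src:
        cur, name = prev[cur]
        path.append(name)
    return best[dst], path[::-1]


if __name__ == "__main__":
    print(cheapest_path(SITE_LINKS, "Site 1", "Site 3", {"Site2-Site3"}))
```

With every link open, Site 1 reaches Site 3 through Site 2 for 425 + 425 = 850 rather than over the direct 9.6 KBps link; while Site2-Site3 is closed by its schedule, the direct link (1042 by the formula) is the only route. The table's 38.4 KBps entry (644) differs by two from the formula's 646, and the diagram's 1024 for the 9.6 KBps link differs from the table's 1042.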
Site Link Bridge Design
West Site Link Bridge: Hub Site A's links A-C (Site C), A-D (Site D) and A-E (Site E).
East Site Link Bridge: Hub Site B's links B-F (Site F), B-H (Site H) and B-G (Site G).
The two hubs are connected by link A-B.
Session Summary
• Keep designs as simple as possible.
• Weigh benefits versus costs.
• Plan carefully.
For More Information
Visit TechNet at
www.microsoft.ca/technet
Visit the following URL for additional information
www.microsoft.com/technet/ADD-03
Questions?
Rick Claus
IT Pro Advisor
Microsoft Canada
[email protected]
http://blogs.technet.com/rclaus