Transcript
Module 1: Introduction to Designing a Directory Services Infrastructure
Overview
Role of Active Directory in an Enterprise
Conducting an Organizational Analysis
Architectural Elements of Active Directory
This module provides the basic context and terminology
for the course. It starts by describing how Microsoft®
Windows® 2000 Active Directory™ directory service
works in an enterprise network environment. Prior to
designing the Active Directory structure, the architect
must first identify the administrative and business goals
of an organization. General guidelines for identifying
business needs are provided, and a framework for
making good design choices is discussed. Finally, an
overview of the architectural elements of Active
Directory is presented.
At the end of this module, you will be able to:
Describe Active Directory in Windows 2000.
Explain the importance of determining business needs
prior to designing an Active Directory infrastructure.
Describe the architectural elements used in the design
of the Active Directory infrastructure.
Role of Active Directory in an Enterprise
Domains and OUs Form Hierarchical Structures
Multiple Domains Can Form Trees and Forests
(Figure: a forest containing two trees; each tree is a hierarchy of domains, and each domain contains OUs and objects.)
Active Directory in Windows 2000 is a network directory
service. Administrators use Active Directory to define,
arrange, and manage objects, such as user data,
printers, and servers, so that they are available to users
and applications throughout the organization. Objects in
Active Directory are logically organized into a
hierarchical structure.
The objects that create the overall structural hierarchy
in Active Directory are:
Domains. This is the core unit of Active Directory. A
domain is a container of objects that share security
requirements, replication processes, and administration.
Active Directory uses a multi-master replication model in
which all domain controllers are equal.
Organizational units (OUs). An OU is a container object
that is used to organize objects within a domain into
logical administrative groups. Within a domain, OUs form
a hierarchical structure based on the organization's
administrative model.
Multiple domains within a single Active Directory can
create additional structure in the form of:
Trees. A tree is a hierarchical arrangement of one or
more domains with a single root name. Domains within a
tree share a common root domain name and share
information through automatic trust relationships.
Forests. A forest is a collection of one or more trees.
Multiple trees within a forest do not share a common root
domain name, but share information through automatic
trust relationships. Multiple forests can share information
only through explicit trusts.
Conducting an Organizational Analysis
Identifying Organizational Needs
Making Design Choices
Planning Guidelines
Enterprise architects must design the Active Directory
directory service to meet the business needs of the
customer. The first step in meeting this goal is
performing an organizational analysis to determine the
business as well as the information technology (IT)
needs of the customer.
In this lesson you will learn about the following topics:
Identifying organizational needs
Making design choices
Planning guidelines
Identifying Organizational Needs
Determine the Goals of the Organization
Analyze the Administrative Model
Anticipate Growth and Reorganization
Document the Gathered Information
Identifying organizational needs consists of the
following steps:
Determine Goals of the Organization. As an architect,
you must identify and then prioritize the business needs
of an organization. Once you have identified the goals,
you must translate them into a design for the Active
Directory structure that meets those goals. In the
design, you must ensure that Active Directory meets the
business needs of the organization, instead of basing
the goals of the organization on the Active Directory
structure.
Analyze the Administrative Model. The Active Directory
directory service is designed to support the storage and
easy retrieval of information. The design must support
the administrative model. The administrators of an
organization support the enterprise. Therefore, you
need to design Active Directory to support administrator
needs. These needs may be different from the business
practices of the organization. Identify and analyze the
current administrative model, and determine if any
improvements can be made.
Anticipate Growth and Reorganization. An Active
Directory structure has an anticipated life span of three
to five years. When designing the Active Directory
structure, you must anticipate future growth and
reorganization, and then design Active Directory so it
can easily accommodate growth.
Document the Gathered Information. After your initial
organizational analysis, document your findings.
Documentation will guide you through the design
process and clarify any conflicts that may occur as you
design Active Directory.
Making Design Choices
Decision Points
Implications
Risks and Costs
Tradeoffs
When making design choices, identify the following
factors that will influence design:
Decision Points. You should filter information you
received from your organizational analysis.
Organizations can often provide too little or too much
information about their business needs. Careful
examination of your information will help you
incorporate only the most pertinent information into the
design of the Active Directory structure.
Implications. Be aware of the implications of making a
particular design decision, and possible alternatives to
the decision. There are often several ways to achieve an
intended outcome in the design of the Active Directory
structure. Knowing the implications of each possible
option will help guide your design choices.
Risks and Costs. Identifying risks before beginning the
design process gives you an opportunity to mitigate or
decrease possible problems. For example, if there are
limited resources for testing, then implementation of a
design can be scheduled for off-peak hours to mitigate
any unforeseen results of the implementation.
Tradeoffs. Every organization will have individuals or
departments with different goals for the project. Not all
goals may be achievable due to schedule and resource
constraints. By prioritizing goals and identifying
positive and negative characteristics of each goal, you
can make effective tradeoff decisions.
Planning Guidelines
Remember Business Needs
Maintain a Clear Vision
Make Solid Tradeoff Decisions
Create a Simple Design
Test the Design
Remember Business Needs
When designing an Active Directory structure, ensure
that the business needs, rather than the technology,
determine the design. Only allow technology to
influence your design if the technology can provide a
more efficient means of doing business.
Maintain a Clear Vision
As your design progresses, maintain a clear vision of
your overall structure.
Make Solid Tradeoff Decisions
Carefully consider tradeoff decisions when faced with
design options.
Create a Simple Design
The best strategy is to create the simplest design
possible.
Test the Design
Finally, ensure that the design is adequately tested
before releasing the design to the team responsible for
implementing Active Directory.
Architectural Elements of Active Directory
Designing a Naming Strategy
Designing for Delegation of Administrative Authority
Designing Schema Modifications
Designing for Group Policy
Designing an Active Directory Domain
Designing Multiple Domains
Designing a Site Topology
An enterprise architect combines the various
architectural components of Active Directory to
design a directory services infrastructure that meets the
business needs of the organization.
To use these components effectively, you must
understand the capabilities of each component
and the design elements within Active Directory that
each component influences.
In this lesson you will learn about the following topics:
Designing a naming strategy
Designing for delegation of administrative authority
Designing schema modifications
Designing for group policy
Designing an Active Directory domain
Designing multiple domains
Designing a site topology
Designing a Naming Strategy
Active Directory Uses DNS as Naming Service
Internet Presence a Determining Factor in Selecting Domain Names
(Figure: the Domain Name System (DNS) resolving the domain name nwtraders.msft.)
Active Directory follows the Domain Name System (DNS)
standard as a basis for naming domains. Active Directory
also uses DNS as the domain locator service. You can use
DNS for name resolution of the organization's internal
resources, such as its intranet, and external resources,
such as the Internet.
An organization's current and planned presence on the
Internet will help determine Active Directory naming
strategies. Carefully selecting an inclusive DNS name for
the root domain is crucial, because a carefully selected
name may make it easier for users to access the network
over the Internet. The root domain name will also be
included in any child domains created from the root
domain.
DNS Basics
Designing for Delegation of Administrative Authority
Relieves Burden of Centralized Management
Separates Administrative Authority from Rest of Network
(Figure: the domain nwtraders.msft with child domains asia.nwtraders.msft and na.nwtraders.msft; OUs named HR, Mfg, recruiting, training, and research mark where administrative authority is delegated.)
Delegating administrative authority in Active Directory
allows network administrators to grant administrative
control of objects in Active Directory to trusted users.
Delegating authority reduces the workload of a
centralized administrator, and also separates the
delegated authority from other areas of the network.
You can create a hierarchical structure of domains and
OUs that reflects the administrative model of an
organization. You can also delegate authority to
individual users and computers. By structuring the
Active Directory hierarchy and then managing the
permissions on the objects and properties in Active
Directory, you can precisely specify the accounts that
can access information in Active Directory and the level
of permissions that they can have. This precise
specification allows network administrators to delegate
specific authority over portions of Active Directory to
groups of users, without making its information
vulnerable to unauthorized access.
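The following is an added example (not part of the course) that models how a delegation made at one OU propagates down the hierarchy and stops at its boundary, using the na.nwtraders.msft OUs from the slide. The trustee groups, rights and the rule that a non-inherited grant covers only an OU's direct children are constructed assumptions.

```python
# Constructed delegation table for the na.nwtraders.msft domain on the slide.
# Each row grants a trustee a set of rights on an OU; "subtree" says whether
# the grant is inherited by everything beneath the OU or applies only to
# objects directly inside it. Hypothetical data, not the course's own.
DELEGATIONS = [
    ("HR Helpdesk", "OU=HR,DC=na,DC=nwtraders,DC=msft",
     {"reset_password"}, True),
    ("Mfg Admins", "OU=Mfg,DC=na,DC=nwtraders,DC=msft",
     {"create_user", "reset_password"}, True),
    ("Recruiters", "OU=recruiting,OU=HR,DC=na,DC=nwtraders,DC=msft",
     {"modify_attributes"}, False),
]


def parent_chain(dn):
    """Containers above dn, nearest first, compared case-insensitively as
    directory names are. Assumes no escaped commas in the DN."""
    parts = dn.lower().split(",")
    return [",".join(parts[i:]) for i in range(1, len(parts))]


def effective_rights(trustee, object_dn, delegations=DELEGATIONS):
    """Rights trustee holds on object_dn by walking up the OU hierarchy:
    a subtree grant on any ancestor applies; a non-inherited grant applies
    only when the delegated OU is the object's immediate parent."""
    chain = parent_chain(object_dn)
    rights = set()
    for who, ou, granted, subtree in delegations:
        ou = ou.lower()
        if who != trustee or ou not in chain:
            continue
        if subtree or chain[0] == ou:
            rights |= granted
    return rights


def is_allowed(trustee, right, object_dn, delegations=DELEGATIONS):
    """True only if the delegation reaches this object; anything outside the
    delegated portion of the directory stays off limits to the trustee."""
    return right in effective_rights(trustee, object_dn, delegations)
```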
Designing Schema Modifications
Schema Defines Objects and Attributes in Active Directory
Changing the Schema Can Affect the Entire Network
Create a Schema Modification Policy to Manage Changes
The Active Directory schema contains the definitions of
all objects, such as computers, users,
and printers, that are stored in Active Directory. The
definitions contained within the schema
define the classes of objects Active Directory may
contain, and the types of attributes each
object may or must have.
Schema modification includes adding or changing
object class or attribute definitions. Changing
the schema has implications that can affect the entire
network. Schema modifications are rare,
but an organization may have business needs that can
only be met by schema modification.
You will need to create a schema modification policy to
manage the modification process.
Designing for Group Policy
Group Policy Objects Apply Configurations to Sites, Domains, and OUs
Group Policy Is Inherited in Active Directory Hierarchy
(Figure: a GPO linked at the site, domain, and OU levels.)
Group Policy is used to manage software configurations
and regulate security on computers and users in Active
Directory. A Group Policy object (GPO) is used to apply
Group Policy to users and computers in Active
Directory at the site, domain, and OU level.
You can design Active Directory to support the
application of Group Policy through delegation and by
the creation of lower-level OUs to contain users and
computers subject to particular GPOs. Group Policy is
also inherited through the site, domain, and OU
structure. By carefully designing the Active Directory
infrastructure, you can apply GPOs to intended users
and computers in upper-level domains or OUs so that
the GPOs will be inherited to lower-level domains and
OUs.
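As an added illustration (not course material), the model below works through the Windows 2000 Group Policy processing order, site first, then domain, then OUs from the top of the hierarchy down, with later-applied GPOs winning conflicting settings. The GPO names and settings for nwtraders.msft are constructed; the Block Policy Inheritance and No Override behaviour is the Windows 2000 rule.

```python
# Constructed model of Windows 2000 Group Policy processing order. Scopes are
# processed site -> domain -> OU -> ... -> leaf OU, and a later GPO overrides
# an earlier one for the same setting. Hypothetical scopes, not the course's.

def resultant_policy(scopes):
    """scopes: list of dicts ordered site, domain, OU, ..., leaf OU. Each has
    'name', 'gpos' (list of (gpo_name, settings, no_override) in link order)
    and optionally 'block' (Block Policy Inheritance set on that container).
    Returns {setting: (value, winning_gpo)} for a user or computer in the leaf."""
    applied = []
    for scope in scopes:
        if scope.get("block"):
            # Blocking discards everything linked above, except No Override links
            applied = [g for g in applied if g[2]]
        applied.extend(scope["gpos"])
    normal = [g for g in applied if not g[2]]
    # No Override GPOs are applied last so they win conflicts; among them the
    # one linked highest in the hierarchy wins, hence the reversed order
    forced = [g for g in applied if g[2]][::-1]
    result = {}
    for name, settings, _ in normal + forced:
        for key, value in settings.items():
            result[key] = (value, name)
    return result


# Constructed example: a site GPO, two domain GPOs (one set to No Override),
# and an OU that blocks inheritance but still receives the enforced one.
NWTRADERS_SCOPES = [
    {"name": "Redmond site",
     "gpos": [("Site-Desktop", {"screensaver_timeout": 600,
                                "logon_banner": "site"}, False)]},
    {"name": "nwtraders.msft",
     "gpos": [("Default Domain Policy", {"min_password_length": 8}, True),
              ("Domain-Desktop", {"logon_banner": "domain"}, False)]},
    {"name": "OU=Mfg", "block": True,
     "gpos": [("Mfg-Desktop", {"screensaver_timeout": 300,
                               "min_password_length": 6}, False)]},
]


def demo():
    """Resultant policy for a computer in OU=Mfg of the constructed forest."""
    return resultant_policy(NWTRADERS_SCOPES)
```

The OU's own GPO wins the screensaver setting, the enforced domain password length survives the block, and the blocked logon banner never reaches Mfg.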
Designing an Active Directory Domain
Create OUs to Support Delegation and Group Policy
Create OU Structure to Reflect Administrative Model
Carefully Name the First Domain
(Figure: the first domain, nwtraders.msft, containing a hierarchy of OUs.)
The ongoing administrative tasks of an organization can
be simplified by initially planning how to organize
objects in a domain. A well-designed OU structure
comprised of upper- and lower-level OUs will allow
administrators to delegate authority and apply Group
Policy.
The first domain created in Active Directory is the root
domain of the entire forest. The first domain is also
referred to as the forest root. The forest root contains
the configuration and schema information for the forest.
Naming the first domain is an important design step,
since the first domain cannot be renamed.
Designing Multiple Domains
Administered Separately But May Share Resources
More Complex To Manage
(Figure: root domain nwtraders.msft with child domains us.nwtraders.msft and europe.nwtraders.msft.)
Domains, trees, and forests are bounded units within Microsoft
Windows 2000 Active Directory directory service. These units can
share resources but can also be administered separately. Most
business needs can be met by a single domain structure. A single
domain is simpler to manage, and delegating administrative authority
within it is straightforward. However, a business may want to use
multiple domains within Active Directory. You will need to evaluate
the need for a multiple-domain structure and the implications of
increasing the complexity of the Active Directory structure before
making this decision.
Domains can be arranged into multiple-domain trees, multiple-tree
forests, and multiple forests. The business drivers that require a
multiple-domain design will also affect the type of design you
create.
Designing a Site Topology
Sites Define Physical Structure of Active Directory
Use Sites to Control Network Traffic Flow
(Figure: the nwtraders.msft domain spanning a Charlotte site and a Redmond site.)
Active Directory uses sites to define the physical
structure of the network. A site is a collection of well-connected
machines, based on Internet Protocol (IP) subnets. A site definition
is stored as a site object in Active Directory. Collectively, all
sites form a site topology. Because sites represent the physical
structure of your network, they do not need to map to the logical
structure of Active Directory.
You can use sites to control workstation logon traffic,
replication traffic, Distributed file system (Dfs) topology,
and File Replication service (FRS).
Excessive network traffic can occur between remote
locations due to frequent exchange of large amounts of
data and directory information. Designing an
appropriate site topology helps you better organize the
Windows 2000 network in your organization and
optimize the exchange of data and directory
information.
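The added example below (not from the course) shows how a site topology steers traffic: a workstation is mapped to a site by the most specific subnet object containing its address, logon is directed to domain controllers in that site, and DC pairs split into intra-site and inter-site replication links. Only the Charlotte and Redmond site names come from the slide; the subnets and domain controllers are constructed.

```python
import ipaddress
from itertools import combinations

# Constructed site topology for nwtraders.msft. The slide names only the
# Charlotte and Redmond sites; the subnets and domain controllers here are
# hypothetical and not from the course.
SUBNETS = {
    "10.1.0.0/16": "Charlotte",
    "10.2.0.0/16": "Redmond",
    "10.2.200.0/24": "Charlotte",  # a Charlotte-served range carved out of 10.2/16
}
DOMAIN_CONTROLLERS = {
    "dc1.nwtraders.msft": "Charlotte",
    "dc2.nwtraders.msft": "Redmond",
    "dc3.nwtraders.msft": "Redmond",
}


def site_for_address(addr, subnets=SUBNETS):
    """Site whose subnet object most specifically (longest prefix) contains
    addr, or None when no subnet object covers it (a site-less client)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def logon_candidates(addr, subnets=SUBNETS, dcs=DOMAIN_CONTROLLERS):
    """Domain controllers a workstation at addr should prefer for logon: the
    ones in its own site, which keeps logon traffic on the well-connected LAN.
    A client in no defined site gets no site preference and may use any DC."""
    site = site_for_address(addr, subnets)
    local = sorted(dc for dc, dc_site in dcs.items() if dc_site == site)
    return local or sorted(dcs)


def replication_links(dcs=DOMAIN_CONTROLLERS):
    """DC pairs split into intra-site links (frequent, uncompressed) and
    inter-site links, which the site topology lets you schedule and compress
    to limit directory traffic between remote locations."""
    links = {"intra": [], "inter": []}
    for a, b in combinations(sorted(dcs), 2):
        links["intra" if dcs[a] == dcs[b] else "inter"].append((a, b))
    return links
```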
Review
Role of Active Directory in an Enterprise
Conducting an Organizational Analysis
Architectural Elements of Active Directory