Transcript Domains
Module 1: Introduction to Designing a Directory Services Infrastructure Overview Role of Active Directory in an Enterprise Conducting an Organizational Analysis Architectural Elements of Active Directory This module provides the basic context and terminology for the course. It starts by describing how Microsoft® Windows® 2000 Active Directory™ directory service works in an enterprise network environment. Prior to designing the Active Directory structure, the architect must first identify the administrative and business goals of an organization. General guidelines for identifying business needs are provided, and a framework for making good design choices is discussed. Finally, an overview of the architectural elements of Active Directory is presented. At the end of this module, you will be able to: Describe Active Directory in Windows 2000. Explain the importance of determining business needs prior to designing an Active Directory infrastructure. Describe the architectural elements used in the design of the Active Directory infrastructure. Role of Active Directory in an Enterprise Domains and OUs Form Hierarchical Structures Multiple Domains Can Form Trees Forests Domain Tree OU Domain Domain Forest OU OU Domain Objects Tree Domain Domain Active Directory in Windows 2000 is a network directory service. Administrators use Active Directory to define, arrange, and manage objects, such as user data, printers, and servers, so that they are available to users and applications throughout the organization. Objects in Active Directory are logically organized into a hierarchical structure. The objects that create the overall structural hierarchy in Active Directory are: Domains. This is the core unit of Active Directory. A domain is a container of objects that share security requirements, replication processes, and administration. Active Directory uses a multi-master replication model in which all domain controllers are equal. Organizational units (OUs). An OU is a container object that is used to organize objects within a domain into logical administrative groups. Within a domain, OUs form a hierarchical structure based on the organization's administrative model. Multiple domains within a single Active Directory can create additional structure in the form of: Trees. A tree is a hierarchical arrangement of one or more domains with a single root name. Domains within a tree share a common root domain name and share information through automatic trust relationships. Forests. A forest is a collection of one or more trees. Multiple trees within a forest do not share a common root domain name, but share information through automatic trust relationships. Multiple forests can share information only through explicit trusts. Conducting an Organizational Analysis Identifying Organizational Needs Making Design Choices Planning Guidelines Enterprise architects must design the Active Directory directory service to meet the business needs of the customer. The first step in meeting this goal is performing an organizational analysis to determine the business as well as the information technology (IT) needs of the customer. In this lesson you will learn about the following topics: Identifying organizational needs Making design choices Planning guidelines Identifying Organizational Needs Determine the Goals of the Organization Analyze the Administrative Model Anticipate Growth and Reorganization Document the Gathered Information Identifying organizational needs consists of the following steps: Determine Goals of the Organization. As an architect, you must identify and then prioritize the business needs of an organization. Once you have identified the goals, you must translate them into a design for the Active Directory structure that meets those goals. In the design, you must ensure that Active Directory meets the business needs of the organization, instead of basing the goals of the organization on the Active Directory structure. Analyze the Administrative Model. The Active Directory directory service is designed to support the storage and easy retrieval of information. The design must support the administrative model. The administrators of an organization support the enterprise. Therefore, you need to design Active Directory to support administrator needs. These needs may be different from the business practices of the organization. Identify and analyze the current administrative model, and determine if any improvements can be made. Anticipate Growth and Reorganization. An Active Directory structure has an anticipated life span of three to five years. When designing the Active Directory structure, you must anticipate future growth and reorganization, and then design Active Directory so it can easily accommodate growth. Document the Gathered Information. After your initial organizational analysis, document your findings. Documentation will guide you through the design process and clarify any conflicts that may occur as you design Active Directory. Making Design Choices Decision Points Implications Risks and Costs Tradeoffs When making design choices, identify the following factors that will influence design: Decision Points. You should filter information you received from your organizational analysis. Organizations can often provide too little or too much information about their business needs. Careful examination of your information will help you incorporate only the most pertinent information into the design of the Active Directory structure. Implications. Be aware of the implications of making a particular design decision, and possible alternatives to the decision. There are often several ways to achieve an intended outcome in the design of the Active Directory structure. Knowing the implications of each possible option will help guide your design choices. Risks and Costs. Identifying risks before beginning the design process gives you an opportunity to mitigate or decrease possible problems. For example, if there are limited resources for testing, then implementation of a design can be scheduled for off-peak hours to mitigate any unforeseen results of the implementation. Tradeoffs. Every organization will have individuals or departments with different goals for the project. Not all goals may be achievable due to schedule and resource constraints. By prioritizing goals and identifying positive and negative characteristics of each goal, you can make effective tradeoff decisions Planning Guidelines Remember Business Needs Maintain a Clear Vision Make Solid Tradeoff Decisions Create a Simple Design Test the Design Remember Business Needs When designing an Active Directory structure, ensure that the business needs, rather than the technology, determine the design. Only allow technology to influence your design if the technology can provide a more efficient means of doing business. Maintain a Clear Vision As your design progresses, maintain a clear vision of your overall structure. Make Solid Tradeoff Decisions Carefully consider tradeoff decisions when faced with design options. Create a Simple Design The best strategy is to create the simplest design possible. Test the Design Finally, ensure that the design is adequately tested before releasing the design to the team responsible for implementing Active Directory. Architectural Elements of Active Directory Designing a Naming Strategy Designing for Delegation of Administrative Authority Designing Schema Modifications Designing for Group Policy Designing an Active Directory Domain Designing Multiple Domains Designing a Site Topology An enterprise architect combines the various architectural components of Active Directory to design a directory services infrastructure that meets the business needs of the organization. To use these components effectively, you must understand the capabilities of each component and the design elements within Active Directory that each component influences. In this lesson you will learn about the following topics: Designing a naming strategy Designing for delegation of administrative authority Designing schema modifications Designing for group policy Designing an active directory domain Designing multiple domains Designing a site topology Designing a Naming Strategy Active Directory Uses DNS as Naming Service Internet Presence a Determining Factor in Selecting Domain Names Domain Name System (DNS) nwtraders.msft Active Directory follows the Domain Name System (DNS) standard as a basis for naming domains. Active Directory also uses DNS as the domain locator service. You can use DNS for name resolution of the organization's internal resources, such as its intranet, and external resources, such as the Internet. An organization's current and planned presence on the Internet will help determine Active Directory naming strategies. Carefully selecting an inclusive DNS name for the root domain is crucial, because a carefully selected name may make it easier for users to access the network over the Internet. The root domain name will also be included in any child domains created from the root domain. DNS Basics Designing for Delegation of Administrative Authority Relieves Burden of Centralized Management Separates Administrative Authority from Rest of nwtraders.msft Network Domain asia.nwtraders.msft HR Mfg na.nwtraders.msft recruiting training research Delegating administrative authority in Active Directory allows network administrators to grant administrative control of objects in Active Directory to trusted users. Delegating authority reduces the workload of a centralized administrator, and also separates the delegated authority from other areas of the network. You can create a hierarchical structure of domains and OUs that reflects the administrative model of an organization. You can also delegate authority to individual users and computers. By structuring the Active Directory hierarchy and then managing the permissions on the objects and properties in Active Directory, you can precisely specify the accounts that can access information in Active Directory and the level of permissions that they can have. This precise specification allows network administrators to delegate specific authority over portions of Active Directory to groups of users, without making its information vulnerable to unauthorized access. Designing Schema Modifications Schema Defines Objects and Attributes in Active Directory Changing the Schema Can Affect the Entire Network Create a Schema Modification Policy to Manage Changes Schema The Active Directory schema contains the definitions of all objects, such as computers, users, and printers, that are stored in Active Directory. The definitions contained within the schema define the classes of objects Active Directory may contain, and the types of attributes each object may or must have. Schema modification includes adding or changing object class or attribute definitions. Changing the schema has implications that can affect the entire network. Schema modifications are rare, but an organization may have business needs that can only be met by schema modification. You will need to create a schema modification policy to manage the modification process. Designing for Group Policy Group Policy Objects Apply Configurations to Sites, Domains, and OUs Group Policy Is Inherited In Active Directory Hierarchy GPO Site OU Domain Group Policy is used to manage software configurations and regulate security on computers and users in Active Directory. A Group Policy object (GPO) is used to apply Group Policy to users and computers in Active Directory at the site, domain, and OU level. You can design Active Directory to support the application of Group Policy through delegation and by the creation of lower-level OUs to contain users and computers subject to particular GPOs. Group Policy is also inherited through the site, domain, and OU structure. By carefully designing the Active Directory infrastructure, you can apply GPOs to intended users and computers in upper-level domains or OUs so that the GPOs will be inherited to lower-level domains and OUs. Designing an Active Directory Domain Create OUs to Support Delegation and Group Policy nwtraders.msft Create OU Structure to Reflect Administrative Model Carefully Name the First Domain First Domain OU OU OU OU OU OU The ongoing administrative tasks of an organization can be simplified by initially planning how to organize objects in a domain. A well-designed OU structure comprised of upper- and lower-level OUs will allow administrators to delegate authority and apply Group Policy. The first domain created in Active Directory is the root domain of the entire forest. The first domain is also referred to as the forest root. The forest root contains the configuration and schema information for the forest. Naming the first domain is an important design step, since the first domain cannot be renamed. Designing Multiple Domains Administered Separately But May Share Resources More Complex To Manage nwtraders.msft Root Child Domain us.nwtraders.msft Child Domain europe.nwtraders.msft Domains, trees, and forests are bordered units within Microsoft Windows 2000 Active Directory directory service. These units can share resources but can also be administered separately. Most business needs can be met by a single domain structure. A single domain is simpler to manage, and it is simple to delegate administrative authority. However, a business may want to use multiple domains within Active Directory. You will need to evaluate the need for a multiple-domain structure and the implications of increasing the complexity of the Active Directory structure before making this decision. Domains can be arranged into multiple-domain trees, multiple-tree forests, and multiple forests. The business drivers that require a multiple-domain design will also affect the type of design you create. Designing a Site Topology Sites Define Physical Structure of Active Directory Use Sites to Control Network Traffic Flow Charlotte Site Redmond Site nwtraders.msft Active Directory uses sites to define the physical structure of the network. A site is a collection of wellconnected machines, based on Internet Protocol (IP) subnets. A site definition is stored as a site object in Active Directory. Collectively, all sites form a site topology. Because sites represent the physical structure of your network, they do not need to map to the logical structure of the Active Directory. You can use sites to control workstation logon traffic, replication traffic, Distributed file system (Dfs) topology, and File Replication service (FRS). Excessive network traffic can occur between remote locations due to frequent exchange of large amounts of data and directory information. Designing an appropriate site topology helps you better organize the Windows 2000 network in your organization and optimize the exchange of data and directory information. Review Role of Active Directory in an Enterprise Conducting an Organizational Analysis Architectural Elements of Active Directory