MCS Talks: Infrastructure Architecture. Session 2: Core Infrastructure Design. Andrew Hill – Consultant, Rob Lowe – Consultant.

Purpose
- To provide design guidance for Microsoft Windows Server 2008 Active Directory

Agenda
- Determine a process for Active Directory design
- Assist designers in the decision-making process
- Provide design assistance based on best practice and real-world experience

Active Directory Design Overview
- Forest and domain design
- Organizational Units (OUs)
- Group Policy Objects (GPOs)
- Security groups
- Domain controller placement (including RODC)
- Site topology
- Domain controller configuration
- DNS

Active Directory in Microsoft Infrastructure Optimization

Tips for the Planning Process
Considerations at each design phase: complexity, cost, fault tolerance, performance, scalability, security.

Contoso Network Infrastructure (network diagram)
- London: Head Office, 6,000 users (London LAN)
- Manchester: Data Centre and Call Centre, 25,000 users (Manchester LAN)
- Bristol: Fail Over Data Centre
- Glasgow: Manufacturing, 25,000 users (Glasgow LAN)
- Ireland: Development, 1,000 users
- India: Development, 1,500 users
- UK regional offices: York 100, Newcastle 350, Edinburgh 400, Birmingham 750, Reading 350, Oxford 250, Exeter 500 users
- International offices: Paris 20, Tokyo 10, New York 30 users
- Remote VPN users: 3,000 (1MB to 8MB ADSL)
- WAN link speeds shown on the diagram: 512KB, 1MB, 2MB, 10MB, 100MB and 1GB (the assignment of speeds to individual links is only visible on the diagram)

Determine the Number of Forests
How many forests?
- Option 1: single forest
- Option 2: multiple forests
Multiple-forest drivers:
- Multiple schemas
- Resource forests
- Distrust between forest administrators
- Legal regulations governing application or data access
- Requirements to be disconnected for long periods (e.g. military)

Single Organizational Forest Model (diagram): one forest containing Exchange, users, workstations, applications and SharePoint.

Multiple Organizational Forest Model (diagram): two organizational forests, each with its own Exchange, users, workstations, applications and SharePoint, connected by a forest trust.

Shared Resource Forest Model (diagram): a resource forest hosting Exchange and SharePoint; separate account forests holding users, workstations and applications; the forests are connected by a forest trust.

Shared Account Forest Model (diagram): one forest holding Exchange, users, workstations, applications and SharePoint, and a separate forest for restricted data and applications, connected by a forest trust.

Determine the Number of Domains
How many domains?
- Option 1: single domain
- Option 2: multiple domains
Multiple-domain drivers:
- Large number of frequently changing attributes
- Reduced replication traffic
- Control of replication traffic over slow links
- Preserving a legacy Active Directory domain structure

Forest and Domain Functional Levels
Windows Server 2003 interim forest functional level (FFL):
- Linked value replication (LVR)
- Different replication compression ratios
- Improved KCC (inter-site topology generation)
Windows Server 2003 FFL:
- Forest trusts (with selective authentication)
- Deactivation of attributes within the schema
- Domain rename
- RODC support (Windows Server 2008 DCs only, with the RODC schema update applied)
Windows Server 2008 domain functional level (DFL):
- Fine-grained password policies
- DFS-R replication of Sysvol
- Last interactive logon information

Fine-Grained Password Policies
Attributes on a Password Settings Object (PSO):
- msDS-PSOAppliesTo (forward link on the PSO) and msDS-PSOApplied (back-link on the user or group)
- msDS-PasswordSettingsPrecedence
- msDS-PasswordReversibleEncryptionEnabled
- msDS-PasswordHistoryLength
- msDS-PasswordComplexityEnabled
- msDS-MinimumPasswordLength
- msDS-MinimumPasswordAge
- msDS-MaximumPasswordAge
- msDS-LockoutThreshold
- msDS-LockoutObservationWindow
- msDS-LockoutDuration
PSO application (RSOP calculation):
- The PSO with the lowest precedence value wins; if two PSOs tie on precedence, the one with the mathematically lowest GUID is applied
- msDS-ResultantPso on the user identifies which PSO is in effect
- Links to the user and to global groups are both considered; a PSO linked directly to the user overrides any group-linked PSO
- Best to assign each user to only one PSO global group
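The following PowerShell is an added example and is not part of the MCS Talks slides. It creates two PSOs with different precedence values, links each to one global group, detects PSOs that tie on precedence (where the GUID tie-break would decide), and shows the resultant PSO for a user. It assumes the ActiveDirectory module from RSAT, a domain already at the Windows Server 2008 DFL, and hypothetical group and user names (Tier0-Admins, ServiceDesk, alice).

```powershell
# Added example, not from the MCS Talks slides. Assumes the ActiveDirectory module
# (RSAT) and a domain at the Windows Server 2008 functional level. PSO, group and
# user names below are hypothetical.
Import-Module ActiveDirectory

function Assert-FgppSupported {
    # PSOs are only honoured once every DC in the domain is 2008+ and the DFL is raised.
    $mode = (Get-ADDomain).DomainMode
    $required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
    if ([int]$mode -lt [int]$required) {
        throw "Domain functional level is '$mode'; fine-grained password policies need Windows2008Domain or higher."
    }
}

function New-ContosoPso {
    # A strict policy for privileged accounts (low precedence value wins) and a looser
    # baseline for service desk staff. Reversible encryption stays off in both.
    New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0-Admins' -Precedence 10 `
        -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 10 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
        -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

    New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceDesk' -Precedence 50 `
        -MinPasswordLength 12 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 20 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
        -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

    # Link each PSO to exactly one global group. This writes msDS-PSOAppliesTo on the
    # PSO; AD maintains the msDS-PSOApplied back-link on the group.
    Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0-Admins' -Subjects 'Tier0-Admins'
    Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceDesk'  -Subjects 'ServiceDesk'
}

function Get-PsoPrecedenceConflict {
    # Two PSOs sharing a precedence value are resolved by lowest objectGUID, which is
    # effectively arbitrary. Flag them so the design stays deterministic.
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Group-Object -Property Precedence |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ Precedence = $_.Name; PSOs = ($_.Group.Name -join ', ') }
        }
}

function Show-ResultantPso {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Get-ADUserResultantPasswordPolicy applies the RSOP rules: a PSO linked directly
    # to the user beats any group-linked PSO; otherwise the lowest precedence wins.
    $user = Get-ADUser -Identity $SamAccountName -Properties 'msDS-ResultantPSO'
    $pso  = Get-ADUserResultantPasswordPolicy -Identity $user
    $psoName = if ($pso) { $pso.Name } else { '(none: Default Domain Policy applies)' }
    $minLen  = if ($pso) { $pso.MinPasswordLength } else { $null }
    [pscustomobject]@{
        User         = $user.SamAccountName
        ResultantPSO = $psoName
        ResultantDN  = $user.'msDS-ResultantPSO'
        MinPwdLength = $minLen
    }
}

Assert-FgppSupported
New-ContosoPso
Get-PsoPrecedenceConflict
Show-ResultantPso -SamAccountName 'alice'
```

If alice is in both Tier0-Admins and ServiceDesk, Show-ResultantPso reports PSO-Tier0-Admins (precedence 10 beats 50); Get-PsoPrecedenceConflict returns nothing unless someone later creates a PSO reusing one of those precedence values.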

Assign Domain Names
Assign the NetBIOS name:
- Maximum effective length of 15 characters
- Use a NetBIOS name that is unique across the organisation
Assign the DNS name:
- Ensure uniqueness by not duplicating existing registered Internet domain names
- Register every domain name you use with a public registrar so that nobody else can claim it
- The name should not represent a business unit or division (organisations restructure; the domain name does not)
- Avoid single-label names

Organisational Units
Choose an OU design:
- Task 1: design the OU configuration for delegation of administration
- Task 2: design the OU configuration for Group Policy application
Other OU (and container) recommended practices:
- Do not move DCs out of the Domain Controllers OU (the Default Domain Controllers Policy is linked there)
- Do not move built-in users and groups out of the Users container
- New OUs created with the Windows Server 2008 tools are protected from accidental deletion by default; protection for existing OUs and for child objects must be set explicitly

Contoso Organisational Unit Design

Group Policy Objects
Very powerful, but consider the management of Group Policy in the design.
Best practices:
- Specify user and computer settings in separate GPOs (and disable the unused side of each GPO)
- Prefer several small, single-purpose GPOs over a few large GPOs with many settings; the trade-off is that each additional GPO applying to a client adds processing time at startup and logon, so keep the number per client reasonable
- Give each GPO a descriptive name and comment stating its purpose
- Do not unlink the Default Domain Policy or the Default Domain Controllers Policy
- Advanced Group Policy Management (AGPM) provides change control workflow; v3.0 (2008) adds more granular permissions
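The following PowerShell is an added example, not code from the slides. It implements the split user/computer GPO practice (disabling the unused half of each GPO), verifies that both default GPOs are still linked and enabled, and gives a rough "too many settings in one GPO" check. It assumes the GroupPolicy and ActiveDirectory modules, a hypothetical Workstations OU, and two illustrative registry-based settings; the 50-setting threshold is a design choice, not a Microsoft limit.

```powershell
# Added example, not from the MCS Talks slides. Assumes the GroupPolicy and
# ActiveDirectory modules; the OU, GPO names and settings are hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$wksOu    = "OU=Workstations,$domainDn"

function New-SplitGpoPair {
    # One GPO per side; disabling the unused half means clients skip it entirely.
    $computer = New-GPO -Name 'WKS-Computer-Baseline' -Comment 'Computer settings only'
    $computer.GpoStatus = [Microsoft.GroupPolicy.GpoStatus]::UserSettingsDisabled
    Set-GPRegistryValue -Name $computer.DisplayName `
        -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -ValueName 'DontDisplayLastUserName' -Type DWord -Value 1 | Out-Null
    New-GPLink -Name $computer.DisplayName -Target $wksOu -LinkEnabled Yes | Out-Null

    $user = New-GPO -Name 'WKS-User-Baseline' -Comment 'User settings only'
    $user.GpoStatus = [Microsoft.GroupPolicy.GpoStatus]::ComputerSettingsDisabled
    Set-GPRegistryValue -Name $user.DisplayName `
        -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
        -ValueName 'NoDriveTypeAutoRun' -Type DWord -Value 255 | Out-Null
    New-GPLink -Name $user.DisplayName -Target $wksOu -LinkEnabled Yes | Out-Null
}

function Test-DefaultGpoLinks {
    # The two default GPOs must stay linked and enabled at their original scopes.
    $checks = @(
        @{ Gpo = 'Default Domain Policy';             Target = $domainDn }
        @{ Gpo = 'Default Domain Controllers Policy'; Target = "OU=Domain Controllers,$domainDn" }
    )
    foreach ($c in $checks) {
        $link = (Get-GPInheritance -Target $c.Target).GpoLinks |
                Where-Object { $_.DisplayName -eq $c.Gpo }
        [pscustomobject]@{
            Gpo     = $c.Gpo
            Target  = $c.Target
            Linked  = [bool]$link
            Enabled = [bool]($link -and $link.Enabled)
        }
    }
}

function Get-OversizedGpo {
    param([int]$MaxSettings = 50)   # threshold is a design choice, not a Microsoft limit
    # Counts Administrative Template policies in each GPO's XML report (other
    # extension types are not counted), as a rough size indicator.
    foreach ($g in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $g.Id -ReportType Xml
        $n = @($report.SelectNodes('//*[local-name()="Policy"]')).Count
        if ($n -gt $MaxSettings) {
            [pscustomobject]@{ Gpo = $g.DisplayName; AdminTemplateSettings = $n }
        }
    }
}

New-SplitGpoPair
Test-DefaultGpoLinks | Format-Table -AutoSize
Get-OversizedGpo | Format-Table -AutoSize
```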

Advanced Group Policy Management
- Current version: 2.5; next version: 3.0, RTM September 2008
- Enables Group Policy change management
- Provides granular administrative control
- Reduces the risk of widespread failure
- Versioning, history and rollback of Group Policy changes
- Role-based administration and templates
- Workflow
- Offline editing

Advanced Group Policy Management – Reporting
- Difference reports
- Settings reports

Group Policy Preferences

Security Groups
Group scope:
- Account groups (to group users and computers): Global, Universal
- Resource groups (to control rights and permissions): Domain Local, Built-in Local
- Complex group nesting makes audit and reconciliation more difficult
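The following PowerShell is an added example, not part of the slides. It walks a group's nesting tree, flags nesting deeper than a chosen limit and circular nesting (the two things that make "who can access this?" hard to reconcile), and checks that a resource (Domain Local) group contains account groups rather than individual users, as the AGDLP model intends. It assumes the ActiveDirectory module and a hypothetical group name FS-Finance-Modify.

```powershell
# Added example, not from the MCS Talks slides. Assumes the ActiveDirectory module;
# the group name used at the bottom is hypothetical.
Import-Module ActiveDirectory

function Get-GroupNestingReport {
    # Emits one row per group in the membership tree under -Identity, flagging
    # nesting deeper than -MaxDepth and circular nesting (A -> B -> A).
    param(
        [Parameter(Mandatory)][string]$Identity,
        [int]$MaxDepth = 3,
        [string[]]$Ancestors = @()     # DNs on the current path, used for cycle detection
    )
    $g = Get-ADGroup -Identity $Identity -Properties member
    $depth = $Ancestors.Count

    if ($Ancestors -contains $g.DistinguishedName) {
        [pscustomobject]@{ Group = $g.Name; Scope = $g.GroupScope; Depth = $depth; Issue = 'Circular nesting' }
        return
    }
    $issue = if ($depth -gt $MaxDepth) { "Nested deeper than $MaxDepth levels" } else { '' }
    [pscustomobject]@{ Group = $g.Name; Scope = $g.GroupScope; Depth = $depth; Issue = $issue }

    $path = $Ancestors + $g.DistinguishedName
    foreach ($dn in $g.member) {
        # Recurse into groups only; users, computers and foreign security principals are leaves.
        if ((Get-ADObject -Identity $dn).ObjectClass -eq 'group') {
            Get-GroupNestingReport -Identity $dn -MaxDepth $MaxDepth -Ancestors $path
        }
    }
}

function Test-ResourceGroupMembers {
    # AGDLP: a Domain Local resource group should contain account groups
    # (Global/Universal), not individual users or computers.
    param([Parameter(Mandatory)][string]$Identity)
    $g = Get-ADGroup -Identity $Identity -Properties member
    if ($g.GroupScope -ne 'DomainLocal') {
        Write-Warning "$($g.Name) is $($g.GroupScope), not a resource (Domain Local) group"
    }
    foreach ($dn in $g.member) {
        $m = Get-ADObject -Identity $dn
        if ($m.ObjectClass -ne 'group') {
            [pscustomobject]@{ ResourceGroup = $g.Name; DirectMember = $m.Name; Class = $m.ObjectClass }
        }
    }
}

Get-GroupNestingReport -Identity 'FS-Finance-Modify' | Format-Table -AutoSize
Test-ResourceGroupMembers -Identity 'FS-Finance-Modify' | Format-Table -AutoSize
```

Because the cycle check is against the current path rather than a global visited set, the same account group legitimately nested under two different branches is reported twice (once per branch) but is not mistaken for a loop.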

Domain Controller Placement
- Placement of domain controllers: hub locations and satellite (branch) locations
- Heavily dictated by network and application requirements
Global Catalog (GC):
- Very few reasons now not to make every DC a GC
Read-Only Domain Controllers (RODC):
- New in Windows Server 2008: a read-only copy of the directory that holds no account passwords by default
- Primarily a security feature to mitigate the risk of DCs at high-risk (physically insecure) sites

RODC Deployment
Consider the following:
- Application needs: Exchange? Do applications make write / read-back calls? (an RODC refers writes to a writable DC)
- Site topology: is Bridge All Site Links (BASL) turned off?
- Password Replication Policy (PRP): which model suits you? Remember that no cached accounts means more WAN / hub DC impact; cache both the branch's computer and user accounts
Deployment:
- Start with a minimum of two Windows Server 2008 writable hub DCs
- Add a 2008 writable DC to the DNS NS records (needed for Replicate Single Object, RSO, so the RODC's DNS server picks up client updates)
- Delegate the deployment; do not use Domain Admins credentials on the branch server
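The following PowerShell is an added example, not from the slides. It pre-creates the RODC account from a hub DC with a delegated branch group (so Domain Admins credentials never touch the branch server), sets the Password Replication Policy at the same time, and reports which accounts the RODC has actually cached, flagging any that are Domain Admins members. It assumes the ActiveDirectory and ADDSDeployment modules (the latter shipped with Windows Server 2012, after this 2008 talk, where the equivalent was the dcpromo "pre-create RODC account" wizard); the server, site and group names are hypothetical.

```powershell
# Added example, not from the MCS Talks slides. Assumes the ActiveDirectory and
# ADDSDeployment modules (Windows Server 2012+). Names are hypothetical.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

# 1. Pre-create the RODC computer account from a hub DC. The delegated group, not
#    Domain Admins, then runs the promotion on the branch server. The Password
#    Replication Policy is set here so privileged accounts can never be cached.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'YORK-RODC01' `
    -DomainName 'contoso.com' `
    -SiteName 'York' `
    -DelegatedAdministratorAccountName 'CONTOSO\York-RODC-Admins' `
    -ReplicationSourceDC 'MAN-DC01.contoso.com' `
    -InstallDns:$true `
    -AllowPasswordReplicationAccountName @('CONTOSO\York-Users', 'CONTOSO\York-Workstations') `
    -DenyPasswordReplicationAccountName  @('CONTOSO\Tier0-Admins', 'CONTOSO\Domain Admins')

function Get-RodcPrpReport {
    # 2. After promotion: who is allowed/denied, and which secrets the RODC holds now.
    param([Parameter(Mandatory)][string]$Rodc)
    $allowed  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
    $denied   = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

    # A cached Domain Admin on a branch box is exactly what the RODC design is meant to prevent.
    $domainAdmins = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).DistinguishedName
    $leak = $revealed | Where-Object { $domainAdmins -contains $_.DistinguishedName }

    [pscustomobject]@{
        Rodc             = $Rodc
        AllowedCount     = @($allowed).Count
        DeniedCount      = @($denied).Count
        RevealedCount    = @($revealed).Count
        PrivilegedCached = @($leak | ForEach-Object { $_.Name })
    }
}

Get-RodcPrpReport -Rodc 'YORK-RODC01'
```

If PrivilegedCached is ever non-empty, treat the RODC as compromised for those accounts: reset their passwords and review why the deny list did not cover them.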

Create the Site Design
Option 1: create a logical site for each physical location
- Assign the subnets of each physical location to its corresponding site
- Locations without a DC rely on automatic site coverage from a DC in a nearby site
Option 2: create a logical site only for physical locations with domain controllers
- Assign the subnets of each remaining physical location to the most appropriate site depending on the underlying network

Create a Site Link Design
- Site links map to the underlying network
- Set cost and schedule on each link
Bridge all site links (on by default):
- Appropriate if the network is fully routed (all domain controllers can communicate with all other domain controllers)
- Generally not recommended for branch office designs: KCC overheads
- Use repadmin /siteoptions (W2K3_BRIDGES_REQUIRED) to disable it per site, or clear the setting on the IP inter-site transport
Custom site link bridges:
- Use when the network is not fully routed, e.g. when firewalls restrict communication between domain controllers
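The following PowerShell is an added example serving the two preceding slides (site design and site link design); it is not code from the talk. It builds sites, subnets and costed site links from a constructed table using option 2 (a site only where DCs exist, with the DC-less York subnet mapped to Manchester), turns off "Bridge all site links" by setting the BRIDGES_REQUIRED bit on the IP transport object, and adds one explicit site link bridge. It assumes the ActiveDirectory module with the replication cmdlets (Windows Server 2012+); site names, subnets and costs are hypothetical.

```powershell
# Added example, not from the MCS Talks slides. Assumes the ActiveDirectory module
# (Windows Server 2012+ replication cmdlets). Sites, subnets and costs are constructed.
Import-Module ActiveDirectory

# Option 2: a site only for locations with DCs; the DC-less York office (10.30.0.0/24)
# is mapped to Manchester, its nearest hub on the network.
$sites = @(
    @{ Name = 'Manchester'; Subnets = @('10.10.0.0/16', '10.30.0.0/24') }
    @{ Name = 'London';     Subnets = @('10.20.0.0/16') }
    @{ Name = 'Glasgow';    Subnets = @('10.40.0.0/16') }
)
# Lower cost = preferred path; interval is the replication frequency in minutes.
$siteLinks = @(
    @{ Name = 'Manchester-London';  Sites = @('Manchester', 'London');  Cost = 100; Minutes = 15 }
    @{ Name = 'Manchester-Glasgow'; Sites = @('Manchester', 'Glasgow'); Cost = 200; Minutes = 30 }
)

function New-SiteTopology {
    foreach ($s in $sites) {
        if (-not (Get-ADReplicationSite -Filter "Name -eq '$($s.Name)'")) {
            New-ADReplicationSite -Name $s.Name
        }
        foreach ($net in $s.Subnets) {
            if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$net'")) {
                New-ADReplicationSubnet -Name $net -Site $s.Name
            }
        }
    }
    foreach ($l in $siteLinks) {
        if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$($l.Name)'")) {
            New-ADReplicationSiteLink -Name $l.Name -SitesIncluded $l.Sites -Cost $l.Cost `
                -ReplicationFrequencyInMinutes $l.Minutes -InterSiteTransportProtocol IP
        }
    }
}

function Disable-BridgeAllSiteLinks {
    # Clearing "Bridge all site links" means setting bit 0x2 (BRIDGES_REQUIRED) in the
    # options attribute of the IP inter-site transport object. The per-site equivalent
    # from the slide is: repadmin /siteoptions <DC> /site:<site> +W2K3_BRIDGES_REQUIRED
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ip  = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$cfg" -Properties options
    $opt = [int]$ip.options          # attribute is absent (null -> 0) until first set
    if (($opt -band 0x2) -eq 0) {
        Set-ADObject -Identity $ip -Replace @{ options = ($opt -bor 0x2) }
    }
    # With bridging off, add explicit bridges only where the network is actually routed.
    if (-not (Get-ADReplicationSiteLinkBridge -Filter "Name -eq 'Manchester-Hub'")) {
        New-ADReplicationSiteLinkBridge -Name 'Manchester-Hub' `
            -SiteLinksIncluded 'Manchester-London', 'Manchester-Glasgow'
    }
}

New-SiteTopology
Disable-BridgeAllSiteLinks
```

Schedules are left at the default (always available) here; New-ADReplicationSiteLink accepts a -ReplicationSchedule for links that should only replicate off-hours.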

Contoso Network Infrastructure Revisited (diagram: the same Contoso network map shown earlier)

Active Directory Replication Topology
- The KCC manages the topology automatically based on the site link design
- Applies to Active Directory and Sysvol replication
- Sysvol uses DFS-R in domains created at the Windows Server 2008 DFL
- Sysvol can be migrated from FRS to DFS-R once the DFL is at 2008
- FRS VVJoins are inherently inefficient; DFS-R Sysvol eliminates them
- For upgraded forests the migration is a simple four-step process (dfsrmig global states: Start, Prepared, Redirected, Eliminated)
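The following PowerShell is an added example, not from the slides, showing the four-state FRS-to-DFS-R Sysvol migration driven through dfsrmig.exe with a wait between states until every DC reports the new global state. It assumes dfsrmig.exe (ships with Windows Server 2008 and later), the ActiveDirectory module, and that it runs as a Domain Admin on a writable DC; the match on the "migrated successfully" output string is an assumption about dfsrmig's console text.

```powershell
# Added example, not from the MCS Talks slides. Assumes dfsrmig.exe, the
# ActiveDirectory module and Domain Admin rights on a writable DC.
Import-Module ActiveDirectory

# dfsrmig global states: 0 Start (FRS), 1 Prepared, 2 Redirected, 3 Eliminated (DFS-R only).
$StateNames = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }

function Assert-DfsrSysvolSupported {
    # DFS-R Sysvol needs every DC on 2008+ and the 2008 DFL raised.
    $mode = (Get-ADDomain).DomainMode
    $required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
    if ([int]$mode -lt [int]$required) { throw "DFL is '$mode'; raise it to Windows2008Domain first." }
}

function Wait-DfsrMigrationState {
    # Polls until all DCs have reached the requested global state, or times out.
    param([Parameter(Mandatory)][int]$State, [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # Assumption: dfsrmig prints "... migrated successfully to Global state ('<name>')".
        $out = (dfsrmig /getmigrationstate) -join "`n"
        if ($out -match 'migrated successfully') { return $true }
        Write-Host "Waiting for all DCs to reach state $State ($($StateNames[$State]))..."
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Invoke-SysvolMigration {
    Assert-DfsrSysvolSupported
    Write-Host "Current global state: $(dfsrmig /getglobalstate)"
    # Prepared and Redirected are reversible; Eliminated is not, so stop before it
    # if Wait-DfsrMigrationState ever reports a straggling DC.
    foreach ($state in 1, 2, 3) {
        dfsrmig /setglobalstate $state | Out-Null
        if (-not (Wait-DfsrMigrationState -State $state)) {
            throw "Not all DCs reached state $state ($($StateNames[$state])); check 'dfsrmig /getmigrationstate' and replication before continuing."
        }
        Write-Host "All DCs at state $state ($($StateNames[$state]))."
    }
}

Invoke-SysvolMigration
```

Between states, force AD replication (repadmin /syncall) if the wait drags on: dfsrmig state changes are carried in AD objects, and a DC that has not yet replicated them cannot advance.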

Domain Controller Configuration
- 64-bit supports a much larger addressable memory space; allow enough memory for the entire Active Directory database to be cached
- Think about 64-bit now: 32-bit will be unavailable in a few years (Windows Server 2008 R2 is 64-bit only)
- CPU and query performance
- Disk configuration: keep the database and logs on separate physical drives for better performance
- Running RODCs on Hyper-V
- Never snapshot (or revert) a DC, even an RODC: restoring a snapshot rolls back the USN and silently breaks replication
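The following PowerShell is an added example, not from the slides, that checks a DC against the configuration points above: is the OS 64-bit, does the ntds.dit fit in RAM with headroom, are database and logs on different physical disks (checked by disk number, not just drive letter), and is the DC a virtual machine that must not be snapshotted. It assumes Windows Server 2012+ (Get-CimInstance, Get-Partition), reads the real NTDS registry values, and uses a 2 GB headroom figure that is a design choice.

```powershell
# Added example, not from the MCS Talks slides. Assumes Windows Server 2012+ for
# Get-CimInstance and Get-Partition. Run locally on the DC as an administrator.

function Test-DcConfiguration {
    # Real NTDS registry values: location of ntds.dit and of its transaction logs.
    $ntds   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbFile = $ntds.'DSA Database file'
    $logDir = $ntds.'Database log files path'
    $findings = @()

    # 1. Architecture: 64-bit is the only way to cache a large database.
    if (-not [Environment]::Is64BitOperatingSystem) { $findings += '32-bit operating system' }

    # 2. Memory: whole database plus headroom (2 GB here is a design choice) should fit.
    $dbGB  = [math]::Round((Get-Item $dbFile).Length / 1GB, 2)
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 2)
    if ($ramGB -lt ($dbGB + 2)) { $findings += "ntds.dit is $dbGB GB but only $ramGB GB RAM installed" }

    # 3. Disk: compare physical disk numbers, since two drive letters can share one spindle.
    $dbLetter  = (Split-Path $dbFile -Qualifier).TrimEnd(':')
    $logLetter = (Split-Path $logDir -Qualifier).TrimEnd(':')
    $dbDisk  = (Get-Partition -DriveLetter $dbLetter).DiskNumber
    $logDisk = (Get-Partition -DriveLetter $logLetter).DiskNumber
    if ($dbDisk -eq $logDisk) { $findings += "database and logs share physical disk $dbDisk" }

    # 4. Virtualised DC: snapshots/reverts cause USN rollback.
    if ($cs.Model -match 'Virtual') { $findings += "virtual machine ($($cs.Model)): never snapshot or revert this DC" }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        DatabaseGB = $dbGB
        RamGB      = $ramGB
        DbDisk     = $dbDisk
        LogDisk    = $logDisk
        Findings   = $findings
    }
}

Test-DcConfiguration | Format-List
```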

DNS
- Critical for Active Directory
- AD-integrated DNS recommended (zones stored and replicated in AD, secure dynamic updates only)
- Consider the forwarding model: root hints introduce additional management overhead; forwarding is the recommended approach for AD
- New in Windows Server 2008: conditional forwarder settings can be stored in Active Directory and replicated to other DNS servers instead of being configured on each server
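The following PowerShell is an added example, not from the slides. It replaces root-hint resolution with forwarders, creates an AD-stored conditional forwarder replicated forest-wide, and verifies the AD zone is AD-integrated and accepts only secure dynamic updates (non-secure updates let any host on the network overwrite records such as a DC's SRV entries). It assumes the DnsServer module (Windows Server 2012+ DNS Server Tools) and uses documentation IP ranges and a hypothetical partner zone.

```powershell
# Added example, not from the MCS Talks slides. Assumes the DnsServer module
# (Windows Server 2012+). IP addresses are documentation ranges; zone names are hypothetical.
Import-Module DnsServer

function Set-ContosoDnsForwarding {
    param([string]$Zone = 'contoso.com')

    # Forwarding model instead of root hints: external resolution goes to two resolvers.
    Set-DnsServerForwarder -IPAddress '192.0.2.10', '192.0.2.11' -UseRootHint $false -Timeout 3

    # Conditional forwarder for a partner namespace, stored in AD and replicated to
    # every DNS server in the forest (the 2008 feature the slide mentions).
    if (-not (Get-DnsServerZone -Name 'fabrikam.com' -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name 'fabrikam.com' `
            -MasterServers '198.51.100.5' -ReplicationScope Forest
    }

    # The AD zone must be AD-integrated and must accept only secure dynamic updates.
    $z = Get-DnsServerZone -Name $Zone
    if (-not $z.IsDsIntegrated) {
        Write-Warning "$Zone is file-backed; convert it with ConvertTo-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain"
    }
    if ($z.DynamicUpdate -ne 'Secure') {
        Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate Secure
    }
}

function Test-DnsForwarding {
    param([string]$Zone = 'contoso.com')
    $fwd = Get-DnsServerForwarder
    $z   = Get-DnsServerZone -Name $Zone
    [pscustomobject]@{
        Forwarders         = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })
        UsesRootHints      = $fwd.UseRootHint
        ConditionalZones   = @(Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Forwarder' } |
                               ForEach-Object { $_.ZoneName })
        ZoneAdIntegrated   = $z.IsDsIntegrated
        ZoneDynamicUpdate  = $z.DynamicUpdate
    }
}

Set-ContosoDnsForwarding
Test-DnsForwarding | Format-List
```

Run the Set function once; the conditional forwarder replicates through AD, so the Test function should show it on every DNS server in the forest after replication, not only where it was created.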

What’s Next?
- Discuss, rinse, repeat
- Implement your design
- Test and refine the design along the way

Summary and Conclusion
- Organizations should base the design of their Active Directory infrastructure on business and technical requirements
- Considerations should include: the scope of the network and environment; technical requirements and considerations; additional business requirements; designing an Active Directory infrastructure to meet these requirements; validating the overall approach


Thank you for attending this TechNet Event. The next session in the series covers Messaging.