Logical and Physical Network Design 1

Active Directory Objects Objects Represent Network Resources (Users,Groups,Computers,Printers) Attributes Store Information About an Object 2 Attributes First Name Last Name Logon Name First Name Last Name Logon Name Attributes Printer Name Printer Location Printer Name Printer Location Active Directory Printers Printer1 Printer2 Suzan Fine Users Don Hall Attribute Value Attribute Value Objects Printers Users Printer3

3 Active Directory Schema Objects Class Examples Objects Class Examples Printers Computers Users Attributes of Users Might Contain: accountExpires department distinguishedName middleName accountExpires department distinguishedName middleName List of Attributes accountExpires department distinguishedName directReports dNSHostName operatingSystem repsFrom repsTo middleName … accountExpires department distinguishedName directReports dNSHostName operatingSystem repsFrom repsTo middleName … Attribute Examples Attribute Examples Active Directory Schema Is: Dynamically Available Dynamically Updateable Protected by DACLs

4 Active Directory Components Logical components of the Active Directory –Provide a way to design and administer the hierarchical, logical structure of the network –Include Domains and organizational units Trees and forests A global catalog

5 Active Directory Components (Continued) Windows Server 2008 domain –Logically structured organization of objects that Are part of a network, and Share a common directory database Each domain –Has a unique name –Is organized in levels –Is administered as a unit with common rules and procedures –Is defined by an IP address on the Internet

6 Active Directory Domains Boundary of Authentication Boundary of Policies Boundary of Replication CONTOSO.COM

Characteristics of Multiple Domains Reduce Replication Traffic Maintain Separate and Distinct Security Policies Between Domains Separate Administrative Control Geographic basis Large number of objects Los Angeles Seattle Chicago New York

8 Active Directory Components (Continued) An organizational unit (OU) –A logical container used to organize objects within a single domain Benefits of using OUs –Easier to locate and manage the Active Directory objects –Define more advanced features by applying Group Policy to an OU –Delegate administrative control over OUs

9 An Active Directory Domain and OU structure

10 Active Directory Components (Continued) Trees and forests –Forest root domain First Active Directory domain created in an organization –Tree Hierarchical collection of domains that share a contiguous DNS namespace

What Is a Tree? Parent Domain Child Domain Contiguous Namespace sales.contoso.msft Parent Child New Domain Tree Root Domain & Forest Root Domain contoso.msft sales.contoso.msft a two-way, transitive trust relationship

12 Active Directory Components (Continued) –Whenever a child domain is created, a two-way, transitive trust relationship is automatically created between the child and parent domains Transitive trust –All other trusted domains implicitly trust one another

13 Active Directory Components (Continued) Forest –Collection of trees that do not share a contiguous DNS naming structure –The trees in a forest share a single Active Directory schema Enterprise Admins –Special user group –Allows members to manage objects throughout the entire forest

14 Example of an Active Directory forest

What Is the Forest Root Domain? The Forest Root Domain Is the First Domain Created in a Forest contoso.msft Forest Forest Root Domain nwtraders.msft Tree Tree Root Domain Global Catalog Configuration and Schema Enterprise Admins Schema Admins marketing.nwtraders.msftsales.contoso.msft Tree

16 Active Directory Components (Continued) Global catalog –Index and partial replica of the objects and attributes most frequently used throughout the entire Active Directory structure –Replicated to any server within the forest that is configured to be a global catalog server –The first domain controller in Active Directory automatically becomes a global catalog server –Additional domain controllers can also be configured to be global catalog servers

Global Catalog Global Catalog Server Global Catalog Subset of the Attributes of All Objects Domain QueriesQueries Group membership when user logs on Group membership when user logs on

18 Active Directory Physical Structure Relates to the actual connectivity of the physical network –Domain Controllers –Sites

Domain Controller 19 A domain controller is a server containing a copy of the Active Directory. All domain controllers are peers, and maintain replicated versions of the Active Directory for their domains. The domain controller plays an important role in both the logical and physical structure of the Active Directory. It organizes all the domain's object data in a logical and hierarchical data store. It also authenticates users, provides responses to queries about network objects, and replicates directory services. (The physical structure provides the means to transmit this data through well-connected sites.)

Domain Controllers roles 20

Domain Controllers Domain Controller Domain ReplicationReplication User1 User2 User1 User2 = A Writeable Copy of the Active Directory Database Reasons for Creating Multiple Domain Controllers: it is recommended that each domain and each site have more than one domain controller to provide logical and physical structure redundancy and fault tolerance.

Sites Sites: Optimize replication traffic Enable users to log on to a domain controller by using a reliable, high-speed connection Site IP subnet Los Angeles Seattle Chicago New York Combination of one or more Internet Protocol (IP) subnets connected by a high-speed connection WAN Link

Active Directory Physical Structure (Continued) Aims regarding replication –Make sure that any modification to the Active Directory database is replicated as quickly as possible between domain controllers –Make sure that replication does not saturate the available network bandwidth 23

24 Active Directory Physical Structure (Continued) A site link –A configurable object that represents a low- bandwidth or unreliable/occasional connection between sites –Can be adjusted for Replication availability »Using the Schedule onSite Links Bandwidth costs »Higher Cost Numbers Represent Lower Priority Replication Paths Replication frequency »by Setting the Number of Minutes Between

25 The site structure of Dovercorp.net

Domains & sites 26 No formal relationship exists between the boundaries of a site or domain. sites and domains do not have to maintain the same namespace. Sites Can Contain –All domain controllers in a single domain –Some of the domain controllers in a single domain –Domain controllers from different domains

Sites and Domains CONTOSO.COM Site A Site B US.CONTOSO.COM

References Hands-On Microsoft Windows Server 2003 Administration, Dan DiNicolo InformIT: Understand Active Directory partIII, Microsoft TechNote, Active Directory Structure and Storage Technologies, us/library/cc759186(WS.10).aspx Microsoft TechNote,Introduction to Active Directory, ea e/Introduzione_a_Active_Directory.PPT Active Directory Fundumentals, damentals/ITPROADD-01%2075%20minute%20version.ppt. And much more.. 28