Active Directory design recommended practices
Mark Cribben, Consultant

Agenda
Forest design principles
Domain design principles
Name space design recommendations
Site / Physical design
OU design
Base security considerations
Branch scenarios
Management
Forest design principles
Identify security boundaries
– The forest is the security boundary
Start with a single forest. Considerations:
– Acquisition and divestiture pattern of the organisation
– Schema ownership
– Security
– Legal considerations (typical in banking scenarios but by no means exclusive to them)
Domain design principles
Start with a single domain. Considerations are:
– Replication boundaries
– Account policy requirements
– Political
So what about a placeholder / empty forest root domain?
– Design recommendations changed within 18 months of Windows 2000 launching, but the message seems to be taking a long time to get out.
– There is no additional security to be gained through an empty forest root domain.
Name space design
How to name an AD
– So what’s in a name? How important is it after all?
Where to put name servers
– Understand the importance of the _msdcs zone
How to replicate DNS information
– Where possible use AD-integrated zones: they increase security and reduce the management overhead of replicating zone data
– Allows for multi-master DNS
How to configure the DCs and clients
– Advice is different for Windows 2000 and Windows Server 2003 DCs
– Clients should be configured to use their local DNS server as the primary and the nearest hub / data centre as the alternate
Site / Physical design (1)
Identify your deployment model:
– Centralised
– Distributed
– Branch
– Combination
Define sites and subnets. Consider:
– Data centre failure
– Redundancy
– Client and application needs
Site / Physical design (2)
Domain controllers:
– Location
– Security
– Function
– Administration
Designing for discovery and failover
– SRV registration strategy
– AutoSiteCoverage decisions
Site / Physical design (3)
Replication:
– Load balancing on bridgehead (BH) servers
– Schedule and interval
– Compression value
– TombstoneLifetime
OU design
OUs have two primary roles:
– Delegation of administration
– Application of Group Policy
Most common (sensible!) OU design approaches:
– Device / object type
Try to avoid:
– Too many OUs / levels of nesting
– Following your org chart
Branch scenarios
Bear in mind that "branch office" does not automatically mean retail banking! It is primarily a scenario where you have many remote locations that have users, but not necessarily a large number of them or good quality, high bandwidth connections.
Key issues:
– Administration
– Placement of domain controllers / GCs
– Applications at the remote site
– Available bandwidth
– Replication, including BH server load balancing, replication scheduling and convergence
Management
Do not even think about deploying Active Directory without providing management support.
– We have seen too many situations where customers have problems that could so easily have been avoided with even a basic monitoring solution / process!
Managing the Directory Service:
– MOM (Microsoft Operations Manager) is an option
– If MOM cannot be deployed, then provide processes, scripts and tools to allow ongoing management
Group Policy
– At the very least, install GPMC!
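As an added example of the "scripts and tools" called for above (not part of the original deck), the following PowerShell ties the TombstoneLifetime point from the replication slide to basic monitoring: it flags inbound replication partners whose last success is older than a fraction of TombstoneLifetime, since a DC that exceeds that age risks reintroducing lingering objects. It assumes the ActiveDirectory RSAT module for the live collection path; the sample metadata and the contoso.example names are constructed so the logic runs without a domain.

```powershell
# Added example, not from the original deck. Flags replication partners whose last
# successful inbound replication is older than a fraction of TombstoneLifetime.
# Live collection assumes the ActiveDirectory module (RSAT); the sample data below is constructed.

function Get-TombstoneLifetimeDays {
    # The attribute lives on the Directory Service object in the Configuration NC. If it is
    # unset (forests created on Windows 2000 or 2003 before SP1) the effective value is 60 days.
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
                       -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { return [int]$ds.tombstoneLifetime } else { return 60 }
}

function Test-ReplicationAge {
    param(
        [Parameter(Mandatory)] [object[]] $Metadata,   # Server, Partner, Partition, LastReplicationSuccess
        [Parameter(Mandatory)] [int]      $TombstoneLifetimeDays,
        [double]   $WarnFraction = 0.5,                 # warn once half the tombstone lifetime has passed
        [datetime] $Now = (Get-Date)
    )
    foreach ($m in $Metadata) {
        $ageDays = ($Now - $m.LastReplicationSuccess).TotalDays
        $state = if ($ageDays -ge $TombstoneLifetimeDays) { 'CRITICAL' }
                 elseif ($ageDays -ge $TombstoneLifetimeDays * $WarnFraction) { 'WARNING' }
                 else { 'OK' }
        # Partner is the DN of the partner's NTDS Settings object; extract the server name.
        $partner = if ($m.Partner -match '^CN=NTDS Settings,CN=([^,]+),') { $Matches[1] } else { $m.Partner }
        [pscustomobject]@{ Server = $m.Server; Partner = $partner; Partition = $m.Partition
                           AgeDays = [math]::Round($ageDays, 1); State = $state }
    }
}

# Live collection (requires domain connectivity):
#   $tsl  = Get-TombstoneLifetimeDays
#   $meta = Get-ADDomainController -Filter * |
#           ForEach-Object { Get-ADReplicationPartnerMetadata -Target $_.HostName -Scope Server }
#   Test-ReplicationAge -Metadata $meta -TombstoneLifetimeDays $tsl | Sort-Object AgeDays -Descending

# Constructed sample: one healthy hub partner, one branch DC approaching the limit, one past it.
$now  = Get-Date '2004-06-01'
$nc   = 'DC=contoso,DC=example'
$sample = @(
    [pscustomobject]@{ Server='DC01.contoso.example'; Partition=$nc; LastReplicationSuccess=$now.AddHours(-2)
                       Partner="CN=NTDS Settings,CN=DC02,CN=Servers,CN=Hub,CN=Sites,CN=Configuration,$nc" }
    [pscustomobject]@{ Server='DC01.contoso.example'; Partition=$nc; LastReplicationSuccess=$now.AddDays(-35)
                       Partner="CN=NTDS Settings,CN=BR07,CN=Servers,CN=Branch07,CN=Sites,CN=Configuration,$nc" }
    [pscustomobject]@{ Server='DC01.contoso.example'; Partition=$nc; LastReplicationSuccess=$now.AddDays(-75)
                       Partner="CN=NTDS Settings,CN=BR12,CN=Servers,CN=Branch12,CN=Sites,CN=Configuration,$nc" }
)
Test-ReplicationAge -Metadata $sample -TombstoneLifetimeDays 60 -Now $now | Format-Table -AutoSize
```

Run against live metadata on a schedule, the WARNING state gives time to repair a branch link before the CRITICAL state, where the partner would have to be cleaned of lingering objects or rebuilt.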
©2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Welcome to this TechNet Event
We would like to bring your attention to the key elements of the TechNet programme, the central information and community resource for IT professionals in the UK:
– FREE bi-weekly technical newsletter
– FREE regular technical events hosted across the UK
– FREE weekly UK & US led technical webcasts
– FREE comprehensive technical web site
– Monthly CD / DVD subscription with the latest technical tools & resources
– FREE quarterly technical magazine
To subscribe to the newsletter or just to find out more, please visit or speak to a Microsoft representative during the break