Module 8: Planning for Windows Server 2008 Active Directory Services

Overview Plan for a Windows Server 2008 Active Directory Domain Services deployment Identify considerations when upgrading from a Windows Server 2003 to a Windows Server 2008 Active Directory infrastructure

Lesson: Planning for AD DS Deployment List key considerations for designing a Forest infrastructure List key considerations for designing a Domain infrastructure List key considerations for designing a Site topology List key considerations for designing the administrative infrastructure List key considerations for designing for Group Policy

Designing a Forest Infrastructure HR IT Finance Marketing HR IT Finance

Designing a Domain Infrastructure Review the Domain Models Determine the Number of Domains Determine Whether or not to Upgrade

Logical AD Components Namespace for an AD forest is discontiguous Single Schema Single Global Catalog Complete Trust Domain Model Forests A tree is contiguous namespace Trees

Logical AD Components When to add To placeholder or not Domains Used for delegation Used for Group Policy Don’t just mirror business units Organizational Units

AD – Design challenges Long term impacts of the design Mergers and acquisitions Other products such as Exchange (number of forests and GC’s) Political Try not to let politics shape your design Get buy in from divisions, management and IT Failure to fully analyze networking and replication Nesting OUs or groups too deeply Overly complex group policies Poor performance during Logon

Forests – Design Considerations There are three main forest models Organizational, resource, restricted access model Why do we care? With Exchange the GAL is per forest Factors affecting forest design Organizational structure requirements Operational requirements Legal requirements

AD Building Block The Schema is the building block of AD Active Directory services is a catalog of objects that reside in the forest It is not static – it can easily be extended (be careful!) Global Catalog consists of selected attributes from every object in the enterprise

Domain Design There are two main domain models Single domain and Regional domain models Why do we care? Management, amount of hardware required Factors affecting domain design Decentralized Admin Geographic locations DNS namespace Differing security and password policies

Designing a Site Topology Collect Network Information Plan DC Placement Create a Site Design Create a Site Link Design Create a Site Bridge Design

Sites Why create sites? Optimizes replication between domain controllers Locate the closest domain controller for client logon and directory searches Other applications use it to allocate local resources Multiple sites Site link bridges Link costs Link redundancy

Site Links Site links Connection for Active Directory replication Automatically creates connections between DC’s in each site called Bridgehead Servers Site link bridges Enable DC’s not directly connected by means of a communication link to replicate with each other

Sites Links Link costs Assign a cost (arbitrary number) to each site link Lower-cost are favored over higher-cost site links Link redundancy AD has no awareness of your physical network (this is a good thing!) Create a single site link and leave WAN redundancy to the routers

Sites Topologies Basic AD Network / Site Topologies  Ring  Hub and Spoke  Complex Hub and Spoke and Complex require careful planning

Designing the Administrative Infrastructure Group Admins : Full Control Group File Svr Admins: Full Control Group Print Svr Admins: Full Control ACL Settings for ResourceOU ResourceOU Domain Controllers Users Builtin Company Domain

Designing for Group Policy OU Domain Site GPO

What’s new in Vista with GPOs With the release of Vista, Microsoft has added several new areas that can be managed via GPOs and has expanded several existing areas such as  Antivirus  Device Installation  Deployed Printer Connections  User Account Protection Network Location Awareness

Lesson 2: Upgrade Considerations List preliminary AD DS installation steps Identify upgrade considerations for Read-Only Domain Controllers Identify upgrade considerations for AD DS and Server Core Use Server Manager wizards

Preliminary AD DS Installation Steps Extend the schema using adprep /forestprep For a Windows 2000 Server domain: adprep /domainprep /gpprep For a Windows 2003 domain: adprep /domainprep RODC: adprep /rodcprep Extend the schema using adprep /forestprep For a Windows 2000 Server domain: adprep /domainprep /gpprep For a Windows 2003 domain: adprep /domainprep RODC: adprep /rodcprep Strong password Correct network settings Latest security updates Strong password Correct network settings Latest security updates New Forest Existing Forest

Active Directory Upgrade Sequence Guide Before the upgrade of domain controllers  Prepare the forest  Prepare the domains Before upgrading a Windows Server 2003 domain controller

Read-Only Domain Controller

AD DS and Server Core Server Core