1. 70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 5: Active Directory Logical Design

2. Guide to MCSE 70-294, Enhanced2 Objectives Choose the best DNS name for a domain Make Active Directory forest design decisions Make Active Directory domain design decisions Understand the roles and describe the characteristics of trusts

3. Guide to MCSE 70-294, Enhanced3 Objectives (continued) Describe the role and characteristics of organizational units Understand the different functionality levels of Active Directory and how to upgrade Windows NT and 2000 domains

4. Guide to MCSE 70-294, Enhanced4 Choosing a DNS Name for Active Directory DNS defines namespace used by Active Directory Choosing DNS name of domain Not a decision to take lightly Don’t put off until last minute DNS name Used extensively throughout domain Affects every member of domain

5. Guide to MCSE 70-294, Enhanced5 What Makes a Good DNS Name? Meaningful Scalable Should represent entire business Support current and future plans

6. Guide to MCSE 70-294, Enhanced6 Making the Name Meaningful and Scalable DNS name chosen for first domain created in tree Part of DNS names for all child domains Represent whole of enterprise Allow for future growth

7. Guide to MCSE 70-294, Enhanced7 Two Common Uses for DNS: Internet Presence and Active Directory Namespace used by Active Directory Internet presence: Web site email e-commerce

8. Guide to MCSE 70-294, Enhanced8 Choosing How DNS Names for Internet and Active Directory Are Related Choices: Use the same DNS name for both Use completely different names altogether Delegate subdomain from Internet name for Active Directory

9. Guide to MCSE 70-294, Enhanced9 Using the Same DNS Name for Active Directory and Internet Presence Requires complicated steps to prevent confidential data from being made available publicly Not recommended Can use technique called split DNS

10. Guide to MCSE 70-294, Enhanced10 Split DNS

11. Guide to MCSE 70-294, Enhanced11 Using Completely Different Names for Active Directory and Internet Presence No possibility of conflict Management of names and hosts for Internet is completely separate from Active Directory Designers must ensure that internal clients can resolve both: Internal names to support Active Directory External names to access Internet resources

12. Guide to MCSE 70-294, Enhanced12 Using Completely Different Names for Active Directory and Internet Presence (continued)

13. Guide to MCSE 70-294, Enhanced13 Delegating a Subdomain from the Internet Presence Subdomain for Active Directory Uses separate zones to keep Active Directory and Internet presence apart Subdomain is delegated from existing Internet presence name Simple to set up No client configuration required

14. Guide to MCSE 70-294, Enhanced14 Delegating a Subdomain from the Internet Presence Subdomain for Active Directory (continued)

15. Guide to MCSE 70-294, Enhanced15 Best Practices for Choosing a DNS Name Delegated subdomain recommended Windows 2000 Server: Microsoft recommended that all domain controllers act as DNS servers Mostly true with Windows Server 2003 as well DomainDnsZones Active Directory application partition in Windows Server 2003 Can affect DNS server placement

16. Guide to MCSE 70-294, Enhanced16 Designing Forests Start with forests Work down to domains Tackle most important issues first

17. Guide to MCSE 70-294, Enhanced17 Activity 5-1: Demoting a domain controller Objective: Learn how a domain controller can be demoted back to a standalone server Demote the domain controller Required for other chapter Activities

18. Guide to MCSE 70-294, Enhanced18 Characteristics of a Forest Implementation of Active Directory Represents one single Active Directory installation Viewed as collection of domains Security and administrative boundary

19. Guide to MCSE 70-294, Enhanced19 Characteristics of a Forest (continued) All domains in a forest share: Centrally controlled schema Common configuration Single global catalog Complete trust relationships

20. Guide to MCSE 70-294, Enhanced20 How Many Forests? Not usually need to create more than one forest for an organization Create multiple forests: Only when one of items shared within a forest cannot be shared without violating a business objective

21. Guide to MCSE 70-294, Enhanced21 Designing Domains Important part of planning Active Directory deployment: Determining number of domains that are needed Reasons for creating more than one domain: Organizational Administrative Technical

22. Guide to MCSE 70-294, Enhanced22 Functions of a Domain Most important characteristic of a domain: Replication boundary Main functions of a domain include: Authentication Policy-based administration Setting account policies for user accounts Directory for publishing shared resources Administrative boundary

23. Guide to MCSE 70-294, Enhanced23 Is It a Security Boundary? User is authenticated only by his or her own domain Domain is only part of a forest Shares information about security principals Do not depend on domain as security boundary

24. Guide to MCSE 70-294, Enhanced24 Which Works Better: Single or Multiple Domains? Advantages of a single domain: Easier to manage Easier to delegate authority and apply group policies on organizational units Requires fewer hardware resources Such as domain controllers Requires fewer domain administrators Less work for current staff

25. Guide to MCSE 70-294, Enhanced25 Which Works Better: Single or Multiple Domains? (continued) Advantages of multiple domains: Each can have distinct set of Administrators Policies Data owners Provide tighter administrative control Support a decentralized administrative structure Organizational reasons Technical reasons

26. Guide to MCSE 70-294, Enhanced26 Using a Dedicated Forest Root Microsoft recommends: Forest root domain completely dedicated to managing the infrastructure of forest No regular users should be created in the forest root domain Single child domain created under forest root Handles all user and resource objects

27. Guide to MCSE 70-294, Enhanced27 Using a Dedicated Forest Root (continued) Microsoft recommends that an organization use one domain Unless business needs dictate otherwise Create domains based on geography Microsoft views Active Directory from point of view of large corporations Best practices not always best for small organizations

28. Guide to MCSE 70-294, Enhanced28 Activity 5-3: Promoting an Additional Domain Controller in an Existing Domain Objective: Learn how to promote an additional domain controller in an existing Active Directory domain Promote another domain controller to promote redundancy and performance

29. Guide to MCSE 70-294, Enhanced29 Understanding and Implementing Trust Relationships Trust relationship Gives user in one domain the ability to access resource in another No need for separate credentials for each domain Terminology Trusting domain trusts the trusted domain to authenticate a user

30. Guide to MCSE 70-294, Enhanced30 Transitive Trusts Used to determine if trust extends outside two domains in which trust is formed A trusts B, B trusts C, therefore A trusts C

31. Guide to MCSE 70-294, Enhanced31 Transitive Trusts (continued) Two-way, transitive trust Domain A trusts domain B, and domain B trusts domain A Created automatically between domains in forest Cannot be removed Trusts are established on a domain-to-domain level

32. Guide to MCSE 70-294, Enhanced32 Trust Relationships

33. Guide to MCSE 70-294, Enhanced33 Transitive Trusts (continued) Shortcut Trusts Allow quicker authentication of security credentials Points one domain directly to another Forest trusts Allow trust relationship to be established between two forests Can be one-way or two-way Transitive

34. Guide to MCSE 70-294, Enhanced34 Forest Trusts

35. Guide to MCSE 70-294, Enhanced35 Transitive Trusts (continued) Realm Trusts Used to create trust relationship between: Non-Windows Kerberos realm Windows domain Transitive or nontransitive One-way or two-way

36. Guide to MCSE 70-294, Enhanced36 Nontransitive Trusts Trust between two domains Does not extend outside two domains trust is directly between External Trusts Used between Windows Server 2003 domain and Windows NT domain One-way by default

37. Guide to MCSE 70-294, Enhanced37 Example External Trust

38. Guide to MCSE 70-294, Enhanced38 Designing Organizational Units Organizational unit (OU) Used to group objects within domain into hierarchical structure Not administrative or replication boundary Division within directory structure Allows for delegation of administration Controls scope of policy application

39. Guide to MCSE 70-294, Enhanced39 Best Practices for Designing Organizational Units OUs comparatively easy to restructure Use organizational units to organize objects Can be nested within one another Microsoft recommends that nesting not be more than 10 levels deep

40. Guide to MCSE 70-294, Enhanced40 Activity 5-4: Creating Organizational Units Objective: Learn how to create new organizational units and nested organizational units Use the Active Directory Users and Computers console to create a new OU

41. Guide to MCSE 70-294, Enhanced41 Best Practices for Designing Organizational Units Organizing Organizational Units by location Works best when administrative authority is different between locations Organizing Organizational Units by function Works best when each department or division of company has its own administrative control

42. Guide to MCSE 70-294, Enhanced42 Best Practices for Designing Organizational Units (continued) Organizing Organizational Units by location and function Allows for benefits of location-based and function- based hierarchies

43. Guide to MCSE 70-294, Enhanced43 Upgrading Windows NT or Windows 2000 Domains Number of different methods for integrating Windows Server 2003 into existing network Should understand each in order to choose best method for a given situation

44. Guide to MCSE 70-294, Enhanced44 Active Directory Functional Levels Active Directory functionality varies Depending on version of Windows used on domain controllers Domain functional levels: Windows 2000 mixed Windows 2000 native Windows Server 2003 interim Windows Server 2003

45. Guide to MCSE 70-294, Enhanced45 Active Directory Functional Levels (continued) Forest functional levels: Windows 2000 Windows Server 2003 interim Windows Server 2003

46. Guide to MCSE 70-294, Enhanced46 Upgrading Windows NT Domains Windows NT domains Not organized in tree structure like Active Directory domains Independent of one another Trust relationships are one-way, nontransitive trusts Does not perform replication between domains Replication within domain is automatic

47. Guide to MCSE 70-294, Enhanced47 Upgrading Windows NT Domains (continued) Migrating to Active Directory Must decide whether existing domain structure is adequate for needs If not, create new design Migrate existing information First domain upgraded becomes forest root domain Must be PDC

48. Guide to MCSE 70-294, Enhanced48 Upgrading Windows 2000 Domains Easy Because Active Directory has already been designed and implemented May also decide to restructure existing domains Use ADMT to migrate: Users Groups Computer accounts

49. Guide to MCSE 70-294, Enhanced49 Summary DNS name should be meaningful and represent entire operation Forest is an “instance” of Active Directory Domain is replication and administrative boundary Forest root domain is central point for trust relationships

50. Guide to MCSE 70-294, Enhanced50 Summary (continued) Trusts automatically established between domains in a forest are only created between a child domain and its parent They are two-way and transitive They can be followed up and down tree structures in forest Active Directory is capable of different functionality levels at domain and forest levels