Module 2: Designing a Directory Services Infrastructure.


Transcript of Module 2: Designing a Directory Services Infrastructure.

Page 1: Module 2: Designing a Directory Services Infrastructure.


Page 2: Agenda
- Introduction to Designing a Directory Services Infrastructure
- DNS and Active Directory
- Designing a DNS Naming Strategy for Active Directory
- Designing an Active Directory Domain
  - Designing the Initial Active Directory Domain
  - Planning for Security Groups
  - Planning for OUs
- Designing a Multiple-Domain Structure
  - Planning for Multiple-Domain Trees
  - Planning for Multiple-Tree Forests
  - Planning for Multiple Forests
- Managing Operations Master Roles

Page 3: Conducting an Organizational Analysis
- Identifying Organizational Needs
- Making Design Choices
- Planning Guidelines

Page 4: Identifying Organizational Needs
- Determine the Goals of the Organization
- Analyze the Administrative Model
- Anticipate Growth and Reorganization
- Document the Gathered Information

Page 5: Making Design Choices
- Decision Points
- Implications
- Risks and Costs
- Tradeoffs

Page 6: Planning Guidelines
- Remember Business Needs
- Maintain a Clear Vision
- Make Solid Tradeoff Decisions
- Create a Simple Design
- Test the Design

Page 7: Architectural Elements of Active Directory
- Designing a Naming Strategy
- Designing an Active Directory Domain
- Designing Multiple Domains
- Designing a Site Topology
- Designing for Delegation of Administrative Authority
- Designing for Group Policy
- Designing Schema Modifications

Page 8: Designing a Naming Strategy
- Active Directory Uses DNS as Naming Service
- Internet Presence a Determining Factor in Selecting Domain Names
Diagram: Domain Name System (DNS) serving the name nwtraders.msft.

Page 9: Designing an Active Directory Domain
- Carefully Name the First Domain
- Create OU Structure to Reflect Administrative Model
- Create OUs to Support Delegation and Group Policy
Diagram: First Domain nwtraders.msft containing a hierarchy of OUs.

Page 10: Designing Multiple Domains
- Administered Separately But May Share Resources
- More Complex To Manage
Diagram: Root domain nwtraders.msft with Child Domains us.nwtraders.msft and europe.nwtraders.msft.

Page 11: Designing a Site Topology
- Sites Define Physical Structure of Active Directory
- Use Sites to Control Network Traffic Flow
Diagram: nwtraders.msft spanning the Redmond Site and the Charlotte Site.

Page 12: Designing for Delegation of Administrative Authority
- Relieves Burden of Centralized Management
- Separates Administrative Authority from Rest of Network
Diagram: domain nwtraders.msft with child domains na.nwtraders.msft and asia.nwtraders.msft; OUs Mfg, research, HR, recruiting, training.

Page 13: Designing for Group Policy
- Group Policy Objects Apply Configurations to Sites, Domains, and OUs
- Group Policy Is Inherited In Active Directory Hierarchy
Diagram: a GPO linked at Site, Domain and OU level.

Page 14: Designing Schema Modifications
- Schema Defines Objects and Attributes in Active Directory
- Changing the Schema Can Affect the Entire Network
- Create a Schema Modification Policy to Manage Changes
Diagram: Schema.

Page 15: Agenda (repeats page 2).

Page 16: Introduction to the Role of DNS in Active Directory
Name Resolution:
- DNS translates computer names to IP addresses
- Computers use DNS to locate each other on the network
Naming Convention for Windows 2000 Domains:
- Windows 2000 uses DNS naming standards for domain names
- DNS domains and Active Directory domains share a common hierarchical naming structure
Locating the Physical Components of Active Directory:
- DNS identifies domain controllers by the services they provide
- Computers use DNS to locate domain controllers and global catalog servers

Page 17: DNS and Active Directory Namespaces
Diagram: DNS Namespace (Internet): "." (DNS root domain), com, microsoft, sales, training, computer1. Active Directory Namespace: microsoft.com, sales.microsoft.com, training.microsoft.com. Legend: DNS node (domain or computer); Active Directory domain.

Page 18: DNS Host Names and Windows 2000 Computer Names
- DNS host record and Active Directory object represent the same physical computer
- DNS allows computers to locate domain controllers within Active Directory
Diagram: DNS namespace ".", com, microsoft, sales, training, computer1; Active Directory domain training.microsoft.com with containers Builtin and Computers (Computer1, Computer2).
FQDN = computer1.training.microsoft.com; Windows 2000 Computer Name = Computer1
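Pages 16 through 18 say that clients find domain controllers and global catalog servers through the service records DNS holds for them, and that the host record and the computer object describe the same machine. The following is an added example written for this transcript, not code from the course or from Microsoft: it parses SRV records in zone-file form, builds the names a client queries for a DC, a KDC and a GC, and orders the answers as RFC 2782 prescribes. The SRV owner names are the ones Active Directory registers under _msdcs; the answer set, the dcbackup host and the 600-second TTL are constructed sample data.

```python
"""Finding domain controllers through DNS, as on pages 16-18.

Added example, not from the course. The SRV record names are the ones
Active Directory registers under _msdcs; the answer set below is
constructed sample data in zone-file form.
"""
import random
import re
from dataclasses import dataclass

# "<owner> <ttl> IN SRV <priority> <weight> <port> <target>"
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


@dataclass(frozen=True)
class SrvRecord:
    name: str       # SRV owner name, e.g. _ldap._tcp.dc._msdcs.<domain>
    priority: int   # lower is preferred (RFC 2782)
    weight: int     # share of traffic among targets of equal priority
    port: int
    target: str     # host name of the domain controller


def parse_srv(line: str) -> SrvRecord:
    """Parse one SRV resource record in zone-file syntax."""
    m = SRV_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV record: {line!r}")
    return SrvRecord(m["name"].rstrip(".").lower(), int(m["prio"]), int(m["weight"]),
                     int(m["port"]), m["target"].rstrip(".").lower())


def fqdn(computer_name: str, dns_domain: str) -> str:
    """DNS host name of a computer object: the computer name in lower case
    joined to the domain name (Computer1 -> computer1.training.microsoft.com)."""
    return f"{computer_name.lower()}.{dns_domain.lower().rstrip('.')}"


def locator_names(dns_domain: str, forest_root: str, site: str = None) -> dict:
    """SRV names a client queries for a DC, a KDC and a global catalog server.
    Site-specific names are listed first so the client prefers a nearby
    server; GC records are registered under the forest root name."""
    d, f = dns_domain.lower(), forest_root.lower()
    names = {
        "dc":  [f"_ldap._tcp.dc._msdcs.{d}"],
        "kdc": [f"_kerberos._tcp.dc._msdcs.{d}"],
        "gc":  [f"_ldap._tcp.gc._msdcs.{f}", f"_gc._tcp.{f}"],
    }
    if site:
        s = site.lower()
        names["dc"].insert(0, f"_ldap._tcp.{s}._sites.dc._msdcs.{d}")
        names["kdc"].insert(0, f"_kerberos._tcp.{s}._sites.dc._msdcs.{d}")
        names["gc"].insert(0, f"_ldap._tcp.{s}._sites.gc._msdcs.{f}")
    return names


def order_targets(records, seed=None):
    """RFC 2782 selection: ascending priority, weighted random draw within a
    priority; zero-weight targets go last (a simplification of the RFC's
    'very small chance')."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio and r.weight > 0]
        zeros = [r for r in records if r.priority == prio and r.weight == 0]
        while pool:
            pick = rng.choices(pool, weights=[r.weight for r in pool])[0]
            ordered.append(pick)
            pool.remove(pick)
        ordered.extend(zeros)
    return ordered


def find_service(answers, srv_name: str, seed=None):
    """(target, port) pairs to try, in order, for one SRV name."""
    recs = [r for r in answers if r.name == srv_name.lower().rstrip(".")]
    return [(r.target, r.port) for r in order_targets(recs, seed)]


# Constructed answer set for the training.microsoft.com domain of page 18.
SAMPLE_ANSWERS = [parse_srv(line) for line in """
_ldap._tcp.dc._msdcs.training.microsoft.com. 600 IN SRV 0 100 389 computer1.training.microsoft.com.
_ldap._tcp.dc._msdcs.training.microsoft.com. 600 IN SRV 0 100 389 computer2.training.microsoft.com.
_ldap._tcp.dc._msdcs.training.microsoft.com. 600 IN SRV 10 0 389 dcbackup.training.microsoft.com.
_gc._tcp.microsoft.com. 600 IN SRV 0 100 3268 computer1.training.microsoft.com.
""".strip().splitlines()]

if __name__ == "__main__":
    print(fqdn("Computer1", "training.microsoft.com"))
    print(locator_names("training.microsoft.com", "microsoft.com", site="Redmond")["dc"])
    print(find_service(SAMPLE_ANSWERS, "_ldap._tcp.dc._msdcs.training.microsoft.com", seed=1))
```

Run as a script it prints the host name for Computer1, the site-first lookup list for a client in a Redmond site, and a try-order for the sample answers. A client that follows that order contacts one of the priority-0 controllers first and falls back to dcbackup only when both fail, which is why the registration of SRV records (and their site-specific variants) is what makes a newly promoted domain controller findable at all.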

Page 19: Agenda (repeats page 2).

Page 20: Identifying Business Needs
Main Business Needs that Impact a Naming Strategy:
- Intended Scope of Active Directory
- Internet Presence

Page 21: Distinguishing Between DNS and Active Directory
Diagram: Domain Name System (DNS) and Active Directory, both carrying the name contoso.msft.
- DNS Servers Store Resource Records
- Active Directory Servers Store Domain Objects

Page 22: Planning Active Directory Domain Names
- Determining the Scope of Active Directory
- Designing the Naming Hierarchy
- Choosing Active Directory Domain Names

Page 23: Determining the Scope of Active Directory
DNS Name Should Represent Entire Organization:
- Headquarters
- Branch Locations
- Business Partners
Active Directory Name Can Be Internet Name:
- Register Name with ICANN

Page 24: Designing the Naming Hierarchy
Diagram: Root contoso.msft (DNS Name: contoso.msft) with Child domains namerica.contoso.msft (DNS Name: namerica.contoso.msft) and europe.contoso.msft (DNS Name: europe.contoso.msft).

Page 25: Choosing Active Directory Domain Names
- Choose a Root Domain Name Unique to the Internet
- Conform to DNS Naming Regulations
- Register Your DNS Domain Name
- Choose Meaningful, Stable, Scalable Names
- Use An Existing DNS Domain Name

Page 26: Designing a DNS Naming Strategy for Active Directory
- Making Initial Naming Decisions
- Using a Delegated Subdomain Name for the Internal Network
- Using a Single DNS Name for Public and Private Networks
- Using a Different DNS Name for Public and Private Networks
- Design Guidelines

Page 27: Making Initial Naming Decisions
- Registering the DNS Root Name
- Designing with an Existing DNS Implementation
- Determining Internal and External Naming Strategies
- Meeting Requirements of the DNS Design
- Assuring Client Name Resolution

Page 28: Using a Delegated Subdomain Name for the Internal Network
Diagram: Zone 1 (contoso.msft) | Firewall | Zone 2 (ad.contoso.msft)
- Create a New DNS Zone in New Domain
- Configure Authoritative DNS Server in Existing DNS Domain to Delegate to New Domain
- Create Active Directory Forest Root in New Domain

Page 29: Using a Single DNS Domain Name for Public and Private Networks
Diagram: Private Internal Network: Zone for contoso.msft with internal servers | Firewall | Public Internet: Zone for contoso.msft without internal servers

Page 30: Using a Different DNS Name for Public and Private Networks
Diagram: Public Internet: Zone for contoso.msft without internal servers | Firewall | Private Internal Network: Zone for contosoltd.msft

Page 31: Design Guidelines
Naming Strategies Include:
- Delegated Subdomain for the Internal Network
- Single DNS Name for Public and Private Networks
- Different DNS Name for Public and Private Networks
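The three strategies on pages 28 through 31 differ in what an Internet client can resolve compared with an internal client, and in how much of the zone data has to be maintained twice. The following is an added example written for this transcript, not code from the course: a small authoritative-lookup model in which the firewall is expressed as the set of DNS servers each side can reach, and a resolver that follows a delegation only if the delegated server is reachable. The hosts (www, dc1), addresses and zone contents are constructed; the zone names are the ones on the slides.

```python
"""The three naming strategies of pages 28-31 as resolvable DNS data: what an
internal client and an Internet client each get back for the same names.

Added example, not course material. Hosts, addresses and zone contents are
constructed; the firewall is modelled as which servers each client can reach."""
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"
UNREACHABLE = "delegated server unreachable"


@dataclass
class Zone:
    origin: str
    hosts: dict                                     # host label -> A record
    delegations: set = field(default_factory=set)   # child zones served elsewhere


@dataclass
class DnsServer:
    zones: list
    reachable_from: set                             # subset of {"internal", "internet"}


def _in_zone(name, origin):
    return name == origin or name.endswith("." + origin)


def _authoritative(servers, name, view):
    """Longest-matching zone on any server the client's side of the firewall can reach."""
    best = None
    for srv in servers:
        if view not in srv.reachable_from:
            continue
        for zone in srv.zones:
            if _in_zone(name, zone.origin) and (best is None or zone.origin.count(".") > best.origin.count(".")):
                best = zone
    return best


def resolve(servers, name, view):
    """Answer for `name` as seen from `view` ("internal" or "internet")."""
    name = name.lower().rstrip(".")
    zone = _authoritative(servers, name, view)
    if zone is None:
        return NXDOMAIN
    label = "" if name == zone.origin else name[: -len(zone.origin) - 1]
    if label in zone.hosts:
        return zone.hosts[label]
    if any(_in_zone(name, child) for child in zone.delegations):
        return UNREACHABLE   # the delegation exists, but the server it names is behind the firewall
    return NXDOMAIN


def delegated_subdomain():
    """Page 28: public contoso.msft delegates ad.contoso.msft to an internal server."""
    public = DnsServer([Zone("contoso.msft", {"www": "203.0.113.10"}, {"ad.contoso.msft"})], {"internet", "internal"})
    internal = DnsServer([Zone("ad.contoso.msft", {"dc1": "10.0.0.5"})], {"internal"})
    return [public, internal]


def single_name():
    """Page 29: two zones named contoso.msft; the internal copy also carries the
    internal servers and must duplicate every public record internal clients need."""
    public = DnsServer([Zone("contoso.msft", {"www": "203.0.113.10"})], {"internet"})
    internal = DnsServer([Zone("contoso.msft", {"www": "203.0.113.10", "dc1": "10.0.0.5"})], {"internal"})
    return [public, internal]


def different_names():
    """Page 30: contosoltd.msft inside, contoso.msft outside; no record is shared."""
    public = DnsServer([Zone("contoso.msft", {"www": "203.0.113.10"})], {"internet", "internal"})
    internal = DnsServer([Zone("contosoltd.msft", {"dc1": "10.0.0.5"})], {"internal"})
    return [public, internal]


def exposure(strategy):
    """What an Internet client gets back for every name held only on internal servers."""
    servers = strategy()
    internal_names = [f"{label}.{z.origin}" for s in servers if s.reachable_from == {"internal"}
                      for z in s.zones for label in z.hosts]
    return {n: resolve(servers, n, "internet") for n in internal_names}


if __name__ == "__main__":
    for strategy in (delegated_subdomain, single_name, different_names):
        print(strategy.__name__, exposure(strategy))
```

The check worth keeping from this model is `exposure`: for each design it lists the internal names and what the outside world learns about them. With the delegated subdomain, the public zone does advertise that ad.contoso.msft exists even though the delegated server cannot be reached; with the other two designs the public zone holds no trace of the internal names, at the cost (in the single-name case) of maintaining the public records in both zones.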

Page 32: Agenda (repeats page 2).

Page 33: Identifying Business Needs
Before Designing a Domain, You Should:
- Identify Administrative Strategy
- Identify Security Needs
- Plan for Growth and Flexibility

Page 34: Designing the Initial Active Directory Domain
Diagram: Active Directory; First Domain nwtraders.msft containing a hierarchy of OUs.

Page 35: Planning for Security Groups
- Deciding Which Security Group to Use
- Planning for Nested Groups
- Design Guidelines

Page 36: Deciding Which Security Group to Use

Group scope          Members                          Use for access to resources
Domain Local Group   from any domain in the forest    in one domain
Global Group         from own domain only             in any domain
Universal Group      from any domain in the forest    in any domain

Page 37: Planning for Nested Groups
When Nesting, You Should:
- Minimize Levels of Nesting
- Document Group Membership
Diagram: Worldwide Managers Group containing Northeast Managers, Mid-Atlantic Managers and Southwest Managers.

Page 38: Design Guidelines
- Add Users to Global Groups
- Add Global Groups to Domain Local Groups
- Assign Permissions to Domain Local Groups
Diagram labels: Payroll Clerks, HR Clerks, HR Managers, Human Resources, Benefits, HR Admins; permissions: Change, Full Control.

Page 39: Planning for OUs
- Planning Upper-Level OU Strategies
- Planning Lower-Level OU Strategies
- Design Guidelines

Page 40: Planning Upper-Level OU Strategies
Diagram: Root Domain nwtraders.msft. First Level OUs: North America, Asia. Second Level OUs: Canada, Mexico, Japan, China. Third Level OUs: Sales, HR; Mfg, HR; Sales, HR; IT, HR.

Page 41: Planning Lower-Level OU Strategies
Diagram: the same OU hierarchy as on page 40 (Root Domain nwtraders.msft with First, Second and Third Level OUs).

Page 42: Design Guidelines
When Designing the OU Structure:
- Choose Stable Upper-Level OU Names That Are Meaningful to Administrators
- Create Lower-Level OUs to Support Group Policy
- Test the OU Structure and Make Changes Based On Evaluation

Page 43: Agenda (repeats page 2).

Page 44: Characteristics of Multiple Domains
- Reduce Replication Traffic
- Maintain Separate and Distinct Security Policies Between Domains
- Preserve the Domain Structure of Earlier Versions of Windows NT
- Separate Administrative Control

Page 45: Transitive Trusts in Windows 2000
Domain Trusts: Created by default; Transitive; Two-Way
Diagram: Forest. Tree One: Forest Root Domain Domain A with child domains Domain B and Domain C (Parent-Child Trusts). Tree Two: Domain 1, joined to Domain A by a Tree-Root Trust.

Page 46: How Trusts Work
Diagram: Forest. Tree One: Forest Root Domain Domain A, Domain B, Domain C. Tree Two: Tree Root Domain Domain 1, Domain 2. Labels: User, Trusted Domain, Trusting Domain.

Page 47: How Kerberos V5 Works
Diagram: Forest Root Domain contoso.msft (KDC); marketing.contoso.msft; nwtraders.msft (KDC); sales.nwtraders.msft (KDC); Client; Server. Kerberos Authentication, steps 1 to 5; Session Ticket.

Page 48: Shortcut Trusts in Windows 2000
Diagram: the same forest as on page 46 (Tree One: Forest Root Domain Domain A, Domain B, Domain C; Tree Two: Tree Root Domain Domain 1, Domain 2; Trusted Domain, Trusting Domain) with a Shortcut Trust added.

Page 49: Nontransitive Trusts in Windows 2000
Nontransitive Trusts: Manually created; One-way
A Nontransitive Trust Exists Between:
- A Windows 2000 domain and a Windows NT domain
- Two Windows 2000 domains in two forests
- A Windows 2000 domain and a Kerberos V5 realm
Diagram: Forest contoso.msft with sales.contoso.msft and marketing.contoso.msft; a Nontransitive Trust to a Domain outside the forest.
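Pages 45 through 49 describe trusts as a graph: parent-child and tree-root trusts are two-way and transitive, a shortcut trust is added by hand to cut the walk to the root short, and a nontransitive external trust is one-way and reaches no further than the two domains it joins. The page 47 diagram shows the consequence for Kerberos: a client is referred from KDC to KDC along that path. The following is an added example written for this transcript, not code from the course: it builds the forest drawn on the slides, computes the shortest trust path by breadth-first search, and checks how a shortcut and an external trust change what is reachable. The contoso.msft domain used for the external trust stands in for the outside forest of page 49.

```python
"""Trust paths in the forest drawn on pages 45-48, plus the nontransitive
external trust of page 49. Added example, not course material; the trust
graph is constructed from the domain names on the slides.

A Kerberos client whose account lives in one domain and who wants a
service in another is referred from KDC to KDC along the trust path, so the
path length is the number of referrals the client has to follow."""
from collections import deque


class TrustGraph:
    def __init__(self):
        self.edges = {}   # account_domain -> {resource_domain: "transitive" | "nontransitive"}

    def _link(self, src, dst, kind):
        self.edges.setdefault(src, {})[dst] = kind
        self.edges.setdefault(dst, {})

    def parent_child(self, parent, child):
        """Created automatically when a child domain joins a tree: two-way, transitive."""
        self._link(parent, child, "transitive")
        self._link(child, parent, "transitive")

    def tree_root(self, forest_root, new_tree_root):
        """Created automatically when a new tree joins the forest: two-way, transitive."""
        self.parent_child(forest_root, new_tree_root)

    def shortcut(self, a, b):
        """Manually created transitive trust that bypasses the walk to the root."""
        self.parent_child(a, b)

    def external(self, trusting, trusted):
        """Manually created one-way nontransitive trust: accounts in `trusted`
        may be authenticated for resources in `trusting`, and nowhere beyond."""
        self._link(trusted, trusting, "nontransitive")

    def trust_path(self, account_domain, resource_domain):
        """Domains crossed from the account domain to the resource domain, or
        None when no trust chain reaches it. A nontransitive trust counts only
        as a direct hop; transitive ones are searched breadth-first, so the
        shortest chain wins (which is what a shortcut trust buys)."""
        if account_domain == resource_domain:
            return [account_domain]
        if self.edges.get(account_domain, {}).get(resource_domain) == "nontransitive":
            return [account_domain, resource_domain]
        prev = {account_domain: None}
        queue = deque([account_domain])
        while queue:
            cur = queue.popleft()
            for nxt, kind in self.edges.get(cur, {}).items():
                if kind != "transitive" or nxt in prev:
                    continue
                prev[nxt] = cur
                if nxt == resource_domain:
                    path = [nxt]
                    while prev[path[-1]] is not None:
                        path.append(prev[path[-1]])
                    return path[::-1]
                queue.append(nxt)
        return None


def slide_forest():
    """Forest of pages 45-48: tree one is Domain A (forest root) with children
    B and C; tree two is Domain 1 (tree root) with child Domain 2."""
    g = TrustGraph()
    g.parent_child("Domain A", "Domain B")
    g.parent_child("Domain A", "Domain C")
    g.tree_root("Domain A", "Domain 1")
    g.parent_child("Domain 1", "Domain 2")
    return g


def referrals(graph, account_domain, resource_domain):
    """Number of trust links crossed, or None if unreachable."""
    path = graph.trust_path(account_domain, resource_domain)
    return None if path is None else len(path) - 1


if __name__ == "__main__":
    g = slide_forest()
    print("before shortcut:", g.trust_path("Domain 2", "Domain C"))
    g.shortcut("Domain 2", "Domain C")
    print("after shortcut: ", g.trust_path("Domain 2", "Domain C"))
    g.external(trusting="Domain B", trusted="contoso.msft")
    print("external, one hop further:", g.trust_path("contoso.msft", "Domain C"))
```

A user from Domain 2 reaching a server in Domain C is referred three times (Domain 1, Domain A, Domain C) until the shortcut trust reduces that to one. The external trust from contoso.msft into Domain B authenticates contoso.msft accounts in Domain B only: the search returns None for Domain C, and None in the reverse direction, which is the "one-way" and "nontransitive" of page 49 made checkable.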

Page 50: The Global Catalog
- The Global Catalog and the Logon Process
- Creating a Global Catalog Server

Page 51: The Global Catalog and the Logon Process
Global Catalog Provides:
- Universal group membership information for the account
- Domain information when using user principal names during logon
Diagram: User Logon; several domains; Global Catalog Server.

Page 52: Problem: Logon and GC Dependency
During the logon process the security access token is constructed.
Security Access Token: User SID; Group SIDs
- Membership details in logon domain: Builtin, Domain Local, Global
- Membership details in GC: Universal
A user's universal group membership changes by:
- Adding the user to a universal group
- Adding a global group of which the user is a member
- Nesting appropriate global and universal groups

Page 53: Strategies for Using Groups in Trees and Forests
- Universal Groups and Replication
- Nesting Strategy Using Universal Groups

Page 54: Universal Groups and Replication
Diagram: Universal Group; Global Catalog Server. All Membership Changes in the Universal Group Are Updated in the Global Catalog ... And Replicated to All Global Catalog Servers in the Forest.
Reduce Replication Traffic by Minimizing:
- The use of universal groups, to limit replication to a domain
- The membership in universal groups to other groups rather than user accounts
- Changes to the membership, to reduce the frequency of replication

Page 55: Nesting Strategy Using Universal Groups
- Add User Accounts into Global Groups
- Add Global Groups from Each Domain into Universal Groups
- Nest Global Groups (optional)
- Add Universal Groups into Domain Local Groups in Each Domain
- Assign Permissions to the Domain Local Group in Each Domain
Diagram labels per step: Users, Global Group; Global Group, Universal Group; Global Group, Global Group; Universal Group, Domain Local Group (DLG); Domain Local Group, Permissions.
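Pages 36 through 38 give the scope rules and the users-to-global-to-domain-local pattern; pages 52, 54 and 55 add the forest-wide layer: universal group membership is read from the global catalog when the token is built, every universal membership change replicates to every GC in the forest, and the recommended nesting is global groups per domain into universal groups into domain local groups per domain. The following is an added example written for this transcript, not code from the course, that turns those rules into checks over a constructed two-domain forest (nwtraders and europe, standing for nwtraders.msft and europe.nwtraders.msft). The slide table states only where members may come from; the containment rules the checker applies (a global group holds users and global groups of its own domain; a universal group holds users, global and universal groups from any domain; a domain local group holds those plus domain local groups of its own domain) are the Windows 2000 native-mode rules and are an assumption of this example, as are the users, group names and SIDs.

```python
"""Group-design checks for pages 36-38 (group scopes, nesting, AGDLP) and
pages 52-55 (token construction, universal groups, the GC, AGUDLP).

Added example, not course material. The forest, users and SIDs are
constructed. The slide table gives only where members may come from; the
full containment rules used here are the Windows 2000 native-mode rules,
an assumption stated here rather than on the page."""
from dataclasses import dataclass, field


@dataclass
class Principal:
    name: str                      # "domain\\name"
    domain: str
    sid: str
    scope: str = "user"            # user | global | universal | domain_local
    members: list = field(default_factory=list)   # member names


class Forest:
    def __init__(self):
        self.by_name = {}

    def add(self, *principals):
        for p in principals:
            self.by_name[p.name] = p

    @staticmethod
    def may_contain(group, member):
        """Native-mode containment rules (assumption, see module docstring)."""
        same = group.domain == member.domain
        if group.scope == "global":        # own domain only: users and global groups
            return same and member.scope in ("user", "global")
        if group.scope == "universal":     # any domain: users, global, universal
            return member.scope in ("user", "global", "universal")
        if group.scope == "domain_local":  # any domain, plus own-domain domain locals
            return member.scope in ("user", "global", "universal") or (same and member.scope == "domain_local")
        return False

    def violations(self):
        return [f"{g.name} ({g.scope}) cannot contain {m} ({self.by_name[m].scope}, {self.by_name[m].domain})"
                for g in self.by_name.values() for m in g.members
                if not self.may_contain(g, self.by_name[m])]

    def groups_containing(self, name):
        return [g for g in self.by_name.values() if name in g.members]

    def nesting_depth(self, group_name):
        """0 = only users inside; each layer of nested groups adds one (page 37)."""
        inner = [m for m in self.by_name[group_name].members if self.by_name[m].scope != "user"]
        return 0 if not inner else 1 + max(self.nesting_depth(m) for m in inner)

    def token_groups(self, user_name, gc_available=True):
        """Group SIDs placed in the access token at logon (page 52): global
        groups and the logon domain's domain local groups come from the logon
        domain, universal memberships from the global catalog. Domain local
        groups of other domains are added only when a resource there is
        accessed, so they are left out. Without a GC the token cannot be
        completed, which is the logon dependency the slide title refers to."""
        if not gc_available:
            raise LookupError("no global catalog: universal group membership cannot be evaluated")
        user = self.by_name[user_name]
        found, todo = {}, [user_name]
        while todo:
            cur = todo.pop()
            for g in self.groups_containing(cur):
                if g.name in found or (g.scope == "domain_local" and g.domain != user.domain):
                    continue
                found[g.name] = g.sid
                todo.append(g.name)
        return sorted(found.values())

    def replication_scope(self, group_name):
        """Where a membership change is replicated to (page 54)."""
        g = self.by_name[group_name]
        if g.scope == "universal":
            return "all global catalog servers in the forest"
        return f"domain controllers of {g.domain}"


def permission_violations(forest, acl):
    """AGDLP / AGUDLP: permissions belong on domain local groups only.
    acl maps a resource to the groups granted access."""
    return [f"{res}: {g} is {forest.by_name[g].scope}"
            for res, groups in acl.items() for g in groups
            if forest.by_name[g].scope != "domain_local"]


def sample_forest():
    """Constructed two-domain forest following the page 55 pattern:
    users -> global (per domain) -> universal -> domain local (per domain)."""
    f = Forest()
    nw, eu = "nwtraders", "europe"          # nwtraders.msft and europe.nwtraders.msft
    f.add(Principal(f"{nw}\\alice", nw, "S-1-5-21-1000-1000-1000-1105"),
          Principal(f"{eu}\\bob", eu, "S-1-5-21-2000-2000-2000-1210"),
          Principal(f"{nw}\\HR Managers", nw, "S-1-5-21-1000-1000-1000-1301", "global", [f"{nw}\\alice"]),
          Principal(f"{eu}\\HR Managers", eu, "S-1-5-21-2000-2000-2000-1302", "global", [f"{eu}\\bob"]),
          Principal(f"{nw}\\Worldwide Managers", nw, "S-1-5-21-1000-1000-1000-1400", "universal",
                    [f"{nw}\\HR Managers", f"{eu}\\HR Managers"]),
          Principal(f"{nw}\\HR Share Access", nw, "S-1-5-21-1000-1000-1000-1500", "domain_local",
                    [f"{nw}\\Worldwide Managers"]),
          Principal(f"{eu}\\HR Share Access", eu, "S-1-5-21-2000-2000-2000-1501", "domain_local",
                    [f"{nw}\\Worldwide Managers"]))
    return f


def broken_forest():
    """Same forest plus a global group that reaches into another domain."""
    f = sample_forest()
    f.add(Principal("nwtraders\\All HR", "nwtraders", "S-1-5-21-1000-1000-1000-1600", "global",
                    ["nwtraders\\alice", "europe\\bob"]))
    return f
```

`violations` catches the scope mistake that a design review most often finds (a global group built as if it could span domains), `nesting_depth` gives a number to the "minimize levels of nesting" guideline, `permission_violations` flags any ACL entry that is not a domain local group, and `replication_scope` shows why the universal layer should hold groups rather than users: each change to it is replicated to every global catalog server in the forest, while a change to a global or domain local group stays within its domain.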

Page 56: Identifying Business Needs
- Reasons to Maintain a Single Domain
- Reasons to Create Multiple Domains
- Reasons for a Multiple-Tree Forest
- Reasons for Multiple Forests

Page 57: Reasons to Maintain a Single Domain
- Ease of Management
- Easier Delegation
- Fewer Members in Domain Admins Group
- Object Capacity Same as Multiple Domain Structure
Diagram: one domain containing a hierarchy of OUs.

Page 58: Reasons to Create Multiple Domains
Reasons for Using a Multiple-Domain Tree:
- Distinct domain-level policies
- Tighter administrative control
- Decentralized administration
- Separation and control of affiliate relationships
- Reduced replication traffic
Diagram: several domains, each containing a hierarchy of OUs.

Page 59: Planning for Multiple-Domain Trees
- Characteristics of Multiple-Domain Trees
- Creating an Empty Root Domain
- Design Guidelines

Page 60: Characteristics of Multiple-Domain Trees
Diagram: Root nwtraders.msft; Child Domains us.nwtraders.msft and europe.nwtraders.msft; Child Domain sales.us.nwtraders.msft under us.nwtraders.msft.
Transitive Trusts Exist Between All Domains

Page 61: Creating an Empty Root Domain
Diagram: Root nwtraders.msft; Child Domains usa.nwtraders.msft and europe.nwtraders.msft.
Enterprise Admin is Sole User in Root Domain

Page 62: Design Guidelines
Design Needs that May Require a Multiple-Domain Tree:
- Distinct Security Boundaries
- Bandwidth Constraints on WAN Links
- Legal Reasons for Separate Domains
- Distinct Domain-Level Group Policy Settings

Page 63: Planning for Multiple-Tree Forests
- Characteristics of Multiple-Tree Forests
- Design Guidelines

Page 64: Characteristics of a Multiple-Tree Forest
Diagram: Tree 1: Root contoso.msft with Child domains domain2.contoso.msft and domain3.contoso.msft. Tree 2: Root nwtraders.msft with Child domainA.nwtraders.msft and its Child domainB.domainA.nwtraders.msft.
Transitive Trust Relationship Created Between Roots

Page 65: Design Guidelines
Consider Using a Multiple-Tree Forest When You Need:
- Distinct DNS Names for Public Identities
- Centralized Control Among All Active Directory Trees and Domains

Page 66: Planning for Multiple Forests
- Characteristics of Multiple Forests
- Design Guidelines

Page 67: Characteristics of Multiple Forests
Diagram: two separate forests. Tree 1: Root contoso.msft with Child domains domain2.contoso.msft and domain3.contoso.msft. Tree 2: Root nwtraders.msft with Child domainA.nwtraders.msft and its Child domainB.domainA.nwtraders.msft.
One-Way External Trusts Established Among Specified Domains Only

Page 68: Module 2: Designing a Directory Services Infrastructure.

Design Guidelines

Design Multiple Forests When:

You Do Not Want a Common Schema
You Do Not Want a Global Directory
You Need Limited Partner or Affiliate Relationships
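The two slides above describe two trust designs: transitive trusts between tree roots inside one forest, and one-way external trusts between specified domains of separate forests. The following PowerShell report, added here and not part of the course material, classifies each trust the domain holds against those designs; it assumes the ActiveDirectory (RSAT) module and a domain-joined session with read access, and the function name Get-TrustDesignReport is a hypothetical one chosen for this example.

```powershell
# Added example: classify existing trusts against the multiple-tree forest
# and multiple-forest designs. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-TrustDesignReport {
    Get-ADTrust -Filter * | ForEach-Object {
        $kind = if ($_.IntraForest) {
            # Trusts inside one forest (tree-root and parent/child) are two-way and transitive
            if ($_.IsTreeRoot) { 'Tree-root trust (multiple-tree forest)' }
            else               { 'Parent/child trust' }
        } elseif ($_.ForestTransitive) {
            'Forest trust'
        } else {
            'External trust (multiple forests)'
        }

        # The multiple-forest design on the slide uses one-way external trusts among
        # specified domains only, so two-way or unfiltered external trusts get a note.
        $note = if ($kind -like 'External*' -and $_.Direction -eq 'BiDirectional') {
            'two-way external trust; confirm both directions are required'
        } elseif ($kind -like 'External*' -and -not $_.SIDFilteringQuarantined) {
            'SID filtering (quarantine) is disabled on this external trust'
        }

        [pscustomobject]@{
            Partner   = $_.Target
            Kind      = $kind
            Direction = $_.Direction
            Note      = $note
        }
    }
}

Get-TrustDesignReport | Format-Table -AutoSize
```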

Page 69: Module 2: Designing a Directory Services Infrastructure.

Agenda

Introduction to Designing a Directory Services Infrastructure
DNS and Active Directory
Designing a DNS Naming Strategy for Active Directory
Designing an Active Directory Domain
Designing the Initial Active Directory Domain
Planning for Security Groups
Planning for OUs
Designing a Multiple-Domain Structure
Planning for Multiple-Domain Trees
Planning for Multiple-Tree Forests
Planning for Multiple Forests
Managing Operations Master Roles

Page 70: Module 2: Designing a Directory Services Infrastructure.

Introduction to Operations Masters

Only a Domain Controller That Holds a Specific Operations Master Role Can Perform the Associated Active Directory Changes
Changes Made by an Operations Master Are Replicated to Other Domain Controllers
Any Domain Controller Can Hold an Operations Master Role
Operations Master Roles Can Be Moved to Other Domain Controllers

[Diagram: an Operations Master performing single master operations, with replication out to the other domain controllers]

Page 71: Module 2: Designing a Directory Services Infrastructure.

Operations Master Roles

Operations Master Default Locations
Schema Master
Domain Naming Master
PDC Emulator
RID Master
Infrastructure Master

Page 72: Module 2: Designing a Directory Services Infrastructure.

Operations Master Default Locations

First Domain Controller in the Forest Root Domain:
Forest-wide Roles: Schema master, Domain naming master
Domain-wide Roles: RID master, PDC emulator, Infrastructure master

[Diagram: a second domain showing its own domain-wide roles: RID master, PDC emulator, Infrastructure master]

Page 73: Module 2: Designing a Directory Services Infrastructure.

Schema Master

Controls All Updates to the Schema
Replicates Updates to All Domain Controllers in the Forest
Allows Only the Members of the Schema Admin Group to Make Modifications to the Schema

[Diagram: the Schema Master replicating schema updates]

Page 74: Module 2: Designing a Directory Services Infrastructure.

Domain Naming Master

Controls the Addition or Removal of Domains in the Forest

[Diagram: the Domain Naming Master, which is also a Global Catalog Server, adding a New Domain]

Page 75: Module 2: Designing a Directory Services Infrastructure.

PDC Emulator

Acts As a PDC to Support Windows NT BDCs and Pre-Windows 2000-based Client Computers
Updates Password Changes from Pre-Windows 2000-based Client Computers
Minimizes Replication Latency for Password Changes for Windows 2000-based Client Computers
Manages Time Synchronization
Prevents the Possibility of Overwriting GPOs

[Diagram: the PDC Emulator serving a client computer running a pre-Windows 2000 version of Windows and a Windows NT BDC]

Page 76: Module 2: Designing a Directory Services Infrastructure.

RID Master

Allocates Blocks of RIDs to Each Domain Controller in Its Domain
Prevents Object Duplication if Objects Move from One Domain Controller to Another

Object SID = Domain SID + RID

[Diagram: RID allocation, with the RID Master handing a block of RIDs to each domain controller and objects moving between domain controllers]

Page 77: Module 2: Designing a Directory Services Infrastructure.

Infrastructure Master

Updates References to Objects and Group Memberships from Other Domains

[Diagram: a global group nested into a domain local group; when a member object moves, the Infrastructure Master updates the group membership list so the entry (GUID, SID) receives the object's new DN]

Page 78: Module 2: Designing a Directory Services Infrastructure.

Operations Masters Dependencies

Forest wide operations master roles
Schema master: low performance impact
Domain naming master: low performance impact, must be GC

Domain wide operations master roles
PDC operations master: low performance impact (root domain only)
RID pool operations master: low performance impact
Infrastructure master: low performance impact, must not be a GC

Best practice
First DC in forest root domain is a GC and has all operations master roles by default
Leave GC service and forest wide operations master roles on first DC
Do not add GC service to second DC in forest root domain, and move all domain wide operations master roles to second DC
Monitor these two DCs very closely
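The placement rules above (domain naming master on a GC, infrastructure master not on a GC, the PDC emulator online) can be checked from a management workstation. This PowerShell report is an added example, not course material; it assumes the ActiveDirectory (RSAT) module, read access to the forest, and uses the hypothetical function name Get-OperationsMasterReport.

```powershell
# Added example: report each operations master, whether its holder is a GC and
# reachable, and flag placements that contradict the dependency slide.
Import-Module ActiveDirectory

function Get-OperationsMasterReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles come from the forest object, domain-wide from the domain object
    $roles = [ordered]@{
        'Schema master'         = $forest.SchemaMaster
        'Domain naming master'  = $forest.DomainNamingMaster
        'PDC emulator'          = $dom.PDCEmulator
        'RID master'            = $dom.RIDMaster
        'Infrastructure master' = $dom.InfrastructureMaster
    }

    foreach ($r in $roles.GetEnumerator()) {
        $dc = Get-ADDomainController -Identity $r.Value
        $note = switch ($r.Key) {
            'Domain naming master' {
                if (-not $dc.IsGlobalCatalog) { 'must be a GC' }
            }
            'Infrastructure master' {
                # A GC holds every object, so it never sees the stale cross-domain
                # references it would have to fix (exception: every DC in the domain is a GC)
                if ($dc.IsGlobalCatalog) { 'must not be a GC' }
            }
        }
        [pscustomobject]@{
            Role   = $r.Key
            Holder = $dc.HostName
            IsGC   = $dc.IsGlobalCatalog
            Online = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet
            Note   = $note
        }
    }
}

Get-OperationsMasterReport | Format-Table -AutoSize
```

Run it for each domain (`-Domain child.example.test`) to see the domain-wide roles of child domains; an offline PDC emulator shows up as `Online = False`.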

Page 79: Module 2: Designing a Directory Services Infrastructure.

Operations Master Offline Scenarios

If you don't need the operations master online, do nothing
Having the Schema, Domain Naming master and Infrastructure master off-line for a short time does not affect the DS
RID pool owner should be brought back within hours, but bulk operations (migrations) might need it earlier
PDC emulator must be online

If operations master down-time is planned and either very long, or the master is needed, transfer the operations master role

Only seize operations master roles if the original operations master can never be brought back, or the role is needed urgently
The OS installation of the original operations master can never come back online anymore
Server has to be re-installed, but the same name can be reused again
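The transfer-versus-seize rule above maps directly onto Move-ADDirectoryServerOperationMasterRole, which transfers by default and seizes only with -Force. The helper below is an added example, not course material; it assumes the ActiveDirectory module, Enterprise Admin or Domain Admin rights as the role requires, and the hypothetical function name Move-OperationsMasterRole.

```powershell
# Added example: transfer a role while its holder is reachable, and seize it
# only when the operator confirms the original holder will never return.
Import-Module ActiveDirectory

function Move-OperationsMasterRole {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role,
        # Set this only after confirming the old holder can never come back online
        [switch]$OriginalHolderIsGone
    )

    $forest = Get-ADForest
    $domain = Get-ADDomain
    $current = switch ($Role) {
        'SchemaMaster'       { $forest.SchemaMaster }
        'DomainNamingMaster' { $forest.DomainNamingMaster }
        default              { $domain.$Role }   # PDCEmulator, RIDMaster, InfrastructureMaster
    }

    if (Test-Connection -ComputerName $current -Count 1 -Quiet) {
        # Planned or long downtime: a graceful transfer keeps the old holder consistent
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false
        return "Transferred $Role from $current to $TargetDC"
    }

    if (-not $OriginalHolderIsGone) {
        throw "$current is unreachable; wait for it to return, or pass -OriginalHolderIsGone to seize $Role"
    }

    # Seizure: the old holder must be re-installed before it returns (same name may be reused)
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force -Confirm:$false
    return "Seized $Role on $TargetDC; re-install $current before bringing it back"
}
```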