JC
Uploaded byJohn Carlo Catacutan
PPTX, PDF3,217 views

Designing the active directory logical structure

This document provides guidance on designing the logical structure of Active Directory. It discusses designing forests, domains, and organizational units (OUs) to simplify management, optimize performance, and delegate administration appropriately. The key steps are: 1. Identify project teams and assign roles like executive sponsor, architect and manager. 2. Design forests based on autonomy and isolation needs. Common models are organizational, resource and restricted access forests. 3. Design domains considering models like single or regional domains. 4. Integrate Active Directory with the existing DNS infrastructure. 5. Design OUs to delegate control over resources to appropriate administrators.

Embed presentation

Downloaded 113 times
Designing the Active Directory Logical Structure
Active Directory Logical Structure Design • Simplified management of Windows networks that contain large numbers of objects. • A consolidated domain structure and reduced administration costs. • The ability to delegate administrative control over resources as appropriate. • Reduced impact on network bandwidth
Active Directory Logical Structure Design • Simplified resource sharing. • Optimal search performance. • Low total cost of ownership.
Process for Designing the Active Directory Logical Structure 1. Identify the project deployment project participants 2. Create a forest design 3. Create a domain design for each forest 4. Create a DNS infrastructure to support Active Directory for each forest 5. Design organization units for delegation of administration for each forest.
1. Identifying the Deployment Project Participants • The first step in establishing an Active Directory deployment project is to establish the design and deployment project teams who will be responsible for managing the design phase and deployment phase of the Active Directory project cycle..
1.1 Defining Project-Specific Roles • An important step in establishing the project teams is to identify the individuals who are to hold project- specific roles. These include the executive sponsor, the project architect, and the project manager. • These individuals establish channels of communication throughout the organization, build project schedules, and identify the individuals who will be members of the project teams, beginning with the various owners.
1.1 Defining Project-Specific Roles • Executive sponsor – understands the business value of the deployment, supports the project at the executive level, and can help resolve conflicts across the organization. • Project architect – The architect provides technical expertise to assist with the process of designing and deploying Active Directory
1.1 Defining Project-Specific Roles • Project manager – facilitates cooperation across business units and between technology management groups. – someone from within the organization who is familiar with the operational policies of the IT group and the design requirements for the groups that are preparing to deploy Active Directory – oversees the entire deployment project, beginning with design and continuing through implementation, and makes sure that the project stays on schedule and within budget
1.2 Establishing Owners and Administrators • Owners – are held accountable by management for making sure that deployment tasks are completed and that Active Directory design specifications meet the needs of the organization. Owners do not necessarily have access to or manipulate the directory infrastructure directly.
1.2 Establishing Owners and Administrators • Administrators – are the individuals responsible for completing the required deployment tasks. Administrators have the network access and permissions necessary to manipulate the directory and its infrastructure.
Two Types of Owners • Service owners – are responsible for the planning and long-term maintenance of the Active Directory infrastructure, and ensuring that the directory continues to function, and that the goals established in service level agreements are maintained. • Data owners – are responsible for the maintenance of the information stored in the directory. This includes user and computer account management and management of local resources, such as member servers and workstations.
Two Types of Administrators • Service administrators – implement policy decisions made by service owners and handle the day-to-day tasks associated with maintaining the directory service and infrastructure. • Data administrators – are users within a domain who are responsible for maintaining data that is stored in Active Directory and maintaining computers that are members of their domain.
Service and Data Owners for Active Directory • Forest owner – typically a senior IT manager in the organization, who is responsible for the Active Directory deployment process and who is ultimately accountable for maintaining service delivery within the forest after the deployment is complete. • Active Directory DNS owner – is an individual who has a thorough understanding of the existing DNS infrastructure and the existing namespace of the organization.
Service and Data Owners for Active Directory • Site topology owner – is familiar with the physical structure of the network of the organization, including the mapping of individual subnets, routers, and the areas of the network that are connected by means of slow links • OU owner – is responsible for managing data stored in the directory. This individual needs to be familiar with the operational and security policies that are in place on the network.
1.3 Building Project Teams • The Active Directory project teams are temporary groups that are responsible for completing Active Directory design and deployment tasks. When the Active Directory deployment project is complete, the owners assume responsibility for the directory and the project teams can disband.
1.3 Building Project Teams • Identifying Potential Forest Owners – the IT group is generally the forest owner and therefore the potential forest owner for any future deployments. • Establishing a Design Team – responsible for gathering all of the information needed to make decisions about the Active Directory logical structure design. • Establishing a Deployment Team – responsible for testing and implementing the Active Directory logical structure design.
1.3 Building Project Teams • Document the Design and Deployment Teams – Document the names of and contact information for the people who will participate in the design and deployment of Active Directory. Identify who will be responsible for each role on the design and deployment teams.
2. Creating a Forest Design • Identifying Forest Design Requirements • Determine the number of Forest • Document the Design and Deployment Teams
2.1 Identifying Forest Design Requirements • This involves determining how much autonomy the groups in your organization need to manage their network resources, and whether each group needs to isolate their resources on the network from other groups.
2.1 Identifying Forest Design Requirements Types of requirements • Organizational structure requirements • Operational requirements • Legal Requirements
Autonomy vs. Isolation • Autonomy. – Autonomy involves independent but not exclusive control of a resource. When you achieve autonomy, administrators have the authority to manage resources independently; however, administrators with greater authority exist who also have control over those resources and can take control away if necessary.
Autonomy vs. Isolation • Service autonomy. – This type of autonomy involves control over all or part of service management. • Data autonomy. – This type of autonomy involves control over all or part of the data stored in the directory or on member computers joined to the directory.
Autonomy vs. Isolation • Isolation. – involves independent and exclusive control of a resource. When you achieve isolation, administrators have the authority to manage a resource independently and no other administrators can take control of the resource away
Autonomy vs. Isolation • Service isolation – This type of isolation prevents administrators other than those specifically designated to control service management from controlling or interfering with service management. • Data isolation – This type of isolation prevents administrators other than those specifically designated to control or view data from controlling or viewing a subset of data in the directory or on member computers joined to the directory.
2. Determining the Number of Forests Required • In order to determine the number of forests that you must deploy, you need to carefully identify and evaluate the isolation and autonomy requirements for each group in your organization and map those requirements to the appropriate forest design models.
Forest Design Models • Organizational Forest Model • Resource Forest Model • Restricted Access Forest Model
Organizational Forest Model • In the organizational forest model, user accounts and resources are contained in the forest and managed independently. The organizational forest can be used to provide service autonomy, service isolation, or data isolation, if the forest is configured to prevent access to anyone outside the forest.
Organizational Forest Model
Resource Forest Model • In the resource forest model, a separate forest is used to manage resources. Resource forests do not contain user accounts other than those required for service administration and those required to provide alternate access to the resources in that forest if the user accounts in the organizational forest become unavailable.
Resource Forest Model
Restricted Access Forest Model • In the restricted access forest model, a separate forest is created to contain user accounts and data that must be isolated from the rest of the organization.
Restricted Access Forest Model
Type of Service Management • Management of domain controller operations – Creating and removing domain controllers. – Monitoring the functioning of domain controllers. – Managing services that are running on domain controllers. – Backing up and restoring the directory.
Type of Service Management • Configuration of domain-wide settings – Creating domain and domain user account policies, such as password, Kerberos, and account lockout policies. – Creating and applying domain-wide Group Policies.
Type of Service Management • Delegation of data-level administration – Creating OUs and delegating administration. – Repairing problems in the OU structure that OU owners do not have sufficient access rights to fix • Management of external trusts – Establishing trust relationships with domains outside the forest.
2.3 Documenting the Forest Design • The proposed forest design should be documented. Include in your documentation the name of the group for which the forest is designed, the contact information for the forest owner, the type of forest for each forest that you include, and the requirements that each forest is designed to meet.
3. Creating a Domain Design • Reviewing the Domain Models • Determine the number of domains required • Determine whether to upgrade existing or deploy new domains • Assign domain names • Select the forest root domain
3.1 Reviewing the Domain Models • The amount of available capacity on your network that you are willing to allocate to Active Directory. • The number of users in your organization.
Domain Design Models • Single Domain Model – It is the easiest to administer and the least expensive to maintain. It consists of a forest that contains a single domain. • Regional Domain Model – enables you to maintain a stable environment over time. Base the regions used to define domains in your model on stable elements such as continental boundaries.
3.2 Determining the Number of Domains Required • Every forest starts with a single domain. The maximum number of users that a single domain forest can contain is based on the slowest link that must accommodate replication between domain controllers and the available bandwidth that you want to allocate to Active Directory.
Maximum Number of Users in a Single Domain
3.4 Determining Whether to Upgrade Existing or Deploy New Domains • Each domain in your design will either be a new domain or an existing domain that has been upgraded in place. Users from existing domains that you do not upgrade in place must be migrated into new domains.
3.5 Assigning Domain Names • You must assign a name to every domain in your plan. Active Directory domains have two types of names: DNS names and NetBIOS names. In general, both names are visible to end users. The DNS names of Active Directory domains include two parts, a prefix and a suffix.
Selecting the Forest Root Domain • The first domain that you deploy in an Active Directory forest is called the forest root domain. • Selecting the forest root domain involves determining whether one of the Active Directory domains in your domain design can function as the forest root domain, or whether you need to deploy a dedicated forest root domain.
Choosing a Regional or Dedicated Forest Root Domain • A dedicated forest root domain is a domain that is created specifically to function as the forest root. It does not contain any user accounts other than the service administrator accounts for the forest root domain, and it does not represent any region in your domain structure.
Choosing a Regional or Dedicated Forest Root Domain • If you choose not to deploy a dedicated forest root domain, then you must select a regional domain to function as the forest root domain. This domain is the parent domain of all the other regional domains and will be the first domain that you deploy.
Assigning the Forest Root Domain Name • The forest root domain name is also the name of the forest. The forest root name is a DNS name that consists of a prefix and a suffix in the form of prefix.suffix. For example, an organization might have the forest root name corp.contoso.com. In this example, corp is the prefix and contoso.com is the suffix.
4. Designing a DNS Infrastructure to Support Active Directory • Review DNS concepts • Review DNS and Active Directory • Integrate Active Directory into an existing DNS infrastructure • Document your DNS infrastructure design
5. Designing Organizational Units for Delegation of Administration • Review organizational unit design concepts • Delegate administration using OU objects • Create account OUs • Document the organizational unit design for each domain • Apply Group Policy to OUs

More Related Content

PPTX
Microsoft Active Directory.pptx
bymasbulosoke
 
PDF
Mastering Active Directory_ Design, deploy, and protect Active Directory Doma...
byYogeshwaran R
 
PPT
Active directory slides
byTimothy Moffatt
 
PPT
Active Directory Training
byNishad Sukumaran
 
PPTX
Active Directory component
bykuldeep singh shishodia
 
PPT
Active directory and application
byaminpathan11
 
PDF
Microsoft Windows Server 2022 Overview
byDavid J Rosenthal
 
PPT
Active directory ii
bydeshvikas
 
Microsoft Active Directory.pptx
bymasbulosoke
 
Mastering Active Directory_ Design, deploy, and protect Active Directory Doma...
byYogeshwaran R
 
Active directory slides
byTimothy Moffatt
 
Active Directory Training
byNishad Sukumaran
 
Active Directory component
bykuldeep singh shishodia
 
Active directory and application
byaminpathan11
 
Microsoft Windows Server 2022 Overview
byDavid J Rosenthal
 
Active directory ii
bydeshvikas
 

What's hot

PPT
Active directory
bydeshvikas
 
PDF
Windows server 2016 storage step by step complete lab
byAhmed Abdelwahed
 
PDF
Intro to DNS
byThousandEyes
 
PPTX
Windows Server 2019.pptx
bymasbulosoke
 
PPT
Active directory domain services
byIGZ Software house
 
PDF
Active Directory Upgrade
bySpiffy
 
PPTX
What is active directory
byAdeel Khurram
 
PPTX
02-Active Directory Domain Services.pptx
byAdiWidyanto2
 
PPT
Samba server configuration
byRohit Phulsunge
 
PPTX
Domain name system
byNifras Ismail
 
PPTX
VMware vSphere vsan EN.pptx
byCH431
 
PPTX
LDAP - Lightweight Directory Access Protocol
byS. Hasnain Raza
 
PPTX
Network and System Administration Power Point
bykemal678348
 
PPTX
Presentation on dns
byAnand Grewal
 
PPT
active-directory-domain-services
by202066
 
PDF
DNS - Domain Name System
byPeter R. Egli
 
PPTX
Dns 2
byTech_MX
 
PPT
Chapter09 Implementing And Using Group Policy
byRaja Waseem Akhtar
 
PPTX
DNS Record
bykangting21
 
PDF
Windows Server 2019 -InspireTech 2019
byDiana Carolina Torres Viasus
 
Active directory
bydeshvikas
 
Windows server 2016 storage step by step complete lab
byAhmed Abdelwahed
 
Intro to DNS
byThousandEyes
 
Windows Server 2019.pptx
bymasbulosoke
 
Active directory domain services
byIGZ Software house
 
Active Directory Upgrade
bySpiffy
 
What is active directory
byAdeel Khurram
 
02-Active Directory Domain Services.pptx
byAdiWidyanto2
 
Samba server configuration
byRohit Phulsunge
 
Domain name system
byNifras Ismail
 
VMware vSphere vsan EN.pptx
byCH431
 
LDAP - Lightweight Directory Access Protocol
byS. Hasnain Raza
 
Network and System Administration Power Point
bykemal678348
 
Presentation on dns
byAnand Grewal
 
active-directory-domain-services
by202066
 
DNS - Domain Name System
byPeter R. Egli
 
Dns 2
byTech_MX
 
Chapter09 Implementing And Using Group Policy
byRaja Waseem Akhtar
 
DNS Record
bykangting21
 
Windows Server 2019 -InspireTech 2019
byDiana Carolina Torres Viasus
 

Viewers also liked

PDF
Active Directory Proposal
byMJ Ferdous
 
PPT
Active Directory
bySandeep Kapadane
 
PPTX
Introduction to Active Directory
bythoms1i
 
PDF
windows-active-directory-password-settings-objects
bySanjay Pather
 
PPTX
Presentación Servicio WDS
byredesIIunivo
 
PPT
Windows Server 2008 Active Directory Guide
bywebhostingguy
 
PPTX
Advanced Directory Services Windows Server 2012
byВиталий Стародубцев
 
PPTX
Active directory ds ws2008 r2
byMICTT Palma
 
PPTX
WDS
byPurisada Sine
 
PPT
Active directory installation windows 2003 1
bytameemyousaf
 
PPT
70 640 Lesson01 Ppt 041009
byCoffeyville Community College
 
DOC
Firewall
byMuuluu
 
PPT
Active directory
byMuuluu
 
PPT
1.2 active directory
byMuuluu
 
PPT
Workgroup vs domain
bytameemyousaf
 
PPTX
Windows Server 2008 Active Directory
byanilinvns
 
PDF
Domain Modeling
byHarsh Jegadeesan
 
Active Directory Proposal
byMJ Ferdous
 
Active Directory
bySandeep Kapadane
 
Introduction to Active Directory
bythoms1i
 
windows-active-directory-password-settings-objects
bySanjay Pather
 
Presentación Servicio WDS
byredesIIunivo
 
Windows Server 2008 Active Directory Guide
bywebhostingguy
 
Advanced Directory Services Windows Server 2012
byВиталий Стародубцев
 
Active directory ds ws2008 r2
byMICTT Palma
 
WDS
byPurisada Sine
 
Active directory installation windows 2003 1
bytameemyousaf
 
70 640 Lesson01 Ppt 041009
byCoffeyville Community College
 
Firewall
byMuuluu
 
Active directory
byMuuluu
 
1.2 active directory
byMuuluu
 
Workgroup vs domain
bytameemyousaf
 
Windows Server 2008 Active Directory
byanilinvns
 
Domain Modeling
byHarsh Jegadeesan
 

Similar to Designing the active directory logical structure

PDF
Complete ad troubleshooting
byapshirame
 
PPT
Active diirecotry
byPradeesh Stanislavose
 
PPT
70 640 Lesson02 Ppt 041009
byCoffeyville Community College
 
PDF
Please follow the data and description Active Directory In gen.pdf
byapleathers
 
PDF
Active Directory Designing Deploying And Running Active Directory 4e 4e Brian...
byveseljbabsii
 
PDF
AD-Design Deploying.pdf
byYogeshwaran R
 
PDF
Ms active directory_design_guide
byvamsi1986
 
PDF
chapter01-introductiontowindowsserver2003-090505014519-phpapp02.pdf
byKhadijaTahir29
 
PDF
Proposal For Their Integration Of Windows Server
byBrenda Higgins
 
PPTX
Authorisation.pptx
bykarthikvcyber
 
PDF
Active directory basics
byCouploa Couploa
 
PPT
Chapter01 Introduction To Windows Server 2003
byRaja Waseem Akhtar
 
PPTX
Building active directory lab for red teaming
byn|u - The Open Security Community
 
PPTX
2 Configuring Windows Server 2003.pptx
byMitikuAbebe2
 
PPTX
MCSA 70-412 Chapter 04
byComputer Networking
 
PPTX
Topics on computer hardware and networking for faculties
byraje63
 
PPTX
Activedirecotryfundamentals
byShekhar Singh
 
PPT
Active Directory Fundamentals Training.ppt
byPeterBendana
 
PPT
active directory fundamental for the beginner
byRivelynN
 
PPTX
teste
bymvpjordao
 
Complete ad troubleshooting
byapshirame
 
Active diirecotry
byPradeesh Stanislavose
 
70 640 Lesson02 Ppt 041009
byCoffeyville Community College
 
Please follow the data and description Active Directory In gen.pdf
byapleathers
 
Active Directory Designing Deploying And Running Active Directory 4e 4e Brian...
byveseljbabsii
 
AD-Design Deploying.pdf
byYogeshwaran R
 
Ms active directory_design_guide
byvamsi1986
 
chapter01-introductiontowindowsserver2003-090505014519-phpapp02.pdf
byKhadijaTahir29
 
Proposal For Their Integration Of Windows Server
byBrenda Higgins
 
Authorisation.pptx
bykarthikvcyber
 
Active directory basics
byCouploa Couploa
 
Chapter01 Introduction To Windows Server 2003
byRaja Waseem Akhtar
 
Building active directory lab for red teaming
byn|u - The Open Security Community
 
2 Configuring Windows Server 2003.pptx
byMitikuAbebe2
 
MCSA 70-412 Chapter 04
byComputer Networking
 
Topics on computer hardware and networking for faculties
byraje63
 
Activedirecotryfundamentals
byShekhar Singh
 
Active Directory Fundamentals Training.ppt
byPeterBendana
 
active directory fundamental for the beginner
byRivelynN
 
teste
bymvpjordao
 

More from John Carlo Catacutan

PPTX
Reporting c
byJohn Carlo Catacutan
 
PDF
Chapter 1 introduction to statistics
byJohn Carlo Catacutan
 
PPTX
Operating system basics
byJohn Carlo Catacutan
 
PPT
Discuss open sourcelicensing
byJohn Carlo Catacutan
 
PPT
Os concepts
byJohn Carlo Catacutan
 
PPT
Ad fundamentals 1
byJohn Carlo Catacutan
 
Reporting c
byJohn Carlo Catacutan
 
Chapter 1 introduction to statistics
byJohn Carlo Catacutan
 
Operating system basics
byJohn Carlo Catacutan
 
Discuss open sourcelicensing
byJohn Carlo Catacutan
 
Os concepts
byJohn Carlo Catacutan
 
Ad fundamentals 1
byJohn Carlo Catacutan
 

Recently uploaded

PPTX
Blue and Green Illustrative How to Save Water Presentation_20260215_155432_00...
byanaghavp003
 
PDF
Biodata. CV / Resume Personal Detail.pdf
byhelnajoju2003
 
PDF
Learn about different finance career pathways here!
byIan Chong
 
PPTX
HandsOn Training Server 2024 - 2025 - rev4.pptx
bymuhammadikhsan665221
 
PPTX
Indian Ports Association Recruitment – Apply Online for Latest IPA Jobsin India
byobcjobssocial
 
PPTX
WORK IMMERSION ACCOMPLISHMENT REPORT.pptx
byAlvinEvangelista6
 
PPTX
Cloud Computing Certification Course – Industry-Focused Training
byPatil sagar
 
PPTX
Artificial Intelligence for Your Job Search
byBruce Bennett
 
PDF
The 13 Forces Behind the Persona - Express Yourself - Tonia Lutuc
bylutuctonia
 
PDF
ELISA, MICRO ARRAY TECHNIQUE, SDS PAGE, WESTERN BLOTIING
byShalima
 
PPTX
Entomology Presentation insect neck sclerites
byahmadalikhattak7033
 
PPTX
classification of the plants........pptx
byhelnajoju2003
 
PDF
KidsCodelab STEM Career Symposium - Original.pdf
byottaosawa
 
DOCX
Health Question for Practice , Class 8.docx
byKrishna Devkota, Mid-West University , Narayan Multiple Campus, Dailekh-Nepal
 
PPTX
Government Jobs After Diploma in Civil Engineering (2026 Guide).pptx
bytanishaecampusapp
 
PDF
Ict 1 .pdf@#₹%&*-=()!"':+/?.123456789012
byranjishatm1997
 
PPTX
grade 7 topic in English week 1 quarter 4. DAY 1 AND 2
byRuffaMedina
 
DOCX
Sigve Hamilton Aspelund International courses .docx
bySigve Hamilton Aspelund
 
DOCX
astra.docx sojfpoadfm;LMFpojefo;PJMQ3OPFop2f3OPJEMOP
byamruthapatel23
 
PPTX
HRRiskManagementPresentationpptxaaa.pptx
byCaptAjayBhardwaj
 
Blue and Green Illustrative How to Save Water Presentation_20260215_155432_00...
byanaghavp003
 
Biodata. CV / Resume Personal Detail.pdf
byhelnajoju2003
 
Learn about different finance career pathways here!
byIan Chong
 
HandsOn Training Server 2024 - 2025 - rev4.pptx
bymuhammadikhsan665221
 
Indian Ports Association Recruitment – Apply Online for Latest IPA Jobsin India
byobcjobssocial
 
WORK IMMERSION ACCOMPLISHMENT REPORT.pptx
byAlvinEvangelista6
 
Cloud Computing Certification Course – Industry-Focused Training
byPatil sagar
 
Artificial Intelligence for Your Job Search
byBruce Bennett
 
The 13 Forces Behind the Persona - Express Yourself - Tonia Lutuc
bylutuctonia
 
ELISA, MICRO ARRAY TECHNIQUE, SDS PAGE, WESTERN BLOTIING
byShalima
 
Entomology Presentation insect neck sclerites
byahmadalikhattak7033
 
classification of the plants........pptx
byhelnajoju2003
 
KidsCodelab STEM Career Symposium - Original.pdf
byottaosawa
 
Health Question for Practice , Class 8.docx
byKrishna Devkota, Mid-West University , Narayan Multiple Campus, Dailekh-Nepal
 
Government Jobs After Diploma in Civil Engineering (2026 Guide).pptx
bytanishaecampusapp
 
Ict 1 .pdf@#₹%&*-=()!"':+/?.123456789012
byranjishatm1997
 
grade 7 topic in English week 1 quarter 4. DAY 1 AND 2
byRuffaMedina
 
Sigve Hamilton Aspelund International courses .docx
bySigve Hamilton Aspelund
 
astra.docx sojfpoadfm;LMFpojefo;PJMQ3OPFop2f3OPJEMOP
byamruthapatel23
 
HRRiskManagementPresentationpptxaaa.pptx
byCaptAjayBhardwaj
 

Designing the active directory logical structure

  • 1.
    Designing the ActiveDirectory Logical Structure
  • 2.
    Active Directory LogicalStructure Design • Simplified management of Windows networks that contain large numbers of objects. • A consolidated domain structure and reduced administration costs. • The ability to delegate administrative control over resources as appropriate. • Reduced impact on network bandwidth
  • 3.
    Active Directory LogicalStructure Design • Simplified resource sharing. • Optimal search performance. • Low total cost of ownership.
  • 4.
    Process for Designingthe Active Directory Logical Structure 1. Identify the project deployment project participants 2. Create a forest design 3. Create a domain design for each forest 4. Create a DNS infrastructure to support Active Directory for each forest 5. Design organization units for delegation of administration for each forest.
  • 5.
    1. Identifying theDeployment Project Participants • The first step in establishing an Active Directory deployment project is to establish the design and deployment project teams who will be responsible for managing the design phase and deployment phase of the Active Directory project cycle..
  • 6.
    1.1 Defining Project-SpecificRoles • An important step in establishing the project teams is to identify the individuals who are to hold project- specific roles. These include the executive sponsor, the project architect, and the project manager. • These individuals establish channels of communication throughout the organization, build project schedules, and identify the individuals who will be members of the project teams, beginning with the various owners.
  • 7.
    1.1 Defining Project-SpecificRoles • Executive sponsor – understands the business value of the deployment, supports the project at the executive level, and can help resolve conflicts across the organization. • Project architect – The architect provides technical expertise to assist with the process of designing and deploying Active Directory
  • 8.
    1.1 Defining Project-SpecificRoles • Project manager – facilitates cooperation across business units and between technology management groups. – someone from within the organization who is familiar with the operational policies of the IT group and the design requirements for the groups that are preparing to deploy Active Directory – oversees the entire deployment project, beginning with design and continuing through implementation, and makes sure that the project stays on schedule and within budget
  • 9.
    1.2 Establishing Ownersand Administrators • Owners – are held accountable by management for making sure that deployment tasks are completed and that Active Directory design specifications meet the needs of the organization. Owners do not necessarily have access to or manipulate the directory infrastructure directly.
  • 10.
    1.2 Establishing Ownersand Administrators • Administrators – are the individuals responsible for completing the required deployment tasks. Administrators have the network access and permissions necessary to manipulate the directory and its infrastructure.
  • 11.
    Two Types ofOwners • Service owners – are responsible for the planning and long-term maintenance of the Active Directory infrastructure, and ensuring that the directory continues to function, and that the goals established in service level agreements are maintained. • Data owners – are responsible for the maintenance of the information stored in the directory. This includes user and computer account management and management of local resources, such as member servers and workstations.
  • 12.
    Two Types ofAdministrators • Service administrators – implement policy decisions made by service owners and handle the day-to-day tasks associated with maintaining the directory service and infrastructure. • Data administrators – are users within a domain who are responsible for maintaining data that is stored in Active Directory and maintaining computers that are members of their domain.
  • 13.
    Service and DataOwners for Active Directory • Forest owner – typically a senior IT manager in the organization, who is responsible for the Active Directory deployment process and who is ultimately accountable for maintaining service delivery within the forest after the deployment is complete. • Active Directory DNS owner – is an individual who has a thorough understanding of the existing DNS infrastructure and the existing namespace of the organization.
  • 14.
    Service and DataOwners for Active Directory • Site topology owner – is familiar with the physical structure of the network of the organization, including the mapping of individual subnets, routers, and the areas of the network that are connected by means of slow links • OU owner – is responsible for managing data stored in the directory. This individual needs to be familiar with the operational and security policies that are in place on the network.
  • 15.
    1.3 Building ProjectTeams • The Active Directory project teams are temporary groups that are responsible for completing Active Directory design and deployment tasks. When the Active Directory deployment project is complete, the owners assume responsibility for the directory and the project teams can disband.
  • 16.
    1.3 Building ProjectTeams • Identifying Potential Forest Owners – the IT group is generally the forest owner and therefore the potential forest owner for any future deployments. • Establishing a Design Team – responsible for gathering all of the information needed to make decisions about the Active Directory logical structure design. • Establishing a Deployment Team – responsible for testing and implementing the Active Directory logical structure design.
  • 17.
    1.3 Building ProjectTeams • Document the Design and Deployment Teams – Document the names of and contact information for the people who will participate in the design and deployment of Active Directory. Identify who will be responsible for each role on the design and deployment teams.
  • 18.
    2. Creating aForest Design • Identifying Forest Design Requirements • Determine the number of Forest • Document the Design and Deployment Teams
  • 19.
    2.1 Identifying ForestDesign Requirements • This involves determining how much autonomy the groups in your organization need to manage their network resources, and whether each group needs to isolate their resources on the network from other groups.
  • 20.
    2.1 Identifying ForestDesign Requirements Types of requirements • Organizational structure requirements • Operational requirements • Legal Requirements
  • 21.
    Autonomy vs. Isolation •Autonomy. – Autonomy involves independent but not exclusive control of a resource. When you achieve autonomy, administrators have the authority to manage resources independently; however, administrators with greater authority exist who also have control over those resources and can take control away if necessary.
  • 22.
    Autonomy vs. Isolation •Service autonomy. – This type of autonomy involves control over all or part of service management. • Data autonomy. – This type of autonomy involves control over all or part of the data stored in the directory or on member computers joined to the directory.
  • 23.
    Autonomy vs. Isolation •Isolation. – involves independent and exclusive control of a resource. When you achieve isolation, administrators have the authority to manage a resource independently and no other administrators can take control of the resource away
  • 24.
    Autonomy vs. Isolation •Service isolation – This type of isolation prevents administrators other than those specifically designated to control service management from controlling or interfering with service management. • Data isolation – This type of isolation prevents administrators other than those specifically designated to control or view data from controlling or viewing a subset of data in the directory or on member computers joined to the directory.
  • 25.
    2. Determining theNumber of Forests Required • In order to determine the number of forests that you must deploy, you need to carefully identify and evaluate the isolation and autonomy requirements for each group in your organization and map those requirements to the appropriate forest design models.
  • 26.
    Forest Design Models •Organizational Forest Model • Resource Forest Model • Restricted Access Forest Model
  • 27.
    Organizational Forest Model •In the organizational forest model, user accounts and resources are contained in the forest and managed independently. The organizational forest can be used to provide service autonomy, service isolation, or data isolation, if the forest is configured to prevent access to anyone outside the forest.
  • 28.
  • 29.
    Resource Forest Model •In the resource forest model, a separate forest is used to manage resources. Resource forests do not contain user accounts other than those required for service administration and those required to provide alternate access to the resources in that forest if the user accounts in the organizational forest become unavailable.
  • 30.
  • 31.
    Restricted Access ForestModel • In the restricted access forest model, a separate forest is created to contain user accounts and data that must be isolated from the rest of the organization.
  • 32.
  • 33.
    Type of ServiceManagement • Management of domain controller operations – Creating and removing domain controllers. – Monitoring the functioning of domain controllers. – Managing services that are running on domain controllers. – Backing up and restoring the directory.
  • 34.
    Type of ServiceManagement • Configuration of domain-wide settings – Creating domain and domain user account policies, such as password, Kerberos, and account lockout policies. – Creating and applying domain-wide Group Policies.
  • 35.
    Type of ServiceManagement • Delegation of data-level administration – Creating OUs and delegating administration. – Repairing problems in the OU structure that OU owners do not have sufficient access rights to fix • Management of external trusts – Establishing trust relationships with domains outside the forest.
  • 36.
    2.3 Documenting theForest Design • The proposed forest design should be documented. Include in your documentation the name of the group for which the forest is designed, the contact information for the forest owner, the type of forest for each forest that you include, and the requirements that each forest is designed to meet.
  • 37.
    3. Creating aDomain Design • Reviewing the Domain Models • Determine the number of domains required • Determine whether to upgrade existing or deploy new domains • Assign domain names • Select the forest root domain
  • 38.
    3.1 Reviewing theDomain Models • The amount of available capacity on your network that you are willing to allocate to Active Directory. • The number of users in your organization.
  • 39.
    Domain Design Models •Single Domain Model – It is the easiest to administer and the least expensive to maintain. It consists of a forest that contains a single domain. • Regional Domain Model – enables you to maintain a stable environment over time. Base the regions used to define domains in your model on stable elements such as continental boundaries.
  • 40.
    3.2 Determining theNumber of Domains Required • Every forest starts with a single domain. The maximum number of users that a single domain forest can contain is based on the slowest link that must accommodate replication between domain controllers and the available bandwidth that you want to allocate to Active Directory.
  • 41.
    Maximum Number ofUsers in a Single Domain
  • 42.
    3.4 Determining Whetherto Upgrade Existing or Deploy New Domains • Each domain in your design will either be a new domain or an existing domain that has been upgraded in place. Users from existing domains that you do not upgrade in place must be migrated into new domains.
  • 43.
    3.5 Assigning DomainNames • You must assign a name to every domain in your plan. Active Directory domains have two types of names: DNS names and NetBIOS names. In general, both names are visible to end users. The DNS names of Active Directory domains include two parts, a prefix and a suffix.
  • 44.
    Selecting the ForestRoot Domain • The first domain that you deploy in an Active Directory forest is called the forest root domain. • Selecting the forest root domain involves determining whether one of the Active Directory domains in your domain design can function as the forest root domain, or whether you need to deploy a dedicated forest root domain.
  • 45.
    Choosing a Regionalor Dedicated Forest Root Domain • A dedicated forest root domain is a domain that is created specifically to function as the forest root. It does not contain any user accounts other than the service administrator accounts for the forest root domain, and it does not represent any region in your domain structure.
  • 46.
    Choosing a Regionalor Dedicated Forest Root Domain • If you choose not to deploy a dedicated forest root domain, then you must select a regional domain to function as the forest root domain. This domain is the parent domain of all the other regional domains and will be the first domain that you deploy.
  • 47.
    Assigning the ForestRoot Domain Name • The forest root domain name is also the name of the forest. The forest root name is a DNS name that consists of a prefix and a suffix in the form of prefix.suffix. For example, an organization might have the forest root name corp.contoso.com. In this example, corp is the prefix and contoso.com is the suffix.
  • 48.
    4. Designing aDNS Infrastructure to Support Active Directory • Review DNS concepts • Review DNS and Active Directory • Integrate Active Directory into an existing DNS infrastructure • Document your DNS infrastructure design
  • 49.
    5. Designing OrganizationalUnits for Delegation of Administration • Review organizational unit design concepts • Delegate administration using OU objects • Create account OUs • Document the organizational unit design for each domain • Apply Group Policy to OUs