Module 5
Designing and Implementing an Active Directory Domain Services Forest and Domain Infrastructure
Module Overview
Designing an AD DS Forest
Lesson topics:
- AD DS Forest Models
- Benefits of a Single Forest Model
- Considerations for Implementing Multiple Forests
- Guidelines for Designing an AD DS Forest
What Is an AD DS Forest?
An AD DS forest is the highest-level container object in the AD DS hierarchy. All domains in a forest:
- Share a common schema
- Share a common global catalog
- Form a single administrative unit; the forest, not the individual domain, is the security and isolation boundary
AD DS Forest Models
You can choose from the following design models:
- Single forest model
- Organizational forest model
- Resource forest model
- Restricted-access forest model
Benefits of a Single Forest Model
The single forest model:
- Provides a number of components (schema, configuration, global catalog) that are shared by all domain controllers in the forest
- Provides a less complex design
- Makes it possible for applications to have centralized access to the directory service
- Makes resource access much easier
A caveat rather than a benefit: because the schema is shared by every domain, a single forest can make it difficult to implement schema changes, since each change affects the whole forest.
Considerations for Implementing Multiple Forests
The multiple forest model:
- Can meet isolation requirements
- Allows use of AD DS for servers on the perimeter network
- Provides granular control over forest-wide changes
- Requires planning of namespace and DNS requirements when implemented
- Can result in higher costs and administrative complexity
Guidelines for Designing an AD DS Forest Infrastructure
Consider the following guidelines when designing an AD DS forest:
- Map your business, security, and administration requirements to an AD DS forest model
- If possible, use a single AD DS forest rather than multiple forests
- If you implement multiple forests, use as few as possible
- Consider using additional domains within a forest instead of using multiple forests
[Diagram: example forest design with the forests Wingtiptoys.com and Tailspintoys.com and the regional domains emea, USA, and pacific]
Characteristics of Forest Trusts
Forest trusts provide the following benefits:
- Simplified management of resources across two forests
- Complete trust relationships (one-way or two-way, as created) between every domain in each forest through a single trust between the forest root domains
- Use of UPN authentication across two forests
- Use of both the Kerberos V5 and NTLM authentication protocols
- Flexibility of administration
A forest trust is transitive only between the two forests that created it; a third forest trusted by one of them is not trusted by the other.
Forest Trust Security Considerations
An incorrectly configured trust can allow unauthorized access to resources. You can use the following to mitigate these concerns:
- SID filtering, which discards SIDs in an incoming authentication that do not belong to the trusted forest, so that SIDs injected through SID history cannot grant access in the trusting forest
- Selective authentication, which lets users from the trusted forest authenticate only to computers whose objects grant them the Allowed to Authenticate permission
- UPN suffix routing, which controls which name suffixes from the trusted forest are routed across the trust
Resource Access
[Diagram: resource access across a forest trust between woodgrovebank.com (with child domain emea.woodgrovebank.com) and contoso.com (with child domain na.contoso.com); each forest has a global catalog, and numbered steps 1 to 9 trace the authentication and referral path]
Guidelines for Designing Forest Trusts
- […] at least Windows Server 2003 (forest trusts require this forest functional level in both forests)
- Use external trusts if only two domains are involved
- Use selective authentication
- Consider alternatives to forest trusts
Demonstration: Creating a Forest Trust
In this demonstration, you will see how to:
- Configure the prerequisites of a forest trust
- Create a forest trust
Lab A: Designing and Implementing an Active Directory Domain Services Forest Infrastructure
Exercise 1: Designing an AD DS Forest
Lab Scenario
The current AD DS environment at A. Datum Corporation consists of a single AD DS forest, which has only domain controllers running Windows Server 2008 R2. All domain controllers are deployed in a single AD DS site at the London data center.
A. Datum wants to integrate its newly acquired companies, Contoso, Ltd. and Trey Research, into its organization. A. Datum also plans to expand the number of employees located at the Contoso office in Paris, because this office will become the primary office for the company's aggressive expansion into European markets. Additionally, A. Datum plans to deploy some applications and services for external clients.
Lab Review
- What was your approach to the AD DS forest design exercises?
- Did your design differ from the suggested solution?
- If cost were not a factor, how might this affect your design?
AD DS Domain Models
- Single domain
- Resource domain
- Regional domain
Reasons for Deploying Multiple Domains
You can deploy multiple AD DS domains:
- When replication traffic needs to be minimized (the domain partition replicates only to that domain's domain controllers)
- When only SMTP is available for AD DS replication, because SMTP site links cannot replicate the domain partition and can therefore only connect domain controllers of different domains
- When password and account lockout policies at the domain level have different requirements (at the Windows Server 2008 domain functional level or higher, fine-grained password policies can meet this need within one domain)
- When there are separate administrative units
Considerations for Deploying Dedicated Forest Root Domains
The reasons to deploy a dedicated forest root domain include:
- Separation of forest-level service administrators from domain service administrators
- A dedicated forest root domain that is protected from organizational changes
- Ability to strategically place forest-wide operations master domain controllers
- Deployment of forest-wide applications to the forest root domain
Guidelines for designing AD DS domains:
- […] requirements
- Record the geographical layout
- Limit the number of domains whenever possible
- Implement regional domains to minimize replication traffic
- Maintain a dedicated forest root if the administration model requires separation of forest-level service administrators from domain service administrators
- Use fine-grained password policies for differing password requirements instead of additional domains
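The last guideline, and the password-policy reason for multiple domains listed earlier, both point at the same alternative: a Password Settings Object (PSO) gives one population a stricter password and lockout policy inside the existing domain. The following PowerShell is an added example, not part of the course material; it assumes the ActiveDirectory RSAT module, a domain at the Windows Server 2008 functional level or higher, and a global security group named Research Admins with a member rsmith (both names are assumptions chosen for the A. Datum scenario).

```powershell
# Added example (not course material): apply a stricter password and lockout policy
# to one population with a PSO instead of creating a separate domain.
# A PSO can be applied only to users and to global security groups, never to an OU.
# Group and user names are assumptions for the A. Datum research scenario.
Import-Module ActiveDirectory

function New-ResearchAdminPasswordPolicy {
    [CmdletBinding()]
    param(
        [string]$Name      = 'PSO-ResearchAdmins',
        [string]$GroupName = 'Research Admins',   # assumed global security group; created if missing
        [int]$Precedence   = 10                   # lower number wins when several PSOs apply to a user
    )

    # The subject must be a global security group (or a user); other scopes are rejected.
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'"
    if (-not $group) {
        $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru
    }
    elseif ($group.GroupScope -ne 'Global') {
        throw "$GroupName must be a global group to be a PSO subject (it is $($group.GroupScope))."
    }

    # Create the PSO once; the values are deliberately stricter than a typical domain default.
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$Name'")) {
        New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
            -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
            -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
            -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
            -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
    }

    # Link the PSO to the group (idempotent); members inherit it through membership.
    $pso = Get-ADFineGrainedPasswordPolicy -Identity $Name -Properties AppliesTo
    if ($pso.AppliesTo -notcontains $group.DistinguishedName) {
        Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group
    }
    Get-ADFineGrainedPasswordPolicy -Identity $Name -Properties AppliesTo
}

# Resolve which policy a user actually gets: the winning PSO, or the domain default
# when no PSO applies (Get-ADUserResultantPasswordPolicy returns nothing in that case).
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        $pso | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
    }
    else {
        Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, LockoutThreshold, MaxPasswordAge
    }
}

New-ResearchAdminPasswordPolicy
Get-EffectivePasswordPolicy -SamAccountName 'rsmith'   # assumed member of Research Admins
```

The verification step matters because a user who is a member of several groups with PSOs receives only the PSO with the lowest precedence value; checking the resultant policy, rather than the PSO definition, confirms what the domain controller will enforce.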
Demonstration: Implementing an AD DS Domain
In this demonstration, you will see how to:
- Add the AD DS server role
- Create a new domain in an existing forest
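The two demonstration steps, carried out with the Windows Server 2012 ADDSDeployment cmdlets, as an added example that is not part of the course material. It assumes an elevated PowerShell session on the server that will become the first domain controller of a new child domain emea in the existing woodgrovebank.com forest (names taken from the module's diagrams), credentials of an Enterprise Admins account in that forest, and a D: volume for the database, logs and SYSVOL; all of these are assumptions to adjust.

```powershell
# Added example (not course material): add the AD DS role, then create the child domain
# emea.woodgrovebank.com in the existing woodgrovebank.com forest.
# Domain names, paths and the Enterprise Admins account are assumptions.

# 1. Add the AD DS server role together with the management tools (ADDSDeployment module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Collect the two secrets once: an account allowed to create a domain in the forest
#    (Enterprise Admins) and the DSRM password of the new domain controller.
$enterpriseAdmin = Get-Credential -Message 'Enterprise Admins account in woodgrovebank.com'
$dsrmPassword    = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

$domainParams = @{
    DomainType                    = 'ChildDomain'
    ParentDomainName              = 'woodgrovebank.com'
    NewDomainName                 = 'emea'        # results in emea.woodgrovebank.com
    NewDomainNetbiosName          = 'EMEA'
    DomainMode                    = 'Win2012'     # may not exceed the forest functional level
    Credential                    = $enterpriseAdmin
    SafeModeAdministratorPassword = $dsrmPassword
    InstallDns                    = $true         # child zone stored in the DomainDnsZones partition
    CreateDnsDelegation           = $true         # delegation for emea in the parent zone
    DatabasePath                  = 'D:\NTDS'
    LogPath                       = 'D:\NTDS'
    SysvolPath                    = 'D:\SYSVOL'
    NoRebootOnCompletion          = $true         # reboot deliberately after reviewing the result
    Force                         = $true         # suppress the interactive confirmation prompt
}

# 3. Run the prerequisite checks first. This validates the parameters, the DNS delegation and
#    connectivity to the parent domain without changing anything.
$check = Test-ADDSDomainInstallation @domainParams
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite check failed; fix the reported issues before promoting the server.'
}

# 4. Create the domain and promote this server to its first domain controller.
$result = Install-ADDSDomain @domainParams
$result.Status
$result.Message
Restart-Computer
```

Creating the DNS delegation requires that the parent zone be hosted on Windows DNS servers the supplied account can write to; if the parent zone lives elsewhere, set CreateDnsDelegation to $false and add the delegation for emea manually before clients in the child domain need to resolve it.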
[…] DS Environments
When planning AD DS and DNS integration:
- Consider the number and placement of DNS servers, because they affect AD DS functionality (domain controller location depends on DNS)
- Consider how to store zone data
Options for Designing an AD DS Namespace
When choosing an AD DS namespace strategy, you can:
- Use the same internal and external DNS names
- Use different internal and external DNS names
- Use a separate domain name
Guidelines for Implementing DNS Servers into AD DS Environments
Guidelines for implementing DNS servers:
- Use Windows Server 2012 DNS servers with AD DS-integrated zones
- Ensure that DNS servers support service (SRV) resource records, which domain controllers register and clients use to locate domain controllers and global catalogs
- Use the default DNS application directory partitions (DomainDnsZones and ForestDnsZones)
- Ensure that the internal and external namespaces are hosted on separate DNS servers
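A check for the first three guidelines, as an added example that is not part of the course material. It assumes the DnsClient and DnsServer RSAT modules, a forest root named contoso.com (taken from the module's diagram) and a domain controller dc1.contoso.com that hosts the AD DS-integrated zones; both names are assumptions. Beyond what the slide lists, it also flags zones that accept non-secure dynamic updates, since secure-only updates are available only for AD DS-integrated zones.

```powershell
# Added example (not course material): verify the DC/GC locator SRV records and the
# storage, replication scope and dynamic-update mode of the zones on an AD DS DNS server.
# Forest root and server names are assumptions.
Import-Module DnsClient, DnsServer

function Test-ADDnsIntegration {
    [CmdletBinding()]
    param(
        [string]$ForestDnsRoot = 'contoso.com',       # assumed forest root DNS name
        [string]$DnsServer     = 'dc1.contoso.com'    # assumed DC running AD DS-integrated DNS
    )
    $results = @()

    # 1. Locator records: _ldap._tcp.dc._msdcs.<forest> lists domain controllers,
    #    _ldap._tcp.gc._msdcs.<forest> lists global catalog servers. Without them,
    #    clients and other DCs cannot find a DC or GC for this forest.
    foreach ($name in "_ldap._tcp.dc._msdcs.$ForestDnsRoot", "_ldap._tcp.gc._msdcs.$ForestDnsRoot") {
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            $results += [pscustomobject]@{ Check = $name; Status = 'OK'; Detail = ($srv.NameTarget -join ', ') }
        }
        catch {
            $results += [pscustomobject]@{ Check = $name; Status = 'FAIL'; Detail = $_.Exception.Message }
        }
    }

    # 2. Zone storage: primary forward zones should be AD DS-integrated, live in one of the
    #    default application directory partitions (ReplicationScope Domain or Forest rather
    #    than Legacy or Custom) and accept only secure dynamic updates.
    Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object {
            $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone -and
            -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors'   # DNSSEC anchor store, not a name zone
        } |
        ForEach-Object {
            $issues = @()
            if (-not $_.IsDsIntegrated) {
                $issues += 'file-backed zone, not AD DS-integrated'
            }
            elseif ($_.ReplicationScope -notin 'Domain', 'Forest') {
                $issues += "non-default replication scope $($_.ReplicationScope)"
            }
            if ($_.DynamicUpdate -ne 'Secure') {
                $issues += "dynamic update mode is $($_.DynamicUpdate)"
            }
            $results += [pscustomobject]@{
                Check  = "zone $($_.ZoneName)"
                Status = if ($issues) { 'REVIEW' } else { 'OK' }
                Detail = ($issues -join '; ')
            }
        }
    $results
}

Test-ADDnsIntegration | Format-Table -AutoSize
```

Run it against every DNS server that AD DS clients use, not only one: a missing GC record or a file-backed copy of the zone on a single secondary server is enough to break logon for the clients pointed at it.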
Lesson topics:
- Shortcut Trusts
- External Trusts and Realm Trusts
- Guidelines for Designing AD DS Domain Trusts
Trust Relationships
In a trust relationship:
- The trust extends the concept of the trusted identity store to another domain
- The trusting domain trusts the identity store and authentication services of the trusted domain
- A trusted user can authenticate to, and be given access to resources in, the trusting domain
- Within a forest, each domain trusts all other domains through the transitive parent-child and tree-root trusts that are created automatically
- Trust relationships can also exist with external domains
Shortcut Trusts
[Diagram: forest root domain tailspintoys.com with tree root domain wingtiptoys.com and the child domains europe.tailspintoys.com, usa.wingtiptoys.com, and asia.wingtiptoys.com. A second diagram shows tailspintoys.com (with asia.tailspintoys.com and europe.tailspintoys.com) and wideworldimporters.com (with sales.wideworldimporters.com)]
Guidelines for Designing AD DS Domain Trusts
Guidelines for designing AD DS domain trusts:
- Use external domain trusts instead of forest trusts when only specific domains need to trust each other
- Implement SID filtering and selective authentication on every trust that crosses a forest boundary
- Consider using shortcut trusts in multidomain tree environments to shorten the Kerberos referral path
- Maintain a current list of trust relationships for future reference
- Perform regular backups of domain controllers
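The forest trust security considerations earlier in this module and the second and fourth guidelines here call for the same thing: an inventory of the domain's trusts with the SID filtering and selective authentication state of each, and the commands to fix the ones that fall short. The following PowerShell is an added example, not course material. It assumes the ActiveDirectory RSAT module on a domain-joined machine, netdom.exe for remediation, and rights to read trusted domain objects (TDOs); it reads the raw trustAttributes bit flags defined in MS-ADTS rather than relying on the friendlier Get-ADTrust property names, and no domain names are hard-coded.

```powershell
# Added example (not course material): inventory a domain's trusts and flag those whose
# SID filtering or selective authentication settings do not match this module's guidance.
Import-Module ActiveDirectory

# trustAttributes bit flags (MS-ADTS, trustAttributes of the TDO)
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4    # SID filter quarantining; the external-trust form of SID filtering
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8    # the TDO is a forest trust
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10   # selective authentication enabled
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20   # parent-child, tree-root or shortcut trust
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID filtering relaxed (SID history honoured)

function Get-TrustHardeningReport {
    [CmdletBinding()]
    param(
        # Domain whose TDOs are inspected; defaults to the domain of the current session
        [string]$Server = (Get-ADDomain).DNSRoot
    )
    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        $attr     = [int]$_.TrustAttributes
        $isForest = ($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0
        $isIntra  = ($attr -band $TRUST_ATTRIBUTE_WITHIN_FOREST) -ne 0
        $findings = @()

        # Only the trusting side filters incoming SIDs and restricts authentication, so these
        # settings matter where our domain trusts the partner: Outbound or BiDirectional trusts.
        $weTrustPartner = $_.Direction -in 'Outbound', 'BiDirectional'

        if (-not $isIntra -and $weTrustPartner) {
            if ($isForest) {
                if ($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) {
                    $findings += 'SID filtering relaxed (SID history honoured) on forest trust'
                }
            }
            elseif (-not ($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)) {
                $findings += 'SID filter quarantining disabled on external trust'
            }
            if (-not ($attr -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION)) {
                $findings += 'forest-wide authentication (selective authentication off)'
            }
        }

        [pscustomobject]@{
            Trusting   = $_.Source
            Trusted    = $_.Target
            Direction  = $_.Direction
            Kind       = if ($isIntra) { 'IntraForest' } elseif ($isForest) { 'Forest' } else { 'External/Realm' }
            Attributes = ('0x{0:X}' -f $attr)
            Findings   = ($findings -join '; ')
        }
    }
}

# Emit (do not run) the netdom commands that would close each finding. netdom expects
# "netdom trust <TrustingDomain> /domain:<TrustedDomain> ..." and needs Domain Admins
# rights in the trusting domain.
function Get-TrustRemediationCommands {
    param([Parameter(ValueFromPipeline)][psobject]$Finding)
    process {
        if (-not $Finding.Findings) { return }
        $base = "netdom trust $($Finding.Trusting) /domain:$($Finding.Trusted)"
        if ($Finding.Findings -match 'SID filtering relaxed')       { "$base /EnableSIDHistory:No" }
        if ($Finding.Findings -match 'quarantining disabled')        { "$base /quarantine:Yes" }
        if ($Finding.Findings -match 'selective authentication off') { "$base /SelectiveAUTH:Yes" }
    }
}

Get-TrustHardeningReport | Format-Table -AutoSize
Get-TrustHardeningReport | Get-TrustRemediationCommands
```

Review the emitted commands before running them. Enabling selective authentication switches the trust from forest-wide authentication to deny-by-default: users from the trusted forest can then reach only computers whose objects grant them the Allowed to Authenticate permission, so grant that permission on the resource servers first, or access that worked the day before will stop. Keep the report output with the trust inventory the guidelines ask you to maintain.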
Lab Scenario
During the AD DS forest design process at A. Datum Corporation, the design team decided that it will need to maintain a separate forest for the treyresearch.net domain to fulfill the research department's isolation requirements. However, the design team is still considering how best to integrate the Contoso, Ltd. organization into the A. Datum network infrastructure. Currently, Contoso has not deployed AD DS.
Lab Review
- What was your approach to the AD DS domain design exercises?
- Did your design differ from the suggested solution?
- How does the domain design compare with your organization's domain implementation?