
Microsoft Official Course

Module 5

Designing and Implementing an Active Directory Domain Services Forest and Domain Infrastructure

Module Overview
- Designing an AD DS Forest
- Designing and Implementing AD DS Forest Trusts
- Designing and Implementing AD DS Domains
- Designing DNS Namespaces in AD DS Environments
- Designing AD DS Domain Trusts

Lesson 1: Designing an AD DS Forest
- What Is an AD DS Forest?
- AD DS Forest Models
- Benefits of a Single Forest Model
- Considerations for Implementing Multiple Forests
- Guidelines for Designing an AD DS Forest Infrastructure
- Discussion: Selecting a Suitable Forest Design

What Is an AD DS Forest?
An AD DS forest is the highest-level container object in the AD DS hierarchy. Objects in a forest have the following characteristics:
- Share a common schema
- Share a common global catalog
- Are a single administrative unit

AD DS Forest Models
You can choose from the following design models:
- Single forest model
- Organizational forest model
- Resource forest model
- Restricted-access forest model

Benefits of a Single Forest Model
The single forest model:
- Provides a number of components that are shared by all domain controllers in the forest
- Provides a less complex design
- Makes it possible for applications to have centralized access to the directory service
- Makes resource access much easier
- Can make it difficult to implement schema changes

Considerations for Implementing Multiple Forests
The multiple forest model:
- Can meet isolation requirements
- Allows use of AD DS for servers on the perimeter network
- Provides granular control over forest-wide changes
- Requires planning of namespace and DNS requirements when implemented
- Can result in higher costs and administrative complexity

Guidelines for Designing an AD DS Forest Infrastructure
Consider the following guidelines when designing an AD DS forest:
- Map your business, security, and administration requirements to an AD DS forest model
- If possible, use a single AD DS forest rather than multiple forests
- If you implement multiple forests, use as few as possible
- Consider using additional domains within a forest instead of using multiple forests

Discussion: Selecting a Suitable Forest Design
(Diagram: two forests, Wingtiptoys.com and Tailspintoys.com, with the regions emea, USA, and pacific.)

Lesson 2: Designing and Implementing AD DS Forest Trusts
- Characteristics of Forest Trusts
- Forest Trust Security Considerations
- Resource Access
- Guidelines for Designing Forest Trusts
- Demonstration: Creating a Forest Trust

Characteristics of Forest Trusts
Forest trusts provide the following benefits:
- Simplified management of resources across two forests
- Complete two-way trust relationships with every domain in each forest
- Use of UPN authentication across two forests
- Use of both the Kerberos V5 authentication protocol and the NTLM authentication protocol
- Flexibility of administration

Forest Trust Security Considerations
An incorrectly configured trust can allow unauthorized access to resources. You can use the following to mitigate these concerns:
- SID filtering
- Selective authentication
- UPN suffix routing

Resource Access
(Diagram: a forest trust between woodgrovebank.com and contoso.com, each with a global catalog, showing the numbered steps of cross-forest resource access between emea.woodgrovebank.com and na.contoso.com.)

Guidelines for Designing Forest Trusts
- Ensure that DNS is configured correctly
- Ensure that the forest functional level is set to at least Windows Server 2003
- Use external trusts if only two domains are involved
- Use selective authentication
- Consider alternatives to forest trusts

Demonstration: Creating a Forest Trust
In this demonstration, you will see how to:
- Configure the prerequisites of a forest trust
- Create a forest trust
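The same two steps in PowerShell, as an added example that is not part of the course deck: it checks the two prerequisites from the guidelines slide, creates a two-way forest trust through the System.DirectoryServices.ActiveDirectory Forest API instead of the Active Directory Domains and Trusts console, and applies the SID filtering and selective authentication mitigations from the security slide. The partner forest root contoso.com is an assumption; run it as an Enterprise Admin of the local forest.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the course. Creates a hardened two-way forest trust.
param(
    [string]$PartnerForest = 'contoso.com',   # assumed partner forest root
    [pscredential]$PartnerCred = (Get-Credential -Message "Enterprise Admin in $PartnerForest")
)
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Prerequisite 1 (guideline): forest functional level at least Windows Server 2003.
$mode = (Get-ADForest).ForestMode
if ([int]$mode -lt [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest) {
    throw "Forest functional level is $mode; a forest trust needs Windows Server 2003 or higher."
}

# Prerequisite 2 (guideline): DNS must resolve the partner forest's DC locator records,
# normally through a conditional forwarder or stub zone for the partner namespace.
if (-not (Resolve-DnsName "_ldap._tcp.dc._msdcs.$PartnerForest" -Type SRV -ErrorAction SilentlyContinue)) {
    throw "Cannot resolve _ldap._tcp.dc._msdcs.$PartnerForest; fix DNS before creating the trust."
}

# Bind to both forests; the partner side is bound with the partner forest's credentials.
$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$partnerCtx  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList @(
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest, $PartnerForest,
    $PartnerCred.UserName, $PartnerCred.GetNetworkCredential().Password)
$partnerForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($partnerCtx)

# Create the two-way forest trust; both sides are written because we hold credentials for both.
$localForest.CreateTrustRelationship($partnerForest,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# Mitigation 1: selective authentication. Partner users can then authenticate only to
# computers on which they hold the "Allowed to Authenticate" permission.
$localForest.SetSelectiveAuthenticationStatus($PartnerForest, $true)

# Mitigation 2: SID filtering is on by default for a new forest trust; make sure it stays on,
# so SIDs that do not belong to the partner forest (SID history included) are dropped.
if (-not $localForest.GetSidFilteringStatus($PartnerForest)) {
    $localForest.SetSidFilteringStatus($PartnerForest, $true)
}

# Show the result as AD DS stores it.
Get-ADTrust -Filter "Target -eq '$PartnerForest'" |
    Format-List Name, Direction, ForestTransitive, SelectiveAuthentication, TrustAttributes
```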

Lab A: Designing and Implementing an Active Directory Domain Services Forest Infrastructure
- Exercise 1: Designing an AD DS Forest Infrastructure
- Exercise 2: Implementing AD DS Forest Trusts

Logon Information
Virtual machine      User name
20413B-LON-DC1       Adatum\Administrator
20413B-TREY-DC1      TreyResearch\Administrator
20413B-CON-SVR       .\administrator
Password: Pa$$w0rd

Estimated Time: 45 minutes

Lab Scenario
The current AD DS environment at A. Datum Corporation consists of a single AD DS forest, which has only domain controllers running Windows Server 2008 R2. All domain controllers are deployed in a single AD DS site at the London data center.
A. Datum wants to integrate its newly acquired companies, Contoso, Ltd, and Trey Research, into its organization. A. Datum also is planning to expand the number of employees who are located at the Contoso office in Paris, because this will become the primary office for the company's aggressive expansion into European markets. Additionally, A. Datum plans to deploy some applications and services for external clients.

Lab Review
- What was your approach to the AD DS forest design exercises?
- Did your design differ from the suggested solution?
- If cost were not a factor, how might this affect your design?

Lesson 3: Designing and Implementing AD DS Domains
- AD DS Domain Models
- Reasons for Deploying Multiple Domains
- Considerations for Deploying Dedicated Forest Root Domains
- Guidelines for Designing AD DS Domains
- Demonstration: Implementing an AD DS Domain

AD DS Domain Models
- Single domain
- Single domain tree
- Multiple domain trees
- Resource domain
- Regional domain

Reasons for Deploying Multiple Domains
You can deploy multiple AD DS domains:
- When replication traffic needs to be minimized
- When only SMTP is available for AD DS replication
- When password and account lockout policies at the domain level have different requirements
- When there are separate administrative units

Considerations for Deploying Dedicated Forest Root Domains
The reasons to deploy a dedicated forest root domain include:
- Separation of forest-level service administrators from domain-service administrators
- A dedicated forest root domain that is protected from organizational changes
- Ability to strategically place forest-wide operations master domain controllers
- Deployment of forest-wide applications to the forest root domain

Guidelines for Designing AD DS Domains
When designing AD DS domains, consider the following guidelines:
- Capture the business, technical, and administrative requirements
- Record the geographical layout
- Limit the number of domains whenever possible
- Implement regional domains to minimize replication traffic
- Maintain a dedicated forest root if the administration model requires separation of forest-level service administrators from domain service administrators
- Use fine-grained password policies for password requirements

Demonstration: Implementing an AD DS Domain
In this demonstration, you will see how to:
- Add the AD DS server role
- Create a new domain in an existing forest
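The same two demonstration steps scripted with the ADDSDeployment module, as an added example that is not from the course: the parent domain adatum.com, the child name emea, and the functional level are assumptions, and the script runs on a member server that will become the first domain controller of the new child domain.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the course. Adds the AD DS role and creates a child domain.
$ParentDomain = 'adatum.com'   # assumed existing forest root / parent domain
$ChildName    = 'emea'         # assumed new child domain, becomes emea.adatum.com

# Step 1: add the AD DS server role; the management tools bring the ADDSDeployment module.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
Import-Module ADDSDeployment

# Creating a domain in an existing forest needs Enterprise Admin credentials from that forest,
# plus a Directory Services Restore Mode password for the new domain controller.
$entCred  = Get-Credential -Message "Enterprise Admin in $ParentDomain"
$dsrmPass = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode) administrator password'

$params = @{
    DomainType                    = 'ChildDomain'   # 'TreeDomain' would start a new tree in the forest instead
    NewDomainName                 = $ChildName
    ParentDomainName              = $ParentDomain
    DomainMode                    = 'Win2012'       # cannot be lower than the forest functional level
    InstallDns                    = $true           # this DC hosts the emea.adatum.com zone ...
    CreateDnsDelegation           = $true           # ... and the parent zone receives a delegation to it
    Credential                    = $entCred
    SafeModeAdministratorPassword = $dsrmPass
}

# Step 2a: prerequisite checks only; nothing is changed yet.
$check = Test-ADDSDomainInstallation @params
$check | Format-List Status, Message
if ($check.Status -ne 'Success') { throw 'Prerequisite check failed; fix the reported problems first.' }

# Step 2b: promote this server as the first DC of the new child domain. It reboots when finished.
Install-ADDSDomain @params -Force
```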

Lesson 4: Designing DNS Namespaces in AD DS Environments
- AD DS and DNS Integration
- Options for Designing an AD DS Namespace
- Designing DNS Application Partitions
- Guidelines for Implementing DNS Servers into AD DS Environments

AD DS and DNS Integration
AD DS and DNS integration:
- You must have DNS installed so that you can use AD DS
- DNS is installed by default on domain controllers
- Clients and servers use DNS to locate domain controllers

When planning AD DS and DNS integration:
- Consider the number and placement of DNS servers, which affect AD DS functionality
- Consider how to store zone data

Options for Designing an AD DS Namespace
When choosing an AD DS namespace strategy, you can:
- Use the same internal and external DNS names
- Use different internal and external DNS names
- Use a separate domain name

Designing DNS Application Partitions
You can store DNS zones in:
- One of the default application partitions, which have specified replication scopes
- Custom partitions with scopes that you define

(Diagram: the default partitions Domain, Config, Schema, DomainDNSZones, and ForestDNSZones, plus a custom partition, each with its replication scope.)

Replication scope by partition:
- Domain partition: to all domain controllers in the AD DS domain
- DomainDNSZones: to all domain controllers that are DNS servers in the AD DS domain
- ForestDNSZones: to all domain controllers that are DNS servers in the AD DS forest
- Custom partition: to all domain controllers in the replication scope for the application partition

Guidelines for Implementing DNS Servers into AD DS Environments
Guidelines for implementing DNS servers:
- Use Windows Server 2012 DNS servers with AD DS-integrated zones
- Ensure that DNS servers support service (SRV) resource records
- Use the default DNS application directory partitions
- Ensure that the internal and external namespaces are hosted on separate DNS servers
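A check of a domain controller's zones against the partition slide and the guidelines above, as an added PowerShell example (not from the course): it reports which application partition each zone replicates in, flags zones that are file-backed or stored outside the default DNS partitions, and confirms the SRV locator records clients use to find domain controllers. The server name LON-DC1 and the domain adatum.com are assumptions.

```powershell
#Requires -Modules DnsServer
# Added example, not from the course. Audits DNS zone storage and DC locator records.
$DnsServer = 'LON-DC1'      # assumed domain controller that hosts DNS
$Domain    = 'adatum.com'   # assumed AD DS domain name

# Zone storage: the partition decides which DCs receive the zone and whether secure updates work.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone }

$rows = foreach ($z in $zones) {
    $note = switch ($true) {
        { -not $z.IsDsIntegrated }              { 'file-backed zone: not AD DS-integrated, no secure dynamic update'; break }
        { $z.ReplicationScope -eq 'Legacy' }    { 'stored in the domain partition: replicates to every DC, DNS server or not'; break }
        { $z.ZoneName -like '_msdcs.*' -and $z.ReplicationScope -ne 'Forest' } { '_msdcs zone should use ForestDnsZones'; break }
        { $z.ReplicationScope -eq 'Custom' }    { "custom partition $($z.DirectoryPartitionName): verify its replica set"; break }
        default                                 { '' }
    }
    [pscustomobject]@{
        Zone      = $z.ZoneName
        Scope     = $z.ReplicationScope            # Forest, Domain, Legacy or Custom
        Partition = $z.DirectoryPartitionName
        Note      = $note
    }
}
$rows | Format-Table -AutoSize

# Locator records: a DC whose SRV records are missing cannot be found by clients or by other DCs.
foreach ($rec in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain", "_gc._tcp.$Domain") {
    $srv = Resolve-DnsName -Name $rec -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV'
    '{0,-45} {1}' -f $rec, $(if ($srv) { $srv.NameTarget -join ', ' } else { 'MISSING' })
}
```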

Lesson 5: Designing AD DS Domain Trusts
- Trust Relationships
- Shortcut Trusts
- External Trusts and Realm Trusts
- Guidelines for Designing AD DS Domain Trusts

Trust Relationships
In a trust relationship:
- The trust extends the concept of the trusted identity store to another domain
- The trusting domain trusts the identity store and authentication services of the trusted domain
- A trusted user can authenticate to, and be given access to resources in, the trusting domain
- Within a forest, each domain trusts all other domains
- Trust relationships can exist with external domains

Shortcut Trusts
(Diagram: forest root domain tailspintoys.com with the child europe.tailspintoys.com, and tree root domain wingtiptoys.com with the children usa.wingtiptoys.com and asia.wingtiptoys.com, showing where a shortcut trust applies.)

External Trusts and Realm Trusts
(Diagram: external and realm trusts between the tailspintoys.com forest, with asia.tailspintoys.com and europe.tailspintoys.com, and wideworldimporters.com with sales.wideworldimporters.com.)

Guidelines for Designing AD DS Domain Trusts
Guidelines for designing AD DS domain trusts:
- Use external domain trusts instead of forest trusts
- Implement SID filtering and selective authentication
- Consider using shortcut trusts in multidomain tree environments
- Maintain a current list of trust relationships for future reference
- Perform regular backups of domain controllers
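A trust inventory that serves both this slide and the Lesson 2 "Forest Trust Security Considerations" slide, as an added PowerShell example that is not from the course: it lists every trust of the current domain, decodes the trustAttributes flags (bit values from the MS-ADTS specification), flags external trusts without SID filtering, forest trusts on which SID history is admitted, and inbound or two-way trusts without selective authentication, and exports the list for the record the guideline asks you to keep. The report path is an assumption.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the course. Inventories trusts and flags missing mitigations.
$ReportPath = 'C:\Reports\ADTrusts.csv'   # assumed location for the trust inventory
Import-Module ActiveDirectory

# trustAttributes flag bits (MS-ADTS).
$TA = @{ NonTransitive = 0x01; UplevelOnly = 0x02; Quarantined = 0x04; ForestTransitive = 0x08
         CrossOrganization = 0x10; WithinForest = 0x20; TreatAsExternal = 0x40; UsesRc4 = 0x80 }

function Test-TrustHardening {
    param([Microsoft.ActiveDirectory.Management.ADTrust]$Trust)
    $attr = [int]$Trust.TrustAttributes
    $has  = { param($flag) ($attr -band $flag) -ne 0 }
    $isForest   = & $has $TA.ForestTransitive
    $isExternal = -not $isForest -and -not (& $has $TA.WithinForest) -and $Trust.TrustType -eq 'Uplevel'
    $findings = @()
    # SID filtering: an external trust is filtered by the Quarantined bit; a forest trust is
    # filtered by default and only relaxed when TreatAsExternal is set (netdom /enablesidhistory:yes).
    if ($isExternal -and -not (& $has $TA.Quarantined)) { $findings += 'SID filtering (quarantine) disabled' }
    if ($isForest -and (& $has $TA.TreatAsExternal))    { $findings += 'SID history admitted across forest trust' }
    # Selective authentication is the CrossOrganization bit. It matters on inbound and two-way
    # trusts, because those are the directions in which the trusted side's users reach local resources.
    if (($isForest -or $isExternal) -and $Trust.Direction -ne 'Outbound' -and -not (& $has $TA.CrossOrganization)) {
        $findings += 'selective authentication disabled (forest-wide authentication)'
    }
    $kind = if ($Trust.IntraForest) { 'IntraForest/shortcut' } elseif ($isForest) { 'Forest' } elseif ($isExternal) { 'External' } else { "$($Trust.TrustType)" }
    [pscustomobject]@{
        Source          = $Trust.Source
        Target          = $Trust.Target
        Direction       = $Trust.Direction
        Kind            = $kind
        TrustAttributes = '0x{0:X2}' -f $attr
        Findings        = $findings -join '; '
    }
}

$report = Get-ADTrust -Filter * | ForEach-Object { Test-TrustHardening -Trust $_ }
$report | Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation   # the current list of trusts the guideline asks for
```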

Lab B: Designing and Implementing an AD DS Domain Infrastructure
- Exercise 1: Designing an AD DS Domain Infrastructure
- Exercise 2: Implementing an AD DS Domain Infrastructure

Logon Information
Virtual machine      User name
20413B-LON-DC1       Adatum\Administrator
20413B-TREY-DC1      TreyResearch\Administrator
20413B-CON-SVR       .\administrator
Password: Pa$$w0rd

Estimated Time: 60 minutes

Lab Scenario
During the AD DS forest design process at A. Datum Corporation, the design team members decided that they will need to maintain a separate forest for the treyresearch.net domain to fulfill the research department's isolation requirements. However, the design team is currently considering how best to integrate the Contoso, Ltd organization into the A. Datum network infrastructure. Currently, Contoso has not deployed AD DS.

Lab Review
- What was your approach to the AD DS domain design exercises?
- Did your design differ from the suggested solution?
- How does the domain design compare with your organization's domain implementation?

Module Review and Takeaways
- Review Question(s)