
Windows Server® 2008
Active Directory® Domain Services

Infrastructure Planning and Design Series


Published: February 2008
Updated: July 2009
What Is IPD?
Guidance that aims to clarify and streamline the planning and
design process for Microsoft® infrastructure technologies

IPD:
Defines decision flow
Describes decisions to be made
Relates decisions and options for the business
Frames additional questions for business understanding

IPD Guides are available at www.microsoft.com/ipd

Getting Started
ACTIVE DIRECTORY DOMAIN SERVICES

Purpose and Agenda
Purpose
To provide design guidance for Windows Server® 2008
Active Directory
Agenda
Determine process for Active Directory design
Assist designers in the decision-making process
Provide design assistance based on best practices and
real-world experience

Active Directory in Microsoft Infrastructure
Optimization

Decision Flow Diagram
Start
Step 1: Determine the Number of Forests
Step 2: Determine the Number of Domains
Step 3: Assign Domain Names
Step 4: Select the Forest Root Domain

Paths A and B, in either order or in parallel
Path A
Step A1: Design the OU Structure
Path B
Step B1: Determine Domain Controller Placement
Step B2: Determine Number of Domain Controllers
Step B3: Determine Global Catalog Placement
Step B4: Determine Operations Master Role Placement
Are A and B complete? No: complete A or B. Yes: continue to paths C and D.

Paths C and D, in either order or in parallel
Path C
Step C1: Create the Site Design
Step C2: Create the Site Link Design
Step C3: Create the Site Link Bridge Design
Path D
Step D1: Determine Domain Controller Configuration
Are C and D complete? No: complete C or D. Yes: finished.
Tips for the Planning Process
Considerations at each design phase
Complexity
Cost
Fault tolerance
Performance
Scalability
Security

Decision Flow Start Path:
Determine Domain and Forest Components

Start
Step 1: Determine the Number of Forests
Step 2: Determine the Number of Domains
Step 3: Assign Domain Names
Step 4: Select the Forest Root Domain
Then paths A and B, in either order or in parallel

Determine the Number of Forests
How Many Forests?
Option 1: Single forest

Option 2: Multiple forests

Multiple Forest Drivers


Multiple schemas

Resource forests

Forest administrator distrust

Legal regulations for application or data access

Determine the Number of Domains
How Many Domains?
Option 1: Single domain
Option 2: Multiple domains

Multiple Domain Drivers


Large number of frequently changing attributes
Reduce replication traffic
Control replication traffic over slow links
Preserve legacy Active Directory

Assign Domain Names
Task 1: Assign the NetBIOS Name
Maximum effective length of 15 characters

Use a NetBIOS name that is unique across corporations

Task 2: Assign DNS Name


DNS name consists of host name and network name

Ensure uniqueness by not duplicating existing registered Internet domain names

Register all top-level domain names with InterNIC


Name should not represent business unit or division

Select the Forest Root Domain
Establish Forest Root Domain Structure:
Option 1: Use a planned domain

Option 2: Dedicated forest root domain

Additional Considerations:
Determine time synch strategy

Consider cost of final structure

Consider complexity of final structure

Decision Flow Path A:
Determine Organizational Unit (OU) Structure

Design the OU Structure
Choose an OU Design:
Task 1: Design OU configuration for delegation of
administration

Task 2: Design OU configuration for group policy application

Decision Flow Path B:
Determine Domain Controller Placement and
Operations Master Role Placement

Path B
Step B1: Determine Domain Controller Placement
Step B2: Determine Number of Domain Controllers
Step B3: Determine Global Catalog Placement
Step B4: Determine Operations Master Role Placement

Determine Domain Controller
Placement
Placement of the Domain Controllers:
Task 1: Hub locations

Task 2: Satellite locations

Determine the Number of Domain
Controllers
Number of Domain Controllers Needed and Their Type:
Task 1: Determine number of domain controllers
Task 2: Determine type of domain controllers placed in
location

Determine Global Catalog Placement
Global Catalog Locations and Number Needed:
Task 1: Determine global catalog locations and counts

Decision flow for each location:
Application requirement? Yes: place a global catalog server at the location. No: continue.
Number of users > 100? Yes: place a global catalog server at the location. No: continue.
WAN link 100% available? Yes: do not place a global catalog server at the location. No: continue.
Many roaming users at location? Yes: place a global catalog server at the location. No: place a domain controller at the location and enable universal group membership caching.
Determine Global Catalog Placement
Considerations:
Locate near applications that rely on global catalog

Number of users at the location greater than 100

WAN link availability


Roaming users at location

Use of universal group caching

How many global catalog servers?

Determine Operations Master Role
Placement
Domain Roles
Primary domain controller (PDC) emulator operations master

Relative ID (RID) operations master

Infrastructure operations master

Forest Roles
Schema operations master

Domain naming operations master

Determine Operations Master Role
Placement
Operations Master Role Placement:
Task 1: FSMO placement

Decision Flow Path C:
Determine Site Design and Structure

Path C
Step C1: Create the Site Design
Step C2: Create the Site Link Design
Step C3: Create the Site Link Bridge Design

Create the Site Design
Creating the Site Design:
Task 1: Create a site for the location

Task 2: Associate location to nearest defined site

Create a Site Link Design
Creating the Site Link Design:
Task 1: Determine the site link design

Create the Site Link Bridge Design
Creating the site link bridge design:
Option 1: Default behavior

Option 2: Custom site link bridge

Decision Flow Path D:
Determine Domain Controller Configuration

Path D
Step D1: Determine Domain Controller Configuration

Determine Domain Controller
Configuration
Plan Domain Controller Configuration:
Task 1: Identify minimum disk space requirements for each
domain controller

Task 2: Identify memory requirements for each domain
controller

Task 3: Determine CPU requirements

Task 4: Identify network requirements for each domain
controller

Active Directory Dependencies
Direct Dependencies
Domain Name Service (DNS)

Lightweight Directory Access Protocol (LDAP)

Indirect Dependencies
Windows Internet Naming Services (WINS)

What’s Next? – Discuss, Rinse, Repeat
Implement your design
Test and refine design along the way
Provide feedback on the doc to satfdbk@microsoft.com

Summary and Conclusion
Organizations should base the design of their Active
Directory infrastructure on business and technical
requirements
Considerations should include:
The scope of the network and environment

Technical requirements and considerations

Additional business requirements


Designing an Active Directory infrastructure to meet these
requirements

Validating the overall approach

Find More Information
Microsoft Solution Accelerators
microsoft.com/technet/SolutionAccelerators
satfdbk@microsoft.com

Download the Full Document


http://go.microsoft.com/fwlink/?LinkId=100915

Online Resources
Creating a Forest Design: provides information on the details and needs for a forest design
Creating a Domain Design: provides information on the details and needs for a domain design
Namespace planning for DNS: provides information on the best practices and techniques for
DNS names
Configuration of the time service within Active Directory: helps with syntax and design
requirements for setting up the time for the Active Directory enterprise
Best Practice Active Directory Design for Managing Windows Networks
Windows Server 2003 Deployment Guide: provides invaluable information for deploying and
configuring servers for Active Directory
FSMO placement and optimization on Active Directory domain controllers
Best Practices for Active Directory Design and Deployment
Designing and Deploying Directory and Security Services
