Active Directory Infrastructure Planning and Design


  • 7/25/2019 Active Directory Infrastructure Planning and Design


    Copyright 2008 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or providing feedback on this documentation, you agree to the license agreement below.

    If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit

    http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

    This documentation is provided to you for informational purposes only and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user's particular environment. To the extent permitted by law, MICROSOFT MAKES NO


    Contents

    The Planning and Design Series Approach 1
    Introduction to Active Directory Planning and Design 3
    Active Directory in Microsoft Infrastructure Optimization 4
    Active Directory Design Decision Process 6
    Step 1: Determine the Number of Forests 9
    Step 2: Determine the Number of Domains 12
    Step 3: Assign Domain Names 15
    Step 4: Select the Forest Root Domain 17
    Step A1: Design the OU Structure 19
    Step B1: Determine Domain Controller Placement 21
    Step B2: Determine the Number of Domain Controllers 23
    Step B3: Determine Global Catalog Placement 25
    Step B4: Determine Operations Master Role Placement 29
    Step C1: Create the Site Design 31
    Step C2: Create the Site Link Design 33
    Step C3: Create the Site Link Bridge Design 36
    Step D1: Determine Domain Controller Configuration 38
    Conclusion 41
    Appendix: Design Job Aid 43
    Acknowledgments 45

    Solution Accelerators microsoft.com/technet/SolutionAccelerators


    The Planning and Design Series Approach

    This guide is one in a series of planning and design guides that clarify and streamline the planning and design process for Microsoft infrastructure technologies. Each guide in the series addresses a unique infrastructure technology or scenario. These guides include the following topics:

    • Defining the technical decision flow (flow chart) through the planning process.

    • Describing the decisions to be made and the commonly available options to consider in making the decisions.

    • Relating the decisions and options to the business in terms of cost, complexity, and other characteristics.

    • Framing the decision in terms of additional questions to the business to ensure a comprehensive understanding of the appropriate business landscape.

    The guides in this series are intended to complement and augment the product documentation.

    Document Approach

    This guide is designed to provide a consistent structure for addressing the decisions/activities that are most critical to the successful implementation of the Windows Server 2008 operating system Active Directory directory service infrastructure.

    Each decision/activity is subdivided into four elements:

    • Background on the decision or activity, including context setting and general considerations.

    • Typical options or tasks to perform for the activity.

    • Reference section evaluating such items as cost, complexity, and manageability to the options/tasks.

    • Questions for the business that may have a significant impact on the decisions to be made.

    The following table lists the full range of characteristics discussed in the evaluation sections. Only those characteristics relevant to a particular option or task are included in each section.

    Table 1. Architectural Characteristics

    Characteristic | Description
    Complexity | The complexity of this option relative to other options.
    Cost | The initial setup and sustained cost of this option.
    Fault Tolerance | How the decision supports the resiliency of the infrastructure. This will ultimately affect the availability of the system.
    Performance | How the option will affect the performance of the infrastructure.
    Scalability | The impact the option will have on the scalability of the infrastructure.
    Security | This value reflects whether the option will have a positive or negative impact on overall infrastructure security.


    Each of the design options is compared against the above characteristics and is subjectively rated in order to provide a relative weighting of the option against the characteristic. The options are not explicitly rated against each other as there are too many unknowns about the business drivers to accurately compare them.

    The ratings are relative and take two forms:

    • Cost and Complexity are rated on a scale of High, Medium, or Low.

    • The remaining characteristics are rated on the scale listed in the following table.

    Table 2. Impact on Characteristic

    Symbol | Definition
    + | Positive effect on the characteristic.
    (no symbol) | No effect on the characteristic, or there is no basis for comparison.
    – | Negative effect on the characteristic.

    The characteristics are presented either as two-column or three-column tables. The two-column table is used when the characteristic is applicable to all options or when there are no options available


    Windows Server 2008 Active Directory Domain Services

    Introduction to Active Directory Planning and Design

    Active Directory controls the core security of the Microsoft Windows network environment. The directory service is responsible for authenticating user and computer accounts within the Active Directory infrastructure. In addition, the directory service provides a mechanism for centralized, delegated administration of resources within the forest.

    To develop and implement a successful design of Active Directory, numerous questions must be answered and many decisions and strategies must be determined. Considerations for performance, security, manageability, scalability, and many other criteria must be addressed if the design is to be successful.

    The purpose of this guide is to assist designers in the decision-making process by providing a clear and concise path for designing the Active Directory infrastructure, given the relative context. This guide relies on best practices and real-world experience to offer considerations and alternatives at each point in the design.

    This guide, when used in conjunction with product documentation, will help companies confidently plan an Active Directory implementation. The appendix includes a sample job aid for recording the decisions made during the design process.

    Assumptions

    To limit the scope of material in this guide, the following assumptions have been made:

    • The decision to implement Active Directory has already been made. This guide does not address the business or technical case to make a directory choice.

    • This design is for use in a production environment. It is expected that a test environment will also be created to mirror the production environment in configuration.

    • The reader has familiarity with the Microsoft infrastructure and directory services. This guide does not attempt to educate the reader on the features and capabilities of Microsoft products. The product documentation covers that information.

    Feedback

    Please direct questions and comments about this guide to satfdbk@microsoft.com.


    Infrastructure Planning and Design

    Active Directory in Microsoft Infrastructure Optimization

    The Infrastructure Optimization (IO) Model at Microsoft groups IT processes and technologies across a continuum of organizational maturity. (For more information, see Microsoft.com/io.) The model was developed by industry analysts, the Massachusetts Institute of Technology (MIT) Center for Information Systems Research (CISR), and Microsoft's own experiences with its enterprise customers. A key goal for Microsoft in creating the Infrastructure Optimization Model was to develop a simple way to use a maturity framework that is flexible and can easily be applied as the benchmark for technical capability and business value.

    IO is structured around three information technology models: Core Infrastructure Optimization, Application Platform Optimization, and Business Productivity Infrastructure Optimization. According to the Core Infrastructure Optimization Model, having administrator-controlled automated physical or virtual application distribution will help move an organization to the Rationalized level. Active Directory provides the administrator with the mechanism for user and machine authentication within the organization. Active Directory begins to move the organization to the Standardized level, while providing the infrastructure for additional services required in the Rationalized and Dynamic levels. This guide will assist you in planning and designing the infrastructure for an Active Directory implementation.

    Figure 1. Mapping of Active Directory technology into Core Infrastructure Optimization Model

    Infrastructure Architecture and Business Architecture

    Microsoft produces architectural decision-making guidance for IT infrastructure and business architecture. The architectural principles and decisions presented in the Infrastructure Planning and Design series are relevant to IT infrastructure architecture. The business architecture templates from Microsoft focus on detailed business capabilities, such as price calculation, payment collection process, and order fulfillment.

    Although the IT infrastructure will affect business capabilities, and business architectural requirements should contribute to infrastructure decisions, the Infrastructure Planning and Design series does not define or correlate specific individual business architecture templates. Instead, the Infrastructure Planning and Design guides will present critical decision points where service management or business process input is required.

    For additional information about business architecture tools and models, please contact your nearest Microsoft representative or watch the video about this topic, available at http://channel9.msdn.com/ShowPost.aspx?PostID=179071.


    Active Directory Design Decision Process

    This guide focuses on addressing the critical design decisions faced by most organizations when implementing Active Directory in Windows Server 2008.

    This guide's goal is to address the most common scenarios, decisions, activities, options, tasks, and outcomes that most organizations will encounter. It does not attempt to address every possible scenario or permutation of a scenario. Readers who think their situation is unique should consider hiring a design consultant to address their needs.

    Decisions

    This guide addresses the following decisions and/or activities that need to occur in preparing for Active Directory planning. The following 13 steps represent the most critical design elements in a well-planned Active Directory implementation:

    1. Determine the number of forests (step 1).

    2. Determine the number of domains required for each forest (step 2).

    3. Assign Domain Name Service (DNS) and NetBIOS names for each domain (step 3).

    4. Select the forest root domain for each forest (step 4).

    5. Design the organizational unit (OU) structure for each domain (step A1).

    6. Determine the domain controller placement for each domain (step B1).

    7. Determine the number of domain controllers for each location (step B2).

    8. Plan global catalog server placement for each forest (step B3).

    9. Plan the Flexible Single Master Operations (FSMO) role placement for each forest and domain (step B4).

    10. Create a site design (step C1).

    11. Create a site link design (step C2).

    12. Determine the site link bridge design (step C3).

    13. Determine domain controller hardware and installation configuration (step D1).

    Some of these items represent decisions that must be made. Where this is the case, a corresponding list of common response options will be presented.

    Other items in this list represent tasks that must be carried out. These types of items are addressed because their presence is significant in order to complete the infrastructure design.

    Decision Flow

    In many cases, the sequence in which the decisions are made or the tasks are accomplished is significant to the design process. The critical path of the design process is the path that orders decisions in series, as one task must be completed before another task starts.

    The critical path for Active Directory design is illustrated in the flow chart in Figure 2. For the purposes of this document, the steps will be performed in a sequential path, moving from top to bottom of the diagram. Some process flows in this path can be performed either in parallel or sequentially in any order. For example, both A and B must be completed; however, they can be performed at the same time, A can be performed before B, or vice versa.


    Figure 2. Critical path and process flow for Active Directory design

    Information Collection

    Various types of information will be needed during the planning process. The following information is required for designing the Active Directory infrastructure.

    Needed for designing the OU structure of each domain (A1)

    • The current administrative model used in the organization. This lists who is responsible for managing the resources of the environment. Another way of looking at it would be to ask “Who does what to whom?”

    • Group Policy deployment requirements and strategies

    Needed for domain controller placement (B1)

    • The number of users per physical location (for example, corporate office, branch office, satellite office)

    • The number of computers per physical location

    Needed for creating a site design (C1)

    • Physical location map

    • Network link speeds and available bandwidth between locations

    • TCP/IP subnets used in each physical location

    • Domains represented in each physical location

    • Domain controllers (per domain) in each physical location

    Needed for creating a site link design (C2)

    Replication convergence goals for the following:

    • Configuration and Schema

    • Domain

    • Global Catalog

    • Application Partitions


    Applicable Scenarios

    This guide addresses considerations that are related to planning and designing the necessary components for a successful Active Directory infrastructure:

    • Production corporate intranets

    • Centralized facilities (hub locations)

    • Branch offices (satellite locations)

    • National networks

    • Global networks

    Out of Scope

    This document is designed to guide the architect through the process of designing the core implementation for Active Directory. Its scope has therefore been limited so that it does not cover the following areas:

    • Active Directory/Application Mode (AD/AM), which is a lightweight implementation of Active Directory, sometimes set up for use by individual applications.

    • Migration from, co-existence with, or interoperation with non-Microsoft directory services.

    • Migration from implementations earlier than Windows Server 2008. There are, however, some design considerations involving Windows 2000 server components.

    • Federated implementations in which multiple corporations are joined together.

    • Multi-tenant considerations in which multiple companies are hosted within a forest.

    The remainder of this document addresses the decisions and activities previously defined.


    Step 1: Determine the Number of Forests

    Every Active Directory implementation will have at least one forest. The first step in Active Directory design is to determine whether one or multiple forests are required to meet the organization's objectives. If multiple forests are required, then the total number of forests needs to be determined.

    Getting this decision correct in the beginning is important. As planning progresses, the assumptions that are driven by this design decision will make changing the configuration more difficult. It is considerably more difficult to collapse forests once they have been established than it is to add additional forests later.

    Option 1: Single Forest

    When considering the overall design of Active Directory, a single forest implementation is the default.

    A best practice is to start with a single forest and let business requirements justify any additional forests. For extremely large directories, replication could become an issue. Whereas domains are used to partition the directory data and control replication of domain-centric information, forest-wide informationation paths. A test environment could be created as a resource forest.

    • Forest administrator distrust. Some organizations have an internal structure that includes more than one IT team. When each IT team wants to control the forest while denying the other IT staff control, implementing multiple forests is a means to that end. This is a common scenario when companies merge, in government agencies, and at universities.

    • Legal regulations or geopolitical reasons for application and/or data access. All domains in a single forest have automatic, two-way Kerberos trusts so that data and applications can be accessed easily. When working with some countries or regions, legal requirements may dictate the separation of data and applications. Multiple forests provide this separation.

    Implementing multiple forests increases the cost of managing the environment. Additional hardware and software are required to maintain and support multiple forests, and additional staff may also be required.

    If information sharing across forests is required, then cross-forest trusts are necessary. These trusts support Kerberos in Windows Server 2003 and Windows Server 2008 environments.

    Global catalogs do not replicate across forest boundaries. To obtain a unified view across multiple forests, directory synchronization software, such as Identity Lifecycle Manager 2007 (http://www.microsoft.com/miis/default.mspx), must be implemented. Implementing such technologies increases the administrative burden of multiple forests.

    How Many Forests

    When the need for multiple forests is confirmed, the exact number of required forests must be determined. Iterate through the forest decision until all of the business requirements have been addressed and the total number of forests required has been identified.

    Evaluating the Characteristics

    Complexity

    One forest | A single forest is the entry point for a deployment of Active Directory; complexity cannot be reduced. | Low
    Multiple forests | Second and subsequent forests add to the overall complexity of the environment. | High

    Cost

    One forest | A single forest is the most inexpensive choice because it requires less hardware, software, and administrative support. | Low
    Multiple forests | Hardware, software, and administrative considerations increase the cost for each forest that is added to the design. | High

    Security

    One forest | The forest is the security boundary, and the forest administrator has access to all resources within the forest. |
    Multiple forests | Security responsibilities are granted to the administrator of each forest. The division of security responsibilities among multiple administrators could be a better overall rating for security. | +

    Validating with the Business

    In addition to evaluating the decision in this step against IT-related criteria, the effect of the decision on the business should also be validated. The following questions have been known to affect forest design decisions:

    • Are there any acquisition or divestiture plans in the near future? If the company might be acquired in the near future, it may be prudent to discuss design details with the acquiring company, rather than design a directory that could be discarded once the acquisition is complete.

      If the company is acquiring a new business, requirements around that acquisition should be considered during the design phase. For example, unique administration requirements might be introduced during the acquisition. If a business unit is going to be divested, a separate forest might make the transition easier and simpler.

    • Are there any impending separation requirements? Pending or known compliance regulations might introduce separation requirements.


    Tasks and Considerations

    For each forest in the environment, it's important to consider time synchronization. Kerberos depends on the time of domain controllers, servers, and clients being synchronized within minutes of one another; otherwise, Kerberos authentication will fail. Time is one of the considerations used for assessing the health state of the directory.

    Active Directory relies on the domain controller that runs the primary domain controller (PDC) emulator role in the root domain to keep the master time for all domains in the forest. There are two options for establishing the time for that domain controller.

    The time can be set to synchronize with either an internal source or an external source to the organization. If an internal source is used, it can be synchronized with a time server that is on the Internet. Also, the time source and domain controller can use authentication to ensure a reliable time. If an external time source is used, no authentication is provided.

    Manually setting and updating the time is not recommended. The Active Directory environment relies too heavily on the time, and serious problems can occur if the time is not set properly.
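    The time-source decision above is applied on the forest-root PDC emulator and then verified on every domain controller. The following PowerShell script is an added example written for this page; it is not from the guide or from Microsoft. It assumes it is run as a domain administrator on a domain controller that has the ActiveDirectory module, and ntp1.example.invalid / ntp2.example.invalid are placeholder names for whatever NTP peers the organization chooses. The 5-minute tolerance is the default Kerberos maximum clock skew.

```powershell
# Added example, not from the IPD guide: make the forest-root PDC emulator the
# authoritative time source and then measure clock skew on every domain controller.
# Kerberos rejects tickets whose timestamps differ from the DC clock by more than
# the configured tolerance (5 minutes by default), so skew above that is an outage.
# Assumptions: run as a domain administrator on a DC with the ActiveDirectory
# module; ntp1/ntp2.example.invalid are placeholder names for your NTP peers.
Import-Module ActiveDirectory

$rootDomain = (Get-ADForest).RootDomain
$pdc        = (Get-ADDomain -Identity $rootDomain).PDCEmulator
Write-Host "Forest-root PDC emulator: $pdc"

# 1. On the PDC emulator only: point w32time at the chosen peers.
#    ",0x8" = client mode; /reliable:yes advertises this DC as a reliable source
#    so the other DCs in the forest follow the domain hierarchy back to it.
if ($env:COMPUTERNAME -eq ($pdc -split '\.')[0]) {
    w32tm /config /manualpeerlist:"ntp1.example.invalid,0x8 ntp2.example.invalid,0x8" `
          /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /rediscover
    w32tm /query /source    # expect the manual peer, not "Local CMOS Clock"
}

# 2. Compare each DC's clock with the PDC emulator's clock. Remote calls add a
#    little latency, so differences well under a second are measurement noise;
#    anything over the Kerberos tolerance is flagged.
$tolerance = [TimeSpan]::FromMinutes(5)     # Kerberos MaxClockSkew default
$pdcTime   = Invoke-Command -ComputerName $pdc -ScriptBlock { Get-Date }
foreach ($dc in Get-ADDomainController -Filter * -Server $rootDomain) {
    $dcTime = Invoke-Command -ComputerName $dc.HostName -ScriptBlock { Get-Date }
    $skew   = $dcTime - $pdcTime
    $flag   = if ([math]::Abs($skew.TotalSeconds) -gt $tolerance.TotalSeconds) {
                  'KERBEROS RISK'
              } else {
                  'ok'
              }
    '{0,-30} skew {1,8:N1}s  {2}' -f $dc.HostName, $skew.TotalSeconds, $flag
}
```

    In a multi-domain forest, repeat the skew check with -Server set to each child domain so that every domain's controllers are covered; the configuration step is only ever run on the root-domain PDC emulator, which is the one machine the hierarchy treats as the master time source.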

    Decision Summary

    A single forest is ideal. It is easier to manage as well as being cheaper to implement, maintain, and support. Multiple forests are necessary if legal, schema, administrative, or application requirements dictate the decision.

    Additional Reading

    • “Creating a Forest Design” at http://technet2.microsoft.com/windowsserver/en/library/fba18139-1168-4259-82b3-c3b4c81945981033.mspx?mfr=true

    • “How to configure an authoritative time server in Windows Server 2003” at http://support.microsoft.com/kb/816042/


    Step 2: Determine the Number of Domains

    The second step in Active Directory design is to determine the number of domains that are required to meet the organization's objectives. Because each forest is unique and separated from the other forests, the number of domains in each forest must be considered independent of the other forests.

    The addition or removal of a domain after the initial design has been implemented is not always simple. Migration of computers, users, data, and applications could make the modification to the number of domains a complex task.

    Option 1: Single Domain

    The design will need to have at least one domain. If there are multiple forests, then there will need to be one domain per forest, minimum. A single domain model has the following advantages and benefits:

    • A single domain is the least expensive option. Additional domains increase the cost of hardware, software, and administration.

    • A single domain is easier to manage. Management overhead and the related costs increase with additional domains.

    • A single domain is easier to recover in the event of a disaster.

    Option 2: Multiple Domains

    Any of the following requirements will lead to a design with multiple domains:

    • In environments that consist of a combined total of 100,000 user or computer objects, tests should be performed in the lab to ensure that the replication load does not overwhelm the replication topology for the domain. Multiple domains may be required to reduce the overall domain replication load.

    • If Active Directory has a large number of frequently changing attributes, it may be useful to break the environment into multiple domains to control the replication within the domains. Testing should be done in a lab to determine if multiple domains reduce the replication traffic in a significant way.

    • The compression algorithm used to replicate directory service changes across slow links is highly efficient. However, if slow links still cause issues for replication, a separate domain might be necessary. This scenario can be challenging when there are numerous changes occurring to directory service objects on a regular basis.

    • An existing Microsoft directory, running on an earlier operating system level, needs to be preserved. To do so, the environment can be separated into its own domain.

    Note


    How Many Domains

    Once the need for multiple domains has been identified, the exact number of domains per forest is determined. A separate domain will be added to address each of the considerations that have been identified.

    Evaluating the Characteristics

    Complexity

    One domain | A single-domain directory is the least complex environment. | Low
    Multiple domains | Complexity increases with the addition of each domain. However, just adding another domain does not add as much complexity as it does for cost and manageability. | High

    Cost

    One domain | The cost to set up and operate a single domain is the lowest possible. | Low
    Multiple domains | Setup costs rise with each additional domain because of the requirements of installing and configuring each domain controller, not to mention the hardware and software cost for each domain controller. | High

    Validating with the Business

    In addition to evaluating the decision in this step against IT-related criteria, the effect of the decision on the business should also be validated. The following questions have been known to affect domain design decisions:

    • Is there a need to separate a business unit because of legal requirements? Some companies and many governmental, university, or military environments require that some users and computers exist in a separate domain. If such a policy exists, it should be re-evaluated as the domain is no longer the security boundary it was in Windows NT 4.0 and previous versions. If the policy is around isolation requirements, a separate forest will be required.

    • Are there different administrative units that need to be autonomous? In most cases, using delegation at the OU level within a single domain can provide autonomy to administrative units. However, politics, corporate structure, administrative controls, and other factors might cause a need for additional domains instead.

    Decision Summary

    A single domain is the default configuration for each forest. Add domains only as necessary to solve technical and business concerns that can't be solved within a single domain. Additional domains cost more to install and increase the hardware and software needed to run the domain controllers in each domain.

    Remember to record the decisions made in the job aid in the appendix of this guide.

    Important: The number of domains will need to be determined per forest.


    Additional Reading

    • “Creating a Domain Design” at http://technet2.microsoft.com/windowsserver/en/library/60b6817e-4123-4bb0-8646-964c83b2e3281033.mspx?mfr=true

    • “AD DS Fine-Grained Password Policies” at http://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx?mfr=true


Step 3: Assign Domain Names

The third step in Active Directory design is to assign names to each of the domains. There are two names to assign: the Domain Name System (DNS) name and the Network Basic Input/Output System (NetBIOS) name. Although Windows Server 2008 uses DNS for name resolution instead of the Windows Internet Name Service (WINS) NetBIOS name resolution method that is used in Microsoft Windows NT 4.0-based networks, most organizations still require WINS since there are applications that require it.

Task 1: Assign the NetBIOS Name

The NetBIOS naming activity does not lend itself to a list of specific options. However, there are considerations that need to be addressed when designing the namespace.

NetBIOS names are the names that users most often see when prompted for a domain name in Windows. Each domain requires a NetBIOS name to be assigned. The NetBIOS name must be unique on the network or name resolution conflicts will result.

The same NetBIOS name can be used in different corporations to represent the same entity; for example, the NetBIOS name CORP is often used as the name for the internal corporate network. In this case, if two companies merge and both have used the NetBIOS name CORP, there will be a conflict when the two networks are integrated.

Name resolution conflicts can be avoided by using a NetBIOS name that is more likely to be unique across corporations, such as CONTOSOCORP for a corporation named Contoso. Use a name that will be unique and independent of existing regional or organizational names within the corporation.

Task 2: Assign the DNS Name

Similar to NetBIOS naming, the DNS naming activity does not lend itself to a list of specific options. However, there are considerations that need to be addressed when designing the namespace.

As with NetBIOS, several rules apply to DNS naming. The "Additional Reading" section later in this step provides links to resources about these rules.

The DNS names of Active Directory domains include two parts: a host name and a network name. When concatenated, these names create a non-ambiguous name for a resource. The host name is the name of the Active Directory domain.

First, determine the network name. A best practice is to match the registered Internet domain name for the business. Doing so will ensure that the name is unique across the Internet and is not in conflict with other corporations' external name ownerships; this reduces the risk of name conflicts during mergers and acquisitions.

Second, select the host name for the domain. The default naming scheme will make the NetBIOS name and DNS name the same, such as the NetBIOS name CONTOSOCORP and the DNS name contosocorp.com. For ease of tracking DNS names and NetBIOS names within interfaces and when troubleshooting network-related or Active Directory-related issues, it is a good idea to keep these names the same. However, doing so is not required.

To ensure uniqueness among companies, don't duplicate existing corporations' registered Internet DNS domain names. It is a best practice to register all top-level domain names (also known as network names) that are being used, both internally and externally, with the Internet Network Information Center (InterNIC) to ensure global DNS uniqueness of the name on the Internet.
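The naming rules in this step can be checked mechanically before a name is committed to the job aid, which matters because the Decision Summary below notes how disruptive a later rename is. The following PowerShell is an added example written for this page, not code from the guide or from Microsoft. It encodes the NetBIOS length and character limits and the DNS label rules from the references in "Additional Reading"; the list of generic names it flags and the ".local" warning are the example's own additions, and the in-use name lists at the bottom are constructed sample data standing in for a partner forest's inventory.

```powershell
# Added example (not from the IPD guide): sanity-check candidate NetBIOS and
# DNS domain names against the naming rules of this step before recording them.

function Test-NetBiosDomainName {
    param([Parameter(Mandatory)][string]$Name)
    $problems = @()
    # NetBIOS names are at most 15 characters (the 16th byte is the suffix).
    if ($Name.Length -lt 1 -or $Name.Length -gt 15) {
        $problems += 'length must be 1-15 characters'
    }
    # Characters that are not allowed in a NetBIOS name.
    if ($Name -match '[\\/:\*\?"<>\|]') {
        $problems += 'contains an illegal character (\ / : * ? " < > |)'
    }
    if ($Name -match '^\d+$') {
        $problems += 'all-numeric names are not recommended'
    }
    # Generic names are the merger collision described in this step; the list
    # of names checked here is the example's own choice.
    if ($Name -in @('CORP', 'DOMAIN', 'INTERNAL', 'AD')) {
        $problems += 'generic name, likely to collide with a merged network'
    }
    return $problems
}

function Test-DnsDomainName {
    param([Parameter(Mandatory)][string]$Name)
    $problems = @()
    $fqdn   = $Name.TrimEnd('.')
    $labels = $fqdn -split '\.'
    if ($labels.Count -lt 2) {
        $problems += 'single-label DNS names are not recommended for AD domains'
    }
    if ($fqdn.Length -gt 255) {
        $problems += 'name exceeds 255 characters'
    }
    foreach ($label in $labels) {
        if ($label.Length -lt 1 -or $label.Length -gt 63) {
            $problems += "label '$label' must be 1-63 characters"
        }
        # Letters, digits and interior hyphens only.
        if ($label -notmatch '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$') {
            $problems += "label '$label' contains characters outside A-Z, 0-9 and interior hyphens"
        }
    }
    # The step recommends matching a registered Internet name; '.local' can
    # never be registered and is reserved for multicast DNS (RFC 6762).
    if ($labels[-1] -eq 'local') {
        $problems += "'.local' is not registrable on the Internet"
    }
    return $problems
}

function Test-DomainNamePlan {
    param(
        [Parameter(Mandatory)][string]$NetBiosName,
        [Parameter(Mandatory)][string]$DnsName,
        [string[]]$InUseNetBiosNames = @(),
        [string[]]$InUseDnsNames = @()
    )
    $findings = @()
    foreach ($p in @(Test-NetBiosDomainName -Name $NetBiosName)) { $findings += "NetBIOS: $p" }
    foreach ($p in @(Test-DnsDomainName -Name $DnsName))         { $findings += "DNS: $p" }
    # Name resolution conflicts: a name already in use anywhere the networks
    # will be joined (comparisons are case-insensitive).
    if ($InUseNetBiosNames -contains $NetBiosName) { $findings += "NetBIOS: '$NetBiosName' is already in use" }
    if ($InUseDnsNames -contains $DnsName)         { $findings += "DNS: '$DnsName' is already in use" }
    # Advisory only: the step recommends keeping the two names aligned.
    $firstLabel = ($DnsName -split '\.')[0]
    [pscustomobject]@{
        NetBiosName = $NetBiosName
        DnsName     = $DnsName
        Acceptable  = ($findings.Count -eq 0)
        Aligned     = ($firstLabel -eq $NetBiosName)
        Findings    = $findings
    }
}

# Constructed sample of names already in use, for example in a forest that is
# being acquired; not real data.
$inUseNetBios = @('CORP', 'FABRIKAM')
$inUseDns     = @('corp.fabrikam.com', 'fabrikam.com')

Test-DomainNamePlan -NetBiosName 'CORP' -DnsName 'corp.local' `
    -InUseNetBiosNames $inUseNetBios -InUseDnsNames $inUseDns
Test-DomainNamePlan -NetBiosName 'CONTOSOCORP' -DnsName 'contosocorp.com' `
    -InUseNetBiosNames $inUseNetBios -InUseDnsNames $inUseDns
```

The first call reports the CORP collision, the generic-name warning and the unregistrable suffix; the second passes with Aligned set to true. Feeding the function the NetBIOS and DNS names of every forest involved in a merger is the quickest way to surface the conflict this step warns about before the networks are joined.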


Validating with the Business

In addition to evaluating the decision in this step against IT-related criteria, the effect of the decision on the business should also be validated. The following questions have been known to affect domain naming decisions:

We plan to use our current Internet domain name. Are there any groups or applications that require a different DNS namespace, perhaps for identity reasons? A separate domain would be required to support a different DNS name within the forest.

Are there any planned mergers or acquisitions? Changes in the corporate structure can affect the naming structure.

Decision Summary

Domain names should be kept simple and should be consistent with the Internet DNS namespace. Both the NetBIOS name and DNS name need to be considered for consistency, manageability, and complexity.

Once implemented, this decision is difficult to change because all computers, applications, and scripts would need to be updated to represent the new name. Also, users are exposed to the domain name at logon and when using domain-related applications. A change to the domain name would be confusing and disruptive.

Important: Run through the decision process to determine the name of every domain in every forest and record the decision in the job aid in the appendix.

Additional Reading

"Naming conventions in Active Directory for computers, domains, sites, and OUs" at http://support.microsoft.com/kb/909264.

"Namespace planning for DNS" at http://www.microsoft.com/windows/windows2000/en/advanced/help/sag_DNS_imp_NamespacePlanning.htm.


Step 4: Select the Forest Root Domain

The first domain deployed in an Active Directory forest is called the forest root domain. This domain remains the forest root domain for the life cycle of the Active Directory deployment. It cannot be changed without redeploying the entire forest.

The forest root domain contains the Enterprise Admins and Schema Admins groups. These administrator groups are used to manage forest-level operations, such as the addition and removal of domains and changes to the schema.

A domain that exists in the design can be selected as the forest root, or a dedicated forest root can be selected. Once the forest root domain has been established, it cannot be changed without rebuilding the forest.

Option 1: Use a Planned Domain

When the domain design for a forest indicates a single domain, then this single domain is the forest root domain. This one domain will host all users, groups, computers, and the forest root groups.

If multiple domains exist in the design, one of the domains can be selected to be the forest root domain in addition to managing the users and resources of the domain. The selected domain will define the forest namespace and will need to be the first domain deployed in the environment. Although it will also manage users and resources, it will always maintain its unique status as the domain containing the Enterprise Admins and Schema Admins groups.

Option 2: Dedicated Forest Root Domain

A dedicated forest root domain, also known as an empty forest root, may be added to the existing domain structure to specifically manage the forest-level functions. When selected, this domain does not contain any user accounts or resources other than the service administrator accounts for the forest root domain, and it does not represent any region in the domain structure. All domains become children of this domain.

A dedicated forest root is generally chosen for the following reasons:

Operational separation of forest service administrators from domain service administrators.

Protection from operational changes in other domains.

Serves as a neutral root so that no region appears to be subordinate to another region.

It should be noted, however, that the forest-level functions are not protected from a rogue administrator manipulating the Active Directory database in such a way as to compromise the integrity and security of the directory. This means that while an empty forest root may separate functional administrative groups, it does not grant any additional security to the forest from rogue administrators.


Evaluating the Characteristics

Cost

Option                 Cost                                                                        Rating
Use a planned domain   No additional costs are required, as a planned domain is being used as      Low
                       the forest root.
Empty root domain      Dedicating an empty root domain to host the forest root will incur extra    High
                       hardware and software costs for the computers to run the domain and
                       maintain its availability.

Validating with the Business

In addition to evaluating the decision in this step against IT-related criteria, the effect of the decision on the business should also be validated. The following question has been known to affect forest root placement decisions:

Are any mergers or acquisitions planned? Changes in the corporate structure could affect the placement of a forest root.

Decision Summary

The identity of the forest root domain has been determined at this point. Either a planned domain has been chosen or a new domain has been added to the design as the forest root.


Step A1: Design the OU Structure

Objects in the directory are organized by using organizational units (OUs). The design for the OUs will have two primary factors: the delegation of the administration of directory objects and the application of Group Policy objects (GPOs). Fundamentally, the OU design should be a reflection of how the objects in the domain are managed.

Changing the OU design is not difficult, but it can be complex since access control lists need to be carefully manipulated. Once delegation and Group Policy have been established, redesigning the OUs to which the configurations have been applied will take time.

Since OUs serve the dual roles of administration delegation and the application of Group Policy, it will be necessary to go through the design process for OUs twice: once for delegation and then a second time with an eye toward Group Policy usage.

Task 1: Design OU Configuration for Delegation of Administration

OUs can be used to delegate the administration of objects, such as users or computers, to a designated group. Although it is possible to delegate permissions to an individual, it is a best practice to use groups because as people change in the organization, it is easier to update membership in the delegation groups than to update the permissions on objects in the directory. Delegation by means of an OU involves the following tasks:

Identify or create administrative groups to which rights will be delegated.

Place the individuals or groups to which rights will be delegated into the OU. Create the OUs over which the administrative groups will have authority.

Assign the object rights to be delegated to the administrative group within each OU.

Create or place the objects to be controlled within the OU.

When identifying the groups to which administrative tasks will be delegated, try to be as specific as possible about the minimum amount of control that is required. For example, if a group needs just the ability to update users' telephone information, the group should not be granted full control.

Task 2: Design OU Configuration for Group Policy Application

OUs can be created to apply Group Policy settings to a specific subset of computers or users. By default, all objects in an OU will receive the settings contained in an applied GPO.

With the OU design complete from a delegation (or operations) perspective, the next step is to revise the OU design to account for any unique circumstances that Group Policy settings may introduce. For example, from a delegation perspective, an OU may be established called "Workstations" to delegate permissions to manage all workstations.

When Group Policy considerations are applied, there may be a need for a desktop OU and a mobile OU to reflect the different policy needs for desktops and notebooks. In this case, these desktop and mobile OUs may be created as sub-OUs inside the Workstations OU, or the Workstations OU may be replaced by these two individual OUs.

Identify groups of users or machines to which a GPO needs to be applied. Then, examine the current OU design for the domain. Re-use existing OUs if possible and create new OUs only if necessary. If new OUs are created to support GPOs, then make sure to review the object delegation in the previous task to ensure that the object administration and operation model is up to date.
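The telephone example in Task 1 is worth seeing as an actual access control entry, because the difference between "update telephone information" and "full control" is one attribute-scoped WriteProperty ACE on the OU. The following PowerShell is an added example, not code from the guide or from Microsoft. It assumes the ActiveDirectory module (which provides the AD: drive used by Get-Acl and Set-Acl), and an OU named OU=Sales,DC=contoso,DC=com with a group named Sales-HelpDesk; both names are placeholders. Attribute and class GUIDs are looked up in the schema at run time rather than hard-coded.

```powershell
# Added example (not from the IPD guide): least-privilege delegation on an OU,
# plus a review helper that finds explicit full-control grants on the same OU.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # Resolve an attribute or class name to its schemaIDGUID from the live schema.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

function Grant-AttributeWriteOnOu {
    # Allow the group to write only the listed attributes on descendant objects
    # of $ObjectClass under the OU; nothing else on the OU's ACL changes.
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupSamAccountName,
        [Parameter(Mandatory)][string[]]$AttributeNames,
        [string]$ObjectClass = 'user'
    )
    $groupSid  = (Get-ADGroup -Identity $GroupSamAccountName).SID
    $classGuid = Get-SchemaGuid -LdapDisplayName $ObjectClass
    $aclPath   = "AD:\$OuDistinguishedName"
    $acl       = Get-Acl -Path $aclPath

    foreach ($attr in $AttributeNames) {
        $attrGuid = Get-SchemaGuid -LdapDisplayName $attr
        # ObjectType = the attribute being written; InheritedObjectType = the
        # class the ACE applies to; Descendents = child objects, not the OU itself.
        $ruleArgs = @(
            $groupSid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $attrGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $classGuid
        )
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $aclPath -AclObject $acl
}

function Get-OuFullControlGrants {
    # Review helper: explicit (non-inherited) Allow ACEs on the OU that carry
    # GenericAll, i.e. the full-control over-delegation this task warns against.
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($genericAll)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
}

$ou = 'OU=Sales,DC=contoso,DC=com'   # placeholder OU
Grant-AttributeWriteOnOu -OuDistinguishedName $ou -GroupSamAccountName 'Sales-HelpDesk' `
    -AttributeNames 'telephoneNumber', 'mobile', 'otherTelephone'
Get-OuFullControlGrants -OuDistinguishedName $ou | Format-Table -AutoSize
```

Because the ACEs are scoped by attribute GUID and by the user class GUID, the help desk group gains nothing on computer, group or OU objects in the same container, and re-running the review helper after any delegation change shows whether someone took the shortcut of granting full control instead.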


    &here are many "ilterin' and tar'etin' o$tions "or Mrou$ Policy a$$lication. Security"ilterin'# Windows (ana'ement =nstrumentation +W(=, "ilterin'# and Mrou$ Policy$re"erence tar'etin' can all be used to tar'et which ob5ects receive which MPs. Esethese techni*ues as a last resort in lieu o" usin' the de"ault Mrou$ Policy a$$lication and$recedence. !iltered Mrou$ Policy security is very di""icult to troubleshoot and mana'eand can cause a sli'ht $er"ormance de'radation "or client lo'ons.

    Decision Summary&he E structure needs to be de"ined "or each domain in the desi'n. At the end o" thisdecision# the E desi'n should have identi"ied the "ollowin'

    Es to be created# based on one o" two desi'n criteria dele'ation o" administrationor Mrou$ Policy a$$lication.

    Which ob5ects need to be located in each E.

    Administration +Dele'ation, 'rou$s to be created and ma$$ed to Es.

    b5ect ri'hts to be 'ranted to each 'rou$ in each E.

    Which MPs need to be created and to which Es they should be lin-ed.

    Additional ,eadingBest Practice Active Directory Design for Managing Windos Netor!sathtt$%%www.microso"t.com%technet%$rodtechnol%windows2000serv%technolo'ies%activedirectory%$lan%b$adds'n.ms$/.


Step B1: Determine Domain Controller Placement

Typically, a network topology will have a few physical locations (large campuses or office buildings and data centers) that are considered hubs, in which there are concentrations of users, computers, or network connectivity. These hubs may connect to a number of smaller satellite locations, such as branch or home offices, to which the hubs provide network or computing resources. Satellite locations typically do not provide services to other satellite offices.

In this step, decide where domain controller resources will be placed for each domain in each forest. Step B2 will address how many domain controllers to place in each location for each domain.

In order to reduce cost and complexity and to increase manageability, it is better to place domain controllers in as few locations as possible and where they will have the best utilization and highest value impact for the organization.

One additional consideration is that each domain should have a domain controller in at least two geographically dispersed locations to allow for business continuity in the event that one location experiences a catastrophic event.

All domain controllers need to be physically secured. If physical security is not available at a location, a full domain controller should not be placed at that location; however, a read-only domain controller could be placed in a location where physical security is a concern. See "Task 2: Determine Type of Domain Controller Placed in Location" in the next section, "Determine the Number of Domain Controllers."

The decision about domain controller placement can be changed easily at any time.

Task 1: Hub Locations

Hub locations provide computing and networking services to many users within the organization. Hub locations may provide these resources to users in the hub, as well as to one or more satellite locations.

Since hub locations are a central point, they are ideal candidates for having the highest value impact. A hub may be the aggregation point for several satellite locations, so having the hub host the domain controller is less expensive than having each individual location host its own domain controller.

Determine which hub locations will host domain controllers for which domains and record the decisions in the job aid.

Task 2: Satellite Locations

Satellite locations are connected to the overall network through hubs. In most cases, a satellite location has fewer users and computers than a hub. The clients in a satellite location can use resources locally, can use resources in the hub, or can use the hub to access network resources located in other parts of the network. Several considerations can indicate the need to place a domain controller in a satellite site.

Domain controllers need to be managed. Place a domain controller in a particular location only if the domain controller can be managed locally or managed remotely by use of a secure connection.

Communication with a domain controller is essential to authentication when accessing network resources. Therefore, if the WAN link from the satellite office to the hub is unreliable and cannot be cost-effectively upgraded, consider placing a domain controller in the satellite office to accommodate client authentication.


    Another "actor "or considerin' the $lacement o" a domain controller in a satellite o""ice iswhether WA9 lin- bandwidth is available "or both routine networ- tra""ic andauthentication. =n some cases# satellite;o""ice networ- tra""ic over a WA9 lin- mi'ht needto use the ma5ority o" the available bandwidth "or an a$$lication or service. =n that case# alocal domain controller in the satellite o""ice mi'ht be necessary.

    Another consideration "or $lacin' a domain controller in a satellite o""ice is to

    accommodate services and resources that mi'ht reside in the satellite o""ice. Servicessuch as D9S and Distributed !ile System +D!S,# as well as resources such as mail anddatabases# could bene"it "rom havin' a domain controller on the same networ- instead o"havin' to cross a WA9 lin- "or authentication and mana'ement o" the directory.

    Site autonomy is sometimes a reason "or $lacin' domain controllers in a location. !ore/am$le# i" a com$any has a manu"acturin' "acility in a remote location and thee*ui$ment on the manu"acturin' line re*uires authentication to wor-# then $lacin' adomain controller in this satellite location allows manu"acturin' to continue re'ardless o"whether or not the WA9 is available.

    Determine which satellite locations will host domain controllers "or which domains# andrecord the decisions in the 5ob aid.

    +alidating $ith the #usiness=n addition to evaluatin' the decision in this ste$ a'ainst =&;related criteria# the e""ect o"the decision on the business should also be validated. &he "ollowin' *uestion has been-nown to a""ect domain controller $lacement decisions

    Are there any users $ho tra!el fre5uently to satellite locations and $ho re5uirehigh/performance logon and directory ser!ices in those locationsA domainmay be re*uired in some satellite locations to $rovide a local e/$erience "or travelin'users.

    Tasks and %onsiderationsWhen $lacin' domain controllers in hubs and satellites# it may be necessary to controlwhich domain controllers re'ister site location records within D9S. !or e/am$le# i" a

    domain controller "ails in a satellite site# the clients should contact a domain controller inthe nearest hub rather than a domain controller located in another satellite site. &his is$articularly true i" the WA9 lin- between the two is not reliable. =denti"y i" this is a concern"or the $lanned environment. Additional in"ormation can be "ound in the JAdditionaleadin'L section.

    Decision SummaryPlace domain controllers in hub and satellite locations when a$$ro$riate. (ost hublocations re*uire one or more domain controllers. Satellite o""ices mi'ht re*uire a domaincontroller de$endin' on WA9 lin- characteristics# number o" clients# and resources.

    emember to re$eat this decision $rocess "or every domain in every "orest.

    Additional ,eadingJPlannin' Domain 3ontroller PlacementL athtt$%%technet2.microso"t.com%windowsserver%en%library%c08BCH1F;C1FF;C"81;8HCa;acd12GF"8cFd10BB.ms$/Km"rOtrue.

    J4ow Domain 3ontrollers are 6ocated in WindowsL athtt$%%su$$ort.microso"t.com%-b%2CG811%

    J4ow to o$timi>e the location o" a domain controller or 'lobal catalo' that resides outsideo" a clients siteL at htt$%%su$$ort.microso"t.com%KidOB0FF02


Step B2: Determine the Number of Domain Controllers

A previous section of this guide addressed the need to determine the physical placement of domain controllers. A related decision is to determine the number of domain controllers for each location.

There are many deciding factors around how many domain controllers to have for each domain. Decisions are based on performance of authentications, access to resources, replication, and cost.

Task 1: Determine Number of Domain Controllers

For each domain in each location identified in Step B1, the minimum number of domain controllers required needs to be identified. The table below describes the minimum number of domain controllers required, based on number of users.

Table 3. Minimum Number of Domain Controllers

Users per domain in a site    Minimum number of domain controllers required per domain in a site
1-499                         One single processor
500-999                       One dual processor
1,000-2,999                   Two dual processor
3,000-10,000                  Two quad processor

For workloads greater than 10,000 users in a site, additional testing should be performed with user workloads to determine the need for additional hardware. Previous guidance stated an extra quad-processor system for every additional 5,000 users. However, for authentication-only workloads, this will be overkill for most environments.

If only one domain controller per location exists, consideration should be made for the need to span the WAN to communicate with a domain controller for authentication and access to resources in the event of failure of the local domain controller.

All domain controllers within a domain must be fully aware of all information related to the domain. This is handled by replication of the Active Directory database between domain controllers. This replication occurs within Active Directory sites and across site boundaries. If the number of replication partners in a given site reaches 15 or more, an additional domain controller should be added to the site. Another domain controller should be added for each additional 15 replication partners.

Review all applications that rely on Active Directory data. Some applications, such as Exchange Server, require additional domain controllers in order to function correctly. Evaluate the need for additional domain controllers based on the expected loads and requirements of the applications.


Task 2: Determine Type of Domain Controller Placed in Location

For each domain controller identified, determine whether that domain controller will be a writable or a read-only domain controller (RODC). The full domain controller should only be placed in locations where the physical security of the domain controller can be ensured.

The primary reason to use an RODC is for locations with poor physical security. Since the RODC is read-only, nothing on the RODC can be changed and replicated back to the writable domain controllers. RODCs require upstream access to a full domain controller for authentication purposes. By default, none of the hashes for passwords are replicated to the RODC. The RODC forwards the request for logon to a writable domain controller. It's possible to configure the environment so that the full domain controller replicates the requested hash back to the RODC for caching. It should be noted that if this occurs and the RODC is compromised, only the hashes replicated to the RODC need to be reset.

The functionality provided by the RODC may be affected if the WAN is down or a full domain controller is not available to service requests from the RODC.

Determine which domain controllers will be writable and which will be read-only, and record the decisions in the job aid.

Decision Summary

A minimum of two domain controllers is needed to provide fault tolerance for a domain. Based on previously described business requirements, domain controllers can be placed in physical locations to provide local authentication. Additional domain controllers may be required based on user authentication and application requirements. The use of RODC servers can increase security dramatically and also can increase performance. The cost for adding these servers in the correct scenarios is minimal and should be considered.

The decision to add or remove domain controllers can be changed at any time.

Additional Reading

"Windows 2000 Active Directory Sizer Tool" at http://www.microsoft.com/technet/prodtechnol/windows2000serv/downloads/w2kadst.mspx
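The statement in Task 2 that only the hashes replicated to a compromised RODC need to be reset is only actionable if that set is known in advance, and it is only safe if privileged accounts are never in it. The following PowerShell is an added example, not code from the guide or from Microsoft. It assumes the ActiveDirectory module and a domain containing at least one RODC; it lists each RODC's allowed and denied password replication principals and the accounts whose secrets are actually cached, flagging any with adminCount set to 1 (the marker placed on protected accounts by AdminSDHolder).

```powershell
# Added example (not from the IPD guide): audit the password replication
# policy and the currently cached secrets of every RODC in a domain.
Import-Module ActiveDirectory

function Get-DomainRodcs {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    Get-ADDomainController -Filter * -Server $Domain | Where-Object { $_.IsReadOnly }
}

function Get-RodcPolicySummary {
    # Who is allowed and who is denied caching on each RODC.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    foreach ($rodc in (Get-DomainRodcs -Domain $Domain)) {
        $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed -Server $Domain
        $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  -Server $Domain
        [pscustomobject]@{
            RODC    = $rodc.HostName
            Site    = $rodc.Site
            Allowed = ($allowed | Select-Object -ExpandProperty Name) -join ', '
            Denied  = ($denied  | Select-Object -ExpandProperty Name) -join ', '
        }
    }
}

function Get-RodcRevealedAccounts {
    # Accounts whose secrets are cached on each RODC right now. This is the set
    # whose passwords must be reset if that RODC is lost or compromised.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    foreach ($rodc in (Get-DomainRodcs -Domain $Domain)) {
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc `
                        -RevealedAccounts -Server $Domain
        foreach ($acct in $revealed) {
            $obj = Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount -Server $Domain
            [pscustomobject]@{
                RODC       = $rodc.HostName
                Account    = $acct.SamAccountName
                Class      = $acct.ObjectClass
                Privileged = ($obj.adminCount -eq 1)
            }
        }
    }
}

# Privileged accounts should never be cached on an RODC; the built-in
# "Denied RODC Password Replication Group" exists to prevent exactly that.
Get-RodcPolicySummary | Format-List
Get-RodcRevealedAccounts | Where-Object { $_.Privileged } | Format-Table -AutoSize
```

The revealed list normally contains the RODC's own computer account and its dedicated krbtgt account alongside the branch users; any account that shows Privileged set to true indicates that a protected account authenticated through the RODC while the policy allowed caching, which is the condition to correct before the RODC's physical security is relied on.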


Step B3: Determine Global Catalog Placement

Global catalog services facilitate the lookup of information in all domains in the forest, specifically in domains outside of the current domain. The catalog is a subset of information from each domain that is replicated to every global catalog server in the forest. Applications such as Exchange Server rely heavily on the global catalog for relevant information. The global catalog is also used during the logon process to enumerate universal group memberships.

All global catalog services physically reside on one or more domain controllers. There is no way to separate global catalog functionality from a domain controller.

The decision needs to be made as to which domain controllers in the forest will host global catalog services.

Task 1: Determine Global Catalog Locations and Counts

If a forest consists of only one domain, then all domain controllers should be configured as global catalog servers. The subset of data that would be replicated to all global catalogs will already be replicated through the normal domain replication process. There will be no additional requirements for disk space usage, CPU usage, or replication traffic.

If a forest contains multiple domains, then typically each domain controller should not be a global catalog server because of the increase in storage requirements and the additional replication overhead.

In a multi-domain forest environment, a subset of the domain controllers in the environment will be configured to run as global catalog servers. Because all global catalogs replicate a subset of all objects in each domain, placement of the global catalog needs to be carefully considered with respect to the increased bandwidth overhead introduced by the additional traffic. In addition, there are increased hardware requirements for storing global catalog data. Figure 3 illustrates the decision tree flow for deciding where to place global catalogs in the environment.


[Figure 3. Decision tree flow for placement of global catalog servers in the environment]

Are There Any Applications That Need a Global Catalog Server Running at the Location?

Certain applications, such as Exchange Server, Microsoft Message Queuing (MSMQ), and applications that use distributed COM (DCOM), rely heavily on global catalog servers. These applications tend to perform better when they have a local global catalog available to improve query times.

There may be some application restrictions around whether an RODC can be used as a global catalog. Exchange Server does not support global catalogs running on an RODC; however, Microsoft Outlook messaging and collaboration clients can use an RODC global catalog for Address Book lookups.

Is the Number of Users at the Location Greater Than 100?

Global catalog servers should be placed at any location that has more than 100 users in order to reduce WAN traffic and to prevent productivity loss in case of WAN link failures.


    Is the )A% in+ 199 Percent A!ailable3onsider $lacin' a 'lobal catalo' server in a location in which the WA9 lin- is notsu""iciently reliable to ensure user authentication# or else con"i'ure universal 'rou$membershi$ cachin'.

    Do any -oaming &sers )or+ at the ocationoamin' users need to contact a 'lobal catalo' server whenever they lo' on "or the "irsttime at any location. &here"ore# a 'lobal catalo' server should be $laced at locations thatinclude many roamin' users. "ten# too many lo'ons over the WA9 lin- can causesi'ni"icant WA9 tra""ic and cause $er"ormance de'radation and $roduction loss.

    Can Universal Group Membership Caching Suffice?

    Universal group membership caching is an option for locations that include fewer than 100 users and do not include many roaming users or applications that require a global catalog server. Universal group membership caching can be enabled on domain controllers that are running Windows Server 2003 or Windows Server 2008.

    When a user logs on to the network, the global catalog server is contacted to enumerate universal group membership for that user. Over slow links, this process can take a significant amount of time or, in the event of a failure to contact the global catalog server, can result in the logon being denied. Universal group membership caching can be used to address this problem. Universal group membership caching is available by default on domain controllers that are running Windows Server 2003 or Windows Server 2008. The feature must be enabled on a per-site basis.

    How Many Global Catalogs?

    Once it has been determined that global catalog servers are required in a location, the next question is how many global catalog servers are required. In most cases, one or two global catalog servers will suffice in each location. Application requirements, such as Exchange Server requirements, may increase the number of global catalog servers required.

    Record which domain controllers will be configured as global catalogs.

    Validating with the Business

    In addition to evaluating the decision in this step against IT-related criteria, the effect of the decision on the business should also be validated. The following question has been known to affect global catalog placement decisions:

    Are there any users who travel frequently to satellite locations and who require high-performance logon and directory services in those locations? A global catalog server may be required in some satellite locations to provide a local experience for traveling users.


    Step B4: Determine Operations Master Role Placement

    The next step is to decide the placement of the operations master roles (also known as FSMOs) for the forest and each domain. Although each domain controller within Active Directory can authenticate accounts and write to the directory database, some functions are dedicated to a single domain controller. FSMO roles exist on designated domain controllers and control specific functions of the domain and forest.

    There are three FSMO roles for each domain:

    PDC emulator operations master. This role processes all replication requests from Windows NT 4.0 backup domain controllers (BDCs) and processes all password updates for clients that are not running Active Directory client software. This is also the default domain controller used for updating Group Policy.

    Relative ID (RID) operations master. This role allocates RIDs to all domain controllers in order to ensure that all security principals have a unique security ID (SID).

    Infrastructure operations master. This role maintains a list of the security principals from other domains that have membership in groups within the operations master's domain.

    There are also two operations master roles for each forest:

    Schema operations master. This role allows changes to the schema.

    Domain naming operations master. This role is responsible for additions and removal of domains, sites, and domain-based DFS configurations to and from the forest.

    As a general guideline, keep the operations roles on as few domain controllers as possible to simplify tracking the role locations. If the load on the operations master justifies a move, place the RID and PDC emulator roles on separate domain controllers in the same site. The domain controllers should be direct replication partners.

    In general, the infrastructure master should never be placed on a global catalog server. If an infrastructure master is placed on a global catalog server, it will not correctly identify outdated security principals from other domains. The exception is in domains in which all domain controllers are global catalog servers or in a single-domain forest. In these cases, the infrastructure master has all the information it needs.

    The schema and domain naming masters are rarely used and should be tightly controlled; keep them together on the same domain controller that hosts the global catalog. Certain operations, such as creating grand-child domains, use the domain naming master and will fail if the role is not on a global catalog server.

    Place these domain controllers in a location that has the most users for that domain and that has a highly reliable network. Operations master role placement can be modified easily.

    All FSMO roles should be placed on domain controllers that are readily available to all other domain controllers in the environment. Domain controllers that are unable to communicate with the domain controllers hosting the FSMOs can experience failures.


    Task 1: FSMO Placement

    In a single domain forest, leave the five roles on a single server. There is no benefit to separating the roles.

    In the forest root domain of multi-domain forests, leave all the operations master roles on the same domain controller, provided that all domain controllers in the forest root domain are also global catalog servers. There is no benefit to separating the roles.

    If some of the forest root domain controllers are not configured as global catalog servers, then move the infrastructure master role to a domain controller that is not a global catalog server and ensure that the server is never configured as such. The infrastructure master role should not reside on a global catalog server unless all domain controllers in the domain are global catalog servers.

    In all other domains, the three domain-specific operations master roles can reside on the first domain controller for that domain. Do not place the infrastructure master role on a domain controller that is also a global catalog server.
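    The placement rules of this step, as an added design-review check that is not part of the guide: it encodes the infrastructure master, RID/PDC emulator, and schema/domain naming rules stated above and runs them over a constructed two-domain forest (domain, site and DC names are hypothetical).

```python
from dataclasses import dataclass

# Roles from the guide: three per domain, two forest-wide (held in the forest root domain).
DOMAIN_ROLES = ("pdc_emulator", "rid_master", "infrastructure_master")
FOREST_ROLES = ("schema_master", "domain_naming_master")


@dataclass
class DomainController:
    name: str
    site: str
    is_gc: bool


@dataclass
class Domain:
    name: str
    dcs: list    # DomainController objects
    roles: dict  # role name -> name of the DC holding it


@dataclass
class Forest:
    root: str     # name of the forest root domain
    domains: list  # Domain objects


def check_fsmo_placement(forest):
    """Return the guide's placement rules that this design violates (empty list = clean)."""
    findings = []
    single_domain = len(forest.domains) == 1
    for dom in forest.domains:
        by_name = {dc.name: dc for dc in dom.dcs}
        expected = DOMAIN_ROLES + (FOREST_ROLES if dom.name == forest.root else ())
        missing = [r for r in expected if dom.roles.get(r) not in by_name]
        if missing:
            findings.append(f"{dom.name}: no valid holder for {', '.join(missing)}")
            continue
        holder = {r: by_name[dom.roles[r]] for r in expected}
        all_gc = all(dc.is_gc for dc in dom.dcs)
        # Infrastructure master on a GC is only acceptable when every DC is a GC
        # or the forest has a single domain.
        im = holder["infrastructure_master"]
        if im.is_gc and not (all_gc or single_domain):
            findings.append(f"{dom.name}: infrastructure master {im.name} is a GC while other DCs are not")
        # If RID master and PDC emulator are split, they must stay in the same site.
        rid, pdc = holder["rid_master"], holder["pdc_emulator"]
        if rid.name != pdc.name and rid.site != pdc.site:
            findings.append(f"{dom.name}: RID master {rid.name} and PDC emulator {pdc.name} are in different sites")
        if dom.name == forest.root:
            schema, naming = holder["schema_master"], holder["domain_naming_master"]
            if schema.name != naming.name:
                findings.append(f"{dom.name}: schema master and domain naming master are on different DCs")
            if not naming.is_gc:
                findings.append(f"{dom.name}: domain naming master {naming.name} is not a GC")
    return findings


def example_forest(move_infrastructure_master):
    """Constructed two-domain forest (hypothetical names). With the flag off, the root domain
    keeps all five roles on a GC although a second, non-GC DC exists: the case the guide says
    to fix by moving the infrastructure master to a non-GC domain controller."""
    root_dcs = [DomainController("DC1", "HQ", is_gc=True), DomainController("DC2", "HQ", is_gc=False)]
    root_roles = dict.fromkeys(DOMAIN_ROLES + FOREST_ROLES, "DC1")
    if move_infrastructure_master:
        root_roles["infrastructure_master"] = "DC2"
    child_dcs = [DomainController("DC3", "Branch", is_gc=True)]
    child_roles = dict.fromkeys(DOMAIN_ROLES, "DC3")  # every DC in this domain is a GC
    return Forest("corp.example", [Domain("corp.example", root_dcs, root_roles),
                                   Domain("emea.corp.example", child_dcs, child_roles)])


if __name__ == "__main__":
    for flag in (False, True):
        print("fixed:" if flag else "as built:", check_fsmo_placement(example_forest(flag)) or ["no findings"])
```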

    Decision Summary

    FSMOs should be placed strategically to ensure the complete and proper functioning of all directory services, from both an authentication and a management standpoint. FSMO server placement must be decided for five roles in the root domain and three roles for all other domains in the forest. This process must be completed for every forest.

    Tasks and Considerations

    For each operations master role, designate a standby domain controller that can host the role. The standby operations master domain controller should be a direct replication partner of the actual operations master role holder so that the standby can assume the role in the event the actual role holder fails. The new FSMO role holder will then have the most up-to-date information regarding Active Directory.

    Additional Reading

    "FSMO placement and optimization on Active Directory domain controllers" at http://support.microsoft.com/kb/223346

    "Windows 2000 Active Directory FSMO roles" at http://support.microsoft.com/kb/197132

    "How to view and transfer FSMO roles in Windows Server 2003" at http://support.microsoft.com/kb/324801


    Step C1: Create the Site Design

    The site design is the mapping of the physical network to the logical site construct within Active Directory. A site within Active Directory is a logical collection of one or more well-connected TCP/IP subnets. Sites are used to control directory replication by setting a schedule for inter-site replication. Sites also are used to direct client systems to network resources that are Active Directory-aware, and thus can be logically placed closest to these resources.

    The following decisions need to be made:

    Should a physical location be directly correlated to a site?

    Can a physical location be grouped with other locations into a site?

    Once the sites have been identified, the final task will be to map the TCP/IP subnets represented in a specific location to the corresponding site. The site design can be changed later if necessary.

    Task 1: Create a Site for the Location

    A site should be defined for any physical location in which domain controllers are being placed, as well as any physical location that contains resources or services that rely on site topology information to direct the client to the nearest requested resource.

    For example, if numerous physical locations need to access file resources, these resources can be configured within a Distributed File System (DFS) environment. After placing the DFS servers that contain the resources in the physical locations, a site can be configured for each location. When a client accesses the DFS-based resource, the local DFS resource will be accessed, reducing WAN traffic and increasing performance for the resource access.

    Finally, sites can be created to control which domain controllers handle authentication traffic for applications that have extremely high authentication requirements. Large Microsoft SharePoint portal environments can generate significant domain controller/global catalog traffic. By creating a site specifically for the SharePoint servers and assigning specific domain controller/global catalogs to the site, administrators can control the authentication traffic of the portal solution.

    For each site identified, record the site name and the IP subnets that are assigned to that site.


    Task 2: Associate Location to Nearest Defined Site

    For any remaining physical locations that have not been associated with a site within Active Directory, associate the subnets in that location to an existing site. The site selected should include a location that has the greatest WAN speed and available bandwidth to the location being configured. This approach will help direct client traffic generated within the location to the site having the greatest capacity to handle the additional traffic.

    Record the assignment of the additional subnet information to the selected site.

    Decision Summary

    Each physical location should be examined and a decision should be made as to whether the location should be a new site within the directory or should be associated to another site. The subnets within each location should be assigned to the site in which they belong. Each domain controller should also be assigned to the proper site.

    The site design needs to be completed for each forest.

    Additional Reading

    "Best Practices for Active Directory Design and Deployment" at http://www.microsoft.com/technet/community/columns/profwin/pw0302.mspx


    Step C2: Create the Site Link Design

    Site links are used to connect the defined sites in Active Directory. The site links reflect the inter-site connectivity and method used to transfer replication traffic. All sites must be connected with site links if the domain controllers at each site are to replicate. By default, all sites belong to the default-first-site-link, with replication scheduled to occur every 180 minutes, each day of the week.

    Site links can be created at any time and sites can be added or removed easily. However, there could be an impact on replication because of latency issues when reconfiguring sites, site links, and the scheduling associated with the site links.

    Task 1: Determine the Site Link Design

    Active Directory automatically creates the default-first-site-link. When all sites in the design are connected and have the same connectivity and availability to one another, a single site link can be used to represent the links between the sites. This full mesh design assumes that all sites are well connected and that there is no need to design specific links between sites. This approach simplifies the design by eliminating the need to design site links, as well as automatically configuring the site link structure. Since the connectivity and availability of the links are identical, the replication schedule, interval, and cost will be configured identically. This choice is only useful when all of the sites are connected by WAN connections with identical available bandwidth and latency.

    If sites are connected with physical network links that have different costs of usage, availability, speed, or available bandwidth, there may be a need for different replication schedules. A new site link would need to be created to account for these differences.

    Site links use a cost algorithm to influence which path replication traffic will use to flow between sites. A preferred connection would be configured at a lower cost than a less-preferred connection. The replication system uses the link with the lowest cost. If there is a dollar cost to using a link, the link might be assigned a higher cost value as well.

    The replication of traffic across the link is controlled by the availability schedule and how frequently the link is set to replicate. For example, a link can be configured to replicate every 30 minutes during the hours of 2:00 A.M. to 4:00 A.M., Monday through Friday.

    Site scheduling can specify intervals as brief as every 15 minutes, ranges from any time of the 24-hour clock, and any combination of days of the week.

    When assigning the replication schedules and intervals, care should be taken to ensure that any replication goals required by the organization are met. Replication goals can be defined such that all changes are recorded in a set period of time for the following:

    Configuration and schema convergence. Any changes to configuration or schema are replicated to all domain controllers in the forest.

    Domain convergence. All domain changes are replicated to all domain controllers in the domain.

    Global catalog convergence. All global catalog changes are replicated to all global catalogs in the forest.

    Application partition convergence. All application partition changes are replicated to all domain controllers hosting the affected application partition.

    When defining the replication schedules and intervals, ensure that all replication goals are met for worst case scenarios. That is, can a change originating in one site replicate within the time frame to the site that is the greatest number of hops away from the originating site? If it is not possible to meet the goal, then the interval and schedule need to be updated or the goal needs to be redefined.


    Consider a topology that consists of five sites (A-F), consisting of a single forest with four domains. The sites are connected to one another through direct site links with the replication schedule configured for 24 hours and the interval set at the default of 3 hours. For the purposes of this example, there are two replication goals: one for schema and configuration convergence to be completed in 6 hours and one for global catalog convergence in 4 hours.

    Figure 8. Configuration and schema convergence

    Because of the number of hops involved, it is not possible for a change introduced in site E or F to converge at site C within 6 hours; it would take a minimum of 9 hours (3 hops). Either the replication goal would need to be updated or the interval would need to be set to another value.

    Figure 9. Global catalog convergence


    In the example of global catalog convergence, there are four global catalog servers in sites A, B, D, and E. If a change is introduced in site D, then all sites will be updated within the 4-hour replication goal. However, if the change is introduced in sites A, B, or E, then it will not be possible to meet the goal of 4 hours as it will take a minimum of 6 hours (2 hops) to reach all sites. Again, the replication goals would need to be updated or the interval time frame changed on the site links.
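    The worst-case check described above, as an added example that is not part of the guide: a breadth-first hop count over a site-link topology constructed to reproduce the hop counts stated for figures 8 and 9 (the figures are not reproduced here, so the adjacency is an assumption), plus the largest interval at which each goal would hold. Hop distance is symmetric, so site C misses the 6-hour goal along with E and F.

```python
from collections import deque

# Site-link topology constructed to match the hop counts the guide states for figures 8 and 9;
# the figures themselves are not reproduced here, so this adjacency is an assumption.
SITE_LINKS = {
    "A": {"C", "D"},
    "B": {"C", "D"},
    "C": {"A", "B"},
    "D": {"A", "B", "E", "F"},
    "E": {"D"},
    "F": {"D"},
}
GC_SITES = {"A", "B", "D", "E"}  # sites holding a global catalog server in the example
INTERVAL_HOURS = 3                # the default 180-minute site link interval


def hops_from(origin, links):
    """Breadth-first search: fewest site-link hops from origin to every reachable site."""
    dist = {origin: 0}
    queue = deque([origin])
    while queue:
        site = queue.popleft()
        for nxt in links[site]:
            if nxt not in dist:
                dist[nxt] = dist[site] + 1
                queue.append(nxt)
    return dist


def worst_case_convergence(origin, targets, links, interval_hours):
    """(hours, hops) until a change made at origin has reached every site in targets,
    counting one interval per hop and assuming the link schedule is open 24 hours."""
    dist = hops_from(origin, links)
    unreachable = sorted(t for t in targets if t not in dist)
    if unreachable:  # a disconnected site: the KCC would report this as an error
        raise ValueError(f"no site-link path from {origin} to {unreachable}")
    hops = max(dist[t] for t in targets)
    return hops * interval_hours, hops


def check_goal(goal_hours, targets, links=SITE_LINKS, interval_hours=INTERVAL_HOURS):
    """Map each origin site in targets that misses the goal to its (hours, hops)."""
    failures = {}
    for origin in sorted(targets):
        hours, hops = worst_case_convergence(origin, targets, links, interval_hours)
        if hours > goal_hours:
            failures[origin] = (hours, hops)
    return failures


def max_interval_minutes(goal_hours, targets, links=SITE_LINKS):
    """Largest interval, rounded down to the 15-minute steps site links accept, at which a
    change from any target site still meets the goal: the 'set the interval to another value' fix."""
    worst_hops = max(worst_case_convergence(o, targets, links, 1)[1] for o in targets)
    return (goal_hours * 60 // worst_hops) // 15 * 15


if __name__ == "__main__":
    print("schema/config, 6 h goal, failing origins:", check_goal(6, set(SITE_LINKS)))
    print("global catalog, 4 h goal, failing origins:", check_goal(4, GC_SITES))
    print("interval meeting both goals:",
          min(max_interval_minutes(6, set(SITE_LINKS)), max_interval_minutes(4, GC_SITES)), "min")
```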

    Associate all sites with similar links to the new link and remove the sites from the default-first-site-link.

    For each site link identified, record the name of the site link, the cost associated with using the link, and the link's replication schedule and interval. For each site, record the link that is used to connect it to other sites. A site may have multiple site links associated with it.

    Decision Summary

    Links between all sites should be defined through the use of one or more site links. If any sites are disconnected from the others, the Knowledge Consistency Checker (KCC) will generate an error message. The site links control the replication of the directory database between domain controllers in different sites and, if multiple paths are available, control which path is preferred.

    The site link design can be changed. However, changing the site links may have an impact on the performance of directory changes until all updates converge.

    Additional Reading

    "Creating a Site Link Bridge Design" at http://technet2.microsoft.com/windowsserver/en/library/5d05f4ed-a9ec-4dac-b9a8-8527b6c8e0da1033.mspx?mfr=true


    Step C3: Create the Site Link Bridge Design

    A site link bridge enables transitivity between site links. Each site link in a bridge needs to have a site in common in order for replication to flow correctly across the bridge. The site link bridge design can be changed, but it should be done carefully to ensure that the replication of Active Directory is not compromised or stopped.

    Option 1: Default Behavior

    If the network is fully routed and there is no need to control the Active Directory replication flow, then leave the transitivity enabled for all site links by leaving the Bridge All Site Links option enabled. This is the default state.

    By allowing all transitivity across all sites, any domain controller in a site can create a direct replication partner with another domain controller in another site. This simplifies replication in that there is no need to restrict or define which sites a domain controller can use to search for replication partners.

    This may become an issue with larger implementations that are based on a hub-and-spoke model. By bridging all site links, there is no control over which domain controller is considered part of the hub site when it comes to replication.

    Option 2: Custom Site Link Bridge

    If a network is not fully routed, disable the Bridge All Site Links option for the IP transport and configure site link bridges to map to the physical network connections.

    Additionally, if the IP network is fully routed but there are too many routes that the KCC should not consider, creating a custom site link bridge topology and disabling the automatic transitivity of site links will eliminate confusion. The KCC, by default, will consider all possible connections and bridges for replication.

    Site link bridges can also be used to control the replication flow of Active Directory. The two most common reasons for creating site link bridges are to control replication for failover of a hub-and-spoke network design and to control replication through a firewall. If Active Directory replication flow is to be controlled through the design of site link bridges, then disable the Bridge All Site Links option for the IP transport.

    By configuring two site link bridges for replication of Active Directory between two sites, replication will succeed even if one link fails. This is necessary because disabling Bridge All Site Links will prevent the KCC and Intersite Topology Generator (ISTG) from helping with the bridging of site links in the case of a failure of any aspect of the topology.

    If replication traffic passes through a firewall and the firewall is configured to allow connections from specific domain controllers, then site link bridges need to be configured to match this environment. A site link bridge is created for each side of the firewall, and the site links connecting each site are associated to the site link bridge on the link's side of the firewall. The site link that connects the two sites through the firewall will not be placed in a bridge. If a domain controller that is allowed to communicate through the firewall fails, its replication partners will attempt to set up new replication partners only with domain controllers in sites that are part of the bridge.

    It should be noted that the robustness of Active Directory replication can be reduced by the choices being made. For example, if all domain controllers in the hub of a hub-and-spoke design fail, then the satellite sites will become disconnected from the replication topology because all their potential partners have been removed from the network.


    Likewise, if the domain controllers that can communicate across the firewall fail, then replication will update only those changes that are made on either side of the firewall. Modifications will not cross the firewall until the failed domain controllers are brought back online.

    Evaluating the Characteristics

    Complexity

    Default site link bridge: Using the default configuration means a less complex implementation. Rating: Low

    Custom site link bridge: Customizing the configuration increases the complex