Before Designing a Domain, You Should:
- Identify Administrative Strategy
- Identify Security Needs
- Plan for Growth and Flexibility
[Figure: the first domain in Active Directory, nwtraders.msft, containing several organizational units (OUs).]
Deciding Which Security Group to Use
Planning for Nested Groups
Design Guidelines
Group scope          Members                                  Use for
Universal Group      Members from any domain in the forest    domain
Global Group         Members from own domain only             domain
Domain Local Group   Members from any domain in the forest

[Figure: example group, Northeast Managers.]
[Figure: example hierarchy for nwtraders.msft. Root Domain; First Level: North America, Asia; Second Level: Mexico, Canada, Japan, China; Third Level: Sales, HR, Mfg, IT (HR appears under several second-level units).]
Design Guidelines
When Designing the OU Structure:
- Choose Stable Upper-Level OU Names That Are Meaningful to Administrators
- Create Lower-Level OUs to Support Group Policy
- Test the OU Structure and Make Changes Based on Evaluation
[Figure: Kerberos authentication across the trust between contoso.msft and nwtraders.msft. A client in marketing.contoso.msft obtains a session ticket for a server in sales.nwtraders.msft; labels: Client, KDC, KDC Server, Session Ticket, steps 1 to 4.]
[Figure: a forest with two trees (Tree One, Tree Two). Labels: Forest Root Domain, Tree Root Domain, Domain 1, Domain 2, Domain A, Domain C; a Shortcut Trust drawn between two trusting domains.]
The Global Catalog and the Logon Process
Creating a Global Catalog Server
[Figure: universal group membership stored on a global catalog (GC) server.]

. . . And Replicated to All Global Catalog Servers in the Forest

Reduce Replication Traffic by Minimizing:
- The use of universal groups, to limit replication to a domain
- The membership in universal groups, by nesting other groups rather than user accounts
- Changes to the membership, to reduce the replication frequency

ADVANTAGE PRO, Chennai's Premier Networking Training Centre
Planning for Nested Groups:
1. Nest Global Groups (optional)
2. Add Global Groups from Each Domain into Universal Groups
3. Add Universal Groups into Domain Local Groups in Each Domain
4. Assign Permissions to the Domain Local Group (DLG) in Each Domain

[Figure: several Global Groups feeding one Universal Group, which is a member of a Domain Local Group (DLG) that holds the Permissions.]
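The nesting steps above, together with the replication advice on the previous slide (universal groups should contain groups, not user accounts), as an added PowerShell example that is not part of the original training material. It assumes the ActiveDirectory module, a lab forest with the domains nwtraders.msft and contoso.msft, and constructed OU and group names.

```powershell
# Added example (not from the original slides). Assumes the ActiveDirectory
# module and a lab forest with domains nwtraders.msft (root) and contoso.msft;
# OU paths and group names below are constructed for the demonstration.
Import-Module ActiveDirectory

# Steps 1-2: one global group per domain; user accounts go here, never
# directly into the universal group.
$globals = @(
    @{ Name = 'GG-Sales-Nwtraders'; Server = 'nwtraders.msft'; Path = 'OU=Sales,DC=nwtraders,DC=msft' },
    @{ Name = 'GG-Sales-Contoso';   Server = 'contoso.msft';   Path = 'OU=Sales,DC=contoso,DC=msft' }
)
foreach ($g in $globals) {
    New-ADGroup -Name $g.Name -GroupScope Global -GroupCategory Security -Path $g.Path -Server $g.Server
}

# Step 2: a single universal group whose members are the global groups.
# Its membership is replicated to every GC in the forest, so keeping it to a
# few stable group objects keeps replication traffic low.
New-ADGroup -Name 'UG-Sales-All' -GroupScope Universal -GroupCategory Security `
    -Path 'OU=Groups,DC=nwtraders,DC=msft' -Server 'nwtraders.msft'
$members = foreach ($g in $globals) { Get-ADGroup -Identity $g.Name -Server $g.Server }
Add-ADGroupMember -Identity 'UG-Sales-All' -Members $members -Server 'nwtraders.msft'

# Steps 3-4: a domain local group in each domain contains the universal group;
# resource permissions in that domain are granted only to this DLG.
foreach ($domain in 'nwtraders.msft', 'contoso.msft') {
    $dn = 'DC=' + ($domain -replace '\.', ',DC=')
    New-ADGroup -Name 'DLG-SalesShare-Read' -GroupScope DomainLocal -GroupCategory Security `
        -Path "OU=Groups,$dn" -Server $domain
    Add-ADGroupMember -Identity 'DLG-SalesShare-Read' -Server $domain `
        -Members (Get-ADGroup -Identity 'UG-Sales-All' -Server 'nwtraders.msft')
}

# Audit: universal groups that hold user accounts directly defeat the
# replication-reduction goal; report them so they can be re-nested.
function Find-UniversalGroupsWithDirectUsers {
    param([string]$Server)
    Get-ADGroup -Filter 'GroupScope -eq "Universal"' -Server $Server | ForEach-Object {
        $users = @(Get-ADGroupMember -Identity $_ -Server $Server |
                   Where-Object { $_.objectClass -eq 'user' })
        if ($users.Count -gt 0) {
            [pscustomobject]@{ Group = $_.Name; DirectUsers = $users.Count }
        }
    }
}
Find-UniversalGroupsWithDirectUsers -Server 'nwtraders.msft' | Format-Table
```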
Reasons to Maintain a Single Domain
Reasons to Create Multiple Domains
Reasons for a Multiple-Tree Forest
Reasons for Multiple Forests
Reasons to Maintain a Single Domain:
- Ease of Management
- Easier Delegation
- Fewer Members in the Domain Admins Group
- Object Capacity Same as a Multiple-Domain Structure

[Figure: a single domain organized into OUs.]
Reasons for Using a Multiple-Domain Tree:
- Distinct domain-level policies
- Tighter administrative control
- Decentralized administration
- Separation and control of affiliate relationships
- Reduced replication traffic

[Figure: domains containing OUs.]
[Figure: multiple-domain tree with root nwtraders.msft and child domains us.nwtraders.msft (also labelled usa.nwtraders.msft) and europe.nwtraders.msft.]
Design Guidelines
Design Needs That May Require a Multiple-Domain Tree:
- Distinct Security Boundaries
- Bandwidth Constraints on WAN Links
- Legal Reasons for Separate Domains
- Distinct Domain-Level Group Policy Settings
[Figure: a multiple-tree forest. Tree 1: root nwtraders.msft with child domainA.nwtraders.msft and grandchild domainB.domainA.nwtraders.msft. Tree 2: root contoso.msft with children domain2.contoso.msft and domain3.contoso.msft.]
Design Guidelines
Consider Using a Multiple-Tree Forest When You Need:
- Distinct DNS Names for Public Identities
- Centralized Control Among All Active Directory Trees and Domains
[Figure: the same two-tree forest: Tree 1 rooted at nwtraders.msft (child domainA.nwtraders.msft, grandchild domainB.domainA.nwtraders.msft) and Tree 2 rooted at contoso.msft (children domain2.contoso.msft and domain3.contoso.msft).]
Design Guidelines
Design Multiple Forests When:
- You Do Not Want a Common Schema
- You Do Not Want a Global Directory
- You Need Limited Partner or Affiliate Relationships