
ADVANTAGE PRO, Chennai's Premier Networking Training Centre

Designing an Active Directory Domain


Identifying Business Needs

Before Designing a Domain, You Should:
- Identify Administrative Strategy
- Identify Security Needs
- Plan for Growth and Flexibility


Designing the Initial Active Directory Domain

[Diagram: the first Active Directory domain, nwtraders.msft, containing several OUs]


Planning for Security Groups

- Deciding Which Security Group to Use
- Planning for Nested Groups
- Design Guidelines


Deciding Which Security Group to Use

Universal Group
- Members from any domain in the forest
- Use for access to resources in any domain

Global Group
- Members from own domain only
- Use for access to resources in any domain

Domain Local Group
- Members from any domain in the forest
- Use for access to resources in one domain

Planning for Nested Groups


When Nesting, You Should:
- Minimize Levels of Nesting
- Document Group Membership

[Diagram: Worldwide Managers Group containing the nested groups Northeast Managers, Southwest Managers and Mid-Atlantic Managers]

Planning for OUs




- Planning Upper-Level OU Strategies
- Planning Lower-Level OU Strategies
- Design Guidelines

Planning Upper-Level OU Strategies

[Diagram: OU hierarchy in the root domain nwtraders.msft. First level: North America, Asia. Second level: Mexico and Canada under North America; Japan and China under Asia. Third level: departmental OUs such as Sales, HR, Mfg and IT under each country]

Planning Lower-Level OU Strategies


[Diagram: the same OU hierarchy as on the previous slide (root domain nwtraders.msft; first level North America and Asia; second level Mexico, Canada, Japan and China; third level Sales, HR, Mfg and IT), here used to illustrate the lower-level OUs]

Design Guidelines


When Designing the OU Structure:
- Choose Stable Upper-Level OU Names That Are Meaningful to Administrators
- Create Lower-Level OUs to Support Group Policy
- Test the OU Structure and Make Changes Based on Evaluation

Designing a Multiple-Domain Structure


How Kerberos V5 Works


[Diagram: Kerberos authentication across a forest. KDCs are shown in the forest root domain, in contoso.msft and nwtraders.msft, and in the child domains marketing.contoso.msft and sales.nwtraders.msft; numbered steps 1 to 4 lead from the client through the KDCs to the server, ending with the client holding a session ticket for the server in the other domain]

Shortcut Trusts in Windows 2000

[Diagram: a forest with Tree One (Forest Root Domain, Domain 1, Domain 2) and Tree Two (Tree Root Domain, Domain A, Domain B, Domain C). A shortcut trust links Domain C (trusting domain) directly to Domain B (trusted domain)]

The Global Catalog

- The Global Catalog and the Logon Process
- Creating a Global Catalog Server

Problem: Logon and GC Dependency


A user's universal group membership changes by:
- Adding the user to a universal group
- Adding a global group of which the user is a member
- Nesting appropriate global and universal groups

During the logon process the security access token is constructed. It holds the user SID and the group SIDs. Membership details for Builtin, Domain Local and Global groups come from the logon domain; membership details for Universal groups come from the global catalog (GC).

[Diagram: security access token (user SID, group SIDs) assembled from the logon domain and the GC]

Strategies for Using Groups in Trees and Forests


- Universal Groups and Replication
- Nesting Strategy Using Universal Groups

Universal Groups and Replication


All membership changes in the universal group are updated in the global catalog server and replicated to all global catalog servers in the forest.

Reduce replication traffic by minimizing:
- The use of universal groups, to limit replication to a domain
- The membership in universal groups to other groups rather than user accounts
- Changes to the membership, to reduce the frequency of replication

Nesting Strategy Using Universal Groups


1. Add User Accounts into Global Groups
2. Nest Global Groups (optional)
3. Add Global Groups from Each Domain into Universal Groups
4. Add Universal Groups into Domain Local Groups in Each Domain
5. Assign Permissions to the Domain Local Group (DLG) in Each Domain

[Diagram: Users -> Global Group (one per domain) -> Universal Group -> Domain Local Group (DLG) in each domain -> Permissions]
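The scope rules from "Deciding Which Security Group to Use", the nesting strategy above, and the logon/GC dependency, as an added Python model that is not from the slides. The domain names are the slides' (nwtraders.msft, us.nwtraders.msft, europe.nwtraders.msft); the users, the group names and the simplified rule table are assumptions.

```python
# Added model, not code from the slides: scope rules, nesting, and the token's group SIDs.
from dataclasses import dataclass, field
# Per scope: may members come from another domain, and which member kinds are allowed.
RULES = {
    "universal": (True, {"user", "global", "universal"}),
    "global": (False, {"user", "global"}),
    "domain_local": (True, {"user", "global", "universal", "domain_local"}),
}

@dataclass
class Principal:
    name: str
    domain: str
    scope: str = "user"   # "user", "global", "universal" or "domain_local"
    members: list = field(default_factory=list)

def add_member(group, member):
    """Enforce the rules from 'Deciding Which Security Group to Use'."""
    cross_domain_ok, accepts = RULES[group.scope]
    if member.scope not in accepts:
        raise ValueError(f"a {member.scope} cannot be nested in {group.scope} group {group.name}")
    if member.domain != group.domain and not cross_domain_ok:
        raise ValueError(f"global group {group.name} takes members from {group.domain} only")
    group.members.append(member)

def token_groups(user, groups, gc_available=True):
    """Groups whose SIDs enter the token; universal membership is read only from the GC."""
    found, grew = {user.name}, True
    while grew:                       # expand nesting until nothing new appears
        grew = False
        for g in groups:
            if g.name not in found and any(m.name in found for m in g.members):
                if g.scope == "universal" and not gc_available:
                    raise LookupError(f"no global catalog: membership of {g.name} unknown")
                found.add(g.name); grew = True
    return found - {user.name}

def build_agudlp():
    """Slides' nesting strategy (users -> global -> universal -> DLG); names are constructed."""
    alice = Principal("alice", "us.nwtraders.msft")
    bob = Principal("bob", "europe.nwtraders.msft")
    us_sales = Principal("US Sales", "us.nwtraders.msft", "global")
    eu_sales = Principal("EU Sales", "europe.nwtraders.msft", "global")
    all_sales = Principal("Sales Worldwide", "nwtraders.msft", "universal")
    us_readers = Principal("US Sales Readers", "us.nwtraders.msft", "domain_local")
    add_member(us_sales, alice); add_member(eu_sales, bob)
    add_member(all_sales, us_sales); add_member(all_sales, eu_sales)
    add_member(us_readers, all_sales)  # permissions on the US resource go to this DLG
    return alice, bob, [us_sales, eu_sales, all_sales, us_readers]
```

Because only groups (never users) sit in the universal group, a new hire changes a global group rather than the universal group, so nothing is replicated to every GC in the forest; with the GC unreachable the universal membership cannot be resolved and the token cannot be completed.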

Identifying Business Needs

- Reasons to Maintain a Single Domain
- Reasons to Create Multiple Domains
- Reasons for a Multiple-Tree Forest
- Reasons for Multiple Forests

Reasons to Maintain a Single Domain

- Ease of Management
- Easier Delegation
- Fewer Members in Domain Admins Group
- Object Capacity Same as Multiple Domain Structure

[Diagram: a single domain containing several OUs]

Reasons to Create Multiple Domains



Reasons for Using a Multiple-Domain Tree:
- Distinct domain-level policies
- Tighter administrative control
- Decentralized administration
- Separation and control of affiliate relationships
- Reduced replication traffic

[Diagram: several domains, each containing its own OUs]

Accessing Resources Between Domains

- Authentication Across a Forest
- Types of Trusts

Planning for Multiple-Domain Trees




- Characteristics of Multiple-Domain Trees
- Creating an Empty Root Domain
- Design Guidelines

Characteristics of Multiple-Domain Trees

[Diagram: root domain nwtraders.msft with child domains us.nwtraders.msft and europe.nwtraders.msft, and the child domain sales.us.nwtraders.msft under us.nwtraders.msft]

Transitive Trusts Exist Between All Domains

Creating an Empty Root Domain

Enterprise Admin Is the Sole User in the Root Domain

[Diagram: empty root domain nwtraders.msft with child domains usa.nwtraders.msft and europe.nwtraders.msft]

Design Guidelines
Design Needs That May Require a Multiple-Domain Tree:
- Distinct Security Boundaries
- Bandwidth Constraints on WAN Links
- Legal Reasons for Separate Domains
- Distinct Domain-Level Group Policy Settings

Planning for Multiple-Tree Forests

- Characteristics of Multiple-Tree Forests
- Design Guidelines

Characteristics of a Multiple-Tree Forest

Transitive Trust Relationship Created Between Roots

[Diagram: Tree 1 rooted at nwtraders.msft, with child domainA.nwtraders.msft and its child domainB.domainA.nwtraders.msft; Tree 2 rooted at contoso.msft, with children domain2.contoso.msft and domain3.contoso.msft; a transitive trust joins the two roots]

Design Guidelines

Consider Using a Multiple-Tree Forest When You Need:
- Distinct DNS Names for Public Identities
- Centralized Control Among All Active Directory Trees and Domains

Planning for Multiple Forests

- Characteristics of Multiple Forests
- Design Guidelines

Characteristics of Multiple Forests


One-Way External Trusts Established Among Specified Domains Only

[Diagram: two separate forests. Forest 1 is Tree 1, rooted at nwtraders.msft with child domainA.nwtraders.msft and its child domainB.domainA.nwtraders.msft; Forest 2 is Tree 2, rooted at contoso.msft with children domain2.contoso.msft and domain3.contoso.msft; one-way external trusts link only the specified domains]

Design Guidelines
Design Multiple Forests When:
- You Do Not Want a Common Schema
- You Do Not Want a Global Directory
- You Need Limited Partner or Affiliate Relationships

ALL THE BEST
