
Microsoft Official Course

Module 6
Designing and Implementing an Active Directory Domain Services Forest and Domain Infrastructure
Module Overview

• Designing an Active Directory Forest
• Designing and Implementing Active Directory Forest Trusts
• Designing Active Directory Integration with Windows Azure Active Directory
• Designing and Implementing Active Directory Domains
• Designing DNS Namespaces in Active Directory Environments
• Designing Active Directory Domain Trusts
Lesson 1: Designing an Active Directory Forest

• What Is an Active Directory Forest?
• Active Directory Forest Models
• Benefits of a Single Forest Model
• Considerations for Implementing Multiple Forests
• Guidelines for Designing an Active Directory Forest Infrastructure
• Discussion: Selecting a Suitable Forest Design
What Is an Active Directory Forest?

An Active Directory forest is the highest-level container object in the Active Directory hierarchy.

Objects in a forest have the following characteristics:
• Share a common schema
• Share a common global catalog
• Are a single administrative unit
Active Directory Forest Models

You can choose from the following design models:
• Single forest model
• Organizational forest model
• Resource forest model
• Restricted-access forest model
Benefits of a Single Forest Model

The single forest model:
• Provides a number of components that are shared by all domain controllers in the forest
• Makes it possible for applications to have centralized access to the directory service
• Makes resource access much easier
• Can make it more difficult to implement schema extensions
Considerations for Implementing Multiple Forests

A multiple forest model:
• Can meet isolation requirements
• Allows implementation of directory synchronization for Microsoft Exchange
• Allows use of AD DS for servers on the perimeter network
• Provides granular control over forest-wide changes
• Requires planning of namespace and DNS requirements, when implemented
• Can result in higher costs and greater administrative complexity
Guidelines for Designing an Active Directory Forest Infrastructure

Consider the following guidelines when designing an Active Directory forest:
• Map your business, security, and administration requirements to an Active Directory forest model
• If possible, use a single Active Directory forest rather than multiple forests
• If you implement multiple forests, use as few as possible
• Consider using additional domains within a forest, instead of using multiple forests
Discussion: Selecting a Suitable Forest Design

[Figure: forest design scenario showing the Wingtiptoys.com and Tailspintoys.com namespaces and the regions emea, usa, and pacific]
Lesson 2: Designing and Implementing Active Directory Forest Trusts

• Characteristics of Forest Trusts
• Forest Trust Security Considerations
• Resource Access
• Guidelines for Designing Forest Trusts
• Demonstration: Creating a Forest Trust
Characteristics of Forest Trusts

Forest trusts provide the following benefits:
• Simplified management of resources across two forests
• Complete two-way trust relationships with every domain in each forest
• Use of UPN authentication across two forests
• Use of the Kerberos V5 authentication protocol and the NTLM authentication protocol
• Flexible administration
Forest Trust Security Considerations

An incorrectly configured trust can allow unauthorized access to resources. You can use the following technologies to mitigate these concerns:
• SID filtering
• Selective authentication
• UPN suffix routing
Resource Access

[Figure: resource access across a forest trust. Forest 1 contains woodgrovebank.com and the child domain emea.woodgrovebank.com; Forest 2 contains contoso.com and the child domain na.contoso.com. The two forests are joined by a forest trust, and each forest has a global catalog. The diagram's numbered steps 1 to 9 of the access sequence are not recoverable from the extracted text.]
Guidelines for Designing Forest Trusts

• Ensure that DNS is configured correctly
• Ensure that the forest functional level is set to at least Windows Server 2003
• Use external trusts if only two domains are involved
• Use selective authentication
• Consider alternatives to forest trusts
Demonstration: Creating a Forest Trust

In this demonstration, you will see how to:
• Configure the prerequisites for a forest trust
• Create a forest trust
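The prerequisite checks and the trust hardening that this lesson describes (DNS, forest functional level, SID filtering, selective authentication), written out as an added PowerShell example. It is not part of the course material. It assumes placeholder names: adatum.com is the local forest, treyresearch.net is the partner forest, and 10.0.0.20 is a DNS server in the partner forest. It is meant to run on a domain controller of the local forest root, with the ActiveDirectory and DnsServer modules available, after the trust itself has been created in Active Directory Domains and Trusts as in the demonstration.

```powershell
# Added example, not course material. Placeholders: adatum.com is the local
# forest, treyresearch.net the partner forest, 10.0.0.20 a partner DNS server.
Import-Module ActiveDirectory, DnsServer

$PartnerForest    = 'treyresearch.net'
$PartnerDnsServer = '10.0.0.20'

# 1. DNS: domain controllers of the partner forest must be resolvable from
#    here. A conditional forwarder, replicated forest-wide, is one way.
if (-not (Get-DnsServerZone -Name $PartnerForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $PartnerForest `
        -MasterServers $PartnerDnsServer -ReplicationScope 'Forest'
}
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$PartnerForest" -Type SRV -ErrorAction Stop |
       Where-Object Type -eq 'SRV'
"Partner domain controllers in DNS: " + ($srv.NameTarget -join ', ')

# 2. Forest functional level: forest trusts need at least Windows Server 2003
#    (the 2003 interim level is not enough) on both sides.
$forest = Get-ADForest
if ($forest.ForestMode -in 'Windows2000Forest', 'Windows2003InterimForest') {
    throw "Forest functional level $($forest.ForestMode) is too low for a forest trust."
}
"Local forest $($forest.Name) is at functional level $($forest.ForestMode)."

# 3. After the trust exists, harden it from the trusting (local) side.
#    Forest trusts get forest-aware SID filtering by default; it is switched
#    off with /EnableSIDHistory:Yes, so make sure it is on. (/Quarantine:Yes
#    is the equivalent for external trusts; on a forest trust it would also
#    filter SIDs from the partner forest's child domains.)
$root = $forest.RootDomain
netdom trust $root /domain:$PartnerForest /EnableSIDHistory:No
#    Selective authentication: users from the partner forest can reach only
#    the servers on which they are explicitly granted "Allowed to Authenticate".
netdom trust $root /domain:$PartnerForest /SelectiveAUTH:Yes

# 4. Read the settings back and fail loudly if either one is not in place.
$trust = Get-ADTrust -Filter "Name -eq '$PartnerForest'" -Server $root
if (-not $trust.SIDFilteringForestAware -or -not $trust.SelectiveAuthentication) {
    throw "Trust to $PartnerForest is not hardened: " +
          "SID filtering=$($trust.SIDFilteringForestAware), selective auth=$($trust.SelectiveAuthentication)"
}
$trust | Select-Object Name, Direction, ForestTransitive, SIDFilteringForestAware, SelectiveAuthentication
```

Selective authentication only restricts who may authenticate; the resource servers in the trusting forest still need the "Allowed to Authenticate" permission granted to the partner groups, and the resource ACLs still decide what those users can do once authenticated.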
Lesson 3: Designing Active Directory Integration with Windows Azure Active Directory

• Windows Azure Active Directory Overview
• Windows Azure Active Directory Authentication
• Options for Integrating Authentication with On-Premises AD DS
• Designing Directory Synchronization
• Options for Managing Windows Azure Active Directory Accounts
Windows Azure Active Directory Overview

• Windows Azure Active Directory:
  • Is a cloud-based IaaS for identity management and access control
  • Is different from running virtualized domain controllers in Windows Azure
  • Provides the following:
    • Active Directory authentication services in the public cloud
    • Cloud-based storage for directory service data
    • Federation services
    • A service to extend the on-premises AD DS environment to the public cloud
    • Directory synchronization and SSO
    • APIs for developers
Windows Azure Active Directory Authentication

The supported Windows Azure Active Directory authentication protocols are:
• OAuth 2.0
• SAML 2.0
• WS-Federation
Options for Integrating Authentication with On-Premises AD DS

You can integrate an on-premises AD DS with Windows Azure Active Directory by using:
• Windows Azure Active Directory Sync tool (DirSync):
  • Must run on a domain-joined Windows Server, not a domain controller
  • Requires a full installation of SQL Server if the environment has over 50,000 objects
  • Is a requirement for SSO
• AD FS:
  • Must run on-premises and be at least version 2.0
  • For added security, publish AD FS by deploying Web Application Proxy or Microsoft Forefront Unified Access Gateway
  • A single password policy covers on-premises AD DS
• On-premises AD DS:
  • Is the source of record for all directory data, which then synchronizes to Windows Azure Active Directory
  • Is a prerequisite for DirSync, AD FS, and SSO
Designing Directory Synchronization

When planning for directory synchronization, consider the following:
• Filter what gets synchronized:
  • By OU?
  • By AD DS attribute?
  • By AD DS domain?
• Determine the source of synchronization:
  • Which server is the source?
  • Who gets access to the server?
• Understand performance implications:
  • How will Microsoft Exchange be impacted?
  • When should you perform the synchronization?
  • Should you run it throughout the day or only after business hours?
• Understand security implications:
  • What rights are required for the MSOL-AD-SYNC service account?
Options for Managing Windows Azure Active Directory Accounts

The two primary methods to manage Windows Azure Active Directory user accounts are:
• Windows Azure Active Directory management portal. A web-based tool that you can use to:
  • Add a Windows Azure Active Directory user account
  • Manage user information
  • Add a domain
  • Integrate with on-premises AD DS
  • Enable multi-factor authentication
• Windows Azure Active Directory Module for Windows PowerShell. Use to:
  • Create accounts
  • Manage accounts
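An added PowerShell example (not course material) of the second method above: creating and managing accounts with the Windows Azure Active Directory Module for Windows PowerShell (the MSOnline module), plus the directory synchronization status check that the previous slide's planning questions lead to. It assumes a tenant with the verified domain adatum.com (placeholder), a placeholder user jdoe, and that the caller signs in with a tenant administrator account.

```powershell
# Added example, not course material. Placeholders: adatum.com is the tenant's
# verified domain; jdoe@adatum.com is a constructed user name.
Import-Module MSOnline
Connect-MsolService              # prompts for tenant administrator credentials

# Tenant-wide view: is DirSync enabled, and when did it last run? A stale
# LastDirSyncTime is the first sign that the sync server or its service
# account has a problem.
$company = Get-MsolCompanyInformation
"DirSync enabled: $($company.DirectorySynchronizationEnabled); last sync: $($company.LastDirSyncTime)"

# Create a cloud-only account. With no -Password, a temporary password is
# generated and returned; ForceChangePassword makes the user replace it at
# first sign-in.
$newUser = New-MsolUser -UserPrincipalName 'jdoe@adatum.com' -DisplayName 'Jane Doe' `
    -FirstName 'Jane' -LastName 'Doe' -UsageLocation 'GB' -ForceChangePassword $true
"Created $($newUser.UserPrincipalName); temporary password: $($newUser.Password)"

# Manage an existing account: update attributes, then block sign-in without
# deleting the object (group memberships and licences are preserved).
Set-MsolUser -UserPrincipalName 'jdoe@adatum.com' -Department 'Sales' -Office 'Paris'
Set-MsolUser -UserPrincipalName 'jdoe@adatum.com' -BlockCredential $true

# Review: which accounts are synchronized from on-premises AD DS and which are
# cloud-only? Cloud-only accounts are outside the on-premises password policy
# and deserve a periodic look.
Get-MsolUser -All |
    Select-Object UserPrincipalName, IsLicensed, BlockCredential,
        @{ Name = 'Source'; Expression = { if ($_.LastDirSyncTime) { 'Synchronized' } else { 'Cloud-only' } } },
        LastDirSyncTime |
    Sort-Object Source, UserPrincipalName |
    Format-Table -AutoSize
```

Synchronized accounts are mastered on-premises: attributes such as Department must be changed in AD DS and allowed to flow through DirSync, and Set-MsolUser on them is limited to cloud-side settings such as BlockCredential and licensing.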
Lab A: Designing and Implementing an Active Directory Domain Services Forest Infrastructure

• Exercise 1: Designing an Active Directory Forest Infrastructure
• Exercise 2: Implementing Active Directory Forest Trusts

Logon Information
Virtual machine: 20413C-LON-DC1
User name: Adatum\Administrator
Password: Pa$$w0rd

Virtual machine: 20413C-TREY-DC1
User name: TreyResearch\Administrator
Password: Pa$$w0rd

Estimated Time: 40 minutes
Lab Scenario

The current Active Directory environment at A. Datum Corporation consists of a single Active Directory forest, which has only domain controllers running Windows Server 2008 R2. All domain controllers are deployed in a single AD DS site at the London head office’s data center.

A. Datum wants to integrate its newly acquired companies, Contoso, Ltd, and Trey Research, into its organization. Contoso currently is running UNIX; however, Trey Research is currently running AD DS in Windows Server 2008 R2.

A. Datum also is planning to expand the number of employees who are located at the Contoso office in Paris. This is because the Paris office will become the primary sales, marketing, and delivery office for the company’s aggressive expansion into European markets.

Additionally, A. Datum plans to deploy some applications and services for external clients. These resources will be located on a perimeter network, and should be independent from the company’s Active Directory forest. However, the same administrators will administer the perimeter network resources.
Lab Review

• What was your approach to the Active Directory forest design exercises?
• Did your design differ from the suggested solution?
• If cost were not a factor, how might this affect your design?
Lesson 4: Designing and Implementing Active Directory Domains

• Active Directory Domain Models
• Reasons for Deploying Multiple Domains
• Considerations for Deploying Dedicated Forest Root Domains
• Guidelines for Designing Active Directory Domains
• Demonstration: Implementing an Active Directory Domain
Active Directory Domain Models

[Figure: Active Directory domain models: single domain, single domain tree, multiple domain trees, resource domain, and regional domain]
Reasons for Deploying Multiple Domains

You can deploy multiple Active Directory domains:
• When you want to minimize replication traffic
• When you have a very large number of users in remote sites and limited bandwidth between sites
• When password and account lockout policies at the domain level have different requirements
• When you want to meet some administrative requirements
Considerations for Deploying Dedicated Forest Root Domains

Reasons to deploy a dedicated forest root domain include:
• Separation of forest-level service administrators from domain service administrators
• The dedicated forest root domain is protected from organizational changes
• Ability to strategically place forest-wide operations master domain controllers
• Ability to deploy forest-wide applications to the forest root domain
Guidelines for Designing Active Directory Domains

• Capture the business, technical, and administrative requirements
• Record the geographical layout
• Limit the number of domains whenever possible
• Implement regional domains to minimize replication traffic
• Maintain a dedicated forest root if an administration model requires separation of forest-level service administrators from domain service administrators
• Use fine-grained password policies for password requirements
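The last guideline is the alternative to the "different password and account lockout policies" reason for a separate domain given earlier in this lesson: a fine-grained password policy applies stricter settings to one group inside an existing domain. The following is an added PowerShell example, not course material. It assumes the domain is at the Windows Server 2008 functional level or higher, that a global security group named Research Staff exists, and that rmartin is a member of it; the group name, user name, policy name and the numeric settings are placeholders.

```powershell
# Added example, not course material. Placeholders: 'Research Staff' (global
# security group), 'rmartin' (a member of it), 'Research-Strict' (policy name).
Import-Module ActiveDirectory

# Fine-grained password policies require the Windows Server 2008 domain
# functional level; below that, only the domain-wide policy applies.
$domain = Get-ADDomain
if ($domain.DomainMode -in 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain') {
    throw "Domain functional level $($domain.DomainMode) does not support fine-grained password policies."
}

# Create the policy. When a user is covered by several policies, the lowest
# Precedence value wins; the Default Domain Policy applies only to users
# covered by none. Durations are days.hours:minutes:seconds.
$pso = New-ADFineGrainedPasswordPolicy -Name 'Research-Strict' -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 14 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
    -PassThru

# Apply it. Subjects can be users or global security groups; applying to a
# group keeps the policy in step with group membership changes.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'Research Staff'

# Verify what a member of the group actually gets: the resultant policy
# resolves precedence among all policies that cover the user.
Get-ADUserResultantPasswordPolicy -Identity 'rmartin' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
```

Get-ADUserResultantPasswordPolicy returns nothing for a user covered by no fine-grained policy, which means the Default Domain Policy settings apply to that user.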
Demonstration: Implementing an Active Directory Domain

In this demonstration, you will see how to:
• Add the Active Directory server role
• Create a new domain in an existing forest
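The two demonstration steps as an added PowerShell example using the ADDSDeployment cmdlets; this is not the course's own demonstration script. It assumes placeholder names: the forest root domain is adatum.com, the new child domain is contoso.adatum.com, and the script runs on a member server that can reach a domain controller of the parent domain. The promotion restarts the server when it completes.

```powershell
# Added example, not course material. Placeholders: adatum.com is the forest
# root; 'contoso' is the new child domain (contoso.adatum.com).

# Step 1: add the AD DS server role and its management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Creating a domain in an existing forest needs Enterprise Admins credentials
# from the parent domain. Prompt for them; never embed a password in a script.
$entAdmin = Get-Credential -Message 'Enterprise Admin credentials for adatum.com'
$dsrm     = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Step 2a: dry run. Reports missing prerequisites (name resolution, rights,
# functional levels) without changing anything.
Test-ADDSDomainInstallation -NewDomainName 'contoso' -ParentDomainName 'adatum.com' `
    -DomainType ChildDomain -Credential $entAdmin -SafeModeAdministratorPassword $dsrm

# Step 2b: promote this server as the first DC of the new child domain.
# -InstallDns puts the DNS role on the new DC; -CreateDnsDelegation writes
# the delegation for contoso.adatum.com into the parent zone so that clients
# in the forest can locate the new domain's controllers.
Install-ADDSDomain -NewDomainName 'contoso' -ParentDomainName 'adatum.com' `
    -DomainType ChildDomain -DomainMode Win2012 `
    -InstallDns -CreateDnsDelegation `
    -Credential $entAdmin -SafeModeAdministratorPassword $dsrm `
    -Force
```

The same cmdlets take -DomainType TreeDomain to start a new tree in the forest, which is the multiple domain trees model from the domain models slide; the DNS delegation is then replaced by a separate forest-wide zone for the new tree's namespace.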
Lesson 5: Designing DNS Namespaces in Active Directory Environments

• AD DS and DNS Integration
• Options for Designing an Active Directory Namespace
• Designing DNS Application Partitions
• Guidelines for Implementing DNS Servers into Active Directory Environments
AD DS and DNS Integration

• AD DS and DNS integration:
  • You must have DNS installed so that you can use AD DS
  • DNS is installed by default on domain controllers
  • Clients and servers use DNS to locate domain controllers
• When planning AD DS and DNS integration:
  • Consider the number and placement of DNS servers, which will affect the Active Directory functionality
  • Consider how to store zone data
Options for Designing an Active Directory Namespace

When choosing an Active Directory namespace strategy, you can:
• Use the same internal and external DNS names
• Use different internal and external DNS names
• Use a separate domain name
Designing DNS Application Partitions

You can store DNS zones in:
• One of the default application partitions, which have specified replication scopes
• Custom partitions with scopes that you define

Partition          Replication scope
Domain             To all domain controllers in the Active Directory domain
DomainDnsZones     To all domain controllers that are DNS servers in the Active Directory domain
ForestDnsZones     To all domain controllers that are DNS servers in the Active Directory forest
Custom partition   To all domain controllers in the replication scope for the application partition

(The original diagram also shows the Configuration and Schema partitions alongside these; they are not used to store DNS zones.)
Guidelines for Implementing DNS Servers into Active Directory Environments

Guidelines for implementing DNS servers:
• Use Windows Server–based DNS servers with Active Directory–integrated zones
• Ensure that DNS servers support service (SRV) resource records
• Use the default DNS application directory partitions
• Ensure that the internal and external namespaces are hosted on separate DNS servers
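An added PowerShell example, not course material, covering the two preceding slides: it shows where each Active Directory–integrated zone is stored and replicated, moves the forest root's _msdcs zone to the forest-wide partition, creates a zone in a custom partition, and checks that the SRV records clients use to locate domain controllers resolve. It assumes the domain is adatum.com (placeholder) and runs on a domain controller that also hosts the DNS Server role, with the DnsServer module available; ParisDnsZones and paris.adatum.com are constructed names.

```powershell
# Added example, not course material. Placeholders: adatum.com (domain),
# ParisDnsZones (custom partition), paris.adatum.com (zone in that partition).
Import-Module DnsServer

# Which application directory partitions exist on this server, and how many
# zones does each hold? The default ones are DomainDnsZones and ForestDnsZones.
Get-DnsServerDirectoryPartition |
    Select-Object DirectoryPartitionName, State, ZoneCount

# Where is each integrated zone stored? ReplicationScope says who receives it:
# Domain (all DCs that are DNS servers in the domain), Forest (all DCs that are
# DNS servers in the forest), Legacy (the domain partition, every DC), Custom.
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, ReplicationScope, DirectoryPartitionName, IsSigned

# The _msdcs zone of the forest root holds forest-wide locator records, so
# every DNS server in the forest should have it. Move it to Forest scope if
# it is still stored with a narrower scope.
$msdcs = Get-DnsServerZone -Name '_msdcs.adatum.com' -ErrorAction SilentlyContinue
if ($msdcs -and $msdcs.ReplicationScope -ne 'Forest') {
    Set-DnsServerPrimaryZone -Name '_msdcs.adatum.com' -ReplicationScope 'Forest'
}

# A custom replication scope: create the partition (this server is enlisted
# automatically), then create the zone inside it. Other DNS servers that
# should host the zone must be enlisted in the partition as well.
if (-not (Get-DnsServerDirectoryPartition -Name 'ParisDnsZones' -ErrorAction SilentlyContinue)) {
    Add-DnsServerDirectoryPartition -Name 'ParisDnsZones'
}
Add-DnsServerPrimaryZone -Name 'paris.adatum.com' -ReplicationScope 'Custom' `
    -DirectoryPartitionName 'ParisDnsZones'

# SRV support check: the domain controller locator records must resolve, or
# clients and member servers cannot find a DC for logon and Kerberos.
foreach ($name in '_ldap._tcp.dc._msdcs.adatum.com', '_kerberos._tcp.dc._msdcs.adatum.com') {
    $answers = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object Type -eq 'SRV'
    if ($answers) { "$name -> " + ($answers.NameTarget -join ', ') }
    else          { "$name did not resolve: domain controllers may not be locatable" }
}
```

Legacy scope stores the zone in the domain partition itself, so it replicates to every domain controller in the domain whether or not it runs DNS; that is the row labelled "Domain" in the table above, and it is the reason the guideline prefers the default application directory partitions.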
Lesson 6: Designing Active Directory Domain Trusts

• Trust Relationships
• Shortcut Trusts
• External Trusts and Realm Trusts
• Guidelines for Designing Active Directory Domain Trusts
Trust Relationships

In a trust relationship:
• The trust extends the concept of the trusted identity store to another domain
• The trusting domain trusts the identity store and authentication services of the trusted domain
• A trusted user can authenticate to, and be given access to resources in, the trusting domain
• Within a forest, each domain trusts all other domains
• Trust relationships can exist with external domains
Shortcut Trusts

[Figure: shortcut trusts in a two-tree forest. The forest root domain tailspintoys.com has the child domain europe.tailspintoys.com; the tree root domain wingtiptoys.com has the child domains usa.wingtiptoys.com and asia.wingtiptoys.com.]
External Trusts and Realm Trusts

[Figure: external and realm trusts. The tailspintoys.com forest, with child domains asia.tailspintoys.com and europe.tailspintoys.com, alongside wideworldimporters.com with its child domain sales.wideworldimporters.com.]
Guidelines for Designing Active Directory Domain Trusts

Guidelines for designing Active Directory domain trusts:
• Use external domain trusts instead of forest trusts when you want to have a single domain in one forest trust a single domain in another forest
• Implement SID filtering and selective authentication
• Consider using shortcut trusts in multidomain tree environments
• Maintain a current list of trust relationships for future reference
• Perform regular backups of domain controllers
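The "current list of trust relationships" guideline, combined with the SID filtering and selective authentication guideline, as an added PowerShell example that is not course material. It inventories the trusts of every domain in the forest (trusts are stored per domain, so the forest root alone does not show them all), exports the list, and reports the trusts leaving the forest that lack either protection. It assumes the caller can query a domain controller of each domain returned by Get-ADForest; the CSV path is a placeholder.

```powershell
# Added example, not course material. Placeholder: C:\Reports\trusts.csv.
Import-Module ActiveDirectory

function Get-ForestTrustInventory {
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        # Each domain holds its own trustedDomain objects; query a DC of it.
        Get-ADTrust -Filter * -Server $domain | ForEach-Object {
            [pscustomobject]@{
                SourceDomain     = $domain
                Target           = $_.Target
                Type             = $_.TrustType        # Uplevel, Downlevel, Realm, ...
                Direction        = $_.Direction        # Inbound, Outbound, BiDirectional
                IntraForest      = $_.IntraForest
                ForestTransitive = $_.ForestTransitive
                # Forest trusts rely on forest-aware SID filtering, external
                # trusts on quarantine. With both flags clear, SID history
                # presented by the other side is accepted as-is.
                SidFiltering     = [bool]($_.SIDFilteringForestAware -or $_.SIDFilteringQuarantined)
                SelectiveAuth    = [bool]$_.SelectiveAuthentication
            }
        }
    }
}

$inventory = Get-ForestTrustInventory
$inventory | Export-Csv -Path 'C:\Reports\trusts.csv' -NoTypeInformation

# Intra-forest (parent-child, tree-root, shortcut) trusts are implicit and
# cannot be filtered, so review only the trusts that leave the forest.
$inventory |
    Where-Object { -not $_.IntraForest -and (-not $_.SidFiltering -or -not $_.SelectiveAuth) } |
    Format-Table SourceDomain, Target, Type, Direction, SidFiltering, SelectiveAuth -AutoSize
```

Keeping the exported CSV under version control, or diffing it against the previous run, turns the "current list" guideline into a detection: a trust that appears, changes direction, or loses SID filtering between two runs is worth an explanation.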
Lab B: Designing and Implementing an Active Directory Domain Infrastructure

• Exercise 1: Designing an Active Directory Domain Infrastructure
• Exercise 2: Implementing an Active Directory Domain Infrastructure

Logon Information
Virtual machine: 20413C-LON-DC1
User name: Adatum\Administrator
Password: Pa$$w0rd

Virtual machine: 20413C-TREY-DC1
User name: TreyResearch\Administrator
Password: Pa$$w0rd

Virtual machine: 20413C-CON-SVR
User name: .\administrator
Password: Pa$$w0rd

Estimated Time: 45 minutes
Lab Scenario

During the Active Directory forest design process at A. Datum Corporation, the design team members decided that they will need to maintain a separate forest for the treyresearch.net domain to fulfill the research department’s isolation requirements. However, the design team currently is considering how best to integrate the Contoso, Ltd organization into the A. Datum network infrastructure. At this time, Contoso has not deployed AD DS.
Lab Review

• What was your approach to the Active Directory domain design exercises?
• Did your design differ from the suggested solution?
• How does the domain design compare with your organization’s domain implementation?
Module Review and Takeaways

• Review Question(s)
