UsMan's WoRkSpAce

Tuesday, January 16, 2007

Active directory design highlights

* All domains in an AD forest share one schema (and one configuration partition and one global catalog). A second forest is justified only when an organization needs a different schema, or needs to isolate one set of administrators from another, which a domain cannot do.

* A domain within a forest is an administrative and policy boundary: its GPO settings and the account policies below apply only to the accounts and computers in that domain. It is not a security isolation boundary; the forest is. A domain administrator (or anyone who compromises a DC) in any domain of the forest can write data that replicates forest-wide, so mutually distrusting organizations need separate forests, not separate domains. The following account policies can be set only once per domain, in a GPO linked at the domain level:

Password policy
Account lockout policy
Kerberos ticket policy

A single-domain design also reduces hardware cost, since every domain needs at least one DC (two for redundancy). There is no hard limit on OU nesting, but the usual guidance is to stay within about 10 levels; deeper trees slow GPO processing and complicate delegation.

* Windows 2000 domain controllers operate in mixed or native mode. Mixed mode keeps compatibility with Windows NT 4.0 backup domain controllers; the switch to native mode is one-way and cannot be reversed. Native mode enables universal security groups, nesting of groups within groups, and SID history for migrations.

* An organizational unit (OU) is a logical container used to organize domain objects such as users and computers. OUs exist to delegate administration and to scope GPOs; an OU is not a security principal, so it cannot appear in an ACL or be granted permissions. OU structure within a domain can follow business units, projects or administrative tiers.

* Delegation of administration is the key idea behind OU design. The following categories of administrator can each be given rights over a subset of the OUs in a domain; each category is a group, and its rights are ACEs set on the OUs and inherited by the objects beneath them.

Global IT administrators: create/delete/modify OUs, set domain account and security policies, create/delete/modify top-level groups
Company administrators: create/delete/modify lower-level OUs, modify company user and group information, create company-wide printer and file resources, unlock users and reset passwords
Function administrators: create/delete/modify application users and groups, create application user folders, grant access to applications
Server operators: restart servers, add drivers, start/stop services, clear print queues
Printer operators: reset/purge print queues, stop/start printers
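As an added example (not from the original post), this PowerShell delegates the "unlock users and reset passwords" part of the company-administrator tier above to a help-desk group on one OU. The OU distinguished name and the group name are hypothetical placeholders; the three GUIDs are the well-known schema identifiers, identical in every forest. It uses only System.DirectoryServices, so it does not need the ActiveDirectory module.

```powershell
# Added example: delegate Reset Password + unlock on one OU to a help-desk group.
$ouDn      = "OU=Sales,DC=corp,DC=example"   # assumption: target OU
$groupName = "CORP\Sales-HelpDesk"           # assumption: delegated group

$ou  = [ADSI]"LDAP://$ouDn"
$acl = $ou.ObjectSecurity
$who = New-Object System.Security.Principal.NTAccount($groupName)

# Well-known schema GUIDs (same in every AD forest):
$userClass   = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # object class: user
$resetPwd    = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # control access right: Reset Password
$lockoutTime = [Guid]"28630ebf-41d5-11d1-a9c1-0000f80367c1"  # attribute: lockoutTime

$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# ACE 1: the Reset Password extended right, on user objects below the OU only.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $who, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwd, $inherit, $userClass)))

# ACE 2: read/write lockoutTime on user objects; writing 0 to it unlocks the account.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $who, $rights, $allow, $lockoutTime, $inherit, $userClass)))

$ou.CommitChanges()

# Verify: show only the ACEs the help-desk group now holds on this OU.
$ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference -eq $groupName } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Two caveats a practitioner should keep in mind. First, the ACEs are scoped to the user object class and to descendants of the OU, so the group gains nothing over computers, groups or objects elsewhere; delegating "Full Control" on the OU instead would hand over far more than the tier description calls for. Second, delegated OUs must never contain privileged accounts: whoever can reset the password of a domain administrator is, in effect, a domain administrator, which is why members of protected groups are re-stamped with the AdminSDHolder ACL and belong in their own OU with no delegation at all.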

* DNS is the locator service for AD. Domains are named with DNS names, and clients find domain controllers by querying SRV (service location) records that every DC registers through dynamic update. Any DNS server that supports SRV records and dynamic update can host the zones. AD-integrated zones on Microsoft DNS additionally store the records in the directory, so zone data moves with AD replication (multi-master, compressed between sites) instead of standard zone transfers. AD-integrated zones should be set to accept secure dynamic updates only; otherwise any host on the network can register or overwrite records, including the DCs' own. The NetBIOS and DNS domain names should match, unless a migration carries over a NetBIOS name containing characters DNS does not allow. The internal and external namespace can be the same name, but the internal zone must then be maintained separately from the public one (split DNS) so that internal hosts are never published externally.
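As an added example (not from the original post), the following PowerShell shows the SRV names a client actually asks for when locating a DC, runs the same lookup through the Netlogon locator, and checks that AD-integrated zones accept only secure dynamic updates. The domain, site and server names are hypothetical placeholders; Resolve-DnsName and the DnsServer cmdlets are the ones shipped with Windows Server.

```powershell
# Added example: DC locator SRV records and a dynamic-update hygiene check.
$domain = "corp.example"      # assumption: AD DNS domain name (also the forest root here)
$site   = "HQ"                # assumption: an AD site name
$dns    = "dc1.corp.example"  # assumption: DNS server hosting the zone

# Locator records registered by every DC's Netlogon service.
$queries = @(
    "_ldap._tcp.dc._msdcs.$domain",               # any DC in the domain
    "_ldap._tcp.$site._sites.dc._msdcs.$domain",  # DCs in one site (clients try this first)
    "_kerberos._tcp.$domain",                     # KDCs
    "_gc._tcp.$domain"                            # global catalog servers (registered under the forest root)
)
foreach ($q in $queries) {
    Resolve-DnsName -Name $q -Type SRV -Server $dns -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object @{n='Record';e={$q}}, NameTarget, Port, Priority, Weight
}

# The same lookup the way a member computer does it; the output also reports
# the site the client was mapped to from its IP subnet.
nltest /dsgetdc:$domain /site:$site

# Zone hygiene: every AD-integrated zone should report DynamicUpdate = Secure.
Get-DnsServerZone -ComputerName $dns |
    Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, DynamicUpdate, ReplicationScope
```

A zone showing NonsecureAndSecure is the setting to fix: with it, any machine on the network can overwrite the `_ldap._tcp` records above and redirect clients to a host of its choosing.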

* Groups have a type and a scope. The two types are security groups, which carry a SID and can be granted or denied rights and permissions, and distribution groups, which exist only as e-mail lists. Scope determines who may be a member and where the group can be used; the four scopes are local (machine), domain local, global and universal. The standard strategy (AGDLP) is to put user accounts in global groups, nest those in domain local groups, and assign permissions only to the domain local groups.

* Replication traffic is controlled by the site topology, the physical side of AD design. A site can hold DCs from several domains, and a domain can span several sites. A site is a set of IP subnets joined by fast, reliable links (10 Mbps or better). A site link connects two or more sites; site links are transitive by default ("bridge all site links"), and where that is turned off they are joined explicitly with site link bridges. The Knowledge Consistency Checker (KCC) is the built-in process that creates and maintains replication connections between DCs. Intra-site replication is tuned for low latency (notification-driven, uncompressed, RPC over IP); inter-site replication is tuned for bandwidth (scheduled, compressed) and uses RPC over IP, or SMTP for the schema, configuration and global catalog partitions only, never for a domain partition. Logon traffic from a client to a DC is roughly 100-120 KB per logon. A subnet can belong to only one site, and subnets are created after the sites are defined, since each subnet is assigned to a site.

* Place two DCs in the main site and at least one in every physical site with significant traffic. One DC in each site should also be a global catalog server.

* There are five operations master (FSMO) roles. Schema master (one per forest): the only DC that can write to the schema. Domain naming master (one per forest): adds and removes domains and the cross-reference objects pointing to external directories. Infrastructure master (one per domain): updates references to objects in other domains, such as group members from another domain, when those objects are renamed or moved; it must not sit on a global catalog server unless every DC in the domain is a GC, or the updates stop. PDC emulator (one per domain): acts as the PDC for NT 4.0 BDCs and down-level clients, receives password changes ahead of normal replication, processes account lockouts, is the domain's authoritative time source and the default DC used when editing GPOs. RID master (one per domain): hands each DC a pool of relative identifiers for the SIDs of new security principals.

* GPOs are linked at the site, domain and OU level and are applied in that order, so a setting in an OU-linked GPO overrides a conflicting one linked at the domain. Keep the number of GPOs small to limit logon-time processing and simplify troubleshooting, and disable the user or computer half of any GPO that carries no settings on that side. Audit policy is itself a GPO setting (Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy) and should be enforced through a GPO linked at the Domain Controllers OU so every DC logs the same events.
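As an added example (not from the original post), this PowerShell finds GPOs whose user or computer half is enabled but contains no settings, and disables that half, which is the clean-up the paragraph above recommends. The domain name is a hypothetical placeholder; it relies on the GroupPolicy module's Get-GPO and Get-GPOReport cmdlets and on the fact that, in the XML report, a half with no settings has no ExtensionData element.

```powershell
# Added example: detect and disable empty GPO halves.
Import-Module GroupPolicy
$domain = "corp.example"   # assumption: target domain

$findings = foreach ($gpo in Get-GPO -All -Domain $domain) {
    $xml = [xml](Get-GPOReport -Guid $gpo.Id -Domain $domain -ReportType Xml)
    # An enabled half with nothing configured has no ExtensionData node in the report.
    $userEmpty     = ($xml.GPO.User.Enabled     -eq 'true') -and ($null -eq $xml.GPO.User.ExtensionData)
    $computerEmpty = ($xml.GPO.Computer.Enabled -eq 'true') -and ($null -eq $xml.GPO.Computer.ExtensionData)
    if ($userEmpty -or $computerEmpty) {
        [pscustomobject]@{
            Name          = $gpo.DisplayName
            Id            = $gpo.Id
            UserEmpty     = $userEmpty
            ComputerEmpty = $computerEmpty
        }
    }
}
$findings | Format-Table -AutoSize

# Setting GpoStatus writes the GPO's flags attribute, so clients skip that half entirely.
foreach ($f in $findings) {
    $gpo = Get-GPO -Guid $f.Id -Domain $domain
    if ($f.UserEmpty -and $f.ComputerEmpty) { $gpo.GpoStatus = 'AllSettingsDisabled' }   # candidate for deletion
    elseif ($f.UserEmpty)                   { $gpo.GpoStatus = 'UserSettingsDisabled' }
    elseif ($f.ComputerEmpty)               { $gpo.GpoStatus = 'ComputerSettingsDisabled' }
}
```

Run the first half alone and review the table before letting the second loop write anything; a GPO with both halves empty is usually one to delete rather than keep disabled. To confirm that the audit policy delivered by GPO is what a DC actually enforces, compare the GPO's Audit Policy section in the same XML report against `auditpol /get /category:*` run on the DC itself.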