1 / 36

Session 2: Core Infrastructure Design

Session 2: Core Infrastructure Design. Andrew Hill – Consultant Rob Lowe – Consultant . MCS Talks Infrastructure Architecture. Live Meeting Information. Feedback Panel. Questions & Answers. Blog - http://blogs.technet.com/MCSTalks. Session 2: Core Infrastructure Design.

afya
Download Presentation

Session 2: Core Infrastructure Design

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Session 2: Core Infrastructure Design Andrew Hill – Consultant Rob Lowe – Consultant MCS Talks Infrastructure Architecture

  2. Live Meeting Information... • Feedback Panel • Questions & Answers • Blog - http://blogs.technet.com/MCSTalks

  3. Session 2: Core Infrastructure Design Andrew Hill – Consultant Rob Lowe – Consultant MCS Talks Infrastructure Architecture

  4. Purpose • Purpose: • To provide design guidance for Microsoft Windows Server 2008 Active Directory • Agenda • Determine process for Active Directory design • Assist designers in the decision-making process • Provide design assistance based on best-practice and real-world experience

  5. Active Directory Design Overview • Forest and domain design • Organizational Units (OUs) • Group Policy Objects (GPOs) • Security Groups • Domain Controller Placement (inc. RODC) • Sites Topology • Domain Controller Configuration • DNS

  6. Active Directory in Microsoft Infrastructure Optimization

  7. Tips for the Planning Process • Considerations at each design phase • Complexity • Cost • Fault Tolerance • Performance • Scalability • Security

  8. Contoso Network Infrastructure Glasgow LAN London LAN 100MB 1GB Ireland 1000 Users Development 1MB to 8MB ADSL Glasgow 25,000 Users Manufacturing Manchester 25,000 Users Call Centre London 6,000 Users Head Office 10MB Remote VPN Users 3,000 Manchester LAN 1MB 2MB 1GB York 100 Users 1MB India 1500 Users Development Bristol Fail Over Data Centre Manchester Data Centre 10MB Newcastle 350 Users 10MB 1MB 1MB 1MB 512KB 512KB 1MB Edinburgh 400 Users Birmingham 750 Users Reading 350 Users Exeter 500 Users Oxford 250 Users Tokyo 10 Users Paris 20 Users New York 30 Users

  9. Determine the Number of Forests • How Many Forests? • Option 1: Single Forest • Option 2: Multiple Forests • Multiple Forest Drivers • Multiple Schemas • Resource Forests • Forest Administrator Distrust • Legal Regulations for Application or Data Access • Requirements to be disconnected for long periods (e.g. Military)

  10. Single Organizational Forest Model Users Exchange Workstations Applications SharePoint

  11. Multiple Organizational Forest Model Forest Trust Users Users Workstations Workstations Exchange Exchange Applications Applications SharePoint SharePoint

  12. Shared Resource Forest Model Exchange Users Users Forest Trust Forest Trust Applications Applications Workstations Workstations SharePoint

  13. Shared Account Forest Model Forest Trust Forest Trust Users Workstations Exchange Applications SharePoint Restricted Data and Applications Restricted Data and Applications

  14. Determine the Number of Domains • How many Domains? • Option 1: Single Domain • Option 2: Multiple Domains • Multiple Domain drivers • Large number of frequently changing attributes • Reduced replication traffic • Control replication traffic over slow links • Preserve legacy active directory

  15. Forest and Domain Functional Levels • 2003 interim FFL • Linked Value Replication • Different replication compression ratios • Improved KCC • 2003 FFL • Forest Trusts ( + with Selective Authentication) • Deactivation of attributes within the Schema • Domain Rename • RODC (2008 OS only with schema updates) • 2008 DFL • Fine Grained Password Policies • DFS-R for Sysvol • Last Interactive logon information

  16. Fine-Grained Password Policies Exceptional PSO msDS-PSOApplied msDS-PSOAppliesTo Attributes msDS-PasswordSettingsPrecedence msDS-PasswordReversibleEncryptionEnabled msDS-PasswordHistoryLength msDS-PasswordComplexityEnabled msDS-MinimumPasswordLength msDS-MinimumPasswordAge msDS-MaximumPasswordAge msDS-LockoutThreshold msDS-LockoutObservationWindow msDS-LockoutDuration • PSO Application • Lowest Precedence Value or PSO GUID • msDS-ResultantPso – identifies which PSO • RSOP Calculation • User and Global Group Links Included • User will override group • Best to only assign users to 1 PSO Global Group

  17. Assign Domain Names • Assign the NetBIOS Name • Maximum effective length of 15 characters • Use a NetBIOS name that is unique across organisation • Assign DNS Name • Ensure uniqueness by not duplicating existing registered Internet domain names • Register all domain names with Internic • Name should not represent business unit or division • Avoid using single-label names

  18. Organisational Units • Choose an OU Design: • Task 1: Design OU Configuration for Delegation of Administration • Task 2: Design OU Configuration for Group Policy Application • Other OU (and container) related recommended practices • Do not move DCs out of the Domain Controllers OU • Do not move built-in users and groups from users container • OUs and child objects now protected from accidental deletion by default in 2008

  19. Contoso Organisational Unit Design

  20. Group Policy Objects • Very powerful, but consider management of group policies in design • Best practices • Specify user and computer settings in separate GPOs • Use many small GPOs with few settings each rather than fewer large GPOs with many settings • Make GPO descriptive for its purpose • Do not unlink Default Domain and DDC policies • Advanced Group Policy Management • Change Control Workflow • V3.0 (2008) increases granular permissions

  21. Advanced Group Policy Management Benefits What it Does • Enable group policy change management • Provides granular administrative control • Reduce risk of widespread failure • Versioning, history & rollback of group policy changes • Role-based administration & templates • Workflow • Offline editing Next version Current version 3.0 RTM September 2008 2.5

  22. Advanced Group Policy Management - Reporting

  23. Group Policy Preferences

  24. Security Groups • Group Scope • Account groups – for group users and computers • Global • Universal • Resource groups – for controlling rights and permissions • Domain Local • Built-in Local • Complex Group nesting makes audit and reconciliation more difficult

  25. Domain Controller Placement • Placement of the Domain Controllers: • Hub Locations • Satellite (Branch) Locations • Heavily dictated by network and application requirements • Global Catalog (GC) • Very few reasons now not to make all DCs a GC • Read-Only Domain Controllers • New in Windows Server 2008 (Read-Only AD and no passwords) • Primarily a security feature to mitigate against high risk sites

  26. RODC Deployment • Consider the following: • Application needs – Exchange? • Applications make Write / Read back calls? • Site topology – BASL turned off? • Password Replication Policy – which model for you? • Remember no cached accounts means more WAN / HUB DC impact • Cache computer and User accounts • Deployment: • Start with min 2 x 2008 RW Hub DCs • Add 2008 RWDC to NS records (for RSO) • Delegate deployment – don’t use Domain Admins

  27. Create the Site Design • Option 1: create a logical site for each physical location • Assign subnets for each physical location to corresponding site • Site coverage • Option 2: create a logical site only for physical locations with domain controllers • Assign subnets for each physical location to most appropriate site depending on underlying network

  28. Create a Site Link Design • Site links map to underlying network • Set cost and schedule • Bridge all site links (on by default) • Appropriate if network is fully routable (all domain controllers can communicate with all other domain controllers) • Generally not recommended for Branch Office – KCC overheads • Use Repadmin /siteoptions to disable! • Custom Site Link Bridges • Use when the network is not fully routed, e.g. when network firewalls restrict communications between domain controllers

  29. Contoso Network Infrastructure Revisited Glasgow LAN London LAN 100MB 1GB Ireland 1000 Users Development 1MB to 8MB ADSL Glasgow 25,000 Users Manufacturing Manchester 25,000 Users Call Centre London 6,000 Users Head Office 10MB Remote VPN Users 3,000 Manchester LAN 1MB 2MB 1GB York 100 Users 1MB India 1500 Users Development Bristol Fail Over Data Centre Manchester Data Centre 10MB Newcastle 350 Users 10MB 1MB 1MB 1MB 512KB 512KB 1MB Edinburgh 400 Users Birmingham 750 Users Reading 350 Users Exeter 500 Users Oxford 250 Users Tokyo 10 Users Paris 20 Users New York 30 Users

  30. Active Directory Replication Topology • KCC automatically manages based on site link design • Applies to Active Directory and Sysvol replication • Sysvol uses DFS-R for replicating its contents in new Windows Server 2008 native forests • Sysvol can be migrated to DFS-R once DFL is at 2008 • FRS VVJoins are inherently inefficient • DFS-R Sysvol eliminates inefficiency in FRS VVJoins • Migration is simple 4 step process for upgraded forests

  31. Domain Controller Configuration • 64-bit supports much larger addressable memory space • Allow enough memory for entire Active Directory database to be cached • Think about 64 bit now, 32 bit will be unavailable in several years time • CPU and query performance • Disk configuration • Keep database and logs on separate physical drives for better performance • Running RODCs on Hyper-V • Never snapshot a DC – even RODC

  32. DNS • Critical for Active Directory • AD-integrated DNS recommended • Consider Forwarding model • Root hints can introduce additional management overhead. • Forwarding is recommended approach for AD • New in Windows Server 2008 • Storage of Conditional Forwarding settings in Active Directory

  33. What’s Next? Discuss, Rinse, Repeat • Implement your design • Test and refine design along the way

  34. Summary and Conclusion • Organizations should base the design of their Active Directory infrastructure on business and technical requirements • Considerations should include: • The scope of the network and environment • Technical requirements and considerations • Additional business requirements • Designing an Active Directory infrastructure to meet these requirements • Validating the overall approach

  35. Questions and Answers • Please enter your questions using the Q&A panel for the presenters!

  36. Thank you for attending this TechNet Event Find these slides at: http://www.microsoft.com/uk/technetslides Visit our blog at: http://blogs.technet.com/mcstalks Register for the next session, Messaging, at: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032386416&Culture=en-GB Please fill out your evaluations!

More Related