session 2 core infrastructure design n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Session 2: Core Infrastructure Design PowerPoint Presentation
Download Presentation
Session 2: Core Infrastructure Design

Loading in 2 Seconds...

play fullscreen
1 / 36

Session 2: Core Infrastructure Design - PowerPoint PPT Presentation


  • 167 Views
  • Uploaded on

Session 2: Core Infrastructure Design. Andrew Hill – Consultant Rob Lowe – Consultant . MCS Talks Infrastructure Architecture. Live Meeting Information. Feedback Panel. Questions & Answers. Blog - http://blogs.technet.com/MCSTalks. Session 2: Core Infrastructure Design.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Session 2: Core Infrastructure Design' - afya


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
session 2 core infrastructure design

Session 2: Core Infrastructure Design

Andrew Hill – Consultant

Rob Lowe – Consultant

MCS Talks Infrastructure Architecture

live meeting information
Live Meeting Information...
  • Feedback Panel
  • Questions & Answers
  • Blog - http://blogs.technet.com/MCSTalks
session 2 core infrastructure design1

Session 2: Core Infrastructure Design

Andrew Hill – Consultant

Rob Lowe – Consultant

MCS Talks Infrastructure Architecture

purpose
Purpose
  • Purpose:
    • To provide design guidance for Microsoft Windows Server 2008 Active Directory
  • Agenda
    • Determine process for Active Directory design
    • Assist designers in the decision-making process
    • Provide design assistance based on best-practice and real-world experience
active directory design overview
Active Directory Design Overview
  • Forest and domain design
  • Organizational Units (OUs)
  • Group Policy Objects (GPOs)
  • Security Groups
  • Domain Controller Placement (inc. RODC)
  • Sites Topology
  • Domain Controller Configuration
  • DNS
tips for the planning process
Tips for the Planning Process
  • Considerations at each design phase
    • Complexity
    • Cost
    • Fault Tolerance
    • Performance
    • Scalability
    • Security
contoso network infrastructure
Contoso Network Infrastructure

Glasgow LAN

London LAN

100MB

1GB

Ireland

1000 Users

Development

1MB to 8MB

ADSL

Glasgow

25,000 Users

Manufacturing

Manchester

25,000 Users

Call Centre

London

6,000 Users

Head Office

10MB

Remote

VPN Users

3,000

Manchester

LAN

1MB

2MB

1GB

York

100 Users

1MB

India

1500 Users

Development

Bristol

Fail Over

Data Centre

Manchester

Data Centre

10MB

Newcastle

350 Users

10MB

1MB

1MB

1MB

512KB

512KB

1MB

Edinburgh

400 Users

Birmingham

750 Users

Reading

350 Users

Exeter

500 Users

Oxford

250 Users

Tokyo

10 Users

Paris

20 Users

New York

30 Users

determine the number of forests
Determine the Number of Forests
  • How Many Forests?
    • Option 1: Single Forest
    • Option 2: Multiple Forests
  • Multiple Forest Drivers
    • Multiple Schemas
    • Resource Forests
    • Forest Administrator Distrust
    • Legal Regulations for Application or Data Access
    • Requirements to be disconnected for long periods (e.g. Military)
single organizational forest model
Single Organizational Forest Model

Users

Exchange

Workstations

Applications

SharePoint

multiple organizational forest model
Multiple Organizational Forest Model

Forest Trust

Users

Users

Workstations

Workstations

Exchange

Exchange

Applications

Applications

SharePoint

SharePoint

shared resource forest model
Shared Resource Forest Model

Exchange

Users

Users

Forest Trust

Forest Trust

Applications

Applications

Workstations

Workstations

SharePoint

shared account forest model
Shared Account Forest Model

Forest Trust

Forest Trust

Users

Workstations

Exchange

Applications

SharePoint

Restricted Data and Applications

Restricted Data and Applications

determine the number of domains
Determine the Number of Domains
  • How many Domains?
    • Option 1: Single Domain
    • Option 2: Multiple Domains
  • Multiple Domain drivers
    • Large number of frequently changing attributes
    • Reduced replication traffic
    • Control replication traffic over slow links
    • Preserve legacy active directory
forest and domain functional levels
Forest and Domain Functional Levels
  • 2003 interim FFL
    • Linked Value Replication
    • Different replication compression ratios
    • Improved KCC
  • 2003 FFL
    • Forest Trusts ( + with Selective Authentication)
    • Deactivation of attributes within the Schema
    • Domain Rename
    • RODC (2008 OS only with schema updates)
  • 2008 DFL
    • Fine Grained Password Policies
    • DFS-R for Sysvol
    • Last Interactive logon information
fine grained password policies
Fine-Grained Password Policies

Exceptional PSO

msDS-PSOApplied

msDS-PSOAppliesTo

Attributes

msDS-PasswordSettingsPrecedence

msDS-PasswordReversibleEncryptionEnabled

msDS-PasswordHistoryLength

msDS-PasswordComplexityEnabled

msDS-MinimumPasswordLength

msDS-MinimumPasswordAge

msDS-MaximumPasswordAge

msDS-LockoutThreshold

msDS-LockoutObservationWindow

msDS-LockoutDuration

  • PSO Application
    • Lowest Precedence Value or PSO GUID
    • msDS-ResultantPso – identifies which PSO
  • RSOP Calculation
    • User and Global Group Links Included
    • User will override group
    • Best to only assign users to 1 PSO Global Group
assign domain names
Assign Domain Names
  • Assign the NetBIOS Name
    • Maximum effective length of 15 characters
    • Use a NetBIOS name that is unique across organisation
  • Assign DNS Name
    • Ensure uniqueness by not duplicating existing registered Internet domain names
    • Register all domain names with Internic
    • Name should not represent business unit or division
    • Avoid using single-label names
organisational units
Organisational Units
  • Choose an OU Design:
    • Task 1: Design OU Configuration for Delegation of Administration
    • Task 2: Design OU Configuration for Group Policy Application
  • Other OU (and container) related recommended practices
    • Do not move DCs out of the Domain Controllers OU
    • Do not move built-in users and groups from users container
    • OUs and child objects now protected from accidental deletion by default in 2008
group policy objects
Group Policy Objects
  • Very powerful, but consider management of group policies in design
  • Best practices
    • Specify user and computer settings in separate GPOs
    • Use many small GPOs with few settings each rather than fewer large GPOs with many settings
    • Make GPO descriptive for its purpose
    • Do not unlink Default Domain and DDC policies
  • Advanced Group Policy Management
    • Change Control Workflow
    • V3.0 (2008) increases granular permissions
advanced group policy management
Advanced Group Policy Management

Benefits

What it Does

  • Enable group policy change management
  • Provides granular administrative control
  • Reduce risk of widespread failure
  • Versioning, history & rollback of group policy changes
  • Role-based administration & templates
  • Workflow
  • Offline editing

Next version

Current

version

3.0 RTM

September 2008

2.5

security groups
Security Groups
  • Group Scope
  • Account groups – for group users and computers
    • Global
    • Universal
  • Resource groups – for controlling rights and permissions
    • Domain Local
    • Built-in Local
  • Complex Group nesting makes audit and reconciliation more difficult
domain controller placement
Domain Controller Placement
  • Placement of the Domain Controllers:
    • Hub Locations
    • Satellite (Branch) Locations
    • Heavily dictated by network and application requirements
  • Global Catalog (GC)
    • Very few reasons now not to make all DCs a GC
  • Read-Only Domain Controllers
    • New in Windows Server 2008 (Read-Only AD and no passwords)
    • Primarily a security feature to mitigate against high risk sites
rodc deployment
RODC Deployment
  • Consider the following:
    • Application needs – Exchange?
    • Applications make Write / Read back calls?
    • Site topology – BASL turned off?
    • Password Replication Policy – which model for you?
      • Remember no cached accounts means more WAN / HUB DC impact
      • Cache computer and User accounts
  • Deployment:
    • Start with min 2 x 2008 RW Hub DCs
    • Add 2008 RWDC to NS records (for RSO)
    • Delegate deployment – don’t use Domain Admins
create the site design
Create the Site Design
  • Option 1: create a logical site for each physical location
    • Assign subnets for each physical location to corresponding site
    • Site coverage
  • Option 2: create a logical site only for physical locations with domain controllers
    • Assign subnets for each physical location to most appropriate site depending on underlying network
create a site link design
Create a Site Link Design
  • Site links map to underlying network
    • Set cost and schedule
  • Bridge all site links (on by default)
    • Appropriate if network is fully routable (all domain controllers can communicate with all other domain controllers)
    • Generally not recommended for Branch Office – KCC overheads
    • Use Repadmin /siteoptions to disable!
  • Custom Site Link Bridges
    • Use when the network is not fully routed, e.g. when network firewalls restrict communications between domain controllers
contoso network infrastructure revisited
Contoso Network Infrastructure Revisited

Glasgow LAN

London LAN

100MB

1GB

Ireland

1000 Users

Development

1MB to 8MB

ADSL

Glasgow

25,000 Users

Manufacturing

Manchester

25,000 Users

Call Centre

London

6,000 Users

Head Office

10MB

Remote

VPN Users

3,000

Manchester

LAN

1MB

2MB

1GB

York

100 Users

1MB

India

1500 Users

Development

Bristol

Fail Over

Data Centre

Manchester

Data Centre

10MB

Newcastle

350 Users

10MB

1MB

1MB

1MB

512KB

512KB

1MB

Edinburgh

400 Users

Birmingham

750 Users

Reading

350 Users

Exeter

500 Users

Oxford

250 Users

Tokyo

10 Users

Paris

20 Users

New York

30 Users

active directory replication topology
Active Directory Replication Topology
  • KCC automatically manages based on site link design
  • Applies to Active Directory and Sysvol replication
  • Sysvol uses DFS-R for replicating its contents in new Windows Server 2008 native forests
    • Sysvol can be migrated to DFS-R once DFL is at 2008
    • FRS VVJoins are inherently inefficient
    • DFS-R Sysvol eliminates inefficiency in FRS VVJoins
    • Migration is simple 4 step process for upgraded forests
domain controller configuration
Domain Controller Configuration
  • 64-bit supports much larger addressable memory space
    • Allow enough memory for entire Active Directory database to be cached
    • Think about 64 bit now, 32 bit will be unavailable in several years time
  • CPU and query performance
  • Disk configuration
    • Keep database and logs on separate physical drives for better performance
  • Running RODCs on Hyper-V
    • Never snapshot a DC – even RODC
slide32
DNS
  • Critical for Active Directory
    • AD-integrated DNS recommended
  • Consider Forwarding model
    • Root hints can introduce additional management overhead.
    • Forwarding is recommended approach for AD
  • New in Windows Server 2008
    • Storage of Conditional Forwarding settings in Active Directory
what s next discuss rinse repeat
What’s Next? Discuss, Rinse, Repeat
  • Implement your design
  • Test and refine design along the way
summary and conclusion
Summary and Conclusion
  • Organizations should base the design of their Active Directory infrastructure on business and technical requirements
  • Considerations should include:
    • The scope of the network and environment
    • Technical requirements and considerations
    • Additional business requirements
    • Designing an Active Directory infrastructure to meet these requirements
    • Validating the overall approach
questions and answers
Questions and Answers
  • Please enter your questions using the Q&A panel for the presenters!
slide36

Thank you for attending this TechNet Event

Find these slides at:

http://www.microsoft.com/uk/technetslides

Visit our blog at:

http://blogs.technet.com/mcstalks

Register for the next session, Messaging, at:

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032386416&Culture=en-GB

Please fill out your evaluations!