Color profile: Generic CMYK printerprofileTip&Tec/ Windows Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x /Composite Default screenBlind Folio 3:78CHAPTER 3Designing the Active DirectoryIN THIS CHAPTER Introducing Active Directory79 Designing the Solution: Using the Active Directory Blueprint87 Putting the Blueprint into Action89 Forest/Tree/Domain Strategy91 Designing the Naming Strategy101 Designing the Production Domain OU Structure104 AD and Other Directories112 Service Positioning116 Site Topology127 Schema Modification Strategy133 AD Implementation Plan135 The Ongoing AD Design Process137 Best Practice Summary137 Chapter Roadmap138P:\010Comp\Tip&Tec\343-x\ch03.vpTuesday, March 25, 2003 11:32:02 AM

Color profile: Generic CMYKprinterprofile Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 3Tip&Tec/ WindowsComposite Default screenActive Directory is the core of the Windows Server 2003 network. It is the central componentthat not only serves to provide authentication and authorization, but also administration,information sharing, and information availability. It can be defined as follows:“A secure virtual environment where users can interact either with each other or with networkcomponents, all according to the business rules of the enterprise.”Quite a change from Windows NT, isn’t it? It’s no wonder people have not accepted ActiveDirectory (AD) at a neck-breaking pace. It is a paradigm shift that is even more complex than movingfrom character-based computing to the graphical interface. Understanding the breadth of possibilitiesActive Directory brings is the biggest challenge of the enterprise network with WS03.The first rule you must set for yourself when working to design your Active Directory is “Use bestpractices everywhere!” Don’t try to change the way Active Directory is designed to work no matterwhat you might think at first. Active Directory provides a wealth of opportunities that you will discoveras you implement, use, and operate it. Changes that might make sense according to IT concepts todaymay well have a negative impact on the operation of your Active Directory tomorrow.The first step toward the implementation of the enterprise network—you could say the major steptoward this implementation—is the design and implementation of your Active Directory. Even if youhave already implemented Active Directory and are using it with Windows 2000, a quick review ofhow you design and plan to use directory services in your network can’t hurt, unless you are completelysatisfied with the way your directory delivers service. In that case, you can move on to Chapter 4 toreview your communications infrastructure and begin installing the enterprise network. If, on theother hand, you are using Windows NT and want to move to WS03, the following section is a mustand cannot be overlooked under any circumstances.Introducing Active DirectoryCountless books, articles, and presentations have been written on the subject of Active Directory, and it isnot the intention of this book to repeat them. However, it is important to review a few basic terms andconcepts inherent in Active Directory. Figure 3-1 illustrates the concepts that make up an Active Directory.Active Directory is first and foremost a database. As such it contains a schema—a databasestructure. This schema applies to every instance of Active Directory. An instance is defined as anActive Directory forest. The forest is the largest single partition for any given database structure.Every person and every device that participates in the forest will share a given set of attributes andobject types. That’s not to say that information sharing in Active Directory is limited to a singleforest. Forests can be linked together to exchange certain information, especially with WindowsServer 2003. WS03 introduces the concept of forest trusts which allow forests to share portions oftheir entire Active Directory database with others and vice versa.If you compare the WS03 forest to Windows NT, you can easily see that while NT also includedan identity management database—the domain—its scope was seriously limited compared to ActiveDirectory. NT could basically store the user or computer name along with passwords and a few rulesaffecting all objects. The basic WS03 AD database includes more than 200 object types and morethan 1,000 attributes by default. You can, of course, add more object types or attributes to thisdatabase. Software products that take advantage of information stored in the Active Directory will79P:\010Comp\Tip&Tec\343-x\ch03.vpTuesday, March 25, 2003 11:32:02 AM

Color profile: GenericCMYK printerprofileTip&Tec/ WindowsServer 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 3Composite Default screen80Windows Server 2003: Best Practices for Enterprise DeploymentsFigure 3-1The Active Directory databasealso extend the AD schema. Microsoft Exchange, for example, practically doubles the number ofobjects and attributes in a forest because it is integrated to the directory.Like any database, AD categorizes the objects it contains, but unlike relational databases, ActiveDirectory’s database structure is hierarchical. This is because it is based on the structure of the DomainNaming System (DNS), used on the World Wide Web. On the Web, everything is hierarchical. Forexample, the root of Microsoft’s Web site is Everything spans from this page.P:\010Comp\Tip&Tec\343-x\ch03.vpTuesday, March 25, 2003 11:32:07 AM

Color profile: Generic CMYKprinterprofile Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 3Tip&Tec/ WindowsComposite Default screenChapter 3: Designing the Active Directory81Moving to any other section, such as TechNet or MSDN, sends you to pages whose names are basedon the root.Forests act in the same way except that in a forest, the root point (analogous to the home page)is the root domain. Every AD forest must have at least one domain. Domains act as discrete objectcontainers in the forest. Domains can be regrouped into trees. Trees are segregated from each otherthrough their DNS name. For example, Microsoft has a multitree forest. Its namespace, the DNSelement that defines the boundaries of the forest, is As such, all domains in this treehave names similar to Microsoft created a second tree when it in its forest. The namespace automatically created a tree and all domains underit are named forest will include at least one tree and at least one domain. The domain is both a securitypolicy and an administration boundary. It is required to contain objects such as users, computers,servers, domain controllers, printers, file shares, applications, and much more. If you have more thanone domain in the forest, it will automatically be linked to all others through automatic transitivetwo-way trusts. The domain is defined as a security policy boundary because it contains rules thatapply to the objects stored in it. These rules can be in the form of security policies or Group PolicyObjects (GPOs). Security policies are global domain rules. GPOs tend to be more discrete and areapplied to specific container objects. While domains are discrete security policy boundaries, theultimate security boundary will always be the forest.Domain contents can be further categorized through grouping object types such as OrganizationalUnits (OUs) or groups. Organizational Units provide groupings that can be used for administrativeor delegation purposes. Groups are used mainly for the application of security rights. WS03 groupsinclude Universal, which can span an entire forest, Global, which can span domains, or DomainLocal, which are contained in a single domain. OUs are usually used to segregate objects vertically.Objects such as users and computers can only reside inside a single OU, but groups can span OUs.Thus they tend to contain horizontal collections of objects. An object such as a user can be includedin several groups, but only in a single OU.Users also have it easier with Active Directory. Working in a distributed forest composed of severaldifferent trees and subdomains can become very confusing to the user. AD supports the notion of userprincipal name (UPN). The UPN is often composed of the username along with the global forest rootname. This root name can be the name of the forest or a special alias you assign. For example, in aninternal forest named, you might use [email protected] as the UPN, making it simplerfor your users by using your external DNS name for the UPN. Users can log on to any domain orforest they are allowed to by using their UPN. In their local domain, they can just use their usernameif they prefer.Forests, Trees, Domains, Organizational Units, Groups, Users, and Computers are all objectsstored in the Active Directory database. As such, they can be manipulated globally or discretely. Thesingle major difference between Active Directory and a standard database is that in addition to beinghierarchical, it is completely decentralized. Most Active Directory databases are also distributedgeographically because they represent the true nature of an enterprise or an organization.Managing a completely distributed database is considerably more challenging than managing adatabase that is located in a single area. To simplify distributed database issues, Active Directoryintroduces the concept of multimaster replication. This means that even though the entire forestdatabase is comprised of distributed deposits—deposits that, depending on their location in theP:\010Comp\Tip&Tec\343-x\ch03.vpTuesday, March 25, 2003 11:32:07 AM

Color profile: GenericCMYK printerprofileTip&Tec/ WindowsServer 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 3Composite Default screen82Windows Server 2003: Best Practices for Enterprise Deploymentslogical hierarchy of the forest, may or may not contain the same information as others—databaseconsistency will be maintained. Through the multimaster structure, AD can accept local changesand ensure consistency by relaying the information or the changes to all of the other deposits in thedomain or the forest. This is one of the functions of the Domain Controller object in the directory.The only deposits that have exactly the same information in the AD database are two domaincontrollers in the same domain. Each of these data deposits contains information about its owndomain as well as whatever information has been determined to be of forest-wide interest by forestadministrators. At the forest level, you can determine the information to make available to the entireforest by selecting the objects and the attributes from the database schema whose properties you wantto share among all trees and domains. In addition, other forest-wide information includes the databaseschema and the forest configuration, or the location of all forest services. Published information isstored in the Global Catalog. AD publishes some items by default, such as the contents of Universalgroups, but you can also add or subtract published items to your taste. For example, you might decideto include your employees’ photos in the directory and make them available forest-wide. NOTENot all items are unpublishable; some items are prerequisites for the proper operation of ActiveDirectory Services.Whatever is published in the Global Catalog is shared by all domain controllers who play this rolein the forest. Whatever is not published remains within the domain. This data segregation controls theindividuality of domains. Whatever is not published can contain discrete information that may be ofthe same nature, even use the same values, as what is contained in another domain. Properties that arepublished in the Global Catalog of a forest must be unique just as in any other database. For example,you can have two John Smiths in a forest so long as they are both in different domains. Since thename of the object includes the name of its container (in this case, the domain), Active Directory willsee each John Smith as a discrete object.Figure 3-2 illustrates the contents of the directory store, or the NTDS.DIT database, that is locatedon every domain controller in the forest. Three items are in every directory store—the schema, theconfiguration and the domain data—and two are optional—the Global Catalog and the applicationpartition (defined later).The Global Catalog, schema, and configuration are information that is replicated throughout theforest. Domain data is information that is replicated only within the domain. Replication over localand distant networks is controlled through regional database partitions. Organizations may decide tocreate these partitions based on a number of factors. Since the domain is a security policy boundary,authoritative organizations—organizations that span a number of geographic locations they control—may want to create a single domain that spans these locations. To segregate each region, and controlthe amount and timing of database replication between regions, the domain would be divided intosites. Sites are physical partitions that control replication by creating boundaries based on InternetProtocol (IP) addressing.Organizations that are not authoritative, have independent administrations, do not control theirregional locations, or have slow links between each location, may want to further control replicationthrough the creation of regional domains. Regional domains greatly reduce replication since onlyP:\010Comp\Tip&Tec\343-x\ch03.vpTuesday, March 25, 2003 11:32:07 AM

Color profile: Generic CMYKprinterprofile Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 3Tip&Tec/ WindowsComposite Default scree