Chat
Topic: Designing and Deploying Active Directory Services
Chat Expert: Manik Ahuja
April 6, 2005
subhashini (Moderator): hello everybody. A very good evening to all of you.
subhashini (Moderator): welcome to today's chat on Designing and Deploying Active Directory Services
subhashini (Moderator): We have Manik Ahuja with us today.
subhashini (Moderator): I am sure most of you already know him. But to give a quick intro about him:
subhashini (Moderator): Manik is with Microsoft India as an IT Pro Evangelist.
subhashini (Moderator): Manik Ahuja is an avid technology enthusiast. He has a variety of experience from Academics to Professional Consulting over a period of more than 10 years. This coupled with an equally wide skill set that ranges from Windows to Unix & Linux makes him every bit of a technology consultant. He is also an MCSE (Twice Over) and an RHCE (Red Hat Certified Engineer); his strengths lie in designing complex, heterogeneous and yet completely interoperable networks. His interests lie in helping customers with selecting the right technology and enabling IT Professionals to do their job better.
subhashini (Moderator): You can reach him at mahuja@microsoft.com
subhashini (Moderator): a few chat rules
subhashini (Moderator): before we begin
subhashini (Moderator): Please refrain from sending any private messages to the expert during the chat
subhashini (Moderator): Chat Procedures: This chat will last for one hour. During this hour, our Experts will respond to as many questions as they can. Please understand that there may be some questions we cannot respond to due to lack of information or because the information is not yet public. We encourage you to submit questions for our Experts. We ask that you stay on topic for the duration of the chat. This helps the Guests and Experts follow the conversation more easily. We invite you to ask off topic questions after this chat is over.
subhashini (Moderator): So the stage is set! Let's welcome Manik Ahuja..
subhashini (Moderator): Hi manik
Manik (Expert): Hi everybody, good evening to all
Manik (Expert): Hi
Manik (Expert): Okay all of you already got my introduction, that's good, thanks to Subhashini for that
subhashini (Moderator): :-)
Manik (Expert): So let's have a quick introduction for all, let's start with the nick names as they appear on the list
Manik (Expert): please tell us about your real name, present occupation and the status of ACTIVE DIRECTORY in your organization ;)
Manik (Expert): Great and where are you based Sidhu
Manik (Expert): absolutely ;)
Manik (Expert): may I please request others to quickly introduce themselves to the group.
Manik (Expert): Thanks Dasaradha, you are welcome, I am going to do exactly that today
Manik (Expert): Thanks Vivek
Manik (Expert): Welcome rvaddadi
Manik (Expert): Welcome to you too
Manik (Expert): Hi Shreeman
Manik (Expert): Hi Rishi
Manik (Expert): I guess there are a few people left to introduce, urge them to quickly introduce themselves
Manik (Expert): Well, here is the agenda for today.
Manik (Expert):
Planning an Active Directory Deployment Project
Designing the Active Directory Logical Structure
Designing the Site Topology
Planning Domain Controller Capacity
Manik (Expert): Sorry for that
Manik (Expert): The agenda is as follows
Manik (Expert): We will look at the basics of Active Directory, what it is and how it helps you perform better
Manik (Expert): Then we will look at Planning an Active Directory Deployment Project
Manik (Expert): Followed by Designing the Site Topology for Active Directory
Manik (Expert): and finally with Planning Domain Controller Capacities.
Manik (Expert): All of you are welcome to ask me any question that you want and I will try to answer them :)
Manik (Expert): An Active Directory is basically a database system, optimized for searching and grouping of related sets of information
Manik (Expert): you can ask the questions as we go along
Manik (Expert): Typically all users are part of the Users and Groups OU
Manik (Expert): It is not a scaled version of LDAP, but basically built on top of an LDAP compliant system, and yes it is fully compatible with the LDAP standard
Manik (Expert): Yes you can use LDAP queries from Linux to query an ADS database.
Manik (Expert): Hi Manikadsi, can you please elaborate on your question..
Manik (Expert):
Q: Heard it's a scaled down version of LDAP?
A: It is not a scaled version of LDAP, but basically built on top of an LDAP compliant system, and yes it is fully compatible with the LDAP standard
Manik (Expert):
Q: Can we use the db in Linux LDAP and use Active Directory Service API for manipulation
A: Yes you can use LDAP queries from Linux to query an ADS database
Manik (Expert):
Q: I am starting with: what are the security concerns with ADSI and WMI, that is if i need to create a remote share or i need to remote admin to run a program in a remote comp thru WMI and ADSI?
A: The security concerns will typically be the same that you would take care of when running this script locally on a computer
Manik (Expert):
Q: extending my question i need to be a remote admin to run my program (adsi script) throughout the shared network? what is the security concern in .net i need to follow up with?
A: Same as earlier
Manik (Expert):
Q: In ADSI we can store only user profile or we can store any other information
A: In ADSI, you can store almost any attribute of information that you can think of. The out of the box implementation takes care of almost everything that you would need to manage an organization effectively. If needed you can even extend the schema of the ADS by writing your custom objects / attributes
Manik (Expert):
Q: Last week i had set up a new windows 2003 server and set users permissions, as a result of which the administrator was getting only readonly access on the server. What could be the mistake?
A: The administrator typically has complete permission on the server, please check the default groups to which he belongs, the only problem could be wrongly assigned group memberships, or an ordinary account renamed as administrator
Manik (Expert):
Q: Ok thank you, can you explain a practical scenario?
A: A practical scenario to achieve a cross platform functionality between Linux LDAP queries and ADS could be a Linux Mail Server that requires user account information to deliver mail and for that it queries the ADS database
Manik (Expert):
Q: What is difference bet Directory service and RDBMS?
A: A directory service is a search optimized and customized database to suit the needs of an organization. The language used to query the LDAP database is also different
Manik (Expert):
Q: when giving specific rights to any folder can i remove everyone from the ntfs security permissions
A: Absolutely, and that is the correct way of assigning permissions too. You should remove the everyone group and then assign permissions to only those users/groups that need it
Manik (Expert):
Q: I am designing a login control in C#.net which will support different authentication models. Active directory is one of those so i need some help regarding the same.
A: I am sorry I would not be able to help you with that as I am not a developer. I guess you could get a good answer from one of our Developer groups like the bdotnet user group at groups.msn.com/bdotnet
Manik (Expert):
Q: Exchange server is internally used ADSI?
A: An ADSI is generally installed and configured when you install Windows 2000/2003 Server and configure it. During that process it prompts you for installing the Exchange Schema also. If you have an Exchange server you should then choose the option to install that. You could also extend the schema later when you install the Exchange server
Manik (Expert):
Q: coz one of my seniors had then attended the prob and he mentioned that he added the everyone group and the problem was solved. even i was puzzled how can that be? can this be a solution??
A: Not recommended though
Manik (Expert):
Q: If you can please explain with a code snippet about the possibilities
A: Hi Bijoy, can't help you with a code snippet but definitely could share with you the syntax of the LDAP command that can be used from Linux to query the ADS. It goes like this......
Manik (Expert):
Q: If you can please explain with a code snippet about the possibilities
A: # ldapsearch -x -H ldap://<ldap server name / ip address> -D "<bind account>" -W -b "<base DN>" "<search filter>" <attribute list>
(-x selects a simple bind, -D/-W bind as the given account and prompt for its password, -b sets the search base, and the attributes to return are listed after the filter)
Manik (Expert):
Q: Can i say there is tight integration bet Exchange and ADSI?
A: Absolutely, actually they are designed to best work in this fashion, for example if you have this setup, whenever you create an ordinary user in the domain, you will be prompted to configure his email account too. All this is automatic and you just have to define the user properties once.
Manik (Expert):
Q: can't we manipulate the impersonation of the remote user using adsi? how? if yes isn't it a security loophole?
A: You cannot manipulate the information within the ADSI database without relevant privileges, normally that is the domain admin's password. Further the permissions that you want to give to different users can also be fine tuned to suit the exact requirements. For example you may have permissions given to ordinary users only for querying and listing specific attributes from a User's Profile
Manik (Expert): Also using ADS you can actually delegate management of specific parts of the domains, based on OUs or even regions or any other Unit to different people
Manik (Expert): this way the design can actually scale out to accommodate thousands and even millions of objects in the directory
Manik (Expert): Ok
Manik (Expert):
Q: Let's go through your agenda
A: ok
Manik (Expert): I wanted to talk a little more about planning a domain controller to basically give you an idea as to what kind of servers are needed to host an ADS solution based on number of users
Manik (Expert): Planning domain controller capacity helps you estimate the hardware requirements for domain controllers that are running Windows Server 2003. Your actual hardware requirements depend on the specific usage patterns in your environment.
Manik (Expert): typically for a domain structure of 1 - 499 users you would need a Uniprocessor machine running @ 800 MHz with around 4 GB of Hard Disk Capacity and 512 MB of RAM
Manik (Expert): as you scale up the number of users you will also typically increase the power of the machines that you utilize for the ADSI
Manik (Expert): the next logical upgrade would be for 500 - 999 users where you will need the same processor @ 800-850 MHz, same Hard disk space i.e. 4 GB but the RAM requirement goes up to 1 GB
Manik (Expert): going forward you can scale the system to accommodate > 10000 Users and the requirements to host such a solution would be as follows. For every 5000 Users you will put in an additional Quad Processor Server with 4 GB of space and around 2 GB of RAM
Manik (Expert):
Q: if all is using Microsoft tech
A: I did not understand the question.
Manik (Expert):
Q: can i configure multiple domains on a single machine
A: When you configure an ADS, you actually create a Forest first, a forest is a group of domains under the same logical entity, and yes you can therefore have multiple domains under the same ADS
Manik (Expert):
Q: What if all the users have to use roaming profiles
A: Roaming user profiles get stored on the domain controller and then get replicated to other domain controllers within the domain. That is a perfectly acceptable situation and this sizing takes care of that
Manik (Expert):
Q: Sir, Is this consideration only for ADSI
A: Yes these considerations are for deploying the ADS
Manik (Expert):
Q: Excuse me if this is a stupid question, why can't we use SQL Server instead of ADS? So we can avoid user level planning
A: SQL server is an RDBMS, whereas ADS is a database that is tightly integrated within the Windows Server design, it is optimized and tuned for working with the servers. Also all possible objects and attributes are already defined with an option to extend them further. So you actually don't have to plan for User Level Planning
Manik (Expert): The Real advantage is that this is one place from where all things can be centrally managed as well as delegated too. It is an integral part of all Windows Server System including SQL. So if for example you need to assign a particular user certain privileges within the SQL database, then that can be done easily as SQL server relies on Users in the ADS database
Manik (Expert): Ok, when you install a Windows 2003 server, during the setup process it prompts you for setting it up as a domain Controller.
Manik (Expert): If you select this option the ADS installation process is initiated and walks you through a step by step process
Manik (Expert): During this process you actually define the name of the Forest and the associated domain in it
Manik (Expert): as an Example if your company is called XYZ then the Forest will typically be named XYZ
Manik (Expert): you may then have Delhi, Bangalore and Mumbai Offices and for each of them you will create domains like delhi.xyz, mumbai.xyz and bangalore.xyz
Manik (Expert): within these 3 domains you will have users for each domain
Manik (Expert):
Q: Would you like to elaborate that answer?
A: explaining on the chat
subhashini (Moderator): well, the time's up :-)
subhashini (Moderator): We have come to the end of this chat
Manik (Expert): Yes you can have a transitive trust set up between all the domains and going further you can extend the trust between two different forests too
subhashini (Moderator): i give Manik the liberty to close this chat
subhashini (Moderator): according to his convenience
subhashini (Moderator): please feel free to email manik at mahuja@microsoft.com
Manik (Expert): Ok guys, i will take one more question as our time seems to be up
subhashini (Moderator): for any queries regarding this chat
Manik (Expert): edirectory is an implementation by Novell for the same purpose.
subhashini (Moderator): I thank manik for this informative session and thank all of you for attending the chat.
subhashini (Moderator): please feel free to pool in your comments and feedback at commind@microsoft.com
Manik (Expert): Ok also before i go I would like you all to come up and join our IT Pro User Groups at either http://groups.msn.com/bangaloreitpro, http://groups.msn.com/puneitpro and also at http://groups.msn.com/mumbaiitpro
subhashini (Moderator): thanks manik
Manik (Expert): You are welcome
subhashini (Moderator): and all of you have a lovely evening
Manik (Expert): Bye and Take care