ALS Designing a Microsoft® Windows® 2000 Directory Services Infrastructure

Author: Microsoft Corporation
Pages: 688
Disk: N/A
Level: Beg/Int
Published: 04/25/2001
ISBN: 9780735612679

Index
Page references to figures and tables are indicated in italics.
A
abstract schema class objects  103
access control entries (ACEs), 184
access control lists. See ACLs
account domain  303
Account Lockout Policy  125
Account Policies subdirectory  125
ACEs (access control entries), 184
ACLs (access control lists)
containing permissions for domain objects  7
function of  184
OUs and access control  193
Active Directory  1-36. See also designing Active Directory infrastructure; implementing Active Directory plan
about directory services  2
automatic schema modification  109
components of  5
connection objects  253, 254
designing infrastructure for  38
DNS namespace  26-31, 27, 29, 31
benefits of DNS service  26
DNS service essential to function of Active Directory  27
hierarchical structure of  27-28, 27
host names  30
naming conventions  32-34
RFCs on domain names and DNS  26
root domains  28
second-level domains  29-30, 29
top-level domains  28-29
zones  30-31, 31
domains in  121
group policies  23-25, 24
lab exercise for migrating from Windows NT 4 to  326-28
logical structures of  5-10, 6
domains  6-7
forests  9-10
organizational units  7-8, 8
trees  8-9, 9
migrating from Windows NT 4 directory services, planning steps for  294
name servers  31-32
objects and attributes for  2-3, 3
online seminars on designing  272
overview of  16, 34-35
physical structure of  10-12
domain controllers  11-12
sites  10-11
reasons to modify schema  108-9
replication  17-20, 19, 20
intersite  20, 20
intrasite  19, 19
what is replicated  17-18
review questions  36
role of global catalog  12-15, 15
schema  3-5, 4
selecting new preferred bridgehead server in failover  257
trust relationships  21-22, 22
zone replication for  168
Active Directory Connector. See ADC
Active Directory Migration Tool (ADMT), 291-93
Active Directory Schema snap-in  101-2
Active Directory Sizer
calculating domain controllers needed in sites  247
placing global catalog servers and operations masters using  268-69, 275-77
ADC (Active Directory Connector)
configuring Exchange Server and Windows 2000 connection agreements  317-18
defining connection agreements  317
installing and setting up synchronization with  311
ADC group policy  315-16
administration
delegating with OU structures  184-85, 184
assessing IT administration requirements  194-95
examples of  198-99, 199
for full control or control of object classes  194-95, 198-99, 199, 200
steps for  193-95
of group policies  188-92, 189, 192
exceptions to default processing order 190-91, 192
inheritance  190
overview  188
processing order for settings  189, 189
structuring OUs for  188-92, 189, 192, 197-98, 201, 202
hierarchy models delegating OU  185-87, 185, 186, 187, 188
of inheritance  184-85, 184, 190
meeting requirements for defining domains  125
need assessment
for DNS server environment  169
for domain controllers  245
for domain hierarchies  145
for domain names  151
for domains  123-24
for forest root domain  136
for forests  92-93
for schemas  107
responsibilities for synchronizing Novell NetWare Bindery and NDS networks  321
of user accounts  215, 217-18
administrative groups
administering user accounts  215, 217-18
Domain Admins group  13, 125, 127
Schema Admins group  105
ADMT (Active Directory Migration Tool), 291-93
analyzing
business environment  42, 48-49, 84-87
business processes  57-63
for communication flow  59, 59-60
for decision making  61-62, 62-63
for information flow  57, 57-59
business strategy influences  63-64, 64-66
business structure  52-53, 53-57
current domain structure and Exchange Server site topology  315
DNS environment  80-81, 81
domain architecture of Microsoft Windows NT  82, 82
hardware and software  74-75, 76-77
network architecture  72, 72-74
organization of information technology management  66-67, 68-69
products and customers  49, 50-52
technical environment  42, 70-71
technical standards  77, 77-79
Windows NT domain architecture  82, 82
architecture. See network architecture
attributes
Active Directory  2-3, 3
defined  2-3, 3
inheritance for user class object  103, 103
mapping Exchange Server to Active Directory  315-16
automatic schema modification  109
auxiliary schema class objects  103
B
bandwidth
about average available  237
calculating average available  72
base schema
defined  101
viewing  101-2
Bindery. See Novell NetWare Bindery
Block Policy Inheritance group policy setting  25, 191, 192
bridgehead servers
in Active Directory Sizer  277
designating  256-57
in intersite replication  257-58, 258
specifying preferred  260
business environment analysis  42, 48-49, 84-87
business environment analysis document  49
business processes  57-63
analyzing information flow  57, 57-59
communication flow analysis  59, 59-60
decision making analysis for  61-62, 62-63
business strategy influences worksheet  63-64, 64-66
business structures worksheet, 53-56, 86-87, 92
C
catalog services, defined  12
CD-ROM. See also worksheets
"Comparative Active Directory Designs," 272
"Designing the Active Directory Structure," 272
"Designing in the Real World" (Trulli), 43
"Designing in the Real World & Creating a Domain Plan" (Inman), 120
"Designing in the Real World: Creating an Organization Unit Plan" (Minet), 182
"How to Migrate Your Windows NT 4.0 Directory Services to Windows 2000 Active Directory," 293
interview worksheets on  49
white paper on Microsoft Metadirectory Services  314
white papers on MSDSS deployment  313
"Windows 2000: Designing and Deploying Active Directory Service for the Microsoft Internal Corpnet," 47
certificate authority (CA), 259
child domains  8-9, 27-28
child OUs  184, 184
collisions detected by domain controllers  12
command decisions  62
communication flow worksheet  59, 59-60
configuration container
defined  91-92
for multiple forests  94
configuration naming context  252
connection agreements for Exchange Server 5.5, 311
connection object  253, 254
consensus decisions  62
consultative decisions  62
containers. See also OUs
configuration  91-92, 94
defined  3, 3
mapping Exchange Server containers to Active Directory domains and OUs  315
contiguous namespace  28
cross-link trusts  144-45, 144, 147
D
decision making worksheets  61-62, 62-63
decision matrix  61, 61
dedicated domain as forest root domain  137-38
Default-First-Site-Name object  243
delegated decisions  62
delegated subdomains  171
design. See also designing Active Directory infrastructure; design teams
assembling teams for infrastructure  39-42, 42
of forest model  96-99, 97, 113-14
further readings on
"Comparative Active Directory Designs," 272
"Designing the Active Directory Structure," 272
"Designing in the Real World" (Trulli), 43
"Designing in the Real World & Creating a Domain Plan" (Inman), 120
"Designing in the Real World: Creating an Organization Unit Plan" (Minet), 182
"Windows 2000: Designing and Deploying Active Directory Service for the Microsoft Internal Corpnet," 47
plan for OUs  45-46
principles for infrastructure  46-47
of pristine forest  300
of schema modification plan  100-112
for site topology  46
stages of Active Directory  43-46
designing Active Directory infrastructure  37-88
about Active Directory infrastructure design  38
analyzing
business environment  42, 48-49, 84-87
business processes  57-63
business strategy influences  63-64, 64-66
business structure  52-53, 53-57
DNS environment  80-81, 81
hardware and software  74-75, 76-77
information technology management organization  66-67, 68-69
network architecture  72, 72-74
products and customers  49, 50-52
technical environment  42, 70-71
technical standards  77, 77-79, 92
Windows NT domain architecture  82, 82
assembling design teams  39-42, 42
establishing test environment for infrastructure  43
guiding principles for  46-47
lab exercise for analyzing business environment  84-85, 86-87
review questions  88
stages of  43-46
creating domain plan  45
creating forest plan  45
creating organizational unit plan  45-46
creating site topology plan  46
overview  43, 44, 45
"Designing the Active Directory Structure," 272
"Designing in the Real World & Creating a Domain Plan" (Inman), 120
"Designing in the Real World: Creating an Organization Unit Plan" (Minet), 182
design teams  39-42, 42
infrastructure designers on  39-40
management representatives on  41
sample multilevel  41-42, 42
staff representatives on  40-41
directory-enabled application  109
directory information tree (DIT), 101
directory partition  17
Directory Service Remote Procedure Call (DS-RPC), 254, 259
directory services. See also Active Directory; designing Active Directory infrastructure; implementing Active Directory plan
defined  2
domains for Windows 2000, 28
migrating from Windows NT to Active Directory  285-308
about migration to Active Directory  285-86, 286, 308
Active Directory Migration Tool  291-93
assessing migration goals  294
consolidating resource domains into OUs  301-2
determining migration method  295
domain restructuring  288-89, 288, 299-301
domain upgrades  286-87, 287, 296-99
lab exercise  326-28
migrating resource domains  289-90
minimizing production environment problems  290
mixed and native domain modes for Windows 2000, 290-91
with multimaster domain model  306-7, 307
with multiple trust domain model  307-8, 307
planning steps for  294
with single domain model  302-3, 303
with single master domain model  303-5, 304, 305
synchronizing with Active Directory  309-25
about  309-10, 325
choosing one- or two-way synchronization  320
with Exchange Server 5.5, 310-11, 314-18, 322-24, 324
with LDAP-compliant directory services  313-14
with Novell NetWare Bindery or NDS, 311-13, 319-22, 324-25
directory synchronization  310
disabling site link transitivity  255, 260
distinguished names (DNs), 32, 32
DIT (directory information tree), 101
DNS (Domain Name System). See also DNS servers; namespace
analyzing current DNS environment  80-81, 81
benefits of  26
as essential to Active Directory  27
RFCs on domain names and  26
valid site names  238
DNS BIND  170, 173
DNS environment analysis worksheet  80-81, 81
DNS name servers. See DNS servers
DNS Notify process  166, 167
DNS servers  161-73. See also domains
about  161-62, 162-63, 164, 172-73
assessing environment of  169
placing  170-71
determining existing services  170-71
planning additional zones for  170
planning deployment of  171, 172, 172
zone replication  165-68, 166, 167
choosing method of  171
requirements for Active Directory  168-69
zones, zone database files, and resource records  163, 164
documents
business environment analysis  49
technical environment analysis  70-71
domain controllers. See also global catalog servers; operations master roles
assigning infrastructure master role to  270
choosing upgrade strategy for  298
deciding number and location of global catalog servers and  275-77
effect of multiple domains on  127
functions of  11-12
as global catalog servers  15, 268
placing in sites  243-50
about  243-44, 248
assessing needs  245
deciding number needed  247
determining location  245-46
example of  247, 248
naming domain controllers and computers  244, 244
scenario for  249-50, 250
planning operations master roles by domain  269-70
replication  18
actions triggering  252
pre-Windows 2000, 20
running mixed and native domain modes, 290-91
domain GPOs  23
domain hierarchies  141-49
about  141, 149
arranging subdomain hierarchy  147
assessing needs for  145
cross-link trusts and  144-45, 144, 147
defining  148, 149, 155-60, 156, 157, 159, 160
designating tree root domains  146, 147
determining number of domain trees  146
effect of multiple trees in  146
parent-child trusts  141-43, 142, 143
structure of  27-28, 27
domain local groups  208, 209, 213-14
domain names  150-60, 156, 157, 159, 160. See also domains
about  150, 154, 159
assessing needs for  151
of child domains  8-9, 27-28
choosing  151-53
defining  155-60, 156, 157, 159, 160
example of  153, 154
fully qualified  30
registering  152-53
RFCs on DNS and  26
Domain Name System. See DNS
domain naming context  252
domain naming master  265, 270
domain restructure  288-89, 288, 299-301
about  288-89, 288
designing pristine forest  300
establishing timeline for  300
identifying trust relationships for resource domains  301
mapping groups and users to be migrated  301
domains  119-79. See also domain restructure; domain upgrades
about  121
analyzing
Exchange Server domain structure and site topology  315
Windows NT domain architecture  82, 82
assigning PDC emulator roles to  270
as boundary for security  7
characteristics of  6-7
as component of Active Directory  5, 6
creating plan for  45, 174-78, 176, 177
defining  128-30, 128, 130
activity for  155-60, 156, 157, 159, 160
assessing domain needs  123-24
based on geographical structure  122
deciding number per forest  124
meeting administrative requirements for  125
minimum number of  122-23
multiple  124-25, 127
to optimize replication traffic  126
scenarios for  131-34, 132, 134
security requirements and policies for  125
domain hierarchies  141-49
about  141, 149
arranging subdomain hierarchy  147
assessing needs for  145
cross-link trusts  144-45, 144, 147
defining  148, 149
designating tree root domains  146, 147
determining number of domain trees  146
implications of multiple trees in  146
parent-child trusts  141-43, 142, 143
forest root  135-40
about  135, 140
assessing needs for  136
choosing  136-38
defining  138, 139, 139, 140
illustrated, 6
mapping Exchange Server sites and containers to Active Directory  315
migrating resource  289-90
moving within multiple forests  94
naming  150-60
about domain names  154, 159
activity for  155-60, 156, 157, 159, 160
assessing needs for domain names  151
choosing domain names  151-53
example of  153, 154
registering domain names  152-53
operations master roles for  266-67, 267
placing domain controllers in  245-47
planning DNS server deployment  161-73
about DNS servers  161-62, 162-63, 164, 172-73
assessing DNS server environment  169
DNS server requirements for Active Directory zone replication  168-69
placing DNS servers  170-71
zone replication  165-68, 166, 167
planning operations master role assignments by  269-70
relationship of sites and, 238
retaining Windows NT  126-27
review questions  179
root  28
second-level  29-30, 29
top-level  28-29
trust relationships  21-22, 22
Windows 2000 vs. DNS  28
Domain Admins group
implications of multiple domains on  127
logging on to network when global catalog not available  13
setting special requirements for  125
domain trees. See forests; trees
domain upgrades  296-99
about  286-87, 287
determining order for upgrading domains, 297-98
making recovery plan  297
strategy for upgrading domain controllers  298
switching to native mode  298-99
DS-RPC (Directory Service Remote Procedure Call), 254, 259
E
Exchange 2000 Server  310
Exchange Server 5.5. See Microsoft Exchange Server 5.5
explicit one-way nontransitive trust  21-22, 22, 94, 95
F
fault tolerance
ensuring with site link configuration  254
role of domain controllers in  12
File Migration Utility  312-13
files
NTDS.DIT  100
root domains for zone  30-31
zone database  163, 164
firewalls  255
forest model  96-99, 97, 113-14
forest root domain
about  135, 140
assessing needs for  136
choosing  136-38
defining  138
designating dedicated domain as  137-38
existing domain as  137
defining  138, 139, 139, 140
reasons for designating existing domain as  137
tree root domain as  146, 147
forests. See also operations master roles; schema
about  91-92
characteristics of  9-10
as component of Active Directory  5, 6
deciding number of domains for each  124
designing schema modification plan  100-112
assessing schema needs  107
automatic schema modification  109
creating schema modification policy  105-7, 106-7
example of  111-12
implications of modifying schema  110
reasons to modify schema  108-9
steps in  110
types of schema modifications  108
understanding schema  100-105
determining number of domain trees  146
illustrated, 6
operations master roles  265-66
assigning schema master and domain naming master roles  270
planning for forest growth  271
planning  45, 89-117
assessing organization's forest needs  92-93
designing forest model  96-99, 97, 113-14
determining number of  93-96, 95
exercise designing schema modification plan  114-15
overview  97
pristine  288, 300
review questions  116-17
FQDN (fully qualified domain name)
defined  30
for domain controllers and computers  244, 244
full control for OU  194-95, 198, 199
full zone transfer  166-67, 167
G
geographical structure of domains  122
global catalog  12-15, 15. See also global catalog servers
about  12-13, 92
query process for  14-15, 15
replication of  18
role of  12-15, 15
schema extensions in  18
global catalog servers  264-74. See also site topology plan
about  264-65, 273-74
defined  13
placing
example of  271-72, 273
locating domain controllers and designating as server  268
steps in  269
using Active Directory Sizer  268-69, 275-77
global groups  207, 209, 213-14
globally unique identifier (GUID), 33-34
GPOs (group policy objects)
applying policy to  23-25, 24
linking to OUs  188
group policies  23-25, 24
about  23, 188
administering  188-92, 189, 192
exceptions to default processing order  190-91, 192
inheritance  190
overview  188
processing order for settings  189, 189
applying settings for  23-25, 24
Block Policy Inheritance  25, 191, 192
implications of multiple domains on access control and  127
Loopback  25, 191
No Override  24, 190-91, 192
structuring OUs to administer  188-92, 189, 192, 197-98, 201, 202
group policy objects. See GPOs
groups  205-27. See also group policies
about users and  205-9, 209
activity defining structure and  228-32
administering policies for  188-92, 189, 192
defined  206
exercise defining  230, 231-32
group scopes  207-8
membership rules for  209
guidelines for defining OU structures  192-93
mapping those to be migrated in domain restructure  301
naming and defining  212-15
assessing naming conventions and OU structure  212
defining global and domain local groups  213-14
determining group naming convention  212, 213
examples of  219, 220, 221, 221
steps for  215
universal groups  214
nesting  208
scenario for planning  227
structure diagram of sample  217, 217
structuring OUs to administer policies  188-92, 189, 192, 197-98, 201, 202
types of  207
universal security  208, 209
group scopes  207-8, 209
GUID (globally unique identifier), 33-34
guidelines for defining OU structures  192-93
H
hardware and software worksheet  74-75, 76-77
hiding objects with OU structures  188, 195-96, 200, 201
hierarchy models delegating OU administration  185-87, 185, 186, 187, 188
host names  30
"How to Migrate Your Windows NT 4.0 Directory Services to Windows 2000 Active Directory," 293
I
implementing Active Directory plan  283-329
migrating from Windows NT to Active Directory  285-308
about migration to Active Directory  285-86, 286, 308
Active Directory Migration Tool  291-93
assessing migration goals  294
consolidating resource domains into OUs  301-2
determining migration method  295
domain restructuring  288-89, 288, 299-301
domain upgrades  286-87, 287, 296-99
lab exercise  326-28
migrating resource domains  289-90
minimizing production environment problems  290
mixed and native domain modes for Windows 2000, 290-91
with multimaster domain model  306-7, 307
with multiple trust domain model  307-8, 307
planning steps for  294
with single domain model  302-3, 303
with single master domain model  303-5, 304, 305
review questions  329
synchronizing directory services with Active Directory  309-25
about directory service synchronization, 309-10, 325
with Exchange Server 5.5, 310-11, 314-18, 322-24, 324
with LDAP-compliant directory services  313-14
with Novell NetWare Bindery or NDS, 311-13, 319-22, 324-25
implicit two-way transitive trust  21, 22, 142
incremental zone transfer  166-67
information flow worksheet  57, 57-59
information technology management organization worksheet  66-67, 68-69, 92
infrastructure. See designing Active Directory infrastructure; implementing Active Directory plan
infrastructure designers  39-40
infrastructure master role
about  266
assigning to domain controller  270
inheritance
administering  190
blocking  25, 191, 192
defining OUs to administer  184-85, 184
for user class object attributes  103, 103
Inman, Darron  120
in-place upgrades  126-27
Internet standard characters  151-52
Inter-Site Messaging-Simple Mail Transport Protocol (ISM-SMTP), 254
intersite replication
about  20, 20
intrasite vs., 252-54, 253
process of  257-58, 258
interviewing skills  40
intrasite replication
about  19, 19
intersite vs., 252-54, 253
invalid characters
for groups  213
for user accounts  210
IP address resolution  161
ISM-SMTP (Inter-Site Messaging-Simple Mail Transport Protocol), 254
ISO (International Standards Organization) country codes  153
IT management organization worksheet  66-67, 68-69, 92
K
KCC (Knowledge Consistency Checker), 19
creating connection objects between domain controllers  253
designating bridgehead servers  256-57
designating domain controllers for configured site links  256
determining replication paths between sites  254
Kerberos policy  125
Knowledge Consistency Checker. See KCC
L
lab exercise
for analyzing business environment  84-85, 86-87
to create forest model  113-14
creating site topology plan  278-80
defining groups  230, 231-32
for defining OU structures  228-30
designing schema modification plan  114-15
for migrating from Windows NT 4 to Active Directory  326-28
for modifying schema  114-15
LANs, defining sites for  239, 240
LDAP-compliant directory services  313-14. See also synchronizing directory services with Active Directory
local GPOs  23
locations
choosing
for domain controllers  245-46
for Exchange Server ADC  316
for global catalog servers and domains  275-77
for operations master roles  269-71
defining sites reachable with SMTP protocol  239, 242
optimizing performance with domain controller  245-46
OU structure based on  185, 185, 187, 188
logging on
across forests with smart cards  95
logon names  210, 210-11
outside user's own forest  96
with user principal name  92
when global catalog not available  13
logical structures of Active Directory  5-10, 6
domains  6-7
forests  9-10
organizational units  7-8, 8
trees  8-9, 9
Loopback group policy setting  25, 191
Last Updated: Friday, July 6, 2001