Post on 27-Dec-2015
transcript
Active Directory Concepts II: Namespace Planning For The Active Directory
Stuart Kwan, Program Manager, Windows NT Distributed Systems, Microsoft Corporation
Agenda
- Objectives
- Overview of example company
- Active Directory namespace design
- Summary
- Call to action
Objectives
- Ensure your software is a good citizen
- Practical examples of Active Directory concepts
- Understand how namespace design impacts performance, management
- Understand customer scenarios
- Identify opportunities…
Arcadia Bay: Physical view
[Diagram: Headquarters; Remote offices and hub; Subsidiary; Partner; Test site]
Arcadia Bay: Company information
- Parent company: Arcadia Bay Inc.
- Registered DNS name: arcadiabay.com
- Headquarters:
  - Three buildings, multiple LANs, MAN
  - Per-building IT administration
  - Thousands of users
Arcadia Bay: Company information
- Arcadia Bay Inc.
- Three remote offices:
  - Tens of users, central administration
  - Reliable WAN link to hub, HQ
- Test site
  - Visited by HQ personnel
  - Sensitive resources and data
  - Reliable WAN link to HQ
Arcadia Bay: Company information
- Subsidiary: Ellipsis Software Ltd.
  - Acquired company
  - Registered DNS name: ellipsis.dot
  - Independent IT administration
  - Hundreds of users
- Partner: Three Dots Inc.
  - Close partner, separate management
  - Registered DNS name: 3dots.dot
Arcadia Bay: Logical view
[Diagram: The Network; Resources; Mobile users; Users; Groups]
Active Directory Namespace Design
- Active Directory namespace:
  - Domain namespace
  - DNS namespace
  - Organizational Unit namespace
  - Site topology
- Each namespace has unique characteristics
Domain Namespace: Considerations
- How many forests?
- How many domains in each forest?
- How will domains be arranged into structures?
- What will the domains be named?
Number Of Forests: Definition of forest
- What is a forest?
  - Unit of schema
  - Unit of site configuration
  - Administrative scope
  - Default scope for security principals
  - Scope of global catalog
Number Of Forests: Schema and global catalog
- Schema
  - Attribute definitions
  - Object definitions
  - Extensible
- Global catalog (GC)
  - Partial copy of all objects in forest
  - Used for fast, forest-wide search
[Diagram: HQ's objects; Partner's objects]
Number Of Forests: Methodology
- Usually determined by number of schemas
- Partner running directory-enabled software not certified by Headquarters
- Two distinct schemas required
[Diagram: HQ forest; Partner forest]
Number Of Forests: Arcadia Bay example
- Two forests for Arcadia Bay
  - Headquarters and Partner
Number Of Domains: Definition of domain
- What is a domain?
  - Unit of partitioning
  - Unit of authentication
  - Administrative scope
  - Unit of domain account policy
- Manifested by domain controllers (DCs)
  - Replicated
Number Of Domains: Methodology
- Put all objects in one domain
- Justify additional domains
  - Partition to scope replication of objects
  - Business unit demands admin ownership
  - Unique domain account policy required
    - Password/account lockout/Kerberos policy
- Emphasize stability
  - Do not create domains that will lose meaning after reorganization
Number Of Domains: Partitioning methodology
- Consider a remote office
  - User must communicate with DC to login
  - Trust WAN for login?
    - Yes: DCs in central location
    - No: place DC in remote site
- If DC in remote office, for what domain?
  - Can WAN handle replication traffic?
    - Yes: put first domain DC in office
    - No: new domain for remote office
[Diagram: HQ; Hub; Remote site]
Number Of Domains: Arcadia Bay example
- First domain: headquarters
- Remote offices
  - Trust WAN to hub for login
  - Don't want to replicate HQ domain to hub
  - Create new domain for hub and remotes
[Diagram: HQ; Test site]
Number Of Domains: Arcadia Bay example
- Test site
  - Do not trust WAN for login
  - Predominantly mobile users from HQ
  - Replicate HQ domain to test site
[Diagram: HQ; Subsidiary; Sub]
Number Of Domains: Arcadia Bay example
- Subsidiary
  - Refuse to have HQ administrators as domain administrators
  - Create new domain for subsidiary
Number Of Domains: Arcadia Bay example
- The Arcadia Bay forest
[Diagram: HQ; Hub; Sub]
Arranging And Naming: Concepts
- What is the Domain Name System?
  - Hierarchical distributed database
  - Fast, lightweight
  - Replicated: highly available, fault tolerant
- DNS is the Active Directory locator
  - Domains have DNS names
  - Clients find DCs via DNS queries
Arranging And Naming: Methodology
- Assign first domain a DNS name
  - Incorporate registered Internet name
  - Ensures global uniqueness
- Assign each additional domain a DNS name
  - Child domain: name is immediately subordinate to an existing domain
  - New tree: name is a peer of existing domains
Arranging And Naming: A word on choosing names
- Prefer Internet standard characters
  - 'A'-'Z', 'a'-'z', '0'-'9', and '-' (RFC 1123, which references RFC 952)
- If you intend to use Microsoft DNS
  - All NetBIOS chars allowed (i.e. '_')
  - Includes Unicode (via UTF-8)
  - Caveat: a domain name that depends on these extensions ties the domain to Microsoft DNS for as long as the domain exists
- DNS names can be up to 253 bytes long
  - Up to 63 bytes per label (dot-separated)
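The naming rules above as a checker, written for this page as an added example (not code from the talk). It classifies a candidate name as portable under RFC 1123, acceptable only to Microsoft DNS, or invalid. The RFC 1123 label rule and the 253/63 byte limits are as stated on the slide; how Microsoft DNS is modelled (any label free of control characters and of the characters Windows rejects in NetBIOS computer names) is an assumption of this example, and the `classify_dns_name` function and the sample names are its own.

```python
"""Classify candidate AD domain names against the naming rules on the slide.
Added example, not code from the original talk."""
from __future__ import annotations
import re

MAX_NAME_BYTES = 253    # presentation form; the wire limit is 255 octets
MAX_LABEL_BYTES = 63

# RFC 1123 section 2.1 relaxes RFC 952 so a label may start with a digit;
# a hyphen still may not begin or end a label.
_RFC1123_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# Assumption of this example: Microsoft DNS is modelled as accepting any label
# with no control characters and none of the characters Windows rejects in
# NetBIOS computer names.  Unicode is allowed and measured as UTF-8 bytes.
_MS_FORBIDDEN = set('\\/:*?"<>|')


def _ms_label_ok(label: str) -> bool:
    return all(ch not in _MS_FORBIDDEN and 0x20 <= ord(ch) != 0x7F
               for ch in label)


def classify_dns_name(name: str) -> tuple[str, list[str]]:
    """Return (verdict, reasons).

    verdict is "rfc1123" (portable Internet name), "ms-dns-only" (only
    Microsoft DNS would load it) or "invalid" (a protocol limit is broken,
    or a label is one not even Microsoft DNS accepts).
    """
    fqdn = name.rstrip(".")          # a trailing dot only marks the name absolute
    if not fqdn:
        return "invalid", ["empty name"]
    errors: list[str] = []
    notes: list[str] = []
    total = len(fqdn.encode("utf-8"))
    if total > MAX_NAME_BYTES:
        errors.append(f"name is {total} bytes, limit is {MAX_NAME_BYTES}")
    for label in fqdn.split("."):
        size = len(label.encode("utf-8"))
        if size == 0:
            errors.append("empty label (consecutive dots)")
            continue
        if size > MAX_LABEL_BYTES:
            errors.append(f"label {label!r} is {size} bytes, limit is {MAX_LABEL_BYTES}")
        if _RFC1123_LABEL.match(label):
            continue
        if _ms_label_ok(label):
            notes.append(f"label {label!r} is outside RFC 1123; Microsoft DNS only")
        else:
            errors.append(f"label {label!r} has characters no DNS server here accepts")
    if errors:
        return "invalid", errors + notes
    if notes:
        return "ms-dns-only", notes
    return "rfc1123", []


if __name__ == "__main__":
    for candidate in ("arcadiabay.com", "office.arcadiabay.com.",
                      "polka.ellipsis.dot", "arcadia_bay.com", "a" * 64 + ".com"):
        verdict, reasons = classify_dns_name(candidate)
        print(f"{candidate:32} {verdict:12} {'; '.join(reasons)}")
```

Run it before committing to a name: anything that comes back "ms-dns-only" works only while every authoritative server for that name is Microsoft DNS, and "invalid" names fail the length limits no server can relax.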
Arranging And Naming: Arcadia Bay example
- First domain (and tree): headquarters
  - arcadiabay.com
[Diagram: arcadiabay.com; Hub; Sub]
Arranging And Naming: Arcadia Bay example
- Child domain: hub
  - office.arcadiabay.com
[Diagram: arcadiabay.com; office.arcadiabay.com; Sub]
Arranging And Naming: Arcadia Bay example
- Sibling tree: subsidiary
  - Insist on using ellipsis.dot
[Diagram: arcadiabay.com; office.arcadiabay.com; ellipsis.dot]
Arranging And Naming: Trusts
- All domains in forest connected by transitive trust
- Security principals valid anywhere in forest
[Diagram: arcadiabay.com; office.arcadiabay.com; ellipsis.dot]
Forests Again: Loose ends
- What is the name of a forest?
  - Name of the first installed domain
  - First domain is called the "forest root"
  - The forest root cannot be removed
- How do multiple forests interact?
  - Explicit trusts between domains
  - Dirsync so that objects from other forests show up in your global catalog
DNS Namespace: Concepts
- Why DNS?
  - Globally recognized namespace
  - Standard, well-understood protocol
  - Proven scalability on the Internet
  - Scalable locator + scalable domains = highly scalable directory
- DNS data consists of records
  - (name, type, data) tuple
  - dns1.microsoft.com. A 131.107.1.7
DNS Namespace: The Locator
- Domain controllers dynamically register Service Location records
  - SRV resource record (RFC 2052)
  - Maps (service) --> (hosts offering service)
  - General rendezvous mechanism
  - Analogous to SMTP and the MX record
- NETLOGON service sends updates
  - Dynamic update protocol (RFC 2136)
DNS Namespace: Locator records
- SRV records are named like ldap.tcp.<domain name>.
  - i.e. ldap.tcp.arcadiabay.com.
  - Plenty more like that, all ending in <domain name>
  - (That is the RFC 2052 spelling. RFC 2782, which replaced it, prefixes the service and protocol labels with underscores, and released Windows 2000 registers _ldap._tcp.<domain name>.)
- DNS server that owns <domain name>
  - MUST support the SRV record
  - SHOULD support dynamic update
DNS Namespace: DNS server requirements
- No pre-existing DNS infrastructure
  - Easy! Deploy Microsoft DNS Server
- Pre-existing DNS infrastructure
  - Does server that owns <domain name> support SRV RR, dynamic update?
  - Ownership = name falls within zone loaded by server
  - Zone = a partition of the DNS database
DNS Namespace: DNS server requirements
- Yes, it meets requirements
  - Dynamic updates will affect DNS replication traffic
- No, it does not meet requirements
  - Choice one: Upgrade server
  - Choice two: Migrate to Microsoft® DNS
  - Choice three:
    - Select a new name
    - Delegate name to Microsoft DNS
DNS Namespace: Arcadia Bay example
- Arcadiabay.com: Windows NT® 4.0 Microsoft DNS
  - Straight upgrade to Windows NT 5.0 Microsoft DNS
- Ellipsis.dot: BIND 4.9.7
  - Supports SRV RR, but not dynamic update
  - Unwilling to touch existing servers
  - Select new name, "polka.ellipsis.dot"
  - Delegate name to Windows NT 5.0 Microsoft DNS
DNS Namespace: Arcadia Bay example
- DNS partitioning (zones)
[Diagram: '.' (root); ellipsis.dot; polka.ellipsis.dot; arcadiabay.com; office.arcadiabay.com; 3dots.dot]
DNS Namespace: Recommended deployment
- Run Microsoft DNS on domain controllers
- Use Active Directory integrated DNS
  - Zone files stored and replicated in the DS
  - Setup/maintain single replication topology
  - Multi-master dynamic update
    - Standard DNS is single-master
  - Enables secure dynamic updates
    - Without secure update, any host that can reach the server can register or overwrite locator records and so redirect clients to a machine of its choosing
DNS Namespace: Arcadia Bay example
- Zones stored in Active Directory
[Diagram: '.' (root); arcadiabay.com; office.arcadiabay.com; ellipsis.dot; polka.ellipsis.dot; 3dots.dot]
DNS Namespace: No dynamic update
- If no dynamic update support
  - Hand enter records from DC into DNS
  - %systemroot%\system32\config\netlogon.dns
- Re-enter/remove records if any of the following change:
  - Domain controller name
  - Role (GC, PDC)
  - Site configuration (moved to new site)
  - IP address
  - DC is demoted
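What a DC's locator registration looks like, and how a client consumes it, as an added example for the locator-record and netlogon.dns slides above (not code from the talk). It generates netlogon.dns-style lines for one DC and then performs the client side: query the site-specific SRV name first, fall back to the domain-wide (for a GC, forest-wide) name, and choose among the answers by RFC 2782 priority and weight. Record names are written in the RFC 2782 underscore form that released Windows 2000 registers; only a subset of the record set is generated (the GUID-based records are left out), the in-memory zone stands in for a DNS server, and every host, site and role is constructed for illustration.

```python
"""Locator (SRV) records a domain controller registers, and the client-side
lookup that prefers the client's site.  Added example, not code from the talk.
Record names use the RFC 2782 underscore form that released Windows 2000
registers; only a subset is generated (GUID-based records are omitted) and
every host, site and role is constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
import random

TTL = 600   # netlogon.dns writes "<name>. 600 IN SRV 0 100 <port> <dc>."


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def netlogon_records(dc: str, domain: str, forest: str, site: str,
                     is_gc: bool = False, is_pdc: bool = False) -> list[str]:
    """netlogon.dns-style lines for one DC.  Name, domain, site and role all
    shape the set, so hand-maintained records must be redone when any change."""
    def srv(port: int) -> str:
        return f"{TTL} IN SRV 0 100 {port} {dc}."
    lines = [
        f"_ldap._tcp.{domain}. {srv(389)}",
        f"_ldap._tcp.{site}._sites.{domain}. {srv(389)}",
        f"_ldap._tcp.dc._msdcs.{domain}. {srv(389)}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}. {srv(389)}",
        f"_kerberos._tcp.{domain}. {srv(88)}",
        f"_kerberos._tcp.{site}._sites.{domain}. {srv(88)}",
        f"_kpasswd._tcp.{domain}. {srv(464)}",
    ]
    if is_pdc:
        lines.append(f"_ldap._tcp.pdc._msdcs.{domain}. {srv(389)}")
    if is_gc:   # GC records hang off the forest name, not the domain name
        lines.append(f"_gc._tcp.{forest}. {srv(3268)}")
        lines.append(f"_gc._tcp.{site}._sites.{forest}. {srv(3268)}")
    return lines


def load_zone(lines: list[str]) -> dict[str, list[Srv]]:
    """Toy in-memory zone: owner name (lower-cased) -> SRV records."""
    zone: dict[str, list[Srv]] = {}
    for line in lines:
        name, _ttl, _cls, _type, prio, weight, port, target = line.split()
        zone.setdefault(name.lower(), []).append(
            Srv(int(prio), int(weight), int(port), target.rstrip(".")))
    return zone


def choose(records: list[Srv], rng: random.Random) -> Srv:
    """RFC 2782 target selection: lowest priority, then weighted random."""
    best = min(r.priority for r in records)
    pool = sorted((r for r in records if r.priority == best),
                  key=lambda r: r.weight != 0)   # zero-weight records first
    draw = rng.randint(0, sum(r.weight for r in pool))
    running = 0
    for rec in pool:
        running += rec.weight
        if running >= draw:
            return rec
    return pool[-1]


def locate_dc(zone: dict[str, list[Srv]], domain: str, client_site: str,
              gc: bool = False, forest: str = "",
              rng: random.Random | None = None) -> tuple[str, Srv]:
    """Mimic the locator's DNS side: try the site-specific name, then the
    domain-wide (for a GC: forest-wide) name.  Returns (name queried, record)."""
    rng = rng or random.Random()
    if gc:
        names = [f"_gc._tcp.{client_site}._sites.{forest}.", f"_gc._tcp.{forest}."]
    else:
        names = [f"_ldap._tcp.{client_site}._sites.dc._msdcs.{domain}.",
                 f"_ldap._tcp.dc._msdcs.{domain}."]
    for name in names:
        records = zone.get(name.lower())
        if records:
            return name, choose(records, rng)
    raise LookupError(f"no SRV records found under any of {names}")


def demo_zone() -> dict[str, list[Srv]]:
    """Constructed Arcadia Bay zone: one DC at HQ, two hub-domain DCs at Hub."""
    forest, hub = "arcadiabay.com", "office.arcadiabay.com"
    lines = (netlogon_records("dc1.arcadiabay.com", forest, forest, "HQ",
                              is_gc=True, is_pdc=True)
             + netlogon_records(f"dc2.{hub}", hub, forest, "Hub", is_gc=True, is_pdc=True)
             + netlogon_records(f"dc3.{hub}", hub, forest, "Hub"))
    return load_zone(lines)


if __name__ == "__main__":
    zone = demo_zone()
    print(locate_dc(zone, "office.arcadiabay.com", "Hub"))   # site-local: dc2 or dc3
    print(locate_dc(zone, "arcadiabay.com", "Hub"))          # no HQ-domain DC at Hub: dc1
    print(locate_dc(zone, "", "Hub", gc=True, forest="arcadiabay.com"))   # dc2, port 3268
```

The fallback path is the one that hurts when records are hand-entered: a DC moved to a new site keeps answering under its old `_sites` name until someone edits the zone, and a demoted DC keeps being handed out until its lines are removed.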
DNS Namespace: Computer names
- Primary DNS name
  - <comp_name>.<pri_DNS_domain>
  - By default, <pri_DNS_domain> = <member_domain>
  - GetComputerNameEx()
- Per-adapter DNS name
  - <comp_name>.<adapter_DNS_domain>
  - <adapter_DNS_domain> from IP config
  - gethostbyname(NULL)
DNS Namespace: A word about WINS
- WINS and NetBIOS are not required in a pure Windows NT 5.0 environment
- WINS *is* required for 4.0 <--> 5.0 interoperability
  - ADS domains also have NetBIOS names
  - W9x and Windows NT 4.0 clients/servers find 5.0 servers using WINS
  - Windows NT 5.0 clients/servers find 4.0 servers using WINS
OU Namespace: Concepts
- Hierarchy within a domain
  - Easy to create, move, rename, and delete
- Create meaningful structure for admins
  - Delegate administration or access
  - Scope the application of policy
- Specific justification for each OU
  - Meaningless OUs create work, add no value
OU Namespace: Methodology
- Delegation of admin/access, examples
  - Group X can reset user passwords
  - Group Y has full control
  - Group Z can read home tele# attribute
- Scoping policy, examples
  - Users get applications published/deployed
  - Machines use specified IPSEC policy
OU Namespace: Arcadia Bay example
- HQ: admin per building, per resource
  - OU per building, per resource
[Diagram: OU tree under DC=arcadiabay,DC=com; OU=St. Paulin; OU=Mizithra; OU=Meckels; OU=Groups; OU=Printers; OU=Users]
OU Namespace: Conflicting needs
- Delegation and policy can clash
  - Want all engineers to get CAD application
  - Engineers work in every building
  - How apply policy to engineers only?
- Use policy filtering
  - Apply permissions to policy
  - Only members of Engineering security group can read policy
  - Apply policy at domain level
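The two scoping mechanisms side by side, as an added example (a model of the processing rules, not the Windows implementation): a policy linked at the domain but security-filtered to one group reaches engineers in every building OU, while a policy linked to one building OU reaches only that building. In released Windows 2000 the filter is the policy object's ACL, where the Engineering group is granted Read and Apply Group Policy in place of the default Authenticated Users; the model below reduces that to a set of group names. The DNs, group names and policy names are constructed.

```python
"""Model of policy scoping against delegation: a policy linked at the domain
but security-filtered to one group, beside a policy linked to a building OU.
Added example; it models the processing rules described on the slide and is
not the Windows implementation.  All DNs, groups and policy names are
constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    # Security filtering: groups holding Read + Apply Group Policy on the
    # policy object.  Empty means the default, Authenticated Users.
    apply_to: frozenset[str] = frozenset()


def containers_of(dn: str) -> list[str]:
    """Containers that scope an object, outermost first: the domain, then
    each OU down to the object's parent."""
    parts = dn.split(",")
    first_dc = next(i for i, p in enumerate(parts) if p.upper().startswith("DC="))
    chain = [",".join(parts[first_dc:])]
    for i in range(first_dc - 1, 0, -1):        # parts[0] is the object's own RDN
        chain.append(",".join(parts[i:]))
    return chain


def effective_policies(links: dict[str, list[Policy]], user_dn: str,
                       groups: frozenset[str]) -> list[str]:
    """Policies the user receives, in processing order (domain first, then
    OUs top-down), after security filtering."""
    applied = []
    for container in containers_of(user_dn):
        for pol in links.get(container, []):
            if not pol.apply_to or pol.apply_to & groups:
                applied.append(pol.name)
    return applied


DOMAIN = "DC=arcadiabay,DC=com"
# Constructed links: two policies at the domain (one filtered to Engineering),
# one IPSEC policy on a single building OU.
LINKS = {
    DOMAIN: [Policy("Domain baseline"),
             Policy("Deploy CAD application", frozenset({"Engineering"}))],
    f"OU=Mizithra,{DOMAIN}": [Policy("Mizithra IPSEC policy")],
}


if __name__ == "__main__":
    alice = f"CN=alice,OU=Users,OU=Mizithra,{DOMAIN}"
    bob = f"CN=bob,OU=Users,OU=Meckels,{DOMAIN}"
    print(effective_policies(LINKS, alice, frozenset({"Engineering"})))
    print(effective_policies(LINKS, bob, frozenset({"Sales"})))
```

The alternative, linking the CAD policy to every building OU, would need one link per building and would still deliver the application to every non-engineer in those OUs; the filter at the domain needs one link and one ACL.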
Site Topology: Concepts
- What is a site?
  - Set of well-connected IP subnets
  - Clients prefer DCs in their site
  - Inter-site replication is schedulable
- Sites are connected with site links
  - Connects two or more sites
  - Cost parameter
- Site link bridges connect site links
Site Topology: Methodology
- Group subnets into sites
- Place DCs into sites
- Rules of thumb
  - At least one GC in every site
  - At least two DNS servers in every site
  - If no DC in a site, then remove the site
- Connect sites with site links according to network characteristics
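The two site-topology decisions as code, added here as an example (not code from the talk): mapping a client address to its site, where the most specific subnet wins, and costing the replication path between two sites over site links, where a path may continue from one link onto another only if the links are bridged. The subnets, site names, links and costs are constructed and follow the Arcadia Bay diagram only loosely; `site_for` and `replication_cost` are this example's own functions, and the bridging rule is modelled as described on the slide.

```python
"""Site topology helpers: map a client address to its site by most specific
subnet, and cost the replication path between two sites over site links,
honouring site link bridges.  Added example, not code from the talk; the
subnets, sites, links and costs are constructed."""
from __future__ import annotations
from dataclasses import dataclass
import heapq
import ipaddress


def site_for(ip: str, subnets: dict[str, str]) -> str | None:
    """Most specific matching subnet wins (subnets: prefix -> site name)."""
    addr = ipaddress.ip_address(ip)
    best: tuple[int, str] | None = None
    for prefix, site in subnets.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


@dataclass(frozen=True)
class SiteLink:
    name: str
    sites: frozenset[str]      # a link joins two or more sites
    cost: int


def replication_cost(links: list[SiteLink], src: str, dst: str,
                     bridges: list[set[str]] | None = None) -> int | None:
    """Cheapest src -> dst path, or None if unreachable.  bridges=None means
    every link is transitive (the 'bridge all site links' default); otherwise
    a path may step from one link onto another only when some bridge holds both."""
    def can_continue(prev: str, nxt: str) -> bool:
        return (bridges is None or prev == "" or prev == nxt
                or any(prev in b and nxt in b for b in bridges))
    heap = [(0, src, "")]                  # (cost so far, site, link arrived by)
    seen: set[tuple[str, str]] = set()
    while heap:
        cost, site, via = heapq.heappop(heap)
        if site == dst:
            return cost
        if (site, via) in seen:
            continue
        seen.add((site, via))
        for link in links:
            if site in link.sites and can_continue(via, link.name):
                for other in link.sites - {site}:
                    heapq.heappush(heap, (cost + link.cost, other, link.name))
    return None


# Constructed data: the test-site subnet is carved out of the HQ range to show
# that the longest prefix, not the first match, decides the site.
SUBNETS = {"10.1.0.0/16": "HQ", "10.1.200.0/24": "Test", "10.2.0.0/16": "Hub",
           "10.3.1.0/24": "Remote1", "10.3.2.0/24": "Remote2",
           "10.3.3.0/24": "Remote3", "10.4.0.0/16": "Sub"}
LINKS = [
    SiteLink("HQ-Hub", frozenset({"HQ", "Hub"}), 100),
    SiteLink("Hub-Remotes", frozenset({"Hub", "Remote1", "Remote2", "Remote3"}), 200),
    SiteLink("HQ-Test", frozenset({"HQ", "Test"}), 100),
    SiteLink("HQ-Sub", frozenset({"HQ", "Sub"}), 300),
]


if __name__ == "__main__":
    print(site_for("10.1.200.7", SUBNETS))                                   # Test
    print(replication_cost(LINKS, "Remote1", "Test"))                        # 400
    print(replication_cost(LINKS, "Remote1", "Test", bridges=[{"HQ-Hub", "HQ-Test"}]))  # None
```

An address that matches no subnet gets no site, which is the case the "group subnets into sites" step exists to prevent: such a client cannot use the site-specific locator records and falls back to any DC in the domain.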
Site Topology: Arcadia Bay example
[Diagram: sites HQ, Hub, Remote (three), Test site, Subsidiary (Sub); site links 1, 2, 3; a site link bridge]
Users And The Namespace: Users are oblivious
- Users not exposed to namespaces
  - Never have to type a domain name, LDAP DN, or site name
  - E-mail style login names can be unrelated to actual domain names
  - Main interaction is to query global catalog
- Admins see the namespace
Summary: Remember these key points
- Domains are for partitioning
- OUs are for
  - Delegation of administration
  - Application of policy
- Sites are for
  - DC selection by clients
  - Scheduling of replication
- DNS is the domain and computer locator
Call To Action: Marketing made me add this slide
- Validate your software in customer scenarios
- Other talks: "Developing Directory Enabled Applications"
  - Part I: How to Write a Directory-Enabled Application
  - Part II: Designing Distributed Applications for Active Directory
  - http://msdn.microsoft.com/developer/windowsnt5/adsi/default.htm