Post on 21-Dec-2015
transcript
Session 2: Core Infrastructure Design
Andrew Hill – Consultant
Rob Lowe – Consultant
MCS Talks Infrastructure Architecture
Live Meeting Information...
Feedback Panel
Questions & Answers
Blog - http://blogs.technet.com/MCSTalks
Purpose
Purpose: To provide design guidance for Microsoft Windows Server 2008 Active Directory
Agenda
- Determine the process for Active Directory design
- Assist designers in the decision-making process
- Provide design assistance based on best practice and real-world experience
Active Directory Design Overview
- Forest and domain design
- Organizational Units (OUs)
- Group Policy Objects (GPOs)
- Security Groups
- Domain Controller placement (inc. RODC)
- Sites topology
- Domain Controller configuration
- DNS
Active Directory in Microsoft Infrastructure Optimization
Infrastructure Optimization maturity levels: Basic, Standardized, Rationalized, Dynamic
Data Protection and Recovery
Identity and Access Management
Security and Networking
Desktop, Device, and Server Management
Windows Server 2008 Active Directory Domain Services
Tips for the Planning Process
Considerations at each design phase:
- Complexity
- Cost
- Fault tolerance
- Performance
- Scalability
- Security
Contoso Network Infrastructure
(Network diagram: sites with user counts and roles; WAN link speeds on the diagram range from 512KB to 1GB.)
- Ireland: 1,000 users, development
- London: 6,000 users, head office (London LAN)
- India: 1,500 users, development
- Bristol: fail-over data centre
- Manchester: 25,000 users, call centre, data centre (Manchester LAN)
- Glasgow: 25,000 users, manufacturing (Glasgow LAN)
- Remote VPN users: 3,000 (1MB to 8MB ADSL)
- York: 100 users
- Newcastle: 350 users
- Edinburgh: 400 users
- Birmingham: 750 users
- Reading: 350 users
- Oxford: 250 users
- Exeter: 500 users
- Paris: 20 users
- Tokyo: 10 users
- New York: 30 users
How Many Forests?
Option 1: Single Forest
Option 2: Multiple Forests
Multiple Forest Drivers
Multiple Schemas
Resource Forests
Forest Administrator Distrust
Legal Regulations for Application or Data Access
Requirements to be disconnected for long periods (e.g. Military)
Determine the Number of Forests
Single Organizational Forest Model
(Diagram: one forest containing Exchange, users, workstations, applications and SharePoint.)
Multiple Organizational Forest Model
(Diagram: two organizational forests, each with its own Exchange, users, workstations, applications and SharePoint, joined by a forest trust.)
Shared Resource Forest Model
(Diagram: a resource forest hosting Exchange and SharePoint; two organizational forests holding users, workstations and applications, each linked to the resource forest by a forest trust.)
Shared Account Forest Model
(Diagram: an account forest holding Exchange, users, workstations, applications and SharePoint; two separate forests for restricted data and applications, each linked to the account forest by a forest trust.)
Determine the Number of Domains
How many Domains?
Option 1: Single Domain
Option 2: Multiple Domains
Multiple Domain drivers:
- Large number of frequently changing attributes
- Reduced replication traffic
- Control replication traffic over slow links
- Preserve a legacy Active Directory
Forest and Domain Functional Levels
2003 interim FFL:
- Linked Value Replication
- Different replication compression ratios
- Improved KCC
2003 FFL:
- Forest Trusts (+ with Selective Authentication)
- Deactivation of attributes within the Schema
- Domain Rename
- RODC (2008 OS only, with schema updates)
2008 DFL:
- Fine-Grained Password Policies
- DFS-R for Sysvol
- Last Interactive Logon information
Fine-Grained Password Policies
(Diagram: System > Password Settings Container > Password Settings Object, linked to users and groups via msDS-PSOAppliesTo / msDS-PSOApplied; an exceptional PSO linked directly to a user.)
Attributes:
- msDS-PasswordSettingsPrecedence
- msDS-PasswordReversibleEncryptionEnabled
- msDS-PasswordHistoryLength
- msDS-PasswordComplexityEnabled
- msDS-MinimumPasswordLength
- msDS-MinimumPasswordAge
- msDS-MaximumPasswordAge
- msDS-LockoutThreshold
- msDS-LockoutObservationWindow
- msDS-LockoutDuration
PSO Application:
- Lowest precedence value wins, then lowest PSO GUID
- msDS-ResultantPso identifies which PSO applies (RSOP calculation)
- User and Global Group links are included; a PSO linked to the user overrides one linked through a group
- Best to assign users to only one PSO Global Group
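The PSO resolution rules on this slide, modelled as a small Python script (an added example, not code from the deck or from Microsoft's implementation). The directory contents, PSO names and GUID values are constructed, and "lowest GUID" is modelled as the GUID's unsigned integer value, which is an assumption of this model.

```python
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class PSO:
    """Model of a Password Settings Object: name, msDS-PasswordSettingsPrecedence,
    objectGUID, and the DNs (users or global groups) in msDS-PSOAppliesTo."""
    name: str
    precedence: int
    guid: uuid.UUID
    applies_to: frozenset


def applicable_psos(user_dn, group_dns, psos):
    """Candidate PSOs for a user. A PSO linked directly to the user overrides
    every PSO linked through a global group, regardless of precedence."""
    direct = [p for p in psos if user_dn in p.applies_to]
    if direct:
        return direct
    return [p for p in psos if p.applies_to & frozenset(group_dns)]


def resultant_pso(user_dn, group_dns, psos):
    """msDS-ResultantPso: lowest precedence value wins; a tie is broken by the
    lowest GUID (modelled here as the unsigned integer value, an assumption).
    None means the Default Domain Policy governs the account."""
    candidates = applicable_psos(user_dn, group_dns, psos)
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.precedence, p.guid.int))


def group_pso_conflicts(user_dn, group_dns, psos):
    """Design check from the slide ("assign users to only one PSO global group"):
    returns the group-linked PSOs competing for this user when there is more
    than one, so precedence is not silently deciding the password policy."""
    via_groups = [p for p in psos if p.applies_to & frozenset(group_dns)]
    return sorted(p.name for p in via_groups) if len(via_groups) > 1 else []


# Constructed sample directory (not from the deck).
ADMINS = "CN=PSO-Admins,OU=Groups,DC=contoso,DC=com"
SVC = "CN=PSO-ServiceAccounts,OU=Groups,DC=contoso,DC=com"
ALICE = "CN=alice,OU=Users,DC=contoso,DC=com"
BOB = "CN=bob,OU=Users,DC=contoso,DC=com"
CAROL = "CN=carol,OU=Users,DC=contoso,DC=com"
PSOS = [
    PSO("AdminPSO", 10, uuid.UUID(int=0x20), frozenset({ADMINS})),
    PSO("ServiceAccountPSO", 10, uuid.UUID(int=0x10), frozenset({SVC})),  # same precedence, lower GUID
    PSO("AliceExceptionPSO", 50, uuid.UUID(int=0x30), frozenset({ALICE})),  # exceptional, user-linked
]
MEMBERSHIP = {ALICE: [ADMINS, SVC], BOB: [ADMINS, SVC], CAROL: []}

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        pso = resultant_pso(user, MEMBERSHIP[user], PSOS)
        print(user.split(",")[0], "->", pso.name if pso else "Default Domain Policy",
              group_pso_conflicts(user, MEMBERSHIP[user], PSOS))
```

Alice gets the user-linked exception PSO despite its worse precedence, Bob's tie at precedence 10 is decided by the GUID, and Carol falls back to the Default Domain Policy.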
Assign Domain Names
Assign the NetBIOS name:
- Maximum effective length of 15 characters
- Use a NetBIOS name that is unique across the organisation
Assign the DNS name:
- Ensure uniqueness by not duplicating existing registered Internet domain names
- Register all domain names with Internic
- The name should not represent a business unit or division
- Avoid using single-label names
Organisational Units
Choose an OU design:
- Task 1: Design the OU configuration for delegation of administration
- Task 2: Design the OU configuration for Group Policy application
Other OU (and container) related recommended practices:
- Do not move DCs out of the Domain Controllers OU
- Do not move built-in users and groups from the Users container
- OUs and child objects are now protected from accidental deletion by default in 2008
Contoso Organisational Unit Design
Group Policy Objects
Very powerful, but consider management of group policies in the design. Best practices:
- Specify user and computer settings in separate GPOs
- Use many small GPOs with few settings each rather than fewer large GPOs with many settings
- Make the GPO name descriptive of its purpose
- Do not unlink the Default Domain and Default Domain Controllers policies
Advanced Group Policy Management:
- Change control workflow
- V3.0 (2008) increases granular permissions
Advanced Group Policy Management
Current version: 2.5
Next version: 3.0 RTM, September 2008
What it does and its benefits:
- Enable group policy change management
- Provides granular administrative control
- Reduce risk of widespread failure
- Versioning, history & rollback of group policy changes
- Role-based administration & templates
- Workflow
- Offline editing
Advanced Group Policy Management - Reporting
- Difference reports
- Settings reports
Group Policy Preferences
Security Groups
Group scope:
- Account groups (for grouping users and computers): Global, Universal
- Resource groups (for controlling rights and permissions): Domain Local, Built-in Local
Complex group nesting makes audit and reconciliation more difficult
Domain Controller Placement
Placement of the Domain Controllers:
- Hub locations
- Satellite (branch) locations
- Heavily dictated by network and application requirements
Global Catalog (GC):
- Very few reasons now not to make all DCs a GC
Read-Only Domain Controllers:
- New in Windows Server 2008 (read-only AD and no passwords)
- Primarily a security feature to mitigate against high-risk sites
RODC Deployment
Consider the following:
- Application needs – Exchange?
- Do applications make write / read-back calls?
- Site topology – BASL (Bridge All Site Links) turned off?
- Password Replication Policy – which model for you?
- Remember: no cached accounts means more WAN / hub DC impact; cache computer and user accounts
Deployment:
- Start with a minimum of 2 x 2008 RW hub DCs
- Add the 2008 RWDC to the NS records (for RSO, Replicate Single Object)
- Delegate deployment – don’t use Domain Admins
Create the Site Design
Option 1: create a logical site for each physical location
- Assign subnets for each physical location to the corresponding site
- Site coverage
Option 2: create a logical site only for physical locations with domain controllers
- Assign subnets for each physical location to the most appropriate site depending on the underlying network
Create a Site Link Design
- Site links map to the underlying network
- Set cost and schedule
Bridge all site links (on by default):
- Appropriate if the network is fully routable (all domain controllers can communicate with all other domain controllers)
- Generally not recommended for Branch Office – KCC overheads
- Use Repadmin /siteoptions to disable!
Custom site link bridges:
- Use when the network is not fully routed, e.g. when network firewalls restrict communications between domain controllers
Contoso Network Infrastructure Revisited
(Network diagram repeated from the Contoso Network Infrastructure slide.)
Active Directory Replication Topology
- The KCC automatically manages the topology based on the site link design
- Applies to Active Directory and Sysvol replication
- Sysvol uses DFS-R for replicating its contents in new Windows Server 2008 native forests
- Sysvol can be migrated to DFS-R once the DFL is at 2008
- FRS VVJoins are inherently inefficient; DFS-R Sysvol eliminates the inefficiency in FRS VVJoins
- Migration is a simple 4-step process for upgraded forests
Domain Controller Configuration
- 64-bit supports a much larger addressable memory space
- Allow enough memory for the entire Active Directory database to be cached
- Think about 64-bit now; 32-bit will be unavailable in several years’ time
- CPU and query performance
- Disk configuration: keep the database and logs on separate physical drives for better performance
- Running RODCs on Hyper-V: never snapshot a DC – even an RODC
DNS
- Critical for Active Directory; AD-integrated DNS recommended
- Consider the forwarding model: root hints can introduce additional management overhead; forwarding is the recommended approach for AD
- New in Windows Server 2008: storage of conditional forwarding settings in Active Directory
What’s Next? Discuss, Rinse, Repeat
Implement your designTest and refine design along the way
Summary and Conclusion
Organizations should base the design of their Active Directory infrastructure on business and technical requirements. Considerations should include:
- The scope of the network and environment
- Technical requirements and considerations
- Additional business requirements
- Designing an Active Directory infrastructure to meet these requirements
- Validating the overall approach
Questions and Answers
Please enter your questions using the Q&A panel for the presenters!
Thank you for attending this TechNet Event
Find these slides at: http://www.microsoft.com/uk/technetslides
Visit our blog at: http://blogs.technet.com/mcstalks
Register for the next session, Messaging, at: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032386416&Culture=en-GB
Please fill out your evaluations!