Lab 2-1: Designing Active Directory for Security

Lab Objectives

This lab prepares you to develop an Active Directory design to meet security requirements by meeting the following objectives:

  • Determine the number of forests required based on security requirements
  • Determine the number of domains required based on security requirements
  • Design an OU structure for delegation of administration
  • Design an OU structure for Group Policy deployment

About This Lab

This lab will help you test your ability to design an Active Directory for an organization named Contoso Ltd. The lab is based on the material learned in this chapter.

Before You Begin

Make sure that you've completed reading the chapter material before starting the lab. Pay close attention to the sections where the design decisions were applied throughout the chapter for information on building your administrative structure.

Scenario: Contoso Ltd.

Contoso Ltd. is an international magazine sales company with major offices in Great Britain, the United States, and Peru. The corporate office is located in London, with the North American central office in Seattle and the South American office in Lima.

Contoso is migrating to a Windows 2000 network and you're acting as a consultant assisting them with their Windows 2000 network design. Contoso currently has no organization-wide network and wants to establish one that will increase security and lower total cost of ownership.

Existing Network

The Contoso network is laid out as shown in Figure 2.17.


Figure 2.17 The Contoso Wide Area Network

The WAN link between London and Seattle is a dedicated T1 link, and the link between London and Lima is a 56 Kbps link. The link between London and Lima is currently 90 percent utilized. There is concern about minimizing the replication traffic between Lima and London without increasing the bandwidth of the network link.

There are currently 20,000 users at the London office, 5,000 users at the Seattle office, and 500 users at the Lima office.

Design Considerations

In order to save costs associated with DCs, Contoso would like to create a Windows 2000 network that minimizes the number of required forests and domains. In addition, the network design must meet the following business requirements:

  • Replication traffic on the WAN link to Lima must be minimized.
  • The Seattle office wants to use a minimum password length of eight characters, while the rest of the organization wants a minimum password length of six characters.
  • The IT staff at each of the three locations is concerned about the management of the forest-wide administration groups. The Active Directory design should limit the number of users who can modify membership in the Enterprise Admins and Schema Admins groups.
  • Contoso wants to ensure that standard applications are deployed on both clients and servers.

Group Policy Requirements

You use Group Policy to deploy consistent security configuration to all Windows 2000 desktop computers. The following categories of computer have been defined for the organization:

  • Desktops
  • Portables
  • File servers
  • Domain controllers
  • Web servers

Each category has its own unique security template that will be deployed using Group Policy in Active Directory.
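The following script is an added example and is not part of the Training Kit. It shows one way to realize the category-per-OU approach the text describes: a computer OU per category, one GPO per category linked only to that OU, and computer accounts moved out of the default Computers container by naming convention. It assumes a domain of DC=contoso,DC=com, a host with the RSAT ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 or later; Windows 2000 had no PowerShell), and computer names prefixed DSK-, LAP-, FS- and WEB-; all of these are assumptions, not values from the lab.

```powershell
# Added example, not from the Training Kit. Assumptions: domain DC=contoso,DC=com,
# RSAT ActiveDirectory and GroupPolicy modules available, computer names prefixed
# DSK- (desktops), LAP- (portables), FS- (file servers) and WEB- (web servers).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN    = (Get-ADDomain).DistinguishedName
$computersOU = "OU=Contoso Computers,$domainDN"   # assumed parent OU for all computer categories

# Category -> OU name and computer-name prefix. Domain controllers are handled
# separately: they stay in the built-in Domain Controllers OU.
$categories = @{
    'Desktops'     = @{ OU = 'Desktops';     Prefix = 'DSK-' }
    'Portables'    = @{ OU = 'Portables';    Prefix = 'LAP-' }
    'File Servers' = @{ OU = 'File Servers'; Prefix = 'FS-'  }
    'Web Servers'  = @{ OU = 'Web Servers';  Prefix = 'WEB-' }
}

New-ADOrganizationalUnit -Name 'Contoso Computers' -Path $domainDN

foreach ($cat in $categories.Keys) {
    $ouName = $categories[$cat].OU
    New-ADOrganizationalUnit -Name $ouName -Path $computersOU
    $ouDN = "OU=$ouName,$computersOU"

    # One GPO per category, linked to that OU only, so the category's security
    # template reaches exactly the computers of that category and no others.
    $gpo = New-GPO -Name "SEC - $cat" -Comment "Security template for $cat"
    New-GPLink -Name $gpo.DisplayName -Target $ouDN -LinkEnabled Yes | Out-Null

    # Move matching computer accounts out of CN=Computers, their default location,
    # so that the OU-linked GPO actually applies to them.
    $prefix = $categories[$cat].Prefix
    Get-ADComputer -SearchBase "CN=Computers,$domainDN" -Filter "Name -like '$prefix*'" |
        Move-ADObject -TargetPath $ouDN
}

# Domain controllers: link their GPO to the built-in OU rather than moving them.
$dcOU  = "OU=Domain Controllers,$domainDN"
$dcGpo = New-GPO -Name 'SEC - Domain Controllers' -Comment 'Security template for domain controllers'
New-GPLink -Name $dcGpo.DisplayName -Target $dcOU -LinkEnabled Yes | Out-Null

# Verify: for each category OU, show which GPOs are linked directly and which
# are inherited from the domain, so unintended inheritance is visible.
foreach ($ou in (Get-ADOrganizationalUnit -SearchBase $computersOU -Filter *)) {
    Get-GPInheritance -Target $ou.DistinguishedName |
        Select-Object Path,
            @{ n = 'Linked';    e = { $_.GpoLinks.DisplayName -join ', ' } },
            @{ n = 'Inherited'; e = { $_.InheritedGpoLinks.DisplayName -join ', ' } }
}
```

The script creates and links the GPOs but leaves them empty; the security template for each category is then loaded into the GPO under Computer Configuration, Windows Settings, Security Settings with the Import Policy action of the Group Policy editor. The verification loop at the end is the check worth keeping: a category OU should list exactly its own GPO as linked, and anything it inherits from the domain level is applied before the category settings, so a domain-level template that conflicts with a category template shows up here rather than on the computers.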

Administration Requirements

Contoso wishes to delegate some of the administrative functions within a domain to various teams within its organization. This includes the following delegation requirements:

  • The help desk must be able to reset all passwords within the domain so the staff can assist users who have logon problems because of expired or forgotten passwords.
  • The Human Resources department must be able to change all management, address, and phone-related information for all user objects.
  • The Marketing, Sales, Accounting, and Finance departments want to manage their employees' user accounts.
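The script below is an added example and is not part of the Training Kit. It implements the three delegation requirements above as ACEs on an assumed OU layout: a Contoso Users OU that holds every user account, with one child OU per department. It assumes a domain of DC=contoso,DC=com, that security groups named HelpDesk, HR-Staff and Marketing-Admins, Sales-Admins, Accounting-Admins and Finance-Admins already exist, and that it runs with Domain Admins rights on a host with the RSAT ActiveDirectory module (Windows Server 2008 R2 or later); the group names, OU names and attribute list are assumptions chosen for the example.

```powershell
# Added example, not from the Training Kit. Assumptions: domain DC=contoso,DC=com,
# groups HelpDesk, HR-Staff and <Department>-Admins exist, RSAT ActiveDirectory
# module available, run as a Domain Admin.
Import-Module ActiveDirectory

$rootDSE  = Get-ADRootDSE
$domainDN = (Get-ADDomain).DistinguishedName
$usersOU  = "OU=Contoso Users,$domainDN"   # assumed: all user accounts live below this OU

# Resolve schema and extended-right GUIDs by name instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

# Adds one Allow ACE for $GroupName to the security descriptor of an OU.
function Add-OuAce {
    param(
        [string]$OuDN,
        [string]$GroupName,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,           # attribute, class or extended right; Empty = all
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'Descendents',
        [guid]$InheritedObjectType = [guid]::Empty   # object class that inherits the ACE; Empty = any
    )
    $sid = (Get-ADGroup $GroupName).SID
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
    $acl = Get-Acl -Path "AD:\$OuDN"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

$userClass     = Get-SchemaGuid 'user'
$resetPassword = Get-ExtendedRightGuid 'Reset Password'
$departments   = 'Marketing', 'Sales', 'Accounting', 'Finance'

# OU layout: one child OU per department that manages its own accounts.
New-ADOrganizationalUnit -Name 'Contoso Users' -Path $domainDN
foreach ($dept in $departments) {
    New-ADOrganizationalUnit -Name $dept -Path $usersOU
}

# 1. Help desk: the Reset Password extended right on every user below the users OU,
#    and nothing else (no write to other attributes, no group membership changes).
Add-OuAce -OuDN $usersOU -GroupName 'HelpDesk' -Rights ExtendedRight `
    -ObjectType $resetPassword -InheritedObjectType $userClass

# 2. Human Resources: write access limited to the management, address and phone
#    attributes of user objects (attribute list is an assumption for the example).
foreach ($attr in 'manager', 'telephoneNumber', 'mobile', 'streetAddress', 'l', 'st', 'postalCode', 'c') {
    Add-OuAce -OuDN $usersOU -GroupName 'HR-Staff' -Rights WriteProperty `
        -ObjectType (Get-SchemaGuid $attr) -InheritedObjectType $userClass
}

# 3. Departments: may create and delete user objects in their own OU and have
#    full control over the user objects there, but nothing outside their OU.
foreach ($dept in $departments) {
    $ou = "OU=$dept,$usersOU"
    Add-OuAce -OuDN $ou -GroupName "$dept-Admins" -Rights 'CreateChild, DeleteChild' `
        -ObjectType $userClass -Inheritance All
    Add-OuAce -OuDN $ou -GroupName "$dept-Admins" -Rights GenericAll `
        -InheritedObjectType $userClass
}

# Verify: list the explicit (non-inherited) ACEs now present on the users OU.
(Get-Acl -Path "AD:\$usersOU").Access | Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

Two design choices matter here. The help-desk right is granted on the users OU rather than on the domain root, so it does not reach the administrative accounts in CN=Users; granting it at the root would let the help desk reset Domain Admins' passwords. The HR grant names individual attributes rather than a whole property set, so HR cannot change other attributes of a user (logon script, group memberships, account control flags) through the same ACE. If the help desk must also force a password change at next logon, it additionally needs write access to pwdLastSet.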

Exercise 1: Determining the Number of Forests

This lab exercise will have you determine the number of forests that Contoso needs for its Windows 2000 network. You must base your decision on technical reasons for creating a separate forest. The answers to these questions can be found in the appendix.

  1. Are there any business factors that may lead you to implementing more than one forest?

  2. What effect would multiple forests have on your Active Directory design?

  3. How many forests are required for the Contoso Windows 2000 network?

  4. Are there any circumstances that may cause Contoso to require more than one forest in the future?


Exercise 2: Determining the Number of Domains

This lab exercise will have you determine the number of domains required for the Contoso Windows 2000 network based on the provided business requirements. The answers to these questions can be found in the appendix.

  1. Which business factors will require Contoso to deploy multiple domains?

  2. Draw an Active Directory domain design for Contoso.

  3. If the link between London and Lima were upgraded to a 512 Kbps fractional-T1, how would this affect the Active Directory design?


Exercise 3: Designing an OU Structure

This exercise will have you design an OU structure for delegation of administration. Your design must be based on the information presented in the scenario at the beginning of the lab. The answers to these questions can be found in the appendix.

Designing an OU Structure for Administration

  1. In the space below, draw an OU structure for the Seattle domain for all user accounts. The OU structure must allow for delegation of administration as outlined in the opening scenario.

  2. Based on your OU structure, complete the following table of delegation assignments.

    Domain/OU                Administrators           Permissions

Designing an OU Structure for Group Policy Deployment

The following exercise requires you to design an OU structure that will ensure that the security templates described at the beginning of the lab are deployed to the correct computers in the London domain. For this exercise, assume that you can move Windows 2000 computer accounts from their default location in Active Directory if this will facilitate your OU structure design. The answers to these questions can be found in the appendix.

  1. Draw an OU structure for the deployment of the following security templates in the space provided below: Desktops, Portables, File Servers, Domain Controllers, and Web Servers.

  2. Complete the following table to determine where in the OU structure you should apply the security templates by using Group Policy to ensure consistent security settings.

    OU                       Apply the Security Template
    File Servers
    Domain Controllers
    Web Servers


Microsoft Corporation - MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security
ISBN: 0735611343
Year: 2001