Lesson 1: Designing a Forest Model

The first step in creating a forest plan is to design a forest model for an organization's Active Directory infrastructure. This lesson walks you through the steps for designing a forest model, including assessing the factors in the organization's environment that impact its forest model and determining the number of forests to use.


After this lesson, you will be able to

  • Assess the factors in an organization's environment that impact its forest model
  • Indicate the reasons for using multiple forests in an Active Directory infrastructure
  • Explain the implications of using multiple forests
  • Analyze an organization's environment to design its forest model

Estimated lesson time: 20 minutes


Understanding Forests

In Active Directory, a forest is a distributed database. The database is a collection of one or more Windows 2000 domains that share a single schema, configuration container, and global catalog and are linked by implicit two-way transitive trusts. Forests help users interact with the directory and help administrators manage multiple domains.

Recall that the Active Directory schema is a list of definitions that determines the kinds of objects and the types of information about those objects that can be stored in Active Directory. The schema is a naming context that is replicated to every domain controller in the forest. A naming context is a tree of objects stored in Active Directory. The Schema Admins predefined universal group has full control of the schema.

The configuration container stores configuration objects that represent the structure of Active Directory, including display specifiers, extended rights, partitions, sites, domain controllers, services, well-known security principals, and other configuration objects. The configuration container is a naming context that is replicated to every domain controller in the forest. The Enterprise Admins predefined universal group has full control of the configuration container.

Recall that the global catalog is the central repository of information about objects in a tree or forest. It stores a full replica of all object attributes in the directory for its host domain and a partial replica of the object attributes contained in the directory of every other domain in the forest. The global catalog allows users and administrators to find objects outside of the domain and across the enterprise with speed and efficiency. It also allows users to log on easily by using an abstracted (shortened) user principal name (UPN), rather than specifying the default (full domain path) UPN. For example, if the user Sherri has her user account in sls.uk.microsoft.com, she must type sherri@sls.uk.microsoft.com to log on. By abstracting the sls.uk.microsoft.com domain name in the domain tree, the global catalog allows her to type sherri@microsoft.com when logging on.

Design Step: Designing a Forest Model

To design the forest model needed for your organization, you must complete the following tasks:

  1. Assess the organization's forest needs.
  2. Determine the number of forests for your organization.

Assessing Forest Needs

To design a forest model for your organization, you must first consult the following business and technical environment analysis documents compiled earlier by your design team:

  • Business Structures Worksheet. Assess the current administrative structure of your organization.
  • IT Management Organization Worksheet. Assess current structure and administration practices in your organization's IT management organization.
  • Technical Standards Worksheet. Assess current administrative and security standards.

In addition to assessing these requirements, it is imperative that you assess any changes that may be planned for the sites or domain controller locations to address growth, flexibility, and the ideal design specifications of the organization.

NOTE

Blank copies of the worksheets are located on the Supplemental Course Materials CD-ROM (\chapt02\worksheets). Completed examples of the worksheets are located in Chapter 2, "Introduction to Designing a Directory Services Infrastructure."

Determining the Number of Forests

Because Windows 2000 domains in a forest share a single schema, configuration container, and global catalog and are linked by two-way transitive trusts, you should strive to have only one forest for your organization. Ideally, the use of multiple forests should be temporary, and reserved for situations such as a merger, acquisition, or partnership where two or more organizations must be joined. Be aware that by defining multiple forests you require users in your organization to take a series of complex steps just to use the directory. Refer to "Implications of Using Multiple Forests," later in this lesson, for further information.

Reasons to Use Multiple Forests

Although you should strive to define only one forest for your organization, there are some situations that may warrant the use of multiple forests. You may need to consider using multiple forests if any of the following are true:

  • Network administration is separated into autonomous groups that do not trust each other.
  • Business units are politically separated into autonomous groups.
  • Business units must be separately maintained.
  • There is a need to isolate the schema, configuration container, or global catalog.
  • There is a need to limit the scope of the trust relationship between domains or domain trees.

If you want to separate business units or keep specific users from accessing resources and you cannot achieve this through your domain or OU structure, a multiple forest model can be an effective tool for creating privacy and security.

IMPORTANT

Although the reasons above may indicate that you need to define multiple forests, you should always consult your design team before proceeding with a multiple forest model. Examine all options for delegating administration using domains or OUs before you define multiple forests.

Implications of Using Multiple Forests

Adding a forest increases administrative and usability costs. When determining whether to use multiple forests, keep the following administrative issues in mind:

  • Schema. Each forest has its own schema. You will need to maintain the contents and administration group memberships for each schema separately even if they are similar. Refer to Lesson 2, "Designing a Schema Modification Plan," for details.
  • Configuration container. Each forest has its own configuration container. You will need to maintain the contents and administration group memberships for each configuration container separately even if they are similar.
  • Trusts. An explicit one-way nontransitive trust is the only trust relationship permitted between domains in different forests. You must explicitly (manually) set up and maintain a series of one-way nontransitive trusts to accommodate domains requiring interforest trust relationships. Figure 3.1 is an example of an interforest trust relationship.
  • Replication. Replication of objects between forests is manual and requires the development of new administrative policies and procedures.
  • Merging forests or moving domains. Forests cannot be merged in a one-step operation; you must clone security principals, migrate objects, decommission domain controllers, downgrade them to member servers, and add each to the new forest domain.
  • Moving objects. Although objects can be moved between forests, you must use the ClonePrincipal tool to clone security principals in the new forest, or the LDAP Data Interchange Format (LDIFDE.EXE) command-line tool to move other objects.
  • Smart card logon. Default UPNs must be maintained for smart cards to be able to log on across forests.
  • Additional domains. Each forest must contain at least one domain. Additional domains increase hardware and administrative costs. Refer to Chapter 4, "Creating a Domain Plan," for further information.


Figure 3.1 An interforest trust relationship
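The "Moving objects" item above says that objects other than security principals are carried between forests with the LDIFDE tool. An LDIFDE export cannot simply be imported into the other forest: every distinguished name still ends in the source domain, and the export carries attributes the directory generates itself (objectGUID, objectSid, uSN and when* values, backlinks such as memberOf) that an import must not supply. The following is an added example, not code from the training kit: a small LDIF rewriter that re-roots the DNs and drops those attributes. The sample export, the domain names forest-a.example and forest-b.example, and the attribute sets are constructed for illustration; the set of system attributes is representative, not exhaustive.

```python
# Attributes the directory generates itself; an import must not carry them
# (ldifde -o is normally used to omit them). Illustrative set, not exhaustive.
SYSTEM_ATTRIBUTES = {
    "objectguid", "objectsid", "usncreated", "usnchanged", "whencreated",
    "whenchanged", "distinguishedname", "name", "instancetype",
    "dscorepropagationdata", "memberof",
}
# Attributes whose values are distinguished names and must be re-rooted.
DN_VALUED = {"dn", "member", "manager"}


def parse_ldif(text):
    """Split LDIF into records; each record is a list of (attr, sep, value).

    sep is ':' for plain values and '::' for base64 values. Folded lines
    (continuation lines that start with one space) are joined back together.
    """
    records, current = [], []
    for line in text.splitlines():
        if line.startswith(" ") and current:          # folded continuation
            attr, sep, value = current[-1]
            current[-1] = (attr, sep, value + line[1:])
        elif not line.strip():                         # blank line ends a record
            if current:
                records.append(current)
                current = []
        elif line.startswith("#"):
            continue
        else:
            attr, _, rest = line.partition(":")
            sep = "::" if rest.startswith(":") else ":"
            current.append((attr, sep, rest[len(sep) - 1:].strip()))
    if current:
        records.append(current)
    return records


def rewrite_dn(dn, old_root, new_root):
    """Re-root a DN: ...,DC=forest-a,DC=example -> ...,DC=forest-b,DC=example."""
    if not dn.lower().endswith(old_root.lower()):
        raise ValueError(f"{dn!r} is not under {old_root!r}")
    return dn[: len(dn) - len(old_root)] + new_root


def rewrite_record(record, old_root, new_root):
    """Drop system attributes and re-root every DN-valued attribute."""
    out = []
    for attr, sep, value in record:
        key = attr.lower()
        if key in SYSTEM_ATTRIBUTES:
            continue
        if key in DN_VALUED and sep == ":":
            value = rewrite_dn(value, old_root, new_root)
        # userPrincipalName is left unchanged: which UPN suffixes the target
        # forest should accept is a separate design decision.
        out.append((attr, sep, value))
    return out


def to_ldif(records):
    lines = []
    for record in records:
        lines.extend(f"{attr}{sep} {value}" for attr, sep, value in record)
        lines.append("")
    return "\n".join(lines)


def prepare_for_import(export_text, old_root, new_root):
    """Turn an export from the source forest into text importable in the target."""
    records = parse_ldif(export_text)
    return to_ldif(rewrite_record(r, old_root, new_root) for r in records)


# Constructed sample of an ldifde export of one user and one group; all values
# (GUIDs, SIDs, names) are made up for this example.
SAMPLE_EXPORT = """\
dn: CN=Sherri,OU=Sales,DC=forest-a,DC=example
objectClass: top
objectClass: user
cn: Sherri
sAMAccountName: sherri
userPrincipalName: sherri@forest-a.example
objectGUID:: 3q2+78r+3q2+78r+3q2+7w==
objectSid:: AQUAAAAAAAUVAAAAAQIDBAUGBwgJCgsMUQQAAA==
uSNCreated: 12345
whenCreated: 20010115120000.0Z
memberOf: CN=Sales Staff,OU=Sales,DC=forest-a,DC=example

dn: CN=Sales Staff,OU=Sales,DC=forest-a,DC=example
objectClass: top
objectClass: group
cn: Sales Staff
sAMAccountName: Sales Staff
groupType: -2147483646
member: CN=Sherri,OU=Sales,
 DC=forest-a,DC=example
objectGUID:: 3q2+78r+3q2+78r+3q2+8A==
"""

if __name__ == "__main__":
    print(prepare_for_import(SAMPLE_EXPORT,
                             "DC=forest-a,DC=example", "DC=forest-b,DC=example"))
```

The group record is written after the user record on purpose: an import creates objects in file order, and a group's member values must name objects that already exist in the target forest.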

When determining whether to use multiple forests, also keep the following usability issues in mind:

  • User logon. When a user logs on to a computer outside his or her own forest, he or she must specify the default UPN, which contains the full domain path for the user account, rather than just the easy-to-remember abstracted UPN. The default UPN is required because the domain controller in the forest will not be able to find the abstracted UPN in its global catalog. The user's abstracted UPN resides only in the global catalog in the user's forest.
  • User queries. Users must be trained to make explicit queries across all of an organization's forests. Incomplete or incorrect queries can negatively affect users' work.
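The Trusts item above (only explicit one-way nontransitive trusts between forests) and the User logon item (an abstracted UPN resolves only through the user's own forest's global catalog, so a default UPN is needed elsewhere) can be seen together in a small model. This is an added example, not code from the training kit: the forests, domains, users and the single external trust are constructed, and the names Forest, Directory, resolve_logon and build_sample are this example's own. The model goes slightly beyond the text in also showing that the external trust does not extend to a child domain of the trusting forest and does not work in the other direction.

```python
class Forest:
    """One Active Directory forest: its domains, accounts and global catalog."""

    def __init__(self, name, root_domain):
        self.name = name
        self.root = root_domain
        self.domains = {root_domain}
        self.accounts = {}        # default UPN (sam@account-domain) -> domain
        self.global_catalog = {}  # userPrincipalName (abstracted UPN) -> domain

    def add_domain(self, dns_name):
        self.domains.add(dns_name)

    def add_user(self, sam, domain):
        """Create an account; its abstracted UPN uses the forest root suffix."""
        if domain not in self.domains:
            raise ValueError(f"{domain} is not in forest {self.name}")
        self.accounts[f"{sam}@{domain}"] = domain
        self.global_catalog[f"{sam}@{self.root}"] = domain


class Directory:
    """Several forests plus the explicit one-way trusts between them."""

    def __init__(self):
        self.forests = []
        self.explicit_trusts = set()  # (trusting domain, trusted domain)

    def forest_of(self, domain):
        return next((f for f in self.forests if domain in f.domains), None)

    def add_external_trust(self, trusting, trusted):
        """Accounts from `trusted` may use resources in `trusting`, and only there."""
        self.explicit_trusts.add((trusting, trusted))

    def trusts(self, trusting, trusted):
        """Can accounts from `trusted` authenticate to resources in `trusting`?"""
        if trusting == trusted:
            return True
        own = self.forest_of(trusting)
        if own is not None and own is self.forest_of(trusted):
            return True  # implicit two-way transitive trusts inside one forest
        # Across forests: one-way and nontransitive, so no chaining is attempted.
        return (trusting, trusted) in self.explicit_trusts

    def resolve_logon(self, computer_domain, upn):
        """Return (account domain, explanation); the domain is None when logon fails."""
        local = self.forest_of(computer_domain)
        if local is None:
            raise ValueError(f"{computer_domain} is not in any forest")
        account_domain = local.global_catalog.get(upn)
        how = "abstracted UPN found in the local global catalog"
        if account_domain is None:
            # Not in this forest's global catalog: only a default UPN can work,
            # because its suffix names the account domain directly.
            _, _, suffix = upn.partition("@")
            remote = self.forest_of(suffix)
            if remote is None or upn not in remote.accounts:
                return None, "UPN not in local global catalog and not a default UPN"
            account_domain = remote.accounts[upn]
            how = "default UPN routed to the account domain"
        if not self.trusts(computer_domain, account_domain):
            return None, f"{computer_domain} does not trust {account_domain}"
        return account_domain, how


def build_sample():
    """Constructed example: two forests and one explicit external trust."""
    a = Forest("Forest A", "a.example")
    a.add_domain("sls.a.example")
    a.add_user("sherri", "sls.a.example")
    b = Forest("Forest B", "b.example")
    b.add_domain("eu.b.example")
    b.add_user("bob", "b.example")
    d = Directory()
    d.forests += [a, b]
    d.add_external_trust("b.example", "sls.a.example")  # b.example trusts sls.a.example
    return d


if __name__ == "__main__":
    d = build_sample()
    for computer, upn in [("a.example", "sherri@a.example"),
                          ("b.example", "sherri@a.example"),
                          ("b.example", "sherri@sls.a.example"),
                          ("eu.b.example", "sherri@sls.a.example"),
                          ("sls.a.example", "bob@b.example")]:
        print(f"{upn:>22} on {computer:<14} -> {d.resolve_logon(computer, upn)}")
```

The second and fourth cases are the ones the lesson warns about: sherri@a.example fails from Forest B because that abstracted name exists only in Forest A's global catalog, and the default UPN that does work from b.example still fails from eu.b.example because the external trust is nontransitive.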

All of the reasons for using multiple forests involve administrative issues. However, the negative effects of a multiple forest scenario have the greatest impact on users. You should consider that the issues that are important to administrators are not the same issues that are important to users. Unless the use of multiple forests in your organization appears transparent to users, you should try not to create separate forests.

To design a forest model

  1. Consider the reasons for using multiple forests and determine whether your organization requires one or multiple forests.
  2. If your organization requires multiple forests, temporarily label each forest (Forest A, Forest B, etc.) and list the reasons why each forest is required.

Design Step Example: Designing a Forest Model

Figure 3.2 shows a forest model for the A. Datum Corporation, an Internet service provider (ISP) that hosts Active Directory for some of its clients. At this stage the forests needed for the organization have only been identified: they have not been named, nor have the domains within them been placed in a hierarchy.


Figure 3.2 Forest model for A. Datum Corporation

Lesson Summary

In this lesson you learned the steps for designing a forest model, including assessing the factors in the organization's environment that impact its forest model and determining the number of forests to use. You learned that the factors within the organization that can affect the forest model include administrative structures, IT management organization structure and administration practices, and the current administrative and security standards. In addition, changes currently planned to address growth and flexibility needs and changes that would help to meet the ideal design specifications of the organization can also affect the forest model.

You also learned that you should always strive to define only one forest for your organization. However, there are some situations that may warrant the use of multiple forests. You learned the reasons for using multiple forests and the implications of using them. Finally, you learned that you should always consult your design team before proceeding with a multiple forest model. It is important to examine all options for delegating administration using domains or OUs before you define multiple forests.



MCSE Training Kit Exam 70-219(c) Designing a Microsoft Windows 2000 Directory Services Infrastructure
MCSE Designing a Microsoft Windows 2000 Directory Services Infrastructure Readiness Review; Exam 70-219 (Pro-Certification)
ISBN: 0735613648
Year: 2001
Pages: 76
