If you need to provide information about users not currently defined in the schema, you must extend the schema for the User class. The schema contains a formal definition of the contents and structure of Active Directory, including all attributes, classes, and class properties.
By adding OUs to other OUs, or nesting, you can provide administrative control in a hierarchical fashion. By nesting the Deliveries OU within the Orders OU, the Orders OU has administrative control of the Deliveries OU but the Deliveries OU does not have administrative control of the Orders OU.
Additional global catalog servers can provide quicker responses to user inquiries, as well as redundancy. However, additional global catalog servers can require more bandwidth for replication traffic.
To create a specific desktop configuration such as background wallpaper for all Windows computers in an organization, you create group policy objects (GPOs) for sites, domains, or OUs. To display the logo on every computer in the organization, you need to apply a global GPO.
A tree is a grouping or hierarchical arrangement of one or more Windows 2000 domains that you create by adding one or more child domains to an existing parent domain. Domains in a tree share a contiguous namespace and a hierarchical naming structure. The parent domain stateuniversity.microsoft.com and the domain stateuniversity.expedia.com do not form a contiguous namespace. Therefore, you cannot arrange these domains in a tree.
Exercise: Analyzing a Current Business Structure
Business Structures Worksheet
The Administration department serves as the decision-making unit of the organization and carries out administrative functions. The Maintenance department is responsible for maintaining the company's aircraft. The Operations department is responsible for coordinating the components that keep the aircraft flying, such as scheduling food purveyors, baggage handlers, pilots and flight attendants, and purchasing fuel. The Sales department is responsible for advertising and selling seats on airline flights. The Maintenance, Operations, and Sales departments report to the Administration department.
Users in each department: Administration (75), Maintenance (40), Operations (100), Sales (50). Total number of network users: 265.
Administration: Butte, MT. Maintenance: Salt Lake City, UT. Operations: Reno, NV. Sales: Boise, ID, and Laramie, WY.
Butte, MT: 75. Salt Lake City, UT: 40. Reno, NV: 100. Boise, ID: 30. Laramie, WY: 20.
The Administration department uses the network for marketing, accounting, training, and IT functions. The Maintenance department uses the network to document their maintenance activities and to maintain parts inventories. The Operations department uses the network to coordinate the scheduling of food purveyors, baggage handlers, pilots and flight attendants, and purchasing fuel. The Sales department uses the system for ticketing and developing advertisements.
There are no special operations at Vigor Airlines.
Because your team consists of four members of the IT department and only one member from outside the department, it is likely that your team will be unable to provide an accurate analysis of the entire organization. It is also likely that your team will be asked to redo your Active Directory infrastructure design because you have not involved any decision-making managers in your design team. By selecting members of the design team from the entire organization, your team will be more effective.
The diagram included in the business structure analysis shows the geographical structure of the network. A diagram showing the administrative structure must also be included in the analysis. An organization's administrative structure represents the functions, divisions, departments, or positions within an organization and how they are related, including the organization's hierarchy and authority structure.
Compare your inventory with the list of Windows 2000 Server compatible hardware, available at http://www.microsoft.com/windows2000/upgrade/compat/default.asp.
Scenario: Adventure Works
The advantages of using a multiple forest model are
The disadvantages of using a multiple forest model are
Use a single forest model. The benefits of the single forest model (lower maintenance, meeting senior management goals) easily outweigh allowing the retail IT management department to continue managing only the retail operations.
Exercise 1: Designing a Forest Model
Exercise Questions
The advantages of using a multiple forest model are
The disadvantages of using a multiple forest model are
Use a multiple forest model. Because there are no initiatives to integrate the two businesses and it is likely that multiple schemas will be required, maintaining the businesses separately seems to be the best choice.
Exercise 2: Designing a Schema Modification Plan
Exercise Questions
The following items should be included in a schema modification plan for LitWare, Inc.: Modification description, modification justification, assessment of impact, complete description of the new schema object class, and written approval to test the modification from the schema modification approval committee.
The design team should not design a schema modification plan because it is likely that it is unnecessary. If the new inventory application is directory-enabled, it may automatically modify the schema, providing opportunities to handle the book title and ISBN without manually modifying the schema. You should examine all other alternatives before modifying the schema and you should be sure to test directory-enabled applications that modify the schema before installing them on the network.
Because Windows 2000 domains in a forest share a single schema, configuration container, and global catalog and are linked by two-way transitive trusts, you should strive to have only one forest for your organization.
You should inform the decision makers how users are affected by multiple forests when logging on and when performing queries. In multiple forest scenarios, when users log on to a computer outside their own forest, they must specify the default UPN, which contains the full domain path for their user account, rather than just their easy-to-remember abstracted UPN. The default UPN is required because the domain controller in the forest will not be able to find the abstracted UPN in its global catalog. The user's abstracted UPN resides only in the global catalog in the user's forest. You should also inform the decision makers that to assist the users with queries, you will have to arrange for user training in making explicit queries across all of an organization's forests because the risk of users making incomplete or incorrect queries can affect how they perform their work.
Domain administrators in both domains must configure an explicit one-way nontransitive trust between the Accounting and Finance domains. If the Finance domain trusts the Accounting domain, users in the Accounting domain can access resources in the Finance domain, but users in the Finance domain cannot access resources in the Accounting domain. Then, either domain administrator, with the correct permissions in both forests, must import the resource object into Forest 1 using the LDIFDE command-line tool. The resource object replicates to Forest 1's global catalog and the user can find the object by querying Forest 1's global catalog. Finally, the user can access the resource in Forest 2.
You should avoid changing the schema because the Active Directory schema contains hundreds of the most common object classes and attributes that users of a server system require. The need to change the schema is rare.
When schema class or attribute objects are added, they cannot be deleted if they are no longer needed. They can only be deactivated. You cannot deactivate the base schema, however; you can deactivate only schema that you have added.
If you know the types of data that Active Directory will hold, you can more effectively determine whether to change the base schema in the future and whom the changes will affect.
Scenario 1: Friendship Vineyards
Friendship Vineyards has no security requirements that cannot be handled within one domain. Although the company needs its administrators to apply group policies to the distribution personnel at all locations, the policies involve a user interface requirement, not a special administrative requirement. To satisfy the user interface requirement, administrators can apply policies to the distribution personnel at the OU level. A check of the network architecture diagram shows that all links are sound and there is no need to optimize replication. Since there are no requirements to preserve the existing Windows NT domains, Friendship Vineyards requires only one domain.
Scenario 2: Awesome Computers
Awesome Computers has password and account lockout security requirements at each regional office that cannot be handled within a domain. Therefore, the company needs to create a domain for each regional office. Because language settings are handled by clients in Windows 2000, there is no need to define domains based on language settings. Because of the legacy applications required in the Brazilian and Thai sales offices, each will require its own domain that must remain in mixed mode. Bits, Bytes & Chips, Inc., will also require its own domain to retain its presence on the Internet. Awesome Computers requires ten domains.
Scenario 1: Friendship Vineyards
Because the forest for Friendship Vineyards contains only one domain, the design team has designated the existing domain as the forest root domain.
Because the forest for Friendship Vineyards contains only one domain, there is no domain hierarchy.
Because Friendship Vineyards has a Web presence using the DNS name f-100times.com, the forest root domain will need a new DNS name to distinguish it from the existing Internet domain. Your design team named the forest root domain corp.f-100times.com. Answers may vary.
Scenario 2: Awesome Computers
The headquarters domain was selected as the forest root domain because it is the most critical to the operation of the organization and because IT decisions that affect the entire organization are handled by the Corporate IT Management department at headquarters. The design team did not feel it was necessary to create a dedicated forest root domain because headquarters is already serving as a separate administrative entity. However, the team realizes that it may still need to designate a dedicated domain and will revisit this issue later in the design process. The diagram below shows the forest root domain defined for Awesome Computers.
There are two trees and tree root domains, one for Awesome Computers and one for Bits, Bytes & Chips, Inc. The tree root domain for the Awesome Computers tree is also the forest root domain. To accommodate the regional offices and optimize trust relationships, regional offices will be child domains of the forest root domain, and the sales office domains in Thailand and Brazil will be grandchild domains of their respective regional domains. To accommodate the Brazilian sales office's need to access engineering resources at the European location, a cross-link trust has been established between the two domains. There are no child subdomains for Bits, Bytes & Chips, Inc. The domain hierarchy diagram is shown in the following figure.
Because the organization already has an Internet presence using the DNS name a-100times.com, the forest root domain will be named corp.a-100times.com. The forest root domain is also the tree root domain for Awesome Computers. The tree root domain for Bits, Bytes & Chips, Inc., is named corp.b-100times.com. The child subdomains for Awesome Computers are named for each of the regional offices. The remaining grandchild subdomains are named for the corresponding sales offices. Answers may vary. The following figure shows the domain hierarchy diagram with domain names defined for Awesome Computers.
Exercise: Creating a Domain Plan
Exercise Questions
The following figure shows the domains defined for Parnell Aerospace. Answers may vary. Domains were defined for the following reasons:
The previous figure shows the forest root domain defined for Parnell Aerospace. At the Phoenix headquarters, two separate departments handle IT management. One department handles IT management for the Phoenix office only, and the other handles IT management for the entire organization. The design team decided to add a dedicated domain as the forest root domain to separate the two IT management departments located in Phoenix and to reap the benefits of using a dedicated forest root domain. Answers may vary.
Because Parnell Aerospace has registered the DNS name p-100times.com and Lakes & Sons has registered the DNS name l-100times.com, the organization will need two trees in its Active Directory infrastructure. The forest root domain will also serve as the tree root domain for the Parnell Aerospace tree, while the domain at the Seattle location will serve as the tree root domain for the Lakes & Sons tree.
Users at all locations must often access engineering resources at the Phoenix location. Although each regional office domain must then go through the root domain to access resources at the Phoenix headquarters, there is no need to use cross-link trusts in this scenario except for possibly the domain at the Minneapolis location. Your design team must determine whether traffic between Minneapolis and headquarters warrants a cross-link trust.
Because the organization already has an Internet presence using the DNS names p-100times.com and l-100times.com, the Parnell Aerospace tree root and forest root domain will be named corp.p-100times.com. The Lakes & Sons tree root domain will be named corp.l-100times.com. The child subdomains are named for the regional offices using the codes as defined by ISO 3166.
The domain hierarchy diagram and domain names for Parnell Aerospace are shown in the following figure. Answers may vary.
The four reasons for defining multiple domains are to meet security requirements, to meet administrative requirements, to optimize replication traffic, and to retain Windows NT domains.
The reasons for designating an existing domain as the forest root domain are
The reasons for designating a dedicated domain as the forest root domain are
Your team may need to define more than one domain tree if your organization has more than one DNS name.
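The contiguous-namespace rule used earlier for stateuniversity.microsoft.com and stateuniversity.expedia.com, and the two-tree conclusion for Parnell Aerospace and Lakes & Sons, both come down to one check: a domain belongs to a tree only if its DNS parent is also a domain in the plan. The following added example (not part of the training kit answers) groups a planned set of domain names into trees by that rule; the child name us.corp.p-100times.com is constructed to stand in for the ISO 3166 regional names the answer leaves unspecified.

```python
"""Group planned Active Directory DNS domain names into trees.

Added example, not part of the training kit. A domain joins a tree only
when its immediate DNS parent is itself a planned domain; a domain whose
parent is absent from the plan (typically the registered Internet name)
is a tree root. Domain names below come from the page or are constructed.
"""
from collections import defaultdict


def parent_of(domain):
    """DNS parent of a name (one leftmost label stripped), '' at the top."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else ""


def share_contiguous_namespace(parent, child):
    """True when child is an immediate DNS child of parent."""
    return parent_of(child) == parent.lower().strip(".")


def find_tree_root(domain, planned):
    """Walk up the namespace while the parent is still a planned domain."""
    current = domain.lower()
    parent = parent_of(current)
    while parent in planned:
        current = parent
        parent = parent_of(current)
    return current


def group_into_trees(domains):
    """Map each tree root to the sorted list of planned domains in its tree.

    The number of keys is the number of trees the forest needs.
    """
    planned = {d.lower().strip(".") for d in domains}
    trees = defaultdict(list)
    for d in sorted(planned):
        trees[find_tree_root(d, planned)].append(d)
    return dict(trees)


if __name__ == "__main__":
    # Parnell Aerospace / Lakes & Sons: two registered names, so two trees.
    plan = ["corp.p-100times.com", "us.corp.p-100times.com",  # us.* is constructed
            "corp.l-100times.com"]
    for root, members in group_into_trees(plan).items():
        print(root, "->", members)
```

Running the block prints one line per tree; the Friendship Vineyards names corp.f-100times.com, north.corp.f-100times.com and south.corp.f-100times.com collapse to a single tree under the same function, while the two stateuniversity names stay separate because neither is the other's DNS parent.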
You should be sure to register and receive verification for domain names before creating your Active Directory domain namespace. After you name your forest root domain you cannot change it and it is difficult to change other domain names.
DNS BIND version 8.1.2 or later and Windows NT 4 DNS meet the DNS server requirements to support Active Directory.
Although these DNS services are compatible with Active Directory, only the Windows 2000 DNS service allows you to use Active Directory-integrated zones, incremental zone transfer, and secure dynamic updates.
Scenario: Arbor Shoes
Because each of the three locations has a small autonomous IT staff to handle support tasks, OUs were set up for San Francisco, Houston, and Boston. An administrative group at each location will have full control over its top-level OU. Because there are separate administrative groups at each location to handle the basic administration of users, the administration of computers, and the administration of resources, three second-level OUs were set up at each location for each top-level OU.
Arbor Shoes has no requirements for hiding objects.
A GPO applied to the top-level OU at each location can meet the requirement of providing a specific logon and logoff script for all users at each location, except for users in the Finance department. An additional third-level OU must be defined for the Finance department in each location. Then, a separate GPO must be linked to each Finance department OU in order to provide the separate logon script for users in the Finance department at each location. In addition, Block Policy Inheritance must be set for each Finance department OU so the logoff script set for all users at each location is not inherited by the Finance department.
The following figure shows the OU structures defined to delegate administration and to administer group policies for Arbor Shoes.
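The Finance-department answer above depends on two group policy mechanics: policies are applied top-down so the GPO closest to the user wins a conflict, and Block Policy Inheritance on the Finance OU stops the location-wide logoff script from arriving at all. The following added example (not code from the training kit) models that resolution for the San Francisco Finance OU. Container and GPO names follow the Arbor Shoes answer; the domain name and script file names are constructed. The No Override handling is standard Windows 2000 group policy behaviour the answer does not discuss: a link marked No Override cannot be blocked and is applied last, which is the caveat to keep in mind before relying on Block Policy Inheritance to exempt an OU from a domain-level setting.

```python
"""Which GPOs reach an OU once Block Policy Inheritance is set.

Added example, not part of the training kit. Containers and GPO names
follow the Arbor Shoes answer; the domain name and script file names are
constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class GpoLink:
    gpo: str
    no_override: bool = False      # "No Override" on the link (later called Enforced)


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # GpoLink objects in link order
    block_inheritance: bool = False


def applied_gpos(chain):
    """GPO names in application order for the last container in chain.

    chain runs from the domain down to the target OU. Links are processed
    top-down, so a GPO linked closer to the OU overrides one linked higher
    up when both define the same setting.
    """
    # Only links at or below the lowest blocking container are inherited.
    block_index = 0
    for i, container in enumerate(chain):
        if container.block_inheritance:
            block_index = i
    normal, enforced = [], []
    for i, container in enumerate(chain):
        for link in container.links:
            if link.no_override:
                enforced.append(link.gpo)
            elif i >= block_index:
                normal.append(link.gpo)
    # No Override links are applied after all others, the highest one last,
    # so they win regardless of any block below them.
    return normal + list(reversed(enforced))


def resolve_settings(chain, gpo_settings):
    """Merge settings of the applied GPOs; later GPOs override earlier ones."""
    effective = {}
    for gpo in applied_gpos(chain):
        effective.update(gpo_settings.get(gpo, {}))
    return effective


# Settings carried by each GPO (constructed values).
GPO_SETTINGS = {
    "Domain Baseline": {"audit_logon_events": True},
    "SF Scripts": {"logon_script": "sf-logon.bat", "logoff_script": "sf-logoff.bat"},
    "SF Finance Scripts": {"logon_script": "sf-finance-logon.bat"},
}


def san_francisco_finance_chain(block=True):
    """Domain -> San Francisco OU -> Users OU -> Finance OU, per the answer."""
    domain = Container("arborshoes.example (constructed)",
                       [GpoLink("Domain Baseline", no_override=True)])
    san_francisco = Container("San Francisco", [GpoLink("SF Scripts")])
    users = Container("Users")
    finance = Container("Finance", [GpoLink("SF Finance Scripts")],
                        block_inheritance=block)
    return [domain, san_francisco, users, finance]


if __name__ == "__main__":
    for blocked in (True, False):
        chain = san_francisco_finance_chain(block=blocked)
        print("block inheritance =", blocked, "->", resolve_settings(chain, GPO_SETTINGS))
```

With the block in place the Finance OU receives its own logon script and no logoff script; without it the location logoff script leaks through, which is exactly the case the answer guards against. The domain's No Override link reaches Finance either way.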
Scenario: Dearing School of Fine Art
In the table below, place the new student accounts, by account name, in the appropriate OU.
OU | New student accounts |
---|---|
FTUsers (Fiber Arts) | joberry, mengphua |
PTUsers (Fiber Arts) | PT-sarahakh, PT-martawol |
FTUsers (Painting) | joshbarn, sherriha, karankha |
PTUsers (Painting) | PT-Christin |
FTUsers (Drawing) | christob, robyoung |
PTUsers (Drawing) | PT-micheald |
Computer Art | matthewd, lisajaco |
Scenario: The Ski Haus
Set up a Denver Product Design global group and add the Denver Product Designer users to the group. Set up a Geneva Product Design global group and add the Geneva Product Designer users to the group. Then add the Denver Product Design global group to a Denver Product Design domain local group and add the Geneva Product Design global group to a Geneva Product Design domain local group. Grant full control permissions for the ski hat design database to each domain local group.
Set up a Denver domain local group that has read permission for the ski hat design database. Add the Geneva Product Design global group to the Denver domain local group. Set up a Geneva domain local group that has read permission for the ski hat design database. Then add the Denver Product Design global group to the Geneva domain local group.
Set up a universal group. Set up a domain local group in the Geneva domain that has change permission for the ski sweater design database. Add the Geneva Product Design global group and the Denver Product Design global group to the universal group. Add the universal group to a domain local group in Geneva.
Exercise 5.1: Defining an OU Structure
Exercise Questions
This diagram presents one possible answer. You may have named or planned your OU structure differently.
OU created | Reason created | Users and computers contained in the OU |
---|---|---|
Melbourne | Provides delegation of administration to Melbourne IT management organization. | User and computer accounts for Melbourne regional office, except Production servers, HR servers, and Distribution users. |
Chicago | Provides delegation of administration to Chicago IT management organization. | User and computer accounts for Chicago regional office, except Production servers, HR servers, and Distribution users. |
Berlin | Provides delegation of administration to Berlin IT management organization. | User and computer accounts for Berlin regional office, except Production servers, HR servers, and Distribution users. |
New Delhi | Provides delegation of administration to New Delhi IT management organization. | User and computer accounts for New Delhi regional office, except Production servers, HR servers, and Distribution users. |
New Products | Provides delegation of administration to New Products IT management organization. | User and computer accounts for the New Products department. |
MelProd | Provides delegation of administration of server resources to the Melbourne Production department. | Melbourne Production servers. |
ChiProd | Provides delegation of administration of server resources to the Chicago Production department. | Chicago Production servers. |
BerlinProd | Provides delegation of administration of server resources to the Berlin Production department. | Berlin Production servers. |
NDProd | Provides delegation of administration of server resources to the New Delhi Production department. | New Delhi Production servers. |
MelHRSrv | Hides Melbourne HR servers. | Melbourne HR servers. |
ChiHRSrv | Hides Chicago HR servers. | Chicago HR servers. |
BerlinHRSrv | Hides Berlin HR servers. | Berlin HR servers. |
NDHRSrv | Hides New Delhi HR servers. | New Delhi HR servers. |
MelDist | Applies distribution tracking tool using GPO. | Melbourne Distribution users. |
ChiDist | Applies distribution tracking tool using GPO. | Chicago Distribution users. |
BerlinDist | Applies distribution tracking tool using GPO. | Berlin Distribution users. |
NDDist | Applies distribution tracking tool using GPO. | New Delhi Distribution users. |
This table presents one possible answer. You may have named or planned your OU structure differently.
Exercise 5.2: Defining Groups
Exercise Questions
Complete the table below to document your security group design. Include the name of each security group, the group scope, and the members of the group. Also note whether the members are individuals or list group names if the members are groups.
Group | Scope | Members |
---|---|---|
Chicago Production Server Administrators | Global | Chicago Production Server Administrators (individuals) |
Chicago Production Managers | Global | Chicago Production Managers (individuals) |
Chicago Distribution Managers | Global | Chicago Distribution Managers (individuals) |
Chicago Production Specialists | Global | Chicago Production Specialists (individuals) |
Worldwide Production Managers | Global | Melbourne Production Managers, Chicago Production Managers, Berlin Production Managers, New Delhi Production Managers |
Worldwide Distribution Managers | Global | Melbourne Distribution Managers, Chicago Distribution Managers, Berlin Distribution Managers, New Delhi Distribution Managers |
Formulas full | Domain local | Chicago Production Server Administrators |
Formulas read | Domain local | Chicago Production Specialists, Worldwide Production Managers |
Formulas change | Domain local | Chicago Production Managers |
Production and bottling logs full | Domain local | Chicago Production Server Administrators |
Production and bottling logs read | Domain local | Chicago Production Specialists, Worldwide Production Managers, Chicago Distribution Managers |
Production and bottling logs change | Domain local | Chicago Production Managers |
Customer service logs full | Domain local | Chicago Production Server Administrators |
Customer service logs read | Domain local | Chicago Production Specialists, Worldwide Production Managers, Worldwide Distribution Managers |
Customer service logs change | Domain local | Chicago Production Managers |
This table presents one possible answer. You may have named or planned your group structure differently.
The three reasons for defining an OU are: to delegate administration, to hide objects, and to administer group policy. The primary reason for defining an OU is to delegate administration.
If the OU is allowed to set its own membership, place the administrator group inside the OU.
Place the user accounts in the OU administered by the administrative groups and GPOs that apply to the account.
Domain local security groups are most often used to assign permissions to resources.
You should avoid adding individual users to universal groups because when you update the membership of a universal group, the complete membership of the group is replicated to all global catalog servers in the forest, creating a large amount of network traffic. To ensure minimal impact on replication traffic, you should add global groups, not individual users, to universal groups and change the membership of universal groups as infrequently as possible.
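The Ski Haus group design above (global groups for the designers at each location, domain local groups carrying the database permissions, and one universal group for the cross-location sweater database) and the universal-group membership rule just stated can be checked together. The following added example (not code from the training kit) models that design, resolves the permissions each designer ends up with, and flags two nesting mistakes: a user placed directly in a universal group, which forces the membership change onto every global catalog server, and a global group holding an account from another domain, which Active Directory does not allow. The group names follow the Ski Haus answer; the user names, and the assumption that Denver and Geneva each host their own ski hat design database while the ski sweater database lives in Geneva, are constructed.

```python
"""AGDLP nesting from the Ski Haus answer, with effective-permission lookup.

Added example, not part of the training kit. Group names follow the
answer; user names and the placement of the design databases are
constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    scope: str                 # "global", "domain local" or "universal"
    domain: str
    members: set = field(default_factory=set)   # user or group names


class Directory:
    """Just enough of Active Directory to reason about group nesting."""

    def __init__(self):
        self.users = {}        # user name -> domain
        self.groups = {}       # group name -> Group
        self.acl = {}          # resource -> {group name: permission}

    def add_user(self, name, domain):
        self.users[name] = domain

    def add_group(self, name, scope, domain):
        self.groups[name] = Group(name, scope, domain)

    def add_member(self, group, member):
        self.groups[group].members.add(member)

    def grant(self, resource, group, permission):
        self.acl.setdefault(resource, {})[group] = permission

    def domain_of(self, principal):
        if principal in self.users:
            return self.users[principal]
        if principal in self.groups:
            return self.groups[principal].domain
        return None

    def groups_of(self, principal):
        """Transitive group membership, as the logon token would carry it."""
        found, pending = set(), [principal]
        while pending:
            current = pending.pop()
            for g in self.groups.values():
                if current in g.members and g.name not in found:
                    found.add(g.name)
                    pending.append(g.name)
        return found

    def effective_permissions(self, user, resource):
        """Permissions the user holds on the resource through any ACL group."""
        token = self.groups_of(user)
        return {perm for grp, perm in self.acl.get(resource, {}).items() if grp in token}

    def membership_warnings(self):
        """Flag nesting that breaks AGDLP or inflates global catalog replication."""
        warnings = []
        for g in self.groups.values():
            for m in sorted(g.members):
                if g.scope == "universal" and m in self.users:
                    warnings.append(f"{g.name}: user {m} is a direct universal member")
                if g.scope == "global" and self.domain_of(m) != g.domain:
                    warnings.append(f"{g.name}: {m} is not from domain {g.domain}")
        return warnings


def build_ski_haus():
    """The Ski Haus answer with constructed users and database placement."""
    d = Directory()
    d.add_user("alice", "denver")      # constructed Denver product designer
    d.add_user("bruno", "geneva")      # constructed Geneva product designer
    # Accounts into global groups.
    d.add_group("Denver Product Design", "global", "denver")
    d.add_group("Geneva Product Design", "global", "geneva")
    d.add_member("Denver Product Design", "alice")
    d.add_member("Geneva Product Design", "bruno")
    # Global groups into domain local groups that hold full control locally.
    d.add_group("Denver Product Design DL", "domain local", "denver")
    d.add_group("Geneva Product Design DL", "domain local", "geneva")
    d.add_member("Denver Product Design DL", "Denver Product Design")
    d.add_member("Geneva Product Design DL", "Geneva Product Design")
    d.grant("Denver ski hat design database", "Denver Product Design DL", "full control")
    d.grant("Geneva ski hat design database", "Geneva Product Design DL", "full control")
    # Read access for the other location's designers.
    d.add_group("Denver Ski Hat Readers", "domain local", "denver")
    d.add_group("Geneva Ski Hat Readers", "domain local", "geneva")
    d.add_member("Denver Ski Hat Readers", "Geneva Product Design")
    d.add_member("Geneva Ski Hat Readers", "Denver Product Design")
    d.grant("Denver ski hat design database", "Denver Ski Hat Readers", "read")
    d.grant("Geneva ski hat design database", "Geneva Ski Hat Readers", "read")
    # Universal group of both global groups, nested into a Geneva DL group.
    d.add_group("Product Design Worldwide", "universal", "geneva")
    d.add_member("Product Design Worldwide", "Denver Product Design")
    d.add_member("Product Design Worldwide", "Geneva Product Design")
    d.add_group("Ski Sweater Change", "domain local", "geneva")
    d.add_member("Ski Sweater Change", "Product Design Worldwide")
    d.grant("Geneva ski sweater design database", "Ski Sweater Change", "change")
    return d
```

Calling `build_ski_haus().membership_warnings()` returns an empty list for the design as written; adding a user straight into Product Design Worldwide produces a warning, which is the check to run on any proposed group plan before it is implemented.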
Scenario: Ramona Publishing
Sites were defined for the following reasons:
The reasons for locating domain controllers in this manner are
Therefore, two domain controllers are placed in each of these sites.
Exercise: Creating a Site Topology Plan
Exercise Questions
Sites were defined for the following reasons:
The reasons for locating domain controllers in this manner are
There is a one-to-one relationship between the following sites and domains:
Therefore, two domain controllers are placed in each of these sites.
The Tokyo, Yokohama, and Kawasaki sites are all contained in the north.corp.f-100times.com domain. To meet minimum requirements, one domain controller is placed in each site. To handle the relatively large number of users in the Tokyo site, an additional domain controller is placed in the Tokyo site.
The Kyoto and Osaka sites are both contained in the south.corp.f-100times.com domain. To meet minimum requirements, one domain controller is placed in each site.
Site Link | Transport | Cost | Frequency | Availability |
---|---|---|---|---|
Na-To | IP | 25 | 15 min | always |
Na-Os | IP | 25 | 15 min | always |
To-Os | IP | 25 | 15 min | always |
To-Yo | IP | 50 | 1 hr | 2300 to 0500 daily |
To-Ka | IP | 50 | 1 hr | 2300 to 0500 daily |
Os-Ky | IP | 50 | 1 hr | 2300 to 0500 daily |
Os-Fu | IP | 100 | 2 hr | 2300 to 0500 daily |
To-Sa | SMTP | 100 | 2 hr | 2300 to 0500 daily |
Cost, frequency, and availability answers may vary. However, because there are three different intersite link speeds, your site link table should have at least three costs.
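Site link costs only matter relative to one another: with site link bridging enabled (the default), the KCC routes intersite replication over the chain of links with the lowest summed cost, and the slowest link on that chain bounds how quickly a change propagates. The following added example (not code from the training kit) parses the site link table above, confirms it carries three distinct cost tiers, and computes the least-cost path between any two sites. The SMTP restriction it applies, that the SMTP transport cannot carry replication of a domain partition between domain controllers of the same domain, is standard Active Directory behaviour rather than something the table states.

```python
"""Least-cost replication paths over the Friendship Vineyards site link table.

Added example, not part of the training kit. The rows are copied from the
answer table; the path calculation mirrors how the KCC compares bridged
site links, and the SMTP rule is standard AD behaviour.
"""
import heapq

SITE_LINK_TABLE = """\
Na-To | IP | 25 | 15 min | always
Na-Os | IP | 25 | 15 min | always
To-Os | IP | 25 | 15 min | always
To-Yo | IP | 50 | 1 hr | 2300 to 0500 daily
To-Ka | IP | 50 | 1 hr | 2300 to 0500 daily
Os-Ky | IP | 50 | 1 hr | 2300 to 0500 daily
Os-Fu | IP | 100 | 2 hr | 2300 to 0500 daily
To-Sa | SMTP | 100 | 2 hr | 2300 to 0500 daily
"""


def parse_frequency(text):
    """'15 min' -> 15 minutes, '2 hr' -> 120 minutes."""
    value, unit = text.split()
    return int(value) * (60 if unit.startswith("hr") else 1)


def parse_site_links(table):
    """Return (site_a, site_b, transport, cost, interval_minutes, availability) rows."""
    links = []
    for line in table.strip().splitlines():
        name, transport, cost, freq, avail = [f.strip() for f in line.split("|")]
        site_a, site_b = name.split("-")
        links.append((site_a, site_b, transport, int(cost), parse_frequency(freq), avail))
    return links


def build_graph(links, ip_only=False):
    """Undirected adjacency map; ip_only drops SMTP links, which cannot carry
    the domain partition between DCs of the same domain."""
    graph = {}
    for site_a, site_b, transport, cost, interval, _avail in links:
        if ip_only and transport != "IP":
            continue
        graph.setdefault(site_a, []).append((site_b, cost, interval))
        graph.setdefault(site_b, []).append((site_a, cost, interval))
    return graph


def least_cost_path(graph, src, dst):
    """Dijkstra over site link costs.

    Returns (total_cost, path, slowest_interval_minutes) or None when no
    usable chain of links connects the two sites.
    """
    best = {src: 0}
    queue = [(0, src, [src], 0)]
    while queue:
        cost, site, path, slowest = heapq.heappop(queue)
        if site == dst:
            return cost, path, slowest
        if cost > best.get(site, float("inf")):
            continue
        for nxt, link_cost, interval in graph.get(site, []):
            new_cost = cost + link_cost
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                heapq.heappush(queue, (new_cost, nxt, path + [nxt], max(slowest, interval)))
    return None


def distinct_costs(links):
    """The set of cost tiers in the table (the answer expects at least three)."""
    return {cost for _a, _b, _t, cost, _i, _avail in links}


if __name__ == "__main__":
    rows = parse_site_links(SITE_LINK_TABLE)
    graph = build_graph(rows)
    print("cost tiers:", sorted(distinct_costs(rows)))
    for dst in ("Yo", "Fu", "Sa"):
        print("Na ->", dst, least_cost_path(graph, "Na", dst))
    print("Na -> Sa over IP only:", least_cost_path(build_graph(rows, ip_only=True), "Na", "Sa"))
```

Nagoya to Yokohama goes through Tokyo at cost 75 rather than through Osaka at cost 100, and the slowest link on that path replicates hourly; Sapporo is reachable only over the SMTP link, so with `ip_only=True` no path exists, which is the reminder that an SMTP-only site cannot hold a domain controller for a domain that also has DCs elsewhere.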
The reasons for locating global catalog servers in this manner are
The reasons for locating operations masters in this manner are
You should define a site for each LAN or set of LANs that are connected by a high-speed backbone or for a location that does not have direct connectivity to the rest of the network and is only reachable using SMTP mail. Because a T1 line is not a high-speed backbone, you should define three sites.
The reasons for placing additional domain controllers into sites are as follows:
A site link table should include the site link name, method of replication transport, site link cost, replication frequency, and replication availability for each site link.
Polling and pull replication are used between bridgehead servers during intersite replication. Pull replication is the most efficient for intersite replication because the destination domain controller knows which replication data to request. Notification and push replication are used for intrasite replication, when domain controllers are well connected and not restrained by site link schedules.
The infrastructure master role should not be assigned to the domain controller that has been designated as the global catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, and so will never replicate any changes to the other domain controllers in the domain. If all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.
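The infrastructure master rule above is easy to violate when domain controllers are added later or a DC is promoted to a global catalog without revisiting role placement, so it is worth checking mechanically against a placement plan. The following added example (not code from the training kit) validates a list of planned domain controllers: each domain must hold exactly one PDC emulator, RID master and infrastructure master, the forest exactly one schema master and domain naming master, and the infrastructure master must not sit on a global catalog unless every DC in its domain is one. The additional check that the domain naming master is a global catalog is a Windows 2000 requirement the answer does not mention. Domain controller names are constructed; the domain names are those of the Friendship Vineyards scenario.

```python
"""Validate operations master placement against the global catalog rules.

Added example, not part of the training kit. Domain controller names are
constructed; domain names follow the Friendship Vineyards scenario.
"""
from dataclasses import dataclass, field

DOMAIN_ROLES = ("infrastructure", "pdc", "rid")
FOREST_ROLES = ("naming", "schema")


@dataclass
class DomainController:
    name: str
    domain: str
    site: str
    global_catalog: bool = False
    roles: set = field(default_factory=set)


def placement_issues(dcs):
    """Return one message per placement problem; [] means the plan is sound."""
    issues = []
    for role in FOREST_ROLES:
        holders = [dc for dc in dcs if role in dc.roles]
        if len(holders) != 1:
            issues.append(f"forest: expected one {role} master, found {len(holders)}")
        elif role == "naming" and not holders[0].global_catalog:
            # Windows 2000 requires the domain naming master to be a GC.
            issues.append(f"forest: naming master {holders[0].name} is not a global catalog")
    by_domain = {}
    for dc in dcs:
        by_domain.setdefault(dc.domain, []).append(dc)
    for domain, members in sorted(by_domain.items()):
        for role in DOMAIN_ROLES:
            holders = [dc for dc in members if role in dc.roles]
            if len(holders) != 1:
                issues.append(f"{domain}: expected one {role} master, found {len(holders)}")
                continue
            holder = holders[0]
            all_gc = all(dc.global_catalog for dc in members)
            if role == "infrastructure" and holder.global_catalog and not all_gc:
                # The GC copy never looks stale, so cross-domain references
                # in this domain would never be updated.
                issues.append(f"{domain}: infrastructure master {holder.name} is a "
                              "global catalog while other DCs in the domain are not")
    return issues


def sample_plan(north_second_dc_is_gc=False):
    """Constructed two-domain plan; the child domain breaks the rule by default."""
    return [
        DomainController("corp-dc1", "corp.f-100times.com", "Na", True,
                         {"schema", "naming", "pdc", "rid"}),
        DomainController("corp-dc2", "corp.f-100times.com", "Na", False,
                         {"infrastructure"}),
        DomainController("north-dc1", "north.corp.f-100times.com", "To", True,
                         {"infrastructure", "pdc", "rid"}),
        DomainController("north-dc2", "north.corp.f-100times.com", "To",
                         north_second_dc_is_gc, set()),
    ]


if __name__ == "__main__":
    for msg in placement_issues(sample_plan()) or ["no issues"]:
        print(msg)
    print("after making north-dc2 a GC:", placement_issues(sample_plan(True)))
```

In the constructed plan the root domain is fine because the infrastructure master sits on a non-GC, while north.corp.f-100times.com puts it on the only GC in the domain and is reported; making every DC in that domain a global catalog clears the report, matching the last sentence of the rule above.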
Exercise: Planning a Windows NT 4 Directory Services Migration to Windows 2000 Active Directory
Exercise Questions
Because the current Windows NT domain structure functions fairly well and the scenario mentions no special requirements for keeping the production environment running during the migration process, the domain upgrade method will be used to migrate the domains to Windows 2000.
A dedicated root domain must be created in the Active Directory forest before the upgrade is performed. After the upgrade is performed, it will be necessary to consolidate the resource domains into OUs in the child domains.
Answers may vary, but should include the following:
A recovery plan will be established.
The domains to be upgraded are listed in order. The dedicated root domain will be established first in the Windows 2000 forest. Then the master domains, STOCKS and CASH, will be upgraded followed by the resource domains, PHOENIX, TUSCON, and ALBUQUERQUE.
List the strategy for upgrading domain controllers in each domain. For each of the STOCKS, CASH, PHOENIX, TUSCON, and ALBUQUERQUE domains in order, the PDC will be upgraded followed by the BDC.
Indicate when you plan to switch to native mode. The switch to native mode will be made when resource domains are consolidated into OUs and when administrators are satisfied with the results of the migration.
List the present location of resources in Windows NT and the OUs to which the resources will be consolidated. Resources in each of the resource domains will be consolidated into the stocks.s-100times.com and cash.s-100times.com domains as determined by user needs.
Indicate the trust relationships that must be set up in order for users outside of the forest to access resources when they are consolidated in the target OU. There are no users outside of the forest that need to access resources consolidated into OUs.
Use the domain restructure method when the current production environment cannot withstand any negative effects as a result of the migration process.
A domain restructure migrates the existing Windows NT environment into a pristine Windows 2000 forest using a nondestructive copy. A pristine forest is an ideal Windows 2000 forest that is isolated from the Windows NT production environment and that operates in native mode. Domain accounts exist in both Windows NT and Windows 2000, and the Windows NT environment is retained until it is ready to be decommissioned.
To set up synchronization between Active Directory and Exchange Server 5.5, you must install the Active Directory Connector (ADC). The installation files for ADC are located on the Windows 2000 Server CD in the Valueadd\Msft\Mgmt\ADC folder.
To enable users of Novell directory services to implement synchronization, Microsoft developed Microsoft Directory Synchronization Services (MSDSS), which is included with Services for NetWare version 5 (SFNW5).