TNQ100-01. How To Deploy A Windows 2000 Active Directory In Your Organization

Name
Title
Department
Microsoft Corporation

Session Prerequisites

This session assumes that you understand the fundamentals of:
• General knowledge of Windows NT® 4.0 domains
• Basic knowledge of network operating systems
• General familiarity with Windows 2000

This is a level 200 session

What You Will Learn Today

• When and how to create Domains, Trees, Forests, Organizational Units, and Groups
• Understand sites and replication topology
• Become familiar with new security and administration features
• How to build an enterprise domain architecture
• How Windows NT 4.0 coexists with and migrates to Windows® 2000

Windows 2000 Active Directory

A Focal Point for:
• Manageability
• Security
• Interoperability

Figure: Active Directory at the centre, with the information it holds for each part of the network:
• Windows Users: account info, privileges, profiles, policy
• Windows Clients: mgmt profile, network info, policy
• Windows Servers: mgmt profile, network info, services, printers, file shares, policy
• Applications: server config, Single Sign-On, app-specific directory info, policy
• Network Devices: configuration, QoS policy, security policy
• Firewall Services (Internet): configuration, security policy, VPN policy
• Other Directories: white pages, e-commerce
• Other NOS: user registry, security, policy
• E-Mail Servers: mailbox info, address book

Active Directory Concepts

Logical Concepts
• Domains
• Organizational Units
• Tree
• Forest
• DNS Integration

Physical Concepts
• Sites
• Global Catalog
• Replication

Domains

• Boundary of Security
• Boundary of Authentication
• Boundary of Replication (Domain NC Replication)
• Boundary of DNS Namespace
• Boundary of Administration

Figure: a single domain, COMPANY

Tip: Design your new domain structure as the perfect environment, then integrate with the existing structure

Creating Additional Domains

Reasons to Create Domains
• Unique Security Policies
• Network Optimization
• Network Connectivity

Reasons not to Create Domains
• Namespace Requirements
• Securing Directory Data
• Administration Considerations
• Organizational Structure
• Capacity

Tip: Domain restructuring is not trivial; strive to get it right up front.

Organizational Units

• Containers within Domains
• Distinct Units of Administration
• Unique to Domains

Tip: Find elements common to more than one division, & set the OU structure to provide consistency.

Reasons To Create OUs

• Enhance Administrative Delegation
• Group Policy Application
• 3 Common Structures:
  Geographical: Europe; United States (West Coast, East Coast)
  Organizational: Accounting; IT Staff (Server Admins, Network Admins)
  Task: Users, Printers, Computers

Tip: OU restructuring is trivial. You do not have to get it right the first time.

Groups

Types
• Security
• Distribution

Scopes (figure labels: GG = global group, DL = domain local group, UG = universal group)

Tip: Native Mode provides support for Nested & Universal Security Groups in your Enterprise.

Figure: forest of company, america.company and europe.company. Users couser1, couser2, couser3, euuser1, euuser2, euuser3, amuser1, amuser2 and amuser3; global groups GGCompany, GGAmerica, GGAmerica2 and GGEurope; domain local groups DLCompany, DLAmerica and DLEurope; universal group UG1.
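The nesting rules behind the GG/DL/UG figure are easier to see in code. The following is an added example, not code from the slide deck or from Microsoft: it models the Windows 2000 native-mode rules for which group scope may contain which principal, and expands nested membership the way a logon token sees it. The forest (company, america.company, europe.company), the users and the group names are constructed to mirror the figure.

```python
"""Model of Windows 2000 native-mode security group scopes and nesting rules.

Added example, not code from the slide deck or from Microsoft. The forest
(company, america.company, europe.company), users and GG*/DL*/UG* group
names are constructed to mirror the figure.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "global", "domain_local", "universal"


@dataclass
class Principal:
    """A user (scope None) or a security group with a scope, homed in one domain."""
    name: str
    domain: str
    scope: Optional[str] = None
    members: Set[str] = field(default_factory=set)


def can_contain(container: Principal, member: Principal) -> bool:
    """Native-mode nesting rules:
    global       -> users and global groups from its own domain only
    domain local -> users, global and universal groups from any domain in the
                    forest; other domain local groups only from its own domain
    universal    -> users, global and universal groups from any domain; never
                    a domain local group
    """
    same_domain = container.domain == member.domain
    if container.scope == GLOBAL:
        return same_domain and member.scope in (None, GLOBAL)
    if container.scope == DOMAIN_LOCAL:
        return same_domain if member.scope == DOMAIN_LOCAL else True
    if container.scope == UNIVERSAL:
        return member.scope != DOMAIN_LOCAL
    raise ValueError(f"{container.name} is a user, not a group")


class Directory:
    """Minimal in-memory stand-in for the objects the figure shows."""

    def __init__(self) -> None:
        self.objects: Dict[str, Principal] = {}

    def add(self, *principals: Principal) -> "Directory":
        for p in principals:
            self.objects[p.name] = p
        return self

    def add_member(self, group_name: str, member_name: str) -> None:
        group, member = self.objects[group_name], self.objects[member_name]
        if not can_contain(group, member):
            raise ValueError(f"{group.scope} group {group_name} ({group.domain}) cannot "
                             f"contain {member_name} ({member.scope or 'user'}, {member.domain})")
        group.members.add(member_name)

    def effective_groups(self, name: str) -> Set[str]:
        """Transitive membership: what the logon token carries once nesting is allowed."""
        result: Set[str] = set()
        frontier = [name]
        while frontier:
            current = frontier.pop()
            for group in self.objects.values():
                if group.scope and current in group.members and group.name not in result:
                    result.add(group.name)
                    frontier.append(group.name)
        return result


def build_figure_directory() -> Directory:
    """Constructed data following the AGDLP pattern: accounts go into global
    groups, global groups into a universal or domain local group, and the
    domain local group in the resource domain carries the permission."""
    d = Directory().add(
        Principal("couser1", "company"),
        Principal("amuser1", "america.company"),
        Principal("euuser1", "europe.company"),
        Principal("GGCompany", "company", GLOBAL),
        Principal("GGAmerica", "america.company", GLOBAL),
        Principal("GGAmerica2", "america.company", GLOBAL),
        Principal("GGEurope", "europe.company", GLOBAL),
        Principal("DLCompany", "company", DOMAIN_LOCAL),
        Principal("DLAmerica", "america.company", DOMAIN_LOCAL),
        Principal("UG1", "company", UNIVERSAL),
    )
    d.add_member("GGCompany", "couser1")
    d.add_member("GGAmerica", "amuser1")
    d.add_member("GGAmerica2", "GGAmerica")   # global inside global: native mode, same domain
    d.add_member("GGEurope", "euuser1")
    d.add_member("UG1", "GGAmerica")          # universal group collects globals from any domain
    d.add_member("UG1", "GGEurope")
    d.add_member("DLCompany", "UG1")          # resource domain's domain local group gets the ACL
    d.add_member("DLAmerica", "GGAmerica2")
    return d
```

Running `build_figure_directory().effective_groups("amuser1")` returns every group the user ends up in through nesting; trying `add_member("GGEurope", "amuser1")` raises, because a global group cannot hold an account from another domain. The universal group's membership is the part the Global Catalog must hold, which is why the later slide lists it as required at logon.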

Demonstration: Active Directory Users & Computers Management Console

Trees

• Hierarchy of Domains forming a contiguous namespace
• Transitive Trust Relationships
• All Domains in a Tree share:
  Schema
  Configuration
  Global Catalog

Figure: tree rooted at COMPANY with child domains EUROPE.COMPANY and AMERICA.COMPANY, and the grandchild NICARAGUA.AMERICA.COMPANY

Tip: NT4 style trusts are still supported

Forests

• Hierarchy of Domains forming a contiguous or disjoint namespace
• Transitive Trust Relationships
• All Domains in a Forest share:
  Schema
  Configuration
  Global Catalog

Tip: A single Forest provides a single enterprise-wide Directory.

Figure: one forest holding the COMPANY tree (with AMERICA.COMPANY) and the separate DIVISION.COM tree

DNS And Active Directory

• SRV Records to locate services (req’d.)
• DDNS for Dynamic Update (desired)
• Windows® 2000 DNS also provides:
  Incremental Zone Transfer
  Active Directory Integrated:
    Single replication topology
    Multi-master replication
    Secure Dynamic update

Tip: BIND 8.1.2 or higher is sufficient to use with AD

DNS Implementations

• No existing DNS infrastructure: Deploy Microsoft DNS
• Existing DNS meets requirements
• Existing DNS not adequate:
  Choice 1: Update Server
  Choice 2: Migrate to Microsoft DNS
  Choice 3: Delegate a subdomain to Microsoft DNS

Tip: Windows 2000 DNS included FREE!

Sites

What is a Site?
• A set of well connected IP subnets

Site Usage
• Locating Services (e.g. Logon, DFS)
• Replication
• Group Policy Application

Sites are connected with Site Links
• Connects two or more sites

Tip: A site is a group of subnets where each has LAN speed connectivity to one another.

Site Topology

Figure: domains company, america.company and europe.company spread over Site A, Site B and Site C, each site holding domain controllers, some of them global catalogs.
DC = Domain Controller, GC = Global Catalog
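The "SRV Records to locate services" bullet on the DNS slide and the "Locating Services (e.g. Logon, DFS)" bullet on the Sites slide describe one mechanism: the client maps its own IP address to a site through the subnet objects, then asks DNS for the site-specific SRV record before the domain-wide one. The following added example (not code from the slide deck or from Microsoft) models that lookup. The subnet-to-site table and the SRV answers are constructed; the SRV name formats are the ones Windows 2000 domain controllers register under _msdcs.

```python
"""Model of how a Windows 2000 client locates a domain controller: map its IP
address to a site through the subnet objects, then query DNS SRV records,
site-specific names first.

Added example, not code from the slide deck or from Microsoft. The subnet
table and the SRV answers are constructed; the SRV name formats are the ones
Windows 2000 domain controllers register under _msdcs.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]  # priority, weight, port, target host

# Constructed subnet objects, as they would be defined in Sites & Services.
SUBNETS: Dict[str, str] = {
    "10.1.0.0/16": "Headquarters",
    "10.1.5.0/24": "NewYorkCity",  # constructed overlap: the longer prefix wins
    "10.2.0.0/16": "London",
}

# Constructed zone data: what the DCs would have registered dynamically.
DNS: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.London._sites.dc._msdcs.europe.company": [(0, 100, 389, "londc1.europe.company")],
    "_ldap._tcp.dc._msdcs.europe.company": [(0, 100, 389, "londc1.europe.company"),
                                            (0, 100, 389, "hqdc1.europe.company")],
    "_ldap._tcp.dc._msdcs.america.company": [(0, 100, 389, "nycdc1.america.company"),
                                             (0, 50, 389, "hqdc2.america.company")],
}


def site_for_ip(ip: str, subnets: Dict[str, str] = SUBNETS) -> Optional[str]:
    """Longest-prefix match of the client address against the subnet objects.

    An address covered by no subnet object belongs to no site, so the client
    falls back to any DC in the domain, possibly across a WAN link; that is
    what the 'associate the proper subnets with the sites' tip guards against.
    """
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def locator_srv_names(domain: str, site: Optional[str], service: str = "ldap") -> List[str]:
    """SRV names queried in order: the site-specific name, then the domain-wide one.

    service is "ldap" or "kerberos" for a DC of `domain`, or "gc" for a global
    catalog, in which case `domain` must be the forest root domain name.
    """
    if service == "gc":
        site_name, wide_name = f"_gc._tcp.{site}._sites.{domain}", f"_gc._tcp.{domain}"
    else:
        site_name = f"_{service}._tcp.{site}._sites.dc._msdcs.{domain}"
        wide_name = f"_{service}._tcp.dc._msdcs.{domain}"
    return [site_name, wide_name] if site else [wide_name]


def rank_targets(records: List[SrvRecord]) -> List[str]:
    """RFC 2782 ordering: lowest priority first; within a priority the higher
    weight is preferred (the real locator picks randomly in proportion to
    weight; this returns the deterministic ranking)."""
    return [host for _, _, _, host in sorted(records, key=lambda r: (r[0], -r[1]))]


def find_dc(ip: str, domain: str, dns: Dict[str, List[SrvRecord]] = DNS) -> Optional[Tuple[str, str]]:
    """Return (SRV name that answered, chosen DC), or None when no DC is registered."""
    site = site_for_ip(ip)
    for name in locator_srv_names(domain, site):
        if dns.get(name):
            return name, rank_targets(dns[name])[0]
    return None
```

`find_dc("10.2.0.7", "europe.company")` resolves through the London site record, while a New York client of america.company has no site-specific record in the constructed zone and falls through to the domain-wide name; a client whose address matches no subnet object skips the site lookup entirely. Checking that every office's subnets are listed, and that `_msdcs` holds the expected SRV records, is the practical form of the "associate the proper subnets" and "DNS name resolution" tips later in the deck.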

Replication

• Naming Contexts that are replicated:
  Schema Naming Context
  Configuration Naming Context
  Domain Naming Context
• Multi-Master Replication
• Intra-site Bi-directional Ring Topology
• Inter-site Spanning Tree Topology
• Synchronous RPC over TCP/IP
• Asynchronous SMTP
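The intra-site bidirectional ring above is built automatically by the Knowledge Consistency Checker (KCC), which also adds extra connection objects so that no domain controller in a site is more than three replication hops from any other. The following added example (not code from the slide deck or from Microsoft) is a simplified model of that rule with constructed DC names; details such as building one ring per naming context are left out.

```python
"""Model of the intra-site replication topology: the KCC (Knowledge
Consistency Checker) builds a bidirectional ring of connection objects between
the DCs of a site and adds extra connections so that no DC is more than three
hops from any other.

Added example, not code from the slide deck or from Microsoft; a simplified
stand-in for the KCC's intra-site rule with constructed DC names.
"""
from collections import deque
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

MAX_HOPS = 3  # the intra-site bound the KCC enforces

Topology = Dict[str, Set[str]]


def ring(dcs: List[str]) -> Topology:
    """Bidirectional ring: each DC has a connection object to its two neighbours."""
    topo: Topology = {dc: set() for dc in dcs}
    for i, dc in enumerate(dcs):
        if len(dcs) > 1:
            nxt = dcs[(i + 1) % len(dcs)]
            topo[dc].add(nxt)
            topo[nxt].add(dc)
    return topo


def hops(topo: Topology, src: str, dst: str) -> int:
    """Replication hops between two DCs (BFS); -1 if they are not connected."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        for neighbour in topo[node]:
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append((neighbour, dist + 1))
    return -1


def farthest_pair(topo: Topology) -> Tuple[int, Optional[Tuple[str, str]]]:
    """The pair of DCs with the longest shortest path, and that length."""
    worst: Tuple[int, Optional[Tuple[str, str]]] = (0, None)
    for a, b in combinations(sorted(topo), 2):
        h = hops(topo, a, b)
        if h > worst[0]:
            worst = (h, (a, b))
    return worst


def max_hops(topo: Topology) -> int:
    """Largest hop count between any two DCs in the topology."""
    return farthest_pair(topo)[0]


def kcc_intrasite(dcs: List[str]) -> Tuple[Topology, List[Tuple[str, str]]]:
    """Ring plus optimizing connections until every pair is within MAX_HOPS.
    Returns the topology and the extra connections that had to be added."""
    topo = ring(dcs)
    added: List[Tuple[str, str]] = []
    while True:
        h, pair = farthest_pair(topo)
        if h <= MAX_HOPS or pair is None:
            return topo, added
        a, b = pair  # join the two DCs currently farthest apart
        topo[a].add(b)
        topo[b].add(a)
        added.append((a, b))
```

A plain ring of seven DCs already satisfies the three-hop rule; with twelve DCs the ring alone puts some pairs six hops apart, so `kcc_intrasite` has to add optimizing connections. Replication latency inside a site is therefore bounded by hop count rather than by DC count, which is the property to check with REPADMIN or REPLMON when a site grows.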

Global Catalog

• Partial Replica of all Objects in the Forest
• Configurable sub-set of Attributes
• Fast Forest-wide searches
• Required at Logon for Universal Group Membership

Tip: A Global Catalog Server is simply a domain controller configured to maintain a partial replica of all other domains.

Demonstration: Active Directory Sites & Services Management Console

Security And Administration

• Delegation
• Group Policy
• Authentication Protocols

Delegation

• Permissions can be applied to specific Objects, Object Classes and Attributes
• Variables of Delegation:
  By Geography: Admins in New York
  By Organization: Admins in Accounting
  By Role/Task: Printer Admins

Tip: You can delegate specific permissions to users and/or groups (e.g. resetting passwords).
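What "permissions applied to specific Objects, Object Classes and Attributes" means in practice is an access check against object-specific ACEs. The following added example (not code from the slide deck or from Microsoft) models the tip's case: a help-desk group delegated password resets on one OU, inherited only to user objects, evaluated in the canonical ACE order (explicit deny, explicit allow, inherited deny, inherited allow). The OU tree, the HelpDesk-NY group and the ACEs are constructed, and all ACEs on a container are treated as inheritable.

```python
"""Model of how Active Directory evaluates delegated permissions: object-
specific ACEs set on an OU, inherited down to objects of one class, checked
against the caller's token (user plus group names).

Added example, not code from the slide deck or from Microsoft. The OU tree,
the HelpDesk-NY group and the ACEs are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set

RESET_PASSWORD = "User-Force-Change-Password"  # control access right behind "Reset Password"


@dataclass(frozen=True)
class ACE:
    trustee: str                        # user or group name
    allow: bool                         # False = deny
    right: str                          # "control_access", "write_property", "full_control"
    object_type: Optional[str] = None   # attribute or control access right; None = all
    inherit_to: Optional[str] = None    # object class that inherits it; None = every class
    inherited: bool = False             # set on the copies placed on child objects


@dataclass
class DSObject:
    dn: str
    object_class: str
    acl: List[ACE]


def inherit_acl(parent: DSObject, child_class: str) -> List[ACE]:
    """Copy the parent's ACEs down, keeping only those meant for this object class
    (every ACE on a container is treated as inheritable in this model)."""
    return [replace(ace, inherited=True) for ace in parent.acl
            if ace.inherit_to in (None, child_class)]


def access_check(obj: DSObject, token: Set[str], right: str, object_type: Optional[str]) -> bool:
    """The first ACE, in canonical order, that matches the trustee, right and
    object type decides; with no match the access is denied."""
    def matches(ace: ACE) -> bool:
        if not ace.inherited and ace.inherit_to is not None:
            return False  # inherit-only ACE: applies to children, not to the container itself
        return (ace.trustee in token
                and ace.right in (right, "full_control")
                and ace.object_type in (None, object_type))

    # sort key: explicit (False) before inherited, deny (allow=False) before allow
    for ace in sorted(obj.acl, key=lambda a: (a.inherited, a.allow)):
        if matches(ace):
            return ace.allow
    return False


def build_tree() -> Dict[str, DSObject]:
    """Constructed OU tree: password resets delegated to HelpDesk-NY on OU=NewYork only."""
    ny = DSObject("OU=NewYork,DC=america,DC=company", "organizationalUnit", [
        ACE("Domain Admins", True, "full_control"),
        # "Reset Password" on user objects under this OU
        ACE("HelpDesk-NY", True, "control_access", RESET_PASSWORD, inherit_to="user"),
        # let the help desk force a change at next logon: write pwdLastSet on users
        ACE("HelpDesk-NY", True, "write_property", "pwdLastSet", inherit_to="user"),
    ])
    london = DSObject("OU=London,DC=europe,DC=company", "organizationalUnit", [
        ACE("Domain Admins", True, "full_control"),
    ])

    def child(dn: str, cls: str, parent: DSObject, explicit: Optional[List[ACE]] = None) -> DSObject:
        return DSObject(dn, cls, list(explicit or []) + inherit_acl(parent, cls))

    return {
        "ny": ny,
        "nyuser": child("CN=amuser1,OU=NewYork,DC=america,DC=company", "user", ny),
        "nypc": child("CN=NYPC01,OU=NewYork,DC=america,DC=company", "computer", ny),
        # explicit deny on a sensitive service account wins over the inherited allow
        "nysvc": child("CN=svc-backup,OU=NewYork,DC=america,DC=company", "user", ny,
                       [ACE("HelpDesk-NY", False, "control_access", RESET_PASSWORD)]),
        "lonuser": child("CN=euuser1,OU=London,DC=europe,DC=company", "user", london),
    }
```

With the constructed tree, a member of HelpDesk-NY can reset amuser1's password and write pwdLastSet, but cannot touch userAccountControl, a computer object in the same OU, a user in London, or the service account carrying an explicit deny. DSACLS from the Support Tools slide is the command-line way to inspect the real ACEs the Delegation of Control wizard writes.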

Demonstration: Delegation of Administration

Group Policy

• GPO (Group Policy Object) is a collection of settings that will affect a given user or computer
• Group Policy affects subjects regardless of physical location
• A single GPO may contain hundreds of individual settings
• A GPO is made up of a GPT stored on SYSVOL and a GPC stored in the Active Directory
• Group Policy may be associated with the Local computer, Site(s), Domain(s), or Organizational Unit(s)

Group Policy Usage

• Computer and User Settings
• Software Policies
• Software Management
• User Documents and Settings
• Security Settings
• Scripts

Tip: Group Policies are applied to sites, domains or OUs and can be filtered by groups.
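The order in which those links are applied (local computer, then site, domain and the OU chain, with the later link winning on a conflict), the two switches that change it (Block Policy Inheritance on a container and No Override on a link, later renamed Enforced) and the group filtering from the tip are modeled in the following added example, which is not code from the slide deck or from Microsoft. GPO names, containers, settings and groups are constructed; the local GPO is modeled as always applied first and not subject to Block Policy Inheritance.

```python
"""Model of Windows 2000 Group Policy precedence: Local, Site, Domain, OU chain
(LSDOU) with the later link winning, modified by Block Policy Inheritance and
No Override (renamed Enforced in later releases), and filtered by group.

Added example, not code from the slide deck or from Microsoft. The GPOs,
containers, settings and groups are constructed; the local GPO is modeled as
always applied first and not subject to Block Policy Inheritance.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]
    apply_to: Optional[Set[str]] = None  # groups granted Apply Group Policy; None = everyone


@dataclass
class Container:
    name: str                                                  # "Site:NewYorkCity", "DC=america", "OU=NewYork"
    links: List[Tuple[GPO, bool]] = field(default_factory=list)  # (gpo, no_override), in application order
    block_inheritance: bool = False


def resulting_gpos(local: Optional[GPO], chain: List[Container], token: Set[str]) -> List[GPO]:
    """GPOs in application order (last applied wins).

    chain runs site -> domain -> parent OU -> ... -> the subject's own OU.
    Block Policy Inheritance on a container drops the ordinary links of every
    container above it; No Override links survive that and are applied last,
    the higher-level one after the lower-level one so that it wins.
    """
    start = 0
    for i, c in enumerate(chain):
        if c.block_inheritance:
            start = i
    ordinary: List[GPO] = []
    no_override: List[GPO] = []
    for i, c in enumerate(chain):
        for gpo, forced in c.links:
            if forced:
                no_override.append(gpo)
            elif i >= start:
                ordinary.append(gpo)
    order = ([local] if local else []) + ordinary + list(reversed(no_override))
    # security filtering: the subject needs Apply Group Policy on the GPO
    return [g for g in order if g.apply_to is None or g.apply_to & token]


def resultant_settings(gpos: List[GPO]) -> Dict[str, str]:
    """Merge settings; a GPO applied later overrides the same setting from an earlier one."""
    result: Dict[str, str] = {}
    for gpo in gpos:
        result.update(gpo.settings)
    return result


def build_chain(block_inheritance_on_ou: bool) -> List[Container]:
    """Constructed hierarchy for a user in OU=NewYork of america.company."""
    site_printers = GPO("NYC Site Printers", {"DefaultPrinter": "NYC-PR1"})
    corp = GPO("Corp Baseline", {"ScreenSaverTimeout": "600", "Wallpaper": "corp.bmp"})
    security = GPO("Security Baseline", {"AuditLogon": "on", "LMCompatibility": "3"})
    ny_desktop = GPO("NY Desktop", {"ScreenSaverTimeout": "900", "AuditLogon": "off"})
    developers = GPO("Developers", {"LocalAdmin": "yes"}, apply_to={"GG-Developers"})
    return [
        Container("Site:NewYorkCity", [(site_printers, False)]),
        Container("DC=america", [(corp, False), (security, True)]),  # security: No Override
        Container("OU=NewYork", [(ny_desktop, False), (developers, False)],
                  block_inheritance=block_inheritance_on_ou),
    ]
```

With Block Policy Inheritance set on OU=NewYork, the site and domain baselines disappear for its users, yet the No Override security baseline still lands last and turns AuditLogon back on despite the OU's own GPO; without the block, all four links apply in LSDOU order. The Developers GPO reaches only tokens that carry GG-Developers, which is the group filtering the tip refers to.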

Authentication Protocols

Kerberos v5
• Faster connection authentication
• Mutual authentication of both client and server
• Delegation of authentication
• Transitive trust between domains
• Mature IETF standard for interoperability

NTLM

Building An Enterprise: Target Architecture

Figure: forest root domain company with child domains america.company and europe.company, placed across three sites: Site: Headquarters (in Washington, DC), Site: NewYorkCity and Site: London. Each site holds domain controllers, several of them global catalogs.
DC = Domain Controller, GC = Global Catalog

Demonstration: DCPROMO

Building An Enterprise: Creating the Architecture

Figure: the forest (company, america.company, europe.company) being built out across Site: Headquarters (in Washington, DC), Site: NewYorkCity and Site: London, with DC and GC placements in each site.

Tip: Here you can allow DCPROMO to install and configure DNS

Tip: Remember to associate the proper subnets with the sites

Tip: Install DNS on all DCs and make sure they are Active Directory Integrated. DNS will populate automatically

Tip: Be sure you have enterprise admin privileges when creating a new child domain

Tip: Make sure you have DNS name resolution configured properly

Tip: To refresh DNS parameters without rebooting, use the IPCONFIG /REGISTERDNS command

Demonstration: Resource Kit – ADSI Editor

Building An Enterprise: Post-Creation Checklist

• Network functionality: NETDIAG
• DNS: Locate subdomains – IPCONFIG /REGISTERDNS
• Active Directory:
  Verify sites and connection objects
  Browse the Directory
  Logon as a new user to a member server or workstation

Upgrade Scenarios

• Single Domain Upgrade in Place
• Multi Domain Upgrade in Place
• Domain Restructuring

Upgrade In Place: Single Domain

Figure: a Windows NT4 domain with a PDC and BDCs. Upgrade the PDC (the domain runs in Mixed Mode while NT4 BDCs remain), take a BDC offline, upgrade the BDCs, then switch to native mode (Native Mode).

Pre-Windows 2000 Architecture

Figure: NT4 domains NORTHAMERICA and NEWYORK with resource domains MARKETING, RD2 and RD3.

Windows 2000 Tree and Forest Model

Figure: the same domains (NORTHAMERICA, NEWYORK, MARKETING, RD2, RD3) arranged as a Windows 2000 tree.

Upgrade In Place: Multi Domain Architecture

Figure: NORTHAMERICA, MARKETING, RD2 and RD3 remain domains; NEWYORK becomes OU=NEWYORK.

Domain Restructuring: Multi Domain Architecture

Figure: NORTHAMERICA with RD2 and RD3 as domains; MARKETING and NEWYORK folded into OU=MARKETING and OU=NEWYORK.

Support Tools

• ADSIEDIT – MMC snap-in for all naming contexts
• DNSCMD – Manage DNS, create zones, RRs
• DSACLS – Set ACLs on DS objects
• DSASTAT – Compare directory data
• LDP – Graphical LDAP tool
• MOVETREE – Move objects between domains
• NETDOM5 – Manage trusts, join computers
• NETTEST – Test end to end network connectivity
• NLTEST – Test Secure channel, DC presence
• NTDSUTIL – Database, DSA management
• REPADMIN – Check and modify replication
• REPLMON – Graphical management of replication

Questions And Answers

For More Information...

Refer to TechNet website at http://www.microsoft.com/technet/events/content

For More Information…

Microsoft® Official Curriculum
• 1556: Administering Microsoft Windows 2000
• 1558: Advanced Administration for Microsoft Windows 2000
• 1561: Designing a Microsoft Windows 2000 Directory Services Infrastructure
• 1265: Installing and Administering Microsoft Windows NT 5.0
• 1557: Installing and Configuring Microsoft Windows 2000
• 1264C: Microsoft Windows 2000 First Look
• 1266: Supporting Microsoft Windows NT 5.0
• 1267: Planning and Implementing Active Directory
• 1560: Upgrading Support Skills From Microsoft Windows NT Server 4.0 to Windows 2000