This document provides guidance on designing the logical structure of Active Directory. It discusses designing forests, domains, and organizational units (OUs) to simplify management, optimize performance, and delegate administration appropriately. The key steps are:
1. Identify project teams and assign roles like executive sponsor, architect and manager.
2. Design forests based on autonomy and isolation needs. Common models are organizational, resource and restricted access forests.
3. Design domains considering models like single or regional domains.
4. Integrate Active Directory with the existing DNS infrastructure.
5. Design OUs to delegate control over resources to appropriate administrators.
Active Directory Logical Structure Design
• A well-designed logical structure provides:
– Simplified management of Windows networks that contain large numbers of objects.
– A consolidated domain structure and reduced administration costs.
– The ability to delegate administrative control over resources as appropriate.
– Reduced impact on network bandwidth.
– Simplified resource sharing.
– Optimal search performance.
– Low total cost of ownership.
Process for Designing the Active Directory Logical Structure
1. Identify the deployment project participants.
2. Create a forest design.
3. Create a domain design for each forest.
4. Create a DNS infrastructure to support Active Directory for each forest.
5. Design organizational units for delegation of administration for each forest.
1. Identifying the Deployment Project Participants
• The first step in establishing an Active Directory deployment project is to establish the design and deployment project teams who will be responsible for managing the design phase and the deployment phase of the Active Directory project cycle.
1.1 Defining Project-Specific Roles
• An important step in establishing the project teams is to identify the individuals who are to hold project-specific roles. These include the executive sponsor, the project architect, and the project manager.
• These individuals establish channels of communication throughout the organization, build project schedules, and identify the individuals who will be members of the project teams, beginning with the various owners.
• Executive sponsor
– Understands the business value of the deployment, supports the project at the executive level, and can help resolve conflicts across the organization.
• Project architect
– Provides technical expertise to assist with the process of designing and deploying Active Directory.
• Project manager
– Facilitates cooperation across business units and between technology management groups.
– Is typically someone from within the organization who is familiar with the operational policies of the IT group and the design requirements of the groups that are preparing to deploy Active Directory.
– Oversees the entire deployment project, beginning with design and continuing through implementation, and makes sure that the project stays on schedule and within budget.
1.2 Establishing Owners and Administrators
• Owners
– Are held accountable by management for making sure that deployment tasks are completed and that Active Directory design specifications meet the needs of the organization. Owners do not necessarily have access to, or manipulate, the directory infrastructure directly.
• Administrators
– Are the individuals responsible for completing the required deployment tasks. Administrators have the network access and permissions necessary to manipulate the directory and its infrastructure.
Two Types of Owners
• Service owners
– Are responsible for the planning and long-term maintenance of the Active Directory infrastructure, for ensuring that the directory continues to function, and for ensuring that the goals established in service level agreements are met.
• Data owners
– Are responsible for the maintenance of the information stored in the directory. This includes user and computer account management and the management of local resources, such as member servers and workstations.
Two Types of Administrators
• Service administrators
– Implement policy decisions made by service owners and handle the day-to-day tasks associated with maintaining the directory service and infrastructure.
• Data administrators
– Are users within a domain who are responsible for maintaining data that is stored in Active Directory and for maintaining computers that are members of their domain.
Service and Data Owners for Active Directory
• Forest owner
– Typically a senior IT manager in the organization, who is responsible for the Active Directory deployment process and who is ultimately accountable for maintaining service delivery within the forest after the deployment is complete.
• Active Directory DNS owner
– An individual who has a thorough understanding of the existing DNS infrastructure and the existing namespace of the organization.
• Site topology owner
– Is familiar with the physical structure of the organization's network, including the mapping of individual subnets, routers, and the areas of the network that are connected by means of slow links.
• OU owner
– Is responsible for managing data stored in the directory. This individual needs to be familiar with the operational and security policies that are in place on the network.
1.3 Building Project Teams
• The Active Directory project teams are temporary groups that are responsible for completing Active Directory design and deployment tasks. When the Active Directory deployment project is complete, the owners assume responsibility for the directory and the project teams can disband.
• Identifying Potential Forest Owners
– The IT group that operates the existing network is generally the forest owner, and therefore the likely forest owner for any future deployments.
• Establishing a Design Team
– Responsible for gathering all of the information needed to make decisions about the Active Directory logical structure design.
• Establishing a Deployment Team
– Responsible for testing and implementing the Active Directory logical structure design.
• Documenting the Design and Deployment Teams
– Document the names of and contact information for the people who will participate in the design and deployment of Active Directory. Identify who will be responsible for each role on the design and deployment teams.
2. Creating a Forest Design
• Identifying forest design requirements
• Determining the number of forests required
• Documenting the forest design
2.1 Identifying Forest Design Requirements
• This involves determining how much autonomy the groups in your organization need to manage their network resources, and whether each group needs to isolate its resources on the network from other groups.
Autonomy vs. Isolation
• Autonomy
– Autonomy involves independent but not exclusive control of a resource. When you achieve autonomy, administrators have the authority to manage resources independently; however, administrators with greater authority exist who also have control over those resources and can take control away if necessary.
• Service autonomy
– This type of autonomy involves control over all or part of service management.
• Data autonomy
– This type of autonomy involves control over all or part of the data stored in the directory or on member computers joined to the directory.
• Isolation
– Isolation involves independent and exclusive control of a resource. When you achieve isolation, administrators have the authority to manage a resource independently, and no other administrators can take control of the resource away.
• Service isolation
– This type of isolation prevents administrators other than those specifically designated to control service management from controlling or interfering with service management.
• Data isolation
– This type of isolation prevents administrators other than those specifically designated to control or view data from controlling or viewing a subset of data in the directory or on member computers joined to the directory.
• Note that a domain provides autonomy but not isolation. The forest, not the domain, is the security boundary in Active Directory: forest-level service administrators (for example, members of Enterprise Admins in the forest root domain) retain control over every domain in the forest. A group that genuinely requires isolation therefore needs its own forest.
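The following PowerShell is an added example, not part of the original slides, that makes the autonomy-versus-isolation distinction visible on a live forest: it reads the built-in Administrators group of every domain in the forest and lists members that come from another domain in the forest or from the ForeignSecurityPrincipals container. It assumes the RSAT ActiveDirectory module and a trusted connection to each domain; domain names are discovered at run time, so nothing in it is specific to a real environment.

```powershell
# Added example (not from the original slides). Lists principals from outside a
# domain that sit in that domain's built-in Administrators group, for every domain
# in the forest. Assumes the RSAT ActiveDirectory module is installed and the
# caller can read each domain; no environment-specific names are hard-coded.
Import-Module ActiveDirectory

function Get-CrossDomainAdministrators {
    param(
        # Forest to inspect; defaults to the forest of the caller's account.
        [string]$Forest = (Get-ADForest).Name
    )
    foreach ($domainName in (Get-ADForest -Identity $Forest).Domains) {
        $domain = Get-ADDomain -Identity $domainName -Server $domainName
        # The built-in Administrators group has the well-known SID S-1-5-32-544 in every domain.
        $admins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $domainName -Properties member
        foreach ($memberDn in $admins.member) {
            # Naming context of the member: everything from the first ",DC=" onward.
            $ncStart  = $memberDn.IndexOf(',DC=')
            $memberNc = if ($ncStart -ge 0) { $memberDn.Substring($ncStart + 1) } else { $memberDn }
            # A member stored in another naming context belongs to another domain of the
            # forest; an entry under CN=ForeignSecurityPrincipals represents a principal
            # from a domain or forest reached over an external trust.
            $otherDomain = $memberNc -ne $domain.DistinguishedName
            $fsp         = $memberDn -like '*,CN=ForeignSecurityPrincipals,*'
            if ($otherDomain -or $fsp) {
                $source = if ($fsp) { 'external trust' } else { 'other domain in forest' }
                [pscustomobject]@{
                    Domain = $domainName
                    Member = $memberDn
                    Source = $source
                }
            }
        }
    }
}

# In a forest with child domains, expect the root domain's Enterprise Admins group to
# appear for every child: the child's owners have autonomy, not isolation.
Get-CrossDomainAdministrators | Format-Table -AutoSize
```

Run it as an account that can read every domain in the forest. An empty result for a child domain would mean someone removed Enterprise Admins from that domain's Administrators group, which does not create isolation either: the forest root's service administrators can add it back, because they control the directory service the child domain runs on.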
2.2 Determining the Number of Forests Required
• In order to determine the number of forests that you must deploy, you need to carefully identify and evaluate the isolation and autonomy requirements for each group in your organization and map those requirements to the appropriate forest design models.
26. Forest Design Models
• Organizational Forest Model
• Resource Forest Model
• Restricted Access Forest Model
Organizational Forest Model
• In the organizational forest model, user accounts and resources are contained in the forest and managed independently. The organizational forest can be used to provide service autonomy, service isolation, or data isolation, if the forest is configured to prevent access to anyone outside the forest.
Resource Forest Model
• In the resource forest model, a separate forest is used to manage resources. Resource forests do not contain user accounts other than those required for service administration and those required to provide alternate access to the resources in that forest if the user accounts in the organizational forest become unavailable.
Restricted Access Forest Model
• In the restricted access forest model, a separate forest is created to contain user accounts and data that must be isolated from the rest of the organization.
Types of Service Management
• Management of domain controller operations
– Creating and removing domain controllers.
– Monitoring the functioning of domain controllers.
– Managing services that are running on domain controllers.
– Backing up and restoring the directory.
• Configuration of domain-wide settings
– Creating domain and domain user account policies, such as password, Kerberos, and account lockout policies.
– Creating and applying domain-wide Group Policies.
• Delegation of data-level administration
– Creating OUs and delegating administration.
– Repairing problems in the OU structure that OU owners do not have sufficient access rights to fix.
• Management of external trusts
– Establishing trust relationships with domains outside the forest.
2.3 Documenting the Forest Design
• The proposed forest design should be documented. Include in your documentation the name of the group for which the forest is designed, the contact information for the forest owner, the type of each forest that you include, and the requirements that each forest is designed to meet.
3. Creating a Domain Design
• Reviewing the domain models
• Determining the number of domains required
• Determining whether to upgrade existing or deploy new domains
• Assigning domain names
• Selecting the forest root domain
3.1 Reviewing the Domain Models
• When choosing between the domain models, consider:
– The amount of available capacity on your network that you are willing to allocate to Active Directory.
– The number of users in your organization.
Domain Design Models
• Single Domain Model
– It is the easiest to administer and the least expensive to maintain. It consists of a forest that contains a single domain.
• Regional Domain Model
– Enables you to maintain a stable environment over time. Base the regions used to define domains in your model on stable elements such as continental boundaries.
3.2 Determining the Number of Domains Required
• Every forest starts with a single domain. The maximum number of users that a single-domain forest can contain is based on the slowest link that must accommodate replication between domain controllers and the available bandwidth that you want to allocate to Active Directory.
3.4 Determining Whether to Upgrade Existing or Deploy New Domains
• Each domain in your design will either be a new domain or an existing domain that has been upgraded in place. Users from existing domains that you do not upgrade in place must be migrated into new domains.
3.5 Assigning Domain Names
• You must assign a name to every domain in your plan. Active Directory domains have two types of names: DNS names and NetBIOS names. In general, both names are visible to end users. The DNS names of Active Directory domains include two parts, a prefix and a suffix. A NetBIOS name is limited to 15 characters and, by default, is derived from the first label (the prefix) of the DNS name.
Selecting the Forest Root Domain
• The first domain that you deploy in an Active Directory forest is called the forest root domain.
• Selecting the forest root domain involves determining whether one of the Active Directory domains in your domain design can function as the forest root domain, or whether you need to deploy a dedicated forest root domain.
Choosing a Regional or Dedicated Forest Root Domain
• A dedicated forest root domain is a domain that is created specifically to function as the forest root. It does not contain any user accounts other than the service administrator accounts for the forest root domain, and it does not represent any region in your domain structure. Because the forest root domain holds the forest-wide service administrator groups (Enterprise Admins and Schema Admins), keeping it small and dedicated limits the number of accounts and administrators with forest-wide authority.
• If you choose not to deploy a dedicated forest root domain, then you must select a regional domain to function as the forest root domain. This domain is the parent domain of all the other regional domains and will be the first domain that you deploy.
Assigning the Forest Root Domain Name
• The forest root domain name is also the name of the forest. The forest root name is a DNS name that consists of a prefix and a suffix in the form prefix.suffix. For example, an organization might have the forest root name corp.contoso.com. In this example, corp is the prefix and contoso.com is the suffix.
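The following PowerShell function is an added example, not part of the original slides, covering both the domain-naming step (DNS name plus NetBIOS name) and the forest root name shown above. It splits a proposed DNS name into prefix and suffix, derives the default NetBIOS name (first label, upper-cased, cut to 15 characters) and the distinguished name, and reports the naming mistakes that are expensive to fix after deployment. It is pure string handling and needs no domain; the sample names at the bottom are constructed, apart from the page's own corp.contoso.com.

```powershell
# Added example (not from the original slides): sanity-check a proposed Active
# Directory domain name before it is written into the design document.
function Test-ADDomainName {
    param([Parameter(Mandatory)][string]$DnsName)

    $labels = $DnsName.Trim().TrimEnd('.').ToLower() -split '\.'
    $prefix = $labels[0]
    $suffix = ($labels | Select-Object -Skip 1) -join '.'
    $issues = New-Object System.Collections.Generic.List[string]

    # A single-label name has no suffix and therefore no parent DNS zone; avoid it.
    if ($labels.Count -lt 2) { $issues.Add('single-label name: use the form prefix.suffix') }

    foreach ($label in $labels) {
        # DNS host labels: 1-63 characters, letters, digits and hyphens, no leading/trailing hyphen.
        if ($label -notmatch '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$') {
            $issues.Add("label '$label' is not a valid DNS host label")
        }
    }
    if ($DnsName.Length -gt 255) { $issues.Add('FQDN longer than 255 characters') }

    # Default NetBIOS name offered at promotion: the prefix, upper-cased, truncated to 15 characters.
    $netbios = $prefix.ToUpper()
    if ($netbios.Length -gt 15) {
        $netbios = $netbios.Substring(0, 15)
        $issues.Add("prefix longer than 15 characters; NetBIOS name would be truncated to '$netbios'")
    }

    # Distinguished name of the domain: corp.contoso.com -> DC=corp,DC=contoso,DC=com
    $dn = ($labels | ForEach-Object { "DC=$_" }) -join ','

    [pscustomobject]@{
        DnsName           = $DnsName
        Prefix            = $prefix
        Suffix            = $suffix
        NetBIOS           = $netbios
        DistinguishedName = $dn
        Issues            = $issues -join '; '
    }
}

# Constructed sample names: the page's example, a single-label name, and an over-long prefix.
'corp.contoso.com', 'contoso', 'engineering-services-division.contoso.com' |
    ForEach-Object { Test-ADDomainName $_ } | Format-List
```

The check stops at syntax. The suffix should also be a public DNS name the organization has registered and controls, so that the forest name never collides with someone else's namespace.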
4. Designing a DNS Infrastructure to Support Active Directory
• Review DNS concepts
• Review DNS and Active Directory
• Integrate Active Directory into an existing DNS infrastructure
• Document your DNS infrastructure design
5. Designing Organizational Units for Delegation of Administration
• Review organizational unit design concepts
• Delegate administration using OU objects
• Create account OUs
• Document the organizational unit design for each domain
• Apply Group Policy to OUs
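The following PowerShell is an added example, not part of the original slides, that carries the OU steps above through end to end: it creates a small account OU structure, delegates a single narrowly scoped right (reset password on user objects) to a data-administrator group, and links a GPO to an OU rather than to the domain. It assumes the RSAT ActiveDirectory and GroupPolicy modules, rights to create objects in the domain, and the constructed names below (an OU named Sales, a group named Helpdesk, and an existing GPO named "Workstation Baseline"); substitute the names from your own OU design document.

```powershell
# Added example (not from the original slides). Account OUs, one delegated right,
# and a GPO link. Names below are constructed for illustration.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=contoso,DC=com

# 1. Account OUs: one parent per business unit, with users and workstations beneath it,
#    so that delegation and Group Policy can be scoped to what the OU owner manages.
$parent = New-ADOrganizationalUnit -Name 'Sales' -Path $domainDn -ProtectedFromAccidentalDeletion $true -PassThru
$users  = New-ADOrganizationalUnit -Name 'Users' -Path $parent.DistinguishedName -PassThru
$null   = New-ADOrganizationalUnit -Name 'Workstations' -Path $parent.DistinguishedName

# 2. Delegation: allow the Helpdesk group to reset passwords on user objects under
#    Sales\Users and nothing else. "User-Force-Change-Password" is the well-known
#    extended right GUID for reset password; the second GUID is the user object class,
#    which restricts the ACE to user objects (not groups, computers or the OU itself).
$helpdesk  = Get-ADGroup -Identity 'Helpdesk'
$resetPwd  = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$aclPath = "AD:\$($users.DistinguishedName)"
$acl     = Get-Acl -Path $aclPath
$rule    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$helpdesk.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwd,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($rule)
Set-Acl -Path $aclPath -AclObject $acl

# 3. Group Policy: link an existing GPO to the workstation OU rather than to the domain,
#    so its settings reach only the computers this OU owner is responsible for.
New-GPLink -Name 'Workstation Baseline' -Target "OU=Workstations,$($parent.DistinguishedName)" -LinkEnabled Yes

# Verify the delegation: the only Helpdesk entry should be ExtendedRight, scoped to the
# reset-password GUID, inherited by user objects only.
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.IdentityReference -like '*\Helpdesk' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Granting the extended right with an object-class filter is the point of the example: a rule without the user-class GUID, or one granting GenericAll, would let the helpdesk reset passwords on any object that ever lands in the OU, including service accounts and the OU owners' own accounts.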