Transcript
Page 1: Module 3 Planning for Active Directory®

Module 3: Planning for Active Directory®

Page 2: Module 3 Planning for Active Directory®

Module Overview
• Selecting a Forest and Domain Topology
• Selecting a Domain and Forest Functional Level
• Planning Identity and Access Services in Active Directory
• Implementing Active Directory in the Physical Network

Page 3: Module 3 Planning for Active Directory®

Lesson 1: Selecting a Forest and Domain Topology
• Overview of Active Directory
• Considerations for Designing a Forest Infrastructure
• Guidelines for Designing an Active Directory Domain Infrastructure
• Determining Whether to Implement Multiple Trees in Your Forest
• What Is a Trust Relationship?
• Discussion: Selecting an Active Directory Topology

Page 4: Module 3 Planning for Active Directory®

Overview of Active Directory
• Forest
• Schema
• Global catalog
• Tree
• Domain
• Site
• Organizational unit

Page 5: Module 3 Planning for Active Directory®

Considerations for Designing a Forest Infrastructure
• Isolation requirements limit design choices
• Design negotiation can be a lengthy process
• Balance costs against benefits
• Document the proposed forest design

Page 6: Module 3 Planning for Active Directory®

Guidelines for Designing an Active Directory Domain Infrastructure
• Review domain models
• Determine the number of domains required
• Consider upgrade implications from the existing domain infrastructure

Page 7: Module 3 Planning for Active Directory®

Determining Whether to Implement Multiple Trees in Your Forest

Use a single tree unless your namespace requires noncontiguous names within your organization

Page 8: Module 3 Planning for Active Directory®

What Is a Trust Relationship?

[Diagram: trust relationships. Forest 1 (forest root, Domains A through F) and Forest 2 (forest root, Domains P and Q) are joined by a forest trust; within a forest, parent/child trusts and tree/root trusts link domains, and a shortcut trust connects Domain C directly; an external trust links a single domain in another forest, and a realm trust links a Kerberos realm.]

Page 9: Module 3 Planning for Active Directory®

Discussion: Selecting an Active Directory Topology

Given the following scenario, which Active Directory topology would you recommend?

15 min

Page 10: Module 3 Planning for Active Directory®

Lesson 2: Selecting a Domain and Forest Functional Level
• What Are the Domain Functional Levels?
• What Are the Forest Functional Levels?
• Demonstration: Modifying the Functional Level

Page 11: Module 3 Planning for Active Directory®

What Are the Domain Functional Levels?

• Windows 2000 Native
• Windows Server 2003
• Windows Server 2008

Page 12: Module 3 Planning for Active Directory®

What Are the Forest Functional Levels?

• Windows 2000 Native
• Windows Server 2003
• Windows Server 2008

Page 13: Module 3 Planning for Active Directory®

Demonstration: Modifying the Functional Level
In this demonstration, you will see how to:
• Raise the domain functional level
• Raise the forest functional level
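As an added example that is not part of the course material, the following PowerShell script performs the checks an administrator wants before the demonstration's two steps: raising a functional level is one-way and fails if any domain controller still runs an older OS than the target level. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later) and a target of Windows Server 2008, the highest level this module lists; it runs in WhatIf mode until `$apply` is set to `$true`.

```powershell
# Added example (not from the course): pre-flight checks, then raise the
# domain and forest functional levels. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$targetDomainMode = 'Windows2008Domain'
$targetForestMode = 'Windows2008Forest'
$apply = $false                              # set to $true to really raise
$mode  = @{ WhatIf = -not $apply; Confirm = $false }

$domain = Get-ADDomain
$forest = Get-ADForest
Write-Host "Domain $($domain.DNSRoot) is at $($domain.DomainMode)"
Write-Host "Forest $($forest.Name) is at $($forest.ForestMode)"

# Every DC in every domain of the forest must run Windows Server 2008 or
# later; a single older DC blocks the raise.
$dcs = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d
}
$tooOld = $dcs | Where-Object {
    $_.OperatingSystem -match 'Windows 2000|Windows Server 2003'
}
if ($tooOld) {
    $tooOld | Format-Table HostName, Domain, OperatingSystem -AutoSize
    throw 'Upgrade or demote the listed domain controllers first.'
}

# Domain level first: the forest level requires every domain in the
# forest to already be at the target domain level.
Set-ADDomainMode -Identity $domain -DomainMode $targetDomainMode @mode

$lagging = $forest.Domains | Where-Object {
    "$((Get-ADDomain -Identity $_).DomainMode)" -ne $targetDomainMode
}
if ($lagging) {
    Write-Warning "Raise these domains before the forest: $($lagging -join ', ')"
} else {
    Set-ADForestMode -Identity $forest -ForestMode $targetForestMode @mode
}
```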

Page 14: Module 3 Planning for Active Directory®

Lesson 3: Planning Identity and Access Services in Active Directory
• What Is AD CS?
• What Is AD LDS?
• What Is AD FS?
• What Is AD RMS?

Page 15: Module 3 Planning for Active Directory®

What Is AD CS?
• Extends the concept of trust
  A certificate from a trusted certificate authority (CA) proves identity
  Trust can be extended beyond the boundaries of your enterprise, as long as clients trust the CA of the certificates you present
• Creates a public key infrastructure (PKI)
  Confidentiality, Integrity, Authenticity, Non-Repudiation
• Many uses
  Internal-only or external
  Secure Web sites (SSL)
  VPN
  Wireless authentication and encryption
  Smart card authentication
• Integration with AD DS is powerful, but not required

Page 16: Module 3 Planning for Active Directory®

What Is AD LDS?

[Diagram: Active Directory Lightweight Directory Services (AD LDS) shown alongside AD DS]

Page 17: Module 3 Planning for Active Directory®

What Is AD FS?

[Diagram: AD FS deployment. An account federation server with Active Directory sits on one corporate network; a resource federation server, an AD FS-enabled Web server and Active Directory sit on the other corporate network, with the federation server proxied through a perimeter network; an external client and an internal client access the Web server.]

Page 18: Module 3 Planning for Active Directory®

What Is AD RMS?


Page 19: Module 3 Planning for Active Directory®

Lesson 4: Implementing Active Directory in the Physical Network
• What Is a Domain Controller?
• Determining the Placement of Domain Controllers
• Demonstration: Creating a Site
• What Is a Read-Only Domain Controller?
• Demonstration: Deploying an RODC

Page 20: Module 3 Planning for Active Directory®

What Is a Domain Controller?

Domain controllers:
• Provide authentication
• Host operations master roles
• Host the global catalog
• Support group policies and SYSVOL
• Provide for replication

Page 21: Module 3 Planning for Active Directory®

Determining the Placement of Domain Controllers

[Diagram: map of the Seattle, Bellevue and Redmond locations used for domain controller placement]

Page 22: Module 3 Planning for Active Directory®

Demonstration: Creating a Site
In this demonstration, you will see how to:
• Create a site
• Configure the replication interval and schedule

Page 23: Module 3 Planning for Active Directory®

What Is a Read-Only Domain Controller?
RODCs host read-only partitions of the AD DS database, only accept replicated changes to Active Directory, and never initiate replication.

RODCs:
• Cannot hold operations master roles or be configured as replication bridgehead servers
• Can be deployed on servers running Windows Server 2008 Server Core for additional security

RODCs provide:
• Additional security for branch offices with limited physical security
• Additional security if applications must run on a domain controller

Page 24: Module 3 Planning for Active Directory®

Demonstration: Deploying an RODC
In this demonstration, you will see how to:
• Prepare the forest
• Deploy an RODC
• Configure the password replication policy for the RODC
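As an added example that is not part of the course material, this PowerShell script audits the third step of the demonstration, the RODC password replication policy (PRP): it makes sure privileged principals stay in the Denied list, flags any that were allowed, and lists the accounts whose secrets are already cached on the branch server. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later); `RDM-RODC1` is a placeholder name for the Redmond branch RODC.

```powershell
# Added example (not from the course): audit and harden an RODC's PRP.
# Assumes the ActiveDirectory module; RDM-RODC1 is a placeholder name.
Import-Module ActiveDirectory

$rodc = 'RDM-RODC1'

# Principals whose secrets must never be cached on a branch RODC. Deny
# always overrides Allow, so these belong in the Denied list.
$mustDeny = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
            'Administrators', 'Account Operators', 'Server Operators',
            'Backup Operators', 'krbtgt'

$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed

# Only explicit PRP entries are returned; membership of the default
# "Denied RODC Password Replication Group" is not expanded, so an
# addition here may be redundant but is never harmful.
$missing = $mustDeny | Where-Object { $denied.Name -notcontains $_ }
if ($missing) {
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList $missing
    Write-Host "Added to Denied list on ${rodc}: $($missing -join ', ')"
}

# A privileged principal in the Allowed list is a configuration smell
# even though the Deny entry wins.
$allowed | Where-Object { $mustDeny -contains $_.Name } | ForEach-Object {
    Write-Warning "$($_.Name) is in the Allowed list of $rodc"
}

# What is already cached on the RODC: the exposure if the server is stolen.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealed | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# Any denied principal that was revealed before the policy was fixed
# needs a password reset, because its secret already left the data center.
$revealed | Where-Object { $mustDeny -contains $_.Name } | ForEach-Object {
    Write-Warning "Reset the password of $($_.Name): cached on $rodc"
}
```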

Page 25: Module 3 Planning for Active Directory®

Lab: Planning for Active Directory
• Exercise 1: Selecting a Forest Topology
• Exercise 2: Planning Active Directory for a Branch Network
• Exercise 3: Deploying a Branch Domain Controller

Estimated time: 60 minutes

Logon information
Virtual machines: 6430B-SEA-DC1, 6430B-SEA-SVR1
User name: Adatum\Administrator
Password: Pa$$w0rd

Page 26: Module 3 Planning for Active Directory®

Lab Scenario
• Adatum Corporation has recently acquired Contoso, a company with a range of compatible products. Allison Brown, the IT Manager, has asked you to create a document with recommendations about how best to incorporate the Contoso network infrastructure into that of Adatum.

• Adatum has a number of new sales offices in the western region. Allison Brown has asked you to determine the appropriate Active Directory configuration for them, and to document your proposals.

• You have been tasked with performing the deployment of the new domain controller at the Redmond sales branch office.

Page 27: Module 3 Planning for Active Directory®

Module Review and Takeaways
• Review Questions

