Module 3: Designing a Domain Structure
Contents
Overview 1
Introduction to Designing a Domain Structure 2
Collecting Organizational Information 10
Determining the Number of Domains 13
Determining the Design of the Forest Root Domain 20
Determining a Domain Hierarchy 24
Evaluating the Domain Design 26
Modifying the Domain Structure After Deployment 28
Demonstration: Visio Professional 2002 30
Lab A: Designing a Domain Structure 31
Lab Discussion: Designing a Domain Structure 42
Best Practices 43
Review 45
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Other product and company names mentioned herein may be the trademarks of their respective
owners.
Module 3: Designing a Domain Structure iii
Instructor Notes
Presentation: 75 Minutes
Lab: 60 Minutes
Lab Discussion: 45 Minutes
This module provides students with the knowledge and skills necessary to design an Active Directory™ directory service domain structure for Microsoft® Windows® .NET. The module describes the characteristics of domains and then describes the advantages of single- and multiple-domain structures. The module explains how to determine the number of domains in a forest, the design of the forest root domain, and the domain hierarchy in a multiple-domain design. The module also describes how to evaluate a domain structure design. At the end of this module, students will be able to design a domain structure that meets the business needs of an organization.
In the lab, a business scenario will provide students with the opportunity to design a domain structure for a fictitious organization.
After completing this module, students will be able to:
! Describe the process of designing a domain structure, including identifying
the domain characteristics that affect the design process and describing the
advantages of single- and multiple-domain designs.
! Gather the appropriate organizational information used to determine the
design of the domain structure.
! Determine the number of domains in a forest.
! Determine the design of the forest root domain.
! Determine the domain hierarchy in a multiple-domain design.
! Evaluate the design of the domain structure.
! Identify the issues related to modifying the domain structure after
deployment.
! Apply best practices for designing a domain structure.
Required Materials
To teach this module, you need the Microsoft PowerPoint® file 2281A_03.ppt
Preparation Tasks
To prepare for this module, you should:
! Read all of the materials for this module.
! Complete the lab, and review the lab answers and suggested lab solutions.
Review the recommended solution, a Microsoft Visio® Professional 2002
diagram named Domainlab.vsd, which is included on the Trainer Materials
compact disc in the StudentCD\Labfiles folder. Prepare alternate solutions
to the lab exercises to discuss with students during the lab discussion.
! Read Chapter 9, “Designing the Active Directory Structure” in the
Deployment Planning Guide in the Microsoft Windows 2000 Server
Resource Kit. This chapter is located under Additional Reading on the Web
page on the Student Materials compact disc.
! Practice the Visio demonstration that is described in the next section.
Demonstration
This section provides demonstration procedures that will not fit in the margin
notes or are not appropriate for the student notes.
Module Strategy
Use the following strategy to present this module:
! Introduction to Designing a Domain Structure
In this topic, provide an overview to designing a domain structure. In the
subtopic on the characteristics of Active Directory domains, describe the
characteristics of a domain. Emphasize to students that they need to
consider these characteristics in the context of an organization’s business
needs to design a domain structure. In the subtopic on single- and multiple-
domain structures, describe the characteristics of single and multiple domain
structures. Be sure to mention the advantages and disadvantages of each
type of domain structure. In the subtopic on the domain design process,
provide an outline of the domain design process. Tell students that the
subsequent topics in this module will discuss each design task in more
detail. In the subtopic on the domain plan, describe the deliverables that are
included in the domain plan. Tell students that some of the deliverables on
this list (such as the Domain Name System [DNS] name for each domain)
may not be determined until other components of the Active Directory
design are addressed.
Finally, be sure to stress the important note in the Characteristics of a
Domain topic. It is often presumed that the domain is the security boundary
of an Active Directory infrastructure; however, the forest must be
considered the ultimate security boundary, because the Enterprise Admins and
Schema Admins groups in the forest root domain have authority over every
domain, and an administrator who controls a domain controller in any one
domain of the forest can use that position to gain control of the others.
! Collecting Organizational Information
In this topic, describe the type of organizational information that must be
collected to determine the design of the domain structure. Tell students that
some of this information (such as the characteristics of the network
connections) is used when designing other components of the Active
Directory infrastructure.
! Determining the Number of Domains
In this topic, tell students that determining the number of domains is the first
step in designing the domain structure and then introduce the topics related
to determining the number of domains. In the subtopic on administrative
requirements, describe how to determine the administrative requirements
that will affect the number of domains. Explain the factors that students
consider in the context of an Active Directory domain as an administrative
boundary. In the subtopic on security policy requirements, describe the
security-related Group Policy settings (the account policies: password,
account lockout, and Kerberos policy) that can be applied only on a
domain-wide basis. Suggest alternative ways to design around these potential
limitations. In the subtopic on replication requirements, describe the
replication issues that may impact the domain structure design. Emphasize
that the primary replication issue is the scope of object availability. Tell
students that the design of the site topology is the primary way to address
replication issues. In the subtopic on the costs of additional domains,
describe the costs of adding domains to the domain structure. Remind
students that they should have sufficient business reasons for each domain
in the domain structure.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Training and
Certification courseware.
There are no computer-based labs in this module, and as a result, there are no
lab setup requirements or configuration changes that affect replication or
customization.
Overview
Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, we will discuss how to design an Active Directory domain structure and how to validate the domain structure design.
! Introduction to Designing a Domain Structure
! Collecting Organizational Information
! Determining the Number of Domains
! Determining the Design of the Forest Root Domain
! Determining a Domain Hierarchy
! Evaluating the Domain Design
! Modifying the Domain Structure After Deployment
! Best Practices
Characteristics of a Domain
Remind students that Active Directory uses a multi-master replication model, where each domain controller stores a writable copy of the domain database.
Active Directory domains divide a forest into separate units of administration, authentication, security, and replication. Being able to identify the characteristics of Active Directory domains will help you to determine the number of domains required in the domain structure for the organization.
When designing the domain structure, consider the following characteristics of Active Directory domains:
! A domain is an administrative boundary. Members of the Domain Admins
group, which is a built-in global group, have full control over all Active
Directory objects in the domain. Therefore, members of this group can
administer every object in the domain. However, these administrative
privileges do not automatically extend to any other domain in an Active
Directory forest. Administrators can administer objects in a different
domain only if they are explicitly assigned permissions in the other domain.
! A domain is a unit of authentication. The domain database contains all the
security principal objects, such as users, groups, and computers that reside
in the domain. Every domain controller in a domain maintains a copy of this
domain database. Therefore, only a domain controller for the domain in
which the security principal is located can authenticate that security
principal.
Note Theoretically, the global catalog can contain more than four billion
objects. The global catalog includes all objects in all domains in a forest,
regardless of the number of domains present. So, if the objects will not fit
within a single domain, they will not fit within a multiple-domain forest either.
The Domain Design Process
! Strive to design an ideal domain structure
! Use the fewest possible number of domains
! Modify the design or the physical network as necessary
Emphasize to students that the function of the domain design is to logically partition the organization’s Active Directory infrastructure. The domain design has to reflect the appropriate logical structure of your enterprise, not its physical one. The physical structure is addressed by the site topology design, which is discussed in Module 5, “Designing a Site Topology,” in Course 2281A, Designing a Microsoft Windows .NET Directory Services Infrastructure (Beta).
Key Point: A domain design should be as simple as possible and should specify the fewest number of domains necessary to meet the business and administrative needs of the organization.
The goal of the domain design process is to design a single- or multiple-domain structure based on business needs and then validate the design by determining whether the existing physical network will support the proposed domain structure.
The Design Process
Designing a domain structure consists of five tasks:
1. Collecting organizational information.
To design a domain structure that meets business needs, you need to gather information about the organization, and use it to determine the functional requirements that the domain structure must address. You need to identify the physical locations, the number of users in each location, and the characteristics of the connections between each location.
2. Determining the number of domains.
Although you should strive for a single-domain design, organizational needs may require that you use additional domains. Analyzing the administrative, security, and replication requirements helps you determine the necessary number of domains.
3. Determining the design of the forest root domain.
If your domain design requires multiple domains, you need to determine which domain will be the forest root domain and whether that domain will contain user and computer objects or whether it will be dedicated to the purpose of administering the forest.
Collecting Organizational Information
For each guideline, ask the students to provide additional examples of how the collected information will be used during the domain design process.
Emphasize to students that while the type and reliability of connections between locations may impact the domain design, these characteristics of the physical network are best addressed by the site design.
Emphasize to students that they must carefully design around a pay-per-use connection.
To design a domain structure that will support the requirements and structure of an organization, you must start by gathering information about the organization. The information that you collect will help you and your organization to determine the Active Directory requirements. To obtain this information, consult with the current domain administrators, the people who manage and monitor the physical network, and the people who are responsible for network security.
To gather information for the domain structure:
! Determine the number of geographic locations in the organization. Knowing the number of locations and the geographic placement of the locations helps you identify the number of domains required to address replication and user authentication issues. For example, a widely geographically distributed enterprise may have replication issues because a wide area network (WAN) may not provide adequate bandwidth to replicate a domain across the entire WAN. There may also be geopolitical reasons to create additional domains (for example, when different languages are used at different divisions of the organization).
In addition, you should determine the number of users and computers at each location. Knowing this helps you determine if you need to divide a large location among multiple domains to control the scope of replication.
Note The information that you gather during the domain design process will
also be useful during the design of other components of the Active Directory
design, such as the design of the site topology and the organizational unit
structure.
Determining the Number of Domains
Topic Objective: To introduce the topics related to determining the number of domains.
Lead-in: Although you should strive for a design with the fewest number of domains, organizational needs may require that you use additional domains.
! Determining Administrative Requirements
! Determining Security Policy Requirements
! Determining Replication Requirements
! Examining the Costs of Additional Domains
Determining Replication Requirements
Explain to students that the site topology is the primary Active Directory component used to manage replication. However, the design of the domain structure should consider the scope of availability of objects throughout the organization. Therefore, even if the available network bandwidth is sufficient to support domains that span large geographic distances, students should examine whether to make data available to users who may not need it.
The replication requirements for an Active Directory infrastructure are most effectively addressed by the design of the site topology, because the site topology’s main function is to manage replication. However, the replication characteristics of Active Directory also affect the design of the domain structure.
Replication within a domain occurs between all domain controllers on a regular basis. Replication requires network availability and reliability to ensure that the domain objects are available everywhere in the domain for logon authentication and resource access. When determining how replication impacts the design of the domain structure, consider the following two factors:
! Available bandwidth to handle replication traffic. All domain controllers for a domain maintain a writable copy of the domain directory partition. This means that every domain controller has a copy of all objects that reside in the domain. Therefore, when a single domain spans multiple locations, every object is available in each of the physical locations for logon authentication. This might lead to objects being replicated to locations where these objects are rarely used.
However, this is acceptable if there is enough available bandwidth to handle the replication of objects in a domain that spans multiple physical locations. If the available bandwidth is inadequate, then you should consider using more domains; for example, use a separate domain for a physical location to compensate for slow links.
Note Although you can use additional domains to address replications issues,
Active Directory sites are the best way to manage replication. For more
information about using sites to manage replication, see Module 5, “Designing
a Site Topology,” in Course 2281A, Designing a Microsoft Windows .NET
Directory Services Infrastructure (Beta).
Determining the Design of the Forest Root Domain
Emphasize to students that a dedicated forest root domain provides a stable environment so that domains can be added or removed without having to destroy the forest.
Key Point: You must carefully plan the selection, design, and name of the forest root domain.
After you determine the number of domains in the forest, the next task in designing a domain structure is to determine which domain will be the forest root domain and how that domain will be designed. The forest root domain is the first domain that is created in a forest and resides at the root of the Active Directory hierarchy. You must carefully plan the selection and design of the forest root domain.
The following list describes the characteristics of the forest root domain and why these characteristics are important:
! The forest root domain is a mission-critical component of the Active
Directory infrastructure. The forest root domain must always be available
because the trust paths that connect the domains of the forest meet at the
forest root domain. For example, if a domain controller needs to
authenticate a user from a different domain in the forest, the Kerberos
referrals between the domain controllers follow the trust path that connects
those two domains; for domains in different trees, or in different branches
of a tree, that path runs through the forest root domain unless a shortcut
trust has been created between them.
! The forest root contains the Enterprise Admins and Schema Admins built-in
groups. Because members of these groups can make forest-wide changes,
the membership of these two groups must be closely monitored and
controlled.
! The name of the forest root domain must be treated as permanent. Because
the forest root domain is the first domain created in the forest, the name
of this domain also provides the name of the root of the Active Directory
namespace. Therefore, the names of any additional domains (added to the
tree in which the forest root domain is the root) are derived from the name
of the forest root domain. Windows .NET introduces a domain rename process
(see Modifying the Domain Structure After Deployment), but it is disruptive,
and the choice of which domain is the forest root cannot be changed without
reinstalling the entire forest.
When designing the domain structure, you can choose to use a dedicated
domain or a non-dedicated domain as the forest root.
If you choose to use a dedicated forest root domain, be sure that you have valid
business reasons to do so. Using a dedicated forest root domain will increase
costs because it will add one additional domain to the domain structure. In
addition, a dedicated forest root domain will require additional hardware
because it is a best practice to deploy a minimum of two domain controllers in
the forest root domain for redundancy and fault tolerance.
Important If all domain controllers in the forest root domain are lost in a
catastrophic event and one or more of these domain controllers cannot be
restored from backup, the entire forest, the Enterprise Admins group, and
Schema Admins groups will be permanently lost. There is no way to reinstall
the forest root domain of a forest.
Naming Domains
Active Directory domains are named with DNS names. The name of a tree is
the DNS name of the domain at the root of the tree. Similarly, the name of the
forest is the DNS name of the forest root domain. When naming domains, you
should use a naming strategy that is capable of withstanding reorganizations
without the need to restructure the domain hierarchy. This is because after the
domain structure is implemented, changes in the domain architecture create
difficult and IT-intensive support requirements. In addition, a domain name
must be unique within the organization.
When naming domains, you should:
! Use names relative to a registered DNS name. Registered DNS domain
names are globally unique and therefore provide the base for a stable
naming structure. Use a registered DNS name as the suffix for the domain
names (for example, corp.microsoft.com).
! Use names that are stable and subject to little change. Use names based on
geographic locations (such as city names, state names, or country names),
administrative entities within the organization (such as sales, marketing, or
research), or other stable organization-specific boundaries.
Note For more information about naming domains, see Module 4, “Designing
a DNS Namespace Solution for Active Directory” in Course 2281A, Designing
a Microsoft Windows .NET Directory Services Infrastructure (Beta).
Note If there are multiple trees in a forest, the root domain of any tree is linked
by trusts only to the forest root domain and not to any of the other tree root
domains. This means that all authentication traffic between any two domains in
different trees must pass through the forest root.
Evaluating the Domain Design
Lead-in: After completing the initial domain design, it is important to evaluate the design by determining how
# Use it to compare the network to the domain structure
Assess user authentication and queries
# Determine if domain controller is located near users
Important You will have to create a separate domain for any location
that is connected to the network only by SMTP mail. Mail-based
replication cannot be used between domain controllers in the same
domain because SMTP cannot replicate the domain directory partition.
! Renaming domains
Although it is possible to change domain names in Windows .NET, the
process for doing this is disruptive to the directory services environment and
should not be undertaken without careful consideration of the consequences.
It is recommended that you still make every effort to get the domain
namespace correct the first time.
Domain rename does not update the fully qualified domain names (FQDNs)
of the domain controllers in the renamed domain. Renaming domain
controllers is available as a separate process in Windows .NET. If you do
rename a domain, it is recommended that you also rename the domain
controllers. As with renaming a domain, this is a disruptive process because
all domain controllers that are renamed must be restarted to complete this
process.
Note Although you can add new domains to a forest, you cannot move existing
domains between forests without performing a significant amount of
administrative work.
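As an added check, not part of Course 2281A or its lab solution, the following PowerShell script audits a deployed forest root against the points made under Determining the Design of the Forest Root Domain and the domain rename caveat above: at least two domain controllers in the root, domain controller names still under the domain's current DNS name, the membership of Enterprise Admins and Schema Admins, and whether the root holds ordinary user accounts (a dedicated root should not). It assumes the ActiveDirectory PowerShell module shipped with Windows Server 2008 R2 and later RSAT, which did not exist on the Windows .NET release this module describes; the function name Test-ForestRootDesign and the list of expected default accounts are assumptions made for the example.

```powershell
# Added example; not part of Course 2281A or its lab solution.
# Audits a deployed forest root domain against the characteristics listed in
# this module. Assumes the ActiveDirectory PowerShell module (Windows Server
# 2008 R2 / RSAT or later), which did not exist on the Windows .NET release
# this module targets. Run with an account that can read the forest.
Import-Module ActiveDirectory

function Test-ForestRootDesign {
    [CmdletBinding()]
    param(
        # The module recommends at least two domain controllers in the root.
        [int] $MinRootDCs = 2,
        # Accounts every domain holds by default; anything else in a dedicated
        # root is a user account that should live in a child domain.
        # (Assumed list for illustration; extend it for your own environment.)
        [string[]] $ExpectedRootAccounts = @('Administrator', 'Guest', 'krbtgt')
    )

    $forest   = Get-ADForest
    $rootName = $forest.RootDomain
    $root     = Get-ADDomain -Identity $rootName
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Redundancy: if every root DC is lost and none can be restored, the
    #    forest cannot be rebuilt, so the root needs more than one DC.
    $rootDCs = @(Get-ADDomainController -Filter * -Server $rootName)
    if ($rootDCs.Count -lt $MinRootDCs) {
        $findings.Add("Root domain $rootName has $($rootDCs.Count) domain controller(s); at least $MinRootDCs recommended.")
    }

    # 2. Domain rename does not rename domain controllers. A DC whose FQDN is
    #    not under the domain's current DNS name is a leftover from a rename.
    foreach ($dc in $rootDCs) {
        if ($dc.HostName -notlike "*.$($root.DNSRoot)") {
            $findings.Add("DC $($dc.HostName) is not named under $($root.DNSRoot); rename the DC after the domain rename.")
        }
    }

    # 3. Enterprise Admins (RID 519) and Schema Admins (RID 518) exist only in
    #    the forest root and can change every domain; list their members.
    #    Schema Admins is normally kept empty except during a schema change.
    $rootSid = $root.DomainSID.Value
    $forestGroups = [ordered]@{
        'Enterprise Admins' = "$rootSid-519"
        'Schema Admins'     = "$rootSid-518"
    }
    $membership = @{}
    foreach ($name in $forestGroups.Keys) {
        $members = @(Get-ADGroupMember -Identity $forestGroups[$name] -Recursive -Server $rootName)
        $membership[$name] = @($members | ForEach-Object { $_.SamAccountName })
        if ($name -eq 'Schema Admins' -and $members.Count -gt 0) {
            $findings.Add("Schema Admins is not empty: $($membership[$name] -join ', ')")
        }
    }

    # 4. Dedicated root: the root should hold no ordinary user accounts.
    $extraUsers = @(Get-ADUser -Filter * -Server $rootName |
                    Where-Object { $ExpectedRootAccounts -notcontains $_.SamAccountName })
    if ($extraUsers.Count -gt 0) {
        $findings.Add("Root domain holds $($extraUsers.Count) non-default user account(s); it is not a dedicated root.")
    }

    [pscustomobject]@{
        ForestRoot       = $rootName
        RootDCs          = $rootDCs.Count
        DedicatedRoot    = ($extraUsers.Count -eq 0)
        EnterpriseAdmins = $membership['Enterprise Admins']
        SchemaAdmins     = $membership['Schema Admins']
        Findings         = $findings.ToArray()
    }
}

Test-ForestRootDesign | Format-List
```

Run it from any domain-joined machine with the RSAT tools; the Findings list is empty when the root matches the design described in this module. The group checks use the well-known relative identifiers rather than group names so that they still work if the groups have been renamed.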
Note You can use Visio to export an Active Directory design drawing created
in Visio to a Lightweight Directory Access Protocol (LDAP) Data Interchange
Format (LDIF) file that can, in turn, be imported into an Active Directory
deployment.
After consulting with the LAN (Local Area Network) administrators and WAN
(Wide Area Network) administrators, you were given the following table and
network diagram.
Location   | Function                 | Employees | WAN link speed                         | Bandwidth usage (average) | WAN link reliability | WAN link availability
Uppsala    | Corporate headquarters   | 7,000     | T3 - 44.736 megabits per second (Mbps) | 30%                       | Good                 | Anytime
Oslo       | Regional office          | 4,000     | T1 - 1.544 Mbps                        | 50%                       | Good                 | Heavy business usage during business day (9:00 A.M. – 5:00 P.M.)
Sundsvall  | Retail                   | 50        | 56 kilobits per second (Kbps)          | 30%                       | Poor                 | Anytime
Wilmington | U.S. operations          | 500       | 128 Kbps                               | 70%                       | Average              | Heavy business usage (24 hours)
Durham     | Branch sales             | 10        | 64 Kbps dial on demand                 | 10%                       | Good                 | Anytime
Charlotte  | Northwind Traders office | 100       | 64 Kbps                                | 20%                       | Good                 | Anytime
[Network diagram: Uppsala, Sweden (100 Mbps LAN) and Wilmington, NC (100 Mbps LAN) connected through a Frame Relay WAN. Links labeled: T3 (44.736 Mbps), T1 (1.544 Mbps), 128 Kbps.]
Exercise 1
Determining the Number of Domains
Help the students divide into teams. The number of students in the group can vary, depending on the number of students in the class. For example, a class of 20 students could be divided into teams of four.
You must help to determine how many domains Contoso, Ltd. needs. Divide into teams with the help of your instructor. Read through the scenario, examine the Contoso, Ltd. network as a team, and then work as a team to answer the questions. As you answer the questions, draw a diagram to keep track of your domain design. Elect a representative to discuss your team’s design rationale with the other teams.
Start with a single domain, and examine the administrative, security, and replication requirements to help you determine if any additional domains will be needed to meet the needs of Contoso, Ltd.
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
Exercise 2
Determining the Design of the Forest Root Domain
You may want to check the students’ progress after this exercise to make sure they are progressing satisfactorily.
Now your team must determine the forest root domain for Contoso, Ltd. After answering the questions, draw your forest root domain on your diagram.
1. Examine your domain design so far. Would you create a domain to use as a dedicated forest root or would you use a non-dedicated forest root? What are the trade-offs for your suggested design?
Create a dedicated forest root domain. With a dedicated forest root, a
very small group of people will have forest-wide authority. The design
will be more flexible should any domain additions or deletions to the
forest happen in the future. However, the use of a dedicated forest root
domain will require additional hardware for the domain controllers
necessary to support that domain.
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
2. If you decide to use a dedicated forest root domain, where would user
accounts, groups, and other security principals be located?
Security principals would be located in an additional domain other than
the dedicated forest root domain. This domain could be created as a
child domain of the forest root domain.
____________________________________________________________
____________________________________________________________
____________________________________________________________
3. Update your diagram to reflect your previous answers. The instructor may
check your progress at this point, so be prepared to discuss your answers.
Exercise 3
Designing a Domain Hierarchy
Now your team can create a domain hierarchy diagram for the Contoso, Ltd.
Active Directory.
Exercise 4
Evaluating the Domain Structure Design
Now your team must validate your design by determining how well the logical
structure will work with the existing physical network.
As you examine your logical structure with the physical network, you may
discover that additional domains, or additional domain controllers from an
existing domain, need to be added. If this is the case, add these to your domain
diagram.
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
5. Would you trust the link at Wilmington to authenticate the users of this
department in a reasonable amount of time? Explain.
No. The network link is heavily used day and night, it has only 30
percent of its bandwidth available, and it is only a 128-Kbps link.
____________________________________________________________
____________________________________________________________
____________________________________________________________
! To assess replication
1. The two most heavily used network connections are located at Oslo and
Wilmington. What could be done, as an alternative to creating multiple
domains, to minimize the impact of domain partition replication traffic at
those two locations?
You could use sites to try to schedule replication during the least busy
times on those network links.
____________________________________________________________
____________________________________________________________
____________________________________________________________
2. Examine the Sundsvall location. Notice the WAN link reliability. What
replication transport should be used at this location? Explain.
SMTP should be used, because it is the best choice for an unreliable
connection. Because SMTP cannot replicate the domain directory partition,
choosing SMTP also means that Sundsvall must be placed in its own domain.
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
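The following PowerShell function is an added example, not part of the course or the lab’s suggested solution. It encodes the rules this lab applies when the logical design is checked against the physical network: free bandwidth is the link speed less the share already in use (the reasoning in the Wilmington answer), an unreliable link that needs the SMTP transport forces a separate domain because SMTP cannot carry the domain partition, a link that is busy around the clock cannot be helped by scheduling replication, and a pay-per-use link has to be designed around. The location table is the Contoso, Ltd. table from this lab; the 64 Kbps threshold, the function name Get-SiteLinkAssessment, and the field names are assumptions made for the example.

```powershell
# Added example; not part of Course 2281A or its lab solution.
# Applies the evaluation rules from this module to a location table and
# returns one decision per location.
function Get-SiteLinkAssessment {
    param(
        [Parameter(Mandatory)] [object[]] $Sites,
        # Assumed threshold (not from the course): below this much free
        # bandwidth, do not rely on the link for routine domain replication.
        [int] $MinFreeKbps = 64
    )
    foreach ($s in $Sites) {
        # Free bandwidth = link speed minus the average share already in use.
        $freeKbps = [int][math]::Round($s.SpeedKbps * (1 - $s.Usage))

        if ($s.Reliability -eq 'Poor') {
            # SMTP is the transport for unreliable links, but it cannot replicate
            # the domain partition, so the location gets its own domain.
            $decision = 'Separate domain; SMTP site link for inter-domain replication'
        }
        elseif ($s.DialOnDemand) {
            $decision = 'Pay-per-use link: own site, scheduled replication, local domain controller'
        }
        elseif ($freeKbps -lt $MinFreeKbps -and $s.BusyAllDay) {
            # No off-peak window exists, so scheduling replication cannot help.
            $decision = 'Local domain controller; if intra-domain replication still cannot keep up, consider a separate domain'
        }
        elseif ($freeKbps -lt $MinFreeKbps) {
            $decision = 'Same domain; own site with replication scheduled off-peak'
        }
        else {
            $decision = 'Same domain; link can carry intra-domain replication'
        }

        [pscustomobject]@{
            Location  = $s.Location
            Employees = $s.Employees
            LinkKbps  = $s.SpeedKbps
            FreeKbps  = $freeKbps
            Decision  = $decision
        }
    }
}

# Contoso, Ltd. locations from the lab table (Uppsala is the hub end of the links).
$contosoSites = @(
    [pscustomobject]@{ Location='Uppsala';    Employees=7000; SpeedKbps=44736; Usage=0.30; Reliability='Good';    DialOnDemand=$false; BusyAllDay=$false }
    [pscustomobject]@{ Location='Oslo';       Employees=4000; SpeedKbps=1544;  Usage=0.50; Reliability='Good';    DialOnDemand=$false; BusyAllDay=$false }
    [pscustomobject]@{ Location='Sundsvall';  Employees=50;   SpeedKbps=56;    Usage=0.30; Reliability='Poor';    DialOnDemand=$false; BusyAllDay=$false }
    [pscustomobject]@{ Location='Wilmington'; Employees=500;  SpeedKbps=128;   Usage=0.70; Reliability='Average'; DialOnDemand=$false; BusyAllDay=$true  }
    [pscustomobject]@{ Location='Durham';     Employees=10;   SpeedKbps=64;    Usage=0.10; Reliability='Good';    DialOnDemand=$true;  BusyAllDay=$false }
    [pscustomobject]@{ Location='Charlotte';  Employees=100;  SpeedKbps=64;    Usage=0.20; Reliability='Good';    DialOnDemand=$false; BusyAllDay=$false }
)

Get-SiteLinkAssessment -Sites $contosoSites | Format-Table -AutoSize
```

With the lab data, Wilmington comes out at 38 Kbps free on a link that is busy 24 hours, so scheduling through sites cannot help and a local domain controller is the minimum; Sundsvall is the only location forced into a separate domain, and for the reason the Important note in Evaluating the Domain Design gives rather than because of bandwidth.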
Lab Discussion: Designing a Domain Structure
Lead students in an interactive class discussion. Students should discuss their answers to the lab questions and present their domain structure designs.
During this discussion, you will present your domain structure design solutions to the class and discuss the answers to the lab questions.
Best Practices
Topic Objective: To outline best practices for creating a domain plan.
Lead-in: Consider these best practices for creating a domain plan.
! Design for the least flexible business requirements first
! Start with a single domain
! Use a dedicated domain for the forest root domain
! Use Group Policy to enforce strong password requirements
! Use Group Policy to restrict the membership of built-in groups
Review
Topic Objective: To reinforce module objectives by reviewing key points.
Lead-in: The review questions cover some of the key concepts taught in the module.
! Introduction to Designing a Domain Structure
! Collecting Organizational Information
! Determining the Number of Domains
! Determining the Design of the Forest Root Domain
! Determining a Domain Hierarchy
! Evaluating the Domain Design
! Modifying the Domain Structure After Deployment
! Best Practices
3. What are the costs that are associated with adding additional domains?
• More domain administrators and the need to perform redundant
administrative tasks in each domain.
• Additional domain controller hardware.
• More communication is required between domain controllers in
different domains; this situation creates a greater chance for points
of failure between domain controllers.
• Increased probability of needing to move security principals
between domains.
4. What are the advantages and disadvantages of using a dedicated forest root
domain?
The advantages are:
• Limits the number of administrators that can make forest-wide
changes.
• Allows domain controllers in the forest root domain to be quickly
backed up and restored.
• Functions as the parent for all top-level child domains.
• Mitigates the risk of the forest root domain becoming obsolete.
The disadvantages are the costs described earlier in this module: one
additional domain to administer, and the additional hardware for at least
two domain controllers that are dedicated to the forest root domain.
5. When would you consider creating more than one tree in your forest?
For an organization that requires multiple Active Directory
namespaces. For example, if a division in your organization has its own
registered DNS name and runs its own DNS servers.
6. What are the three tasks that you perform when evaluating a domain
structure design?
1. Obtain or create a map of the physical network and then compare
the logical domain structure to the physical network to assess how well
the physical network supports the proposed design of the domain
structure.
2. Assess user authentication and user queries of Active Directory to
determine how well the domain design supports user authentication and
Active Directory queries. It is the physical proximity of users and
domain controllers on the network that will help you determine how
well the domain design supports user authentication and Active
Directory queries.
3. Assess the availability of Active Directory objects to users. By
examining which domains encompass which physical locations, you can
determine if the Active Directory objects that will be replicated to each
location are relevant to users.