
Module 3: Designing a Domain Structure

Contents

Overview 1
Introduction to Designing a Domain Structure 2
Collecting Organizational Information 10
Determining the Number of Domains 13
Determining the Design of the Forest Root Domain 20
Determining a Domain Hierarchy 24
Evaluating the Domain Design 26
Modifying the Domain Structure After Deployment 28
Demonstration: Visio Professional 2002 30
Lab A: Designing a Domain Structure 31
Lab Discussion: Designing a Domain Structure 42
Best Practices 43
Review 45
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, BackOffice, FrontPage,
PowerPoint, Visio, Visual Basic, Visual Studio and Windows Media are either registered
trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective
owners.

Instructor Notes
Presentation: 75 Minutes
Lab: 60 Minutes
Lab Discussion: 45 Minutes

This module provides students with the knowledge and skills necessary to design an Active Directory™ directory service domain structure for Microsoft® Windows® .NET. The module describes the characteristics of domains and then describes the advantages of single- and multiple-domain structures. The module explains how to determine the number of domains in a forest, the design of the forest root domain, and the domain hierarchy in a multiple-domain design. The module also describes how to evaluate a domain structure design. At the end of this module, students will be able to design a domain structure that meets the business needs of an organization.
In the lab, a business scenario will provide students with the opportunity to design a domain structure for a fictitious organization.
After completing this module, students will be able to:
! Describe the process of designing a domain structure, including identifying
the domain characteristics that affect the design process and describing the
advantages of single- and multiple-domain designs.
! Gather the appropriate organizational information used to determine the
design of the domain structure.
! Determine the number of domains in a forest.
! Determine the design of the forest root domain.
! Determine the domain hierarchy in a multiple-domain design.
! Evaluate the design of the domain structure.
! Identify the issues related to modifying the domain structure after
deployment.
! Apply best practices for designing a domain structure.

Materials and Preparation
This section provides the materials and preparation tasks that you need to teach this module.

Required Materials
To teach this module, you need the Microsoft PowerPoint® file 2281A_03.ppt.

Preparation Tasks
To prepare for this module, you should:
! Read all of the materials for this module.
! Complete the lab, and review the lab answers and suggested lab solutions. Review the recommended solution, a Microsoft Visio® Professional 2002 diagram named Domainlab.vsd, which is included on the Trainer Materials compact disc in the StudentCD\Labfiles folder. Prepare alternate solutions to the lab exercises to discuss with students during the lab discussion.
! Read Chapter 9, “Designing the Active Directory Structure” in the
Deployment Planning Guide in the Microsoft Windows 2000 Server
Resource Kit. This chapter is located under Additional Reading on the Web
page on the Student Materials compact disc.
! Practice the Visio demonstration that is described in the next section.

Demonstration
This section provides demonstration procedures that will not fit in the margin
notes or are not appropriate for the student notes.

Visio Professional 2002
! To start the Active Directory template in Visio Professional 2002
1. Start Visio Professional 2002.
2. In the Choose Drawing Type area, in the list of categories, click Network.
3. In the Template area, click Active Directory.

! To start an Active Directory drawing
1. From the Active Directory Objects stencil (the area on the far left of the
Visio window), drag the Domain shape onto the drawing page.
2. Use the toolbar at the top of the Visio window to zoom in on the domain
shape.
3. Select the shape, and then type nwtraders.msft to name it. Press the ESC
key to accept the change.
4. From the Active Directory Objects stencil, drag the Organizational Unit
shape onto the drawing page and place it on the existing domain shape.
Type Paris and then press ESC.
5. Drag two more Organizational Unit shapes onto the domain shape from
the Active Directory Objects stencil. Name the organizational units by
clicking them, typing Denver and Singapore respectively, and then
pressing ESC.
6. Drag an additional Organizational Unit shape onto the Singapore
organizational unit. Type Bangalore and then press ESC.
7. Drag an additional Organizational Unit shape onto the nwtraders.msft
domain and name it Marketing.

! To modify the drawing
1. In the Directory Navigator area on the left corner of the drawing page,
select the Marketing organizational unit, and press DELETE.
Deleting the organizational unit on the drawing page itself only deletes it
from the drawing. Right-clicking the parent shape and selecting Show
Children causes the shape to reappear. The only way to permanently delete
a shape is to delete it in the Directory Navigator area.
2. On the drawing page, drag the Bangalore shape so that it is on top of the
Nwtraders.msft shape.
This moves the shape so that it is at the same level as the other
organizational units.
3. Right-click the Nwtraders.msft domain shape, and click Lay Out Children.
Select one of the vertical layouts, and then click OK.

! To view other shapes
1. Show students the other shapes that are in the Active Directory Objects
stencil.
2. In the lower left corner of the Visio window, click Active Directory Sites
and Services to view the Active Directory Sites and Services stencil.
3. Show students the shapes in this stencil as well.

Module Strategy
Use the following strategy to present this module:
! Introduction to Designing a Domain Structure
In this topic, provide an overview to designing a domain structure. In the
subtopic on the characteristics of Active Directory domains, describe the
characteristics of a domain. Emphasize to students that they need to
consider these characteristics in the context of an organization’s business
needs to design a domain structure. In the subtopic on single- and multiple-
domain structures, describe the characteristics of single and multiple domain
structures. Be sure to mention the advantages and disadvantages of each
type of domain structure. In the subtopic on the domain design process,
provide an outline of the domain design process. Tell students that the
subsequent topics in this module will discuss each design task in more
detail. In the subtopic on the domain plan, describe the deliverables that are
included in the domain plan. Tell students that some of the deliverables on
this list (such as the Domain Name System [DNS] name for each domain)
may not be determined until other components of the Active Directory
design are addressed.
Finally, be sure to stress the important note in the Characteristics of a
Domain topic. It may be presumed that the domain is the security boundary
of an Active Directory infrastructure; however, the forest must be
considered the ultimate security boundary.
! Collecting Organizational Information
In this topic, describe the type of organizational information that must be
collected to determine the design of the domain structure. Tell students that
some of this information (such as the characteristics of the network
connections) is used when designing other components of the Active
Directory infrastructure.
! Determining the Number of Domains
In this topic, tell students that determining the number of domains is the first step in designing the domain structure and then introduce the topics related to determining the number of domains. In the subtopic on administrative requirements, describe how to determine the administrative requirements that will affect the number of domains. Explain the factors that students consider in the context of an Active Directory domain as an administrative boundary. In the subtopic on security policy requirements, describe the security-related Group Policy settings that can be applied only on a domain-wide basis. Suggest alternative ways to design around these potential limitations. In the subtopic on replication requirements, describe the replication issues that may impact the domain structure design. Emphasize that the primary replication issue is the scope of object availability. Tell students that the design of the site topology is the primary way to address replication issues. In the subtopic on the costs of additional domains, describe the costs of adding domains to the domain structure. Remind students that they should have sufficient business reasons for each domain in the domain structure.

! Determining the Design of the Forest Root Domain
In this topic, describe the characteristics of the forest root domain and emphasize the importance of the forest root domain. In the subtopic on using a dedicated forest root domain, define a dedicated forest root domain (which is also called an empty forest root domain) and describe its advantages. Emphasize that if students choose to use a dedicated forest root domain, they need to make sure that it meets a specific business need. This will help them justify the additional costs associated with the additional domain. In the subtopic on using a non-dedicated forest root domain, define what a non-dedicated forest root domain is and describe its advantages.
! Determining a Domain Hierarchy
In this topic, describe that a multiple-domain structure is organized into a
tree with a contiguous namespace and this domain structure will define the
parent-child relationships between all the domains in the tree. Explain that
Active Directory domains are named with DNS names and that the name of
a tree is the DNS name of the root domain of that tree. Explain that the
decision to use a single- or multiple-tree structure depends on the number of
namespaces required by an organization because multiple namespaces
require multiple trees.
! Evaluating the Domain Design
In this topic, describe how to evaluate a domain design by comparing the logical structure of the domain design to the physical topology of the network. Describe the components that make up a map of the physical network. Explain how to use this map to assess user authentication, Active Directory queries, and object availability. Suggest to students that during this evaluation process, they should assume that at least one domain controller will reside in each physical location; but emphasize that this is only for evaluating the physical proximity of users and domain controllers and that domain controller placement will be determined when designing the site topology.
! Modifying the Domain Structure After Deployment
In this topic, describe the issues related to changing the domain structure after it is deployed. Describe some of the tools that can be used to simplify the merging and splitting of domains. Emphasize that students should carefully design a flexible and scalable domain structure to minimize any modifications after Active Directory is deployed.
! Demonstration: Visio Professional 2002
In this demonstration, show students how to use Visio Professional 2002.
Encourage students to use Visio Professional 2002 to document the design
of the Active Directory component in the remaining labs for the course.

! Lab A: Designing a Domain Structure
In this lab, students design a domain structure for Contoso, Ltd. The lab
presents a scenario and provides information in both a table and a diagram.
Help students form teams to work on the lab. The number of students on a
team will depend on the size of a class; for example, four students on a team
in a class of 20 students would be about right.
Some students who are more familiar with the Active Directory logical
structures may jump ahead and try to design an entire Active Directory.
Remind them that for now they are to focus just on the domain design. They
will have a chance to use all of the Active Directory structures together in
the final lab in Module 7, “Designing an Active Directory Solution,” in this
course, Course 2281A, Designing a Microsoft Windows .NET Directory
Services Infrastructure (Beta).
About halfway through the lab, ask students how they are progressing in the
lab, and help teams that are having difficulty.
A proposed solution is included on the Trainer Materials compact disc in the
StudentCD\Labfiles folder. The solution is a Visio diagram named
DomainLab.vsd.
! Lab Discussion: Designing a Domain Structure
Determine if there are differing solutions and select a representative team to
present their domain structure to the class. If students used Visio for their
diagrams, create a share on the instructor computer, have them copy their
Visio diagrams to the instructor computer, and then have each team present
their design from the instructor computer. Alternatively, students can use a
whiteboard or a flip chart to present their designs with the class. Be sure to
ask for justification for each team's particular design and encourage class
participation in the questioning process.
As an alternative, solicit volunteers to answer the questions to the exercises
and query the class to see if there are other ideas. Encourage students to
share their opinions if they disagree with any assumptions that other teams
have made.
If you choose just to have students present their solutions, ask if there are
questions on any of the lab exercises. Discuss any questions as a class.
You may also wish to show and discuss the recommended solution for this
lab if students are curious. Present this solution as a possible solution, and
solicit feedback for alternative solutions.
! Best Practices
Present best practices for designing a domain structure. Emphasize the
reason for each best practice.

Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Training and
Certification courseware.
There are no computer-based labs in this module, and as a result, there are no
lab setup requirements or configuration changes that affect replication or
customization.

Overview
Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, we will discuss how to design an Active Directory domain structure and how to validate the domain structure design.

! Introduction to Designing a Domain Structure
! Collecting Organizational Information
! Determining the Number of Domains
! Determining the Design of the Forest Root Domain
! Determining a Domain Hierarchy
! Evaluating the Domain Design
! Modifying the Domain Structure After Deployment
! Best Practices



In Microsoft® Windows® .NET, a domain is the core unit of the logical
structure of the Active Directory™ directory service. Active Directory domains
divide a forest into separate units of administration, authentication, security,
and replication. These characteristics of domains, together with your
organization’s business needs, will help you determine the design of the domain
structure. This design will specify the number of domains, identify the forest
root domain, and identify the hierarchy in a multiple-domain design.
After you have designed a domain structure that meets the organization’s
business needs, the second part of the design process is to validate that design
by comparing it to the physical network. By making this comparison, you can
assess the impact of the physical network on the proposed domain structure.
This validation process will help you determine if changes need to be made to
either the domain design or the physical network.
After completing this module, you will be able to:
! Describe the process of designing a domain structure, including identifying
the domain characteristics that affect the design process and describing the
advantages of single- and multiple-domain designs.
! Gather the appropriate organizational information used to determine the
design of the domain structure.
! Determine the number of domains in a forest.
! Determine the design of the forest root domain.
! Determine the domain hierarchy in a multiple-domain design.
! Evaluate the design of the domain structure.
! Identify the issues related to modifying the domain structure after
deployment.
! Apply best practices for designing a domain structure.

Introduction to Designing a Domain Structure
Topic Objective: To introduce the topics related to designing a domain structure.
Lead-in: Before you can design a domain structure, you should understand the characteristics of Active Directory domains that influence a domain structure.

! Characteristics of Active Directory Domains
! Examining Single- and Multiple-Domain Structures
! The Domain Design Process
! The Domain Plan



Before you begin designing the domain structure, you need to understand the
characteristics of Active Directory domains, which, together with the business
goals of the organization, will help you to determine a domain structure.
Ideally, organizations should strive for a single-domain design; however, during
the design process you may determine that the organization requires a multiple-
domain design.
The domain design process consists of collecting organization information that
will help identify the business needs that the domain structure must address. By
analyzing these business needs in the context of domain characteristics, you
will determine the number of domains in the domain structure, and, if more
than one is needed, you will determine which domain will be configured as the
forest root and the hierarchy of the multiple-domain design. A second part of
the design process is to validate the domain design by verifying that the
physical network will support the proposed domain structure. The results of this
validation process may require you to modify the domain structure or the
physical network in a way that best meets your organization’s business needs.
The result of the domain design process is a domain plan that lists the
specifications for your organization’s domain structure.

Characteristics of Active Directory Domains
Topic Objective: To describe the characteristics of Active Directory domains.
Lead-in: Before designing the domain structure, identify the characteristics of domains that affect the domain design.

! An Active Directory Domain Is:
# An administrative boundary—Administrative privileges do not extend to other domains
# A unit of authentication—A security principal can be authenticated only by domain controllers in its domain
# A security-policy boundary—A small set of security policies can be set only at the domain level
# A replication boundary—All objects in the domain database are replicated to all domain controllers in the domain


Remind students that Active Directory uses a multi-master replication model, where each domain controller stores a writable copy of the domain database.

Active Directory domains divide a forest into separate units of administration, authentication, security, and replication. Being able to identify the characteristics of Active Directory domains will help you to determine the number of domains required in the domain structure for the organization.

When designing the domain structure, consider the following characteristics of Active Directory domains:
! A domain is an administrative boundary. Members of the Domain Admins
group, which is a built-in global group, have full control over all Active
Directory objects in the domain. Therefore, members of this group can
administer every object in the domain. However, these administrative
privileges do not automatically extend to any other domain in an Active
Directory forest. Administrators can administer objects in a different
domain only if they are explicitly assigned permissions in the other domain.
! A domain is a unit of authentication. The domain database contains all the
security principal objects, such as users, groups, and computers that reside
in the domain. Every domain controller in a domain maintains a copy of this
domain database. Therefore, only a domain controller for the domain in
which the security principal is located can authenticate that security
principal.

! A domain is a security-policy boundary. A small set of Group Policy security settings can be set only at the domain level. Therefore, these security settings will apply to all users in the domain, regardless of which organizational unit their account is located in. These domain-level settings include the following types of security policies:
• Password policy. Determines password settings, such as complexity,
length, and lifetime.
• Account lockout policy. Determines when and for how long an account
will be locked out due to unsuccessful logon attempts.
• Kerberos V5 ticket policy. Determines the lifetime and renewal interval
for a Kerberos ticket. A Kerberos ticket is obtained during the logon
process and is used for network authentication. A particular ticket is only
valid for the lifetime specified in the policy.

Important It is important to remember that the forest is the ultimate security boundary, and within that forest, each domain Administrator must be as trusted as any other domain Administrator. Ultimately, each domain Administrator must be as trusted as Schema Admins and Enterprise Admins in the forest root, as it is easy to run attacks that would grant the domain Administrators equivalent power.

! A domain is a replication boundary. In a domain, computers called domain controllers contain a writable copy of the domain database, which contains every object in the domain. Therefore, an update to any object in the domain is replicated to every domain controller in the domain. The replication of the domain database among all domain controllers results in all objects being available throughout the domain.

Examining Single- and Multiple-Domain Structures
Topic Objective: To describe the benefits of a single-domain structure and the organizational needs that may require a multiple-domain structure.
Lead-in: There are many benefits for using a single-domain structure; however, your organization may have needs that will require a multiple-domain structure.

Single-Domain Structure
! Ease of management
! Lower costs
! Easier administrative delegation
! Fewer members in Domain Admins group
! Simplified global catalog implementation

Multiple-Domain Structure
! Distinct domain-level policies
! Separate administrative control
! Autonomous administration
! Separation and control of affiliate relationships
! Reduced scope of replication



There are many benefits to using a single-domain structure; however, your
organization may have needs that will require you to choose a multiple-domain
structure.

Benefits of Using a Single-Domain Structure
It is recommended that organizations use a single-domain structure, if possible. The benefits of using a single-domain structure include:
! Ease of management. Single domains minimize the hardware you will need
to purchase and maintain. They also mean that you will have fewer trusts to
create and fewer administrative groups to create and maintain.
! Lower costs. Single domains are less expensive because you do not have the
incremental costs associated with adding additional domains.
! Easier delegation of administrative authority. In a single-domain structure,
you can create organizational units as needed to delegate authority over
resources and Active Directory objects. Delegating administrative authority
is more complicated in a multiple-domain structure.
! Fewer members in the Domain Admins group. With a single domain, you
can keep membership of the Domain Admins group to a minimum and use
delegation to allow detailed control of Active Directory objects.
! Simplified global catalog implementation. With a single domain, the global
catalog is not replicated separately to domain controllers.

Note Theoretically, the global catalog can contain more than four billion
objects. The global catalog includes all objects in all domains in a forest,
regardless of the number of domains present. So, if the objects will not fit
within a single domain, they will not fit within a multiple-domain forest either.

Organizational Needs that May Require a Multiple-Domain Structure
If a single domain does not meet the needs of the organization, it will be necessary to use multiple domains. When designing your domain structure, consider adding domains if your organization requires any of the following:
! Distinct domain-level policies. Because Group Policy account and password
settings are applied at the domain level, you can create separate domains
with distinct Group Policy settings that will apply to the users in each
domain.
! Decentralized administration. The flexibility of the domain structure allows
you to design a domain structure that meets the needs of your organization’s
domain administration model. For example, in some organizations, divisions
that make a monetary investment in their own computer hardware, such as
domain controllers, want to retain complete administrative control of their
hardware.
! Separation and control of affiliate relationships. Large corporations often
form business affiliations by being involved in joint ventures or
partnerships. You can use multiple domains to isolate administrative and
security control of shared resources and external users.
! Reduced scope of replication. All objects and attributes are replicated
between all domain controllers in the domain. Consequently, if a domain is
too wide in scope, then domain controllers will replicate objects that are not
useful to a percentage of the users in the domain. Therefore, you can use
additional domains to reduce the scope of object availability. For example,
you could use a separate domain for a remote physical location with a small
number of users or for a location that is poorly connected to the rest of the
organization.
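As an added example (not part of the course materials), the following Python script checks a proposed domain assignment against two of the drivers listed above: business units that require different domain-level password, lockout, or Kerberos settings cannot share a domain, and a unit that requires autonomous administration cannot share a domain with anyone else. The unit names, domain names, and policy values are constructed for the example, not taken from the course lab scenario.

```python
"""Check whether a proposed domain assignment satisfies the domain-level
policy and autonomous-administration drivers. Added example; the business
units, domain names and policy values below are constructed, not from the
course lab scenario."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainPolicy:
    """Settings that apply only domain-wide (one set per domain)."""
    min_password_length: int
    max_password_age_days: int
    lockout_threshold: int               # 0 means accounts never lock out
    kerberos_ticket_lifetime_hours: int


@dataclass
class BusinessUnit:
    name: str
    proposed_domain: str
    required_policy: DomainPolicy
    needs_autonomous_admin: bool = False  # wants its own Domain Admins group


def group_by_domain(units):
    by_domain = defaultdict(list)
    for unit in units:
        by_domain[unit.proposed_domain].append(unit)
    return by_domain


def find_policy_conflicts(units):
    """Domains whose units require different domain-level policies.
    Because password, lockout and Kerberos policy are set once per domain,
    such units must be placed in separate domains."""
    conflicts = {}
    for domain, members in group_by_domain(units).items():
        if len({m.required_policy for m in members}) > 1:
            conflicts[domain] = sorted(m.name for m in members)
    return conflicts


def find_autonomy_conflicts(units):
    """Domains where a unit that wants autonomous administration shares the
    domain with others: that domain's Domain Admins group would have full
    control over the other units' objects as well."""
    return sorted(
        domain
        for domain, members in group_by_domain(units).items()
        if len(members) > 1 and any(m.needs_autonomous_admin for m in members)
    )


def minimum_domains(units):
    """Lower bound on the number of domains these two drivers impose:
    one domain per distinct policy set for the units willing to share,
    plus one domain for every unit that requires autonomy."""
    by_policy = defaultdict(list)
    for unit in units:
        by_policy[unit.required_policy].append(unit)
    total = 0
    for members in by_policy.values():
        autonomous = sum(1 for m in members if m.needs_autonomous_admin)
        shared = any(not m.needs_autonomous_admin for m in members)
        total += autonomous + (1 if shared else 0)
    return total


STANDARD = DomainPolicy(8, 42, 5, 10)
STRICT = DomainPolicy(14, 30, 3, 8)

# Constructed sample: a proposed single corporate domain plus one affiliate.
SAMPLE_UNITS = [
    BusinessUnit("Corporate", "corp.contoso.msft", STANDARD),
    BusinessUnit("Sales", "corp.contoso.msft", STANDARD),
    BusinessUnit("Research", "corp.contoso.msft", STRICT),
    BusinessUnit("Affiliate", "affiliate.contoso.msft", STANDARD,
                 needs_autonomous_admin=True),
]

if __name__ == "__main__":
    print("policy conflicts:", find_policy_conflicts(SAMPLE_UNITS))
    print("autonomy conflicts:", find_autonomy_conflicts(SAMPLE_UNITS))
    print("minimum domains:", minimum_domains(SAMPLE_UNITS))
```

For the sample, Research's stricter policy forces it out of corp.contoso.msft, so the two drivers alone require at least three domains.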

The Domain Design Process
Topic Objective: To outline the domain design process.
Lead-in: The domain design process consists of designing a logical domain structure and then validating the domain design by verifying that the physical network will support the proposed domain structure.

To Design a Domain Structure:
1. Collect organizational information
2. Determine the number of domains
3. Determine the design of the forest root domain
4. Design the domain hierarchy
5. Evaluate the domain structure design

! Strive to design an ideal domain structure
! Use the fewest possible number of domains
! Modify the design or the physical network as necessary


Emphasize to students that the function of the domain design is to logically partition the organization’s Active Directory infrastructure. The domain design has to reflect the appropriate logical structure of your enterprise, not its physical one. The physical structure is addressed by the site topology design, which is discussed in Module 5, “Designing a Site Topology,” in Course 2281A, Designing a Microsoft Windows .NET Directory Services Infrastructure (Beta).

Key Point
A domain design should be as simple as possible and should specify the fewest number of domains necessary to meet the business and administrative needs of the organization.

The goal of the domain design process is to design a single- or multiple-domain structure based on business needs and then validate the design by determining whether the existing physical network will support the proposed domain structure.

The Design Process
Designing a domain structure consists of five tasks:
1. Collecting organizational information.
To design a domain structure that meets business needs, you need to gather information about the organization, and use it to determine the functional requirements that the domain structure must address. You need to identify the physical locations, the number of users in each location, and the characteristics of the connections between each location.
2. Determining the number of domains.
Although you should strive for a single-domain design, organizational needs may require that you use additional domains. Analyzing the administrative, security, and replication requirements helps you determine the necessary number of domains.
3. Determining the design of the forest root domain.
If your domain design requires multiple domains, you need to determine which domain will be the forest root domain and whether that domain will contain user and computer objects or whether it will be dedicated to the purpose of administering the forest.

4. Designing the domain hierarchy.
For a multiple-domain structure, you need to design the domain hierarchy,
which defines the parent-child relationship among the domains in the forest,
and the relationship between each child domain and the forest root domain.
The domain hierarchy also defines the trust relationships among the
domains. In addition, you must determine whether to specify more than one
domain tree in the domain structure design.
5. Evaluating the domain structure design.
After completing the domain structure design, you need to compare the
domain design to the structure of the physical network to evaluate how well
the physical network supports the proposed domain structure. During this
task, you assess how well the proposed domain optimizes replication and
supports the authentication of users. You may have to modify the domain
design to compensate for limitations or restrictions imposed by the network.

The Design Methodology


When developing the domain design, strive to design an ideal logical structure
that first and foremost addresses your organization’s needs rather than a design
that initially takes into consideration the restrictions imposed by the physical
network.
A domain design should be as simple as possible and should specify the fewest
number of domains necessary to meet the business and administrative needs of
the organization. By keeping the structure as simple as possible, you can make
domain management easier and reduce the costs of supporting a more complex
domain structure.
After determining the domain design, compare it to the organization’s physical
network and then identify any modifications that must be made to either the
domain design or the physical network. To accomplish this, you may need to
adapt the domain design (for example, by adding domains) to work with the
existing network or modify the network to support the proposed domain design.
The Domain Plan

Topic Objective: To list the specifications identified by the domain plan.

Lead-in: The result of the domain design process is a plan that lists the
specifications for your organization’s domain structure; the plan will guide
the testing and deployment of the Active Directory domain structure.

*****************************ILLEGAL FOR NON-TRAINER USE******************************


The result of the domain design process is a domain plan that lists the
specifications for your organization’s domain structure. These specifications
describe the structure of the domain component of the Active Directory
infrastructure; you will use the plan to guide both the testing and
implementation of the domain structure.

Because designing an Active Directory infrastructure is an iterative process,
you will not be able to determine all of the requirements specified by the
domain structure plan without first completing the initial design for other
Active Directory components.

The following list identifies the information specified in the domain plan:
- The number of domains in each forest
- The forest root domain for each forest
- The Domain Name System (DNS) name for each domain
- The domain hierarchy for multiple-domain structures
- Any shortcut trusts between domains in the forest and, if applicable, any
external or forest trusts to domains in other forests (trusts that cross a
forest boundary are external or forest trusts, not shortcut trusts)
Collecting Organizational Information

Topic Objective: To describe the type of organizational information used to
determine the design of the domain structure.

Lead-in: To begin the domain structure design process, the first thing you
must do is gather information about the organization.

Instructor notes: For each guideline, ask the students to provide additional
examples of how the collected information will be used during the domain
design process. Emphasize to students that while the type and reliability of
connections between locations may impact the domain design, these
characteristics of the physical network are best addressed by the site design.
Emphasize to students that they must carefully design around a pay-per-use
connection.

To design a domain structure that will support the requirements and structure
of an organization, you must start by gathering information about the
organization. The information that you collect will help you and your
organization to determine the Active Directory requirements. To obtain this
information, consult with the current domain administrators, the people who
manage and monitor the physical network, and the people who are responsible
for network security.

To gather information for the domain structure:

- Determine the number of geographic locations in the organization.
Knowing the number of locations and the geographic placement of the
locations helps you identify the number of domains required to address
replication and user authentication issues. For example, a widely
geographically distributed enterprise may have replication issues because a
wide area network (WAN) may not provide adequate bandwidth to replicate
a domain across the entire WAN. There may also be geopolitical reasons to
create additional domains (for example, when different languages are used
at different divisions of the organization).
In addition, you should determine the number of users and computers at
each location. Knowing this helps you determine if you need to divide a
large location among multiple domains to control the scope of replication.

- Determine the available bandwidth for the connection between each
geographic location.
After you identify geographic locations, determine the bandwidth between
those locations. Knowing the available bandwidth for each connection helps
you determine the replication and authentication requirements for the
domain structure. For example, the WAN bandwidth may support the
replication traffic during peak hours for a large domain spread out across the
WAN. If the WAN cannot handle a lot of replication traffic, you may need
to include a number of smaller domains in the domain structure.
- Determine the reliability and cost of the connection between locations.
Determining the reliability and cost of the connection between the
geographic locations helps you determine the replication and authentication
requirements of the domain structure. If connections are not reliable or if a
particular connection is expensive, you will need to design the domain
structure in a way that takes these issues into consideration. For example, if
you have a pay-for-use connection, you will want to reduce the amount of
authentication and replication over that link.
- Identify key stakeholders.
Because the domain structure potentially affects the entire organization, you
should identify and work with all the groups who will be affected. This
includes current domain administrators, department or workgroup
administrators, network operations managers who maintain and monitor the
physical network, teams that own and manage the DNS service for the
network, and the team that maintains security for the information
technology (IT) infrastructure.
- Identify the functional groups within the organization.
For each location, identify the functional groups, such as divisions,
departments, and large workgroups that reside in that location. You should
also determine whether a specific functional group spans multiple
geographic locations. Knowing the functions of the workgroups helps you to
determine how the domain structure design must support these functional
groups. For example, if users at two different locations are in the same
functional organization, you may want to use a single domain.

Tip Try to obtain a corporate organization chart, which often contains
useful information about how an organization conducts business.

- Identify the administrative groups within the organization.
In addition to identifying functional groups, you need to identify the
administrative group for each functional group and any centralized group
with administrative authority throughout the organization. You should also
identify the administration task performed by each of these groups. Each
administrative group may have its own guidelines, practices, and policies
that may affect how you design the domain structure. This administrative
model for the organization is one of the primary factors that affects the
domain design because the domain structure must support the organization’s
administrative model.
- Identify any future plans for changes.
Identify upcoming or future changes that will affect the organization, the
administrative structure, or the physical network itself. This could include
future plans for organizational growth (such as acquisitions or mergers),
network expansion or upgrades, or expansion or consolidation of the
administrative staff. Being aware of upcoming changes in the organization
enables you to design flexibility into your domain structure.

Note The information that you gather during the domain design process will
also be useful during the design of other components of the Active Directory
design, such as the design of the site topology and the organizational unit
structure.

Determining the Number of Domains

Topic Objective: To introduce the topics related to determining the number of
domains.

Lead-in: Although you should strive for a design with the fewest number of
domains, organizational needs may require that you use additional domains.

This section covers:
- Determining Administrative Requirements
- Determining Security Policy Requirements
- Determining Replication Requirements
- Examining the Costs of Additional Domains


The principal task in designing the domain structure is determining the number
of domains in the forest. Although you should strive for a design with the
fewest number of domains, organizational needs may require that you use
additional domains. After you collect all of the necessary organizational
information, you use the information to develop the requirements for
administration, security policy, and replication. You compare these
requirements to the characteristics of Active Directory domains to develop a
domain design that supports these specific requirements and the organization as
a whole.
Throughout the domain design process, you should also remember that every
domain you create introduces some incremental cost in terms of additional
management overhead. Therefore, you should justify each additional domain to
ensure that the domains you add to the forest serve a purpose and address an
organizational need.

Determining Administrative Requirements

Topic Objective: To describe how to determine the administrative requirements
that will affect the number of domains.

Lead-in: Determining which administrative groups will have control over a
group of users is the primary administrative requirement to consider when
determining the number of domains.

Because a domain is an administrative boundary, domain administrators—
specifically, the members of the Domain Admins group—have full control over
all objects in the domain. Therefore, determining which administrative groups
have control over a group of users is the primary administrative requirement to
consider when determining the number of domains. By determining the scope
of administrative control for existing administrative groups, you can design a
domain structure that supports the organization’s current administrative model.
To determine the number of domains based on administrative requirements,
perform the following tasks:
- Identify autonomous administrative units. If the organization has a division
or department that will not allow outside administrators control over its
objects, then that department will require a separate domain for the objects it
administers.
- Identify political issues in the organization. Political issues often play a role
in the design of the domain structure. If a division or department insists on
managing all aspects of its IT infrastructure and will not yield control to
another administrative authority, then that department requires a separate
domain. When possible, work with other people in the organization to
attempt to resolve political issues that may negatively impact the design of
the domain structure.
- Identify any legal or security-related issues in the organization. Legal or
security-related issues may require that you designate a separate domain (or
forest) for a particular division or department. For example, a separate
domain is typically necessary for departments such as Human Resources
and Research and Development because they work with highly confidential
material. Keep in mind that a separate domain provides administrative
autonomy, not isolation: the service administrators of any domain in a forest
(Domain Admins, and anyone with equivalent rights on a domain controller)
can compromise the forest as a whole, so a department that must be isolated
from every other administrator in the organization needs a separate forest
rather than a separate domain.

Determining Security Policy Requirements

Topic Objective: To describe how to determine the security policy requirements
that will affect the number of domains.

Lead-in: If an organization has a group of users that requires a Group Policy
security setting that is different from the security applied to the rest of the
users in the organization, then that group of users requires a separate domain.

The account policy settings in Group Policy (Password Policy, Account Lockout
Policy, and Kerberos Policy) take effect for domain user accounts only from
Group Policy linked at the domain level, and they then apply to every user
account in the domain. If your organization has a group of users that requires
different account policy settings than the rest of the users in the
organization, then that group of users requires a separate domain.

If more than one account policy is required for users, a multiple-domain Active
Directory structure is necessary. To determine if you need additional domains
based on the need for unique security settings, perform the following tasks:
- Identify the need for more than one password policy. If a group of users
needs password settings that specify different password lengths, ages, or
complexity requirements, then this group of users must be located in a
different domain.
- Identify the need for more than one account lockout policy. If a group of
users requires account lockout settings that specify different lockout
durations and non-valid logon attempts, then this group of users must be
located in a different domain.
- Identify the need for more than one Kerberos V5 ticket policy. If a group of
users requires Kerberos V5 settings that specify different lifetimes for user
tickets and service tickets or that require different renewal periods, then this
group of users must be located in a different domain.

Note The one-account-policy-per-domain rule holds for Windows 2000 and
Windows Server 2003 domains, the platforms this course covers. Domains at
the Windows Server 2008 or later domain functional level support fine-grained
password policies (password settings objects), which give a group of users its
own password and lockout settings within one domain; Kerberos ticket policy
remains a domain-wide setting, so differing Kerberos requirements still call for
separate domains.
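As an added worked example (not part of the course text), the following Python models the constraint described above: a domain enforces exactly one account policy, so the distinct policies that groups of users require set a lower bound on the number of domains, and a proposed group-to-domain placement can be checked for clashes. It also shows how the fine-grained password policy caveat for later domain functional levels changes the count, because only the Kerberos ticket settings then remain domain-wide. The group names, domain names and policy values are constructed sample data, not recommendations.

```python
"""Added example: account policy is enforced per domain, so the distinct
account policies that groups of users require set a lower bound on the number
of domains. Sample groups, domains and policy values are constructed."""
from dataclasses import astuple, dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccountPolicy:
    # Password Policy
    min_password_length: int
    max_password_age_days: int
    complexity_required: bool
    # Account Lockout Policy (threshold 0 means accounts never lock out)
    lockout_threshold: int
    lockout_duration_minutes: int
    # Kerberos Policy
    user_ticket_lifetime_hours: int
    service_ticket_lifetime_minutes: int

    def effective(self, fine_grained: bool) -> Tuple:
        """The settings that still force their own domain.

        Windows 2000/2003 domains: every account policy setting is
        domain-wide. At the Windows Server 2008 or later domain functional
        level, fine-grained password policies can give a group its own
        password and lockout settings, so only the Kerberos ticket settings
        remain domain-wide."""
        if fine_grained:
            return (self.user_ticket_lifetime_hours,
                    self.service_ticket_lifetime_minutes)
        return astuple(self)


def domains_required(requirements: Dict[str, AccountPolicy],
                     fine_grained: bool = False) -> List[List[str]]:
    """Partition the groups by the account policy each one needs.

    One list per distinct effective policy is returned, so len(result) is the
    minimum number of domains the policy requirements alone impose; groups
    in the same list can share a domain."""
    buckets: Dict[Tuple, List[str]] = {}
    for group, policy in requirements.items():
        buckets.setdefault(policy.effective(fine_grained), []).append(group)
    return list(buckets.values())


def placement_conflicts(requirements: Dict[str, AccountPolicy],
                        placement: Dict[str, str],
                        fine_grained: bool = False) -> List[Tuple[str, str, str]]:
    """Check a proposed design (group -> domain). A domain enforces exactly one
    account policy, so two groups in one domain with different effective
    policies cannot both be satisfied; each clash is reported as
    (domain, group already placed there, conflicting group)."""
    first_in_domain: Dict[str, Tuple[Tuple, str]] = {}
    conflicts: List[Tuple[str, str, str]] = []
    for group, domain in placement.items():
        eff = requirements[group].effective(fine_grained)
        if domain not in first_in_domain:
            first_in_domain[domain] = (eff, group)
        elif first_in_domain[domain][0] != eff:
            conflicts.append((domain, first_in_domain[domain][1], group))
    return conflicts


# Constructed sample requirements (illustrative values, not recommendations)
STANDARD = AccountPolicy(8, 90, True, 5, 30, 10, 600)
# Research handles confidential material: stricter passwords, shorter tickets
RESEARCH = AccountPolicy(14, 60, True, 3, 60, 4, 240)
# Human Resources: stricter password and lockout settings, standard Kerberos
HUMAN_RESOURCES = AccountPolicy(12, 60, True, 3, 60, 10, 600)

REQUIREMENTS = {"Sales": STANDARD, "Finance": STANDARD,
                "Research": RESEARCH, "HumanResources": HUMAN_RESOURCES}
# A proposed two-domain design with hypothetical domain names
PROPOSED_PLACEMENT = {"Sales": "corp", "Finance": "corp",
                      "HumanResources": "corp", "Research": "rd.corp"}

if __name__ == "__main__":
    print(domains_required(REQUIREMENTS))                     # 3 domains
    print(domains_required(REQUIREMENTS, fine_grained=True))  # 2 domains
    print(placement_conflicts(REQUIREMENTS, PROPOSED_PLACEMENT))
    print(placement_conflicts(REQUIREMENTS, PROPOSED_PLACEMENT,
                              fine_grained=True))
```

Run as written, the proposed two-domain design is rejected for a Windows 2000/2003 forest because Human Resources and Sales share the corp domain with different password settings, while the same placement is accepted once fine-grained password policies are available, since the two groups agree on the only setting that is still domain-wide.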

Determining Replication Requirements

Topic Objective: To describe how to determine the replication requirements
that will affect the number of domains.

Lead-in: Although the replication requirements for an Active Directory
infrastructure are most effectively addressed by the design of the site
topology, the replication characteristics of Active Directory also affect the
design of the domain structure.

Instructor note: Explain to students that the site topology is the primary
Active Directory component used to manage replication. However, the design of
the domain structure should consider the scope of availability of objects
throughout the organization. Therefore, even if the available network bandwidth
is sufficient to support domains that span large geographic distances, students
should examine whether to make data available to users who may not need it.

The replication requirements for an Active Directory infrastructure are most
effectively addressed by the design of the site topology, because the site
topology’s main function is to manage replication. However, the replication
characteristics of Active Directory also affect the design of the domain
structure.

Replication within a domain occurs between all domain controllers on a regular
basis. Replication requires network availability and reliability to ensure that
the domain objects are available everywhere in the domain for logon
authentication and resource access. When determining how replication impacts
the design of the domain structure, consider the following two factors:

- Available bandwidth to handle replication traffic. All domain controllers for
a domain maintain a writable copy of the domain directory partition. This means
that every domain controller has a copy of all objects that reside in the
domain. Therefore, when a single domain spans multiple locations, every
object is available in each of the physical locations for logon authentication.
This might lead to objects being replicated to locations where these objects
are rarely used.
However, this is acceptable if there is enough available bandwidth—enough
to handle the replication of objects in a domain that spans multiple physical
locations. If the available bandwidth is inadequate, then you should consider
using more domains; for example, use a separate domain for a physical
location to compensate for slow links.

- Scope of object availability. If a domain spans multiple locations, every
object is available in each one of the physical locations, even if a group of
objects is not used in a particular location. This presents possible security
issues: every domain controller holds the complete domain partition, including
the password hashes of every account in the domain, so a domain controller in
a poorly protected location exposes accounts that are never used there, and
users at that location can attempt to gain unauthorized access to objects they
have no business with. Therefore, if objects are rarely used in some locations,
consider using more domains to limit the physical scope of where objects are
replicated.

Note Although you can use additional domains to address replications issues,
Active Directory sites are the best way to manage replication. For more
information about using sites to manage replication, see Module 5, “Designing
a Site Topology,” in Course 2281A, Designing a Microsoft Windows .NET
Directory Services Infrastructure (Beta).

Examining the Costs of Additional Domains

Topic Objective: To describe the costs associated with additional domains in a
forest.

Lead-in: There are costs associated with each additional domain in the forest.

Each domain that you create will introduce incremental cost in terms of
additional administration and resource overhead. When designing the domain
structure, you have to balance the need for additional domains with the
additional costs those domains will require. Therefore, you must justify each
additional domain to ensure that the domains you add to the forest solve a
specific problem and meet a specific need of the organization.

The following list describes the administrative overhead and additional costs of
adding domains to the domain structure:
- More domain administrators. Because domain administrators have full
control over a domain, the membership of the domain administrators group
for each domain must be closely monitored. In addition, the administrators
for each domain will have to perform regular domain-level administration
tasks.
- More domain controller hardware. A domain controller can only host a
single domain. For this reason, each additional domain requires at least one
domain controller, and it is a best practice to deploy at least two domain
controllers for each domain to ensure the reliability and availability of the
domain data. In addition, because domain controllers can accept and
originate changes to Active Directory objects, you must physically guard
them with care to control the access to the computers that are configured as
domain controllers.

- More communication between domain controllers in different domains. For
a domain controller in one domain to authenticate a user from another
domain, it must be able to contact a domain controller in the second domain.
This communication between the domain controllers represents an added
possible point of failure if, for example, the network between the two
domain controllers is malfunctioning at the time.
- Greater chance of having to move security principals between domains. The
more domains you have, the greater the chance you have to move security
principals, such as users and groups, between two domains. For example, a
business reorganization or a job change for a user can create the need to
move a user between domains. To end users and administrators, moving a
security principal between organizational units inside a domain is a trivial
and transparent operation. However, moving a security principal between
domains is more involved and can impact the user’s ability to gain access to
resources.

Determining the Design of the Forest Root Domain

Topic Objective: To describe the characteristics of the forest root domain that
will be used to determine the design of the forest root domain.

Lead-in: After you determine the number of domains in the forest, you must
determine which domain will be the forest root domain and how that domain
will be designed.

Instructor note: Emphasize to students that a dedicated forest root domain
provides a stable environment so that domains can be added or removed without
having to destroy the forest.

After you determine the number of domains in the forest, the next task in
designing a domain structure is to determine which domain will be the forest
root domain and how that domain will be designed. The forest root domain is
the first domain that is created in a forest and resides at the root of the
Active Directory hierarchy. You must carefully plan the selection, design, and
name of the forest root domain.

The following list describes the characteristics of the forest root domain and
why these characteristics are important:
- The forest root domain is a mission-critical component of the Active
Directory infrastructure. The forest root domain must always be available
because it is the hub of the forest’s trust paths: every additional domain tree
is joined to the forest by a trust with the forest root, so authentication
between two domains that do not share a direct parent-child trust (or a
shortcut trust) is referred along the trust path through the forest root
domain. For example, if a domain controller needs to authenticate a user from
a domain in another tree, or from a domain in a different branch of its own
tree, the referrals pass through the trust path that connects those two
domains with the forest root domain, and a domain controller of the forest
root must be reachable for the logon to succeed.
- The forest root contains the Enterprise Admins and Schema Admins built-in
groups. Because members of these groups can make forest-wide changes,
the membership of these two groups must be closely monitored and
controlled.
- The name of the forest root domain cannot be changed. Because the
forest root domain is the first domain created in the forest, the name of this
domain also provides the name of the root of the Active Directory
namespace. Therefore, the names of any additional domains (added to the
tree in which the forest root domain is the root) are derived from the name
of the forest root domain. In Windows 2000 you cannot change the name of the
forest root domain—and, therefore, the name of the root of the Active
Directory namespace—without reinstalling the entire forest. Windows Server
2003 (the release this beta became) added a domain rename tool, but renaming
is a disruptive forest-wide operation with many restrictions, and no supported
procedure can make a different domain the forest root, so the choice of forest
root domain is permanent.

When designing the domain structure, you can choose to use a dedicated
domain or a non-dedicated domain as the forest root.

Using a Dedicated Domain As the Forest Root

Topic Objective: To describe the advantages of using a dedicated domain as the
forest root.

Lead-in: A dedicated domain contains only default objects, the Enterprise
Admins group, and the Schema Admins group. Therefore, the only role of this
domain is to function as the forest root.

Delivery Tip: Use the whiteboard to show a dedicated forest root domain.

A dedicated domain (also known as an empty forest root domain) contains the
built-in user and group objects, default Group Policy objects, computer objects
for domain controllers, and the Enterprise Admins and the Schema Admins
groups, but does not contain any other objects such as ordinary user accounts,
groups, member computers, or organizational units. Therefore, the only role of
this domain is to function as the forest root.

Use a dedicated domain as the forest root to:
- Limit the number of administrators who can make forest-wide changes.
Because members of the Enterprise and Schema Admins groups are the only
administrators that can make forest-wide changes, a dedicated forest root
allows you to tightly control the membership of these groups. In a non-
dedicated forest root domain, the Domain Admins group is also the
day-to-day administrative group for the domain’s users and resources, and its
members can change the membership of the Enterprise and Schema Admins
groups and can therefore enable themselves or others to make forest-wide
changes as members of these groups. In a dedicated forest root, the same
power exists but belongs to a very small, closely watched set of accounts.
- Allow domain controllers in the forest root domain to be quickly backed up
and restored. Because a dedicated forest root domain does not contain users,
groups, resources, and other objects found in most domains, the size of the
domain database is relatively small. This enables the domain controllers in
the forest root domain to be restored quickly in the case of a domain
controller failure; this ability to quickly restore a domain controller is
necessary because a domain controller in the forest root must always be
available.

- Function as the root of the entire Active Directory infrastructure. Because
the forest root domain is the parent for all top-level child domains, you can
add or remove domains from the forest for organizations that have a large
number of acquisitions or sell-offs. In this situation, a dedicated forest root
domain will remain constant and the forest itself will remain intact.
! Mitigate the risk of the forest root domain becoming obsolete. Because the
primary role the domain has is to serve as the forest root, it will never
become obsolete. If you select a domain from your planned list of domains
to be the forest root, instead of dedicating a domain to be the forest root,
there is always a chance that that particular domain will become obsolete,
perhaps due to a change in the organization. However, you will never be
able to fully retire such a domain, because it must play the role of the forest
root.

If you choose to use a dedicated forest root domain, be sure that you have valid
business reasons to do so. Using a dedicated forest root domain will increase
costs because it will add one additional domain to the domain structure. In
addition, a dedicated forest root domain will require additional hardware
because it is a best practice to deploy a minimum of two domain controllers in
the forest root domain for redundancy and fault tolerance.

Using a Non-Dedicated Domain as the Forest Root

Topic Objective: To describe the advantages of using a non-dedicated domain as
the forest root.

Lead-in: A non-dedicated forest root domain performs all the functions of other
domains in the forest while also serving as the forest root domain.

Delivery Tip: Use the whiteboard to show a non-dedicated forest root domain.

A non-dedicated forest root domain performs all the functions of other domains
in the forest—functions such as storing users, computers, and organizational
units—while also serving as the forest root domain. To use a non-dedicated
domain, select a domain from the list of domains in the design of the domain
structure.

Use a non-dedicated domain as the forest root to:
- Allow you to use an existing domain from the domain structure design. You
can select a domain that is critical to the operation of your organization and
make it the forest root. Because you cannot afford to lose this domain, it
will already require the kind of fault tolerance and recoverability that is
required for a forest root.
- Eliminate the costs of an additional domain. Using a non-dedicated forest
root domain enables the organization to avoid the additional cost, such as
administrative overhead and additional hardware, incurred by adding a
dedicated forest root domain to the design of the domain structure.

Important If all domain controllers in the forest root domain are lost in a
catastrophic event and one or more of these domain controllers cannot be
restored from backup, the entire forest, the Enterprise Admins group, and
Schema Admins groups will be permanently lost. There is no way to reinstall
the forest root domain of a forest.

Determining a Domain Hierarchy

Topic Objective
To describe how to organize domains into trees.

Lead-in
A tree is a hierarchical arrangement of Windows .NET domains that share a contiguous namespace. A tree consists of one or more domains.

! Naming Domains
# Domains are named with DNS names
# A naming strategy must be able to withstand reorganizations without the need to restructure the domain hierarchy
# Naming recommendations:
- Use names relative to a registered DNS name
- Use names that are stable and subject to little change
! Single Tree vs. Multiple Trees
# Multiple namespaces require multiple trees
# The name of each namespace is the name of the root domain in each tree


If your organization requires multiple domains, it is necessary to design a
domain hierarchy. In a multiple-domain structure, domains are arranged in a
parent-child hierarchical structure called a tree. A tree is a set of one or more
domains with a contiguous namespace. The namespace is contiguous because
the name of a child domain is directly related to the name of its parent. For
example, if the root of the domain tree were named nwtraders.msft, a child
domain would be named, for example, sales.nwtraders.msft.
To design the hierarchy of the domain structure, you need to determine the
names of domains and whether domains will be configured as a single tree or
using multiple trees.

Naming Domains
Active Directory domains are named with DNS names. The name of a tree is
the DNS name of the domain at the root of the tree. Similarly, the name of the
forest is the DNS name of the forest root domain. When naming domains, you
should use a naming strategy that is capable of withstanding reorganizations
without the need to restructure the domain hierarchy. This is because after the
domain structure is implemented, changes in the domain architecture create
difficult and IT-intensive support requirements. In addition, a domain name
must be unique within the organization.
When naming domains, you should:
! Use names relative to a registered DNS name. Registered DNS domain names are globally unique and therefore provide the base for a stable naming structure. Use a registered DNS name as the suffix for the domain names (such as corp.microsoft.com).
! Use names that are stable and subject to little change. Use names based on
geographic locations (such as city names, state names, or country names),
administrative entities within the organization (such as sales, marketing, or
research), or other stable organization-specific boundaries.

Note For more information about naming domains, see Module 4, “Designing
a DNS Namespace Solution for Active Directory” in Course 2281A, Designing
a Microsoft Windows .NET Directory Services Infrastructure (Beta).

Using a Single Tree vs. Multiple Trees


Whether the design of the domain structure consists of a single tree or multiple
trees depends on the number of namespaces the organization requires. If an
organization has the need for multiple Active Directory namespaces, then it will
require multiple domain trees. The name of each required namespace is used as
the name for the root domain in each tree. For example, if a department or
division in the organization has its own registered DNS name, then that DNS
name could be used as the name for the root domain of a tree.

Note If there are multiple trees in a forest, the root domain of any tree is linked
by trusts only to the forest root domain and not to any of the other tree root
domains. This means that all authentication traffic between any two domains in
different trees must pass through the forest root.
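As an added example (not part of the course material), the following Python script models the rules above: it groups a list of DNS domain names into trees by contiguous namespace, applies the naming checks (forest root present, names unique, tree roots relative to a registered DNS name), and traces the trust path between two domains assuming only parent-child trusts and tree-root-to-forest-root trusts, so that a request between two trees passes through the forest root. The domain names are constructed for illustration and follow the contoso.com / nwtraders.com pattern used in Lab A.

```python
"""Group Active Directory domain names into trees and trace trust paths.

Added example, not course material. It models the rules from the text: a tree
is a set of domains with a contiguous DNS namespace, the tree's name is the DNS
name of its root domain, and tree roots are linked by trust only to the forest
root, so authentication between trees passes through the forest root.
All domain names below are constructed for illustration.
"""
from __future__ import annotations

# Constructed sample forest: a forest root (corp.contoso.com) with child
# domains, plus a second tree for a separately registered DNS name.
SAMPLE_FOREST_ROOT = "corp.contoso.com"
SAMPLE_DOMAINS = [
    "corp.contoso.com",
    "emea.corp.contoso.com",
    "design.emea.corp.contoso.com",
    "na.corp.contoso.com",
    "nwtraders.com",
    "sales.nwtraders.com",
]


def parent_domain(name: str, domains: set[str]) -> str | None:
    """A child's name is its parent's name with one label prepended, so the
    parent is `name` minus its leftmost label, if that domain is in the forest."""
    parts = name.split(".", 1)
    if len(parts) == 2 and parts[1] in domains:
        return parts[1]
    return None


def chain_to_tree_root(name: str, domains: set[str]) -> list[str]:
    """[name, parent, grandparent, ..., tree root] along the contiguous namespace."""
    chain = [name]
    while (parent := parent_domain(chain[-1], domains)) is not None:
        chain.append(parent)
    return chain


def trees(domains: list[str]) -> dict[str, list[str]]:
    """Group domains into trees, keyed by tree name (the DNS name of the tree root)."""
    dset = set(domains)
    grouped: dict[str, list[str]] = {}
    for d in sorted(domains, key=lambda n: (n.count("."), n)):  # parents before children
        grouped.setdefault(chain_to_tree_root(d, dset)[-1], []).append(d)
    return grouped


def validate_forest(domains: list[str], forest_root: str) -> list[str]:
    """Naming checks from the text; returns a list of problems (empty means OK)."""
    problems: list[str] = []
    if forest_root not in domains:
        problems.append(f"forest root {forest_root} is not one of the forest's domains")
    lowered = [d.lower() for d in domains]  # DNS names are case-insensitive
    for dup in sorted({d for d in lowered if lowered.count(d) > 1}):
        problems.append(f"domain name {dup} is not unique within the forest")
    for root in trees(domains):
        if "." not in root:
            problems.append(f"tree root {root} is not relative to a registered DNS name")
    return problems


def trust_path(src: str, dst: str, domains: list[str], forest_root: str) -> list[str]:
    """Domains crossed by an authentication request using only parent-child
    trusts and tree-root-to-forest-root trusts. Within one tree the path meets
    at the lowest common ancestor; across trees it goes via the forest root."""
    dset = set(domains)
    up = chain_to_tree_root(src, dset)
    down = chain_to_tree_root(dst, dset)
    if up[-1] == down[-1]:  # same tree
        common = next(d for d in up if d in down)
        return up[: up.index(common) + 1] + list(reversed(down[: down.index(common)]))
    path = list(up)
    if path[-1] != forest_root:  # src's tree root trusts only the forest root
        path.append(forest_root)
    if down[-1] != forest_root:  # ...which trusts dst's tree root
        path.append(down[-1])
    path.extend(reversed(down[:-1]))  # then walk down dst's tree
    return path


if __name__ == "__main__":
    for root, members in trees(SAMPLE_DOMAINS).items():
        print(f"tree {root}: {', '.join(members)}")
    print("problems:", validate_forest(SAMPLE_DOMAINS, SAMPLE_FOREST_ROOT) or "none")
    print(" -> ".join(trust_path("design.emea.corp.contoso.com", "sales.nwtraders.com",
                                 SAMPLE_DOMAINS, SAMPLE_FOREST_ROOT)))
```

Run it as a script to list the trees and the five-domain path from design.emea.corp.contoso.com to sales.nwtraders.com; a name whose parent label is absent from the list (for example a domain added under an unregistered single-label name) shows up as its own tree root and is reported by validate_forest.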

Evaluating the Domain Design

Topic Objective
To describe how to evaluate a domain design by comparing it to the physical topology of the network.

Lead-in
After completing the initial domain design, it is important to evaluate the design by determining how well the proposed domain structure will work with the existing physical topology of your network.

To Evaluate the Design of the Domain Structure:
! Obtain or create a map of the network topology
# Documents physical network at each location
# Use it to compare the network to the domain structure
! Assess user authentication and queries
# Determine if domain controller is located near users
# Determine if authentication over WAN is acceptable
! Assess object availability to users
# Determine if objects are relevant to users
# Determine if wide scope is acceptable use of bandwidth


Key Points
When evaluating the domain design, assume that at least one domain controller will reside in each physical location.
You will have to create a separate domain for any location that is connected to the network only by SMTP mail. Mail-based replication cannot be used between domain controllers in the same domain because SMTP cannot replicate the domain directory partition.

After completing the design of the logical domain structure, it is important to validate the design by determining how well the logical structure will work with the existing physical network. To evaluate the design of the domain structure, perform the following three tasks:
1. Obtain or create a map of the physical network.
By documenting the physical network, you can compare the logical domain structure to the physical network to assess how well the physical network supports the proposed design of the domain structure.
A map of the physical network should include the following information:
• Each physical location in the organization. When evaluating the domain design, assume that at least one domain controller will reside in each physical location.
• The number of users at each location.
• The speed and type of each network connection between each physical location.
• Any Simple Mail Transfer Protocol (SMTP) connection. Identify any location that has an unreliable connection or that has no physical connection to the network and can be reached only by SMTP mail.

Important You will have to create a separate domain for any location that is connected to the network only by SMTP mail. Mail-based replication cannot be used between domain controllers in the same domain because SMTP cannot replicate the domain directory partition.

2. Assess user authentication and user queries of Active Directory.
Identifying the physical proximity of users and domain controllers on the network will help you determine how well the domain design supports user authentication and Active Directory queries. The quality of performance for user logons and Active Directory queries is based on the speed of the connection between users and domain controllers.
When you compare the domain design to the map of the physical network, evaluate the following:
• Is a domain controller located near users? If so, will it be able to reliably authenticate user logon requests and answer other directory service queries?
• If a domain controller in the same physical vicinity cannot authenticate users, is it acceptable for users to be authenticated over a WAN link by a domain controller in a different physical location?
Also, you will have to determine if it is acceptable if authentication fails because a WAN link is down.
3. Assess the availability of Active Directory objects to users.
By examining which domains encompass which physical locations, you can
determine if the Active Directory objects that will be replicated to each
location are relevant to users. When you compare the domain design to the
map of the physical network, evaluate the following:
• Are objects in the domain replicated to the locations where they are the
most relevant?
• If objects are replicated to locations where they are rarely used, then is it
a security issue to make objects available to users who do not need
them?
• Is making these objects available in locations where they are not used an
unacceptable use of available bandwidth?
The goal of domains is to partition the forest so that physical copies of
directory objects (which are contained in the domain directory partition) are
physically located near the users that need those objects (for example, user
accounts, computer accounts, and groups). In other words, these objects
need to be on domain controllers located in the same site as the user.
If objects are not in close proximity to users, then it is possible that users
will have to access objects in a different domain. If this is the case, then you
should re-evaluate the domain design so that users and the objects they need
to access often are located in the same domain.
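The three evaluation tasks above can be turned into mechanical checks. The following Python script is an added example (not course material): it takes a physical network map and a proposed domain assignment and reports where an SMTP-only location shares a domain, where users with no local domain controller would log on over a weak or unreliable WAN link, and where a domain partition would replicate over a heavily used link. The location figures (users, link speed, usage, reliability) are taken from the Lab A table later in this module; the domain names, the domain and domain-controller assignment, and the two thresholds are assumptions made for this example.

```python
"""Evaluate a proposed domain structure against the physical network map.

Added example, not course material. It encodes the three evaluation tasks from
the text: an SMTP-only location needs its own domain because the domain
partition cannot replicate over mail; users with no local domain controller log
on over the WAN, which is flagged when the link is unreliable or leaves too
little bandwidth per user; and a domain partition pulled over a heavily used
link is called out for site-based replication scheduling. The location figures
come from the Lab A table; the domain names, domain assignment and thresholds
are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Location:
    name: str
    users: int
    link_kbps: float             # WAN link speed
    utilization: float           # average bandwidth usage, 0.0 to 1.0
    reliability: str             # "Good", "Average" or "Poor", as in the lab table
    domains: tuple[str, ...]     # domains that have users at this location
    dcs: tuple[str, ...] = ()    # domains with a domain controller on site
    smtp_only: bool = False      # reachable only by SMTP mail


# Thresholds are assumptions for this example, not figures from the course.
MIN_FREE_KBPS_PER_USER = 1.0   # below this, WAN logons are judged unacceptable
HOT_LINK_UTILIZATION = 0.5     # at or above this, schedule replication with sites


def free_kbps(loc: Location) -> float:
    """Bandwidth left on the WAN link after average usage."""
    return loc.link_kbps * (1.0 - loc.utilization)


def evaluate(locations: list[Location]) -> list[str]:
    """Apply the three evaluation tasks; an empty list means the design holds up."""
    findings: list[str] = []
    for loc in locations:
        for domain in loc.domains:
            others = [site.name for site in locations
                      if site is not loc and (domain in site.domains or domain in site.dcs)]
            # Task 1: mail-only sites cannot replicate a domain partition, so the
            # domain at such a site must not span any other location.
            if loc.smtp_only and others:
                findings.append(f"{loc.name}: SMTP-only location shares {domain} with "
                                f"{', '.join(others)}; it needs a separate domain")
            # Task 2: no local DC means logons and queries cross the WAN.
            if domain not in loc.dcs:
                per_user = free_kbps(loc) / max(loc.users, 1)
                if loc.smtp_only:
                    findings.append(f"{loc.name}: no domain controller for {domain} and "
                                    f"no IP path to one; logons cannot be served")
                elif loc.reliability == "Poor" or per_user < MIN_FREE_KBPS_PER_USER:
                    findings.append(f"{loc.name}: {loc.users} users of {domain} log on over a "
                                    f"{loc.link_kbps:g} Kbps link ({loc.reliability}, "
                                    f"{free_kbps(loc):g} Kbps free); place a domain controller on site")
        # Task 3: a DC here replicates the whole domain partition over this link.
        for domain in loc.dcs:
            peers = [site.name for site in locations if site is not loc and domain in site.dcs]
            if peers and loc.utilization >= HOT_LINK_UTILIZATION:
                findings.append(f"{loc.name}: {domain} partition replicates over a link at "
                                f"{loc.utilization:.0%} utilization; use sites to schedule replication")
    return findings


# Assumed domain names for the design (constructed, not from the course).
ROOT, CORP, DESIGN, NWT = ("contoso.com", "corp.contoso.com",
                           "design.corp.contoso.com", "nwtraders.com")

# First-cut design: figures from the Lab A table, one domain per business need,
# domain controllers only at Uppsala, Oslo and Charlotte.
PROPOSED_DESIGN = [
    Location("Uppsala", 7000, 44736.0, 0.30, "Good", (CORP, DESIGN), dcs=(ROOT, CORP, DESIGN)),
    Location("Oslo", 4000, 1544.0, 0.50, "Good", (CORP,), dcs=(CORP,)),
    Location("Sundsvall", 50, 56.0, 0.30, "Poor", (CORP,), smtp_only=True),
    Location("Wilmington", 500, 128.0, 0.70, "Average", (DESIGN,)),
    Location("Durham", 10, 64.0, 0.10, "Good", (CORP,)),
    Location("Charlotte", 100, 64.0, 0.20, "Good", (NWT,), dcs=(NWT,)),
]


def revise(design: list[Location]) -> list[Location]:
    """Apply the Lab A answers: Sundsvall becomes its own domain with a local DC,
    and the Design domain gets a domain controller at Wilmington."""
    fixes = {
        "Sundsvall": lambda site: replace(site, domains=("sundsvall.contoso.com",),
                                          dcs=("sundsvall.contoso.com",)),
        "Wilmington": lambda site: replace(site, dcs=(DESIGN,)),
    }
    return [fixes.get(site.name, lambda s: s)(site) for site in design]


if __name__ == "__main__":
    for label, design in (("proposed", PROPOSED_DESIGN), ("revised", revise(PROPOSED_DESIGN))):
        print(f"--- {label} design ---")
        for line in evaluate(design) or ["no findings"]:
            print(line)
```

The proposed design yields four findings (Oslo replication, Sundsvall twice, Wilmington logons); after the revision only the two replication findings at Oslo and Wilmington remain, which is what the lab answers address with sites rather than with more domains. Durham passes the logon check because its dial-on-demand link serves only ten users; change MIN_FREE_KBPS_PER_USER to see how sensitive that judgement is.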

Modifying the Domain Structure After Deployment

Topic Objective
To describe issues related to modifying the domain structure after it is deployed.

Lead-in
The domain structure is difficult to restructure after it has been deployed.

! Removing Existing Domains
# Must remove child domains first
# Demote domain controllers to delete the domain
! Merging and Splitting Domains
# Cannot merge two domains or split a domain into two domains in a single operation
# The Active Directory Migration Tool and third-party tools simplify the merging and splitting of domains
! Renaming Domains
# Domains can be renamed in Windows .NET
# The process for domain rename is disruptive; best to plan for stable domain names


Key Points
Windows .NET supports the renaming of domains and of domain controllers.
Design the domain structure carefully to avoid creating domains that are based on an unstable or short-lived organizational structure.

Currently in Windows .NET, it is extremely difficult and expensive to change the Active Directory domain structure after it is deployed. Although adding domains is easy to do, removing, merging, splitting, and renaming existing domains requires a significant amount of time and administrative resources.
If you do not develop a well-designed domain structure, you may need to modify the domain structure after it has been deployed. Therefore, it is important to carefully design the domain structure to avoid creating domains that are based on an unstable or short-lived organizational structure. In other words, strive to build as much flexibility and scalability into the domain structure design as possible.
The following list describes some of the tasks involved in changing the domain
structure:
! Removing existing domains
You cannot remove a domain from a forest if the domain has child domains.
A domain can only be removed from the forest if it has no child domains.
Before you remove a domain from a forest, you must demote all of the
domain controllers. Demoting all of the domain controllers deletes all of the
information that was stored in the domain.
! Merging and splitting domains
Windows .NET does not provide the means to split a domain into two
domains or to merge two domains into one domain in a single operation. It
is possible to split a domain by adding an empty domain to the forest and
then moving objects into that domain from other domains. In the same way,
it is possible to merge one domain with another domain by moving all of the
objects from the source domain into the target domain.
Active Directory Migration Tool (ADMT) and third-party tools simplify the
process of merging and splitting domains.

! Renaming domains
Although it is possible to change domain names in Windows .NET, the
process for doing this is disruptive to the directory services environment and
should not be undertaken without careful consideration of the consequences.
It is recommended that you still make every effort to get the domain
namespace correct the first time.
Domain rename does not update the fully qualified domain name (FQDN)
of the domain controller for the renamed domain. Renaming domain
controllers is available as a separate process in Windows .NET. If you do
rename a domain, it is recommended that you also rename the domain
controllers. As with renaming a domain, this is a disruptive process because
all domain controllers that are renamed must be restarted to complete this
process.

Note Although you can add new domains to a forest, you cannot move existing
domains between forests without performing a significant amount of
administrative work.

Demonstration: Visio Professional 2002

Topic Objective
To demonstrate Visio Professional 2002.

Lead-in
Before we get started on the lab where you will design a domain structure, let me demonstrate Visio Professional 2002, which you may want to use in the remaining labs to diagram your Active Directory design solution.


Microsoft Visio® Professional 2002 is a drag-and-drop drawing tool that you
can use to document the components of an Active Directory design.

Note You can use Visio to export an Active Directory design drawing created
in Visio to a Lightweight Directory Access Protocol (LDAP) Data Interchange
Format (LDIF) file that can, in turn, be imported into an Active Directory
deployment.

Lab A: Designing a Domain Structure

Topic Objective
To introduce the lab.

Lead-in
In this lab, you will design a domain structure based on the business requirements of a fictional organization.

Explain the lab objectives.

For Your Information
A proposed solution diagram, called DomainLab.vsd, is included in the StudentCD folder on the Trainer Materials compact disc.
A real top-level DNS domain (.com) is being used in this module for illustrative purposes only. Expect other Microsoft Official Curriculum (MOC) courses to continue to use a fictitious top-level domain (such as .msft).

Objectives
After completing this lab, you will be able to:
! Determine the number of domains in a forest.
! Determine the design of the forest root domain.
! Design a domain hierarchy.
! Evaluate the domain structure design.

Scenario
Contoso, Ltd. is a medium-sized home furnishings company headquartered in Uppsala, Sweden; their Internet presence is Contoso.com. They design and manufacture their own home furnishings and furniture for the luxury marketplace. They have primarily done business in Sweden and Norway, but they recently opened facilities in the United States (U.S.). They hope to expand even more in the U.S. and Canada in the future.
The Contoso, Ltd. headquarters is located in Uppsala. There is a regional office in Oslo, Norway and a retail site in Sundsvall, Sweden. U.S. operations are based in Wilmington, North Carolina (N.C.). The Wilmington offices are capable of accommodating 5,000 employees, and Contoso, Ltd. hopes to expand to that size within the year. There is a branch sales office in Durham, N.C. that does not have server computers.
Contoso, Ltd. also recently acquired a competitor in Charlotte, N.C. called Northwind Traders. The Northwind Traders location has been included in the Contoso, Ltd. wide area network (WAN). Northwind Traders will continue to do business under its current name and will maintain its Internet presence at nwtraders.com. The current plan is to keep the Northwind Traders management team in place and let them continue to run the business independently. Some of the IT functions will be centralized at Contoso, Ltd. headquarters, but there will be an IT department that remains in Charlotte to manage the Northwind Traders computing environment.
The Design vice president in Uppsala has moved to Wilmington to help form the Design department in the U.S. The Design department in the U.S. will work closely with the Design department in Uppsala, and they will probably work together on many projects. This will require frequent travel between Sweden and the U.S. for designers who lead projects on their respective teams. The Design department in the U.S. will use a large number of contractors who come and go with each new project, so the Design management team wants to make sure that the Design department user account passwords are more secure than the normal Contoso, Ltd. user account passwords. Many attempts were made to try to consolidate these security requirements into one company security policy, but this failed.
The Oslo regional office was a competitor until Contoso, Ltd. purchased them a
year ago. The competitor’s chief executive officer (CEO) was retained and
made a Contoso, Ltd. vice president. He was allowed to maintain some of his
management staff at the Oslo location. For political reasons, the Oslo vice
president asked to be allowed to maintain full autonomy with the Oslo office IT
staff and computing policies. Headquarters did not allow this, but the Oslo
location was told that they would be given the ability to administer some of
their resources locally. Oslo would have to operate under the ultimate authority
of the corporate IT department. The Oslo location management agreed to this.
Within Contoso, Ltd.’s expansion plan was the decision to deploy
Windows .NET throughout the organization. They have already made the
decision to use a single forest. They now need your help to decide how to best
partition the forest into domains.

After consulting with the LAN (Local Area Network) administrators and WAN
(Wide Area Network) administrators, you were given the following table and
network diagram.

Location     Function                  Employees  WAN link speed                          Bandwidth usage (average)  WAN link reliability  WAN link availability
Uppsala      Corporate headquarters    7,000      T3 - 44.736 megabits per second (Mbps)  30%                        Good                  Anytime
Oslo         Regional office           4,000      T1 - 1.544 Mbps                         50%                        Good                  Heavy business usage during business day (9:00 A.M. – 5:00 P.M.)
Sundsvall    Retail                    50         56 kilobits per second (Kbps)           30%                        Poor                  Anytime
Wilmington   U.S. operations           500        128 Kbps                                70%                        Average               Heavy business usage (24 hours)
Durham       Branch sales              10         64 Kbps dial on demand                  10%                        Good                  Anytime
Charlotte    Northwind Traders office  100        64 Kbps                                 20%                        Good                  Anytime

[Network diagram: Uppsala, Sweden (100 Mbps LAN) connects to the WAN over a T3 (44.736 Mbps); Wilmington, NC (100 Mbps LAN) over Frame Relay at 128 Kbps; Oslo, Norway (10 Mbps LAN) over a T1 (1.544 Mbps); Sundsvall, Sweden (10 Mbps LAN) over a 56 Kbps link; Northwind Traders, Charlotte, NC (10 Mbps LAN) over a 64 Kbps link; Durham, NC (10 Mbps LAN) over a 64 Kbps dial-on-demand link.]

Estimated time to complete this lab: 60 minutes



Exercise 1
Determining the Number of Domains
Help the students divide into teams. The number of students in the group can vary, depending on the number of students in the class. For example, a class of 20 students could be divided into teams of four.

You must help to determine how many domains Contoso, Ltd. needs. Divide into teams with the help of your instructor. Read through the scenario, examine the Contoso, Ltd. network as a team, and then work as a team to answer the questions. As you answer the questions, draw a diagram to keep track of your domain design. Elect a representative to discuss your team’s design rationale with the other teams.
Start with a single domain, and examine the administrative, security, and replication requirements to help you determine if any additional domains will be needed to meet the needs of Contoso, Ltd.

! To determine administrative requirements
Students will most likely come up with domain names that differ from those in the proposed solution diagram. The names of the domains are not as important as the reasons that students give for why the domains were created.

• Based on the information provided in the scenario and on the network diagram and table, are there any autonomous administrative units, political issues, or legal issues that would warrant adding additional domains? Explain.
Yes. The Northwind Traders business will be run and administered autonomously, so, for mostly political reasons, they could be allowed to maintain their own domain in the Active Directory structure.

! To determine security requirements
• Based on the information provided in the scenario and on the network diagram and table, are there any account policies that would warrant adding additional domains? Explain.
Yes. The Design management team would like to make their user account passwords more secure than the normal Contoso, Ltd. accounts. An agreement over the password policy could have avoided the need for another domain, but since this was not possible, a separate domain can be created to satisfy this requirement.

! To determine replication requirements
• Based on the information provided in the scenario and on the network diagram and table, are there any bandwidth or object availability issues that would warrant adding additional domains? Explain.
No, although the Wilmington location has a WAN connection that is heavily used day and night, and it uses 70 percent of the available bandwidth. This should probably be addressed through the use of sites.

Exercise 2
Determining the Design of the Forest Root Domain
You may want to check the students’ progress after this exercise to make sure they are progressing satisfactorily.

Now your team must determine the forest root domain for Contoso, Ltd. After answering the questions, draw your forest root domain on your diagram.
1. Examine your domain design so far. Would you create a domain to use as a dedicated forest root or would you use a non-dedicated forest root? What are the trade-offs for your suggested design?
Create a dedicated forest root domain. With a dedicated forest root, a very small group of people will have forest-wide authority. The design will be more flexible should any domain additions or deletions to the forest happen in the future. However, the use of a dedicated forest root domain will require additional hardware for the domain controllers necessary to support that domain.
2. If you decide to use a dedicated forest root domain, where would user accounts, groups, and other security principals be located?
Security principals would be located in an additional domain other than the dedicated forest root domain. This domain could be created as a child domain of the forest root domain.
3. Update your diagram to reflect your previous answers. The instructor may check your progress at this point, so be prepared to discuss your answers.

Exercise 3
Designing a Domain Hierarchy
Now your team can create a domain hierarchy diagram for the Contoso, Ltd.
Active Directory.

! To create a domain hierarchy


1. Assign your domains a fully qualified DNS name to reflect the domain
hierarchy.
2. On your diagram, indicate fully-qualified domain names for your domains.
3. Create a second page on your domain diagram (if you are using Visio, click
Insert and select Page), and draw your domains showing the hierarchical
relationship between the domains.

Exercise 4
Evaluating the Domain Structure Design
Now your team must validate your design by determining how well the logical structure will work with the existing physical network.
As you examine your logical structure with the physical network, you may discover that additional domains, or additional domain controllers from an existing domain, need to be added. If this is the case, add these to your domain diagram.

! To assess your network topology map
1. Examine the network diagram and table. What are the most heavily used links on the Contoso, Ltd. WAN?
The link at Oslo uses 50 percent of its bandwidth and is heavily used during business hours, and the link at Wilmington uses 70 percent of the available bandwidth and is heavily used for business day and night.
2. What location appears to have the best connection on the WAN?
The Uppsala link, with 44.736 Mbps and 30 percent usage.

! To assess user authentication
1. What location would appear to be the most logical to locate the forest root domain? Look for a location with good network connectivity, numerous users, centrally located, and so on.
Uppsala. It is the headquarters, it has the best WAN connectivity, and it has the most users.
2. Place your forest root domain controller at this location.
3. Place additional domain controllers for any additional domains required at the above location.
4. Examine the users at the Wilmington location. What department will be located at both Uppsala and Wilmington?
The Design department.

5. Would you trust the link at Wilmington to authenticate the users of this department in a reasonable amount of time? Explain.
No. The network link is heavily used day and night, it has only 30 percent of its bandwidth available, and it is only a 128-Kbps link.
If not, place an additional domain controller for this domain at the Wilmington location.
6. Examine the Durham location. Would you place a domain controller at this location? Explain.
No. Durham is a small branch office with no server computers. Users can authenticate over the dial-on-demand link or use cached credentials if the link is unavailable.
7. Confirm that your domain diagram shows domain controller placement according to your answers.

! To assess replication
1. The two most heavily used network connections are located at Oslo and Wilmington. What could be done, as an alternative to creating multiple domains, to minimize the impact of domain partition replication traffic at those two locations?
You could use sites to try to schedule replication during the least busy times on those network links.
2. Examine the Sundsvall location. Notice the WAN link reliability. What replication transport should be used at this location? Explain.
SMTP should be used, because it is the best choice for an unreliable connection.
3. Can Sundsvall be included in one of the existing domains? Explain.
No. Locations using SMTP for replication have to be in a separate domain. Mail-based replication cannot be used between domain controllers of the same domain.
4. Update your diagrams based on your answers.

Lab Discussion: Designing a Domain Structure

Topic Objective
To discuss the proposed domain structure design plan that students developed during the lab.

Lead-in
Let’s discuss as a group the domain structure design that you determined during the lab.

Lead students in an interactive class discussion. Students should discuss their answers to the lab questions and present their domain structure designs.

During this discussion, you will present your domain structure design solutions to the class and discuss the answers to the lab questions.

Best Practices

Topic Objective
To outline best practices for creating a domain plan.

Lead-in
Consider these best practices for creating a domain plan.

! Design for the least flexible business requirements first
! Start with a single domain
! Use a dedicated domain for the forest root domain
! Use Group Policy to enforce strong password requirements
! Use Group Policy to restrict the membership of built-in groups


Consider the following best practices for creating a domain plan:
! Design the domain structure for the least flexible business requirements
first.
When designing the domain structure, first consider the business
requirements that are the least likely to change. These include elements of
the existing infrastructure, such as the structure of the physical network, the
geographic locations of the organization, and the politics of the
organization. Because it is unlikely that you will be able to modify any of
these requirements, start your design process assuming that these factors are
fixed.
! Start with a single domain when determining the number of domains in each
forest.
Start with a single domain and make sure that every additional domain has a
specific purpose before you create it and add it to the forest. This will help
you minimize the cost and administrative overhead involved in creating
additional domains.
! Use a dedicated domain as the forest root domain, if possible.
For large organizations, a dedicated forest root domain provides the most
flexibility for future growth and provides a secure way to manage the
membership of the powerful, enterprise-wide built-in groups.
! Use Group Policy security settings to enforce strong password requirements
for a dedicated forest root domain.
Because enterprise administrators will be the only users with accounts in a
dedicated forest root domain, use the account policy settings in Group
Policy to set strong password and account lockout settings. This will help to
protect the forest root domain from unauthorized access.
! Use Group Policy security settings to restrict the membership of built-in
groups in the forest root domain.
Use the Restricted Groups policy settings in Group Policy to manage and
restrict the membership of built-in administrative groups (such as Enterprise
Admins, Domain Admins, and Schema Admins). When you add groups—
and their membership information—Group Policy enforces the membership
of these groups and will not allow local variations on different computers.
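As an added example that is not part of the course text, the following Python script audits an exported security template against the last two best practices: strong account policy in the dedicated forest root domain, and Restricted Groups enforcement for Enterprise Admins, Domain Admins and Schema Admins. The sample template is constructed (group names stand in for the SIDs a real `secedit /export` carries), and the numeric thresholds are assumed baseline values rather than figures from the module.

```python
"""Audit a secedit-style template export against the forest root domain
best practices above (added example; thresholds are assumed baseline values)."""
import configparser

# Constructed sample shaped like `secedit /export` output; group names stand
# in for the SIDs a real export carries.
SAMPLE_TEMPLATE = """
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 0
[Group Membership]
Enterprise Admins__Members = ROOT\\EA-Staff
Enterprise Admins__Memberof =
Schema Admins__Members =
"""

# Assumed account-policy baseline: (key, passes, description).
CHECKS = [
    ("MinimumPasswordLength", lambda v: v >= 14, "minimum length below 14"),
    ("PasswordComplexity", lambda v: v == 1, "complexity not enforced"),
    ("PasswordHistorySize", lambda v: v >= 24, "history shorter than 24"),
    ("LockoutBadCount", lambda v: 1 <= v <= 5, "lockout off or threshold above 5"),
]
# Built-in groups whose membership Restricted Groups should pin down.
RESTRICTED_GROUPS = ("Enterprise Admins", "Domain Admins", "Schema Admins")

def parse_template(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so group names match exactly
    cp.read_string(text)
    return cp

def audit(text):
    """Return a list of findings; an empty list means the template passes."""
    cp = parse_template(text)
    findings = []
    access = cp["System Access"] if cp.has_section("System Access") else {}
    for key, passes, description in CHECKS:
        raw = access.get(key)
        if raw is None:
            findings.append(f"{key}: not set")
        elif not passes(int(raw)):
            findings.append(f"{key}={raw}: {description}")
    groups = cp["Group Membership"] if cp.has_section("Group Membership") else {}
    for group in RESTRICTED_GROUPS:
        if f"{group}__Members" not in groups:
            findings.append(f"{group}: membership not enforced by Restricted Groups")
    return findings
```

Running `audit(SAMPLE_TEMPLATE)` reports the weak minimum length, disabled complexity and disabled lockout, plus the missing Restricted Groups entry for Domain Admins.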

Review
Topic Objective
To reinforce module objectives by reviewing key points.
Lead-in
The review questions cover some of the key concepts taught in the module.

! Introduction to Designing a Domain Structure
! Collecting Organizational Information
! Determining the Number of Domains
! Determining the Design of the Forest Root Domain
! Determining a Domain Hierarchy
! Evaluating the Domain Design
! Modifying the Domain Structure After Deployment
! Best Practices

1. List the steps used to design a domain structure.
1. Collect organizational information.
2. Determine the number of domains.
3. Determine the design of the forest root domain.
4. Design the domain hierarchy.
5. Evaluate the domain structure design.

2. What characteristic of Active Directory replication should you consider
when designing the domain structure?
The scope of object availability. Because all domain controllers have a
copy of all objects that reside in the domain, it is possible that objects
will be replicated to physical locations where the objects are rarely
used.
3. What are the costs that are associated with adding additional domains?
• More domain administrators and the need to perform redundant
administrative tasks in each domain.
• Additional domain controller hardware.
• More communication is required between domain controllers in
different domains; this situation creates a greater chance for points
of failure between domain controllers.
• Increased probability of needing to move security principals
between domains.
4. What are the advantages and disadvantages of using a dedicated forest root
domain?
The advantages are:
• Limits the number of administrators that can make forest-wide
changes.
• Allows domain controllers in the forest root domain to be quickly
backed up and restored.
• Functions as the parent for all top-level child domains.
• Mitigates the risk of the forest root domain becoming obsolete.

The disadvantages are:
• Requires one additional domain.
• Requires additional domain controllers; for redundancy and fault-
tolerance, a forest root domain should have a minimum of two
domain controllers.
5. When would you consider creating more than one tree in your forest?
For an organization that requires multiple Active Directory
namespaces. For example, if a division in your organization has its own
registered DNS name and runs its own DNS servers.

6. What are the three tasks that you perform when evaluating a domain
structure design?
1. Obtain or create a map of the physical network and then compare
the logical domain structure to the physical network to assess how well
the physical network supports the proposed design of the domain
structure.
2. Assess user authentication and user queries of Active Directory to
determine how well the domain design supports user authentication and
Active Directory queries. It is the physical proximity of users and
domain controllers on the network that will help you determine how
well the domain design supports user authentication and Active
Directory queries.
3. Assess the availability of Active Directory objects to users. By
examining which domains encompass which physical locations, you can
determine if the Active Directory objects that will be replicated to each
location are relevant to users.