
Document: Active Directory Installation and Deployment (ppt)


DOCUMENT INFORMATION

Basic information

Title: Active Directory Installation and Deployment
Subject: Information Technology
Type: Chapter
Year published: 2000
City: Millennium City
Pages: 28
Size: 266.8 KB


Contents


Active Directory Installation and Deployment

This chapter deploys an Active Directory infrastructure. Working from the deployment plan blueprint described in this chapter, you will be able to identify and modify the elements of the deployment plan that will suit your configuration. You can make changes as you need, be it a solution for a small network or a WAN connecting multiple domain controllers and an extensive Active Directory tree.

Getting Ready to Deploy

This chapter takes you through the actual installation of the domain controllers for an Active Directory domain. We will be using our fictitious city, Millennium City (MCITY), as the demo.

So far, we have put several structures into place according to the blueprint we will discuss next. You may take this blueprint and deployment plan and use it as a template for your own project, expanding or cutting and pasting to and from it as you need, or just use the examples to establish your own strategy.

The text in this chapter is abridged, and a more detailed plan is available in PDF format on the accompanying CD. If the plan appears to be a real-life example, that’s because it is. This Windows 2000 network and namespace have actually been deployed.

What we espouse here is not the gospel on Active Directory deployment by any means. It works for our environment, situation, and the diversity of our demo organization. Smaller companies may find it too expensive to implement some of our suggestions; others may garner some deep insight. Our purpose is to show a rich implementation.


While Millennium City is a fictitious city (modeled on the organizational chart of a real U.S. city), the following deployment plan was executed and actual domain controllers were set up across a simulated WAN in a test environment. We also upgraded a large Windows NT Primary Domain Controller (PDC) containing several hundred accounts from a live domain, and joined it to the MCITY namespace and the GENESIS forest as part of a live pilot project involving actual users.

Millennium City Active Directory Deployment Plan

The MCITY deployment plan consists of several phases. These phases are described in the plan according to the following contents:

A. Executive Summary

B. Deployment Phases

Phase I: Install and Test Root Active Directory Domain

Phase II: Install and Test Child Active Directory Domains

Phase III: Create Organizational Units

Phase IV: Create Groups and Users (Chapter 10)

Phase V: Establish and Implement Security Policy (Chapter 11)

Phase VI: Establish Trusts with Windows NT Domains or Domains in Other Forests (Chapter 11)

Phase VII: Establish Workplace Management Policy (Chapter 11)

Phases IV, V, VI and VII are not included in the actual plan components discussed in this chapter; they relate to Chapters 10 and 11. After consulting these chapters, and with practice, you can extend this plan with these latter phases according to your specific needs.

Executive Summary

The following summary describes the deployment specifics for the GENESIS forest on the MCITY.ORG and GENESIS.MCITY.ORG namespaces (see the MCITY logical structure in Chapter 7).

MCITY Network

The MCITY network (MCITYNET) is managed in the Department of Technology and Telecommunications (DITT). The backbone at DITT connects to a bank of Cisco 4000 series routers that connect MCITYNET to an ATM backbone. The routers and physical network are provided by and managed by a major long-distance provider that offers managed network services (MNS). MCITYNET comprises both the Internet services required by the city and the private wide area network (WAN) and intranet, known as the GENESIS network.

DITT connects to the CITYHALL and MCPD over a dedicated IP network, and to smaller departments over an MNS T1 network. Several locations are connected on smaller pipes from 64 Kbps to 250 Kbps, and so on. The configuration of the GENESIS segment of MCITYNET is outlined in Table 9-1, and also illustrated in Figure 8-7 in Chapter 8.

Table 9-1
Genesis Network Configuration

Location: Genesis
  Subnet: 100.10.0.0
  DHCP scope: 100.10.2.1 to 100.10.2.254
  Domain controllers (reserved names): MCDC00 to MCDC09
  Sites: GEN-ST00 to GEN-ST09 (JKIJS09K87)

Location: Cityhall
  Subnet: 100.45.0.0
  DHCP scope: 100.45.2.1 to 100.45.5.254
  Domain controllers (reserved names): MCDC10 to MCDC49
  Sites: CH-ST00 to CH-ST09 (J98KIJD654)

Location: DITT
  Subnet: 100.50.0.0
  DHCP scope: 100.50.2.1 to 100.50.5.254
  Domain controllers (reserved names): MCDC50 to MCDC69
  Sites: DITT-ST00 to DITT-ST09 (JKP09KLJ)

Location: MCPD
  Subnet: 100.70.0.0
  DHCP scope: 100.70.2.1 to 100.70.254.254
  Domain controllers (reserved names): MCDC70 to MCDC129
  Sites: MCPD-ST00 to MCPD-ST40 (JKDOP843D)

The GENESIS Domain

The root Active Directory (AD) domain and the forest for Millennium City will be called GENESIS. The forest is also called GENESIS because Active Directory forces the forest to take its name from the root domain. After several months of extensive research and testing of Microsoft’s Active Directory services on Windows 2000 Server, the Millennium City Windows 2000 testing team have come to a decision on how to best deploy Active Directory services.

It has been decided that for an organization the size of Millennium City, the root domain of the organization’s Active Directory namespace needs to be a secure domain accessible only by a small group of senior administrators. These administrators will have the organization’s highest security clearance. There will be no user accounts in the domain outside of the core administrators, and no active workplace management — other than what is needed for security, domain controller (DC) lockdown, and to protect and administer in this domain — will be put into place. There are several reasons for the need to establish such a domain.

First, the root domain in any large organization is a target for e-terrorists. If the root domain contains many user and computer accounts and a lot of information, the organization could suffer extensive damages if this domain is destroyed either physically (removal or destruction of the DC servers) or by a concerted network attack, or if its data is accessed by unauthorized personnel. Naturally, a small concern might not need such a “bastion” root domain, but any large enterprise should seriously consider it.

Second, all MCITY first-, second-, and third-level domains are extensively populated by user and computer accounts (security principals) and many groups (see Figure 8-7 in the previous chapter, which identifies the levels on the GENESIS domain tree). There are also numerous OUs in these domains and thus many administrators at various levels of the domain’s OU hierarchy. We thus deemed it necessary to establish a root domain with no more than a handful (preferably no more than five) administrators who by virtue of having accounts in the root domain would have the widest authority over the city’s namespace, starting from GENESIS down. (This security policy is discussed in Chapter 11.)

Third, the root domain is critical to the city. It might be feasible — if Microsoft makes it possible — in the future to disconnect the root domain from the rest of the domain tree, and graft the tree to another root. However, at present it is not, and losing the domain root would result in the loss of the entire domain tree, taking with it all levels subordinate to the root, in fact everything on the tree. To thus protect the root domain, we will establish partner DCs of the root domain at several remote locations, primarily for redundancy and to locate the root domain over a wide area. These locations will initially be as follows (see Figure 8-7 in Chapter 8):

✦ Location 1: DITT’s Network Operations Center (NOC)

✦ Location 2: City Hall’s Network Operations Center

✦ Location 3: MCPD (Police Department) Network Operations Center

The lightweight (user accounts) nature of the root domain, which in addition to the built-in accounts only contains a handful of users, makes it easier to replicate its databases around the enterprise. (See Chapter 8 for more detailed discussion of replication topology.)

Finally, the root domain controller is also our Schema Operations Master and Domain Naming Operations Master for the forest and holds the master schema and other naming contexts that affect the enterprise as a whole, such as the global catalog (GC), that can only be changed on the operations master.

The Schema Operations Master is where all schema updates will be performed, and the Domain Naming Operations Master is where we can make changes to the domain namespace on an enterprise-wide basis.

Physical location of GENESIS

The GENESIS domain’s first and second DCs will be secured in the main server room of DITT’s network operations center (NOC). These DCs will not be attended to by DITT’s operators, but instead will be administered by the GENESIS administrators.

As stated earlier, GENESIS DCs will also be placed in MCPD and CITYHALL, supported by reliable, high-bandwidth pipes.

Although it is important to locate the GENESIS root DC in a secure location, it is also important to make the services of the GENESIS DCs and GC easily available in as many GENESIS locations as possible. This will allow users to obtain the following services without having to contact the DC over many hops on the WAN:

✦ Users should not have to look up the network address of any GENESIS DC, or any DC for that matter.

✦ High availability. The GENESIS DCs need to be in as many places as possible in the city so that the most up-to-date replicas of the GC and other information are nearby.

✦ Reliable query results. Strong and closely located GCs should facilitate rich queries, and users must be able to rely on the currency of the data. They must be able to obtain information on users, groups, and other network services without any interruption in services or lack of data.

Network specifics of GENESIS

The GENESIS domain will be established on a segment of the physical network on which the Department of Technology and Telecommunications (DITT) currently runs. This network currently is supported on a 100Mbps backbone on which the DITT supports its AS/400, UNIX, and Windows NT systems. GENESIS will be established on the same network, but on its own IP subnet. This IP address space is a network supported by Windows 2000 routing services. It can also be supported behind network address translation services (NAT) running on a Windows 2000 role server.

See Chapter 15 for a discussion of Routing and Remote Access (RRAS) and Chapter 12 for a discussion of Network Address Translation.

GENESIS site object specifics

In order to support replication to and from other MCITY domains (inter-site) and between domain controllers belonging to the same domain (intra-site), an Active Directory site will support GENESIS. This site will be named GEN-ST00-JKIJS09K87, as illustrated in Figure 8-7 and Table 9-1. The following DC names have been reserved for this site: MCDC00.GENESIS.MCITY.ORG to MCDC09.GENESIS.MCITY.ORG. The NetBIOS name range of these DCs is MCDC00 to MCDC09.

GENESIS subnet object specifics

The subnet address 100.10.0.0 will be assigned to a subnet object. This subnet object will be associated with the GENESIS site object described previously.

Domain health and security

Two partner DCs will support the domain in the main DC site. The main DC site will also house a copy of the GC for the entire MCITY Active Directory namespace.

The administrators in the GENESIS domain will have administrative authority over the resources in the GENESIS domain. The GENESIS domain also has administrative and security authority over the subordinate domains.

The CITYHALL Domain

The CITYHALL domain is the first of the Windows 2000 populated domains. There will be several hundred user and computer accounts in this domain. This domain will support the accounts and network resources for the Mayor’s office and the various departments that fall directly under the Mayor.

Physical location of CITYHALL

The CITYHALL domain controllers will be located at City Hall and will fall under the authority of the City Hall network administrators who work directly for the Mayor.

We will supply at least two DCs to support the initial deployment of Windows 2000 into City Hall.

Network specifics of CITYHALL

The CITYHALL domain is to be established on the actual network segment assigned to CITYHALL by DITT. This segment is the 100.45.0.0 network. CITYHALL currently is supported on a 100Mbps backbone between the ten floors, and the network is collapsed into a 10Mbps network that services the workstations, printers, and other network devices.

City Hall’s IT department also supports AS/400 systems, CICS on IBM S390, and several technologies supported on UNIX systems, such as Oracle and Informix database management systems.

CITYHALL site object specifics

In order to support replication to and from other MCITY domains and several remote locations that will belong to the CITYHALL domain, an Active Directory site will support CITYHALL. The main site will be named CH-ST00-J98KIJD654. The following DC names have been reserved for this site: MCDC10.CITYHALL.GENESIS.MCITY.ORG to MCDC50.CITYHALL.GENESIS.MCITY.ORG. The NetBIOS name range of these DCs is MCDC10 to MCDC50.

CITYHALL subnet object specifics

The subnet address 100.45.0.0 will be assigned to a subnet object. This subnet object will be associated with the CITYHALL site (CH-ST00-J98KIJD654) object described previously.

Domain health and security

At least three partner or peer DCs will support the CITYHALL domain in the main DC site. We have decided to locate one DC in the secure server room of the floor on which the Mayor’s office is located. The remaining two DCs will be located in the main server room in City Hall’s network operations center (NOC). The DCs will also house copies of the GCs for the entire MCITY Active Directory namespace.

The administrators in the CITYHALL domain will have administrative authority over the resources only in the CITYHALL domain. Some administrators in CITYHALL are also administrators of the GENESIS domain.

The DITT Domain

The DITT domain contains the resources for the Department of Information Technology and Telecommunications. There will be several hundred user and computer accounts in this domain. This domain will support the accounts and network resources for the IT staff and consultants, and the various departments, that fall directly under DITT.

Network specifics of DITT

The DITT domain is to be established on the network segment 100.50.0.0. See Table 9-1 for the configuration specifics of DITT.

The MCPD Domain

The MCPD domain contains the resources for the Millennium City Police Department. According to the configuration, a large number of IP addresses are required for this network. The IP address range in the DHCP scope will support hundreds of workstations, terminals, and other network devices. This domain is the most complex of the four domains, because numerous domain controllers and sites will have to be configured to cover an extensive network connecting the precincts to the commissioner’s offices, the DA’s office, and various law enforcement agencies.

Network specifics of DITT

The MCPD domain is to be established on the network segment 100.70.0.0. See Table 9-1 for the configuration specifics of MCPD.
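The site, subnet and DC name reservations in Table 9-1 and the four domain sections above are exactly the kind of plan that drifts as it is copied between documents (this chapter itself gives the CITYHALL DC range as MCDC10 to MCDC49 in the table and MCDC10 to MCDC50 in the site description, which collides with DITT's MCDC50). The script below is an added example, not part of the chapter or its plan: it encodes Table 9-1 as data and checks that each DHCP scope lies inside its subnet, that no two domains reserve the same MCDCnn name, and that each subnet object maps to one site. The /16 masks are an assumption; the table gives only network addresses.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class DomainPlan:
    """One column of Table 9-1."""
    domain: str
    subnet: str        # network from the table; the /16 mask is an assumption
    dhcp_first: str    # DHCP scope start
    dhcp_last: str     # DHCP scope end
    dc_first: int      # reserved MCDCnn range, first number
    dc_last: int       # reserved MCDCnn range, last number
    site: str          # site object the subnet object is associated with


# Table 9-1 as data (values from the chapter; masks assumed).
PLAN = [
    DomainPlan("GENESIS",  "100.10.0.0/16", "100.10.2.1", "100.10.2.254",    0,   9, "GEN-ST00-JKIJS09K87"),
    DomainPlan("CITYHALL", "100.45.0.0/16", "100.45.2.1", "100.45.5.254",   10,  49, "CH-ST00-J98KIJD654"),
    DomainPlan("DITT",     "100.50.0.0/16", "100.50.2.1", "100.50.5.254",   50,  69, "DITT-ST00-JKP09KLJ"),
    DomainPlan("MCPD",     "100.70.0.0/16", "100.70.2.1", "100.70.254.254", 70, 129, "MCPD-ST00-JKDOP843D"),
]


def dc_names(p):
    """Reserved NetBIOS computer names for one domain, e.g. MCDC10 .. MCDC49."""
    return [f"MCDC{n:02d}" for n in range(p.dc_first, p.dc_last + 1)]


def altered(plan, domain, **changes):
    """Copy of the plan with one domain's fields changed (models plan drift)."""
    return [replace(p, **changes) if p.domain == domain else p for p in plan]


def check_plan(plan):
    """Return the list of inconsistencies found; an empty list means the plan is clean."""
    problems = []
    owner_of_name = {}      # MCDCnn -> domain that reserved it
    site_of_subnet = {}     # ip_network -> site object name
    for p in plan:
        net = ipaddress.ip_network(p.subnet)
        first = ipaddress.ip_address(p.dhcp_first)
        last = ipaddress.ip_address(p.dhcp_last)
        if first > last:
            problems.append(f"{p.domain}: DHCP scope starts at {first} but ends at {last}")
        if first not in net or last not in net:
            problems.append(f"{p.domain}: DHCP scope {first}-{last} is not inside subnet {net}")
        # Every subnet object belongs to exactly one site object.
        if net in site_of_subnet:
            problems.append(f"{p.domain}: subnet {net} already belongs to site {site_of_subnet[net]}")
        site_of_subnet[net] = p.site
        # DC computer names are forest-wide NetBIOS names and must not collide.
        for name in dc_names(p):
            if name in owner_of_name:
                problems.append(f"{p.domain}: DC name {name} already reserved by {owner_of_name[name]}")
            else:
                owner_of_name[name] = p.domain
    # Subnet objects must not overlap, or a DC could be placed in the wrong site.
    nets = list(site_of_subnet)
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    for msg in check_plan(PLAN) or ["Table 9-1 is consistent"]:
        print(msg)
    # The site text gives CITYHALL MCDC10 to MCDC50, which collides with DITT's range.
    for msg in check_plan(altered(PLAN, "CITYHALL", dc_last=50)):
        print(msg)
```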

Install and Test the Active Directory Domain Controllers

There are several deployment phases outlined in this plan. Phase I covers the installation and deployment of the GENESIS, CITYHALL, MCPD, and DITT domains.

Instead of repeating the full installation and deployment of each domain, we will first briefly install the root domain. We will then fully demonstrate the promotion of the CITYHALL domain controller and how it joins the GENESIS domain tree and forest. The other domains will join GENESIS in the same fashion. Each domain will then be administered as a separate entity, while still being covered by any policy that might derive from the root. The root administrators have the highest power of administration over all the domains in the forest.

The following sequence of events describes the creation of all the domain controllers. These activities will take you through machine preparation to final deployment:

1. Install the DC machine

2. Promote the server to domain controller

3. Make the server the root DC or join forest and trees

4. Establish the DC in DNS/WINS

5. Establish the DC in Active Directory site

6. Build initial OUs

7. Delegate OU administration

8. Secure DC further and follow disaster recovery protocol

Install the DC Machine

Follow the procedures described in Chapter 5 or Appendix B for installing Windows 2000 Server. Ensure the machine is stable. The best way to do this is to keep it running for about two weeks. You can use Backup/Restore as discussed in Chapter 5 to “burn in” the machine. After several DCs are all built or acquired on the same hardware configuration, you might consider reducing the burn-in period to several days instead of two weeks. If your machine is still running under load after several weeks, consecutive machines configured on identical hardware will likely run without problems. But a few days of tests are required to be certain.

You do not need to go to the additional expense of using Advanced Server for a domain controller. All Windows 2000 Servers can be promoted to a domain controller. Providing a fail-over service or a cluster for Active Directory is also a waste of resources and money. A fully redundant server will not only be cheaper, it will make for a more secure Active Directory deployment.

of the domain it wants to join


Leave as many services out of the installation as possible. It is worth repeating here that it is better to first get a bare-bones machine running before adding additional services. However, there is one exception, as described next.

Choose a Terminal Services mode

There is one service that we deem to be the most important, and that is Terminal Services (TS). You will have to select TS from the Windows Components dialog box. You do not have to select licensing as well; that is only for application servers.

While choosing services, you will also be asked to choose the mode for TS, so select Remote Administration mode. This will allow you to attach to the machine remotely when it is installed in the new location. The machine can be promoted from the remote location or in the lab, but you should also provide a means to administer it remotely. This is demonstrated shortly. Remote Administration mode, as discussed in Chapter 25, allows up to two concurrent sessions to be used for remote administration without licensing.

Promote to Domain Controller

The steps we take you through in this section demonstrate installing a root domain and a child domain into an existing domain tree. You would perform these same steps to install Active Directory for any new domain controller. The only difference is that you need to choose to create a domain controller according to the choices outlined in Table 9-2. If you are not sure what you need to be installing, you need to do some more preparation and planning. Read the fine print on the dialog boxes until you are sure about your actions, but do not overly concern yourself until the last step because you can always go backwards and forwards in these dialog boxes until you are sure.

Table 9-2
Domain Controller Promotion Choices

Action                                    GENESIS   CITYHALL   DITT   MCPD
DC for a new domain                       Yes       Yes        Yes    Yes
Additional DC for an existing domain      Yes, at any time you need more DCs (all four domains)
Create a new tree                         Yes       No         No     No
Create a new domain in an existing tree   No        Yes        Yes    Yes
Create a new forest                       Yes       No         No     No
Place domain tree in an existing forest   No        N/A        N/A    N/A

The creation of the root DC is the easiest. You just need to follow the instructions to create a new domain and a new domain tree in a new forest. This will essentially be the first Active Directory domain you will create for your enterprise, and it is known as the root domain. We recommend a root domain structure similar to the one created here. Your own “Genesis” domain need not be on an expensive server. In fact, our first GENESIS server was a Pentium 133MHz with 64MB RAM. The replica we show in this chapter is a Pentium Pro 200MHz. We plan to add a super-server DC for GENESIS capable of holding a huge database and taking many thousands of concurrent queries and logon requests.

Before you begin promotion, make sure your server can talk to the network. The server does not necessarily have to send packets out to other machines. Unlike new Windows NT 4.0 Backup Domain Controllers, there is no need to immediately begin synchronization with the primary domain controller (PDC). However, Windows 2000 will not let you promote the server and install Active Directory if it cannot detect that it is attached to a network. Connecting the server to a hub is good enough, even if it is the only server in the hub.

If the server cannot be contacted from the network, you will obviously not be able to promote it remotely, nor will it be able to join the domain tree. We will now begin the promotion of the DCs and the creation of child domains. You will need to take the following steps to complete the promotion:

1. Promote the server using the command DCPROMO or using the Configure Your Server utility. You can use the DCPROMO command from the command prompt, which is quicker and easier if you plan to promote many servers. The Configure utility is illustrated in Figure 9-1. To open the utility, click Start ➪ Programs ➪ Administrative Tools ➪ Configure Your Server.

2. In the Configure Your Server utility, select the Active Directory item in the menu on the left of the dialog box to switch to the Active Directory page. Scroll down and click the hyperlink “Start the Active Directory Wizard.” When the Wizard loads, continue by clicking the Next button.

3. The Domain Controller Type dialog box loads, as shown in Figure 9-2. Make sure to check the option “Domain controller for a new domain.” This is the first DC for the domain GENESIS or CITYHALL or any other new domain. The creation of the root domain from here on is a no-brainer. Without an existing forest or domain tree, you cannot install anything else. So, we will now proceed to install a child domain CITYHALL. Click Next.

Figure 9-1: The Configure Your Server utility

Figure 9-2: Choose domain controller type

4. The Create Tree or Child Domain dialog box loads. Select the option “Create a new child domain in an existing domain tree.” Click Next.

5. The Network Credentials dialog box now loads. Here, you are asked to enter the name of a user account in a domain in the existing forest that has the authority to create the domain and join it to the domain tree. Enter the name and password and click Next. In our case, we entered the name of an administrator with such authority in the GENESIS domain.

6. The Child Domain Installation dialog box now loads. Here, you are asked to enter the parent domain. In the example for MCITY, we will add GENESIS for the parent and CITYHALL for the child domain. The DNS name is automatically constructed, as illustrated in Figure 9-3. You can also browse for the correct domain if more than one already exists. Upon browsing, we find that only one other domain exists: the root GENESIS.MCITY.ORG (so far, so good). Only enter the name of the domain itself and not the entire DNS name, which will be automatically built for you. As illustrated in the example, this can be used as the NetBIOS name for a domain as well. Click Next when you are sure you have entered the right information. If you are unsure, go back and check the deployment plan, which is why you create such things.

Figure 9-3: Naming the child domain

7. The next dialog box to load is the NetBIOS name we just touched on, and the title of the dialog box is “NetBIOS Domain Name.” Choose the default. Check back over previous chapters concerning the choice of names. Domain names should be simple. They need to be accessible to humans, not computers. In this example, we chose the NetBIOS name CITYHALL. Be sure you choose the right name, because you cannot change it after you promote the server. Click Next.

8. The Database and Log Locations dialog box now loads. If you have separate disks, then choose a separate drive letter for the logs, as illustrated in Figure 9-4. This technique is inherited from Microsoft Exchange, which is the foundation for the Active Directory database and replication engines. You will get better performance if you choose two disks. If you are using RAID and only have one drive letter, then configure both locations to point to the same drive letter. Click Next.

Figure 9-4: Choosing the database and log files hard disk resources

9. The Shared System Volume dialog box loads. You can usually leave this to the default chosen by the server. Click Next.

10. The Permissions dialog box loads, as illustrated in Figure 9-5. If you have Windows NT servers that need to access information on this server, then choose the first option. For security reasons, we have chosen to upgrade all our NT servers in CITYHALL and deploy only Windows 2000 (we have ways and means of spending our taxpayers’ money). CITYHALL will then be a native mode domain. For more information on the modes and permissions levels, consult Chapter 10. Click Next.

Figure 9-5: Permissions for legacy NT server access
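The wizard answers in steps 3 to 10 map one-to-one onto the answer file that DCPROMO accepts from the command prompt (the route step 1 recommends when promoting many servers), and encoding them as data is a way to catch a wrong choice before it is burned into a domain that cannot be renamed. The script below is an added example, not part of the chapter: it renders a [DCInstall] section for the CITYHALL child domain (and the GENESIS root) from the Table 9-2 choices and rejects what the wizard would reject, such as a dotted child name or a NetBIOS name over 15 characters. The key names are assumed from the Windows 2000 unattended DCPROMO answer-file format and should be checked against your unattend reference; the account name and file paths are placeholders.

```python
from dataclasses import dataclass


@dataclass
class PromotionChoices:
    """Wizard answers from steps 3-10, one Table 9-2 column per instance."""
    netbios_name: str                 # step 7: NetBIOS Domain Name (15 chars max)
    new_forest: bool                  # GENESIS: new tree in a new forest; others: child
    root_dns: str = ""                # new forest only: root domain DNS name
    parent_dns: str = ""              # step 6: parent domain, e.g. GENESIS.MCITY.ORG
    child_name: str = ""              # step 6: child label only, never the full DNS name
    cred_user: str = "PLACEHOLDER_ADMIN"  # step 5: account in the existing forest (placeholder)
    cred_domain: str = ""             # step 5: domain that account lives in
    db_path: str = r"C:\WINNT\NTDS"   # step 8 (placeholder paths)
    log_path: str = r"D:\NTDS\LOGS"   # step 8: logs on a second disk when there is one
    sysvol_path: str = r"C:\WINNT\SYSVOL"  # step 9: the default is usually fine
    site_name: str = "Default-First-Site-Name"  # site object from Table 9-1
    legacy_nt_access: bool = False    # step 10: first option (pre-Windows 2000 access)


def validate(c):
    """Mirror the checks the wizard performs before it lets you click Next."""
    errs = []
    if not 1 <= len(c.netbios_name) <= 15 or "." in c.netbios_name:
        errs.append("NetBIOS domain name must be 1-15 characters without dots")
    if c.new_forest:
        if "." not in c.root_dns:
            errs.append("root domain needs a fully qualified DNS name")
    else:
        if not c.child_name or "." in c.child_name:
            errs.append("enter only the child domain label; the DNS name is built for you")
        if "." not in c.parent_dns:
            errs.append("parent domain must be the existing domain's DNS name")
        if not c.cred_domain:
            errs.append("credentials must come from a domain in the existing forest")
    return errs


def dns_name(c):
    """The DNS name the wizard constructs in step 6 (Figure 9-3)."""
    return c.root_dns if c.new_forest else f"{c.child_name}.{c.parent_dns}"


def render_answer_file(c):
    """Render the [DCInstall] section for dcpromo /answer:<file> (key names assumed)."""
    errs = validate(c)
    if errs:
        raise ValueError("; ".join(errs))
    lines = ["[DCInstall]", "ReplicaOrNewDomain=Domain"]     # "DC for a new domain"
    if c.new_forest:                                          # Table 9-2: new tree, new forest
        lines += ["TreeOrChild=Tree", "CreateOrJoin=Create", f"NewDomainDNSName={c.root_dns}"]
    else:                                                     # new domain in an existing tree
        lines += ["TreeOrChild=Child", f"ParentDomainDNSName={c.parent_dns}",
                  f"ChildName={c.child_name}", f"UserName={c.cred_user}",
                  f"UserDomain={c.cred_domain}"]
    lines += [f"DomainNetbiosName={c.netbios_name}", f"DatabasePath={c.db_path}",
              f"LogPath={c.log_path}", f"SYSVOLPath={c.sysvol_path}",
              f"SiteName={c.site_name}",
              f"AllowAnonymousAccess={'Yes' if c.legacy_nt_access else 'No'}",
              "RebootOnSuccess=Yes"]
    # Password and SafeModeAdminPassword are left out on purpose so no secret is
    # written to disk; DCPROMO prompts for values the answer file omits (assumption).
    return "\n".join(lines) + "\n"


def parse_answer_file(text):
    """Read a rendered [DCInstall] section back into a dict (for review and tests)."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section == "DCInstall":
            k, v = line.split("=", 1)
            keys[k.strip()] = v.strip()
    return keys


# Constructed from the chapter's choices: GENESIS as the root, CITYHALL as its child.
GENESIS = PromotionChoices("GENESIS", True, root_dns="GENESIS.MCITY.ORG",
                           site_name="GEN-ST00-JKIJS09K87")
CITYHALL = PromotionChoices("CITYHALL", False, parent_dns="GENESIS.MCITY.ORG",
                            child_name="CITYHALL", cred_domain="GENESIS",
                            site_name="CH-ST00-J98KIJD654")

if __name__ == "__main__":
    print(render_answer_file(CITYHALL))
```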

Posted: 10/12/2013, 16:15
