Transcription of Active Directory Design - HACC
Novell to Microsoft Conversion Assessment: Active Directory Design
Presented to: 03/11/11
1215 Hamilton Lane, Suite 200, Naperville, IL 60540
Voice & Fax: 877-212-6379

Active Directory Design hacc Page 2 of 38

Version History
Ver. #   Ver. Date   Author          Description
         19-Jan-11   Brian Desmond   Initial Draft
         25-Jan-11   Scott Weyandt   Edits
         03-Feb-11   Brian Desmond   Edits at HACC
         09-Feb-11   Brian Desmond   Updated drawings
         09-Mar-11   Brian Desmond   Updates based on review w/ HACC

Table of Contents
Introduction .. 5
Background .. 5
Approach .. 6
Current Environment .. 6
Design Goals .. 6
Forest & Domain Design .. 7
Forest Model .. 7
Domain Model .. 7
Trusts .. 8
Schema Customizations .. 9
Site Topology & Domain Controller Placement .. 11
Site Layout .. 11
Replication Topology .. 12
Exchange Server Considerations .. 13
Domain Controller Hardware & OS .. 14
Domain Controller Placement .. 16
Global Catalog Placement .. 17
Read Only Domain Controller Placement .. 18
Filtered Attribute Set .. 19
Password Replication Policy .. 19
FSMO Placement .. 20
Name Resolution .. 23
DNS Namespace Design .. 23
Time Sync .. 25
Best .. 25
Time Sync Design .. 25
Disaster .. 27
Backup .. 27
Restore .. 28
Active Directory Recycle Bin .. 29
Administrative Model .. 30
Organizational Unit Design .. 30
Top-Level OU Design .. 31
Enterprise Support .. 33
Site-Level OU Design .. 35
Recommended Site-Level OU Design .. 36
Object Lifecycle Management .. 37
Summary .. 38

Introduction
This document details the recommendations of Moran Technology Consulting (MTC) for the design of the new Harrisburg Area Community College (HACC) Active Directory.

Background
HACC has engaged MTC to conduct a thorough and impartial evaluation of its current network operating system and email environment (Novell NDS and GroupWise). As part of this assessment, MTC will identify the pros and cons of converting to Microsoft Windows Server Active Directory and Exchange Server 2010 from the current Novell NetWare and GroupWise products.
In addition, MTC will develop a project plan that identifies the total cost of conversion, including: estimates for hardware and software (licensing and support); resource, time, and cost estimates for implementing the new solution (upgrade or migration); and knowledge transfer and training of HACC staff to operate and maintain the new solution. As part of this effort, MTC has developed the following design for Windows Server 2008 R2 Active Directory so that detailed pricing and planning information can be developed.

Approach
As a firm that specializes in IT management and technical consulting for higher education clients, MTC recognizes the importance of the cultural, organizational, and technical challenges that must be addressed in order to develop and implement an efficient design and plan for HACC.
At the kickoff of the project, a HACC design team was assembled to provide stakeholder input into the design and to ensure that it meets the technical and functional needs of all the parties dependent on the new Active Directory. Several meetings and workshops were conducted to socialize the proposed design and gather input from each of the campuses.

Current Environment
HACC currently uses Novell NetWare/NDS as its directory platform and network operating system. The Novell infrastructure comprises centrally hosted Novell servers and distributed Novell servers at each of the campuses. Novell primarily supports file services for employees (faculty and staff) and GroupWise.

Design Goals
The primary goal of this design is to provide an Active Directory infrastructure that meets the authentication and administrative needs of the HACC stakeholders while also conforming to current best-practice standards for Active Directory.
The following design was established to support a proposed Microsoft Exchange Server 2010 deployment as well as desktop authentication and file services for all of the HACC campuses. Substantial consideration will be given to ensuring that administrators for each of the campuses can continue to perform all of their duties in an efficient and timely manner.

Forest & Domain Design
The two top-level elements of any Active Directory design are the forest and the domain. The forest is the security boundary in Active Directory and contains one or more domains. Domains are a replication boundary within a forest; they are never a security boundary.
Therefore, when complete separation of administration is necessary in an Active Directory environment, a separate forest must be deployed. A common misconception is that deploying an empty root domain to hold enterprise-level administrative groups is more secure than co-locating those groups in a general-use domain. Given the architecture of Active Directory, it is in fact quite possible for administrators in one domain to affect other domains in the same forest: SID filtering is never applied between domains of one forest, so control of any domain controller in the forest provides a path to every other domain. Thus a single-domain design is just as secure as a multi-domain design. Empty roots were originally conceived in an era when popular wisdom held that there were technical advantages to deploying a dedicated root domain. Today, the cases where an empty root makes sense are corner cases rather than the norm.
Forest Model
The business and technical requirements for HACC's new Active Directory design do not present any reason to implement more than one forest. The administration of the new HACC Active Directory infrastructure will be centralized. Furthermore, there are no special cases where complete separation of administration is necessary, so the primary driver for additional forests does not apply.

Domain Model
As the HACC network is well connected by high-speed links, there is no need to segregate Active Directory replication at the domain level to control network traffic. The new HACC forest will consist of a single domain, which will be used across the entire Active Directory environment.
The new domain will have the following names:
DNS Name    NetBIOS Name
hacc

In the unlikely event that HACC needs to deploy an additional domain, it is logical to deploy that domain either as a child of the new domain ( ) or as a separate tree in the forest ( ). This flexibility exists regardless of whether or not an empty root domain is deployed as part of the forest design.

Trusts
Trusts enable separate domains and forests to coexist with pass-through authentication. Trusts can exist between domains (external trusts) or between forests (forest trusts). A forest trust is transitive across the domains of the two forests, in the same way that the implicit trusts between domains of a multi-domain forest are transitive, but it does not chain to a third forest: if forest A trusts forest B and B trusts C, A does not thereby trust C.
SID filtering is a security feature that can be enabled or disabled per trust; it is enabled by default on external and forest trusts. When it is active, the trusting domain strips from an incoming user's token every SID that does not belong to the trusted domain (or, on a forest trust, to a domain of the trusted forest). When migrating security principals between domains, SID History is typically used to keep the principal's previous SID(s). This way the principal can access resources (such as file shares) secured using an older SID without the resource's ACL having to be updated. For this to work across a trust, SID filtering must be disabled on that trust. The trade-off is significant: with filtering disabled, anyone who can write sIDHistory in the trusted domain, or who has compromised a domain controller there, can present arbitrary SIDs, including those of privileged groups in the trusting domain, so filtering should be re-enabled as soon as the migration no longer depends on SID History. Selective authentication is a security feature of trusts in Windows Server 2003 and newer domains.
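The following audit script is an added example and is not part of the MTC design document. It decodes the trustAttributes bitmask stored on each trustedDomain object (flag values from [MS-ADTS] 6.1.6.7.9) to report, per trust, whether SID filtering is in force and whether selective authentication is enabled, and then lists every principal that still carries sIDHistory, which is exactly the population an unfiltered trust exposes. It assumes the ActiveDirectory RSAT module on a domain-joined host with read access to the directory; the domain names in the netdom remediation lines (corp.example, partner.example) are placeholders, not names from the design.

```powershell
# Added example (not from the MTC design document): decode each trust's
# trustAttributes bitmask to report how it handles SID filtering and selective
# authentication, then list the principals that still carry sIDHistory.
# Assumes the ActiveDirectory RSAT module on a domain-joined host. The netdom
# lines at the end use hypothetical domain names.
Import-Module ActiveDirectory

# Flag values from [MS-ADTS] 6.1.6.7.9 (trustAttributes).
$TA_NON_TRANSITIVE     = 0x01
$TA_QUARANTINED_DOMAIN = 0x04   # external trust: SID filtering (quarantine) on
$TA_FOREST_TRANSITIVE  = 0x08   # this is a forest trust
$TA_CROSS_ORGANIZATION = 0x10   # selective authentication on
$TA_WITHIN_FOREST      = 0x20   # implicit parent/child or tree-root trust
$TA_TREAT_AS_EXTERNAL  = 0x40   # forest trust relaxed (netdom /enablesidhistory:yes)

function Get-TrustSidFilteringReport {
    # trustDirection values: 1 = inbound, 2 = outbound, 3 = bidirectional
    $dirNames = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

    Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
                 -Properties trustPartner, trustDirection, trustAttributes |
    ForEach-Object {
        $attr     = [int]$_.trustAttributes
        $inForest = ($attr -band $TA_WITHIN_FOREST) -ne 0
        $isForest = ($attr -band $TA_FOREST_TRANSITIVE) -ne 0

        # Intra-forest trusts never filter SIDs (domains are not a security
        # boundary). External trusts filter only while QUARANTINED_DOMAIN is set.
        # Forest trusts filter unless TREAT_AS_EXTERNAL has relaxed them.
        if ($inForest) {
            $kind = 'IntraForest'
            $filtering = 'n/a'
        } elseif ($isForest) {
            $kind = 'Forest'
            $filtering = if ($attr -band $TA_TREAT_AS_EXTERNAL) { 'RELAXED' } else { 'Enabled' }
        } else {
            $kind = 'External'
            $filtering = if ($attr -band $TA_QUARANTINED_DOMAIN) { 'Enabled' } else { 'DISABLED' }
        }

        [pscustomobject]@{
            Partner       = $_.trustPartner
            Kind          = $kind
            Direction     = $dirNames[[int]$_.trustDirection]
            Transitive    = ($attr -band $TA_NON_TRANSITIVE) -eq 0
            SIDFiltering  = $filtering
            SelectiveAuth = ($attr -band $TA_CROSS_ORGANIZATION) -ne 0
        }
    }
}

function Get-SidHistoryCarriers {
    # Every principal with a populated sIDHistory is one that an unfiltered
    # trust lets authenticate under its old SID(s) in the trusting domain.
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
        Select-Object Name, ObjectClass,
            @{ Name = 'SIDHistory'; Expression = { ($_.sIDHistory | ForEach-Object { $_.Value }) -join ', ' } }
}

Get-TrustSidFilteringReport | Format-Table -AutoSize
Get-SidHistoryCarriers      | Format-Table -AutoSize

# Re-enable filtering once the migration no longer needs SID History
# (corp.example / partner.example are placeholders, not names from the design):
#   netdom trust corp.example /domain:partner.example /quarantine:yes        # external trust
#   netdom trust corp.example /domain:partner.example /enablesidhistory:no   # forest trust
```

Run it from the domain that will be the trusting side of the migration trust. Any row reporting SIDFiltering as DISABLED or RELAXED should correspond to a trust the migration plan deliberately opened, and the sIDHistory listing tells you when that exception can be closed: once no remaining account depends on an old SID, re-run the netdom command for the trust type shown in the Kind column.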