Contents
Overview 1
Identifying Business Needs 2
Accessing Resources Between Domains 5
Planning for Multiple-Domain Trees 9
Planning for Multiple-Tree Forests 13
Planning for Multiple Forests 16
Lab A: Designing a Multiple-Domain Structure 19
Review 23
Module 7: Designing a Multiple-Domain Structure
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, Windows, Windows NT, Active Directory, BackOffice, PowerPoint, Visual Basic, and
Visual Studio are either registered trademarks or trademarks of Microsoft Corporation in the
U.S.A. and/or other countries.
The names of companies, products, people, characters, and/or data mentioned herein are fictitious
and are in no way intended to represent any real individual, company, product, or event, unless
otherwise noted.
Other product and company names mentioned herein may be the trademarks of their respective
owners.
Project Lead: Andy Sweet (S&T OnSite)
Instructional Designers: Andy Sweet (S&T OnSite), Ravi Acharya (NIIT), Sid Benavente,
Richard Rose, Kathleen Norton
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Lorrin Smith-Bates (Volt), Megan Camp (Independent Contractor)
Technical Contributors: Angie Fultz, Lyle Curry, Brian Komar (3947018 Manitoba, Inc.), Jim
Clark (Infotec Commercial Systems), Bill Wade (Excell Data Corporation), David Stern, Steve
Tate, Greg Bulette (Independent Contractor), Kathleen Cole (S&T OnSite)
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Jeffrey Gilbert (Wasser)
Copy Editor: Patti Neff (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T OnSite)
Compact Disc and Lab Testing: Testing Testing 123
Production Support: Ed Casper (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Managers: Dean Murray, Ken Rosen
Group Product Manager: Robert Stewart
Module 7: Designing a Multiple-Domain Structure (iii)
Instructor Notes
This module presents the design points to consider when planning a multiple-
domain structure. Included are strategies for assessing the need for multiple
domains, and reasons for maintaining a single-domain structure. The module
briefly examines the Kerberos V5 protocol security process and how it affects
trust relationships within a multiple-domain structure. The module also
examines how those trust relationships affect design. Finally, strategies are
provided for designing multiple domains to fit several different business
scenarios, including scenarios that require multiple-domain trees, multiple trees,
and multiple forests.
At the end of this module, students will be able to:
• Identify criteria for determining whether a single or multiple-domain structure is necessary to meet business needs.
• Describe the trust relationships inherent in multiple-domain structures.
• Plan a multiple-domain tree.
• Plan a multiple-tree forest.
• Plan multiple forests.
Materials and Preparation
This section provides you with the required materials and preparation tasks that
are needed to teach this module.
Required Materials
To teach this module, you need the following materials:
• Microsoft® PowerPoint® file 1561b_07.ppt
• Visio 2000
Preparation Tasks
To prepare for this module, you should:
• Read all of the materials for this module.
• Complete the lab.
• Read the following technical white paper located on the Trainer Materials compact disc:
  • Windows 2000 Kerberos Authentication
Presentation: 45 Minutes
Lab: 30 Minutes
Instructor Setup for a Lab
This section provides setup instructions that are required to prepare the
instructor computer or classroom configuration for a lab.
Lab A: Designing a Multiple-Domain Structure
Ensure that Visio 2000 Enterprise Edition is installed on the instructor computer and all student computers and that the Active Directory template is operational. Also ensure that the \\London\Solutions\Lab7 directory is shared and accessible from the student computers.
This planning lab presents the students with a scenario and design criteria that
require the planning of multiple domains. In the first exercise, a simple two-
domain forest is necessary to meet the criteria.
The second exercise gives the students a scenario and criteria for a larger
organization where multiple domains are called for. There are two key elements
that the student should include in the design based on the criteria. First, given
the high security demands made in the criteria, the student should select an
empty root domain so that no part of the organization is subordinate to another.
Second, students should create a shortcut trust between
queensland.taztrade.msft and southpacific.taztrade.msft to optimize the sharing
of resources between those domains.
Module Strategy
Use the following strategy to present this module:
• Identifying Business Needs
  Explain the strategies used to assess the need for multiple domains. Explain that a single-domain structure is preferable to a multiple-domain structure.
• Accessing Resources Between Domains
  Explain how the Kerberos V5 protocol security process is used to implement authentication between domains and how it affects trust relationships within a multiple-domain structure. Also, discuss the different types of trusts between domains and how they are used to access resources across domains.
• Planning for Multiple-Domain Trees
  Explain in detail the relationships between domains within a single tree. Focus especially on how information is shared between domains. Demonstrate the structure of an empty root domain. Discuss in detail the possible scenarios that might require a multiple-domain structure instead of a single-domain structure.
• Planning for Multiple-Tree Forests
  Begin by introducing multiple-tree forests. Explain the structure and characteristics of a multiple-tree forest. Finally, describe the important considerations while designing multiple-tree forests.
• Planning for Multiple Forests
  Introduce the concept of multiple forests. Describe the structure and characteristics of multiple forests and how trusts are established between the domains of two forests. Explain the scenarios that would encourage the use of multiple forests.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
The lab in this module requires students to use Visio 2000 to document their
designs. Visio 2000 is demonstrated in course 1561B, module 3, Designing
Active Directory to Delegate Administrative Authority. If Visio has not been
previously demonstrated to students, refer to module 3 for instructions on
demonstrating Visio 2000.
The lab in this module includes a script to be run at the beginning and end of
the lab that creates and returns the computer to the default configuration for the
course. As a result, there are no lab setup requirements or configuration changes
that affect replication or customization.
Overview
• Identifying Business Needs
• Accessing Resources Between Domains
• Planning for Multiple-Domain Trees
• Planning for Multiple-Tree Forests
• Planning for Multiple Forests
Domains, trees, and forests are bordered units within Microsoft® Windows® 2000 Active Directory™ directory service. These units can share resources but can also be administered separately. There is also a difference in how these units intercommunicate, and how replication traffic flows between them. If your organization requires more than one domain, tree, or forest, then you must understand how information flows across these borders. The information flow between units will help you decide whether you need a structure more complex than a single domain, and if so, how to plan for the most effective administration model.
At the end of this module, you will be able to:
• Identify business needs that require a multiple-domain structure, and business needs that can be met by a single domain.
• Describe the trust relationships that allow users and resources to gain access to multiple domains, and the security protocol used to authenticate access.
• Plan an infrastructure in Active Directory that has multiple domains in a single tree.
• Plan an infrastructure in Active Directory that has multiple trees in a single forest.
• Plan an infrastructure in Active Directory that has multiple forests.
Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about designing multiple domains in Active Directory and identifying business situations that require multiple domains.
Identifying Business Needs
• Reasons to Maintain a Single Domain
• Reasons to Create Multiple Domains
The smallest tree in Active Directory consists of a single domain. While this is the simplest design for an Active Directory structure, there are business circumstances in an organization that require the addition of child domains to the tree. Some business needs that may seem to require multiple domains can be adequately met by a single-domain structure. Before designing a multiple-domain structure, you should first confirm that the requirements cannot be met with a single domain.
This section discusses the reasons to maintain a single domain, and helps you identify the requirements that would force you to create multiple domains.
Slide Objective: To introduce the decision options that exist when creating multiple domains.
Lead-in: The initial Active Directory structure is a single domain, which should be adequate for most business needs. Occasionally multiple domains may be required.
Reasons to Maintain a Single Domain
• Ease of Management
• Easier Delegation
• Fewer Members in Domain Admins Group
• Object Capacity Same as Multiple Domain Structure
[Slide graphic: a single domain containing several organizational units (OUs)]
The default structure in Active Directory begins with a single domain, and, if at all possible, your structure should keep a single domain. Single domains offer the following advantages over multiple-domain structures:
• Ease of management. A single domain requires less hardware to purchase and maintain, fewer trusts to create, and fewer administrative groups to create and maintain.
• Easier delegation of administrative authority. In a single-domain structure, you can create organizational units (OUs) as needed to delegate authority over resources and Active Directory objects. Delegating administrative authority is more complicated in a multiple-domain structure.
• Fewer members in the Domain Admins group. With a single domain you can keep membership of the powerful Domain Admins group to a minimum, and use delegation to allow detailed control of directory objects in Active Directory.
• Object capacity same as multiple domain structure. You can theoretically have over four billion objects in the global catalog. Because the global catalog includes every object in every domain of the forest, regardless of how many domains there are, splitting objects across domains does not raise that ceiling: if the objects will not fit within a single domain, they will not fit within a multiple-domain forest either.
Slide Objective: To describe the benefits of a single-domain infrastructure.
Lead-in: A single domain can accommodate many business needs and is much easier to administer.
Reasons to Create Multiple Domains
• Reasons for Using a Multiple-Domain Tree:
  • Distinct domain-level policies
  • Tighter administrative control
  • Decentralized administration
  • Separation and control of affiliate relationships
  • Reduced replication traffic
[Slide graphic: several domains, each containing organizational units (OUs)]
The single domain in Active Directory is the most flexible, least expensive, and easiest to administer directory structure. However, when planning the design for the Active Directory structure, you may want to consider additional domains if your organization requires any of the following:
• Distinct domain-level policies. Because account and password policies (password length and age, lockout, Kerberos ticket lifetimes) are applied at the domain level, you can create separate domains with distinct policies that will apply to the users in each domain.
• Tighter administrative control. A domain is an administrative boundary: domain administrators cannot cross domain boundaries to manage other domains without explicit permission. It is not, however, an isolation boundary. Every domain in a forest shares the schema and configuration partitions and trusts every other domain, so an administrator who controls a domain controller in any domain can affect the whole forest. Where one part of the organization must be isolated from another, rather than merely administered separately, plan a separate forest (see Planning for Multiple Forests).
• Decentralized administration. In some organizations, divisions that make a monetary investment in their own computer hardware, such as domain controllers, want to retain complete administrative control of their hardware.
• Separation and control of affiliate relationships. Large corporations often form business affiliations by being involved in joint ventures or partnerships. Multiple domains allow you to isolate administrative and security control of shared resources and external users.
• Reduced replication traffic. Within a domain, every object and every attribute is replicated to every domain controller in the domain. If a slow or congested wide area network (WAN) link within a domain prevents Active Directory replication from completing within the required timeframe, consider creating multiple domains to reduce replication traffic. The only data replicated across domain boundaries are the schema partition, the configuration partition, and the partial replica (a subset of the attributes of every object in every domain) that global catalog servers hold.
Slide Objective: To describe business needs that require multiple domains.
Lead-in: A single domain is still the most flexible Active Directory structure, but there are business needs that require more than one domain.
[...]

... Information Through Automatic Trusts

All domains within an Active Directory tree share a common directory schema, configuration information, and global catalog. They also have automatic transitive trust relationships that allow users in each domain to gain access to available resources in all other domains in the tree.

Creating an Empty Root Domain

Slide Objective ...

... subsidiary with its own registered domain name, and want to maintain the separate name.
• The organization requires centralized control of administration, and a global organizational directory for full access of resources and information.

The trees in a forest still share a common directory schema, configuration information, and global catalog.

Planning ...

... Organization

In this exercise, you will evaluate the scenario and design criteria at a large organization to determine the domain strategy for the organization. Working with your lab partners, review the company profile and the design criteria and perform the tasks.

Scenario

You have been hired to assist in the design of an Active Directory naming strategy for Tasmanian Traders. Tasmanian Traders is a multi-national ...

... multiple-domain tree, you should understand the structure and characteristics of a multiple-domain tree, and the organization's business situations that may require multiple domains.

Characteristics of Multiple-Domain Trees

Slide Objective: To illustrate the structure and characteristics of a multiple-domain tree.
[Slide graphic: nwtraders.msft (Root)]
Lead-in ...

... child domain can be the parent of additional child domains.

Domains Within a Tree Share a Single Tree Root

A tree has a single root and is built as a strict hierarchy. Each domain below the root has exactly one immediate parent domain. Each level of the hierarchy is directly related to the level above it and to the level below it. An Active Directory tree hierarchy is a Domain Name System (DNS) hierarchy ...

... domains in a multiple-domain tree are made up of parent and child domains.
[Slide graphic: child domains us.nwtraders.msft, europe.nwtraders.msft and sales.us.nwtraders.msft; transitive trusts exist between all domains]

When additional domains, or child domains, are attached to the initial domain they form a hierarchical structure. Any ...

... default global directory for an organization comprised of multiple forests.
• You have partner or affiliate relationships. You may wish to have limited access to resources between an organization's partners or affiliated companies, but want to keep the administration separate. Creating multiple forests ensures separation of resources, and permits sharing only when specifically authorized.

... access of resources. Save your design to the \\London\solutions\lab7 share with yourteamnamelab7ex2.vsd as the file name.
[Slide graphic: taztrade.msft (Empty Root Domain) with enchantment.taztrade.msft, lakes.taztrade.msft, ferguson.taztrade.msft, lucerne.ferguson.taztrade.msft, corp.taztrade.msft and shear.taztrade.msft, and a Shortcut Trust]

Review

Slide Objective: To reinforce module objectives ...

... decentralized administration may choose a single tree with an empty root domain. An empty root domain contains no OUs and only the enterprise administrator (or a small number of administrators) as the only users in the domain. The advantage of this model is a contiguous namespace with a distinct separation between divisions. In the scenario pictured in the slide, the root domain holds the default administrator ...
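The tree rules and trust relationships described above (one root, each child's parent implied by its DNS name, an automatic two-way transitive trust between each parent and child, and the shortcut trust that the lab solution calls for) can be checked mechanically during design. The following design checker is an added example and is not part of the course material or any Microsoft tool. It uses the module's nwtraders.msft domains; the DomainTree class, its method names, and the rule that a path of more than two trust hops is worth a shortcut trust are assumptions made for illustration. Each hop on the trust path corresponds to one cross-realm referral a client's Kerberos KDC must issue before the client reaches the KDC of the resource domain, which is why long paths slow down resource access.

```python
"""Check a multiple-domain tree design: contiguous DNS namespace, parent/child
trusts, the Kerberos trust path between two domains, and where a shortcut
trust would pay off.

Added example, not part of the original course material. Domain names are the
module's nwtraders.msft examples; the two-hop threshold for recommending a
shortcut trust is an assumption for illustration.
"""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple


class DomainTree:
    """One Active Directory tree: a single root, every other domain has exactly
    one parent, and the parent is implied by the DNS name."""

    def __init__(self, root: str) -> None:
        self.root = root.lower()
        self.parent: Dict[str, Optional[str]] = {self.root: None}
        # Two-way trusts. Parent/child trusts are created automatically when a
        # child is attached; shortcut trusts are added by the designer.
        self.trusts: Dict[str, Set[str]] = {self.root: set()}

    def add_child(self, name: str) -> None:
        """Attach a child domain. The tree is a DNS hierarchy, so the parent is
        everything after the first label, and it must already be in the tree."""
        name = name.lower()
        parent = name.split(".", 1)[1] if "." in name else ""
        if parent not in self.parent:
            raise ValueError(f"{name}: parent {parent!r} is not in the tree "
                             "(a tree must be a contiguous namespace under its root)")
        self.parent[name] = parent
        self.trusts[name] = set()
        self._link(name, parent)  # automatic two-way transitive trust

    def add_shortcut_trust(self, a: str, b: str) -> None:
        """Explicit two-way trust between two domains of the same tree."""
        a, b = a.lower(), b.lower()
        if a not in self.parent or b not in self.parent:
            raise ValueError("shortcut trust endpoints must be domains in this tree")
        self._link(a, b)

    def _link(self, a: str, b: str) -> None:
        self.trusts[a].add(b)
        self.trusts[b].add(a)

    def trust_path(self, src: str, dst: str) -> List[str]:
        """Shortest chain of trusts from src to dst (breadth-first search).
        Each hop is one cross-realm referral before the client reaches dst's KDC."""
        src, dst = src.lower(), dst.lower()
        prev: Dict[str, Optional[str]] = {src: None}
        queue = deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                break
            for nxt in sorted(self.trusts[cur]):
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        if dst not in prev:
            raise ValueError(f"no trust path from {src} to {dst}")
        path: List[str] = []
        node: Optional[str] = dst
        while node is not None:
            path.append(node)
            node = prev[node]
        return path[::-1]

    def hops(self, src: str, dst: str) -> int:
        return len(self.trust_path(src, dst)) - 1

    def shortcut_candidates(self, max_hops: int = 2) -> List[Tuple[str, str, int]]:
        """Domain pairs whose trust path is longer than max_hops referrals;
        a shortcut trust between them collapses the path to a single hop."""
        names = sorted(self.parent)
        found = []
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                n = self.hops(a, b)
                if n > max_hops:
                    found.append((a, b, n))
        return found


def build_nwtraders() -> DomainTree:
    """The four-domain tree shown in the module's slides."""
    tree = DomainTree("nwtraders.msft")
    for child in ("us.nwtraders.msft", "europe.nwtraders.msft",
                  "sales.us.nwtraders.msft"):
        tree.add_child(child)
    return tree


if __name__ == "__main__":
    t = build_nwtraders()
    print(" -> ".join(t.trust_path("sales.us.nwtraders.msft", "europe.nwtraders.msft")))
    for a, b, n in t.shortcut_candidates():
        print(f"consider a shortcut trust between {a} and {b} ({n} hops today)")
    t.add_shortcut_trust("sales.us.nwtraders.msft", "europe.nwtraders.msft")
    print("after shortcut:", t.hops("sales.us.nwtraders.msft", "europe.nwtraders.msft"), "hop")
```

Run as a script it prints the three-hop path sales.us → us → nwtraders → europe, flags that pair as a shortcut-trust candidate, and shows the path falling to one hop once the shortcut is added. The same checker applied to the lab's taztrade.msft design would flag the pair named in the instructor notes for exercise 2, and add_child rejects a name such as contoso.msft under nwtraders.msft, which is the point at which a second tree (or a second forest) rather than a child domain is needed.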