Document: Module 7: Designing a Multiple-Domain Structure pptx


Contents

Overview
Identifying Business Needs
Accessing Resources Between Domains
Planning for Multiple-Domain Trees
Planning for Multiple-Tree Forests
Planning for Multiple Forests
Lab A: Designing a Multiple-Domain Structure
Review

Module 7: Designing a Multiple-Domain Structure

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, Windows, Windows NT, Active Directory, BackOffice, PowerPoint, Visual Basic, and Visual Studio are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
Project Lead: Andy Sweet (S&T OnSite)
Instructional Designers: Andy Sweet (S&T OnSite), Ravi Acharya (NIIT), Sid Benavente, Richard Rose, Kathleen Norton
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Lorrin Smith-Bates (Volt), Megan Camp (Independent Contractor)
Technical Contributors: Angie Fultz, Lyle Curry, Brian Komar (3947018 Manitoba, Inc.), Jim Clark (Infotec Commercial Systems), Bill Wade (Excell Data Corporation), David Stern, Steve Tate, Greg Bulette (Independent Contractor), Kathleen Cole (S&T OnSite)
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Jeffrey Gilbert (Wasser)
Copy Editor: Patti Neff (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T OnSite)
Compact Disc and Lab Testing: Testing Testing 123
Production Support: Ed Casper (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Managers: Dean Murray, Ken Rosen
Group Product Manager: Robert Stewart

Instructor Notes

This module presents the design points to consider when planning a multiple-domain structure. Included are strategies for assessing the need for multiple domains, and reasons for maintaining a single-domain structure. The module briefly examines the Kerberos V5 protocol security process and how it affects trust relationships within a multiple-domain structure. The module also examines how those trust relationships affect design.
Finally, strategies are provided for designing multiple domains to fit several different business scenarios, including scenarios that require multiple-domain trees, multiple trees, and multiple forests.

At the end of this module, students will be able to:
- Identify criteria for determining whether a single or multiple-domain structure is necessary to meet business needs.
- Describe the trust relationships inherent in multiple-domain structures.
- Plan a multiple-domain tree.
- Plan a multiple-tree forest.
- Plan multiple forests.

Presentation: 45 Minutes
Lab: 30 Minutes

Materials and Preparation

This section provides you with the required materials and preparation tasks that are needed to teach this module.

Required Materials

To teach this module, you need the following materials:
- Microsoft® PowerPoint® file 1561b_07.ppt
- Visio 2000

Preparation Tasks

To prepare for this module, you should:
- Read all of the materials for this module.
- Complete the lab.
- Read the following technical white paper located on the Trainer Materials compact disc:
  • Windows 2000 Kerberos Authentication

Instructor Setup for a Lab

This section provides setup instructions that are required to prepare the instructor computer or classroom configuration for a lab.

Lab A: Designing a Multiple-Domain Structure

Ensure that Visio 2000 Enterprise Edition is installed on the instructor computer and all student computers and that the Active Directory template is operational. Also ensure that the \\London\Solutions\Lab7 directory is shared and accessible from the student computers.

This planning lab presents the students with a scenario and design criteria that require the planning of multiple domains. In the first exercise, a simple two-domain forest is necessary to meet the criteria. The second exercise gives the students a scenario and criteria for a larger organization where multiple domains are called for.
There are two key elements that the student should include in the design based on the criteria. First, given the high security demands made in the criteria, the student should select an empty root domain so that no part of the organization is subordinate to another. Second, students should create a shortcut trust between queensland.taztrade.msft and southpacific.taztrade.msft to optimize the sharing of resources between those domains.

Module Strategy

Use the following strategy to present this module:
- Identifying Business Needs
  Explain the strategies used to assess the need for multiple domains. Explain that a single-domain structure is preferable to a multiple-domain structure.
- Accessing Resources Between Domains
  Explain how the Kerberos V5 protocol security process is used to implement authentication between domains and how it affects trust relationships within a multiple-domain structure. Also, discuss the different types of trusts between domains and how they are used to access resources across domains.
- Planning for Multiple-Domain Trees
  Explain in detail the relationships between domains within a single tree. Focus especially on how information is shared between domains. Demonstrate the structure of an empty root domain. Discuss in detail the possible scenarios that might require a multiple-domain structure instead of a single-domain structure.
- Planning for Multiple-Tree Forests
  Begin by introducing multiple-tree forests. Explain the structure and characteristics of a multiple-tree forest. Finally, describe the important considerations while designing multiple-tree forests.
- Planning for Multiple Forests
  Introduce the concept of multiple forests. Describe the structure and characteristics of multiple forests and how trusts are established between the domains of two forests. Explain the scenarios that would encourage the use of multiple forests.
Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

The lab in this module requires students to use Visio 2000 to document their designs. Visio 2000 is demonstrated in course 1561B, module 3, Designing Active Directory to Delegate Administrative Authority. If Visio has not been previously demonstrated to students, refer to module 3 for instructions on demonstrating Visio 2000.

The lab in this module includes a script to be run at the beginning and end of the lab that creates and returns the computer to the default configuration for the course. As a result, there are no lab setup requirements or configuration changes that affect replication or customization.

Overview

- Identifying Business Needs
- Accessing Resources Between Domains
- Planning for Multiple-Domain Trees
- Planning for Multiple-Tree Forests
- Planning for Multiple Forests

Domains, trees, and forests are bordered units within Microsoft® Windows® 2000 Active Directory™ directory service. These units can share resources but can also be administered separately. There is also a difference in how these units intercommunicate, and how replication traffic flows between them. If your organization requires more than one domain, tree, or forest, then you must understand how information flows across these borders. The information flow between units will help you decide whether you need a structure more complex than a single domain, and if so, how to plan for the most effective administration model.

At the end of this module, you will be able to:
- Identify business needs that require a multiple-domain structure, and business needs that can be met by a single domain.
- Describe the trust relationships that allow users and resources to gain access to multiple domains, and the security protocol used to authenticate access.
- Plan an infrastructure in Active Directory that has multiple domains in a single tree.
- Plan an infrastructure in Active Directory that has multiple trees in a single forest.
- Plan an infrastructure in Active Directory that has multiple forests.

Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about designing multiple domains in Active Directory and identifying business situations that require multiple domains.

Identifying Business Needs

- Reasons to Maintain a Single Domain
- Reasons to Create Multiple Domains

The smallest tree in Active Directory consists of a single domain. While this is the simplest design for an Active Directory structure, there are business circumstances in an organization that require the addition of child domains to the tree. Some business needs that may seem to require multiple domains might be adequately met by a single domain structure. Before designing a multiple-domain structure, you should first ensure that the design cannot be met by using a single domain.

This section will discuss the reasons to maintain a single domain, and help you identify the reasons that would require you to create multiple domains.

Slide Objective: To introduce the decision options that exist when creating multiple domains.
Lead-in: The initial Active Directory structure is a single domain, which should be adequate for most business needs. Occasionally multiple domains may be required.

Reasons to Maintain a Single Domain

- Ease of Management
- Easier Delegation
- Fewer Members in Domain Admins Group
- Object Capacity Same as Multiple Domain Structure

The default structure in Active Directory begins with a single domain, and, if at all possible, your structure should keep a single domain. Single domains offer the following advantages over multiple-domain structures:
- Ease of management. Single domains require less hardware to purchase and maintain, fewer trusts to create, and fewer administrative groups to create and maintain.
- Easier delegation of administrative authority. In a single-domain structure, you can create organizational units (OUs) as needed to delegate authority over resources and Active Directory objects. Delegating administrative authority is more complicated in a multiple-domain structure.
- Fewer members in the Domain Admins group. With a single domain you can keep membership of the powerful Domain Admins group to a minimum, and use delegation to allow detailed control of directory objects in Active Directory.
- Object capacity same as multiple domain structure. You can theoretically have over four billion objects in the global catalog. The global catalog includes all objects in all domains in a forest, regardless of the number of domains present. So, if the objects will not fit within a single domain, they will not fit within a multiple-domain forest either.

Slide Objective: To describe the benefits of a single-domain infrastructure.
Lead-in: A single domain can accommodate many business needs and is much easier to administer.

Reasons to Create Multiple Domains

- Reasons for Using a Multiple-Domain Tree:
  • Distinct domain-level policies
  • Tighter administrative control
  • Decentralized administration
  • Separation and control of affiliate relationships
  • Reduced replication traffic

The single domain in Active Directory is the most flexible, least expensive, and easiest to administer directory structure. However, when planning the design for the Active Directory structure, you may want to consider additional domains if your organization requires any of the following:
- Distinct domain-level policies. Because account and password policies are applied at the domain level, you can create separate domains with distinct policies that will apply to the users in each domain.
- Tighter administrative control. A domain is a security boundary. Domain administrators cannot cross domain boundaries to manage other domains without explicit permission.
- Decentralized administration. In some organizations, divisions that make a monetary investment in their own computer hardware, such as domain controllers, want to retain complete administrative control of their hardware.
- Separation and control of affiliate relationships. Large corporations often form business affiliations by being involved in joint ventures or partnerships. Multiple domains allow you to isolate administrative and security control of shared resources and external users.
- Reduced replication traffic. Within a domain, all objects and attributes are replicated between all domain controllers in the domain. If a slow or congested wide area network (WAN) link within a domain prevents Active Directory replication from occurring within a necessary timeframe, consider creating multiple domains to reduce replication traffic. The only data replicated between separate domains are changes to the global catalog server, configuration information, and schema.
Slide Objective: To describe business needs that require multiple domains.
Lead-in: A single domain is still the most flexible Active Directory structure, but there are business needs that require more than one domain.

[...]

... Information Through Automatic Trusts
All domains within an Active Directory tree share a common directory schema, configuration information, and global catalog. They also have automatic transitive trust relationships that allow users in each domain to gain access to available resources in all other domains in the tree.

Creating an Empty Root Domain
Slide Objective...

... subsidiary with its own registered domain name, and want to maintain the separate name.
- The organization requires centralized control of administration, and a global organizational directory for full access of resources and information.
The trees in a forest still share a common directory schema, configuration information, and global catalog.

Planning...

... Organization
In this exercise, you will evaluate the scenario and design criteria at a large organization to determine the domain strategy for the organization. Working with your lab partners, review the company profile and the design criteria and perform the tasks.

Scenario
You have been hired to assist in the design of an Active Directory naming strategy for Tasmanian Traders. Tasmanian Traders is a multi-national...

... multiple-domain tree, you should understand the structure and characteristics of a multiple-domain tree, and the organization's business situations that may require multiple domains.

Characteristics of Multiple-Domain Trees
Slide Objective: To illustrate the structure and characteristics of a multiple-domain tree.
[Slide diagram: nwtraders.msft (root)]
Lead-in...

... child domain can be the parent of additional child domains.

Domains Within a Tree Share a Single Tree Root
A tree has a single root and is built as a strict hierarchy. Each domain below the root has exactly one immediate parent domain. Each level of the hierarchy is directly related to the level above it and to the level below it. An Active Directory tree hierarchy is a Domain Name System (DNS) hierarchy...

... domains in a multiple-domain tree are made up of parent and child domains.
[Slide diagram: us.nwtraders.msft (child domain), europe.nwtraders.msft (child domain), sales.us.nwtraders.msft (child domain); transitive trusts exist between all domains]
When additional domains, or child domains, are attached to the initial domain they form a hierarchical structure. Any...

... default global directory for an organization comprised of multiple forests.
- You have partner or affiliate relationships. You may wish to have limited access to resources between an organization's partners or affiliated companies, but want to keep the administration separate. Creating multiple forests ensures separation of resources, and permits sharing only when specifically authorized.

... Settings
Here are some reasons for creating a multiple-domain tree. The following are design criteria that may require a multiple-domain tree.
- You need a distinct security boundary. If your organization uses decentralized administration, or if some groups must be separated for security reasons, creating multiple domains allows each domain to administer itself. Another reason to create separate domains is to...

... access of resources. Save your design to the \\London\solutions\lab7 share with yourteamnamelab7ex2.vsd as the file name.
[Lab diagram labels: taztrade.msft (empty root domain), shortcut trust, enchantment.taztrade.msft, lakes.taztrade.msft, ferguson.taztrade.msft, lucerne.ferguson.taztrade.msft, corp.taztrade.msft, shear.taztrade.msft]

Review
Slide Objective: To reinforce module objectives...

... decentralized administration may choose a single tree with an empty root domain. An empty root domain contains no OUs and only the enterprise administrator (or a small number of administrators) as the only users in the domain. The advantage of this model is a contiguous namespace with a distinct separation between divisions. In the scenario pictured in the slide, the root domain holds the default administrator
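Added example, not part of the courseware: a simplified model of the trust hierarchy described above, showing why the lab notes recommend a shortcut trust between queensland.taztrade.msft and southpacific.taztrade.msft. It assumes every parent-child trust and every shortcut trust is two-way and transitive, and treats the shortest chain of trusts as the path an authentication request follows; the function names are hypothetical and partner.example is a constructed domain standing in for a separate forest.

```python
from collections import deque

def parent_of(domain, domains):
    """Immediate parent by DNS name, or None if the domain is a tree root."""
    _, _, rest = domain.partition(".")
    return rest if rest in domains else None

def build_trust_graph(domains, shortcuts=()):
    """One two-way trust per parent-child pair, plus any shortcut trusts."""
    graph = {d: set() for d in domains}
    for d in domains:
        p = parent_of(d, domains)
        if p is not None:
            graph[d].add(p)
            graph[p].add(d)
    for a, b in shortcuts:  # assumption: shortcut trusts modelled as two-way
        graph[a].add(b)
        graph[b].add(a)
    return graph

def trust_path(graph, src, dst):
    """Shortest chain of trusts from src to dst (BFS), or None if none exists."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in sorted(graph[path[-1]]):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

# Domain names taken from the page.
TAZ = {"taztrade.msft", "queensland.taztrade.msft", "southpacific.taztrade.msft"}
NWT = {"nwtraders.msft", "us.nwtraders.msft", "europe.nwtraders.msft",
       "sales.us.nwtraders.msft"}
PARTNER = "partner.example"  # constructed: a domain in a separate forest

if __name__ == "__main__":
    q, sp = "queensland.taztrade.msft", "southpacific.taztrade.msft"
    # Without the shortcut, the path runs through the empty root domain.
    print(trust_path(build_trust_graph(TAZ), q, sp))
    # With the shortcut trust, the two domains trust each other directly.
    print(trust_path(build_trust_graph(TAZ, [(q, sp)]), q, sp))
    # A grandchild reaching a sibling branch crosses three trusts.
    print(trust_path(build_trust_graph(NWT),
                     "sales.us.nwtraders.msft", "europe.nwtraders.msft"))
    # No trust has been created to the other forest, so there is no path.
    print(trust_path(build_trust_graph(TAZ | {PARTNER}), q, PARTNER))
```

The deeper the tree, the longer the chain a cross-branch request has to traverse, which is the cost a shortcut trust removes for a pair of domains that share resources heavily.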

Date posted: 17/01/2014, 09:20
