Module 14 Implementing an Active Directory Infrastructure Overview
- Slides: 33
Module 14: Implementing an Active Directory Infrastructure

Overview
- Business Scenario
- Requirements for the Active Directory Infrastructure
- Class Discussion: How to Implement the Active Directory Infrastructure
- Lab A: Implementing the Active Directory Infrastructure
This module gives you the opportunity to apply the knowledge and skills that you learned in this course to implement and administer an Active Directory® directory service infrastructure. You will implement Active Directory based on the business requirements of a fictitious organization.
At the end of this module, you will be able to:
- Describe the infrastructure of a fictitious organization.
- Identify the business requirements for implementing the Active Directory infrastructure.
- Describe how to implement the Active Directory infrastructure.
- Perform the tasks necessary to implement the Active Directory infrastructure.

Business Scenario
[Map: North America (Toronto, Seattle, Detroit, Denver); Asia (Singapore, Bangalore); Australia (Sydney)]
In this module, a fictitious organization named Contoso, Ltd. will be used to demonstrate how to implement an Active Directory infrastructure based on an organization's business requirements. Contoso, Ltd. is a worldwide organization with 50,000 employees.
The following are the business specifications of the different regions of Contoso, Ltd.
- The North American region has 25,000 employees:
  - 24,500 employees are located in the four primary locations, and the other employees are located in the 10 branch offices in other major North American cities.
  - Three of the four primary locations are separate business units and operate independently. The fourth primary location is corporate headquarters.
  - Each branch office has 50 or fewer employees. The employees need access to resources in all four primary locations. But the employees seldom need access to resources in other locations.
  - T1 lines connect the four primary locations. All branch offices are connected to the nearest primary location by 128 kilobits per second (Kbps) lines.
- The Asian region has 15,000 employees:
  - The employees are located in the two locations, Bangalore and Singapore. There are 8,000 employees at the Bangalore location and 7,000 employees at the Singapore location. These locations make up a single business unit.
  - The employees need occasional access to resources in the corporate location in North America, but seldom need access to resources in the Australian location.
  - The Bangalore and Singapore locations are connected to each other and to the North American location by T1 lines.
- The Australian region has 10,000 employees:
  - All employees are located in a single location, Sydney.
  - The employees need occasional access to resources in the corporate location in North America, but seldom need access to resources in the Asian location.
  - The Australian location is connected to the North American location by a 128 Kbps line.
- Contoso, Ltd.'s growth is expected to be minimal over the next three years.
- There are three main departments within Contoso, Ltd.: Accounting, Human Resources, and Information Services. Each of these departments is further divided into smaller departments, and each location has employees from each of these departments.

Requirements for the Active Directory Infrastructure
Implementation Requirements:
- A Single Schema
- Fault Tolerance in the Forest Root Domain
- DNS Infrastructure in Place Before Installing Active Directory
- DNS Solution Must Be Secure
- Reduction in Network Traffic and Separate Security Group Policy
- Set Up Printer Locations
- Standardization of the Administrative Model of OUs
- Delegation of Administrative Control
- Creation of User and Group Types
- Access to Performance Review Data
- Group Policy to Manage Users’ Desktops and Deploy Applications
The implementation of the Active Directory infrastructure for Contoso, Ltd. should meet the following requirements:
- Use a single schema for the entire organization.
- Provide directory services and Domain Name System (DNS) fault tolerance in the forest root domain.
- Put the DNS infrastructure in place before installing Active Directory.
- Secure the DNS solution so that only authorized clients may register in DNS.
- Reduce network traffic between the North American, Asian, and Australian locations, and apply separate security Group Policy settings to the different locations.
- Set up printer locations so that users can easily locate the printers near them.
- Standardize the administrative model of organizational units (OUs) across all locations.
- Delegate administrative responsibility for OUs to appropriate employees.
- Create appropriate types of users and groups depending on their job requirements.
- Require each location to maintain performance review files of employees. All managers in the organization need access to this information.
- Implement Group Policy to manage users' desktops and deploy applications.

Class Discussion: How to Implement the Active Directory Infrastructure
- Installing and Configuring DNS
- Installing Active Directory
- Creating Sites and Site Links
- Setting Up Printer Locations
- Creating the OU Structure and Delegating Administrative Control
- Creating Users and Groups
- Implementing Group Policy
Based on the business scenario of Contoso, Ltd., you will implement a solution that uses Active Directory and Group Policy to satisfy the business requirements of the organization. In this section, you will discuss the plan for implementing DNS, Active Directory, sites and site links, printer locations, OU structure across domains, users and groups, and Group Policy.

Installing and Configuring DNS
- Root Domain Is contoso.msft
- Minimize DNS Name Resolution Network Traffic Between Regions
- DNS Should Be Secure
- DNS Is Fault Tolerant
How Do You Set Up DNS?
[Diagram: DNS for contoso.msft, asia.contoso.msft, and au.contoso.msft]

Installing and Configuring DNS (2)
- Install DNS Server Service on All Domains
- Implement Active Directory Integrated Zones and Secure Dynamic Updates on All DNS Servers
- Install at Least Two DNS Servers in the Forest Root Domain
[Diagram: DNS servers for contoso.msft (forest root), asia.contoso.msft, and au.contoso.msft; labels: Active Directory Integrated Zone, Secure Dynamic Update]

Installing Active Directory
- Single Schema
- Directory Services Are Fault Tolerant
- Reduce Network Traffic and Apply Separate Security Group Policy
- Ensure Operations Masters Are Working Correctly
How Do You Install Active Directory?
[Diagram: contoso.msft, asia.contoso.msft, au.contoso.msft]

Installing Active Directory (2)
- Single Forest with at Least Two Child Domains
- Two Domain Controllers in the Forest Root Domain
- Separate Domains in Each Region
- Can Transfer Infrastructure Master to a Non-Global Catalog Server
[Diagram: forest with root domain contoso.msft and child domains asia.contoso.msft and au.contoso.msft]

Creating Sites and Site Links
- Optimize Replication
- Minimize the Use of the Network Across WAN Links
- Manage Replication Between Sites
How Do You Ensure This?
[Map: North America (Toronto, Seattle, Detroit, Denver); Asia (Singapore, Bangalore); Australia (Sydney)]

Creating Sites and Site Links (2)
- Create Sites
- Associate Subnet Objects to Sites
- Create and Configure Site Links
[Map: North America (Toronto, Seattle, Detroit, Denver); Asia (Bangalore, Singapore); Australia (Sydney); labels: Site, IP subnet]

Setting Up Printer Locations
- Ease User Search for Printers Located Near Them
How Do You Ensure This?
[Diagram: location hierarchy for Contoso, Ltd.: regions (North America, Asia, Australia); cities (Seattle, Toronto, Detroit, Denver, Sydney, Bangalore, Singapore); buildings and floors under each city]

Setting Up Printer Locations (2)
- Implement Printer Locations
- Use Subnet Mask of 255. 0
[Diagram: location hierarchy for Contoso, Ltd. (North America, Asia, Australia; Seattle, Toronto, Detroit, Denver, Sydney, Bangalore, Singapore) with an IP subnet for each building or floor. Subnets shown with Seattle, Toronto, Detroit, Denver, and Sydney: 10.15.1.0, 10.15.2.0, 10.15.3.0, 10.20.1.0, 10.20.3.0, 10.30.1.0, 10.30.2.0, 10.60.1.0, 10.60.2.0, 10.60.3.0. Subnets shown with Bangalore and Singapore: 10.40.1.0, 10.40.2.0, 10.50.1.0, 10.50.2.0]

Creating the OU Structure and Delegating Administrative Control
- Standardized Administrative Model
- Delegate Administrative Control
What Is the OU Structure for Each Domain and How Will You Delegate Administrative Control for Each Domain?

Creating Organizational Units (2)
- Create a Common OU Structure in Each Domain
- Delegate Administrative Control of the Three Department OUs to a Different Administrator
[Diagram: OU tree]
- Information Services: Help Desk, Apps, OS, Customer Support, Messaging
- Human Resources: Benefits, Payroll, Training, Recruiting
- Accounting: Accts Payable, Receivable

Creating Users and Groups
- Create Multiple Users
- Managers Need Read Access to the Performance Review Data for the Entire Organization
- Managers Need Full Control to the Performance Review Data of Employees in Their Departments
How Do You Set Up Groups?
[Diagram: Performance Review data; asia.contoso.msft, au.contoso.msft]

Creating Users and Groups (2)
1. Add Manager Accounts into a Department Global Group in Each Domain
2. Add Department Global Groups into a Domain Managers Global Group
3. Add Domain Managers Global Group into a Universal Group
4. Add Universal Group into Domain Local Groups for Each Domain
5. Assign Read Permissions for Performance Review Data to the Domain Local Group
[Diagram: steps 1 to 5 shown across contoso.msft, asia.contoso.msft, and au.contoso.msft, with a domain local group (DLG) in each domain and the Performance Review data]
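
The five steps above can be checked against the Active Directory group scope rules before any group is created. The following is an added example, not part of the course material: a Python model that assumes native-mode scope rules and uses hypothetical group and account names (one manager per department per domain). It builds steps 1 to 4, rejects nestings the scopes do not allow, and resolves which accounts reach each domain local group.

```python
from collections import defaultdict

ACCOUNT, GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "account", "global", "universal", "domain_local"
DOMAINS = ("contoso.msft", "asia.contoso.msft", "au.contoso.msft")
# container scope -> {member kind: may the member come from another domain?}
NESTING_RULES = {
    GLOBAL: {ACCOUNT: False, GLOBAL: False},
    UNIVERSAL: {ACCOUNT: True, GLOBAL: True, UNIVERSAL: True},
    DOMAIN_LOCAL: {ACCOUNT: True, GLOBAL: True, UNIVERSAL: True, DOMAIN_LOCAL: False},
}
objects = {}                 # hypothetical object name -> (kind, domain)
members = defaultdict(set)   # group name -> direct member names

def nest(member, group):
    # Add member to group, rejecting nestings the scope rules forbid.
    (m_kind, m_dom), (g_kind, g_dom) = objects[member], objects[group]
    rule = NESTING_RULES.get(g_kind, {})
    if m_kind not in rule:
        raise ValueError(f"a {g_kind} object cannot contain a {m_kind} object")
    if not rule[m_kind] and m_dom != g_dom:
        raise ValueError(f"{group} only accepts {m_kind} members from {g_dom}")
    members[group].add(member)

def accounts_in(group):
    # Expand nested membership down to user accounts; 'seen' guards against loops.
    found, stack, seen = set(), [group], set()
    while stack:
        current = stack.pop()
        if objects[current][0] == ACCOUNT:
            found.add(current)
        elif current not in seen:
            seen.add(current)
            stack.extend(members[current])
    return found

def build_read_chain():
    objects["U-All-Managers"] = (UNIVERSAL, DOMAINS[0])
    for dom in DOMAINS:
        objects[f"G-Managers@{dom}"] = (GLOBAL, dom)
        objects[f"DL-Review-Read@{dom}"] = (DOMAIN_LOCAL, dom)
        for dept in ("Accounting", "Human Resources", "Information Services"):
            mgr, dept_group = f"mgr-{dept}@{dom}", f"G-{dept}-Managers@{dom}"
            objects[mgr], objects[dept_group] = (ACCOUNT, dom), (GLOBAL, dom)
            nest(mgr, dept_group)                        # step 1
            nest(dept_group, f"G-Managers@{dom}")        # step 2
        nest(f"G-Managers@{dom}", "U-All-Managers")      # step 3
        nest("U-All-Managers", f"DL-Review-Read@{dom}")  # step 4

build_read_chain()  # step 5 then grants Read to DL-Review-Read in each domain
```

Because the Read permission names only the domain local group, `accounts_in` on that group is the full list of accounts to review when auditing access to the performance review data.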

Creating Users and Groups (3)
1. Add Manager Accounts into a Department Global Group
2. Add 3 Department Global Groups into 3 Domain Local Groups
3. Assign Full Control Permission for Performance Review to the Domain Local Group for Each Department
[Diagram: steps 1 to 3 shown across contoso.msft, asia.contoso.msft, and au.contoso.msft, with domain local groups (DLG) and the Performance Review data]

Implementing Group Policy
- Deploy Cosmo 2 Application to All Users Except Those in Human Resources OU.
- Deploy Windows 2000 Support Tools to All Users in the Information Services OU Except Those in the Contractors Group.
- Implement the Organization-Wide Group Policy Settings by Using Administrative Templates.
- Secure the Network Resources by Implementing Organization-Wide Group Policy Settings.
What Is the Proposed Group Policy Implementation for All Domains?
[Diagram: domain OU tree: Information Services (Help Desk, Applications, Messaging, Operating Systems, Customer Support); Human Resources (Benefits, Payroll, Training, Recruiting); Accounts Payable, Accounts Receivable]

Implementing Group Policy (2)
- Enable the Block Policy Inheritance for the GPO Linked to the Human Resources OU
[Diagram: domain OU tree: Information Services (Help Desk, Applications, Messaging, Operating Systems, Customer Support); Human Resources (Benefits, Payroll, Training, Recruiting); Accounts Payable, Accounts Receivable; labels: GPOs, No GPO Settings Apply]

Implementing Group Policy (3)
- Create and Link a GPO to the Information Services OU
- Deny the Apply Group Policy Permission to the User Accounts of the Contractors Group in the Messaging OU
[Diagram: domain OU tree: Information Services (Help Desk, Applications, Messaging, Operating Systems, Customer Support)]

Lab A: Implementing the Active Directory Infrastructure
Course Evaluation