Designing Your Windows 2000 Active Directory - Part 3
There are many considerations in planning your Active Directory. Do not expect to get it right the first time. For large environments, you may consider separating the planning into two or more phases.
Figure 2. Forest, Tree, and Domain Structure.
First, design what you consider to be the ideal structure, even if it does not reflect your current domain or directory infrastructure. Although what is considered the ideal structure may not seem attainable in the current situation, it may be at a later date or under different circumstances.
Next, review your existing Windows NT Server 4.0 domain model and compare it to the business, support, and administration models and goals identified above. Then begin the design of your corporate forest, tree, domain, and organizational unit structure. Figure 2 shows the structure of a forest, with trees and domains.
Steps For Designing the Active Directory Architecture
- Design forest, tree, and domain structure: When designing your forest, start with one domain and ensure that any additional domains are justified. Keep the domain structure as broad and flat as possible to facilitate faster searches for objects within the directory.
- Design the DNS structure and namespace.
- Justify any additional forests.
- Justify additional Windows 2000 domains.
- Justify an explicit trust between domains.
- Select domain migration model.
- Design domain schema: The schema should be consistent throughout the enterprise for ease of administration. Object definitions within a tree must be consistent; however, definitions can differ between the trees in a forest.
- Design site boundaries, intrasite replication, intersite replication, and site scope. Determine the size of a site and the factors affecting site scope. Services performed within a site include the following: client authentication, group policy execution, global catalog sourcing, domain controller sourcing, replication, Distributed File System (DFS) access, and the File Replication Service (FRS), which replicates the system policies and logon scripts stored in the System Volume (SYSVOL) and replicates DFS data.
- Design global catalog structure and usage. Design the global catalogs very carefully, specifying attributes that will be indexed for rapid searching.
- Design OU structure and determine what justifies the creation of OUs.
- Delegate administration.
- Design Group Policy objects (GPOs) for each level; that is, sites, domains, and organizational units.
- Design site GPOs.
- Design domain GPOs.
- Design OU GPOs.
- Determine GPO overlap for even more granular permissions.
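As an added illustration of the GPO overlap in the last steps (this is example code, not from the article), the following Python model applies GPOs in Windows 2000's Site, Domain, OU order (local policy omitted) and shows how a "No Override" link and a "Block Policy inheritance" container decide which setting a user or computer in a given OU actually receives. The site, domain, OU and GPO names and settings are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict            # setting name -> value
    no_override: bool = False # Windows 2000 "No Override" on the link

@dataclass
class Container:              # a site, a domain or an OU
    name: str
    gpos: list = field(default_factory=list)  # link order: index 0 = highest precedence
    block_inheritance: bool = False           # "Block Policy inheritance" on this container

def application_order(chain):
    """chain lists containers from the site down to the target OU (S, D, OU order).
    Returns the GPOs in the order they are applied; a later GPO overrides
    an earlier one when both set the same setting."""
    normal, enforced = [], []
    for container in chain:
        if container.block_inheritance:
            normal = []      # drop inherited GPOs; No Override GPOs survive the block
        for gpo in reversed(container.gpos):   # lowest precedence at this level first
            (enforced if gpo.no_override else normal).append(gpo)
    # No Override GPOs are applied last; the one highest in the tree wins conflicts
    return normal + list(reversed(enforced))

def effective_policy(chain):
    """Resolve the settings received in the last container of the chain.
    Returns (setting -> value, setting -> name of the winning GPO)."""
    values, winner = {}, {}
    for gpo in application_order(chain):
        for key, value in gpo.settings.items():
            values[key], winner[key] = value, gpo.name
    return values, winner

# Constructed sample hierarchy: Site -> Domain -> OU Finance -> OU Workstations
SAMPLE_CHAIN = [
    Container("Default-First-Site", [GPO("Site-Desktop", {"screensaver_timeout": 900})]),
    Container("corp.example.com", [
        GPO("Domain-Security", {"min_password_length": 8, "screensaver_timeout": 600},
            no_override=True),
        GPO("Domain-Desktop", {"wallpaper": "corp.bmp"}),
    ]),
    Container("Finance", [GPO("Finance-Desktop", {"screensaver_timeout": 300,
                                                 "wallpaper": "finance.bmp"})],
              block_inheritance=True),
    Container("Workstations", [GPO("WS-Wallpaper", {"wallpaper": "ws.bmp"})]),
]

if __name__ == "__main__":
    values, winner = effective_policy(SAMPLE_CHAIN)
    for key in sorted(values):
        print(f"{key} = {values[key]}  (from {winner[key]})")
```

Running it shows the domain's enforced screensaver timeout beating the Finance OU's value even though Finance blocks inheritance, while the site GPO is dropped entirely.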
Figure 3. The Organizational Unit Tree Structure.
Designing Security
Design the security model and policies for each level. With Windows 2000 and the Active Directory, you can become very granular with security. Allow yourself additional time for developing the security model, for there is much to learn.
Next: Designing Your Windows 2000 Active Directory - Part 4
