Chapter 1
When you deploy the Microsoft Windows Server 2003 Active Directory directory service in your environment, you can take advantage of the centralized, delegated administrative model and single sign-on capability that Active Directory provides. After you identify the current environment and deployment goals for your organization, you can create the Active Directory deployment strategy that meets your organization's needs. Testing the deployment in an isolated lab environment and refining the deployment in selected pilot areas of your production environment help to ensure a smooth deployment throughout your organization.
In This Chapter
Overview of Planning an Active Directory Deployment Project
Determining Your Active Directory Design and Deployment Strategy
Testing and Verifying the Deployment Process
Additional Resources
Related Information
For more information about planning, testing, and piloting a deployment project, see Designing a Test Environment and Planning and Testing for Application Deployment in Planning, Testing, and Piloting Deployment Projects in this kit. For more information about deploying Windows Server 2003 Domain Name System (DNS), see Deploying DNS in Deploying Network Services in this kit.
For more information about Group Policy, see the Distributed Services Guide of the Microsoft Windows Server 2003 Resource Kit (or see the Distributed Services Guide on the Web at http://www.microsoft.com/reskit).
Although the Windows Server 2003 Active Directory design and deployment strategies that are presented in this book are based on extensive lab and pilot-program testing and successful implementation in customer environments, you might have to customize your Active Directory design and deployment to better suit specific, complex environments. For more information about deploying Active Directory in a branch office environment, see the Active Directory Branch Office Planning Guide. For more information about deploying Active Directory in an Exchange environment, see Best Practice Active Directory Design for Exchange 2000. For more information about deploying Active Directory in a multiple forest environment, see Multiple Forest Considerations. To download these guides, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources, and then click Planning & Deployment Guides. This book also provides flowcharts, job aids, and deployment examples to help you optimize your Active Directory design and deployment process.
Migration
The process of moving an object from a source domain to a target domain, while preserving or modifying characteristics of the object to make it accessible in the new domain.
Domain restructure
A migration process that involves changing the domain structure of a forest. A domain restructure can involve either consolidating or adding domains, and can take place between forests or within a forest.
Domain consolidation
A restructuring process that involves eliminating Microsoft Windows NT 4.0 domains or Active Directory domains by merging their contents with the contents of other domains.
Domain upgrade
The process of upgrading the directory service of a domain to a later version of the directory service. This includes upgrading the operating system on all domain controllers and raising the Active Directory functional level where applicable.
Regional domain
A child domain that is created based on a geographic region in order to optimize replication traffic.
The Active Directory deployment strategy that you apply varies according to your existing network configuration. For example, if your organization currently runs Windows 2000, you can upgrade the operating system on your existing domain controllers to Windows Server 2003 without redesigning the directory. If your organization currently runs Windows NT 4.0 or a non-Windows network operating system, however, you must design an Active Directory infrastructure before you upgrade to Windows Server 2003. Your deployment process might also involve restructuring existing domains, either within an Active Directory forest or between Active Directory forests. You might need to restructure your existing domains after you deploy Windows Server 2003 Active Directory, or after organizational changes or corporate acquisitions. You can also restructure domains from a Windows NT 4.0 environment into an Active Directory forest in order to upgrade your production environment to Windows Server 2003.
Table 1.1 lists the possible starting points and goals for a Windows Server 2003 Active Directory deployment and the corresponding deployment steps and chapters in this book that apply to each.

Table 1.1 Current Environment, Goals, and Corresponding Chapters for Deploying Windows Server 2003 Active Directory

Environment: New organization
Deployment goals:
- Create forest, domain, DNS, and organizational unit design.
- Create a site and site link design.
- Assess hardware requirements.
- Deploy the forest root domain.
- Deploy regional domains.
- Raise the domain and forest functional levels.
Corresponding chapters:
- Chapter 2: Designing the Active Directory Logical Structure
- Chapter 3: Designing the Site Topology
- Chapter 4: Planning Domain Controller Capacity
- Chapter 6: Deploying the Windows Server 2003 Forest Root Domain
- Chapter 7: Deploying Windows Server 2003 Regional Domains
- Chapter 5: Enabling Advanced Windows Server 2003 Active Directory Features

Environment: Windows NT 4.0
Deployment goals:
- Create forest, domain, DNS, and organizational unit design.
- Create a site and site link design.
- Assess hardware requirements.
- Deploy the forest root domain.
- Deploy regional domains.
- Upgrade in-place Windows NT 4.0 domains that will remain part of your Active Directory domain structure.
- Restructure other Windows NT 4.0 domains.
- Raise the domain and forest functional levels.
Corresponding chapters:
- Chapter 2: Designing the Active Directory Logical Structure
- Chapter 3: Designing the Site Topology
- Chapter 4: Planning Domain Controller Capacity
- Chapter 6: Deploying the Windows Server 2003 Forest Root Domain
- Chapter 7: Deploying Windows Server 2003 Regional Domains
- Chapter 8: Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory
- Chapter 5: Enabling Advanced Windows Server 2003 Active Directory Features

Environment: Windows 2000
Deployment goals:
- Upgrade Windows 2000 domain controllers.
- Raise the domain and forest functional levels.
Corresponding chapters:
- Chapter 9: Upgrading Windows 2000 Domains to Windows Server 2003 Domains
- Chapter 5: Enabling Advanced Windows Server 2003 Active Directory Features
Table 1.2 lists the goals and corresponding chapters that apply to restructuring domains either within or between forests.

Table 1.2 Goals and Corresponding Chapters for Restructuring Active Directory Domains

Action: Restructure domains within a forest
Deployment goals:
- Create forest, domain, DNS, and organizational unit design.
- Create a site and site link design.
- Use a tool such as Active Directory Migration Tool (ADMT) to restructure domains within a forest.
Corresponding chapters:
- Chapter 2: Designing the Active Directory Logical Structure
- Chapter 3: Designing the Site Topology
- Chapter 12: Restructuring Active Directory Domains Within a Forest

Action: Restructure domains between forests
Deployment goals:
- Create forest, domain, DNS, and organizational unit design.
- Create a site and site link design.
- Use a tool such as ADMT to restructure domains between forests.
Corresponding chapters:
- Chapter 2: Designing the Active Directory Logical Structure
- Chapter 3: Designing the Site Topology
- Chapter 11: Restructuring Active Directory Domains Between Forests
SID history is required. Passwords are always retained. For workstations that run Windows 2000 and later, local profiles are migrated automatically because the user's GUID is preserved. However, you must use a tool such as ADMT to migrate local profiles for workstations that run Windows NT 4.0 and earlier. You must migrate accounts in closed sets.
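The closed-set and SID history requirements above can be checked before a batch is handed to ADMT. The following PowerShell script is an added example and is not part of the Deployment Kit or of ADMT: it works from constructed in-memory tables rather than a live domain (a real run would fill the tables from the source domain, for example with Get-ADUser and Get-ADGroup on a current administrative workstation, since Windows Server 2003 itself has no PowerShell), and the closed-set rule it encodes (every group that a user in the set belongs to, and every member of each of those groups, must also be in the set) is an assumption stated in the code, not a definition taken from this page. The account names, group names and SID values are constructed for the example.

```powershell
# Added example, not from the Deployment Kit: checks that a proposed
# intraforest migration batch is a closed set and that accounts already
# migrated carry SID history. All directory data is constructed inline so
# the script runs offline on Windows PowerShell 5.1 or PowerShell 7.

# Constructed sample: each user and the global groups it belongs to.
$Users = @{
    'alice' = @('Sales-GG', 'Finance-GG')
    'bob'   = @('Sales-GG')
    'carol' = @('Finance-GG')
    'dave'  = @('Eng-GG')
}
# Constructed sample: each global group and its user members.
$Groups = @{
    'Sales-GG'   = @('alice', 'bob')
    'Finance-GG' = @('alice', 'carol')
    'Eng-GG'     = @('dave')
}

function Get-ClosedSet {
    # Assumption (the definition is not on this page): a closed set holds every
    # group that any user in the set belongs to, and every member of each of
    # those groups, so no group membership is left pointing across domains.
    param([string[]]$SeedUsers)
    $cmp      = [System.StringComparer]::OrdinalIgnoreCase   # AD names are case-insensitive
    $userSet  = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $groupSet = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $queue    = [System.Collections.Generic.Queue[string]]::new()
    foreach ($u in $SeedUsers) { $queue.Enqueue($u) }
    while ($queue.Count -gt 0) {
        $u = $queue.Dequeue()
        if (-not $userSet.Add($u)) { continue }          # already expanded
        foreach ($g in $Users[$u]) {
            if ($groupSet.Add($g)) {                      # first time this group is seen
                foreach ($m in $Groups[$g]) {
                    if (-not $userSet.Contains($m)) { $queue.Enqueue($m) }
                }
            }
        }
    }
    [pscustomobject]@{ Users = @($userSet); Groups = @($groupSet) }
}

function Test-ClosedSet {
    # Compares a proposed batch with the closure of its users and reports what
    # must be added before the batch can be moved as one unit.
    param([string[]]$ProposedUsers, [string[]]$ProposedGroups)
    $closure = Get-ClosedSet -SeedUsers $ProposedUsers
    $missingUsers  = @($closure.Users  | Where-Object { $ProposedUsers  -notcontains $_ })
    $missingGroups = @($closure.Groups | Where-Object { $ProposedGroups -notcontains $_ })
    [pscustomobject]@{
        IsClosed      = ($missingUsers.Count -eq 0 -and $missingGroups.Count -eq 0)
        MissingUsers  = $missingUsers
        MissingGroups = $missingGroups
    }
}

# Constructed sample of accounts after the move. sIDHistory is multi-valued,
# so an empty list means the old SID was not carried over.
$Migrated = @(
    [pscustomobject]@{ SamAccountName = 'alice'; SIDHistory = @('S-1-5-21-1-2-3-1105') }
    [pscustomobject]@{ SamAccountName = 'bob';   SIDHistory = @() }
)

function Find-MissingSidHistory {
    # Returns the names of migrated accounts whose sIDHistory is empty.
    param([object[]]$Accounts)
    @($Accounts | Where-Object { @($_.SIDHistory).Count -eq 0 } |
        ForEach-Object { $_.SamAccountName })
}

# Usage: a batch of bob, alice and Sales-GG is not closed, because alice is
# also a member of Finance-GG, which in turn contains carol.
Test-ClosedSet -ProposedUsers 'bob', 'alice' -ProposedGroups 'Sales-GG' | Format-List
# Usage: bob was moved without SID history and has to be migrated again.
Find-MissingSidHistory -Accounts $Migrated
```

With the constructed data, Test-ClosedSet reports IsClosed false, MissingUsers carol and MissingGroups Finance-GG, and Find-MissingSidHistory returns bob. The closure is computed breadth-first over users and groups alternately, so nested membership chains of any depth are pulled in; dave and Eng-GG stay out because nothing in the seed set reaches them.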
Closed sets
After reviewing its existing environment and identifying its deployment goals, Contoso established the following Active Directory deployment strategy:
- Upgrade Windows 2000 domains to Windows Server 2003 domains.
- Enable advanced Active Directory features by raising the domain and forest functional levels to Windows Server 2003.

After upgrading all Windows 2000 domains to Windows Server 2003 domains, Contoso will restructure the africa.concorp.contoso.com domain within the forest to consolidate it with the emea.concorp.contoso.com domain.
The Contoso corporation is acquiring a company called Trey Research, which currently runs a Windows NT 4.0-based environment, as shown in Figure 1.5.

Figure 1.5 Current Environment for Trey Research
Contoso established the following Active Directory deployment strategy for its Trey Research acquisition:
- Design the Active Directory logical structure to create forest, domain, DNS, and organizational unit designs for the new Windows Server 2003 environment.
- Design the site topology to create the required sites, site links, and site link bridges.
- Plan domain controller capacity to determine the hardware requirements for the new Windows Server 2003 environment.
- Deploy trccorp.treyresearch.net as the forest root domain.
- Deploy three regional domains. Different teams can create these domains simultaneously:
  - Upgrade the EAST domain to Windows Server 2003 to become east.trccorp.treyresearch.net.
  - Create two new Windows Server 2003 regional domains called asia.trccorp.treyresearch.net and west.trccorp.treyresearch.net.
- Restructure the BOSTON, MAIL-APPS, PROD-APPS, and OFFICE-APPS domains into the east.trccorp.treyresearch.net Windows Server 2003 domain by using ADMT.
- Raise the domain and forest functional levels to Windows Server 2003.
At a later time, Contoso determined that a single domain would be more cost-effective for the Europe, Middle East, and Asia region, so the final step in the deployment process is to restructure asia.trccorp.treyresearch.net into the emea.concorp.contoso.com domain in the Contoso forest by using ADMT. Figure 1.7 shows the domain structure for the Contoso corporation after the acquisition of Trey Research and the Windows Server 2003 Active Directory deployment process is complete. Figure 1.7 Final Environment for Contoso and Trey Research
Ensure that the test lab environment is isolated from the rest of your organization's production network and represents, on a small scale, the hardware and operating system configuration of the computers in your organization. Include enough domain controllers in the lab environment to support a representative sample of your site design, including intrasite and intersite replication partners, site links, and realistic replication intervals. Include user and group accounts and other resources that are exclusively designated for testing. Ensure that your test environment provides access to test configurations of external services, such as mainframe or Internet access, as required. Retain the lab permanently to test new procedures and train the deployment team. The deployment team can use the lab environment to learn the specifics of your deployment process and to gain familiarity with the deployment and migration tools that are used during the Active Directory deployment.

Typically, the design assumption tests and the deployment process tests are performed by different teams. Table 1.4 lists the lab tests and the team members who perform the tests in the lab.

Table 1.4 Lab Tests and Corresponding Team Members

Test process: Test design assumptions
- Analyze Active Directory replication and site topology. Team members: design team, site topology owner, and deployment team.
- Test application and desktop compatibility. Team members: design team.
- Test disaster recovery. Team members: forest owner and deployment team.

Test process: Test deployment process
- Test account and resource migration. Team members: forest owner and deployment team.
- Evaluate delegation, administration, and management. Team members: forest owner.
Existing desktop applications run correctly when the domain infrastructure is migrated to Windows Server 2003 Active Directory. Existing applications that use integrated Windows security run correctly when the domain infrastructure is migrated to Windows Server 2003 Active Directory.
If you find that a server application cannot be migrated to a Windows Server 2003-based domain controller, you can try to reinstall the application, or a later version of the application, on a Windows Server 2003-based member server. If the application cannot run on a server that runs Windows Server 2003, you can continue to run the application on the server that runs Windows NT 4.0 or Windows 2000. Provide feedback to the design team that the server application's domain cannot be upgraded in place or consolidated and must remain until a version of the application that can run on a Windows Server 2003-based domain controller is available. As a long-term deployment goal, transition any applications that currently run on domain controllers to member servers.
Make sure that the tests represent the slowest connection speeds in your environment and the largest number of user accounts. For example, when you determine the time that is required to restore a failed domain controller, make sure to test the restore of System State data from your backup for any domain controller that is the only one in a site that is connected with a data rate of 128 Kbps or less. In addition, test the restore of System State data from your backup for any domain controller in a domain that contains more than 20,000 user accounts. When a domain controller is connected to other domain controllers with a data rate that is equal to or greater than 128 Kbps, test your process for installing Active Directory on a new domain controller and letting Active Directory replication repopulate the Active Directory database. For more information about testing disaster recovery, see the Active Directory Disaster Recovery (.doc) link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
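As an added example that is not from the Deployment Kit, the PowerShell script below applies the two thresholds above (128 Kbps and 20,000 user accounts) to a constructed site topology and lists which domain controllers need a System State restore test from backup and which can be tested by reinstalling the domain controller and letting replication repopulate the database. The site data rates, domain sizes and domain controller names are constructed for the example; Get-ADDomainController, mentioned in the comments as the way to list real domain controllers with their Site and Domain properties, is not called, so the script runs offline on Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example, not from the Deployment Kit: selects the disaster recovery
# test cases that the lab must cover, using the thresholds from the text.

# Constructed: data rate in Kbps of each site's connection to the rest of the forest.
$SiteKbps = @{ 'Hub' = 100000; 'Lagos' = 64; 'Paris' = 512; 'Nairobi' = 128 }

# Constructed: number of user accounts in each domain.
$DomainUsers = @{
    'concorp.contoso.com'        = 35000
    'africa.concorp.contoso.com' = 4000
    'emea.concorp.contoso.com'   = 12000
}

# Constructed: domain controllers with their sites and domains. In a live
# forest: Get-ADDomainController -Filter * | Select-Object Name, Site, Domain
$DomainControllers = @(
    [pscustomobject]@{ Name = 'HUB-DC1'; Site = 'Hub';     Domain = 'concorp.contoso.com' }
    [pscustomobject]@{ Name = 'HUB-DC2'; Site = 'Hub';     Domain = 'concorp.contoso.com' }
    [pscustomobject]@{ Name = 'LOS-DC1'; Site = 'Lagos';   Domain = 'africa.concorp.contoso.com' }
    [pscustomobject]@{ Name = 'PAR-DC1'; Site = 'Paris';   Domain = 'emea.concorp.contoso.com' }
    [pscustomobject]@{ Name = 'NBO-DC1'; Site = 'Nairobi'; Domain = 'africa.concorp.contoso.com' }
    [pscustomobject]@{ Name = 'NBO-DC2'; Site = 'Nairobi'; Domain = 'africa.concorp.contoso.com' }
)

function Get-RestoreTestCases {
    param(
        [object[]]$Dcs,
        [hashtable]$SiteKbps,
        [hashtable]$DomainUsers,
        [int]$SlowLinkKbps     = 128,     # "128 Kbps or less" in the text
        [int]$LargeDomainUsers = 20000    # "more than 20,000 user accounts"
    )
    # Count domain controllers per site so single-DC sites can be recognized.
    $dcsPerSite = @{}
    foreach ($dc in $Dcs) { $dcsPerSite[$dc.Site] = 1 + [int]$dcsPerSite[$dc.Site] }

    foreach ($dc in $Dcs) {
        $kbps  = $SiteKbps[$dc.Site]
        $users = $DomainUsers[$dc.Domain]
        $reasons = @()
        if ($dcsPerSite[$dc.Site] -eq 1 -and $kbps -le $SlowLinkKbps) {
            $reasons += "only DC in site $($dc.Site), connected at $kbps Kbps"
        }
        if ($users -gt $LargeDomainUsers) {
            $reasons += "domain $($dc.Domain) has $users user accounts"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                DomainController = $dc.Name
                Test             = 'Restore System State from backup'
                Reason           = ($reasons -join '; ')
            }
        }
        # Well-connected DCs are tested by promotion plus replication instead.
        if ($kbps -ge $SlowLinkKbps) {
            [pscustomobject]@{
                DomainController = $dc.Name
                Test             = 'Reinstall DC and repopulate by replication'
                Reason           = "site $($dc.Site) connected at $kbps Kbps"
            }
        }
    }
}

Get-RestoreTestCases -Dcs $DomainControllers -SiteKbps $SiteKbps -DomainUsers $DomainUsers |
    Sort-Object DomainController, Test | Format-Table -AutoSize
```

With the constructed data, LOS-DC1 gets only the System State restore test (sole domain controller in a 64 Kbps site), HUB-DC1 and HUB-DC2 get both tests (their domain holds 35,000 users and the hub is well connected), and PAR-DC1, NBO-DC1 and NBO-DC2 get only the reinstall-and-replicate test. The 128 Kbps value falls into both branches, exactly as the text states it, so a single-DC site at precisely 128 Kbps is tested both ways.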
In your pilot deployment, begin with users who are involved in the deployment project, and then include users who are representative of your user population.
Important
When you migrate production users to the pilot, leave the user accounts enabled in the production and the pilot environments. By leaving the user accounts enabled in the production environment, you provide a fallback plan if any problems occur in the pilot environment.
Additional Resources
These resources contain additional information and tools related to this chapter.
Related Information
- Designing the Active Directory Logical Structure in this book.
- Designing the Site Topology in this book.
- Planning Domain Controller Capacity in this book.
- Enabling Advanced Windows Server 2003 Active Directory Features in this book.
- Deploying the Windows Server 2003 Forest Root Domain in this book.
- Deploying the Windows Server 2003 Regional Domains in this book.
- Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory in this book.
- Upgrading Windows 2000 Domains to Windows Server 2003 Domains in this book.
- Restructuring Windows NT 4.0 Domains to an Active Directory Forest in this book.
- Restructuring Active Directory Domains Between Forests in this book.
- Restructuring Active Directory Domains Within a Forest in this book.
- Deploying DNS in Deploying Network Services in this kit.
- The Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Click Planning & Deployment Guides to find additional links where you can download the following guides:
  - Active Directory Branch Office Planning Guide
  - Active Directory Operations Guide
  - Best Practice Active Directory Design for Exchange 2000
  - Multiple Forest Considerations
  - Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations: Part I