Domain controllers authenticate users and perform many other administrative functions that keep AD running smoothly. If at all possible, you should try to include one domain controller for each replication site where interactive logins occur. Funneling all the login traffic for a network into a small number of remote computers significantly decreases overall network performance and user satisfaction.

Domain controllers tend to use more expensive hardware than typical workstations. If cost is an issue and you are limited in the number of domain controllers, don’t skimp on the connectivity speed between domain controllers. If you are using an Ethernet network, try to have 100 Mbit connections between domain controllers and, if possible, across the entire network.

The first domain controller in an Active Directory network usually hosts the different operations master roles. There are a few different types of operations masters, and they aren’t all used or manually modified very often. You can usually just allow the first domain controller to retain the operations master’s functions.

Global catalog servers keep track of just about everything to do with objects and replicate that information on a regular basis. This means that global catalog servers need a lot of bandwidth. You have to strike a balance between the number of global catalog servers and the amount of available bandwidth you have supporting them.

The more global catalog servers you have, the faster the response for each request, assuming there is enough bandwidth to run at full capacity with room to spare for periodic fluctuations in network traffic.

Although it’s possible to have multiple domains sharing a single Active Directory, most of the time a well-designed single domain with multiple subdomains is an easier and more efficient solution to create and maintain. Active Directory can encompass multiple domains, sites, and forests. This can become very complex, so if you’re given a choice between single or multiple domains, always choose single unless there is a compelling reason to do otherwise. In a few cases, a multiple domain strategy is the best solution:

Domains within an Active Directory are automatically arranged in a hierarchical tree structure. The first domain in a tree is called a root tree . Every domain tree has a single root tree. Root trees and their child domains can be linked into a forest of domain trees. All trees in the forest have two-way transitive trust relationships, which means all user accounts in a forest can potentially access all resources in all domains in the forest.

The domain that will act as the root tree is created first. Most of the time, the root domain contains many of the resources and structures that will be used throughout all the child domains. You can name the root domain with the company name and create child domains for each department within a company. Sometimes, a company will want to further separate the branches of a tree from a common root domain without resorting to creating a multiple tree domain. This is made possible by creating an empty root domain .

Suppose two companies merge and they want to have the benefits of automatic two-way trusts and a single domain tree while still maintaining a bit of separation between each domain. If the departmental structure of the companies is quite different, it might be easier not to have a common Organizational Unit structure.

If the first domain in a tree is left relatively empty, the child domains will be starting with a nearly clean organizational slate. This is a good way of organizing a company with one name and many separate divisions. In a smaller company, the same principle applies to a single domain’s Organizational Unit structure. Each parent OU can be separated from the other’s while still being connected with a hierarchical tree structure.

You probably won’t want to create a multiple forest structure for a single organization, regardless of how many divisions they have. Because they only allow for specific one-way trusts between two domains, linking the forests can be an administrative nightmare. In a few specific cases, a multiple forest may be your best option:

Many businesses have a central ownership, but have separate names to describe each division. It is especially important to maintain name identification throughout the company if you choose to use the same domains for internal and external use. You can maintain brand identity through separate names while maintaining all the benefits of a single forest structure by naming each domain root for each separate division.

A multiple-tree forest is far easier to manage than a multiple forest. All trust relationships are two-way and are configured automatically. Replication among domains is easy to accomplish by the strategic division of replication sites that can encompass just about any well connected area of the forest, regardless of domain.

An Organizational Unit (OU) is a group of related objects that share access permissions. They are used similarly to the way groups were used in Windows NT, except that OUs can contain just about any type of object, not only user accounts.

Organizational Units provide a logical way to group and collectively manage such network resources as user accounts, files, folders, and printers. Usually, the OU matches a real-life department or team within a company. There are many benefits to dividing up the Active Directory into OUs.

The most obvious benefit is the ability to quickly map a company’s departmental structure to permissions-based groups, where all the objects that need to perform job functions can be administered together as a unit.

The other benefit is the ability to easily delegate authority. You can assign administrator-like privileges to the manager of the web design department for all the scanners, printers, and web directories used by the department without giving that manager an Administrator account for the whole network.

By repeating this process, you can allow departmental managers to have day-to-day control over their work environment without any undue security risks. This will free more time for you to manage, monitor, and maintain the network as a whole without micromanaging every department.

The best part is that, when a new resource or employee is added or removed, you can simply drag and drop that resource in or out of the OU. What you’ll do is create a domain for the company, create subdomains where appropriate, and divide the remaining resources into OUs based on departmental divisions.

This is the easiest component to remember. Any individual network resource in the Active Directory is considered an object. User accounts, files, folders, printers, and Organizational Units are all objects.

Objects have properties that describe what they are and permissions to control who has access to them. Objects can generally be moved around the Active Directory by dragging and dropping them in the Microsoft Management Console (MMC). The definitions of all objects are stored in the schema, which is covered in more detail later in this chapter as well as in other sections of the book.

It’s a lot easier to manage security for a group of similar users rather than to assign permissions to each individual user account. Windows 2000 has three types of security groups detailed in Table 23-3.

All of the groups can contain other groups. Putting one group inside another is called nesting. Nesting is an efficient way to manage permissions for a large number of users while limiting the number of groups you have to directly manage on a regular basis. You can take the following approach to help organize groups:

Transitive trusts are by far the most common type of trusts you’ll run into. They are automatically created between parent and child domains within a tree structure and between domain roots. This means that every domain within a forest automatically has a two-way trust relationship with every other domain in the forest. This is why it is so important that permissions be assigned properly, especially if certain domains in the forest need tight security.

Sometimes domains in different forests need to trust each other. This type of relationship is not automatic. There are a couple of rules you’ll need to know about external trusts in order to determine if they meet a company’s goals:

The Active Directory uses a totally different method of authentication than Windows NT. Windows 2000 uses the Kerberos model of authentication, which involves the use of keys. The Kerberos model is discussed throughout the book and in detail in the security chapter.

Only Windows 2000 networks running in native mode can take full advantage of all the trust relationships described in this section. When attempting to make a trust relationship with a remote Windows 2000 domain, be sure to check to see if their network is in mixed mode or native mode.

All child domains have a transitive trust with their parent domains, but domains may be in different trees with several transitive trusts separating them from each other. This can cause more authentication overhead than is necessary. Active Directory allows you to specifically create a two-way transitive trust between two domains within the forest without having to rely on the series of two-way transitive trusts that automatically link them via the tree structure.

Group Policies can be used to define which programs are to be installed on which computers. This can be done by department, with web development getting Photoshop and Flash, sales getting Outlook and Excel, and technical support getting Quake. Actually, the Group Policy can be used to make sure technical support doesn’t install unauthorized programs, which brings us to another of GPO’s benefits: security.

Group Policies can allow certain users to log in to any workstation and have access to only their authorized applications, regardless of whether the unauthorized application is installed on the workstation that they are locally logged in to. GPOs can also restrict physical and remote access to sensitive computers, such as domain controllers.

If you’ve created the OU structure to match the company’s real-world departmental structure, assigning permissions by OU is a convenient way to provide access to those who need it and deny access to everyone else. Also, if you arrange to have the employee transfer process include a notification to the network administrator, employees can be moved in and out of OUs faster than they can clean out their cubicle.

If you want to create a Group Policy that applies to the whole domain or multiple domains, it’s better to apply the policy on the domain level rather than the site level. This is more work initially, because Group Policies only apply to the local domain. You’ll have to apply the same policy to each domain separately. This should help avoid accidental policy application.

Overall, I think the best approach is to apply no Group Policies at the site level, general policies at the domain level, and specific policies at the OU level. This hierarchical approach has less risk and gives you more granular control over policies. The up-front investment in time usually pays off later.

Members of a security group can be prevented from inheriting a GPO, even it if applies to their entire domain. This is especially useful for users with elevated privileges who need to retain access to secure objects.

In addition to blocking GPOs with security groups, you can also block GPOs at the OU level. Normally, Group Policies are automatically inherited from any parent OU. You can set an OU to block policy inheritance, but it only works if the parent OU doesn’t have a No Override setting. You’re better off just taking the time to plan Group Policies thoroughly, rather than worrying about whether or not they will apply and what the exceptions are.

The first step to creating a solid delegation plan is to create an inventory of the type and number of objects you have. Every object must be owned by somebody who will be responsible for its safekeeping. If you find an object that is improperly owned, a member of the Domain Administrators group can take ownership and temporarily or permanently assign ownership to themselves or another user.

You can delegate permissions by object or by task. A task might be backing up files or clearing a print spool. Task-based delegation is generally more difficult and time consuming, so it is used much less frequently than object-based delegation.

Objects automatically inherit permissions from their containers further up the AD structure. Sometimes, it is necessary to prevent this from happening. Be very careful if you block permissions inheritance, because if you forget you did it, making a change to the parent object will no longer be passed on down the line to the blocked object. Be sure to document every case of blocked inheritance.

One of the simplest and most effect ways to organize a hierarchical naming scheme like DNS is to mirror the actual geographic and departmental hierarchy of the company. You have to take into account whether or not the business wants to use the same domain name for internal and Internet addressing. Table 23-4 shows an example of DNS Naming Scheme.

The DNS naming system is from left to right, specific to general. A final example would be if the marketing office in Sebastopol had a server named zookeeper. In that case, that server’s DNS address would be zookeeper.marketing.sebastopol.oreilly.com. Every unique DNS name has to have a unique Internet Protocol (IP) address.

You’ll notice that the parent company name is part of all the subdomain names. You can create as many subdomains as you’d like. However, you cannot change the original parent domain name. The name is called the forest root domain.

Because the forest root domain name cannot be changed, if the company is going to merge or otherwise change names in the near future, you may want to consider registering the new name and using it internally, especially if it’s going to be a hyphenated name. When the merger is finalized, the new domain name can be made public.

If you choose to use the same domain name both internally and externally, you’ll probably want to set up a firewall . A firewall can separate DNS zones from one another. You may put network resources in any zone you’d like and make any zone either public (accessible from the Internet) or private (accessible only from within your local network).

If the company wants the least amount of risk, you should suggest that they use separate domain names for internal and external use. It’s conceivable that a resource could be accidentally (or intentionally) put in the wrong DNS zone or otherwise made accessible to the outside world. Not only is the use of separate internal and external domain names a bit more secure, it makes it easy to determine which resources are public just by the domain name.

The attribute-schema objects define the rules and structure of an attribute of an object. A folder is an object that needs many different attributes to describe it in its entirety. Each attribute, such as its name, will need rules to define it and make sure it behaves in a similar way to all other folders. Can a folder have the same name as another folder in the same location? How long can that name be? These attributes can be combined into a group called a class .

An object usually has multiple attributes. Because each attribute is defined in a separate attribute-schema object, these objects have to be unified to create an encompassing definition of the familiar object, such as a file, folder, or user account. The collection of attribute-schema objects that define a common object (like a folder) is called a class-schema object.

A class-schema object can require certain attribute-schema objects and allow others if needed. For example, a file has to have a name, but not necessarily an application-mapped file extension.

Class-schema objects also determine the structural hierarchy attributes of an object. You can put a file in a folder or a folder in a folder, but you can’t put a folder in a file.

There are two ways the schema can be modified: by using the Active Directory Schema snap-in for the Microsoft Management Console (MMC) or through the installation of an application that modifies the schema automatically. Objects in the schema have a unique identification number called an object identifier . There is a worldwide hierarchical numbering scheme that is similar to the IP address system used on the Internet. The International Organization for Standardization (ISO), an international standards body, maintains this hierarchy and can assign numbers for use in the schema.

The are a few potentially negative side effects of modifying the schema that you should consider. Before you change the attributes of an object, check to make sure you won’t have conflicts with existing objects. Modifying the schema requires that all domain controllers replicate the change. This can cause a lot of traffic, so you may want to time it when network usage is low. Also, replication is not instantaneous throughout the domain, so inconsistencies can occur until the replication is completed.

Sites are the basic physical structures that allow the replication of data on the network. The strategy for creating an efficient replication environment is fairly straightforward: find the best available bandwidth between potential sites, look at bandwidth utilization on each subnet, and link sites accordingly. Your goal is to link sites so that they have the greatest bandwidth between them (see Table 23-5).

By creating a table like Table 23-5, you can easily to see that you want to avoid the DCA to DCC connection of 5.2 Mbit and link DCA to DCB at 7.8 Mbit and DCB to DCC at 6.1 Mbit. Keep in mind that bandwidth usage can change very rapidly on a network, and you should consistently monitor network utilization.

Proper division of replication sites can help the overall performance of Active Directory. Many of the features of Active Directory that were not present in the NT directory structure require the efficient transfer of information throughout the entire network. Some of this traffic can be optimized by placing commonly needed resources within a site. A decrease in the number of sites, so that each site has access to the servers it needs to operate relatively autonomously, may outweigh the raw replication speed achieved by having smaller sites. Table 23-6 shows some examples of where site design can pay traffic dividends.

Replication of data within a site is called intrasite replication. Replication between sites is called intersite replication. It is important that bandwidth between domain controllers be as high as possible, because they will be involved in both intersite and intrasite replication. You should always map out the physical location of all the domain controllers and the nearby hubs and switches that connect them. If possible, try to have 100 Mbit connections between all domain controllers and have at least one domain controller in each replication site.

The amount of time it takes to exchange replication data between domain controllers is called replication latency . Don’t confuse the amount of time it takes to complete a transfer, replication latency, with the total amount of bandwidth needed for the transfer, replication cost . Each replication session has a certain amount of setup and teardown traffic, in addition to the actual data transfer. If you configure the site replication to save changes in a batch and send them all at once, you’ll reduce the overall replication latency and lower the replication cost by transferring fewer setup and teardown packets.

Sites can be adjusted after they are created. Whenever there are changes to the network, you should re-evaluate your site borders to make sure you still have the most efficient replication setup. Adding a single computer to a site can significantly change the available bandwidth, which can have a cascading effect on the performance of seemingly unrelated parts of the network. Always perform a check on the current situation, called a baseline , so you’ll have something to compare the new numbers to after a change.

All the sites in Active Directory have to be able to share information. The way in which they replicate information is not random, you can choose which sites share a replication link and when they transfer data. You have to take into account employee shift schedules and sometimes differences in time zone when determining the most efficient timing of replication on large networks. The connection between two sites for the purpose of replicating data is referred to as a site link.

Most site links connect two locations, but each of those locations probably has a site link to somewhere else. Site links on fully routed IP networks are transitive, which means that, if site A is connected to site B and site B is connected to site C, then site A is effectively connected to site C via a site link bridge.

Because sites can span multiple domains and some domains have several domain controllers, you may want to specify which domain controller in a site will handle replication duties. The chosen domain controller is referred to as a bridgehead server. The domain controller that has the most unused bandwidth to another site is a good choice to be a bridgehead server.