Chapter 7
Logical Domain Structure

In This Chapter
Planning the Logical Domain Structure
Partitioning the Domain
Using Organizational Units to Create Domain Structure
Creating the Design Blueprint

4667-8 ch07.f.qc 5/15/00 2:00 PM Page 223
Part III ✦ Active Directory Services

This chapter takes you into the realm of enterprise analysis, which is new ground for most system administrators.

Sanity Check

By now, you are probably pretty psyched about Active Directory. And you probably thought we were nuts in the opening chapters when we urged you not to install Active Directory and to deploy standalone servers until you are at home with the new operating system. Now we are going to go overboard. We are going to tell you not to build your new domain until you have a) read this chapter, b) done psychoanalysis of your company, and c) designed your domain on a whiteboard or a math pad and come up with a blueprint.

Why? Does Microsoft recommend this? The answer is: Well, sort of. Microsoft, in both official documentation and in training, is not firm enough in stressing that the root of a namespace cannot be renamed, changed, or deleted without first hacking down the forest and completely reinstalling the domain controller. And this will remain the situation until Microsoft or third parties ship some serious Active Directory manipulation and administration tools.

So, before you start, know this: When you delete the root domain, or the last domain on a domain tree, from the server (demotion), you uninstall the namespace. If you screw up the namespace and decide, after many hours of hard work, that you started wrong, you could end up losing those hours spent creating user and computer accounts and configuring domain controllers. And if you go into production, you also take down several colleagues. We thus offer you a mini-guide to enterprise analysis in this chapter in the hope that when you get ready to break ground, you don't slice your toes off in the process.

Keepers of the New Order

These are exciting times for network administrators. We spoke at length in Chapter 1 about the paradigm shift underway in corporate communications, networking, and administration. As a Windows 2000 administrator, you now find yourself at the center of the paradigm shift. You are also a pivotal component in the change that is underway on the planet, in all forms of enterprise and institutional management. Windows 2000 is a great facilitator in that paradigm shift.

Companies are changing; a new order is emerging. The way businesses communicate with their customers is changing. Very little is regarded from a flat or uni-dimensional perspective. Today, corporate workers, owners, and administrators need a multifaceted view of their environment. Managers and executives need to look at everything from a 360-degree panorama of the business — its external environment and its internal environment.

You, the network administrator, specifically the Windows 2000 network administrator, now have a lot more on your shoulders. Everyone is looking at you — what you're worth, what you know, how you conduct yourself — from the boardroom members to the mailroom members, you are the person to take the company beyond the perimeter of the old order. Why? The tools to facilitate the shift can be found, for one reason or another, in Microsoft Windows 2000. You learned a lot about the Windows 2000 architecture in Chapter 1, so we won't repeat it here, except to say that Windows 2000 Directory, Security, Availability, Networking, and Application services are in your hands, and those of your peer server administrators.
The tools you will use to manage all the information pertaining to these services and objects are the Active Directory and the Windows 2000 network.

As mentioned in earlier chapters, Windows 2000 domains are very different from legacy Windows domains. They are also very different from the network management philosophies of other operating systems such as UNIX, NetWare, OS/2, and the mid-range platforms such as AS400, VMS, and so on. Before you begin to design your enterprise's logical domain structure (LDS), there are a number of important preparations to make. Besides items such as meditating, education, lots of exercise, and a good diet, there are some network administration specifics to consider. We discuss these items in the following sections.

Planning for the LDS

Back in Chapter 4, we discussed the steps to installation and conversion. One of those steps was designing the logical domain structure. If you have been tasked with the installation of or conversion to Windows 2000, the first item on your list should be to understand the steps to achieving the LDS and then implementing it. Unless you can create an LDS blueprint, the myriad of other management functions, such as creating and managing user accounts, groups, policies, shares, and more, will be difficult to implement and cost you a lot in time and material. The following list represents the steps we will take in this chapter to arrive at the point when we can begin the conversion process or even install in a clean or new environment.

1. Prepare yourself mentally.
2. Assemble an LDS team.
3. Survey the enterprise.
4. Design the Logical Domain Structure (LDS).
5. Produce the blueprint.

Preparing Yourself Mentally

Long gone are the days when installing a Windows-based network could be handled with a sprinkling of administration experience gleaned from a few books or an education based on crammed MCSE courses.
Running a successful Windows 2000 domain (no matter what the size) is going to require more than a magazine education in networking, telecommunications, security, and administration. If you have been managing or working with Windows NT Server, you have a head start on the new administrators and administrators from the other technologies who have chosen to defect. Nevertheless, the conversion and installation process is arduous and mentally taxing. And how much time you spend on fixing problems in the future will depend on how well you lay your foundations now. Here is some advice that will help stem the migraine tide from the get-go.

Forget about Windows NT

Trying to create the LDS of Windows 2000 while thinking about Windows NT, and even managing Windows NT, is like trying to meditate at a heavy metal concert. In other words, it is very distracting. We would say that if you are involved in the day-to-day management of Windows NT domains, you should take a break from being an NT administrator while involved in the Windows 2000 LDS planning efforts, at least in the initial phases. You will find it very frustrating to work in both environments at the same time. This is sobering advice if you have to manage an NT domain while you plan a Windows 2000 domain. You will need to make a special effort to separate the old from the new, the legacy from the up-and-coming.

Forget about Conversion

Trying to think about retrofitting, upgrading, or converting your legacy Windows domains, and even your NetWare or UNIX environments, will only get you into a lot of trouble. Forget about what everyone, including Microsoft, says about this, at least until you have the new domain structure in place and are fully versed in the techniques described in this chapter and the others described in this book.
Only when you fully understand the possibilities and the limitations of Windows 2000 domains should you begin to plan your conversion process. If you try to convert before the Windows 2000 LDS is in place, as we discussed in more detail in Chapter 4, you risk an IT disaster, and losing money and opportunity in many respects. Set up a lab as we discussed in Chapter 4. We can't tell you everything you need to know or beware of in this book, nor can Microsoft. Only you will discover how Windows 2000 accommodates your needs, and how you accommodate its needs. No two organizations are alike.

Stay Out of Active Directory

Before you break out into a cold sweat, this advice applies only to this chapter. The Windows 2000 LDS is just that, logical. Until you have your blueprint in place, your plans approved, and the budget in the bank, you don't need to do a thing in the Active Directory. Yes, Active Directory is the technology that makes the new LDS a reality, and yes, we would not be discussing LDS in such direct terms as we do here if Active Directory were not a reality, but trying to do LDS while tinkering around in Active Directory is counter-productive. Don't think you can stumble your way to a design or blueprint.

We're not saying you shouldn't try to learn about Active Directory hands-on. Learn as much about it as you can. If you know nothing about Active Directory, then you should not be in this chapter just yet, because you should already be au fait with directory service terms and concepts. If you are not yet up to speed with Active Directory, study Chapter 2, read the wealth of information in the help system, download as much information as you can from Microsoft, and get stuck into books about Active Directory and LDAP. Chapter 2 is the chapter in which you can test examples and concepts in Active Directory. In this chapter, you should be working with design tools and a whiteboard, a very large one.
Note: For information on LDAP, you can download RFC 2254, 2255, and 2307 from the Internet. These can usually be located at the Internet Engineering Task Force Web site (www.ietf.org), but you can find these and many other LDAP references at any main search engine.

Assembling the Team

Before you begin, it is vital to assemble a design team. No matter if you are a consultant or administrator for a small company and are attacking this single-handedly, or if you are a leader or part of a team working in a mega-enterprise, designing the domain requires the input of a number of people. In very small companies adopting Windows 2000, the team might consist of you and the owner or CEO.

The Domain Planning Committee

Your domain planning committee will include a number of people, especially if the task is huge, who will assist you in the enterprise analysis you need to undertake. Your team might be made up of the following members.

✦ Assistant analysts and consultants to help you quickly survey a large enterprise. The Millennium City example in this book, which is an Active Directory domain structure that spans an entire city, replete with departments and divisions, might need to employ about a hundred analysts to get the survey job done as quickly as possible. It depends on how quickly you need to move, or want to move. If you plan to use your IT department as a test case (going from development to production), then you could probably get away with one or two analysts.

✦ Documentation experts to assist you to get information down and in an accessible form as soon as possible. These people should as far as possible be trained in desktop publishing and documentation software, illustration and chart-making software, groupware, and so on. The documents should be stored in a network share-point.

✦ Administrators to be involved in preparing the installation and conversion process.
These might include technicians and engineers currently involved in the day-to-day administration of domains, technical support, special projects, and so on.

Domain Management

As the LDS plan progresses from enterprise analysis to approval and implementation and conversion, you will need to appoint people who initially will be involved in the day-to-day administration and management of the new domains. If you have the resources at your disposal, it will make sense to appoint newly trained staff or hire and train administrators from the legacy pool. These people will help you to build the new Windows 2000 domain and will need to communicate with the administrators of the old domains, and so on. If you are doing everything yourself, then you have your work cut out for you.

Change Control

Appoint a person responsible for change management and control (see Chapter 11). As the development domain begins to roll out phases into production, the conversion team's change control process will need to communicate with the MIS/Operations change control team, discussed in Chapter 4. All proposed changes need to be fully discussed, and all teammates need to have the opportunity to assess the impact and prepare for it . . . or argue against it. Trust us, you don't want to roll out anything without it being signed off at the appropriate levels.

Domain Security

You will need to appoint people, or yourself, to manage all the security aspects of the new domains. Their role will be to test security in the development domain and to apply the appropriate security mechanisms in the production domains. In addition, they will help you to determine domain policy, Group Policy, delegation, workspace management, and so on. See Chapter 3 for information on Windows 2000 security, and Chapter 11 for information on security policies.
Intra-Domain Communication

A very important component is intra-domain communication, or the communications between Windows 2000 domain users and legacy domain users. You'll need to appoint an Exchange administrator if you plan on integrating Exchange, or else Lotus Notes administrators, Sendmail people, and so on. A vital component of the LDS is that information is able to flow freely through the enterprise information network and between the operational environments in which the company will find itself when a Windows 2000 domain greets the world.

Education and Information

You will need to generate information to keep management abreast of the development with respect to the conversion process and the emergence of the LDS. Once a plan has been approved, this information will need to be extended to educate people throughout the enterprise.

Surveying the Enterprise

Before you can begin to plan the LDS, you need to survey your enterprise. Consider the job of the land surveyor. He or she sets up the theodolite — an instrument that measures horizontal and vertical angles — and charts the hills and valleys, the lay of the land, the contours, and more. These scientists and engineers determine where it is safe to build a house or skyscraper, where to bring a new road or a bridge, where to place a town or a city. You need to do the same, not to determine where the company is going (which is what enterprise analysts do), but how to plan an LDS with what is already in place and what might be around the corner.

In surveying the corporate structure, you are not going to take on the role of offering management advice about its business, nor will you suggest that new departments or units should be added, moved, or removed to suit the new domain structure. Not only would that be impossible, but also it would likely get you fired or promoted out of networking.
On the other hand, the Windows 2000 LDS needs to be filtered up to the highest levels of management. In fact, the LDS blueprint is what the CIO or CTO is going to drop on the boardroom table, and the IT department is expected to implement the changes desired by management to affect the DNA, e-commerce, the paradigm shift, and more. The Windows 2000 LDS, because of what it may expose, may indeed result in enterprise or organizational change; just don't say it too loud.

Windows 2000 domains reflect the enterprise structure more than any other technology, and the domain structure will be representative of the layout and the landscape of your company, from an administrative and a functional point of view. Windows NT domain administrators, network administrators, and IT/IS managers have never before contemplated that their careers would take them into enterprise analysis. Large organizations will no doubt hire expensive enterprise analysts, but for the most part it will be an unnecessary expense, unless some serious first aid is needed before a conversion to Windows 2000 can be considered.

In many cases, you already have the resources at hand. They exist in you, and in your peers. You do not have to go overboard studying enterprise analysis, enterprise resource planning (ERP), and customer relationship management (CRM). Of course, having the knowledge will help and may even get you the job you're after. This chapter serves as a guide if you are not sure where to start. The following sections discuss the key concepts of enterprise analysis.

Enterprise Analysis

Enterprise analysis is enterprise land surveying and enterprise engineering come together for the future and good of the company. Enterprise analysts examine where the company is today, what business it is in (many don't know), and where it wants to go (or where the board or shareholders want it to go), and make suggestions on how it should go about achieving its objectives.
Enterprise analysts help suggest changes at all levels of the enterprise, in particular in information systems and technology. They provide management with critical actionable information . . . blueprints that start the wheels of change turning.

Without technology, very few of the desires of the corporation will become a reality. You do not need to look far to see how misguided efforts in IT/IS have wrecked some companies, while making others more competitive and profitable. In your new role as enterprise analyst, you are surveying the corporate landscape to best determine how to implement a new Windows 2000-based logical domain structure. You have two responsibilities. First, you have to study the enterprise with the objective of implementing the new LDS as quickly and painlessly as possible. You may have a lot of money to work with, or you may not have much of a budget. In either case, you are going to need facts fast. Second, you have to study the enterprise and forecast or project where it might be heading. Is the business getting ready for an IPO, to merge, to file Chapter 11, or to be acquired? Is it changing focus? All these items and more will affect the LDS of not only a company, but also the LDS of a city, a hospital, a school, and a government.

You might consider that you are doing the enterprise analysis for the good of the company, but you are doing it for your own good. You will be expected to cater to any change that may happen between sunrise and sunset. And not having the wherewithal to implement or accommodate the sudden business direction that management may throw at you is not good IT administration.

So where do you start? As mentioned before, you can't plan the LDS by just looking up all the groups you created in Windows NT and figuring that just importing them all will do the trick. That would be the worst place to start, and the worst advice anyone can take.
Microsoft, we believe, makes too much noise about upgrading Windows NT; we believe that countermands strategic LDS planning. The new Group Policy technology is so sophisticated that it makes upgrading an NT domain and inheriting its groups and user accounts a tricky business. Make sure you fully understand Group Policy before you upgrade an NT domain. It is discussed in detail in Chapter 11.

Here is a short list of starting points. The items may be better in another order for you, and you may add to the list as you deem fit:

✦ Get management on your side: This may not be difficult if you are the CIO, or if the LDS directives come from the CIO or CTO. But in order to do the job well, you need to have access to more than would be expected of network or domain administrators. This means that management and HR are going to have to trust you with sensitive information. We would like to add to this point: Get the CEO on board. You are going to need to set up appointments with the most senior staff in the enterprise. They need to know that your research is sanctioned at the very top. You will probably encounter resistance at the departmental head level, where change may be deemed a threat. Advise them in writing that if you do not get cooperation their departments will be left out of the domain conversion or "new order." People tend to go crazy if their e-mail gets cut off, so you can use this as a foot in the door.

✦ Get hold of organizational charts: Most enterprises and organizations have these. Hopefully, they are up to date. If they are not, or they do not exist, you are going to have to invest in a software tool that can make organizational charts.

✦ Tell people what you are doing: It is important to be frank and open about the process, without exposing the team to security risks.
Enterprise Environments

Before you begin an exhaustive enterprise analysis project, you should take some time to understand the environments in which the enterprise or organization operates. Enterprise analysts often refer to these environments as operational environments. We have been teaching companies about their respective operational environments for several years, long before the advent of Windows 2000. The elements in these environments will feature heavily in both the LDS and the physical domain structure (PDS).

There were once only two environments in which an enterprise operated. They were the external and internal environments. The advent of the Internet and wide area networks has resulted in a third environment: the extra environment, or the environment "in-between." An analysis of these environments is essential in the formulation of both the LDS and PDS. To fully investigate the environments, you need to build lists of items to look for; otherwise you will not know where to start and when to finish.

The external environment

The external environment is made up of several components: customers, suppliers, distributors, cleaning staff, and so on. At the physical level, the corporation or enterprise has to deal with the elements of the external environment directly. Examples are: providing access to cleaning staff, dealing with customers, delivery pick up, and more.

The external environment of a city, for example, includes voters, tourists and visitors, businesses, foreign nationals, embassies, consulates, divisions of the United Nations, organized crime, private hospitals, schools and universities, government-sponsored bodies, such as the FBI, INS, and DEA, religious congregations, religious boards, and so on.

The most important technological factor in the external environment is the Internet.
For all enterprises and organizations, the Internet provides resources with which to deal with the elements in the external environment electronically, and a means of interconnecting partitions of the internal environment. Any modern city is as present in cyberspace as it is in the physical realm.

Today, the neural network in the external environment is the Internet. The telephone system still plays an important and indispensable part, but it is becoming less pervasive as people find the Internet more convenient in many respects. The enterprise depends on several components on the Internet that are vital to its existence in general. These include DNS, the locator service for the entity on the Internet, and the Internet registration authorities that provide the entity the right (for a fee) to participate in a global Internet infrastructure. These rights include the registration of your domain names and the assignment of IP addresses, without which you are unreachable.

Here is a short list of items you should pay attention to when you examine the external environment:

✦ How is the company connected to the Internet?
✦ How does the company use the Internet's DNS system?
✦ What are the public domains used by the enterprise?
✦ Who keeps the domains, and makes sure the fees are paid on time?
✦ Are the domains you need to register available?

The internal environment

The internal environment comprises all the departments, divisions, organizational units, and key management entities (KMEs) that work together for the benefit of the enterprise. This environment includes employees, contractors, executives and management, subsidiaries, divisions, acquisitions, equipment, intelligence, information, data, and more. The internal environment's neural network is the private intranet and its relative KMEs and administrative functions.
The intranet is a private network, which is the medium for the Internet protocols, TCP/IP. The local area network is fast becoming a passé term, associated with outmoded and confining protocols such as NetBEUI, Pathworks, IPX, and more. Windows 2000 is, for all intents and purposes, an intranet operating system that still knows how to function on a LAN for backward compatibility. Very important to consider in the internal environment are all the legacy systems and mid-range systems that are going to need facilities in the new realm.

Here is a short list of items you should pay attention to when you examine the internal environment:

✦ How many employees work for the company?
✦ How many remote divisions or branches does the company have?

[...]

... illustrated in Figure 7-6.

[Figure 7-6: Enterprise-wide domain structure. Labels: DNS Domain, AD Domain, Internet, Intranet. Entries: MCDCO1.MCITY.ORG (Active Directory Root) 100.40.X.X; MCDCXX.MCEAST.MCITY 100.50.X.X; MCDC.MCWEST.MCITY.ORG 100.10.X.X; MCDCXX.MCSOUTH.MCITY.ORG 100.70.X.X]

There is only one caveat. Our shogun in the root domain might come under ...

... its own domain, in its own forest, and appropriate trust relationships between the forests. In our example, we feel that one forest suffices.

Managing a diversity of domain policy

When you create a domain, you need to apply domain policy to the domain. Domain policy governs many domain-wide properties, such as password expiration, account lockout, UPN style, and so on. Policy and the attributes of domain ...
You have two options:

1. You can leave your public domain name applicable only in the external environment, resolved by an ISP's DNS server.
2. You can use your public domain name also as the root domain in the directory and on your intranet.

We have pondered over this extensively. Let's examine the two options a little more closely: If your domain name is listed ...

... whether your external DNS domain name is identical to your internal DNS domain name. Most companies already deploy mirrored sites on both sides of a firewall. The second reason not to use your public domain name is that the identity of the company may change. You could get acquired or broken up, and it would be almost impossible to change the existing root domain to ...

... the logical units of the enterprise and begin enterprise analysis in a logical fashion. Figure 7-1 represents a portion of the organizational chart of Millennium City (the entire chart is on the CD in the Millennium City Domain Structure Blueprint PDF). The chart has been adopted from the organizational chart of a major U.S. city, and we will use it throughout the book to see examples of both logical domain ...

... second domain in another region, be sure the plan indicates unique NetBIOS names. The two DNS domains will be different, but identical NetBIOS names will not work.

The Second-Level Domains

To add second- and third-level domains under the root, you need good reasons. Each new domain adds administrative burden, additional expenses, and increased ...
... integrated.

Logical Domain Structure: The Blueprint

The logical container for domains in Windows 2000 is a forest. Forests contain trees, which have roots, and domain trees make up a Windows 2000 network. It is not necessary to understand forests to design a namespace, and forests are discussed in various contexts in Chapters 2, 3, and 8. As stressed at the beginning of this chapter, once a domain root ...

... conversion of a Windows NT domain must be controlled by a phased implementation plan that dictates having your NT domains around for a while. In some cases, we do not even recommend converting NT 4.0 domain controllers to Active Directory domain controllers (see Chapters 4, 5, and 10). NT 4.0 domains cannot be attached to your domain tree, so you are just going to have to treat them as domains that belong in ...

... can always create a domain and attach it to the root.

2. The administrator in the root domain can reign supreme over the fiefdom like a shogun. A small group of forest-wide "samurai" administrators, serving the shogun, can be located in the root domain, which allows you tighter control over domain administrators in the lower-level domains. The only drawback is the additional hardware for domain controllers, ...

... concern when extending the domain to remote locations that are further away than the uptown-downtown example described previously. Again, there are many factors to consider before you create separate domains. Here are four important ones:

1. Size and nature of the remote location
2. Distance from the existing domain
3. Number of remote ...
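The chapter's point is that the blueprint has to be right before the root is installed: the root cannot be renamed, child domains hang off their parent's DNS name, and two domains in one forest must not share a NetBIOS name even when their DNS names differ. The script below, an added example that is not code from the book or from Microsoft, treats the whiteboard plan as data and checks those rules before anything is built. The DNS names follow Figure 7-6; the NetBIOS names and the flawed plan are constructed samples, and the 15-character NetBIOS limit is the Windows rule rather than something the chapter states.

```python
"""Sanity checks for a planned Windows 2000 logical domain structure (LDS).

Added example, not code from the book: the plan is entered as data, the way
you would transcribe a whiteboard design, and checked for the naming rules the
chapter stresses before the root is ever installed (one root that cannot be
renamed, children directly under their parent, unique NetBIOS names).
The Millennium City DNS names follow Figure 7-6; all other values are
constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

NETBIOS_MAX_LEN = 15                     # NetBIOS domain names are at most 15 characters
NETBIOS_ILLEGAL = set('\\/:*?"<>|')      # characters Windows rejects in NetBIOS names
DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")   # one host-name label


@dataclass(frozen=True)
class PlannedDomain:
    dns_name: str            # full DNS name, e.g. "mceast.mcity.org"
    netbios_name: str        # downlevel name, e.g. "MCEAST"
    parent: Optional[str]    # DNS name of the parent domain; None for the forest root


def validate_forest(plan: List[PlannedDomain]) -> List[str]:
    """Return the problems found in the plan; an empty list means it passes."""
    problems: List[str] = []
    by_dns = {d.dns_name.lower(): d for d in plan}

    # Exactly one forest root: it cannot be renamed later, so settle it now.
    roots = [d for d in plan if d.parent is None]
    if len(roots) != 1:
        problems.append(f"plan must have exactly one forest root, found {len(roots)}")

    # DNS naming: legal labels, and every child sits directly under its parent.
    for d in plan:
        name = d.dns_name.lower()
        if not all(DNS_LABEL.match(label) for label in name.split(".")):
            problems.append(f"{d.dns_name}: not a valid DNS name")
        if d.parent is not None:
            parent = d.parent.lower()
            if parent not in by_dns:
                problems.append(f"{d.dns_name}: parent {d.parent} is not in the plan")
            elif not (name.endswith("." + parent)
                      and "." not in name[: -len(parent) - 1]):
                problems.append(f"{d.dns_name}: must be a direct child of {d.parent}")

    # NetBIOS naming: length, characters, and uniqueness across the whole forest.
    # Two domains can have different DNS names and still collide on NetBIOS name.
    seen: Dict[str, str] = {}
    for d in plan:
        nb = d.netbios_name
        if not 1 <= len(nb) <= NETBIOS_MAX_LEN:
            problems.append(
                f"{d.dns_name}: NetBIOS name {nb!r} must be 1-{NETBIOS_MAX_LEN} characters")
        if NETBIOS_ILLEGAL & set(nb):
            problems.append(f"{d.dns_name}: NetBIOS name {nb!r} contains illegal characters")
        key = nb.upper()
        if key in seen:
            problems.append(f"{d.dns_name}: NetBIOS name {nb!r} duplicates {seen[key]}")
        else:
            seen[key] = d.dns_name
    return problems


# Plan transcribed from the chapter's Figure 7-6 (NetBIOS names are constructed).
MCITY_PLAN = [
    PlannedDomain("mcity.org", "MCITY", None),
    PlannedDomain("mceast.mcity.org", "MCEAST", "mcity.org"),
    PlannedDomain("mcwest.mcity.org", "MCWEST", "mcity.org"),
    PlannedDomain("mcsouth.mcity.org", "MCSOUTH", "mcity.org"),
]

# Constructed plan containing the mistakes the chapter warns about.
FLAWED_PLAN = MCITY_PLAN + [
    # second regional domain: different DNS name, but the NetBIOS name is reused
    PlannedDomain("mceast2.mcity.org", "MCEAST", "mcity.org"),
    # third-level domain whose declared parent does not match its DNS name
    PlannedDomain("parks.mcsouth.mcity.org", "PARKS", "mcwest.mcity.org"),
    # NetBIOS name longer than the 15-character limit
    PlannedDomain("transportation.mcity.org", "TRANSPORTATIONDEPT", "mcity.org"),
]

if __name__ == "__main__":
    for label, plan in (("Millennium City", MCITY_PLAN), ("flawed", FLAWED_PLAN)):
        issues = validate_forest(plan)
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run it against the transcribed plan and it stays silent; run it against the flawed plan and it reports the misplaced third-level domain, the reused NetBIOS name, and the over-long name, each before a single domain controller has been promoted.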