Document: Active Directory Installation and Deployment (ppt)
Chapter 9: Active Directory Installation and Deployment

Part III ✦ Active Directory Services

In This Chapter
✦ Presentation of the Deployment Plan
✦ Rollout of the Domain Controllers
✦ Planning for Replication Traffic
✦ Creating Organizational Units

4667-8 ch09.f.qc 5/15/00 2:00 PM Page 291

This chapter deploys an Active Directory infrastructure. Working from the deployment plan blueprint described in this chapter, you will be able to identify and modify the elements of the deployment plan that will suit your configuration. You can make changes as you need, be it a solution for a small network or a WAN connecting multiple domain controllers and an extensive Active Directory tree.

Getting Ready to Deploy

This chapter takes you through the actual installation of the domain controllers for an Active Directory domain. We will be using our fictitious city, Millennium City (MCITY), as the demo. So far, we have put several structures into place according to the blueprint we will discuss next. You may take this blueprint and deployment plan and use it as a template for your own project, expanding or cutting and pasting to and from it as you need, or just use the examples to establish your own strategy. The text in this chapter is abridged, and a more detailed plan is available in PDF format on the accompanying CD.

If the plan appears to be a real-life example, that’s because it is. This Windows 2000 network and namespace have actually been deployed. What we espouse here is not the gospel on Active Directory deployment by any means. It works for our environment, situation, and the diversity of our demo organization. Smaller companies may find it too expensive to implement some of our suggestions; others may garner some deep insight. Our purpose is to show a rich implementation.

While Millennium City is a fictitious city (modeled on the organizational chart of a real U.S. city), the following deployment plan was executed and actual domain controllers were set up across a simulated WAN in a test environment. We also upgraded a large Windows NT Primary Domain Controller (PDC) containing several hundred accounts from a live domain, and joined it to the MCITY namespace and the GENESIS forest as part of a live pilot project involving actual users.

Millennium City Active Directory Deployment Plan

The MCITY deployment plan consists of several phases. These phases are described in the plan according to the following contents:

A. Executive Summary
B. Deployment Phases
   Phase I: Install and Test Root Active Directory Domain.
   Phase II: Install and Test Child Active Directory Domains.
   Phase III: Create Organizational Units.
   Phase IV: Create Groups and Users (Chapter 10).
   Phase V: Establish and Implement Security Policy (Chapter 11).
   Phase VI: Establish Trusts with Windows NT Domains or Domains in Other Forests (Chapter 11).
   Phase VII: Establish Workplace Management Policy (Chapter 11).

Note: Phases IV, V, VI and VII are not included in the actual plan components discussed in this chapter; they relate to Chapters 10 and 11. After consulting these chapters, and with practice, you can extend this plan with these latter phases according to your specific needs.

Executive Summary

The following summary describes the deployment specifics for the GENESIS forest on the MCITY.ORG and GENESIS.MCITY.ORG namespaces (see the MCITY logical structure in Chapter 7).

MCITY Network

The MCITY network (MCITYNET) is managed in the Department of Technology and Telecommunications (DITT). The backbone at DITT connects to a bank of Cisco 4000 series routers that connect MCITYNET to an ATM backbone. The routers and physical network are provided and managed by a major long-distance provider that offers managed network services (MNS).

MCITYNET comprises both the Internet services required by the city and the private wide area network (WAN) and intranet, known as the GENESIS network. DITT connects to CITYHALL and MCPD over a dedicated IP network, and to smaller departments over an MNS T1 network. Several locations are connected on smaller pipes from 64 Kbps to 250 Kbps, and so on. The configuration of the GENESIS segment of MCITYNET is outlined in Table 9-1, and also illustrated in Figure 8-7 in Chapter 8.

Table 9-1: Genesis Network Configuration

Location                      Genesis                       Cityhall                      DITT                          MCPD
Subnets                       100.10.0.0                    100.45.0.0                    100.50.0.0                    100.70.0.0
DHCP scope                    100.10.2.1 to 100.10.2.254    100.45.2.1 to 100.45.5.254    100.50.2.1 to 100.50.5.254    100.70.2.1 to 100.70.254.254
Domain Controllers            MCDC00 to MCDC09              MCDC10 to MCDC49              MCDC50 to MCDC69              MCDC70 to MCDC129
(Reserved Names)
Sites                         GEN-ST00 – ST09               CH-ST00 – ST09                DITT-ST00 – ST09              MCPD-ST00 – ST40
                              JKIJS09K87                    J98KIJD654                    JKP09KLJ                      JKDOP843D

The GENESIS Domain

The root Active Directory (AD) domain and the forest for Millennium City will be called GENESIS. The forest is also called GENESIS because Active Directory forces the forest to take its name from the root domain. After several months of extensive research and testing of Microsoft’s Active Directory services on Windows 2000 Server, the Millennium City Windows 2000 testing team has come to a decision on how best to deploy Active Directory services.

It has been decided that for an organization the size of Millennium City, the root domain of the organization’s Active Directory namespace needs to be a secure domain accessible only by a small group of senior administrators. These administrators will have the organization’s highest security clearance. There will be no user accounts in the domain outside of the core administrators, and no active workplace management — other than what is needed for security, domain controller (DC) lockdown, and to protect and administer this domain — will be put into place.

There are several reasons for the need to establish such a domain.

First, the root domain in any large organization is a target for e-terrorists. If the root domain contains many user and computer accounts and a lot of information, the organization could suffer extensive damages if this domain is destroyed either physically (removal or destruction of the DC servers) or by a concerted network attack, or if its data is accessed by unauthorized personnel. Naturally, a small concern might not need such a “bastion” root domain, but any large enterprise should seriously consider it.

Second, all MCITY first-, second-, and third-level domains are extensively populated by user and computer accounts (security principals) and many groups (see Figure 8-7 in the previous chapter, which identifies the levels on the GENESIS domain tree). There are also numerous OUs in these domains and thus many administrators at various levels of the domain’s OU hierarchy. We thus deemed it necessary to establish a root domain with no more than a handful (preferably no more than five) administrators who by virtue of having accounts in the root domain would have the widest authority over the city’s namespace, starting from GENESIS down. (This security policy is discussed in Chapter 11.)

Third, the root domain is critical to the city. It might be feasible — if Microsoft makes it possible — in the future to disconnect the root domain from the rest of the domain tree, and graft the tree to another root. However, at present it is not, and losing the domain root would result in the loss of the entire domain tree, taking with it all levels subordinate to the root, in fact everything on the tree.

To thus protect the root domain, we will establish partner DCs of the root domain at several remote locations, primarily for redundancy and to locate the root domain over a wide area. These locations will initially be as follows (see Figure 8-7 in Chapter 8):

✦ Location 1: DITT’s Network Operations Center (NOC)
✦ Location 2: City Hall’s Network Operations Center
✦ Location 3: MCPD (Police Department) Network Operations Center

The lightweight (user accounts) nature of the root domain, which in addition to the built-in accounts only contains a handful of users, makes it easier to replicate its databases around the enterprise. (See Chapter 8 for a more detailed discussion of replication topology.)

Finally, the root domain controller is also our Schema Operations Master and Domain Naming Operations Master for the forest. It holds the master schema and other naming contexts that affect the enterprise as a whole, such as the global catalog (GC), which can only be changed on the operations master. The Schema Operations Master is where all schema updates will be performed, and the Domain Naming Operations Master is where we can make changes to the domain namespace on an enterprise-wide basis.

Physical location of GENESIS

The GENESIS domain’s first and second DCs will be secured in the main server room of DITT’s network operations center (NOC). These DCs will not be attended to by DITT’s operators, but instead will be administered by the GENESIS administrators. As stated earlier, GENESIS DCs will also be placed in MCPD and CITYHALL, supported by reliable, high-bandwidth pipes. Although it is important to locate the GENESIS root DC in a secure location, it is also important to make the services of the GENESIS DCs and GC easily available in as many GENESIS locations as possible. This will allow users to obtain the following services without having to contact the DC over many hops on the WAN:

✦ Users should not have to look up the network address of any GENESIS DC, or any DC for that matter.
✦ High availability. The GENESIS DCs need to be in as many places as possible in the city so that the most up-to-date replicas of the GC and other information are nearby.
✦ Reliable query results. Strong and closely located GCs should facilitate rich queries, and users must be able to rely on the currency of the data. They must be able to obtain information on users, groups, and other network services without any interruption in services or lack of data.

Network specifics of GENESIS

The GENESIS domain will be established on a segment of the physical network on which the Department of Technology and Telecommunications (DITT) currently runs. This network currently is supported on a 100Mbps backbone on which the DITT supports its AS/400, UNIX, and Windows NT systems. GENESIS will be established on the same network, but on its own IP subnet.

Note: This IP address space is a network supported by Windows 2000 routing services. It can also be supported behind network address translation services (NAT) running on a Windows 2000 role server. See Chapter 15 for a discussion of Routing and Remote Access (RRAS) and Chapter 12 for a discussion of Network Address Translation.

GENESIS site object specifics

In order to support replication to and from other MCITY domains (inter-site) and between domain controllers belonging to the same domain (intra-site), an Active Directory site will support GENESIS. This site will be named GEN-ST00-JKIJS09K87, as illustrated in Figure 8-7 and Table 9-1. The following DC names have been reserved for this site: MCDC00.GENESIS.MCITY.ORG to MCDC09.GENESIS.MCITY.ORG. The NetBIOS name range of these DCs is MCDC00 to MCDC09.

GENESIS subnet object specifics

The subnet address 100.10.0.0 will be assigned to a subnet object. This subnet object will be associated with the GENESIS site object described previously.

Domain health and security

Two partner DCs will support the domain in the main DC site. The main DC site will also house a copy of the GC for the entire MCITY Active Directory namespace. The administrators in the GENESIS domain will have administrative authority over the resources in the GENESIS domain. The GENESIS domain also has administrative and security authority over the subordinate domains.

The CITYHALL Domain

The CITYHALL domain is the first of the Windows 2000 populated domains. There will be several hundred user and computer accounts in this domain. This domain will support the accounts and network resources for the Mayor’s office and the various departments that fall directly under the Mayor.

Physical location of CITYHALL

The CITYHALL domain controllers will be located at City Hall and will fall under the authority of the City Hall network administrators who work directly for the Mayor. We will supply at least two DCs to support the initial deployment of Windows 2000 into City Hall.

Network specifics of CITYHALL

The CITYHALL domain is to be established on the actual network segment assigned to CITYHALL by DITT. This segment is the 100.45.0.0 network. CITYHALL currently is supported on a 100Mbps backbone between the ten floors, and the network is collapsed into a 10Mbps network that services the workstations, printers, and other network devices. City Hall’s IT department also supports AS/400 systems, CICS on IBM S390, and several technologies supported on UNIX systems, such as Oracle and Informix database management systems.

CITYHALL site object specifics

In order to support replication to and from other MCITY domains and several remote locations that will belong to the CITYHALL domain, an Active Directory site will support CITYHALL. The main site will be named CH-ST00-J98KIJD654. The following DC names have been reserved for this site: MCDC10.CITYHALL.GENESIS.MCITY.ORG to MCDC50.CITYHALL.GENESIS.MCITY.ORG. The NetBIOS name range of these DCs is MCDC10 to MCDC50.

CITYHALL subnet object specifics

The subnet address 100.45.0.0 will be assigned to a subnet object. This subnet object will be associated with the CITYHALL site (CH-ST00-J98KIJD654) object described previously.

Domain health and security

At least three partner or peer DCs will support the CITYHALL domain in the main DC site. We have decided to locate one DC in the secure server room of the floor on which the Mayor’s office is located. The remaining two DCs will be located in the main server room in City Hall’s network operations center (NOC). The DCs will also house copies of the GCs for the entire MCITY Active Directory namespace. The administrators in the CITYHALL domain will have administrative authority over the resources only in the CITYHALL domain. Some administrators in CITYHALL are also administrators of the GENESIS domain.

The DITT Domain

The DITT domain contains the resources for the Department of Information Technology and Telecommunications. There will be several hundred user and computer accounts in this domain. This domain will support the accounts and network resources for the IT staff and consultants, and the various departments, that fall directly under DITT.

Network specifics of DITT

The DITT domain is to be established on the network segment 100.50.0.0. See Table 9-1 for the configuration specifics of DITT.

The MCPD Domain

The MCPD domain contains the resources for the Millennium City Police Department. According to the configuration, a large number of IP addresses are required for this network. The IP address range in the DHCP scope will support hundreds of workstations, terminals, and other network devices. This domain is the most complex of the four domains, because numerous domain controllers and sites will have to be configured to cover an extensive network connecting the precincts to the commissioner’s offices, the DA’s office, and various law enforcement agencies.

Network specifics of MCPD

The MCPD domain is to be established on the network segment 100.70.0.0. See Table 9-1 for the configuration specifics of MCPD.

Install and Test the Active Directory Domain Controllers

There are several deployment phases outlined in this plan. Phase I covers the installation and deployment of the GENESIS, CITYHALL, MCPD, and DITT domains. Instead of repeating the full installation and deployment of each domain, we will first briefly install the root domain. We will then fully demonstrate the promotion of the CITYHALL domain controller and how it joins the GENESIS domain tree and forest. The other domains will join GENESIS in the same fashion. Each domain will then be administered as a separate entity, while still being covered by any policy that might derive from the root. The root administrators have the highest power of administration over all the domains in the forest.

The following sequence of events describes the creation of all the domain controllers. These activities will take you through machine preparation to final deployment:

1. Install the DC machine
2. Promote the server to domain controller
3. Make the server the root DC or join forest and trees
4. Establish the DC in DNS/WINS
5. Establish the DC in Active Directory site
6. Build initial OUs
7. Delegate OU administration
8. Secure DC further and follow disaster recovery protocol

Install the DC Machine

Follow the procedures described in Chapter 5 or Appendix B for installing Windows 2000 Server. Ensure the machine is stable. The best way to do this is to keep it running for about two weeks. You can use Backup/Restore as discussed in Chapter 5 to “burn in” the machine.

Note: After several DCs are all built or acquired on the same hardware configuration, you might consider reducing the burn-in period to several days instead of two weeks. If your machine is still running under load after several weeks, consecutive machines configured on identical hardware will likely run without problems. But a few days of tests are required to be certain.

You do not need to go to the additional expense of using Advanced Server for a domain controller. All Windows 2000 Servers can be promoted to a domain controller. Providing a fail-over service or a cluster for Active Directory is also a waste of resources and money. A fully redundant server will not only be cheaper, it will make for a more secure Active Directory deployment.

Server name

Pick a name for your machine from the list provided in the deployment plan. This is the NetBIOS name you will use to construct your DNS name. This name is going to be used again when you promote your server to a domain controller. We used the name MCDC00 for the standalone machine that became the root DC for GENESIS. When we promoted this machine, we reassigned this name and DNS resolved this machine as MCDC00.GENESIS.MCITY.ORG. In the case of CITYHALL, the server name reserved for the first DC in this domain is MCDC10. Its DNS name will thus be MCDC10.CITYHALL.GENESIS.MCITY.ORG. Remember, in the case of CITYHALL, it is the first level down from the root GENESIS domain, and also two levels down from MCITY and ORG, which are both Internet domain names.

This information is illustrated in Figure 8-7 in the properties for the GENESIS domain. To check this information, open Active Directory Domains and Trusts and select the domain in the tree, in the left-hand pane. Right-click the domain name and select Properties.

Server IP address

Give your machine a static IP address. You do not need to concern yourself about the subnet address you use now because you will change it later in the next phase of the deployment. However, make sure the IP address you choose is not used on any other machine on the network or as part of any DHCP scope listed in Table 9-1. Create a pool of static IP addresses, or reserve a segment of your scope, that you can use in the lab specifically for the purpose of installation and testing.

Choose a workgroup

During the installation of the server, you will be asked to join it to a domain or a workgroup. You are also given the option of skipping the name and returning to it later. We prefer that you put in a workgroup and that you name the workgroup after the server’s name. It cannot be the same name as the server — the installation will not allow that — so just add “wg” after the server name to keep it simple. For example, MCDC00 is the name we gave the server that was destined to become the first DC for GENESIS. The workgroup name is thus MCDCWG00.

Note: Joining a domain is not a good idea because that will force you to create a computer account for the server in the domain, which you have to remove later anyway when you install the server into its new domain. Not only is this inconvenient, but you also have to then make sure you can “see” the network and that the server will be able to find the DC of the domain it wants to join.

Services

Leave as many services out of the installation as possible. It is worth repeating here that it is better to first get a bare-bones machine running before adding additional services. However, there is one exception, as described next.

Choose a Terminal Services mode

There is one service that we deem to be the most important, and that is Terminal Services (TS). You will have to select TS from the Windows Components dialog box. You do not have to select licensing as well; that is only for application servers. While choosing services, you will also be asked to choose the mode for TS, so select Remote Administration mode. This will allow you to attach to the machine remotely when it is installed in the new location. The machine can be promoted from the remote location or in the lab, but you should also provide a means to administer it remotely. This is demonstrated shortly. Remote Administration mode, as discussed in Chapter 25, allows up to two concurrent sessions to be used for remote administration without licensing.

Promote to Domain Controller

The steps we take you through in this section demonstrate installing a root domain and a child domain into an existing domain tree. You would perform these same steps to install Active Directory for any new domain controller. The only difference is that you need to choose to create a domain controller according to the choices outlined in Table 9-2. If you are not sure what you need to be installing, you need to do some more preparation and planning. Read the fine print on the dialog boxes until you are sure about your actions, but do not overly concern yourself until the last step because you can always go backwards and forwards in these dialog boxes until you are sure.
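The naming and addressing rules from the preceding sections (a NetBIOS name from the domain's reserved range, the DNS name built from the domain's position in the tree, and a static lab address inside the domain's subnet but outside every DHCP scope in Table 9-1) can be checked before you promote a machine. The following Python is an added example, not code from the chapter; it assumes /16 subnets, inclusive DHCP ranges, and DITT/MCPD DNS suffixes formed like CITYHALL's, and all function names are invented here.

```python
"""Pre-promotion check for one MCITY domain controller plan entry (added example).
Assumptions not stated in the chapter: Table 9-1 subnets are /16, DHCP scopes are
inclusive ranges, reserved names are MCDCnn, and the DITT/MCPD DNS suffixes
follow the CITYHALL pattern. All function names are invented for this example."""
import ipaddress
import re

# Table 9-1 values from the chapter (masks and DITT/MCPD suffixes are assumed).
PLAN = {
    "GENESIS": {"suffix": "GENESIS.MCITY.ORG", "subnet": "100.10.0.0/16",
                "dhcp": ("100.10.2.1", "100.10.2.254"), "dc_range": (0, 9)},
    "CITYHALL": {"suffix": "CITYHALL.GENESIS.MCITY.ORG", "subnet": "100.45.0.0/16",
                 "dhcp": ("100.45.2.1", "100.45.5.254"), "dc_range": (10, 49)},
    "DITT": {"suffix": "DITT.GENESIS.MCITY.ORG", "subnet": "100.50.0.0/16",
             "dhcp": ("100.50.2.1", "100.50.5.254"), "dc_range": (50, 69)},
    "MCPD": {"suffix": "MCPD.GENESIS.MCITY.ORG", "subnet": "100.70.0.0/16",
             "dhcp": ("100.70.2.1", "100.70.254.254"), "dc_range": (70, 129)},
}

_DC_NAME = re.compile(r"^MCDC(\d{2,3})$")


def dc_number(name):
    """Return the number in a reserved name such as MCDC10, or None."""
    m = _DC_NAME.match(name.upper())
    return int(m.group(1)) if m else None


def fqdn(name, domain):
    """Derive the DNS name from the NetBIOS name and the domain's place in the tree;
    raise ValueError if the name is outside the range reserved for that domain."""
    entry = PLAN[domain]
    lo, hi = entry["dc_range"]
    num = dc_number(name)
    if num is None or not lo <= num <= hi:
        raise ValueError(f"{name} is not reserved for {domain} (MCDC{lo:02d} to MCDC{hi:02d})")
    return f"{name.upper()}.{entry['suffix']}"


def dhcp_scope_owner(ip):
    """Return the domain whose DHCP scope contains ip, or None if no scope does."""
    addr = ipaddress.ip_address(ip)
    for domain, entry in PLAN.items():
        lo, hi = (ipaddress.ip_address(a) for a in entry["dhcp"])
        if lo <= addr <= hi:
            return domain
    return None


def check_static_ip(ip, domain, in_use=()):
    """Apply the chapter's static-address rules and return the problems found: the
    address must lie in the domain's subnet, outside every Table 9-1 DHCP scope,
    and must not already be assigned to another machine."""
    addr = ipaddress.ip_address(ip)
    problems = []
    if addr not in ipaddress.ip_network(PLAN[domain]["subnet"]):
        problems.append(f"{ip} is outside the {domain} subnet {PLAN[domain]['subnet']}")
    owner = dhcp_scope_owner(ip)
    if owner is not None:
        problems.append(f"{ip} lies inside the {owner} DHCP scope")
    if addr in {ipaddress.ip_address(a) for a in in_use}:
        problems.append(f"{ip} is already assigned to another machine")
    return problems


def check_dc_plan(name, ip, domain, in_use=()):
    """Run the name and address checks together; return (fqdn or None, problems)."""
    problems = []
    try:
        host = fqdn(name, domain)
    except ValueError as exc:
        host = None
        problems.append(str(exc))
    problems.extend(check_static_ip(ip, domain, in_use))
    return host, problems


if __name__ == "__main__":
    # Constructed samples: the first CITYHALL DC on a lab address below its DHCP
    # scope, then a name reserved for MCPD with an address inside the GENESIS scope.
    print(check_dc_plan("MCDC10", "100.45.0.10", "CITYHALL"))
    print(check_dc_plan("MCDC70", "100.10.2.5", "CITYHALL", in_use=["100.10.2.5"]))
```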
Table 9-2: Domain Controller Promotion Choices

Action                                    GENESIS                          CITYHALL                         DITT                             MCPD
DC for a new domain                       Yes                              Yes                              Yes                              Yes
Additional DC for an existing domain      Yes, at any time you need more DCs (all four domains)
Create a new tree                         Yes                              No                               No                               No
Create a new domain in an existing tree   No                               Yes                              Yes                              Yes

The remainder of the chapter is available here only as disconnected preview fragments. They follow in page order, with … marking where the extract cuts off.

Promotion walkthrough (pages 303 to 305):

… existing forest that has the authority to create the domain and join it to the domain tree. Enter the name and password and click Next. In our case, we entered the name of an administrator with such authority in the GENESIS domain.

6. The Child Domain Installation dialog box now loads. Here, you are asked to …

… in CITYHALL and deploy only Windows 2000 (we have ways and means of spending our taxpayer’s money). CITYHALL will then be a native mode domain. For more information on the modes and permissions levels, consult Chapter 10. Click Next.

Figure 9-5: Permissions for legacy NT server access

11. The Directory Services …

Checking DNS and WINS records (pages 308 to 309):

1. Open the primary DNS snap-in by clicking Start ➪ Administrative Tools ➪ DNS, or run the snap-in from the command line as described in Chapter 6. The DNS snap-in will load. In this example, the DNS server is hosted on our root DC, MCDC00.

2. Drill down to your root Active Directory domain. Notice that we have the higher-level Internet domains of MCITY and …

… does not yet exist. Consult Chapter 14 for a more in-depth discussion of DNS.

Figure 9-9: Resolving your domain and host names from the command line

2. Check your WINS records: Open the command console and ping the host of the domains from any workstation, as illustrated in Figure 9-10. If you just ping the NetBIOS …

Administering the child domain (pages 309 to 310):

… been established in DNS and WINS correctly, you should be able to log on to the remote domain and administer it. Open Active Directory Domains and Trusts by clicking Start ➪ Administrative Tools ➪ Active Directory Domains and Trusts. The snap-in will load, as illustrated in Figure 9-11. Notice that a domain tree is now apparent. Right-click the child domain and select Manage. If trusts and authentication are … between GENESIS and an NT network. If your trusts are working right, you will be able to drill down into the directory and access a domain …

Figure 9-11: Active Directory Domains and Trusts showing the beginnings of the GENESIS tree

Creating Sites (pages 310 to 312):

When you promote the first domain controller, Active Directory creates …

Note: It is not necessary to create subnet objects for replication between servers. In the GENESIS setup, Active Directory would be able to replicate to each server in the site …

Active Directory sees the root DC server in the site we created in Chapter 8 and puts the … subnet, and this means that we have to manually move the DC object from the site in which it was initially installed to the correct site. Before we do that, we need to make a new site for the DC. This is done as follows:

1. Load the MMC snap-in Active Directory Sites and Services. To find the snap-in, go to Start ➪ Administrative Tools ➪ Active Directory Sites and Services, or load it from the command line … illustrated in Figure 9-13.

Figure 9-13: The Active Directory Sites and Services snap-in

2. Select the site item in the tree and right-click it. Choose New Site from the context menu. The New Site dialog box appears and allows you to create the new site. Enter the appropriate site information and choose the transport (IP or SMTP).

Creating Organizational Units (page 312 onward):

… previous chapters, and a full discussion about them can be found in Chapters 2 and 7. To recap, OU stands for organizational unit. In Active Directory, the OU represents a partitioning of the domain, yes; but it is more than that. An OU holds security policy, and it is the location for delegating administrative authority (also known as delegation of control). Now and in the future, the Active Directory OU is …

Posted: 10/12/2013, 16:15