Document: Module 6: Designing an Active Directory Domain docx


Contents

- Overview
- Identifying Business Needs
- Designing the Initial Active Directory Domain
- Planning for Security Groups
- Discussion: Designing Security Groups
- Planning for OUs
- Lab A: Designing a Group and Organizational Unit Strategy
- Review

Module 6: Designing an Active Directory Domain

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, Windows, Windows NT, Active Directory, BackOffice, PowerPoint, Visual Basic, and Visual Studio are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
Project Lead: Andy Sweet (S&T OnSite)
Instructional Designers: Andy Sweet (S&T OnSite), Ravi Acharya (NIIT), Sid Benavente, Richard Rose, Kathleen Norton
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Lorrin Smith-Bates (Volt), Megan Camp (Independent Contractor)
Technical Contributors: Angie Fultz, Lyle Curry, Brian Komar (3947018 Manitoba, Inc.), Jim Clark (Infotec Commercial Systems), Bill Wade (Excell Data Corporation), David Stern, Steve Tate, Greg Bulette (Independent Contractor), Kathleen Cole (S&T OnSite)
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Jeffrey Gilbert (Wasser)
Copy Editor: Patti Neff (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T OnSite)
Compact Disc and Lab Testing: Testing Testing 123
Production Support: Ed Casper (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Managers: Dean Murray, Ken Rosen
Group Product Manager: Robert Stewart

Instructor Notes

This module explains how administrative tasks can be simplified according to the ways objects are organized in the directory. It also explains how to plan the organization of objects by using organizational units (OUs). The module explores the relationship of an organization's administrative model to the organization of objects in a domain.

At the end of this module, students will be able to:

- Identify business needs that determine domain and OU design.
- Design the initial Active Directory™ domain.
- Plan security groups to support control of objects within OUs.
- Plan a hierarchical OU structure within a domain.
Lab A, Designing a Group and Organizational Unit Strategy, is a scenario-based planning lab that reinforces the methods discussed in the module for documenting existing administrative organization, planning, and designing an OU structure that meets the business needs of an organization. Students will work as a group through two scenarios, one for designing a single domain, and one for granting access to security groups. The students will be given information about the company's current administrative structure. They will create an OU structure to support the desired model by using Visio.

Presentation: 45 Minutes
Lab: 75 Minutes

Materials and Preparation

This section provides you with the materials and preparation needed to teach this module.

Required Materials

To teach this module, you need the following materials:

- Microsoft® PowerPoint® file 1561b_06.ppt
- Visio 2000

Preparation Tasks

To prepare for this module, you should:

- Read all of the materials for this module.
- Complete the lab.

Instructor Setup for a Lab

This section provides setup instructions required to prepare the instructor computer or classroom configuration for a lab.

Lab A: Designing a Group and Organizational Unit Strategy

Ensure that Visio 2000 Enterprise Edition is installed on the instructor computer and all student computers and that the Active Directory template is operational. Also ensure that the \\London\Solutions\Lab6 directory is shared and accessible from the student computers.

This planning lab describes the administrative and Group Policy needs of a large organization. Students will design an OU structure based on their knowledge of using OUs to delegate administration and assign Group Policy. Students will work in pairs and will save their design to the share on the instructor computer. Drawings should be saved to this share using a team name or a name that does not personally identify the individuals.
Ensure that there is time at the end of the lab to display some student designs and discuss them. Allow the students to make their arguments and discuss among themselves. There may be variations in how the lab is answered and you should be open to them. The solutions share on the instructor computer includes a drawing of an optimal answer.

Module Strategy

Use the following strategy to present this module:

- Identifying Business Needs
  This module describes the design of groups and OUs within a domain structure. Explain the importance of gathering information about the administrative model of an organization.
- Designing the Initial Active Directory Domain
  This section encourages organizations to use a single domain model with multiple domain controllers to provide for fault tolerance. Stress the impact of naming the first domain and the undesirable results of changing the name at a later time.
- Planning for Security Groups
  Explain the role of security groups in Active Directory. Describe the three security groups (universal, global, and domain local) and explain which group to use for a given scenario. Finally, describe how nested groups can be used to reduce administrative overhead.
- Discussion: Designing Security Groups
  Discuss designing security groups with the class.
- Planning for OUs
  Explain to students that there should be a model to provide a logical pattern for the way that OUs are designed in a domain. Stress that the OU structural design should be based on the administrative model of an organization.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

The lab in this module requires students to use Visio 2000 to document their designs.
Visio 2000 is demonstrated in course 1561B, module 3, Designing Active Directory to Delegate Administrative Authority. If Visio has not been previously demonstrated to students, refer to module 3 for instructions on demonstrating Visio 2000.

The lab in this module includes a script to be run at the beginning and end of the lab, creating and returning the computer to the default configuration for the course. As a result, there are no lab setup requirements or configuration changes that affect replication or customization.

Overview

- Identifying Business Needs
- Designing the Initial Active Directory Domain
- Planning for Security Groups
- Planning for OUs

Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn how to design a domain structure.

The ongoing administrative tasks of an organization can be simplified by initially planning how to organize objects in the domain. Within an Active Directory domain, you can create a hierarchical structure of administrative units, or organizational units (OUs), and then group objects into these units. Understanding domains and organizational units, and how you can control objects within each, will help you to plan a structure that fits into your administrative model.

At the end of this module, you will be able to:

- Identify business needs that determine domain and OU design.
- Design the initial Active Directory domain.
- Plan security groups to support control of objects within OUs.
- Plan a hierarchical OU structure within a domain.

Identifying Business Needs

Before Designing a Domain, You Should:

- Identify Administrative Strategy
- Identify Security Needs
- Plan for Growth and Flexibility

The administrative structure of an organization will determine the domain design.
When designing a domain, you should always begin by assuming that a single domain can accommodate your organization's administrative model. Unless there is an important business reason, such as the need for distinct domain-level policies, one domain should suffice for most organizations. Within a domain, your OU design should reflect the organization's administrative hierarchy of authority. Prior to designing the domain, you should do the following:

Identify Administrative Strategy

The administrative structure in your organization and the associated plan for delegation of administrative authority together will form the basis for the organization of the domain. Determine if you will use a locational, organizational, functional, or a hybrid structure for your hierarchy design. You must create the plan for delegation of administrative authority prior to creating the domain and OU structure.

Identify Security Needs

You will need to identify different levels of security that are needed within different areas of the organization. Your OU design will reflect these differing security needs. You can also use security groups to grant groups or individuals access to particular resources. Begin by identifying the groups that require access, the location of the resources to be accessed, and any other restrictions, such as organizational rules that may prohibit access by certain departments.

Plan for Growth and Flexibility Within the Organization

Make sure the domain name and OU structure you choose will accommodate possible growth, acquisitions, or reorganizations.

Slide Objective: To show that the administrative structure and security needs of an organization should determine domain and OU design.
Lead-in: When preparing a domain design, carefully consider the administrative structure and the authority of delegation of the business or organization.
Key Points: The administrative model of a business should determine the domain design, rather than the actual organizational structure of the business. For more information about the reasons why a business or organization could require multiple domains, direct students to module 7, "Designing a Multiple-Domain Structure" in course 1561B, Designing a Microsoft Windows 2000 Directory Services Infrastructure.

Designing the Initial Active Directory Domain

[Slide: the first domain, nwtraders.msft, in Active Directory, containing a hierarchy of OUs]

The first domain created in Active Directory is the root domain of the entire forest. The first domain is also referred to as the forest root. The forest root contains the configuration and schema information for the forest.

The life of a domain should range from three to five years. To ensure the longevity of your domain structure, include your organization's growth projections and reorganization plans in the Active Directory design.

Naming the Domain

Transitive trusts are established between the forest root and root domains of other domains in the forest, and therefore, it is important to plan an easy-to-use and descriptive name for the forest root. The name of the first domain cannot be altered once it is created. The domain name should broadly identify your organization, because if you create additional domains in the future, any child domains created from the root domain will derive their names from the initial root domain. For example, if you create a root domain named contoso.msft and add a domain under the root domain named Marketing, the new domain will be named marketing.contoso.msft.

Remember that the OU structure should reflect the administrative structure and not the organizational structure of the organization because the organizational chart will be of no use to the administrators who will be using the OU structure.
Slide Objective: To illustrate the design of a domain structure in Active Directory.
Lead-in: The domain is the core administrative unit in Active Directory.
Key Points: The first domain is the root of the forest. Choose a name that is permanent enough to reflect the organization adequately and flexible enough to be included in the names of possible child domains. Choose the administrative strategy to use prior to creating the first domain.

Planning for Security Groups

- Deciding Which Security Group to Use
- Planning for Nested Groups
- Design Guidelines
- Discussion: Designing Security Groups

Security groups organize individual user or computer objects for security purposes. The scope of a group dictates who can belong to the group and what permissions that group can be assigned. When designing your OU structure, you will need to consider placement of resources within the OU and the creation and placement of security groups to grant access to these resources.

Slide Objective: To identify how security groups are used to support OU designs.
Lead-in: Security groups allow you to set permissions.

[...]

... universal groups when needed, and global and universal groups in domain local groups, and then grant permissions to domain local groups.

4. Why is the naming of the first Active Directory domain important?
The names of all child domains in an Active Directory domain are derived from the root domain. Because the name of the first domain cannot be altered once...

Review

- Identifying Business Needs
- Designing the Initial Active Directory Domain
- Planning for Security Groups
- Planning for OUs

Slide Objective: To reinforce module objectives by reviewing key points.
Lead-in: The review questions cover some of the key concepts taught in the module.

1. What guidelines should you consider before designing an Active Directory.
.. Worldwide HR Managers

Group | Type | Members
Benefit info changers | Domain Local | Tokyo Benefits, Tokyo HR managers
Benefit forms full | Domain Local | Tokyo Server Administrators
Benefit forms read | Domain Local | All Tokyo Employees, Worldwide HR Managers
Benefit forms change | Domain Local | Tokyo Benefits, Tokyo HR managers

(continued)

Group | Type | Members
Vendor contracts full | Domain Local | ...

Deciding Which Security Group to Use

Slide Objective: To explain how to plan for security groups.

Universal Group
- Members from any domain in the forest
- Use for access to resources in any domain

Lead-in: Security groups are the single most important...

... flexibility and less complex administration

- Delegate the authority to manage group memberships
  This allows the resource owners to manage access to their resource in the domain local groups, and assistant administrators to manage the membership of global groups. However, only Enterprise Admins can manage the membership of universal groups.

Discussion: Designing ...

... organization

Based on your evaluations, make any necessary changes to your OU design so that it supports all administrative needs of your organization.

Lab A: Designing a Group and Organizational Unit Strategy

Slide Objective: To introduce the lab.
Lead-in: In this lab, you will create the structure of a single domain based on organizational, Group Policy, and...

... own domain only
- Members from own domain only
- Use for access to resources in any domain

Domain Local Group
- Members from any domain in the forest
- Use for access to resources in one domain
Key Points: Security groups are the units for assigning and maintaining...

Group | Type | Members
... contracts read | Domain Local | Worldwide HR Managers
Vendor contracts change | Domain Local | Tokyo Benefits, Tokyo HR Managers
401K full | Domain Local | Tokyo Server Administrators
401K read | Domain Local | Tokyo HR Managers, Tokyo Payroll
401K change | Domain Local | Tokyo 401K
Medical full | Domain Local | Tokyo Server Administrators
Medical read | Domain Local | Tokyo HR Managers, Tokyo Payroll clerks
Medical change | Domain Local | ...

... to grant all HR users in both domains change permission to the benefits database?
Add the Paris global group and the Chicago global group to a universal group. Add the universal group to a domain local group in the Chicago domain that has change permission to the benefits database.

Planning...

... domain, other trusted domains, and universal groups.

When planning for domain local groups, consider the following:

- Domain local groups are replicated throughout a domain. Therefore, you will want to keep membership size small and take advantage of nested groups.
- Permissions should be assigned to domain local groups.
- Domain local groups can contain members from any domain, but can only be referenced .

Date posted: 17/01/2014, 09:20
