Register for Free Membership to solutions@syngress.com

Over the last few years, Syngress has published many best-selling and critically acclaimed books, including Tom Shinder’s Configuring ISA Server 2004, Brian Caswell and Jay Beale’s Snort 2.1 Intrusion Detection, and Angela Orebaugh and Gilbert Ramirez’s Ethereal Packet Sniffing. One of the reasons for the success of these books has been our unique solutions@syngress.com program. Through this site, we’ve been able to provide readers a real-time extension to the printed book.

As a registered owner of this book, you will qualify for free access to our members-only solutions@syngress.com program. Once you have registered, you will enjoy several benefits, including:

Four downloadable e-booklets on topics related to the book. Each booklet is approximately 20-30 pages in Adobe PDF format. They have been selected by our editors from other best-selling Syngress books as providing topic coverage that is directly related to the coverage in this book.

A comprehensive FAQ page that consolidates all of the key points of this book into an easy-to-search web page, providing you with the concise, easy-to-access data you need to perform your job.

A “From the Author” Forum that allows the authors of this book to post timely updates and links to related sites, or additional topic coverage that may have been requested by readers.

Just visit us at www.syngress.com/solutions and follow the simple registration process. You will need to have this book with you when you register.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there is anything else we can do to make your job easier.
Melissa M. Meyer
Michael Cross
Hal Kurz
Brian Barber
How to Cheat at
Designing a Windows Server 2003
Active
Directory
Infrastructure
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 HJIRTCV764
002 PO9873D5FG
003 829KM8NJH2
004 HH48996VHI
005 CVPLQ6WQ23
006 VBP965T5T5
007 HJJJ863WD3E
008 2987GVTWMK
009 629MP5SDJT
010 IMWQ295T6T
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
How to Cheat at Designing a Windows Server 2003 Active Directory Infrastructure

Copyright © 2006 by Syngress Publishing, Inc. All rights reserved. Printed in Canada. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in Canada
1 2 3 4 5 6 7 8 9 0
ISBN: 159749058X
Publisher: Andrew Williams
Acquisitions Editor: Jaime Quigley
Technical Editor: Neil Ruston
Copy Editors: Darlene Bordwell, Beth A. Roberts, Joel Rosenthal
Page Layout and Art: Patricia Lupien
Cover Designer: Michael Kavish
Indexer: Richard Carlson
Distributed by O’Reilly Media, Inc. in the United States and Canada.
For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights,
at Syngress Publishing; email or fax to 781-681-3585.
Acknowledgments
Syngress would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc. The enthusiasm and work ethic at O’Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, Karen Montgomery, and Patrick Dirden.

The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.
Technical Editors
Neil Ruston (MCSE, CNE-4) is an IT consultant with more than 10 years of IT experience. He is currently based at one of the world’s largest investment banks in London, England. He specializes in the planning and design phases of large-scale Active Directory and Windows-related technologies within a banking environment. Previously, Neil worked at another large investment bank, as an employee of Perot Systems Europe. He has also worked in Dallas at the Perot Systems headquarters, where he helped design solutions for other Perot customers, as well as for Perot’s own internal Windows infrastructure.

Neil also operates as an independent consultant, and supplies services to other businesses in and around the London area. He has contributed to several Windows and Active Directory related publications in both technical editor and authoring roles.

Neil would like to dedicate his work to his wife, Deanne, and children, George and Charlotte, who all endured his many days and nights locked away while working on this book.

Jeffery A. Martin (MCSE, MCDBA, MCT, MCP+I, MCNE, CNI, CCNP, CCI, CCA, CTT, A+, Network+, I-Net+, Project+, Linux+, CIW, ADPM) has been working with computer networks for over 15 years. Jeffery spends most of his time managing several companies, including an information technology consulting firm. He also enjoys working as a technical instructor, training others in the use of technology.
Contributing Authors

Brian Barber (MCSE, MCP+I, MCNE, CNE-5, CNE-4, CNA-3, CNA-GW) is coauthor of Syngress Publishing’s Configuring Exchange 2000 Server (ISBN: 1-928994-25-3), Configuring and Troubleshooting Windows XP Professional (ISBN: 1-928994-80-6), and two study guides for the MCSE on Windows Server 2003 track (exams 70-296 [ISBN: 1-932266-57-7] and 70-297 [ISBN: 1-932266-54-2]). He is a Senior Technology Consultant with Sierra Systems Consultants Inc. in Ottawa, Canada. He specializes in IT service management and technical and infrastructure architecture, focusing on systems management, multiplatform integration, directory services, and messaging. In the past he has held the positions of Senior Technical Analyst at MetLife Canada and Senior Technical Coordinator at the LGS Group Inc. (now a part of IBM Global Services).

Melissa M. Meyer is enrolled to practice before the IRS. Melissa has held positions as a director of a Fortune 500 company and as an enterprise consultant. She is a member of MENSA and holds a bachelor’s degree from the University of Michigan. Together with her husband, Melissa provides the guidance for the investment and accounting activities of Dane Holdings, Inc. She holds licenses and/or registrations in: life insurance, annuities, health insurance, variable life insurance, variable annuities, and income tax preparation.

Michael Cross (MCSE, MCP+I, CNA, Network+) is an Internet Specialist/Computer Forensic Analyst with the Niagara Regional Police Service (NRPS). He performs computer forensic examinations on computers involved in criminal investigation. He also has consulted and assisted in cases dealing with Internet and computer related crimes. In addition to designing and maintaining the NRPS
Web site at www.nrps.com and the NRPS intranet, he has provided support in the areas of programming, hardware, and network administration. As part of an information technology team that provides support to a user base of more than 800 civilian and uniform users, he has a theory that when the users carry guns, you tend to be more motivated in solving their problems.

Michael also owns KnightWare (www.knightware.ca), which provides computer-related services such as Web page design, and Bookworms (www.bookworms.ca), where you can purchase collectibles and other interesting items online. He has been a freelance writer for several years, and he has been published more than three dozen times in numerous books and anthologies. He currently resides in St. Catharines, Ontario, Canada, with his lovely wife, Jennifer, his darling daughter, Sara, and charming son, Jason.

Hal Kurz (MCSE, CCDP, CCNP, CCDA, CCNA) is CIO of Innovative Technology Consultants and Company, Inc. (www.itc-cinc.com), a computer consulting and training company located in Miami, FL. He is also a chief technologist for ITC-Hosting (www.itc-hosting.com), a Web hosting and Web-based application development company. He holds Microsoft MCSE certifications for Windows 2000 and Windows NT 4.0. He is currently gearing up for his CCIE lab exam and was a contributor to the previous Syngress Publishing work MCSE/MCSA Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Study Guide & DVD Training System. Hal is a University of Florida engineering graduate with experience in VMS, Unix, Linux, OS/400, and Microsoft Windows. He lives in Miami with his wife, Tricia, and four children: Alexa, Andrew, Alivia, and Adam. Thank you, Tricia and kids, for all of your support!
Brian P. Mohr (MCSE+I, CNE, CCDA, LPI-1) is a Senior Consultant at Siemens Business Services, Inc. where his primary focus is Network Operating System design, which entails Microsoft Windows NT Domain design, Microsoft Windows 2000/2003 Active Directory design and Novell NDS design. Brian has contributed chapters to four books on Windows 2000 and Windows 2003. Brian served in the United States Air Force for twelve years as a Computer/Telecommunication Operator. He lives with his wife, Alice, and two daughters, Rebecca and Jennifer, in Philadelphia, PA.

Paul M. Summitt (MCSE, CCNA, MCP+I, MCP) has a master’s degree in mass communication. Paul has served as network, Exchange, and database administrator as well as Web and application developer. Paul has written on virtual reality and Web development and has served as technical editor for several books on Microsoft technologies. Paul lives in Columbia, Missouri with his life and writing partner, Mary.
Contents
Chapter 1 The Assessment Stage . . . . . . . . . . . . . . . . . . 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Assessing the Technical Environment . . . . . . . . . . . . . . . . . . .3
Administrative Models . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Components Used in the Logical Design of Active Directory . . . . . . . . . . . . . .4
The Current Model . . . . . . . . . . . . . . . . . . . . . . . . . .9
Identifying Limitations . . . . . . . . . . . . . . . . . . . . . . .11
Formulating New Candidate Models . . . . . . . . . . . . .13
Service Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Identifying Existing Service Levels . . . . . . . . . . . . . .16
Identifying Service Levels Requiring Change . . . . . .18
Hardware and Software Deployments . . . . . . . . . . . . . . .19
Performing a Hardware Inventory . . . . . . . . . . . . . . .19
Analyzing Hardware Requirements . . . . . . . . . . . . . .20
Performing a Software Inventory . . . . . . . . . . . . . . . .22
Analyzing Software Requirements . . . . . . . . . . . . . . .23
Interoperability Issues . . . . . . . . . . . . . . . . . . . . . . . . . .24
Identifying Current Interoperability Instances . . . . . .24
Assessing Additional Active Directory
Interoperability Requirements . . . . . . . . . . . . . . . . . .30
Assessing the Current Server Infrastructure . . . . . . . . . . . . .32
The Current Domain Model . . . . . . . . . . . . . . . . . . . . .32
Identifying Existing Windows Domain Installations . .32
Identifying the Current Domain Models . . . . . . . . . .33
Comparing Models with Your Envisaged Design . . . .38
Infrastructure Placement . . . . . . . . . . . . . . . . . . . . . . . .42
Documenting Existing Infrastructure Locations . . . . .44
Identifying Bottlenecks . . . . . . . . . . . . . . . . . . . . . . .44
Assessing DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Analyzing the Existing Namespaces . . . . . . . . . . . . . . . .46
Documenting All Namespaces . . . . . . . . . . . . . . . . . .48
Identifying and Providing Remediation for Potential Issues . . . . . . . . . . . . . . .48
Assessing the DNS Infrastructure . . . . . . . . . . . . . . . . . .50
Document DNS Server Locations . . . . . . . . . . . . . . .50
Analyzing Zone Configuration and Transfers . . . . . . .51
Identifying Supportability for Active Directory . . . . . . . .53
Assessing BIND Implementations . . . . . . . . . . . . . . .53
Identifying Non-Supported Aspects . . . . . . . . . . . . . .53
Assessing the Physical Network . . . . . . . . . . . . . . . . . . . . . .54
Analyzing the Topology . . . . . . . . . . . . . . . . . . . . . . . . .54
Developing Tools and Methods to Interrogate
the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Collating Routes, Links, and Bandwidths . . . . . . . . . .55
Collating Subnet Data . . . . . . . . . . . . . . . . . . . . . . .56
Creating a Network Map . . . . . . . . . . . . . . . . . . . . . . .56
Documenting Site and Subnet Boundaries . . . . . . . . .57
Drawing the Routes, Links, and Bandwidths Map . . .58
Analyze Network Performance . . . . . . . . . . . . . . . . . . .58
Documenting Current Baselines . . . . . . . . . . . . . . . .59
Identifying Issues and Constraints . . . . . . . . . . . . . . .59
Assessing the Impact of Proposed Designs . . . . . . . . . . . . . .60
Looking at the Existing Infrastructure . . . . . . . . . . . . . .60
Server Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . .61
Service Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Interoperability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Other Network Operating Systems . . . . . . . . . . . . . .61
Other Directories . . . . . . . . . . . . . . . . . . . . . . . . . . .62
The Physical Network . . . . . . . . . . . . . . . . . . . . . . . . . .63
Additional Demands . . . . . . . . . . . . . . . . . . . . . . . . .63
Identify Bottlenecks . . . . . . . . . . . . . . . . . . . . . . . . .63

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .67
Chapter 2 Developing the Active Directory
Infrastructure Designs . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Assessing and Designing the Administrative Model . . . . . . . .70
Service Administrators and Data Administrators . . . . . . .71
The Role of the Service Administrator . . . . . . . . . . .71
The Role of the Data Administrator . . . . . . . . . . . . .72
Understanding Isolation and Autonomy . . . . . . . . . . . . .73
Autonomy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Assessing and Defining the Forest Design . . . . . . . . . . . . . . .75
Forest Design Factors . . . . . . . . . . . . . . . . . . . . . . . . . .76
Organizational . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Operational . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Legal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Naming Considerations . . . . . . . . . . . . . . . . . . . . . .77
Timescales . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Management Overhead . . . . . . . . . . . . . . . . . . . . . . .78
Test Environments . . . . . . . . . . . . . . . . . . . . . . . . . .78
Externally Facing Environments . . . . . . . . . . . . . . . .79
Forest Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
The Service Provider Model . . . . . . . . . . . . . . . . . . .79
The Restricted Access Model . . . . . . . . . . . . . . . . . .80
The Resource Forest Model . . . . . . . . . . . . . . . . . . .81
The Organizational Model . . . . . . . . . . . . . . . . . . . .82
The Single Forest Model . . . . . . . . . . . . . . . . . . . . .83
Summary of Forest Models . . . . . . . . . . . . . . . . . . . .84
Ownership,Accountability, and Change Management . . .85
Sponsors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Owners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Change Management . . . . . . . . . . . . . . . . . . . . . . . .86
Assessing and Creating a Domain Design . . . . . . . . . . . . . . .88
Domain Design Factors . . . . . . . . . . . . . . . . . . . . . . . . .88
Geographic Separation . . . . . . . . . . . . . . . . . . . . . . .88
Network Limitations . . . . . . . . . . . . . . . . . . . . . . . .89
Service Autonomy . . . . . . . . . . . . . . . . . . . . . . . . . .90
Names and Hierarchies . . . . . . . . . . . . . . . . . . . . . . . . .91
General Considerations . . . . . . . . . . . . . . . . . . . . . . .91
Dedicated Root Domain . . . . . . . . . . . . . . . . . . . . .92
Additional Domains . . . . . . . . . . . . . . . . . . . . . . . . .93
The Dedicated Root Domain . . . . . . . . . . . . . . . . . . . .93
Using a Dedicated Root Domain . . . . . . . . . . . . . . .93
Nondedicated Domain . . . . . . . . . . . . . . . . . . . . . . .95
Regional Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Functional Domains . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Comparing Trees with Domains . . . . . . . . . . . . . . . . . .100
Single Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Multiple Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Single Domain Forest . . . . . . . . . . . . . . . . . . . . . . . . .103
Ownership and Responsibilities . . . . . . . . . . . . . . . . . .104
Developing the OU Model . . . . . . . . . . . . . . . . . . . . . . . .105
OU Design Factors . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Delegation and Admin Models . . . . . . . . . . . . . . . .106
Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Hiding Sensitive Objects . . . . . . . . . . . . . . . . . . . . .109
OU Design Models . . . . . . . . . . . . . . . . . . . . . . . . . . .111
Geographic Models . . . . . . . . . . . . . . . . . . . . . . . . .111
Functional Models . . . . . . . . . . . . . . . . . . . . . . . . .112
Object Type Models . . . . . . . . . . . . . . . . . . . . . . . .113
Ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Developing the Replication Design . . . . . . . . . . . . . . . . . .115
Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .116
Resource Location . . . . . . . . . . . . . . . . . . . . . . . . .116
Replication Boundary . . . . . . . . . . . . . . . . . . . . . . .116
Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
Site Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
Cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Site Link Bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Connection Objects . . . . . . . . . . . . . . . . . . . . . . . . . .120
Automatic Connection Objects . . . . . . . . . . . . . . . .120
Manual Connection Objects . . . . . . . . . . . . . . . . . .121
Multimaster Replication . . . . . . . . . . . . . . . . . . . . . . .121
Knowledge Consistency Checker . . . . . . . . . . . . . . . . .122
Inter Site Topology Generator and Bridgehead Servers .123
SYSVOL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .125
File Replication System . . . . . . . . . . . . . . . . . . . . . . . .125
Topology Options . . . . . . . . . . . . . . . . . . . . . . . . . . . .125
Intra-Site Replication . . . . . . . . . . . . . . . . . . . . . . .125
Inter-Site Replication . . . . . . . . . . . . . . . . . . . . . . .126
Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Fully Meshed . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
Hub and Spoke . . . . . . . . . . . . . . . . . . . . . . . . . . .128
Hybrid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
Ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .133
Chapter 3 Developing the Network Services Design. . 135
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Developing the Network Services Infrastructure Designs . .136
Developing DNS Designs . . . . . . . . . . . . . . . . . . . . . .136
DNS Design Principles . . . . . . . . . . . . . . . . . . . . . .138
Design Features . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Developing WINS Designs . . . . . . . . . . . . . . . . . . . . .160
Design Principles . . . . . . . . . . . . . . . . . . . . . . . . . .161
Design Features . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Phasing Out WINS . . . . . . . . . . . . . . . . . . . . . . . .165
Developing DHCP Approach . . . . . . . . . . . . . . . . . . .165
DHCP Background . . . . . . . . . . . . . . . . . . . . . . . .166
DHCP Design Principles . . . . . . . . . . . . . . . . . . . .168
DHCP Design Features . . . . . . . . . . . . . . . . . . . . . .171
Integration with Existing Deployments . . . . . . . . . .176
Developing Remote Access Strategy . . . . . . . . . . . . . . .177
Design Principles . . . . . . . . . . . . . . . . . . . . . . . . . .177
Integrating with Existing Deployments . . . . . . . . . .179
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .184
Chapter 4 Designing the Logical Components . . . . . . 187
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
Defining Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
Why Standardize? . . . . . . . . . . . . . . . . . . . . . . . . . . . .190
The Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190
Administrative Overhead . . . . . . . . . . . . . . . . . . . . .190
Understanding the Scope of the Standards . . . . . . . . . .191
Enterprisewide . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Forestwide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Domainwide . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193
What Should You Standardize? . . . . . . . . . . . . . . . . . . .193
Usernames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193
Machine Names . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Group Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Other Object Types . . . . . . . . . . . . . . . . . . . . . . . .196
Defining the Forest Structure, Hierarchy, and
Naming Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Structure and Hierarchy . . . . . . . . . . . . . . . . . . . . . . . .197
Collaboration . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Naming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201
Internal Versus External Names . . . . . . . . . . . . . . . .201
How Many Domains? . . . . . . . . . . . . . . . . . . . . . . . . .202
Naming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
The Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Assessing and Defining a Migration Path . . . . . . . . . . .207
In-Place Upgrades . . . . . . . . . . . . . . . . . . . . . . . . .207
Restructuring Domains . . . . . . . . . . . . . . . . . . . . . .209
Migrating to Pristine Environment . . . . . . . . . . . . .210
Defining Authentication Mechanisms . . . . . . . . . . . . . . . . .211
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
The Client Community . . . . . . . . . . . . . . . . . . . . .211
NTLM and Kerberos . . . . . . . . . . . . . . . . . . . . . . .212
Trusts and Collaboration . . . . . . . . . . . . . . . . . . . . . . .217
Between Forests . . . . . . . . . . . . . . . . . . . . . . . . . . .217
Other Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220
Trusts Within a Forest . . . . . . . . . . . . . . . . . . . . . . .220
Designing the Organizational Unit Model . . . . . . . . . . . . .221
Delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222
Delegating by Function . . . . . . . . . . . . . . . . . . . . . .222
Delegating by Geography . . . . . . . . . . . . . . . . . . . .223
Delegating by Object Type . . . . . . . . . . . . . . . . . . .223
Ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Responsibility of Owners . . . . . . . . . . . . . . . . . . . .224
Assign Owners . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Impact on OU Design . . . . . . . . . . . . . . . . . . . . . .229
Defining the Group Policy Object Approach . . . . . . . . . . .229
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
The OU Model . . . . . . . . . . . . . . . . . . . . . . . . . . .231
What Do We Hope to Achieve? . . . . . . . . . . . . . . .232
How Many, and Where Applied? . . . . . . . . . . . . . . .232
Delegating the Group Policy . . . . . . . . . . . . . . . . . . . .233
Centralized Management . . . . . . . . . . . . . . . . . . . .234
Distributed Management . . . . . . . . . . . . . . . . . . . . .235
Mandatory Policy Settings . . . . . . . . . . . . . . . . . . . . . .239
Default Domain Policy . . . . . . . . . . . . . . . . . . . . . .239
The Default Domain Controllers Policy . . . . . . . . .241
Other Policy Settings . . . . . . . . . . . . . . . . . . . . . . . . . .243
User Policy Settings . . . . . . . . . . . . . . . . . . . . . . . .244
Machine Policy Settings . . . . . . . . . . . . . . . . . . . . .244
Exploring Groups and Roles . . . . . . . . . . . . . . . . . . . . . . .244
Delegation Using Groups . . . . . . . . . . . . . . . . . . . . . .245
Data Access Groups . . . . . . . . . . . . . . . . . . . . . . . . .245
Administrative Access Groups . . . . . . . . . . . . . . . . .246
Understanding User Roles . . . . . . . . . . . . . . . . . . . . . .247
Identifying Roles . . . . . . . . . . . . . . . . . . . . . . . . . .247
Creating and Managing Roles . . . . . . . . . . . . . . . . .250
Defining Replication Topology . . . . . . . . . . . . . . . . . . . . .250
New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
Collating Network Data . . . . . . . . . . . . . . . . . . . . . . .251
Identifying Active Directory Sites and Subnets . . . . .252
Selecting a Replication Topology . . . . . . . . . . . . . . . . .259
Creating a Replication Diagram . . . . . . . . . . . . . . .260
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .264
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .266
Chapter 5 Name Resolution. . . . . . . . . . . . . . . . . . . . . 271
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272
Understanding DNS Design . . . . . . . . . . . . . . . . . . . . . . .272
The Namespace . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
Active Directory Hosting the Only
DNS Namespace . . . . . . . . . . . . . . . . . . . . . . . . . .277
Active Directory Hosting its Own
DNS Namespace . . . . . . . . . . . . . . . . . . . . . . . . . .279
Active Directory Within an Existing DNS Implementation . . . . . . . . . . . . . . .280
Interoperability . . . . . . . . . . . . . . . . . . . . . . . . . . . .281
DNS Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283
Zone Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . .284
Identifying DNS Record Requirements . . . . . . . . .285
Identify Zone Requirements . . . . . . . . . . . . . . . . . .291
Identify Zone Placement . . . . . . . . . . . . . . . . . . . . .292
Active Directory Integrated versus Primary Zones . .295
Storing Zones in Application Partitions . . . . . . . . . .297
Delegation and Security . . . . . . . . . . . . . . . . . . . . .298
DNS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
Interoperability with WINS and DHCP . . . . . . . . .309
Understanding WINS Design . . . . . . . . . . . . . . . . . . . . . .311
Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .311
Ensuring Unique NetBIOS Names . . . . . . . . . . . . .312
WINS Topologies and Replication across the Enterprise . . . . . .313
Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313
Replication Frequency . . . . . . . . . . . . . . . . . . . . . .313
Replication Designs . . . . . . . . . . . . . . . . . . . . . . . .313
Advanced WINS Optimization . . . . . . . . . . . . . . . .317
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .323
Chapter 6 Remote Access and Address Management 325
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Remote Access Service Servers . . . . . . . . . . . . . . . . . . . . .326
The Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . .328
Identifying Remote Access Users, Machines, and Locations . . . . . . . . . . .328
Assessing and Defining a Remote Access Method . .329
Assessing and Defining the Authentication Requirements . . . . . . . . . . . .333
The Implementation . . . . . . . . . . . . . . . . . . . . . . . . . .338
Active Directory Implications . . . . . . . . . . . . . . . . .350
Defining Security Policies . . . . . . . . . . . . . . . . . . . .350
Identifying an Authentication and Accounting Strategy . . . . . . . . . . . . .361
Defining the Audit Strategy . . . . . . . . . . . . . . . . . . .363
IP Address Management and DHCP . . . . . . . . . . . . . . . . .369
Address Assignments . . . . . . . . . . . . . . . . . . . . . . . . . .381
DHCP Security Considerations . . . . . . . . . . . . . . . . . .382
DNS Integration and Client Interoperability . . . . . .385
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .386
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .386
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .388
Chapter 7 Service Sizing and Placement . . . . . . . . . . . 391
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392
The Planning Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393
Logon Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393
Self-Sufficient Locations . . . . . . . . . . . . . . . . . . . . .397
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .398
Service Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . .399
Replication Overhead . . . . . . . . . . . . . . . . . . . . . . .399
Active Directory Aware Applications . . . . . . . . . . . .400
User Populations . . . . . . . . . . . . . . . . . . . . . . . . . . .400

The Implementation Plan . . . . . . . . . . . . . . . . . . . . . .401
Developing a Service Placement Algorithm . . . . . . .401
Create a Project Plan . . . . . . . . . . . . . . . . . . . . . . .406
Sizing and Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . .407
Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . .407
Sizing Domain Partitions . . . . . . . . . . . . . . . . . . . .407
Application Directory Partitions . . . . . . . . . . . . . . .413
Domain Controller Sizing and Specification . . . . . . . . .413
Choosing a Specification . . . . . . . . . . . . . . . . . . . . .414
Placement Considerations . . . . . . . . . . . . . . . . . . . .416
The Promotion Strategy . . . . . . . . . . . . . . . . . . . . .418
Global Catalog Server Sizing and Specification . . . . . . .426
Additional Requirements . . . . . . . . . . . . . . . . . . . .426
Placement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .427
DNS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .429
Specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .429
Flexible Single Master Operations Roles . . . . . . . . . . .430
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .430
Placement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .436
Failover and Recovery . . . . . . . . . . . . . . . . . . . . . .440
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .449
Chapter 8 The Physical Design. . . . . . . . . . . . . . . . . . . 451
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .452
Networking and Routing . . . . . . . . . . . . . . . . . . . . . . . . .452
Internet Connectivity . . . . . . . . . . . . . . . . . . . . . . . . .452
Domain Name Registration . . . . . . . . . . . . . . . . . .455
Segmenting the Intranet from the Internet . . . . . . . .455
Network Topology Definitions . . . . . . . . . . . . . . . . . . .457

Bus Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . .457
Ring Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . .458
Star Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459
Segmenting the Organization into Subnets . . . . . . .460
Addressing and DHCP . . . . . . . . . . . . . . . . . . . . . .460
Router Placement . . . . . . . . . . . . . . . . . . . . . . . . .466
The Network Perimeter . . . . . . . . . . . . . . . . . . . . .468
Designing Requirements for Remote Access Infrastructures . . . . . . . . . . .469
Design Requirements . . . . . . . . . . . . . . . . . . . . . . . . .470
Perimeter Requirements . . . . . . . . . . . . . . . . . . . . . . .470
Extranet Requirements . . . . . . . . . . . . . . . . . . . . . . . .471
Intranet Authentication Requirements . . . . . . . . . . . . .472
Windows Authentication . . . . . . . . . . . . . . . . . . . . . . .472
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .473
RADIUS Policies . . . . . . . . . . . . . . . . . . . . . . . . . .474
Determining Sizing and Availability of Remote Access Infrastructure . . . . . . .475
Sizing Remote Access Components . . . . . . . . . . . . . . .475
Placing Remote Access Components . . . . . . . . . . . . . .475
Providing Scalability,Availability, and Failover . . . . . . . .476
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .478
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .479
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .481
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Chapter 1 The Assessment Stage

Solutions in this chapter:

Analyze the impact of Active Directory on the existing technical environment.
Analyze hardware and software requirements.
Analyze interoperability requirements.
Analyze current level of service within an existing technical environment.
Analyze current network administration model.
Analyze network requirements.
Analyze DNS for Active Directory directory service implementation.
Analyze the current DNS infrastructure.
Analyze the current namespace.
Analyze existing network operating system implementation.
Identify the existing domain model.
Identify the number and location of domain controllers on the network.
Identify the configuration details of all servers on the network. Server types might include primary domain controllers, backup domain controllers, file servers, print servers, and Web servers.
Identify network topology and performance levels.
Identify constraints in the current network infrastructure.
Interpret current baseline performance requirements for each major subsystem.
Analyze the impact of the infrastructure design on the existing technical environments.
Analyze hardware and software requirements.
Analyze interoperability requirements.
Analyze current level of service within the existing technical environment.
Analyze network requirements.
Introduction

Before the design of any system implementation can begin, you must first assess the environment into which that system is to be deployed. This holds especially true for Active Directory (AD). Active Directory has the potential to affect every facet of your IT infrastructure and every team involved with IT, even in the largest of enterprises. Active Directory deployments can affect the physical network topology, network bandwidth and resilience, IP addressing, name resolution hierarchies, administrative procedures, administrative models, and security policies, to name but a few.
This first chapter helps you to better understand which aspects of your environment are affected by Active Directory, and how to assess whether your IT environment is ready for an Active Directory deployment.
We start with the assessment of the technical environment. This includes an analysis of the current administrative model, service levels, existing hardware and software deployments, and any interoperability issues that need to be considered.
Next we move on to the server environment and analyze the current domain model, the placement and number of domain controllers (DCs) and other infrastructure servers (including WINS and DHCP), and create a detailed inventory of all installed servers, including file, print, and Web servers.
The assessment phase then moves on to DNS. Here we analyze the existing DNS implementation and its hierarchy, and assess whether it is ready to support Active Directory.
Finally, the physical network must be scrutinized. Versions of Windows prior to Windows 2000 did not rely on an understanding of the underlying network topology to function correctly. This is not the case with Active Directory: information can be replicated between domain controllers in an efficient and timely fashion only if the network topology is understood and Active Directory's site configuration is made to match it.
Assessing the Technical Environment
Preparation is the key to designing the structure of Active Directory and the network infrastructure used by Windows Server 2003. Long before you even unwrap the installation CD from its packaging, you should have a thorough understanding of the current network and the organization in which it is used. The hardware, software, and operating systems used on a network can impact your design, and determine whether changes need to be made before Windows Server 2003 is deployed. By analyzing the technical environment and the company's structure, you can craft a network that will meet the needs of your organization.
In the sections that follow, we'll review the components that make up Active Directory (AD), and see how they are used to mirror the structure of your organization. We'll discuss how the administrative model and geographic layout of a company can affect your design of AD, and examine issues that need to be addressed before installing Windows Server 2003 on the network. By performing this assessment of the existing environment, you will be well on your way to devising an effective deployment plan.
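The inventory called for in the introduction and in this section (the domain model, the number and placement of domain controllers, site and subnet coverage, DNS readiness, and the operating system running on each DC) can be collected in one pass from an administrative workstation. The script below is an added example and is not from the book, which predates the PowerShell ActiveDirectory module. It assumes the RSAT ActiveDirectory module is installed, that at least one domain controller exposes Active Directory Web Services (or, on Windows Server 2003/2008 DCs, the Active Directory Management Gateway Service), and that the account running it can read the directory and query DNS. The warnings it raises are the findings an assessment should flag: sites without a DC authenticate across a WAN link, and subnets not tied to a site put clients into Default-First-Site-Name, so neither logon traffic nor replication follows the real topology.

```powershell
# Added example (not from the book): one-pass inventory of an existing domain
# before an Active Directory design change. Assumes the RSAT ActiveDirectory
# module and a reachable DC running ADWS / AD Management Gateway Service.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Functional levels and FSMO role holders: the current domain model in one view
[pscustomobject]@{
    Forest               = $forest.Name
    ForestMode           = $forest.ForestMode
    DomainMode           = $domain.DomainMode
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Every domain controller: site, address, OS version, global catalog, read-only
$dcs = Get-ADDomainController -Filter *
$dcs |
    Select-Object Name, Site, IPv4Address, OperatingSystem, IsGlobalCatalog, IsReadOnly |
    Sort-Object Site, Name |
    Format-Table -AutoSize

# Sites that hold no DC will send every logon across a site link
$sitesWithDc = $dcs.Site | Sort-Object -Unique
Get-ADReplicationSite -Filter * |
    Where-Object { $_.Name -notin $sitesWithDc } |
    ForEach-Object { Write-Warning "Site '$($_.Name)' has no domain controller" }

# Subnets with no site association: clients there fall into Default-First-Site-Name
Get-ADReplicationSubnet -Filter * |
    Where-Object { -not $_.Site } |
    ForEach-Object { Write-Warning "Subnet $($_.Name) is not assigned to any site" }

# Site links, their cost and replication interval, and the sites they join
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ Name = 'Sites'; Expression = { $_.SitesIncluded -join ', ' } } |
    Format-Table -AutoSize

# DNS readiness: clients locate DCs through these SRV records, so they must resolve
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV |
    Select-Object NameTarget, Port, Priority, Weight |
    Format-Table -AutoSize
```

Run it once per domain in the forest and keep the output with the assessment records; the DC list doubles as the starting point for the server inventory, and a Resolve-DnsName failure on the _msdcs SRV query is the first sign that the existing DNS is not ready to support Active Directory.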
Administrative Models
Even in the smallest of businesses, there are those who make the decisions and those who follow them (even if they make no sense). This command structure becomes more complex as the business gets larger. Staff will be assigned to different departments, which fall under the jurisdiction of people in other departments, who answer to divisions of management, who ultimately answer to senior management. In some cases, the company may be further broken into branch offices or divisions that reside in different geographic locations, or are separated for business, political, or security reasons. Because the structure and chain of command of one business will vary from those of others, it is important to understand the administrative model being used before designing Active Directory.
An administrative model describes the organization of a company, and shows how it is managed. As is seen in a company's organizational chart, an administrative model is a logical structure. In other words, it doesn't tell you where the vice president's office is located, only