Active Directory Forests and Domains

-13th of August 2009

This text contains notes and links to sources for further reading. It touches on forest and domain structures for Active Directory, considerations for planning them, and considerations for managing and administrating delegation in the domain. These notes are meant as a simple overview of these topics; further reading is recommended for a deeper study.

1. When planning the forest and domain structure of Active Directory for a company, the following requirements should be taken into account:

*Organizational structural requirements
*Operation requirements
*Legal Requirements
*Limited connectivity requirements

An understanding of these requirements is essential to the forest and domain structure of Active Directory.
->More about this subject.

2. Isolation and autonomy requirements are also important aspects when considering forest and domain structures. They break down into four categories:

*Service Autonomy - non-exclusive service control
*Data Autonomy - non-exclusive data control
*Service Isolation - exclusive service control for intended individuals
*Data Isolation - exclusive data control for intended individuals

With these four areas considered, the next question is how many forests are required.
->More about this subject.

3. When the above information has been collected and considered, the forest model is the next thing to evaluate. Microsoft defines three forest models:

*Organizational forest model - service autonomy, service isolation and data isolation
*Resource forest model - service and resource isolation
*Restricted access forest model - data isolation

Many aspects go into choosing the forest model.
->More about this subject.

4. In addition, when planning administrative delegation in Active Directory, the areas of focus are as follows:

*Organizational structure requirements
*Operational requirements
*Legal requirements
*Administrative requirements
*Organization size
*Consideration of service management
*Consideration of data management
*Consideration of the geographical infrastructure
*Consideration of the business infrastructure
*Consideration of the technical infrastructure

Relevant information is noted here, but for a deeper understanding it is recommended to follow the links in the text to further sources that cover these subjects.

5. Finally, the domain model and the number of domains required are evaluated. Microsoft defines two domain models:

*Single domain model
*Regional domain model

Within these domain models, the number of domains to implement must be decided, along with whether to upgrade existing domains or deploy new ones, and whether to use a dedicated forest root domain or a regional forest root domain. Forest and domain functional levels also have to be considered.
->More about this subject.

Source: Windows Server Enterprise Administration. ISBN: 9780735625099

Active Directory Trust Relationships

-26th of October 2013

Configure DNS before setting up trusts.
For two forests to trust each other, they must be able to resolve each other's domain names. Here follows a quick, simplified guide on how to set this up.
1. Open DNS Manager on the first domain controller in the first domain (sccmlab.local here).
2. Right-click Forward Lookup Zones and choose New Zone.
3. In the wizard that appears ("Welcome to the New Zone Wizard"):
   a) choose Stub Zone for Zone Type,
   b) enter the DNS suffix of the other domain to trust on the Zone Name page (ad4.local here),
   c) and enter the IP address of the Master DNS Server ( here).
4. Select the "Use The Above List Of Servers To Create A Local List of Master Servers" check box when that option appears.
On the other domain controller in the other domain (ad4.local here):
1. Open DNS Manager.
2. Right-click the Conditional Forwarders folder and choose New Conditional Forwarder.
3. In the wizard that appears:
   a) type the domain name of the first domain in the DNS Domain box (sccmlab.local here),
   b) add the IP of the DNS server/AD domain controller where applicable,
   c) then select "Store this Conditional Forwarder in Active Directory, And Replicate It As Follows." Choose "All DNS Servers in Forest" and click OK.
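The same stub zone and conditional forwarder, done with the DnsServer PowerShell module instead of the DNS Manager wizard, followed by the resolution check that should pass before any trust is attempted. This is an added example, not part of the original notes or the book they cite; it assumes Windows Server 2012 or later (the DnsServer module), remote management to both DCs via -ComputerName, and the placeholder IP addresses below. The domain names are the ones used in the notes.

```powershell
# Added example (not from the original notes). Assumptions: DnsServer module
# (Windows Server 2012+), WinRM/CIM access to both DCs, placeholder IPs.
$FirstDomain  = 'sccmlab.local'   # domain name from the notes
$SecondDomain = 'ad4.local'       # domain name from the notes
$FirstDc      = '10.0.1.10'       # placeholder: DC/DNS server in sccmlab.local
$SecondDc     = '10.0.2.10'       # placeholder: DC/DNS server in ad4.local

# On the sccmlab.local DC: stub zone for ad4.local. A stub zone holds only the
# SOA/NS/glue records of ad4.local and refreshes the list of authoritative
# servers from the master, which is what the "Use The Above List Of Servers To
# Create A Local List of Master Servers" option in the wizard does.
Add-DnsServerStubZone -ComputerName $FirstDc -Name $SecondDomain `
    -MasterServers $SecondDc -ReplicationScope 'Forest'

# On the ad4.local DC: conditional forwarder for sccmlab.local, stored in AD and
# replicated to all DNS servers in the forest ("Store this Conditional
# Forwarder in Active Directory" / "All DNS Servers in Forest" in the wizard).
Add-DnsServerConditionalForwarderZone -ComputerName $SecondDc -Name $FirstDomain `
    -MasterServers $FirstDc -ReplicationScope 'Forest'

# Check: each side must resolve the other forest's DC locator SRV records.
# The trust wizard cannot contact the other domain while this lookup fails,
# so verify here before opening Active Directory Domains and Trusts.
function Test-ForestDnsPath {
    param(
        [string]$RemoteDomain,    # forest whose DCs we need to find
        [string]$LocalDnsServer   # DNS server of the forest we are on
    )
    try {
        $rec = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" `
                   -Type SRV -Server $LocalDnsServer -ErrorAction Stop
        $dcs = ($rec | Where-Object Type -eq 'SRV').NameTarget -join ','
        [pscustomobject]@{ Domain = $RemoteDomain; Resolves = $true;  Detail = $dcs }
    } catch {
        [pscustomobject]@{ Domain = $RemoteDomain; Resolves = $false; Detail = $_.Exception.Message }
    }
}

Test-ForestDnsPath -RemoteDomain $SecondDomain -LocalDnsServer $FirstDc   # as seen from sccmlab.local
Test-ForestDnsPath -RemoteDomain $FirstDomain  -LocalDnsServer $SecondDc  # as seen from ad4.local
```

Both checks must report Resolves = True before moving on; a failure on one side usually means the conditional forwarder or stub zone on that side points at the wrong master server.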

Create a Trust Relationship
1. Open Active Directory Domains and Trusts on the first domain controller in the first domain (sccmlab.local here).
2. Right-click sccmlab.local and choose Properties. Then click the Trusts tab, click New Trust, click Next, and enter "AD4.local" in the Name box.
3. Select Forest Trust, click Next, then:
   a) select "Two-way" and click next,
   b) select "Both this domain and the specified domain" and click next,
   c) fill in the credentials to authenticate to the other domain and click next,
   d) select "Forest-wide authentication" and click next,
   e) select "Forest-wide authentication" again and click next,
   f) continue the wizard until you can choose "Yes, Confirm the outgoing trust" and click next,
   g) select "Yes, Confirm the incoming trust" and click next,
   h) then click Finish.
   i) You can now see the new trust in the sccmlab.local Properties box.
4. You can now see the new trust in the ad4.local Properties box in Active Directory Domains and Trusts on the ad4.local domain controller as well.
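The same two-way forest trust created from one side with the .NET System.DirectoryServices.ActiveDirectory classes (Windows has no built-in cmdlet for creating a trust), plus the checks a practitioner wants afterwards: that the secure channel verifies in both directions and which authentication scope is in effect. This is an added example, not part of the original notes or the book they cite; it assumes it is run on a DC in sccmlab.local by an Enterprise Admin, and that an Enterprise Admin credential for ad4.local is available when prompted. The domain names are the ones used in the notes.

```powershell
# Added example (not from the original notes). Assumptions: run as Enterprise
# Admin on a sccmlab.local DC; DNS between the forests already works.
Add-Type -AssemblyName System.DirectoryServices
$LocalForestName  = 'sccmlab.local'
$RemoteForestName = 'ad4.local'
$RemoteCred = Get-Credential -Message "Enterprise Admin credential for $RemoteForestName"

# Bind to both forests. The remote bind is the "credentials to authenticate
# to the other domain" step of the wizard.
$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
if ($localForest.Name -ne $LocalForestName) {
    throw "Expected to run in forest $LocalForestName, but current forest is $($localForest.Name)"
}
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
    $RemoteForestName,
    $RemoteCred.UserName,
    $RemoteCred.GetNetworkCredential().Password)
$remoteForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

# Two-way forest trust created on both sides at once: "Two-way" plus
# "Both this domain and the specified domain" in the wizard.
$localForest.CreateTrustRelationship($remoteForest,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# Post-creation report. VerifyTrustRelationship throws if the secure channel
# cannot be established, so a failure is surfaced as Verified = False.
# SelectiveAuthentication = False corresponds to the "Forest-wide
# authentication" choice made in the wizard: every authenticated user of
# ad4.local can authenticate to sccmlab.local resources. Selective
# authentication instead requires an explicit "Allowed to authenticate"
# permission per resource, which is the narrower setting.
function Get-ForestTrustReport {
    param(
        [System.DirectoryServices.ActiveDirectory.Forest]$Forest,
        [System.DirectoryServices.ActiveDirectory.Forest]$TargetForest
    )
    $info = $Forest.GetTrustRelationship($TargetForest.Name)
    $verified = $true
    try {
        $Forest.VerifyTrustRelationship($TargetForest,
            [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)
    } catch {
        $verified = $false
        Write-Warning $_.Exception.Message
    }
    [pscustomobject]@{
        Source                  = $info.SourceName
        Target                  = $info.TargetName
        Type                    = $info.TrustType
        Direction               = $info.TrustDirection
        Verified                = $verified
        SelectiveAuthentication = $Forest.GetSelectiveAuthenticationStatus($TargetForest.Name)
    }
}

Get-ForestTrustReport -Forest $localForest -TargetForest $remoteForest
```

The report is the scripted equivalent of looking at the Trusts tab in the sccmlab.local Properties box; run the same function from the ad4.local side with the forests swapped to confirm step 4 above.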

Source: Configuring Windows Server 2008 Active Directory. ISBN: 978-0-470-22509-7

