
Designing a Windows Server 2003 Active Directory

Even though Active Directory design has become more forgiving of mistakes than it was with Windows 2000, it is still important to thoroughly examine the various aspects of your organization to design an infrastructure that aligns with your needs. This chapter will guide you toward the domain model that is right for you.

In This Chapter

  • Domain Design Overview

  • Choosing Your Domain Namespace

  • New Domain Design Features in Windows .NET Server 2003

  • Choosing Your Domain Structure

  • Single Domain Model

  • Multiple Subdomain Model

  • Multiple Trees in a Single Forest Model

  • Federated Forests Design Model

  • Peer-Root Domain Model

  • Placeholder Domain Model

  • Special-Purpose Domains

  • Renaming an Active Directory Domain

Domain Design Overview

Proper design of a Windows .NET Active Directory structure is a critical component in the successful deployment of the technology. Mistakes made in the design portion of Active Directory can prove to be costly and difficult to correct. Many assumptions about basic Active Directory domain and functional structure have been made, and many of them have been incorrect or based on erroneous information. Solid understanding of these components is vital, however, and anyone looking at Windows .NET should keep this point in mind.

Active Directory was specifically designed to be scalable. This means that theoretically organizations of every shape and size should be able to implement the technology. For obvious reasons, this means that the structure of the Active Directory forest will vary from organization to organization.

In Windows .NET Server 2003's Active Directory implementation, the ability to create cross-forest trusts has been added. This allows for the design of so-called federated forests, a new concept in .NET Server. Federated forests are basically multiple forests with separate schemas and separate administrative teams joined via a cross-forest transitive trust. This allows for greater scalability and enables administrators to keep security boundaries within an organization completely separate.

In addition, several design decisions that were previously irreversible in Windows 2000, such as forest name and relative domain structure, have been updated to allow changes to take place. Now you can rename your Active Directory domain structure if a merger or acquisition takes place. The psychological factor alone of having to make a decision and not being able to change it has kept some organizations away from deploying Active Directory in the past. Now that those barriers have been removed, more organizations will be able to deploy Active Directory without fear of being painted into a corner later.

Before any domain design decisions can be made, it is important to have a good grasp of Active Directory's domain structure and functionality. Windows 2000 administrators will recognize many of the key components, but some fairly major changes have been made in Windows .NET Server 2003 that require a reintroduction to the domain design process. In addition, real-world experience with AD domain design has changed some of the assumptions that were made previously.

This chapter focuses on best practices for Active Directory design, including a discussion of the specific elements that comprise Active Directory. Various domain design models for Active Directory are presented and identified with specific real-world scenarios. The domain rename procedure is outlined as well, to provide for an understanding of how the concept affects domain design decisions. In addition, step-by-step instructions are presented for several aspects of Windows .NET Server 2003 domain design that have significantly changed since Windows 2000.

Domain Trusts

Windows .NET Server 2003's Active Directory domains can be linked to each other through the use of a concept known as trusts. Many administrators in NT 4.0 remember trusts (although many would likely prefer to forget them). A trust is essentially a mechanism that allows resources in one domain to be accessible by authenticated users from another domain. As many administrators will recall, domain trusts in NT 4.0 were one way and not transitive. In other words, any resource sharing between multiple domains required numerous separate trust relationships. Trusts in Active Directory take a different approach than this "connect everything with trusts" approach. In Windows .NET Server 2003's Active Directory, trusts are both more powerful and simpler. AD trusts take on many forms but typically fall into one of the four categories described in the following sections.

Transitive Trusts

Transitive trusts are automatic two-way trusts that exist between domains in Active Directory. These trusts connect resources between domains in Active Directory and are different from Windows NT trusts in that the trusts flow through from one domain to the other. In other words, if Domain A trusts Domain B, and Domain B trusts Domain C, Domain A trusts Domain C. This flow greatly simplifies the trust relationships between Windows domains because it removes the need for a separate trust between every pair of domains, a number that grows rapidly as domains are added.

Explicit Trusts

An explicit trust is one that is set up manually between domains to provide a specific path for authentication sharing between domains. This type of trust relationship can be one way or two way, depending on the needs of the environment. By this definition, all trusts in NT 4.0 could have been called explicit trusts because they all are manually created and do not allow permissions to flow in the same way as transitive trusts do. The use of explicit trusts in Active Directory allows designers to have more flexibility and to be able to establish trusts with external and down-level domains. All trusts between Active Directory domains and NT domains are explicit trusts.

Shortcut Trusts

A shortcut trust is essentially an explicit trust that creates a shortcut between any two domains in a domain structure. For example, if a domain tree has multiple subdomains that are many layers deep, a shortcut trust can exist between two domains deep within the tree, similar to the shortcut trust shown in Figure 5.1. This relationship allows for increased connectivity between those two domains and decreases the number of hops required for authentication requests. Normally, those requests would have to travel up the transitive trust tree and back down again, thus increasing overhead.

Figure 5.1 Shortcut trusts minimize hops between domains.

The example in Figure 5.1 shows how a shortcut trust could theoretically be used to reduce the overhead involved in sharing resources between the two sales sub-subdomains in the companyabc.com tree. You can find more information on these trusts in the individual design model sections later in this chapter.

Cross-Forest Trusts

Although not an entirely new form of trust, cross-forest trusts are essentially two-way transitive trusts that exist between two disparate Active Directory forests. While explicit trusts between forests were possible in Windows 2000, the cross-forest trusts in Windows .NET Server 2003 allow for two-way transitive trusts to exist between two separate forests. You can find more information about this new variety of trusts later in this chapter.
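The following Python model is an added example, not part of the chapter: it encodes the four trust kinds described above (transitive, explicit, shortcut, cross-forest) as a directed graph and computes the authentication referral path and hop count between a resource domain and an account domain, so the effect of the shortcut trust from Figure 5.1, the one-way and non-transitive nature of an explicit trust to an NT 4.0 domain, and the reach of a cross-forest trust can be checked. The topology (a companyabc.com tree with two sales sub-subdomains, an NT 4.0 domain NT4LEGACY, and the forests companyxyz.com and partner.example) is constructed here and is not taken from the figure.

```python
from collections import deque

def two_way(a, b, kind):  # (trusting, trusted, kind): 'A trusts B' lets B's accounts reach A
    return [(a, b, kind), (b, a, kind)]

# Constructed sample topology (Figure 5.1 is not reproduced on the page):
# the companyabc.com tree with two sales sub-subdomains, a one-way explicit
# trust to a down-level NT 4.0 domain, and a cross-forest trust to a second
# forest, companyxyz.com, which in turn trusts a third forest.
TRUSTS = (
    two_way("companyabc.com", "europe.companyabc.com", "transitive")
    + two_way("europe.companyabc.com", "sales.europe.companyabc.com", "transitive")
    + two_way("companyabc.com", "asia.companyabc.com", "transitive")
    + two_way("asia.companyabc.com", "sales.asia.companyabc.com", "transitive")
    + [("companyabc.com", "NT4LEGACY", "explicit")]  # one way, not transitive
    + two_way("companyabc.com", "companyxyz.com", "cross-forest")
    + two_way("companyxyz.com", "hq.companyxyz.com", "transitive")
    + two_way("companyxyz.com", "partner.example", "cross-forest")
)
# The chapter's shortcut trust, kept separate to compare hop counts with and without it.
SHORTCUT = two_way("sales.europe.companyabc.com", "sales.asia.companyabc.com", "shortcut")

def trust_path(trusts, resource_domain, account_domain):
    """Shortest referral path (list of domains) from resource domain to account
    domain, or None if no trust path exists. Rules modelled: explicit (external)
    trusts work only as a direct hop; transitive and shortcut trusts chain; a
    cross-forest trust is used at most once, as it is not transitive to a third forest."""
    if resource_domain == account_domain:
        return [resource_domain]
    if any(t == resource_domain and d == account_domain for t, d, _ in trusts):
        return [resource_domain, account_domain]  # any direct trust is one hop
    start = (resource_domain, False)  # BFS state: (domain, forest trust already used)
    parents, queue = {start: None}, deque([start])
    while queue:
        domain, used = queue.popleft()
        for trusting, trusted, kind in trusts:
            if trusting != domain or kind == "explicit" or (kind == "cross-forest" and used):
                continue
            state = (trusted, used or kind == "cross-forest")
            if state in parents:
                continue
            parents[state] = (domain, used)
            if trusted == account_domain:  # walk parents back to the start
                path, node = [], state
                while node is not None:
                    path.append(node[0])
                    node = parents[node]
                return path[::-1]
            queue.append(state)
    return None

def hops(trusts, resource_domain, account_domain):
    """Trust hops a referral takes, or None when no trust path allows access."""
    path = trust_path(trusts, resource_domain, account_domain)
    return None if path is None else len(path) - 1
```

Without the shortcut, a referral between the two sales domains walks up through companyabc.com and back down (4 hops); with it, the trip is a single hop, while the NT 4.0 domain is reachable only directly from companyabc.com and never in the reverse direction.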
