




Contents
Overview
Role of Active Directory in an Enterprise
Conducting an Organizational Analysis
Architectural Elements of Active Directory
Review

Module 1: Introduction to Designing a Directory Services Infrastructure


Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.


Microsoft, Windows, Windows NT, Active Directory, BackOffice, PowerPoint, Visual Basic, and
Visual Studio are either registered trademarks or trademarks of Microsoft Corporation in the
U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective
owners.

Project Lead: Andy Sweet (S&T OnSite)
Instructional Designers: Andy Sweet (S&T OnSite), Ravi Acharya (NIIT), Sid Benavente,
Richard Rose, Kathleen Norton
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Lorrin Smith-Bates (Volt), Megan Camp (Independent Contractor)
Technical Contributors: Angie Fultz, Lyle Curry, Brian Komar (3947018 Manitoba, Inc.), Jim
Clark (Infotec Commercial Systems), Bill Wade (Excell Data Corporation), David Stern, Steve
Tate, Greg Bulette (Independent Contractor), Kathleen Cole (S&T OnSite)
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Jeffrey Gilbert (Wasser)
Copy Editor: Patti Neff (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T OnSite)
Courseware Testing: Testing Testing 123

Production Support: Ed Casper (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Managers: Dean Murray, Ken Rosen
Group Product Manager: Robert Stewart




Instructor Notes
This module provides students with the basic context and terminology for the
course. It starts by discussing how Microsoft® Windows® 2000 Active Directory
directory service works in an enterprise network. A framework is
presented for identifying the business needs that guide the design of the Active
Directory infrastructure. Finally, an overview of the architectural components
of Active Directory is provided.
At the end of this module, students will be able to:
• Describe Active Directory in Windows 2000.
• Explain the importance of determining business needs prior to designing an
  Active Directory infrastructure.
• Describe the architectural elements used in the design of the Active
  Directory infrastructure.

Materials and Preparation
This section provides you with the required materials and preparation tasks that
are needed to teach this module.
Required Materials
To teach this module, you need the Microsoft PowerPoint® file 1561B_01.ppt.
Preparation Tasks
To prepare for this module, you should:
• Read all of the materials for this module.


Presentation: 30 Minutes
Lab: 00 Minutes


Module Strategy
Use the following strategy to present this module:
• Role of Active Directory in an Enterprise
  Explain that Active Directory is a directory service. Define the features of a
  typical directory service. Then, describe the added functionality that Active
  Directory provides.
• Conducting an Organizational Analysis
  Explain that prior to creating the design of the Active Directory
  infrastructure, an architect must have a thorough understanding of the
  organization and its needs. Emphasize that the business needs rather than
  the technology of the organization must guide the design.
• Architectural Elements of Active Directory
  Describe the different elements of Active Directory and how each element
  functions within Active Directory. Emphasize that a module will be devoted
  to each element.

Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
There are no labs in this module, and as a result, there are no lab setup
requirements or configuration changes that affect replication or customization.



Overview
• Role of Active Directory in an Enterprise
• Conducting an Organizational Analysis
• Architectural Elements of Active Directory


This module provides the basic context and terminology for the course. It starts
by describing how Microsoft® Windows® 2000 Active Directory directory
service works in an enterprise network environment. Prior to designing the
Active Directory structure, the architect must first identify the administrative
and business goals of an organization. General guidelines for identifying
business needs are provided, and a framework for making good design choices
is discussed. Finally, an overview of the architectural elements of Active
Directory is presented.
At the end of this module, you will be able to:
• Describe Active Directory in Windows 2000.
• Explain the importance of determining business needs prior to designing an
  Active Directory infrastructure.
• Describe the architectural elements used in the design of the Active
  Directory infrastructure.

Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will understand the function and components of
Active Directory.


Role of Active Directory in an Enterprise
• Domains and OUs Form Hierarchical Structures
• Multiple Domains Can Form
  • Trees
  • Forests
[Slide diagram labels: Domain, Tree, Forest, OU, Objects]


Active Directory in Windows 2000 is a network directory service.
Administrators use Active Directory to define, arrange, and manage objects,
such as user data, printers, and servers, so that they are available to users and
applications throughout the organization. Objects in Active Directory are
logically organized into a hierarchical structure. The objects that create the
overall structural hierarchy in Active Directory are:
• Domains. This is the core unit of Active Directory. A domain is a container
  of objects that share security requirements, replication processes, and
  administration. Active Directory uses a multi-master replication model in
  which all domain controllers are equal.
• Organizational units (OUs). An OU is a container object that is used to
  organize objects within a domain into logical administrative groups. Within
  a domain, OUs form a hierarchical structure based on the organization’s
  administrative model.

Multiple domains within a single Active Directory can create additional
structure in the form of:
• Trees. A tree is a hierarchical arrangement of one or more domains with a
  single root name. Domains within a tree share a common root domain name
  and share information through automatic trust relationships.
• Forests. A forest is a collection of one or more trees. Multiple trees within a
  forest do not share a common root domain name, but share information
  through automatic trust relationships. Multiple forests can share information
  only through explicit trusts.
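
The tree and forest rules above can be checked against a planned domain list. The following Python sketch is an added example, not part of the original courseware: it groups domains into trees by shared root name and reports whether two domains trust each other automatically or need an explicit trust. It assumes tree membership can be read from the DNS name alone; contoso.msft and fabrikam.msft are constructed names.

```python
# Added example (not from the courseware): model the tree/forest rules above.
# Assumption: a domain belongs to the tree whose root name is a suffix of its
# DNS name; a real forest also records explicit parent/child links.

def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def is_below(name, root):
    """True when `name` sits under `root` in the DNS hierarchy (label-wise)."""
    n, r = labels(name), labels(root)
    return len(n) > len(r) and n[-len(r):] == r


def build_trees(domains):
    """Group one forest's domains into trees keyed by tree root name."""
    trees = {}
    # Shortest names first, so every tree root is seen before its children.
    for name in sorted({".".join(labels(d)) for d in domains},
                       key=lambda d: (len(labels(d)), d)):
        root = next((r for r in trees if is_below(name, r)), None)
        if root is None:
            trees[name] = [name]          # new tree with its own root name
        else:
            trees[root].append(name)      # shares that tree's root name
    return trees


def trust_between(forests, a, b):
    """Classify how domains `a` and `b` share information.

    `forests` maps a forest label to the list of domains it contains.
    """
    def locate(domain):
        wanted = ".".join(labels(domain))
        for forest, members in forests.items():
            for root, tree in build_trees(members).items():
                if wanted in tree:
                    return forest, root
        raise KeyError(f"{domain} is not in any planned forest")

    (forest_a, tree_a), (forest_b, tree_b) = locate(a), locate(b)
    if forest_a != forest_b:
        return "explicit trust required (different forests)"
    if tree_a != tree_b:
        return "automatic trust (same forest, different trees)"
    return "automatic trust (same tree)"


# Constructed plan: the nwtraders.msft names appear on the module's slides;
# contoso.msft and fabrikam.msft are made-up additions.
PLAN = {
    "forest-1": ["nwtraders.msft", "us.nwtraders.msft",
                 "europe.nwtraders.msft", "contoso.msft"],
    "forest-2": ["fabrikam.msft", "sales.fabrikam.msft"],
}

if __name__ == "__main__":
    for forest, members in PLAN.items():
        print(forest, build_trees(members))
    print(trust_between(PLAN, "us.nwtraders.msft", "europe.nwtraders.msft"))
    print(trust_between(PLAN, "us.nwtraders.msft", "contoso.msft"))
    print(trust_between(PLAN, "us.nwtraders.msft", "sales.fabrikam.msft"))
```

The forest is the unit inside which trust is automatic, so any domain added to a forest is trusted by every other domain in it.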

Slide Objective: To describe the logical structure of Active Directory.
Lead-in: Active Directory has a hierarchical structure that you create with
domains and organizational units.

Conducting an Organizational Analysis
• Identifying Organizational Needs
• Making Design Choices
• Planning Guidelines



Enterprise architects must design the Active Directory directory service to meet
the business needs of the customer. The first step in meeting this goal is
performing an organizational analysis to determine the business as well as the
information technology (IT) needs of the customer.
Slide Objective: To identify steps for obtaining information about an
organization.
Lead-in: Before designing the Active Directory structure, you must identify the
organization’s administrative needs that will influence the design of the Active
Directory structure.


Identifying Organizational Needs
• Determine the Goals of the Organization
• Analyze the Administrative Model
• Anticipate Growth and Reorganization
• Document the Gathered Information



Identifying organizational needs consists of the following steps:
• Determine Goals of the Organization. As an architect, you must identify and
  then prioritize the business needs of an organization. Once you have
  identified the goals, you must translate them into a design for the Active
  Directory structure that meets those goals. In the design, you must ensure
  that Active Directory meets the business needs of the organization, instead
  of basing the goals of the organization on the Active Directory structure.
• Analyze the Administrative Model. The Active Directory directory service is
  designed to support the storage and easy retrieval of information. The
  design must support the administrative model. The administrators of an
  organization support the enterprise. Therefore, you need to design Active
  Directory to support administrator needs. These needs may be different from
  the business practices of the organization. Identify and analyze the current
  administrative model, and determine if any improvements can be made.
• Anticipate Growth and Reorganization. An Active Directory structure has
  an anticipated life span of three to five years. When designing the Active
  Directory structure, you must anticipate future growth and reorganization,
  and then design Active Directory so it can easily accommodate growth.
• Document the Gathered Information. After your initial organizational
  analysis, document your findings. Documentation will guide you through
  the design process and clarify any conflicts that may occur as you design
  Active Directory.

Slide Objective: To identify the steps for identifying organizational needs.
Lead-in: Identifying the needs of a business or organization begins by
determining the goals of the organization.


Making Design Choices
• Decision Points
• Implications
• Risks and Costs
• Tradeoffs


When making design choices, identify the following factors that will influence
design:
• Decision Points. You should filter information you received from your
  organizational analysis. Organizations can often provide too little or too
  much information about their business needs. Careful examination of your
  information will help you incorporate only the most pertinent information
  into the design of the Active Directory structure.
• Implications. Be aware of the implications of making a particular design
  decision, and possible alternatives to the decision. There are often several
  ways to achieve an intended outcome in the design of the Active Directory
  structure. Knowing the implications of each possible option will help guide
  your design choices.
• Risks and Costs. Identifying risks before beginning the design process gives
  you an opportunity to mitigate or decrease possible problems. For example,
  if there are limited resources for testing, then implementation of a design
  can be scheduled for off-peak hours to mitigate any unforeseen results of the
  implementation.
• Tradeoffs. Every organization will have individuals or departments with
  different goals for the project. Not all goals may be achievable due to
  schedule and resource constraints. By prioritizing goals and identifying
  positive and negative characteristics of each goal, you can make effective
  tradeoff decisions.

Slide Objective: To describe design choices that must be identified when
designing Active Directory.
Lead-in: You must evaluate the information you receive from your organizational
analysis, as some information may not be pertinent to the design of the Active
Directory structure.


Planning Guidelines
• Remember Business Needs
• Maintain a Clear Vision
• Make Solid Tradeoff Decisions
• Create a Simple Design
• Test the Design


When designing an Active Directory structure, ensure that the business needs,
rather than the technology, determine the design. Only allow technology to
influence your design if the technology can provide a more efficient means of
doing business.
As your design progresses, maintain a clear vision of your overall structure.
Carefully consider tradeoff decisions when faced with design options. The best
strategy is to create the simplest design possible. Finally, ensure that the design
is adequately tested before releasing the design to the team responsible for
implementing Active Directory.
Slide Objective: To describe best practices for planning Active Directory.
Lead-in: Ensure that the design of the Active Directory structure meets the
business needs of the organization.

Architectural Elements of Active Directory
• Designing a Naming Strategy
• Designing for Delegation of Administrative Authority
• Designing Schema Modifications
• Designing for Group Policy
• Designing an Active Directory Domain
• Designing Multiple Domains
• Designing a Site Topology



An enterprise architect combines the various architectural components of
Active Directory to design a directory services infrastructure that meets the
business needs of the organization. To use these components effectively, you
must understand the capabilities of each component and the design elements
within Active Directory that each component influences.
Slide Objective: To identify the elements of Active Directory and strategies for
designing these elements.
Lead-in: There are several architectural elements of the Active Directory
structure that need to be included in the design.


Designing a Naming Strategy
• Active Directory Uses DNS as Naming Service
• Internet Presence a Determining Factor in Selecting Domain Names
[Slide diagram labels: Domain Name System (DNS), nwtraders.msft]


Active Directory follows the Domain Name System (DNS) standard as a basis
for naming domains. Active Directory also uses DNS as the domain locator
service. You can use DNS for name resolution of the organization’s internal
resources, such as its intranet, and external resources, such as the Internet.
An organization’s current and planned presence on the Internet will help
determine Active Directory naming strategies. Carefully selecting an inclusive
DNS name for the root domain is crucial, because a carefully selected name
may make it easier for users to access the network over the Internet. The root
domain name will also be included in any child domains created from the root
domain.
Slide Objective: To introduce the naming standard used by Active Directory.
Lead-in: Active Directory uses the DNS naming convention to name domains.


Designing for Delegation of Administrative Authority
• Relieves Burden of Centralized Management
• Separates Administrative Authority from Rest of Network
[Slide diagram labels: Domain, nwtraders.msft, na.nwtraders.msft,
asia.nwtraders.msft, Mfg, research, HR, recruiting, training]


Delegating administrative authority in Active Directory allows network
administrators to grant administrative control of objects in Active Directory to
trusted users. Delegating authority reduces the workload of a centralized
administrator, and also separates the delegated authority from other areas of the
network.

You can create a hierarchical structure of domains and OUs that reflects the
administrative model of an organization. You can also delegate authority to
individual users and computers. By structuring the Active Directory hierarchy
and then managing the permissions on the objects and properties in Active
Directory, you can precisely specify the accounts that can access information in
Active Directory and the level of permissions that they can have. This precise
specification allows network administrators to delegate specific authority over
portions of Active Directory to groups of users, without making its information
vulnerable to unauthorized access.
Slide Objective: To describe how administrative authority may be delegated in
Active Directory.
Lead-in: You can create an Active Directory structure for delegating
administrative authority.


Designing Schema Modifications
• Schema Defines Objects and Attributes in Active Directory
• Changing the Schema Can Affect the Entire Network
• Create a Schema Modification Policy to Manage Changes
[Slide diagram label: Schema]


The Active Directory schema contains the definitions of all objects, such as
computers, users, and printers, that are stored in Active Directory. The
definitions contained within the schema define the classes of objects Active
Directory may contain, and the types of attributes each object may or must
have.
Schema modification includes adding or changing object class or attribute
definitions. Changing the schema has implications that can affect the entire
network. Schema modifications are rare, but an organization may have business
needs that can only be met by schema modification. You will need to create a
schema modification policy to manage the modification process.
Slide Objective: To describe the function and scope of the Active Directory
schema.
Lead-in: The Active Directory schema is the underlying foundation of Active
Directory, and contains definitions for all objects and classes within Active
Directory.



Designing for Group Policy
• Group Policy Objects Apply Configurations to Sites, Domains, and OUs
• Group Policy Is Inherited In Active Directory Hierarchy
[Slide diagram labels: Site, GPO, Domain, OU]


Group Policy is used to manage software configurations and regulate security
on computers and users in Active Directory. A Group Policy object (GPO) is
used to apply Group Policy to users and computers in Active Directory at the
site, domain, and OU level.
You can design Active Directory to support the application of Group Policy
through delegation and by the creation of lower-level OUs to contain users and
computers subject to particular GPOs. Group Policy is also inherited through
the site, domain, and OU structure. By carefully designing the Active Directory
infrastructure, you can apply GPOs to intended users and computers in
upper-level domains or OUs so that the GPOs will be inherited by lower-level
domains and OUs.
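
Both delegation, described in the preceding section, and Group Policy follow the container chain from the domain down through the OUs. The Python sketch below is an added example, not part of the original courseware: it walks a distinguished name to list the GPOs an object inherits, the resulting settings, and the groups holding delegated control over it. The OU nesting, GPO names, setting names, group names and site link are constructed, and DN parsing assumes no escaped commas.

```python
# Added example (not from the courseware): resolve what an object inherits from
# its site, domain and OU chain. Links, settings and groups are constructed.

def container_chain(dn):
    """Containers above an object: domain first, nearest OU last.

    Assumption: RDN values contain no escaped commas.
    """
    rdns = [part.strip() for part in dn.split(",")]
    domain = ",".join(p for p in rdns if p.upper().startswith("DC="))
    ous = [p for p in rdns[1:] if p.upper().startswith("OU=")]
    chain = [domain]
    # A DN lists OUs leaf-first, so rebuild each OU's full DN from the top down.
    for i in range(len(ous) - 1, -1, -1):
        chain.append(",".join(ous[i:] + [domain]))
    return chain


def inherited_gpos(dn, site, gpo_links):
    """GPOs reaching the object, ordered site, domain, then OUs top to bottom."""
    gpos = list(gpo_links.get(f"site:{site}", []))
    for container in container_chain(dn):
        gpos.extend(gpo_links.get(container, []))
    return gpos


def effective_settings(dn, site, gpo_links, gpo_settings):
    """Merge settings in link order; the GPO linked closest to the object wins."""
    merged = {}
    for gpo in inherited_gpos(dn, site, gpo_links):
        for key, value in gpo_settings.get(gpo, {}).items():
            merged[key] = (value, gpo)
    return merged


def delegated_admins(dn, delegations):
    """Groups holding delegated control over the object, and where it was granted.

    Assumption: a delegation on a container covers everything beneath it.
    """
    found = {}
    for container in container_chain(dn):
        for group in delegations.get(container, []):
            found.setdefault(group, container)
    return found


DOMAIN = "DC=nwtraders,DC=msft"
HR = f"OU=HR,{DOMAIN}"
GPO_LINKS = {
    "site:Redmond": ["Site Proxy Settings"],
    DOMAIN: ["Domain Baseline"],
    HR: ["HR Desktop Lockdown"],
    f"OU=recruiting,{HR}": ["Recruiting Kiosk"],
}
GPO_SETTINGS = {
    "Domain Baseline": {"min_password_length": 8, "screen_lock_minutes": 30},
    "HR Desktop Lockdown": {"screen_lock_minutes": 10},
    "Recruiting Kiosk": {"screen_lock_minutes": 5, "removable_storage": "deny"},
}
DELEGATIONS = {HR: ["HR-Admins"], f"OU=Mfg,{DOMAIN}": ["Mfg-Admins"]}

if __name__ == "__main__":
    for dn in (f"CN=PC1,OU=recruiting,{HR}", f"CN=PC2,OU=training,{HR}",
               f"CN=PC9,OU=research,OU=Mfg,{DOMAIN}"):
        print(dn)
        print("  GPOs:    ", inherited_gpos(dn, "Redmond", GPO_LINKS))
        print("  settings:", effective_settings(dn, "Redmond", GPO_LINKS, GPO_SETTINGS))
        print("  admins:  ", delegated_admins(dn, DELEGATIONS))
```

Moving a computer between OUs changes both answers at once, which is why the OU structure is designed for delegation and Group Policy together.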
Slide Objective: To describe the function and scope of Group Policy objects in
Active Directory.
Lead-in: Group Policy is a powerful tool for applying administrative policies
within Active Directory.


Designing an Active Directory Domain
• Create OUs to Support Delegation and Group Policy
• Carefully Name the First Domain
[Slide diagram labels: OU, First Domain, nwtraders.msft]


The ongoing administrative tasks of an organization can be simplified by
initially planning how to organize objects in a domain. A well-designed OU
structure comprised of upper- and lower-level OUs will allow administrators to
delegate authority and apply Group Policy.
The first domain created in Active Directory is the root domain of the entire
forest. The first domain is also referred to as the forest root. The forest root
contains the configuration and schema information for the forest. Naming the
first domain is an important design step, since the first domain cannot be
renamed.
Slide Objective: To describe the structure of an Active Directory domain.
Lead-in: A domain is the basic administrative object within Active Directory.


Designing Multiple Domains
• Administered Separately But May Share Resources
• More Complex To Manage
[Slide diagram labels: nwtraders.msft, us.nwtraders.msft,
europe.nwtraders.msft, Root, Child Domain]


Domains, trees, and forests are bordered units within the Microsoft Windows 2000
Active Directory directory service. These units can share resources but can also
be administered separately. Most business needs can be met by a single domain
structure. A single domain is simpler to manage, and it is simple to delegate
administrative authority. However, a business may want to use multiple
domains within Active Directory. You will need to evaluate the need for a
multiple-domain structure and the implications of increasing the complexity of
the Active Directory structure before making this decision.
Domains can be arranged into multiple-domain trees, multiple-tree forests, and
multiple forests. The business drivers that require a multiple-domain design will
also affect the type of design you create.
Slide Objective: To describe how multiple domains are utilized by Active
Directory.
Lead-in: While a single domain is sufficient for most organizations, some
situations may require the use of multiple domains.


Designing a Site Topology
• Sites Define Physical Structure of Active Directory
• Use Sites to Control Network Traffic Flow
[Slide diagram labels: nwtraders.msft, Redmond Site, Charlotte Site]


Active Directory uses sites to define the physical structure of the network. A
site is a collection of well-connected machines, based on Internet Protocol (IP)
subnets. A site definition is stored as a site object in Active Directory.
Collectively, all sites form a site topology. Because sites represent the physical
structure of your network, they do not need to map to the logical structure of the
Active Directory.
You can use sites to control workstation logon traffic, replication traffic,
Distributed file system (Dfs) topology, and File Replication service (FRS).
Excessive network traffic can occur between remote locations due to frequent
exchange of large amounts of data and directory information. Designing an
appropriate site topology helps you better organize the Windows 2000 network
in your organization and optimize the exchange of data and directory
information.
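
Because a site is defined by IP subnets, a planned topology can be checked by resolving addresses against it. The Python sketch below is an added example, not part of the original courseware: it picks the most specific subnet containing an address, lists addresses that no site covers, and flags subnets of different sites that overlap. The site names come from the module's slide; every subnet and address is constructed.

```python
# Added example (not from the courseware): map client addresses to sites.
# Site names come from the module's slide; every subnet below is constructed.
import ipaddress

SITE_SUBNETS = {
    "10.1.0.0/16": "Redmond",
    "10.2.0.0/16": "Charlotte",
    "10.1.200.0/24": "Charlotte",   # range carved out of the Redmond block
}


def site_for(address, site_subnets=SITE_SUBNETS):
    """Return the site whose most specific subnet contains `address`, or None."""
    ip = ipaddress.ip_address(address)
    best = None
    for cidr, site in site_subnets.items():
        net = ipaddress.ip_network(cidr)
        if ip.version == net.version and ip in net:
            # Longest prefix wins when subnets are nested.
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, site)
    return best[1] if best else None


def uncovered(addresses, site_subnets=SITE_SUBNETS):
    """Addresses that fall in no site, i.e. gaps in the planned topology."""
    return [a for a in addresses if site_for(a, site_subnets) is None]


def overlapping(site_subnets=SITE_SUBNETS):
    """Subnet pairs assigned to different sites where one range contains the other."""
    nets = [(ipaddress.ip_network(c), s) for c, s in site_subnets.items()]
    pairs = []
    for i, (a, site_a) in enumerate(nets):
        for b, site_b in nets[i + 1:]:
            if site_a != site_b and a.version == b.version and a.overlaps(b):
                pairs.append((str(a), site_a, str(b), site_b))
    return pairs


if __name__ == "__main__":
    clients = ["10.1.5.20", "10.1.200.7", "10.2.3.4", "172.16.0.9"]  # constructed
    for client in clients:
        print(client, "->", site_for(client))
    print("no site:", uncovered(clients))
    print("nested across sites:", overlapping())
```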
Slide Objective: To introduce the concept of sites within an Active Directory
structure.
Lead-in: A site is part of the physical design of Active Directory.


Review
• Role of Active Directory in an Enterprise
• Conducting an Organizational Analysis
• Architectural Elements of Active Directory


1. How are the logical structure elements of Active Directory organized and
what relationships do they form in Active Directory?
Elements are organized into OUs within a domain. Domains link
together to form trees. Trees join together to create a forest.


2. What among an organization’s needs should have the greatest influence
upon the design of the Active Directory structure?
The administrative needs of the organization should have the greatest
influence upon the Active Directory structure.


3. How is the physical structure of Active Directory organized?
The physical structure of Active Directory is organized by sites, or
collections of well-connected machines. Sites do not need to map to the
logical structure of Active Directory.


Slide Objective: To reinforce module objectives by reviewing key points.
Lead-in: The review questions cover some of the key concepts taught in the
module.


