You are to create a deployment plan that incorporates the newly acquired organizations into ESI’s existing Active Directory. Also consider replication possibilities while minimizing WAN traffic.
I. Deploying Active Directory
Upgrading, Migration and Restructuring
As your enterprise environment grows, you will need to add components such as additional domain controllers (DCs). Upgrading the domain controllers in an enterprise usually means either adding a new DC that runs a newer operating system or upgrading the version of Windows running on the current domain controllers in place.
Another kind of upgrade is a restructure. A restructure involves adding more domain controllers to the enterprise core or decommissioning older ones. Either way, the current Active Directory structure is being reorganized.
Lastly, there is the migration. A migration means you will be moving objects between two or more domains. One of the most typical scenarios for this is when one company takes over or buys another company. Usually they will want to merge the business data and Active Directory databases, so you perform a migration from one domain into the other.
Windows Server 2008 provides tools to help with these tasks. The table below from LabSim lists some of the tools you can use.
| Tool | Use |
| --- | --- |
| Active Directory Migration Tool (ADMT) | Use ADMT to move user, group, and computer accounts within a domain or forest, to move objects between forests, or to migrate objects from an NT domain to Active Directory. |
| MoveTree | Use MoveTree to move user objects within a domain or forest. MoveTree does not work between forests. |
| Dsmove | Use Dsmove to move or rename objects within a domain. |
| User State Migration Tool (USMT) | Use USMT to move user profiles, containing user preferences and user documents, from one computer to another. You would typically use USMT when you are replacing a user's workstation with a new workstation. USMT works on the files stored on the computer, regardless of whether the computer is a domain member or a member of a workgroup. |
When you move objects into your enterprise, each one is assigned a new SID. A SID (security identifier) is issued by Windows Server and identifies an object throughout the domain; permissions on resources are granted to SIDs, not to names. If you want the permissions granted under the old domain to keep working after the move, you will need to preserve the SID history, which carries the old SID along with the new one. Keep in mind that you will not have to retain SID history if the old domain is to be decommissioned.
LabSim lists several other things to consider during an Enterprise migration.
- When user accounts are moved to a new domain or forest, the User Principal Name (UPN) suffix might change. To allow users to continue using the previous UPN suffix, add an alternate UPN suffix to the domain using Active Directory Domains and Trusts. Then edit the user account properties to select the UPN suffix for the user account.
- When migrating objects between forests, establish a trust relationship between the two forests. You can use an external trust or a forest root trust for this purpose.
- The InetOrg object in Active Directory can be used to represent user accounts, although Active Directory includes a user class for this purpose. The InetOrg object is typically used for migration of users to another LDAP directory.
Adprep.exe is a command line utility that ships with Windows Server 2008. It is not installed by default, but it can be found on the installation media, in both 32-bit and 64-bit versions. Its purpose is to prepare a forest or a domain to accept a new domain controller running Windows Server 2008. It is also required if you are upgrading an existing domain controller to Windows Server 2008.
LabSim advises you to be aware of the following:
- An existing domain controller must be running Windows 2000 SP4 or Windows Server 2003 SP1 to be upgraded to Windows Server 2008.
- You cannot change editions when upgrading. For example, you cannot upgrade a server running Windows Server 2003 Standard edition to Windows Server 2008 Enterprise edition.
- Before adding the first domain controller running Windows Server 2008 to an existing Windows 2000 or Windows Server 2003 Active Directory environment, the forest and domain functional levels must be set appropriately.
- Windows NT 4.0 domain controllers require the Windows 2000 Mixed functional level; you cannot have NT 4.0 and 2008 domain controllers within the same forest or domain.
II. Active Directory in the Enterprise
Many enterprise administrators will find themselves having to deal with remote offices, which Windows Server 2008 refers to as branch offices. A branch office has some degree of access to the network, but you must balance its access to the main network's resources against keeping security intact. Each branch office should have a global catalog server in-house in case the WAN link goes down; if access is interrupted, users can still authenticate against the local catalog server. You should also configure users in the branch to use local resources before resources across the WAN. This improves performance and also keeps replication traffic over the WAN under control.
Many branch offices use a read-only domain controller because they do not need to make changes to any of the Active Directory objects. If you find yourself in a situation where you do need to write, then you would need to use a regular domain controller.
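The way to make branch users prefer local resources and to put WAN replication on a schedule is an Active Directory site for the branch, a subnet mapped to it, and a site link back to headquarters. This is an added example, not part of the original plan; it assumes the ActiveDirectory PowerShell module (Windows Server 2012 or later), an existing site named "HQ", and the hypothetical branch name and subnet shown.

```powershell
# Added example (not from the original plan): define an AD site for a
# branch office so that clients authenticate against the local DC and
# replication to HQ is batched and scheduled over the WAN.
# Assumptions: ActiveDirectory module (Server 2012+), an existing site
# named "HQ", and the hypothetical branch name and subnet below.
Import-Module ActiveDirectory

$branchSite   = "Branch-Denver"   # hypothetical site for an acquired office
$branchSubnet = "10.20.0.0/16"    # constructed subnet used by that office
$hqSite       = "HQ"              # assumed existing site for the main office

# 1. Site object: the DC locator uses it to hand clients a DC in their own
#    site first, so logons stay off the WAN.
New-ADReplicationSite -Name $branchSite -Description "Acquired org, Denver office"

# 2. Subnet-to-site mapping: without it, branch clients are site-less and
#    may pick any DC in the domain, including one across the WAN.
New-ADReplicationSubnet -Name $branchSubnet -Site $branchSite

# 3. Site link: cost and interval shape WAN replication. Changes inside a
#    site replicate almost immediately; across this link they are batched
#    and sent at most once every 180 minutes, compressed.
New-ADReplicationSiteLink -Name "$hqSite-$branchSite" `
    -SitesIncluded $hqSite, $branchSite `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 180 `
    -InterSiteTransportProtocol IP

# Verification: the branch subnet resolves to the branch site, and the
# link carries the cost and interval we set.
Get-ADReplicationSubnet -Identity $branchSubnet | Select-Object Name, Site
Get-ADReplicationSiteLink -Filter "Name -like '$hqSite-*'" |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes
```

Check that the branch site is not also a member of DEFAULTIPSITELINK; a second, cheaper link would let the KCC route around the schedule above.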
Read-Only Domain Controllers
As discussed above, many enterprise environments use read-only domain controllers (RODCs) in their remote branch locations. An RODC is especially useful where physical security cannot be assured. It shortens the time it takes remote users to log on to the network, and it improves security and access to network resources. If you decide to use an RODC, the domain and forest functional levels must be at Windows Server 2003 or higher. If the enterprise does not yet have any domain controllers running Windows Server 2008, you will need to run the Adprep tool first. A read-only domain controller supports inbound replication only.
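The Adprep prerequisites listed earlier (functional levels, existing DC versions) and the RODC requirement above are the things to verify before anyone runs the tool. The following is an added example, not part of the original plan or LabSim material; it assumes the ActiveDirectory module is available (for example from a 2008 R2 or RSAT management machine), that the operator holds Schema Admins, Enterprise Admins and Domain Admins, and that `$media` is a hypothetical path to the 2008 installation media.

```powershell
# Added example (not from the original plan): pre-flight checks and the
# Adprep sequence before the first Windows Server 2008 DC or RODC joins.
# Assumptions: ActiveDirectory module present, run elevated by a member of
# Schema/Enterprise/Domain Admins; $media is a hypothetical media path.
Import-Module ActiveDirectory
$media = "D:\sources\adprep"   # assumed; adprep is not installed by default

$forest = Get-ADForest
$domain = Get-ADDomain

# Functional-level gate: an RODC needs forest and domain at 2003 or higher,
# and Windows 2000 mixed mode (NT 4.0 DCs present) blocks 2008 DCs entirely.
"Forest level: $($forest.ForestMode)   Domain level: $($domain.DomainMode)"
if ($forest.ForestMode -match "2000" -or $domain.DomainMode -match "2000") {
    throw "Raise forest/domain functional level to Windows Server 2003 before adding 2008 DCs."
}

# Existing DCs must be on Windows 2000 SP4 or Windows Server 2003 SP1+ to be
# upgraded in place; list OS and service pack so that rule can be checked.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, OperatingSystem, OperatingSystemServicePack, IsReadOnly |
    Format-Table -AutoSize

# Adprep runs in order on the right role holders: forestprep on the
# Schema Master, rodcprep once per forest before the first RODC, and
# domainprep (with /gpprep) on each domain's Infrastructure Master.
if ($env:COMPUTERNAME -ieq ($forest.SchemaMaster -split '\.')[0]) {
    & "$media\adprep.exe" /forestprep
    & "$media\adprep.exe" /rodcprep
}
if ($env:COMPUTERNAME -ieq ($domain.InfrastructureMaster -split '\.')[0]) {
    & "$media\adprep.exe" /domainprep /gpprep
}

# Confirm the schema extension took: objectVersion 44 is Windows Server
# 2008, 47 is 2008 R2.
$schema = Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
"Schema objectVersion: $($schema.objectVersion)"
```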
Managing Resources in Your Enterprise
There are a few solutions provided with Windows Server 2008 to help you manage resources and authentication between locations in your enterprise.
- Trusts are a recognized association set up between domains throughout the enterprise that allow communication, access to common resources and authentication.
- Active Directory Federation Services is a secure utility that permits access to applications between organizations whose users are accessing them via a Web browser.
- Identity Lifecycle Manager is a tool that automates managing user credentials, such as passwords, distribution lists, and certificates.
I. Active Directory Redundancy
Network Load Balancing
When it comes to accessing your data, there are several ways to improve performance and efficiency throughout your enterprise. Network load balancing (NLB) and Failover Clustering are two of the services that can be used. We will discuss network load balancing first. In Windows Server 2008, network load balancing acts like a traffic cop to direct IP traffic workloads across the enterprise using multiple servers. One of the main goals of NLB is to make sure no one server is overloaded.
The list below from LabSim provides more information about NLB.
- An NLB cluster can have between 2 and 32 nodes.
- Each node maintains its own data, typically on directly-attached storage. NLB is best suited for services with static data; if the data changes, you must implement a solution to synchronize data between the nodes.
- NLB can be configured on all Windows Server 2008 editions.
- NLB uses convergence to dynamically synchronize the configuration (but not the data) when nodes are added or removed.
- Implement multiple NICs to provide network redundancy for NLB nodes.
- Common services used with NLB have static data and include IIS, Terminal Services, Routing and Remote Access, and VPN access.
- Cluster nodes are typically located in the same location.
The following diagram from Microsoft’s TechNet Website shows how a four-host cluster works as a single virtual server to handle network traffic. Each host runs its own copy of the server with Network Load Balancing distributing the work among the four hosts.
Failover Clustering provides redundant services out of the box with Windows Server 2008 R2 Enterprise Edition. It eliminates the single point of failure that can bring your enterprise's productivity to a complete stop, and it protects your mission-critical applications. Should a server crash or go offline for any reason, another server is waiting to take over and respond to requests. It is a very affordable option as well, since it comes packaged with the Datacenter and Enterprise versions of Server 2008, and it is one of the easier solutions to deploy in an enterprise environment.
You can create multiple clusters, and each cluster may have up to eight nodes. All nodes must share a common storage pool. Nodes are then granted access depending on the type of service you set up; anywhere from one to all eight nodes may access the data pool independently or at the same time. Secondary nodes in a cluster are set up in a listening mode. When the active node goes down, the secondary node takes over immediately. Once the failed node comes back online, the secondary node returns to listening mode and allows the main node to become the active node again.
The following are a few more facts about Failover Clustering.
- Redundancy for multiple hardware and network components is typical to prevent a single failure from making a node unavailable.
- Common services used with Failover Clustering must make frequent changes to data and include SQL, DHCP, Exchange, and Certificate Services.
- Cluster nodes can be more geographically dispersed.
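The build sequence behind the active/listening behaviour described above is validation, cluster creation, then a quorum choice that survives the loss of one node. This is an added example, not part of the original plan; it uses the FailoverClusters module that ships with Windows Server 2008 R2 and assumes hypothetical node names, shared storage already presented to both nodes, and a free static address for the cluster name.

```powershell
# Added example (not from the original plan): validate and build a
# two-node failover cluster with the Server 2008 R2 FailoverClusters module.
# Assumptions: hypothetical node/cluster names, shared storage visible to
# both nodes, and a constructed unused IP for the client access point.
Import-Module FailoverClusters

$nodes     = "ESI-FC01", "ESI-FC02"   # hypothetical node names
$cluster   = "ESI-CLUSTER"            # hypothetical cluster name
$clusterIP = "10.10.0.50"             # constructed, currently unused address

# 1. Validation exercises storage, network and system configuration on
#    every node; a report with failures means the cluster is not supportable.
$report = Test-Cluster -Node $nodes
"Validation report written to: $($report.FullName)"

# 2. Create the cluster. Disks that passed validation are added as cluster
#    storage, and the name/IP become the client access point that stays
#    reachable whichever node is active.
New-Cluster -Name $cluster -Node $nodes -StaticAddress $clusterIP

# 3. Both nodes should report Up; the one not owning a role is the
#    "listening" node described above.
Get-ClusterNode -Cluster $cluster | Select-Object Name, State

# 4. Quorum: with two nodes, use node and disk majority so losing one node
#    does not also lose quorum and stop the surviving node.
Set-ClusterQuorum -Cluster $cluster -NodeAndDiskMajority "Cluster Disk 1"
```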
II. Active Directory Recovery and Maintenance
Recovering Active Directory
What happens when an Active Directory domain controller fails? If you do not have a second domain controller holding a concurrent, up-to-date copy of the Active Directory database, your users will be offline for quite some time while you scramble to recover the server and hope to restore a good recent backup of your Active Directory database. If you do not have a good backup of that domain controller's system state, you don't even want to think about the headache that awaits you while you re-create every one of your users and assign permissions again. However, if your enterprise is configured correctly, the scenario above will not happen to you and will never be a cause for concern.
Recovering Active Directory from a secondary domain controller on your enterprise is actually not very hard. If a domain controller goes down, a second domain controller will provide the Active Directory functions required to keep business up and running. In fact, no one will ever know the first domain controller ever had a problem. Once you bring the failed domain controller back online, either after a repair or with a new server, the active domain controller will begin the replication process and the recovery will be complete.
Remember that a good backup routine can save you many hours or even days of downed production time. One of the most important things to back up when dealing with Active Directory is the system state. You can back up the entire contents of the server, but if you fail to get a good system state backup, your Active Directory database will not run. Therefore, it is imperative to back up the system state.
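The two controls this section relies on, a second DC that is genuinely current and a good system state backup, can both be checked from the command line. This is an added example, not part of the original plan; it assumes Windows Server 2008 with the Windows Server Backup feature installed and a hypothetical backup volume E: that is not one of the DC's critical volumes.

```powershell
# Added example (not from the original plan): confirm replication health
# (so the second DC really can cover for a failed peer) and take a
# system state backup of this domain controller.
# Assumptions: Server 2008 with Windows Server Backup installed; E: is a
# hypothetical non-critical volume used as the backup target.
$backupTarget = "E:"

# 1. Forest-wide summary: any DC with a non-zero "fails" count or a
#    "largest delta" longer than the site-link interval is not current and
#    would not seamlessly take over for a failed peer.
repadmin /replsummary

# 2. Per-partner detail for this DC; each partition should show
#    "Last attempt ... was successful".
repadmin /showrepl

# 3. Pass/fail replication test, useful as the last step after a repaired
#    DC is brought back online and has resynchronised.
dcdiag /test:replications

# 4. System state: the AD database (ntds.dit), SYSVOL, registry and boot
#    files. Without a good copy the DC cannot be restored as a DC.
wbadmin start systemstatebackup "-backupTarget:$backupTarget" -quiet

# 5. Verify the backup is catalogued before trusting it.
wbadmin get versions "-backupTarget:$backupTarget"
```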
Keeping the Enterprise Current
The final thing we will discuss regarding data availability is keeping your systems throughout the enterprise up to date. The last thing you need is for a system to fail because it did not receive the latest update from Microsoft.
The following are some of the solutions available to you.
- Windows Update provides updates to the operating system. There are two types of updates available: critical and non-critical. Critical updates should be downloaded as soon as they are available, since there is the potential that your system will be compromised if they are not installed immediately. Windows Update can be configured several ways. You can automate the download and installation of updates on each device, or you can download the updates and install them at a time of your own choosing.
- Microsoft Updates work the same as above, but with Microsoft applications like Office rather than operating systems.
- Windows Server Update Services (WSUS) is an application that needs to run on a server. It does the job of both services above and can be automated and customized to your specific requirements. No enterprise should be without a WSUS server. It will become your first line of defense against the type of problems that can occur when systems and applications are not patched and up to date.
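The two client-side choices named above (fully automated, or download now and install at a chosen time) and the pointer to the WSUS server are all Windows Update policy values. This is an added example, not part of the original plan; it assumes a hypothetical WSUS server `wsus.esi.local` on port 8530 and is run elevated on one client to show the values, which in practice you would set once in a Group Policy Object.

```powershell
# Added example (not from the original plan): point a client at a WSUS
# server and schedule automatic download+install, using the registry
# values that the Windows Update Group Policy settings write.
# Assumptions: hypothetical WSUS URL below; run elevated on the client.
$wuServer = "http://wsus.esi.local:8530"   # hypothetical WSUS server
$wuPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$auPolicy = "$wuPolicy\AU"
New-Item -Path $auPolicy -Force | Out-Null

# Where to fetch updates and where to report status (usually the same).
Set-ItemProperty $wuPolicy WUServer       $wuServer
Set-ItemProperty $wuPolicy WUStatusServer $wuServer
Set-ItemProperty $auPolicy UseWUServer    1 -Type DWord

# AUOptions: 2 = notify before download, 3 = auto download then notify to
# install, 4 = auto download and install on the schedule below.
# The two choices in the plan are 4 (fully automated) and 3 (install at a
# time of your choosing).
Set-ItemProperty $auPolicy NoAutoUpdate         0 -Type DWord
Set-ItemProperty $auPolicy AUOptions            4 -Type DWord
Set-ItemProperty $auPolicy ScheduledInstallDay  0 -Type DWord   # 0 = every day
Set-ItemProperty $auPolicy ScheduledInstallTime 3 -Type DWord   # 03:00 local

# Re-read policy and make the client check in with WSUS now rather than
# waiting for the next detection cycle.
gpupdate /target:computer /force
wuauclt /resetauthorization /detectnow

# Verify the effective values.
Get-ItemProperty $wuPolicy | Select-Object WUServer, WUStatusServer
Get-ItemProperty $auPolicy |
    Select-Object UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime
```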