Lesson 1 Practice
Based on the newly approved forest and domain design, create the organizational unit structure for Northwind Traders. Use the table to complete your design.
Domain: nwtraders.local; Corp.nwtraders.local; NAwest.nwtraders.local; NAeast.nwtraders.local; Glasgow.RDNwtraders.local; AsiaPacific.nwtraders.local
Organizational units: None; HQ Management; Finance; IT; Sales; Marketing; IT; Customer Service; Customer Support; Training; Research; Development; Sustained Engineering; IT; Consulting; Production
Lesson 1 Review
1. What are the three specific purposes for which you would create an OU? Of those three, which should be the driving influence of your overall OU design?
The three purposes for using OUs are to delegate administrative control of objects, to limit the visibility of objects, and to control the application of group policy. Of these, you should let the delegation of administrative control be the driving design influence.
2. Describe the difference between an object-based and a task-based OU structure.
In an object-based OU structure, delegation of control is assigned according to the type of object that will be stored in the OUs. In a task-based OU structure, delegation of control is assigned based on the administrative tasks that need to be accomplished rather than on the objects that need administration.
3. You are preparing your directory plan. One of the requirements is that you be able to delegate control of user objects by assigning Group Policy. What must you do?
Because the built-in Users container is not an OU, you cannot link a GPO to it. You will need to create a new OU, place users inside it, and then link a GPO to that OU.
4. What are the advantages of using a location-based OU model? What are the disadvantages?
The advantages include greater resistance to company reorganization; easier implementation of domain-wide policies by a central administrative staff; greater ease in locating resources; and ease in creating new OUs for new locations. The disadvantages include potential difficulty restricting administrative rights; the possible need for administrators at each location; and a design that may not follow any business or administrative structure.
Lesson 2 Review
1. What are the five types of accounts you can create in Active Directory for Windows Server 2003?
The five types of accounts you can create are computer, user, group, contact, and InetOrgPerson.
2. You are creating a password policy. What are the recommended requirements you should impose for passwords?
Enforce a password history of at least the last 24 passwords. Require users to change their passwords at regular intervals; the default (and Microsoft’s recommendation) is a maximum password age of 42 days. Set a minimum password age of at least one day so that users cannot cycle through the history in a single sitting and return immediately to a favored password. Require passwords of at least seven characters that meet complexity requirements (a mix of upper- and lowercase letters, digits, and non-alphanumeric characters).
3. What is the recommended strategy for placing users into security groups?
Place user accounts into global groups. Place global groups into universal groups. Place universal groups into domain local groups. Assign permissions to the domain local groups.
Lesson 3 Practice
1. Which additional OUs must be created to support Group Policy?
Creating OUs is only one possible way to filter the application of Group Policy. You can use other methods, such as security groups, to accomplish the same goal.
Create a new OU in the HQ Management OU named Laptops. This OU will contain all the computer accounts for the executives’ laptop computers.
Create a new OU named LaptopComputers in the NAwest domain to simplify the application of Group Policy settings to all laptop computers in this location.
Create a new OU named CallCenter in the CustomerSupport OU. This OU will contain all the computer accounts for the computers in the call center and will enable you to easily apply specific Group Policy settings to these computers.
Create a new OU in the Glasgow domain named ComputerAccounts, and use the redircmp.exe command to redirect all newly created computer accounts from the default Computers container (which cannot have a GPO linked to it) to the new OU. Redircmp.exe requires the domain to be at the Windows Server 2003 domain functional level.
2. Who will be responsible for managing Group Policy in each domain?
The IT group in Paris will manage all Group Policy settings in Atlanta, Paris, and Sydney. The local IT staff will manage Group Policy settings in all other locations.
Lesson 3 Review
1. To what objects can you apply settings using Group Policy? What types of settings can you enforce using Group Policy?
Group Policy lets you apply settings to users and computers in Active Directory. You can use Group Policy to deploy and update software, configure Windows settings, and distribute registry settings via Administrative Templates.
2. In what order are GPOs resolved when they come from multiple sources? What happens when multiple GPOs are linked to a single container in Active Directory?
GPOs on the local computer are always processed first. After this, Active Directory GPOs are processed: first those linked to the site, then those linked to the domain, and finally those linked to OUs, starting at the top-level OU and working down to the OU that contains the object. Settings that do not conflict accumulate; where two GPOs configure the same setting, the GPO processed later overrides the one processed earlier, so an OU-linked GPO normally wins over a domain-linked one. When multiple GPOs are linked to a single container, the administrator sets their link order; the GPO with link order 1 has the highest precedence within that container because it is processed last.
3. You are preparing a plan for a GPO that will be linked to an OU that contains user and group accounts. You want the GPO to apply settings to all accounts in the OU except for two group accounts. What could you do?
You have a couple of options. You could create a new child OU in the existing OU and move the two group accounts into it; you would then either block inheritance of the parent’s GPO on the child OU or link a GPO to the child OU that overrides the unwanted settings. Your other option is to leave the two groups where they are and use security filtering: set a Deny entry for the Apply Group Policy (and, if required, Read) permission on the GPO for those two groups. Simply removing an explicit entry for the groups is not enough, because the GPO’s default permissions grant Authenticated Users Read and Apply Group Policy, and the members of those groups are still Authenticated Users.
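The processing order described in question 2 and the two filtering options in question 3 can be checked against a small model. The following is an added example, not code from the training kit or from Windows: it models the local, site, domain and OU chain, link order within a container, Block Policy Inheritance, Enforced links (which Windows Server 2003 applies after everything else and which survive a block; the page does not name them but they are the "override" mechanism), and security filtering by group. The site, domain, OU and GPO names and every setting value are constructed for the illustration.

```python
"""Constructed model of Group Policy precedence (local, site, domain, OU)."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                          # setting -> value; a setting absent here is Not Configured
    denied_groups: frozenset = frozenset()  # groups given Deny on Apply Group Policy (security filtering)


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # (GPO, enforced) in GPMC link order; link order 1 first
    block_inheritance: bool = False


def application_order(local_gpo, site, domain, ou_chain):
    """Return GPOs in the order they are processed; a later GPO wins on conflicting settings."""
    containers = [site, domain, *ou_chain]          # ou_chain: top-level OU first, object's OU last
    # Block Policy Inheritance drops every non-enforced link from the containers above it.
    start = max([0] + [i for i, c in enumerate(containers) if c.block_inheritance])
    normal, enforced = [], []
    for i, c in enumerate(containers):
        enforced.extend(g for g, enf in c.links if enf)
        if i >= start:
            # Within one container link order 1 is processed last, so it wins over link order 2, 3, ...
            normal.extend(reversed([g for g, enf in c.links if not enf]))
    # Enforced links are processed after everything else, and the one closest to the site wins,
    # so they are applied in the reverse of the order in which they were collected.
    return [local_gpo, *normal, *reversed(enforced)]


def effective_settings(order, principal_groups):
    """Merge settings in processing order, skipping GPOs the principal is filtered out of."""
    result, applied = {}, []
    for gpo in order:
        if gpo.denied_groups & principal_groups:    # security filtering: the whole GPO is skipped
            continue
        applied.append(gpo.name)
        result.update(gpo.settings)                 # configured settings overwrite earlier values
    return result, applied


def demo(principal_groups, block_sales_inheritance=True):
    """Constructed scenario: Paris site, Corp domain, OU Staff containing OU Sales."""
    local = GPO("Local", {"screensaver_timeout": 0, "allow_cmd": True})
    paris = Container("Paris", [(GPO("SiteProxy", {"proxy": "proxy.paris"}), False)])
    corp = Container("Corp", [
        (GPO("DomainBaseline", {"allow_cmd": False, "screensaver_timeout": 900}), True),  # enforced
        (GPO("DomainWallpaper", {"wallpaper": "corp.bmp"}), False),                      # link order 2
        (GPO("DomainLegacy", {"wallpaper": "old.bmp"}), False),                          # link order 3
    ])
    staff = Container("Staff", [(GPO("StaffHomepage", {"homepage": "intranet"}), False)])
    sales_gpo = GPO("SalesDesktop",
                    {"wallpaper": "sales.bmp", "screensaver_timeout": 600, "homepage": "sales.intranet"},
                    frozenset({"SalesManagers", "SalesAuditors"}))   # the two exempt groups
    sales = Container("Sales", [(sales_gpo, False)], block_inheritance=block_sales_inheritance)
    order = application_order(local, paris, corp, [staff, sales])
    return effective_settings(order, frozenset(principal_groups))


if __name__ == "__main__":
    for groups in ({"Domain Users"}, {"Domain Users", "SalesManagers"}):
        settings, applied = demo(groups)
        print(sorted(groups), "->", applied, settings)
```

Running it shows the two effects the answers rely on: a member of SalesManagers never receives SalesDesktop even though the account sits in the Sales OU, and with Block Policy Inheritance on Sales the only domain GPO that still reaches the OU is the enforced DomainBaseline, which also wins the conflict over the screensaver timeout.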
Case Scenario Exercise
1. Sketch out an OU design for the company using the location-based model. What would be the advantages and disadvantages of using the location-based model?
A location-based design would have an OU for each of the major corporate locations and probably just one OU that encompassed all of the branch offices together. The location-based model provides several advantages, including being resistant to corporate restructuring, letting a centralized staff implement domain-wide policies, and making it easier to find resources based on their location. The disadvantages include the possible need for network administrators at each location and a design that doesn’t really follow administrative procedures.
2. Based on the company’s corporate requirements, what password policy settings would you enforce? What authentication policy settings would you use?
To meet requirements, you should implement password policy settings that include the following: Maximum Password Age policy set to 30 days and Enforce Password History policy set to 12 passwords. Password security is further supported by the default settings that require password complexity and a minimum password age of 1 day. Authentication requirements could be met by creating an account lockout policy that disables accounts after five failed password attempts. You could strengthen authentication requirements further by implementing logon hours and creating a ticket expiration policy.
3. What computer-account naming strategy would you use for servers on the network? For user workstations?
Servers should be identified by location and function. Ideally, the server name should indicate that the computer is a server. Using the letters SRV is a popular way to achieve this. The location could be identified by the first three letters of the city name (another solution would be to use three-letter airport codes). How you identify the function is pretty much up to you, but you should be consistent throughout the network. Using a computer name such as SRV-DAL-EXCH could indicate a server in Dallas that runs Exchange Server, for example.
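Consistency is the point of the convention, and it is easiest to keep when something checks names against it. The following is an added example, not from the training kit: a parser for the SRV-<site>-<function> pattern described above that also enforces the 15-character NetBIOS computer-name limit. The site and function code tables and the optional two-digit sequence suffix are assumptions for the illustration; only SRV, the three-letter city code and the SRV-DAL-EXCH example come from the text.

```python
"""Validate server names against the SRV-<site>-<function>[NN] convention (constructed example)."""
import re

NETBIOS_MAX_LEN = 15   # NetBIOS computer names are limited to 15 characters

# Assumed lookup tables; only DAL/EXCH appear in the text, the rest are illustrative.
SITE_CODES = {"DAL": "Dallas", "ATL": "Atlanta", "PAR": "Paris", "SYD": "Sydney", "GLA": "Glasgow"}
FUNCTION_CODES = {"EXCH": "Exchange Server", "DC": "domain controller", "FS": "file server", "SQL": "SQL Server"}

# SRV-<3-letter site>-<function code>[<2-digit sequence>]; the sequence suffix is an assumed extension.
NAME_RE = re.compile(r"^SRV-(?P<site>[A-Z]{3})-(?P<function>[A-Z]{2,4})(?P<seq>\d{2})?$")


def parse_server_name(name):
    """Decode a server name into its parts; raise ValueError if it violates the convention."""
    upper = name.upper()                          # NetBIOS names are case-insensitive
    if len(upper) > NETBIOS_MAX_LEN:
        raise ValueError(f"{name}: longer than {NETBIOS_MAX_LEN} characters")
    m = NAME_RE.match(upper)
    if not m:
        raise ValueError(f"{name}: does not match SRV-<site>-<function>")
    site, function, seq = m.group("site"), m.group("function"), m.group("seq")
    if site not in SITE_CODES:
        raise ValueError(f"{name}: unknown site code {site}")
    if function not in FUNCTION_CODES:
        raise ValueError(f"{name}: unknown function code {function}")
    return {"site": SITE_CODES[site], "function": FUNCTION_CODES[function], "seq": seq}


def audit(names):
    """Map each name to None if it conforms, otherwise to the reason it was rejected."""
    result = {}
    for n in names:
        try:
            parse_server_name(n)
            result[n] = None
        except ValueError as err:
            result[n] = str(err)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, including deliberately non-conforming names.
    for name, problem in audit(["SRV-DAL-EXCH", "srv-par-dc01", "SRV-DALLAS-EXCH01",
                                "WEB01", "SRV-XXX-FS", "SRV-ATL-WEB"]).items():
        print(f"{name:18} {'ok' if problem is None else problem}")
```

Adding a code to SITE_CODES or FUNCTION_CODES is the only change needed when a new location or server role appears, which keeps the approved list in one place rather than in each administrator's head.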
4. Based on the scenario, what method would you use to deploy software using Group Policy?
You should use Group Policy to assign the applications to computers. When an application is assigned to a computer, the application is installed the first time the computer starts up following the assignment.
Chapter 5: Designing a Site Plan
Exam Objectives in this Chapter:
■ Design the Active Directory infrastructure to meet business and technical requirements.
❑ Design the Active Directory replication strategy.
■ Design an Active Directory directory service site topology.
❑ Design sites.
❑ Identify site links.
■ Design an Active Directory implementation plan.
❑ Design the placement of domain controllers and global catalog servers.
❑ Plan the placement of flexible operations master roles.
❑ Select the domain controller creation process.
■ Design migration paths to Active Directory.
❑ Define whether the migration will include an in-place upgrade, domain restructuring, or migration to a new Active Directory environment.
Why This Chapter Matters
In Chapter 3, “Planning an Active Directory Structure,” and Chapter 4, “Designing an Administrative Security Structure,” you learned to design the logical side of an Active Directory (AD) infrastructure. This included the forest and domain structure as well as an administrative structure of organizational units, users, and groups. In this chapter, you learn to use sites to define the physical structure of a network. One of the primary tasks of any network designer is controlling the traffic that occurs between remote locations over WAN links, and sites are the main tool you will use to achieve that control.
In this chapter, you learn to determine the placement of sites and specify how those sites are linked. You also learn to create designs that optimize the intrasite and intersite replication process. You learn how to determine the placement of domain controllers and how to plan other roles your servers may play. Finally, you learn how to plan a migration path from previous versions of Windows.
Lessons in this Chapter:
■ Lesson 1: Designing a Site Topology . . . 5-3
■ Lesson 2: Planning Domain Controllers . . . 5-10
■ Lesson 3: Planning a Replication Strategy . . . 5-22
■ Lesson 4: Designing a Migration Path . . . 5-33
Before You Begin
To complete this chapter, make sure you are familiar with the Active Directory concepts described in Chapter 1, “Introduction to Active Directory and Network Infrastructure.” You should also have gathered and analyzed any information about the existing Active Directory infrastructure of your company, as discussed in Chapter 2, “Analyzing an Existing Infrastructure.” In particular, you use the geographic and network topology information you gathered about a company to design a site topology.