This essay will discuss the configuration and management of multiple domains in an Active Directory environment. Topics addressed include the creation of domains, trees, the forming of trust relationships, forests, the global catalog, schemas, replication, group management and time synchronisation.
Domains and domain controllers:
A domain is a group of computers and devices that share the same resources, such as printers and drivers.
A domain controller is a server that functions within a domain and manages system security such as user logins and allocating permissions. Its main purpose is to control all the users, groups and computers within a domain.
To create a domain controller a system administrator has to go through the Active Directory Installation Wizard using the command dcpromo.exe. This installs both Active Directory Domain Services (used to store information on, organise, secure and control access to objects within a domain) and the Domain Name System (a namespace used to identify a domain, e.g. rafiq.local) together.
Apart from promoting (creating) Active Directory on a server, the dcpromo command is also used to demote a domain controller. One of the main reasons for demoting a domain controller is to move it from one domain to another. The administrator is prompted to decide whether or not they want to remove the machine from the current domain; it can then be promoted again in the new domain.
A domain or set of domains that share the same namespace form a tree. These are created using the Active Directory Installation Wizard. An example would be:
(Figure: example tree; a root domain may have child domains created underneath it.)
A trust relationship is created when users and computers within an Active Directory domain have access to resources from another domain. This forms a "trust" between the two domains. A forest is created by trust relationships that link trees together. However, a forest may also be made up of a single tree which does not link to another tree.
There are two types of trusts:
Transitive - This type of trust allows trusted domains to chain together. For example, if domain 1 and domain 2 trust each other and domain 2 trusts domain 3, then domain 1 also trusts domain 3.
Non-transitive - This is the opposite of transitive. The trust relationship ends with the two domains trusting each other and does not extend to any other trusted domain. For example, if domain 1 and domain 2 trust each other and domain 2 and domain 3 trust each other, domain 1 does not trust domain 3. It only trusts domain 2.
Trusts can be:
One way (unidirectional) - Resources are only shared in one direction, by the trusted domain. These trusts can be either transitive or non-transitive, and are further broken down into incoming and outgoing trusts.
Two way (bidirectional) - Resources can be shared in both directions, by both the trusted and the trusting domain.
Trust relationships can either be created automatically (implicit) or manually (explicit).
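The following PowerShell script is an added example, not part of the essay: it lists every trust the current domain has and classifies each one by direction and transitivity using the flags on the trust object, then warns about trusts to domains outside the forest that are transitive or lack SID filtering. It assumes the RSAT ActiveDirectory module is installed and the account has read access to the domain.

```powershell
# Added example: audit the domain's trust relationships (direction, transitivity, SID filtering).
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-TrustSummary {
    Get-ADTrust -Filter * | ForEach-Object {
        # Intra-forest trusts (parent-child, tree-root) are implicit and always transitive;
        # forest trusts are transitive when ForestTransitive is set;
        # other trusts (external, realm) are treated as non-transitive.
        $transitive = $_.IntraForest -or $_.ForestTransitive
        [PSCustomObject]@{
            Source        = $_.Source
            Target        = $_.Target
            Direction     = $_.Direction            # Inbound, Outbound or BiDirectional
            Transitive    = $transitive
            IntraForest   = $_.IntraForest
            # SID filtering stops a trusted domain injecting SIDs from another domain
            # into a user's token; it should be on for trusts that leave the forest.
            SidFiltering  = $_.SIDFilteringQuarantined -or $_.SIDFilteringForestAware
            SelectiveAuth = $_.SelectiveAuthentication
        }
    }
}

$trusts = Get-TrustSummary
$trusts | Format-Table -AutoSize

# Trusts that deserve a second look: inbound or two-way trusts to domains outside
# the forest that are transitive or do not have SID filtering enabled.
$trusts |
    Where-Object { -not $_.IntraForest -and $_.Direction -ne 'Outbound' -and
                   ($_.Transitive -or -not $_.SidFiltering) } |
    ForEach-Object {
        Write-Warning ("Review trust {0} -> {1}: direction {2}, transitive={3}, SID filtering={4}" -f
            $_.Source, $_.Target, $_.Direction, $_.Transitive, $_.SidFiltering)
    }
```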
A forest is one or more trees that do not share a contiguous namespace, e.g. you could join the organisational1.com and organisational2.com domains together to create a single AD environment.
A forest is made up of one or more domain trees that share the same schema, global catalog and Active Directory configuration, and that communicate through implicit trust relationships between the trees. This is helpful for an administrator who wishes to use more than one DNS namespace.
Joining a new domain tree to a forest:
A set of domains that share the same namespace and resources make up a domain tree. Trust relationships are used to link these domains together.
Again the dcpromo.exe command is needed to create another tree to add to a forest. A parent domain must exist in a forest before an administrator can start adding child domains. The root domain can only be removed if an administrator wants to remove the entire forest.
You need to use the AD Installation Wizard to create a new domain tree and add it to a forest. In order to add a new domain to an existing forest, you must already have another domain which is the root domain. The entire forest structure could be destroyed if the original root domain is removed. It is recommended that the parent domain contains more than one domain controller, for protection in case the first one fails.
Adding additional domain controllers:
A domain controller can be added either as part of an existing domain or as the first in a new domain, the Primary Domain Controller (PDC).
Additional domain controllers can be created easily through the Active Directory Installation Wizard. The main benefits of adding extra domain controllers are to provide:
Fault tolerance and reliability. This ensures that if one server breaks down there is a Backup Domain Controller (BDC) available to carry out tasks, including browsing for resources and user accounts.
Better performance. This is achieved by distributing the load between multiple domain controllers.
The schema is shared among all the domains in Active Directory. It is used to organise the data stored in each domain and make sure it remains consistent. If any changes are made to the schema, the same changes are made on all the domain controllers in the AD. "If you add another field for employee's benefits plan number, all the domain controllers throughout the environment need to recognise this before the information is stored among them." (MCTS: Windows 2008 R2 Complete Study Guide, William Panek, 2011.)
The purpose of a Global Catalog is to reduce costs of sharing network and resource information across multiple domains.
"The Global Catalog is a meta data repository" according to MCTS: Windows 2008 R2 Complete Study Guide (William Panek, 2011). It is a separate database within Active Directory that holds a read-only copy of the objects found in the domains of the AD forest, which can be queried directly. It allows users to perform quick searches across the entire AD forest.
The system administrator mainly stores general data that is used quite often in the global catalog. This includes information on each domain's users, groups, computers and printers. For example, if a user wants to find all the employees in the company whose name starts with 'M', they just need to query the GC. It can also be used to query resources in other domains, e.g. printers.
The main purpose of replication is to make sure that the information stored on domain controllers stays the same, so that every domain controller within a domain holds up-to-date information.
There are two types of replication:
Intrasite replication runs over high-speed bandwidth. It is used to synchronise information between domain controllers in the same site.
Intersite replication is used to reduce network traffic occurring between different sites. It takes place between domain controllers in different sites, and therefore uses low-speed connections, e.g. WANs.
Sites: a collection of domain controllers that serves a common group of users. "One of the most important aspects of designing and implementing AD is understanding how AD allows you to separate the logical components of the directory services from the physical components."
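The following PowerShell script is an added example, not part of the essay: it summarises inbound replication for every domain controller in the domain, separates intrasite partners from intersite partners by comparing site names, and flags partners whose last successful replication is older than a threshold or that have consecutive failures. It assumes the RSAT ActiveDirectory module (Get-ADReplicationPartnerMetadata) and read access to the domain; the 3-hour staleness threshold is a constructed value.

```powershell
# Added example: report intrasite/intersite replication partners and flag stale or failing ones.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$StaleAfterHours = 3   # constructed threshold; tune it to your intersite replication schedule

function Get-ReplicationReport {
    $now = Get-Date
    foreach ($dc in Get-ADDomainController -Filter *) {
        # One record per (partner, partition) that replicates into $dc
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue |
            ForEach-Object {
                # The Partner value is the DN of the partner's NTDS Settings object:
                # CN=NTDS Settings,CN=<dc>,CN=Servers,CN=<site>,CN=Sites,... (simple split, assumes no escaped commas)
                $parts       = ($_.Partner -split ',') | ForEach-Object { $_ -replace '^CN=', '' }
                $partnerDc   = $parts[1]
                $partnerSite = $parts[3]
                [PSCustomObject]@{
                    Server      = $dc.Name
                    Site        = $dc.Site
                    Partner     = $partnerDc
                    Scope       = if ($partnerSite -eq $dc.Site) { 'Intrasite' } else { 'Intersite' }
                    Partition   = $_.Partition
                    LastSuccess = $_.LastReplicationSuccess
                    Failures    = $_.ConsecutiveReplicationFailures
                    Stale       = ($now - $_.LastReplicationSuccess).TotalHours -gt $StaleAfterHours
                }
            }
    }
}

$report = Get-ReplicationReport
$report | Sort-Object Server, Scope | Format-Table -AutoSize

# Anything stale or failing is where an administrator should look first
$report | Where-Object { $_.Stale -or $_.Failures -gt 0 } |
    ForEach-Object {
        Write-Warning ("{0} <- {1} ({2}): last success {3}, {4} consecutive failures" -f
            $_.Server, $_.Partner, $_.Scope, $_.LastSuccess, $_.Failures)
    }
```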
Apart from DNS, time synchronisation is another important thing AD depends on for replication and trusts. It is essential that its domain controllers share roughly the same current time and date (a difference of up to 5 minutes is acceptable), which is set by the Primary Domain Controller emulator (which acts like the Primary Domain Controller). However, if the time difference exceeds 5 minutes it causes problems: replication does not take place between the domain controllers and users are unable to log in to their accounts. (Time Synchronisation in Active Directory, February 2, 2012, Brandon Lawson.)
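The following PowerShell script is an added example, not part of the essay: it reads each domain controller's UTC clock over WinRM, compares it with the PDC emulator's clock, and flags any DC whose drift exceeds the 5-minute tolerance described above. It assumes the RSAT ActiveDirectory module, WinRM enabled on the domain controllers, and an account allowed to run remote commands on them.

```powershell
# Added example: measure clock skew between every DC and the PDC emulator.
# Assumes the RSAT ActiveDirectory module, WinRM on the DCs, and remoting rights.
Import-Module ActiveDirectory

$MaxSkewSeconds = 300   # 5 minutes, the tolerance described above

function Get-DcClockSkew {
    $pdc = (Get-ADDomain).PDCEmulator
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    # Read the PDC emulator's clock once and remember when (locally) we read it
    $pdcTime = Invoke-Command -ComputerName $pdc -ScriptBlock { (Get-Date).ToUniversalTime() }
    $pdcRead = (Get-Date).ToUniversalTime()

    foreach ($dc in $dcs) {
        try {
            $before = (Get-Date).ToUniversalTime()
            $remote = Invoke-Command -ComputerName $dc -ErrorAction Stop `
                          -ScriptBlock { (Get-Date).ToUniversalTime() }
            # Advance the PDC reading by the local time elapsed since we took it,
            # so we compare DC clock against PDC clock rather than against ours.
            $expected = $pdcTime.AddSeconds(($before - $pdcRead).TotalSeconds)
            $skew = [math]::Round(($remote - $expected).TotalSeconds, 1)
            [PSCustomObject]@{
                DomainController = $dc
                SkewSeconds      = $skew
                OverLimit        = [math]::Abs($skew) -gt $MaxSkewSeconds
                Error            = $null
            }
        } catch {
            # A DC we cannot reach is reported rather than silently skipped
            [PSCustomObject]@{
                DomainController = $dc
                SkewSeconds      = $null
                OverLimit        = $null
                Error            = $_.Exception.Message
            }
        }
    }
}

Get-DcClockSkew | Format-Table -AutoSize
```

A DC reported as over the limit can be brought back into line with the built-in `w32tm /resync` command run on that DC; WinRM round-trip latency adds only milliseconds of noise to the measurement, far below the 5-minute threshold.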
Multiple domains may also be created for an administrator who intends to use many DNS names.
Reasons for creating multiple domains:
Most organisational units can be structured in a single domain as they are easier to manage and are cost efficient. However there are many reasons why an organisation may want to create more than one domain depending on the organisation's needs.
There are benefits to creating multiple domains; however there are also potential drawbacks.
Disadvantages of multiple domains:
Security consistency issues:
"The security policies in Windows 2008 R2 are different between and within the same domains." (MCTS: Windows 2008 R2 Complete Study Guide by William Panek 2011).
As an administrator has to maintain the security settings in Active Directory, they have to take care when dealing with group policy and security settings across multiple domains, or else the security settings may become inconsistent. This becomes a problem for organisations wishing to apply the same security settings to all the users in every domain.
Challenges of managing a large number of domains:
It is much more difficult to manage multiple domains, as the administrator has to manage each domain's users, groups and computers separately.
"It becomes challenging to manage multiple domains because many more administrative units are required." (MCTS: Windows 2008 R2 Complete Study Guide by William Panek 2011). However it also makes it easier for handling the allocation of permissions within the organisational unit.
With more domains there are more domain controllers which means there is more data stored. This would result in information becoming harder to synchronise.
Flexibility is reduced:
There is reduced flexibility when managing multiple domains. According to MCTS: Windows 2008 R2 Complete Study Guide (William Panek, 2011), "When planning domains, you should ensure that domain structures don't change often if at all." It is simple to create a domain controller after creating a new domain, but restructuring organisational units in Active Directory is much easier than rearranging a domain topology. It is also harder for an administrator to move a user between domains than it is to move them from one organisational unit to another.
Another disadvantage would be an increase in the global catalog size due to the large number of users, computers and groups from each domain.
Having multiple domains is also more expensive than using a single domain as they require more domain controllers.
Advantages of multiple domains:
Microsoft enables AD to support millions of objects, although this might not be practical for your environment. You need a lot of disk space and greater CPU use to support
As mentioned before multiple domains mean the use of multiple DNS (domain) names.
Laws and regulations:
Another reason for using multiple domains is legal. Some organisations may need to follow certain laws and regulations, and these requirements can be met with the use of multiple domains.
Group Policy Management Console: controls user and computer accounts. It provides management and configuration of operating systems, applications and user settings in an AD environment.