Microsoft® Windows® Server 2003
Deployment Kit
Designing and Deploying
Directory and
Security Services
A Resource Kit Publication
Microsoft Corporation
Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation.
© 2003 Microsoft Corporation. All rights reserved.
Active Directory, ActiveX, FrontPage, JScript, Microsoft, Microsoft Press, MS, MSDN, MS-DOS, Notepad, SQL Server, Visual Basic, Visual Studio, Windows, Windows Media, Windows NT, and Win32 are registered trademarks of Microsoft Corporation in the USA and other countries.
Microsoft may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. The furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property rights except as expressly provided in any written license agreement from Microsoft.
IBM is a registered trademark of International Business Machines Corporation.
NetWare is a registered trademark of the Novell Corporation.
Apple and Macintosh are registered trademarks of the Apple Corporation.
ActivePerl is a registered trademark of the ActiveState Corporation.
Document No. X08-39350
Printed in the United States of America.
Contents1
Contents at a glance
INTRODUCTION ...... xxvii
PART I Designing and Deploying Directory Services ...... 1
CHAPTER 1 Planning an Active Directory Deployment Project ...... 3
CHAPTER 2 Designing the Active Directory Logical Structure ...... 29
CHAPTER 3 Designing the Site Topology ...... 137
CHAPTER 4 Planning Domain Controller Capacity ...... 185
CHAPTER 5 Enabling Advanced Windows Server 2003 Active Directory Features ...... 205
CHAPTER 6 Deploying the Windows Server 2003 Forest Root Domain ...... 227
CHAPTER 7 Deploying Windows Server 2003 Regional Domains ...... 259
CHAPTER 8 Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory ...... 287
CHAPTER 9 Upgrading Windows 2000 Domains to Windows Server 2003 Domains ...... 355
CHAPTER 10 Restructuring Windows NT 4.0 Domains to an Active Directory Forest ...... 399
CHAPTER 11 Restructuring Active Directory Domains Between Forests ...... 467
CHAPTER 12 Restructuring Active Directory Domains Within a Forest ...... 573
PART II Designing and Deploying Distributed Security Services ...... 623
CHAPTER 13 Planning a Secure Environment ...... 625
CHAPTER 14 Designing an Authentication Strategy ...... 653
CHAPTER 15 Designing a Resource Authorization Strategy ...... 699
CHAPTER 16 Designing a Public Key Infrastructure ...... 725
CHAPTER 17 Planning a Smart Card Deployment ...... 839
GLOSSARY ...... 871
INDEX ...... 899
Contents
INTRODUCTION ...... xxvii
Deployment Kit Compact Disc...... xxviii
Document Conventions...... xxix
Support Policy...... xxxiii
PART I Designing and Deploying Directory Services ...... 1
CHAPTER 1 Planning an Active Directory Deployment Project ...... 3
Overview of Planning an Active Directory Deployment Project...... 4
Process for Planning an Active Directory Deployment Project ...... 5
Active Directory Background Information ...... 6
Active Directory Deployment Project Cycle ...... 6
Terms and Definitions ...... 7
Determining Your Active Directory Design and Deployment Strategy ...... 8
Determining Your Active Directory Design Requirements ...... 11
Determining Your Active Directory Deployment Requirements ...... 12
Windows Server 2003 Forest Root ...... 12
Windows Server 2003 Regional Domains ...... 13
Windows NT 4.0 Domain Upgrade to Windows Server 2003 ...... 13
Windows 2000 Domain Upgrade to Windows Server 2003 ...... 13
Determining Your Restructure Requirements ...... 13
Windows NT 4.0 Domain Restructure to a Windows Server 2003 Forest ...... 13
Interforest Active Directory Domain Restructure ...... 14
Intraforest Active Directory Domain Restructure ...... 14
Example: Establishing an Active Directory Deployment Strategy ...... 15
Testing and Verifying the Deployment Process ...... 18
Testing the Design and Deployment in a Lab Environment ...... 18
Testing Design Assumptions ...... 19
Testing Deployment Processes ...... 21
Verifying the Deployment in a Pilot Program ...... 23
Example: Creating a Pilot Deployment Program for Trey Research .....24
Completing the Pilot Deployment Program ...... 25
Example: Completing the Pilot Deployment Program for Trey Research ..26
Additional Resources ...... 26
CHAPTER 2 Designing the Active Directory Logical Structure ...... 29
Overview of Designing the Active Directory Logical Structure ...... 30
Process for Designing the Active Directory Logical Structure ...... 31
Active Directory Logical Structure Background Information ...... 32
Identifying the Deployment Project Participants ...... 35
Defining Project-Specific Roles ...... 36
Establishing Owners and Administrators ...... 38
Building Project Teams ...... 42
Identifying Potential Forest Owners ...... 42
Establishing a Design Team ...... 43
Establishing a Deployment Team ...... 44
Document the Design and Deployment Teams ...... 45
Example: Identifying Deployment Project Participants ...... 45
Creating a Forest Design ...... 47
Identifying Forest Design Requirements ...... 48
Service Administrator Scope of Authority ...... 49
Autonomy vs. Isolation ...... 50
Isolation and Autonomy Requirements ...... 51
Documenting the Forest Design Requirements ...... 52
Determining the Number of Forests Required ...... 54
Forest Design Models ...... 55
Mapping Design Requirements to Forest Design Models ...... 58
Using the Organizational Domain Forest Model ...... 65
Documenting the Forest Design ...... 68
Example: Documenting the Forest Design ...... 68
Creating a Domain Design ...... 70
Reviewing the Domain Models ...... 71
Single Domain Model ...... 72
Regional Domain Model ...... 72
Determining the Number of Domains Required ...... 74
Dividing the Organization into Regional Domains ...... 75
Documenting the Regions Identified ...... 80
Determining Whether to Upgrade Existing or Deploy New Domains ...... 81
Evaluating Current Master User Domains ...... 82
Documenting Plans for New and Upgraded Domains ...... 83
Assigning Domain Names ...... 85
Documenting Domain Names ...... 85
Selecting the Forest Root Domain ...... 87
Choosing a Regional or Dedicated Forest Root Domain ...... 87
Assigning the Forest Root Domain Name ...... 91
Documenting the Forest Root Domain Name ...... 93
Creating a Consolidation Plan ...... 95
Restructuring Windows NT 4.0 MUDs into Windows Server 2003 Domains ...... 95
Documenting the Migration Plan for Windows NT 4.0 Master User Domains ...... 96
Restructuring Windows NT 4.0 Resource Domains ...... 98
Documenting the Migration Plan for Windows NT 4.0 Resource Domains ...... 100
Designing a DNS Infrastructure to Support Active Directory ...... 102
DNS Concepts ...... 104
Delegation ...... 104
Recursive Name Resolution ...... 105
DNS and Active Directory ...... 108
Domain Controller Location ...... 109
Active Directory–Integrated Zones ...... 109
Computer Naming ...... 110
Assigning the Active Directory DNS Owner Role ...... 110
Identifying the DNS Infrastructure Requirements ...... 110
Integrating Active Directory into an Existing DNS Infrastructure ...... 111
Creating a DNS Server Configuration ...... 111
Creating the DNS Client Configuration ...... 114
Documenting Your DNS Infrastructure Design ...... 114
Designing Organizational Units for Delegation of Administration ...... 116
Reviewing Organizational Unit Design Concepts ...... 117
Organizational Unit Owner Role ...... 119
Delegating Administration by Using OU Objects ...... 120
Administration of Default Containers and OUs ...... 120
Delegating Administration of Account and Resource OUs ...... 123
Creating Account OUs ...... 132
Creating Resource OUs ...... 132
Documenting the OU Design for Each Domain ...... 133
Applying Group Policy to OUs ...... 134
Additional Resources ...... 135
CHAPTER 3 Designing the Site Topology ...... 137
Overview of Designing a Site Topology ...... 138
Process for Designing a Site Topology ...... 139
Site Topology Design Background Information ...... 139
Functions for Sites in Windows Server 2003 ...... 140
Site Topology Owner Role ...... 141
Network Topologies ...... 142
Active Directory Replication Concepts ...... 143
Collecting Network Information ...... 148
Creating a Location Map ...... 148
Listing Communication Links and Available Bandwidth ...... 149
Listing IP Subnets Within Each Location ...... 150
Listing Domains and Number of Users for Each Location ...... 151
Planning Domain Controller Placement ...... 152
Planning Forest Root Domain Controller Placement ...... 154
Planning Regional Domain Controller Placement ...... 154
Planning Global Catalog Server Placement ...... 158
Planning Operations Master Role Placement ...... 160
Example: Determining Domain Controller Placement ...... 163
Creating a Site Design ...... 165
Creating a Site Link Design ...... 168
Connecting Sites with Site Links ...... 169
Setting Site Link Properties ...... 171
Determining the Cost ...... 171
Determining the Schedule ...... 173
Determining the Interval ...... 174
Example: Creating a Site Link Design ...... 176
Creating a Site Link Bridge Design ...... 178
Creating a Site Link Bridge Design for Disjointed Networks ...... 179
Creating a Site Link Bridge Design to Control Active Directory Replication Flow ...... 179
Additional Resources ...... 182
CHAPTER 4 Planning Domain Controller Capacity ...... 185
Overview of Planning Domain Controller Capacity ...... 186
Process for Planning Domain Controller Capacity ...... 187
Background Information for Planning Domain Controller Capacity ...... 188
Collecting Site Topology Design Information ...... 190
Determining the Number of Domain Controllers ...... 192
Determining the Minimum Number of Domain Controllers Required ...... 193
Adding Domain Controllers to Support Replication Between Sites ...... 194
Assessing Disk Space and Memory Requirements ...... 195
Determining Required Disk Space ...... 196
Determining Minimum Disk Space Requirements ...... 196
Adding Disk Space for Global Catalog Servers ...... 197
Adding Disk Space for Application Directory Partitions ...... 198
Determining Required Memory Allocation ...... 199
Example: Assessing Disk Space and Memory Requirements ...... 200
Monitoring Domain Controller Performance ...... 202
Additional Resources ...... 204
CHAPTER 5 Enabling Advanced Windows Server 2003 Active Directory Features ...... 205
Overview of Enabling Advanced Active Directory Features ...... 206
Process for Enabling Advanced Active Directory Features ...... 207
Functional Levels Background Information ...... 207
Preparing to Enable Functional Levels ...... 214
Assess Your Current Environment ...... 215
Identify Your Functional Level Scenario ...... 216
Enabling Windows Server 2003 Active Directory Functional Levels ...... 217
Enabling Windows Server 2003 Functional Levels in a Windows NT 4.0 Environment ...... 218
Raise the Domain Functional Level to Windows Server 2003 ...... 220
Raise the Forest Functional Level to Windows Server 2003 ...... 222
Enabling Windows Server 2003 Functional Levels in a Mixed Windows 2000 Environment ...... 222
Enabling Windows Server 2003 Functional Levels in a Native Windows 2000 Environment ...... 223
Enabling Windows Server 2003 Functional Levels in a New Windows Server 2003 Forest ...... 224
Additional Resources ...... 225
CHAPTER 6 Deploying the Windows Server 2003 Forest Root Domain ...... 227
Overview of Deploying the Forest Root Domain ...... 228
Process for Deploying the Forest Root Domain ...... 229
Background Information for Deploying the Forest Root Domain ...... 230
Reviewing the Active Directory Design ...... 231
Review the Active Directory Logical Structure Design ...... 232
Review Site Topology Design ...... 234
Review Hardware Requirements ...... 235
Configuring DNS for the Forest Root Domain ...... 235
Creating the Forest Root Domain ...... 237
Deploy the First Forest Root Domain Controller ...... 238
Install Windows Server 2003 on the First Forest Root Domain Controller ...... 238
Install Active Directory on the First Forest Root Domain Controller ...... 239
Verify the Active Directory Installation on the First Forest Root Domain Controller ...... 241
Configure the Windows Time Service ...... 241
Verify DNS Server Recursive Name Resolution on the First Forest Root Domain Controller ...... 242
Deploy the Second Domain Controller in the Same Site ...... 244
Install Windows Server 2003 on the Second Domain Controller ...... 244
Install Active Directory on the Second Domain Controller ...... 245
Install DNS Server on the Second Domain Controller ...... 247
Verify the Active Directory Installation on the Second Domain Controller ...... 247
Reconfigure the DNS Service ...... 247
Enable Aging and Scavenging for DNS ...... 248
Configure the DNS Client Settings of the First and Subsequent Domain Controllers ...... 249
Update the DNS Delegation ...... 250
Configure Site Topology ...... 250
Delegate Active Directory Site Topology Administration ...... 251
Create Active Directory Sites ...... 251
Create and Assign Active Directory Subnets ...... 251
Create Active Directory Site Links ...... 252
Deploy Additional Domain Controllers in Other Sites ...... 252
Configure Operations Master Roles ...... 252
Raising the Functional Level ...... 255
Additional Resources ...... 256
CHAPTER 7 Deploying Windows Server 2003 Regional Domains ...... 259
Overview of Deploying Regional Domains ...... 260
Process for Deploying Regional Domains ...... 261
Background Information for Deploying Regional Domains ...... 262
Reviewing the Regional Domain Design ...... 263
Collect Regional Domain Design Information ...... 264
Review Hardware Requirements ...... 265
Delegating the DNS Domain for the New Regional Domain ...... 266
Deploying the First Domain Controller in a New Regional Domain ...... 268
Install Windows Server 2003 ...... 269
Install Active Directory ...... 270
Verify the Active Directory Installation ...... 272
Verify DNS Server Recursive Name Resolution ...... 273
Deploying Additional Domain Controllers in a New Regional Domain ...... 274
Reconfiguring the DNS Service ...... 278
Enable Aging and Scavenging for DNS ...... 279
Configure the DNS Client Settings of the First and Subsequent Domain Controllers ...... 281
Update the DNS Delegation for the Regional Domain ...... 281
Configuring Operations Master Roles ...... 282
Additional Resources ...... 285
CHAPTER 8 Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory ...... 287
Overview of Upgrading Windows NT 4.0 Domains ...... 288
Process for Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory ...... 289
Background Information for Upgrading to Windows Server 2003 Active Directory ...... 290
Collecting Design Information ...... 295
Document the Existing Environment ...... 296
Document Domain Controllers and Services ...... 297
Document the Existing Hardware Configuration ...... 299
Document the Existing Network Configuration ...... 301
Document Domain Controller Role Assignments ...... 303
Determine the Domain Upgrade Order ...... 304
Determine Supported Operating System Upgrades ...... 305
Develop a Test Plan ...... 306
Develop a Recovery Plan ...... 308
Completing Pre-Upgrade Tasks ...... 310
Relocate the LMRepl File Replication Service ...... 310
Ensure Remote Access Service Compatibility ...... 311
Enable the Windows NT 4.0 Environment Change Freeze ...... 311
Upgrading Domains from Windows NT 4.0 to Windows Server 2003 Active Directory ...... 312
Upgrade to a Regional Domain in an Existing Forest ...... 314
Back Up the Domain Data ...... 314
Enable the Windows Server 2003 Interim Forest Functional Level ...... 315
Delegate the DNS Zone for the New Regional Domain ...... 316
Configure Protection Against Domain Controller Overload ...... 317
Upgrade the Operating System of the Windows NT 4.0 PDC ...... 318
Install Active Directory ...... 319
Verify DNS Server Recursive Name Resolution ...... 322
Perform Post-Upgrade Tests ...... 323
Upgrade to a Single Domain Forest ...... 323
Back Up the Domain Data ...... 324
Delegate the DNS Zone for the Windows Server 2003 Domain ...... 324
Configure Protection Against Domain Controller Overload ...... 325
Upgrade the Operating System of the Windows NT 4.0 PDC ...... 326
Install Active Directory ...... 327
Configure the Site Topology ...... 330
Configure the Windows Time Service on the Forest Root Domain Controller ...... 330
Enable Aging and Scavenging for DNS ...... 331
Verify DNS Server Recursive Name Resolution ...... 333
Perform Post-Upgrade Tests ...... 334
Modify Security Policies ...... 334
Synchronize File Replication Services ...... 336
Recreate Trusts ...... 338
Use DNS Registration to Decrease the Workload on the PDC Emulator ....338
Upgrade Additional Domain Controllers ...... 340
Configure Protection Against Domain Controller Overload on Additional Domain Controllers ...... 341
Neutralize Windows NT 4.0 Domain Controller Emulation ...... 342
Upgrade Windows NT 4.0 BDCs ...... 343
Install Active Directory on the Additional Domain Controllers ...... 344
Install DNS on Additional Domain Controllers ...... 347
Reconfigure the DNS Service ...... 347
Add Windows NT 4.0 BDCs to Windows Server 2003 Domain ...... 348
Perform Post-Upgrade Tests ...... 348
Completing Post-Upgrade Tasks ...... 349
Eliminate Anonymous Connections to Domain Controllers ...... 350
Raise Domain and Forest Functional Levels ...... 350
Redirect the Users and Computers Containers ...... 351
Completing the Upgrade ...... 352
Additional Resources ...... 353
CHAPTER 9 Upgrading Windows 2000 Domains to Windows Server 2003 Domains ...... 355
Overview of Upgrading Your Windows 2000 Domains to Windows Server 2003 Domains ...... 356
Process for Upgrading Windows 2000 Domains to Windows Server 2003 Domains ...... 357
Background Information for Upgrading Windows 2000 Domains to Windows Server 2003 Domains ...... 358
Planning to Upgrade Windows 2000 Domains to Windows Server 2003 Domains ...... 364
Create a Pre-Upgrade Task Checklist ...... 366
Assign Appropriate Credentials ...... 366
Introduce a Windows Server 2003–Based Member Server ...... 368
Determine Supported Software Upgrades ...... 368
Assess Hardware Requirements ...... 369
Determine Domain Controller Upgrade Order ...... 370
Develop a Test Plan ...... 371
Develop a Recovery Plan ...... 374
Completing Pre-Upgrade Tasks ...... 374
Determine Service Pack Levels ...... 375
Backup Domain Data ...... 376
Resolve Upgrade and Application Compatibility Problems ...... 376
Prepare Your Infrastructure for Upgrade ...... 377
Upgrading Windows 2000 Domains to Windows Server 2003 Domains ...... 384
Install Active Directory on Windows Server 2003–Based Member Servers ...... 385
Upgrade Existing Windows 2000–Based Domain Controllers ...... 388
Modify Security Policies ...... 389
Update Group Policy Permissions ...... 391
Perform Clean-up Tasks ...... 392
Completing Post-Upgrade Tasks ...... 393
Raise Domain and Forest Functional Levels ...... 394
Use DNS Application Directory Partitions ...... 394
Redirect Users and Computers ...... 396
Completing the Upgrade ...... 397
Additional Resources ...... 397
CHAPTER 10 Restructuring Windows NT 4.0 Domains to an Active Directory Forest ...... 399
Overview of Restructuring Windows NT 4.0 Domains to an Active Directory Forest ...... 400
Process for Restructuring Windows NT 4.0 Domains to an Active Directory Forest ...... 401
Windows NT 4.0 Domain Migration Background Information ...... 402
Terms and Definitions ...... 402
Active Directory Migration Tool ...... 403
Planning to Restructure Windows NT 4.0 Domains to an Active Directory Forest ...... 407
Assigning Object Locations and Roles ...... 409
Developing a Test Plan ...... 410
Creating a Rollback Plan ...... 412
Planning for User Profile Migration ...... 413
Establishing Administrative Procedures ...... 414
Creating an End-User Communication Plan ...... 415
Preparing the Source and Target Domains for Restructuring ...... 416
Installing High Encryption Software ...... 418
Establishing Required Trusts ...... 418
Establishing Migration Accounts ...... 419
Configuring the Source and Target Domains to Migrate SID History ...... 421
Configuring the Target Domain OU Structure for Administration ...... 422
Installing ADMT ...... 422
Enabling Password Migration ...... 423
Initializing ADMT ...... 424
Identifying Service Accounts ...... 426
Restructuring Account Domains ...... 429
Transitioning Service Accounts ...... 430
Migrating Global Groups ...... 434
Migrating Users in Batches ...... 438
Migrating User Accounts ...... 439
Translating Local User Profiles ...... 444
Migrating User Workstations ...... 448
Remigrating Global Groups ...... 452
Completing the Account Migration ...... 456
Restructuring Resource Domains ...... 457
Migrating Workstations and Member Servers ...... 458
Migrating Domain Controllers ...... 461
Completing the Resource Migration ...... 463
Translating Security on Member Servers ...... 463
Decommissioning the Source Resource Domain ...... 464
Additional Resources ...... 465
CHAPTER 11 Restructuring Active Directory Domains Between Forests ...... 467
Overview of Restructuring Active Directory Domains Between Forests ...... 468
Process for Restructuring Active Directory Domains Between Forests .....469
Background Information for Restructuring Active Directory Domains Between Forests ...... 470
Planning to Restructure Active Directory Domains Between Forests ...... 478
Determining Your Account Migration Process ...... 479
Using SID History to Preserve Resource Access ...... 481
Using SID Filtering When Migrating User Accounts ...... 481
Assigning Object Locations and Roles ...... 482
Developing a Test Plan ...... 484
Creating a Rollback Plan ...... 487
Planning for User Profile Migration ...... 488
Establishing Administrative Procedures ...... 489
Creating an End-User Communication Plan ...... 491
Preparing the Source and Target Domains ...... 493
Installing High Encryption Software ...... 494
Establishing Required Trusts ...... 494
Establishing Migration Accounts ...... 494
Configuring the Source and Target Domains for SID History Migration ....497
Configuring the Target Domain OU Structure for Administration ...... 498
Installing ADMT ...... 498
Enabling Password Migration ...... 499
Initializing ADMT ...... 500
Identifying Service Accounts ...... 502
Migrating Accounts ...... 506
Transitioning Service Accounts ...... 507
Migrating Global Groups ...... 511
Migrating Accounts While Using SID History ...... 515
Migrating All User Accounts ...... 518
Remigrating User Accounts and Workstations in Batches ...... 522
Remigrating All Global Groups After All Batches Are Migrated ...... 534
Migrating Accounts Without Using SID History ...... 537
Migrating All User Accounts ...... 539
Translating Security in Add Mode ...... 542
Remigrating User Accounts and Workstations in Batches ...... 544
Remigrating All Global Groups After All Batches Are Migrated ...... 553
Translating Security in Remove Mode ...... 555
Migrating Resources ...... 558
Migrating Workstations and Member Servers ...... 559
Migrating Domain and Shared Local Groups ...... 563
Migrating Domain Controllers ...... 565
Completing the Migration ...... 566
Translating Security on Member Servers ...... 567
Decommissioning the Source Domain ...... 569
