
Active Directory Design



Posted

Hi

At work we thought to build a fresh/new Active Directory with Windows 2003 Enterprise Edition / Exchange 2003 and ISA 2004. But we have the following doubts:

1. How should we architect our Active Directory based on organizational units (need examples and good white papers)?
A) Should AD / OUs be built based on Group Policy?
B) For better job assignment, should one OU be managed by a group of the IT team and other OUs by other technicians?

2. The current distribution list allows a "normal" user to add himself to a group he doesn't belong to. How do we correct this issue in this fresh AD?

3. We have some locations with servers but others don't. Should we create a subnet for each location/IP address range, or just create a subnet where servers exist?

4. How often should sites replicate with each other?

5. Should the router be distributing the DHCP service, or should the server? What is the better choice... and why?

6. In the current network infrastructure, how can I see/do tests so I can be sure which was the first PDC to be built in the current network design?

I hope someone has the patience/courage to help me out on these issues.

Good work week,

Thanks

Ricky

Guest Jorge Silva
Posted

Re: Active Directory Design

 

Hi

Check inline:

> 1. How should we architect our Active Directory based on organizational units (need examples and good white papers)?
> A) Should AD / OUs be built based on Group Policy?

The three main reasons to create OUs are:
- Delegation of control, administering GPOs and hiding objects.
- If you understand this you can answer your own question.

> B) For better job assignment, should one OU be managed by a group of the IT team and other OUs by other technicians?

???
Delegation of control is generally given to security groups, because you only do it one time and then just add the users to that security group.

> 2. The current distribution list allows a "normal" user to add himself to a group he doesn't belong to. How do we correct this issue in this fresh AD?

- To avoid situations like this one, create an OU that holds the security groups, and give access to that OU only to the person or group of users who are allowed to manage these security groups.

> 3. We have some locations with servers but others don't. Should we create a subnet for each location/IP address range, or just create a subnet where servers exist?

- You should create and assign each existing subnet to a given site.
- Sites and subnets play a very important role in user authentication, AD replication, file replication, COs, etc., so make sure that you have everything correctly set up.
- Remember you can't associate a site link with a WAN link; however, you use your network routing configuration to provide the correct information to ADSS. So configure your routers to provide the correct redundancy, by defining the priorities and links to fail over, then go to ADSS and, based on that information, configure your site link cost (when you have multiple site links).

> 4. How often should sites replicate with each other?

- Inter-site replication should occur when your WAN schedule is available; more replications per hour means less replication traffic per hour, so it is up to you to decide what best suits your environment.

> 5. Should the router be distributing the DHCP service, or should the server? What is the better choice... and why?

- The Windows DHCP service suits better with DNS; check:
http://technet2.microsoft.com/windowsserver/en/library/d0e19b57-c368-46c2-b017-caf25ae150ec1033.mspx?mfr=true

> 6. In the current network infrastructure, how can I see/do tests so I can be sure which was the first PDC to be built in the current network design?

There's no PDC and BDC concept in AD. However, there's a PDC emulator that emulates the old PDC for legacy clients; you can find more info about FSMO roles at:
http://support.microsoft.com/kb/223346
http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm

--

I hope that the information above helps you.
Have a nice day.

Jorge Silva
MCSE, MVP Directory Services
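As an added example of the delegation model described above (this is not code from the thread or from either poster): a PowerShell script that grants one security group the right to manage membership of every group under a dedicated "Groups" OU, then audits which principals can actually write the member attribute there, which is the check that would have exposed the "normal user adds himself to a group" problem in the old directory. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later, so newer than the 2003 era of the thread), a domain contoso.local with NetBIOS name CONTOSO, an OU OU=Groups,DC=contoso,DC=local and a delegated group GroupAdmins; all of these names are placeholders.

```powershell
# Added example, not from the thread. Placeholders: contoso.local / CONTOSO, OU=Groups, GroupAdmins.
# Requires the ActiveDirectory module and rights to read and write the OU's security descriptor.
Import-Module ActiveDirectory

$ouDn     = 'OU=Groups,DC=contoso,DC=local'   # assumed OU that holds the delegated security groups
$adminGrp = 'GroupAdmins'                      # assumed group allowed to manage membership
$netbios  = 'CONTOSO'                          # assumed domain NetBIOS name

# Look up the schemaIDGUIDs of the "member" attribute and the "group" class instead of
# hard-coding them; they are what scopes an ACE to one attribute on one object class.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [Guid]$obj.schemaIDGUID
}
$memberGuid = Get-SchemaGuid 'member'
$groupGuid  = Get-SchemaGuid 'group'

# 1. Delegate: allow $GroupName to write "member" on group objects anywhere under the OU.
#    This is the narrow ACE the Delegation of Control wizard would also write.
function Grant-GroupMembershipAdmin {
    param([string]$OuDn, [string]$GroupName)
    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $acl  = Get-Acl -Path "AD:\$OuDn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberGuid,                                                       # only the member attribute
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $groupGuid)                                                        # only on group objects
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# 2. Audit: who can change membership of groups under the OU? An ACE counts if it grants
#    WriteProperty on "member" (or on all properties), or a broad right such as GenericAll,
#    GenericWrite, WriteDacl or WriteOwner, which all imply control over membership.
function Get-GroupMembershipWriters {
    param([string]$OuDn)
    $broad = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner'
    $wp    = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    foreach ($g in Get-ADGroup -Filter * -SearchBase $OuDn) {
        $gAcl = Get-Acl -Path "AD:\$($g.DistinguishedName)"
        foreach ($ace in $gAcl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            $writesMember = (($ace.ActiveDirectoryRights -band $wp) -ne 0) -and
                            ($ace.ObjectType -eq [Guid]::Empty -or $ace.ObjectType -eq $memberGuid)
            $broadRight   = (($ace.ActiveDirectoryRights -band $broad) -ne 0)
            if ($writesMember -or $broadRight) {
                [pscustomobject]@{
                    Group     = $g.Name
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Grant-GroupMembershipAdmin -OuDn $ouDn -GroupName $adminGrp

# Anything not on this expected list is a finding to explain or remove.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$netbios\Domain Admins", "$netbios\Enterprise Admins", "$netbios\$adminGrp")
Get-GroupMembershipWriters -OuDn $ouDn |
    Where-Object { $expected -notcontains $_.Identity } |
    Format-Table -AutoSize
```

Expect BUILTIN\Account Operators to appear in the audit output, because the default security descriptor of the group object class grants that built-in group full control; whether that is acceptable for the delegated OU is a policy decision, but it should be a conscious one. Re-run the audit after any delegation change, since an ACE added directly on one group (not inherited from the OU) is exactly the kind of drift that let users manage groups they should not.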

 


Posted

Re: Active Directory Design

 

 

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message news:%23vxwTW8AIHA.5960@TK2MSFTNGP05.phx.gbl...

> Hi
> Check inline:
>> 1. How should we architect our Active Directory based on organizational units (need examples and good white papers)?
>> A) Should AD / OUs be built based on Group Policy?
>
> The three main reasons to create OUs are:
> - Delegation of control, administering GPOs and hiding objects.
> - If you understand this you can answer your own question.

Question: I did understand your point of view, but what I really need is some white papers or books that could advise me how to build/organize my OU structure based on my company departments/hierarchy (some design structure with drawings).

>> B) For better job assignment, should one OU be managed by a group of the IT team and other OUs by other technicians?
>
> ???
> Delegation of control is generally given to security groups, because you only do it one time and then just add the users to that security group.

>> 2. The current distribution list allows a "normal" user to add himself to a group he doesn't belong to. How do we correct this issue in this fresh AD?
>
> - To avoid situations like this one, create an OU that holds the security groups, and give access to that OU only to the person or group of users who are allowed to manage these security groups.

>> 3. We have some locations with servers but others don't. Should we create a subnet for each location/IP address range, or just create a subnet where servers exist?
>
> - You should create and assign each existing subnet to a given site.
> - Sites and subnets play a very important role in user authentication, AD replication, file replication, COs, etc., so make sure that you have everything correctly set up.
> - Remember you can't associate a site link with a WAN link; however, you use your network routing configuration to provide the correct information to ADSS. So configure your routers to provide the correct redundancy, by defining the priorities and links to fail over, then go to ADSS and, based on that information, configure your site link cost (when you have multiple site links).

>> 4. How often should sites replicate with each other?
>
> - Inter-site replication should occur when your WAN schedule is available; more replications per hour means less replication traffic per hour, so it is up to you to decide what best suits your environment.

Question: I thought the best choice was to schedule replication at lunch or late hours like 1am to 7am, since at this time of the day users aren't working, so the lines have less traffic to handle. Nevertheless, it seems you don't agree, based on your words. What do you think?...

>> 5. Should the router be distributing the DHCP service, or should the server? What is the better choice... and why?
> - The Windows DHCP service suits better with DNS; check:
> http://technet2.microsoft.com/windowsserver/en/library/d0e19b57-c368-46c2-b017-caf25ae150ec1033.mspx?mfr=true

Question: This article is very good and explains very well how the DHCP service interacts with DNS, but what I really need/intend is to know what is the better option/choice when implementing the DHCP service. Does the network behave better if DHCP is distributed by a server or by a router?...

>> 6. In the current network infrastructure, how can I see/do tests so I can be sure which was the first PDC to be built in the current network design?
> There's no PDC and BDC concept in AD. However, there's a PDC emulator that emulates the old PDC for legacy clients; you can find more info about FSMO roles at:
> http://support.microsoft.com/kb/223346
> http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm

Question: After I read these articles I searched on Google, and I understand that the Microsoft® Exchange Server Analyzer Tool is one of the tools that can see if a server is the first of the domain or not. Can you advise or recommend other tool(s) that could be better than this one? (If the Microsoft® Exchange Server Analyzer Tool is correct.)

7. When should we select the global catalog option? Always, or does it depend on the issue we need to apply this option for?

8. Can you advise me any book(s) that could describe all these subjects and much more, so I can learn and become more like you and others who have good knowledge about these issues?...

Thanks for all the help and patience/important knowledge you passed on to me.

[]

Ricky

 


Guest Jorge Silva
Posted

Re: Active Directory Design

 

Inline

> Question: I did understand your point of view, but what I really need is some white papers or books that could advise me how to build/organize my OU structure based on my company departments/hierarchy (some design structure with drawings).

You can start here:
http://www.microsoft.com/technet/community/columns/profwin/pw0302.mspx
http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html

> Question: I thought the best choice was to schedule replication at lunch or late hours like 1am to 7am, since at this time of the day users aren't working, so the lines have less traffic to handle. Nevertheless, it seems you don't agree, based on your words. What do you think?...

Not really, I was just giving you a sample to explain how things could work; however, this depends on your real needs and priorities. In your case, if replication of changes and creation of new objects are less important than WAN traffic, then you should go with that plan and limit the replication to non-business hours.

> Question: This article is very good and explains very well how the DHCP service interacts with DNS, but what I really need/intend is to know what is the better option/choice when implementing the DHCP service. Does the network behave better if DHCP is distributed by a server or by a router?...

The behavior could be good in both cases; however, there is better integration using the MS DHCP server in your environment with DNS.

> Question: After I read these articles I searched on Google, and I understand that the Microsoft® Exchange Server Analyzer Tool is one of the tools that can see if a server is the first of the domain or not. Can you advise or recommend other tool(s) that could be better than this one? (If the Microsoft® Exchange Server Analyzer Tool is correct.)

For AD there are many free and built-in tools, like dsquery, dsmod, dsadd, repadmin, netdiag, replmon, adsiedit, ld, ADModify.net, etc. It depends on your needs; each tool can be used for specific operations. Search on the MS web site for Active Directory Tools.
BPA tools are available for other MS technologies, like ISA, SQL, Exchange... However, for Active Directory I don't know of any BPA.

--

I hope that the information above helps you.
Have a nice day.

Jorge Silva
MCSE, MVP Directory Services
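The site, subnet and site-link advice in the first reply and the non-business-hours replication schedule discussed in this one, as one added PowerShell example (not code from the thread or from either poster). It defines a site and its subnets (including a branch that has no DC), builds a site link with an explicit cost, a 3-hour interval and a 01:00-07:00 daily window, parses the NO_CLIENT_SITE lines a DC writes to netlogon.log to find clients whose addresses match no subnet object, and reads per-partner replication metadata to confirm replication is actually succeeding inside the window. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later) and that the last step runs on a DC; site names HQ and Branch1, the subnets, the link name and the sample log lines are all placeholders or constructed.

```powershell
# Added example, not from the thread. Placeholders: sites HQ and Branch1, subnets
# 10.1.0.0/16 and 10.2.0.0/24, site link HQ-Branch1. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Every routed subnet gets a subnet object tied to a site, including branches without a DC;
#    a client in a subnet that is not defined picks a DC from an arbitrary site.
function Register-SiteAndSubnets {
    param([string]$Site, [string[]]$Subnets)
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$Site'")) {
        New-ADReplicationSite -Name $Site
    }
    foreach ($cidr in $Subnets) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $Site
        }
    }
}

# 2. A site link with an explicit cost (the KCC prefers the lower-cost path when several
#    exist), a replication interval, and a daily window of 01:00-07:00 so inter-site traffic
#    stays off business hours at the price of up to a day of latency for changes.
function Set-NightlySiteLink {
    param([string]$Name, [string[]]$Sites, [int]$Cost, [int]$Minutes)
    $schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
    $schedule.ResetSchedule()     # clear everything, then open only the night window
    $schedule.SetDailySchedule(
        [System.DirectoryServices.ActiveDirectory.HourOfDay]::One,
        [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
        [System.DirectoryServices.ActiveDirectory.HourOfDay]::Seven,
        [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero)
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$Name'")) {
        New-ADReplicationSiteLink -Name $Name -SitesIncluded $Sites -Cost $Cost `
            -ReplicationFrequencyInMinutes $Minutes -InterSiteTransportProtocol IP
    }
    Set-ADReplicationSiteLink -Identity $Name -ReplicationSchedule $schedule
}

# 3. Detection: a DC logs NO_CLIENT_SITE in %SystemRoot%\debug\netlogon.log for every client
#    whose address matches no subnet object. Parse those lines and group them by /24 so the
#    missing subnets can be defined and attached to the right site.
function Get-UnmappedClientSubnets {
    param([string[]]$LogLines)
    $hits = foreach ($line in $LogLines) {
        if ($line -match 'NO_CLIENT_SITE:\s+(\S+)\s+(\d+\.\d+\.\d+)\.\d+') {
            [pscustomobject]@{ Client = $Matches[1]; Prefix24 = "$($Matches[2]).0/24" }
        }
    }
    $hits | Group-Object Prefix24 | ForEach-Object {
        [pscustomobject]@{ Prefix24 = $_.Name; Clients = $_.Count }
    }
}

Register-SiteAndSubnets -Site 'HQ'      -Subnets @('10.1.0.0/16')
Register-SiteAndSubnets -Site 'Branch1' -Subnets @('10.2.0.0/24')   # branch with no DC still gets a site
Set-NightlySiteLink -Name 'HQ-Branch1' -Sites @('HQ', 'Branch1') -Cost 100 -Minutes 180

# Constructed sample lines in the netlogon.log format, standing in for a real file read with
# Get-Content "$env:SystemRoot\debug\netlogon.log" on a DC.
$sampleLog = @(
    '09/12 08:14:02 [MISC] CONTOSO: NO_CLIENT_SITE: WS-LAB01 10.3.5.20',
    '09/12 08:14:09 [MISC] CONTOSO: NO_CLIENT_SITE: WS-LAB02 10.3.5.21',
    '09/12 08:15:40 [MISC] CONTOSO: NO_CLIENT_SITE: LT-SALES7 10.4.1.9'
)
Get-UnmappedClientSubnets -LogLines $sampleLog | Format-Table -AutoSize
# Two prefixes come back: 10.3.5.0/24 with 2 clients and 10.4.1.0/24 with 1 client.

# 4. Confirm inter-site replication actually runs inside the window: per-partner last success
#    and consecutive failures for this DC (assumes the script runs on a domain controller).
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -Scope Server |
    Select-Object Partner, LastReplicationSuccess, ConsecutiveReplicationFailures
```

With a 3-hour interval inside a six-hour window the link replicates at most twice a night, so a password reset or a group change made at 09:00 in HQ is not visible in Branch1 until the next window; that is the trade-off Jorge is pointing at, and the ConsecutiveReplicationFailures column is what tells you whether a window was missed rather than merely slow.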

 


Posted

Re: Active Directory Design

 

 

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message news:eMHofaJBIHA.464@TK2MSFTNGP02.phx.gbl...

> Inline
>> Question: I did understand your point of view, but what I really need is some white papers or books that could advise me how to build/organize my OU structure based on my company departments/hierarchy (some design structure with drawings).
> You can start here:
> http://www.microsoft.com/technet/community/columns/profwin/pw0302.mspx
> http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html

Note: Good links. I've learned a lot. Thanks

>> Question: I thought the best choice was to schedule replication at lunch or late hours like 1am to 7am, since at this time of the day users aren't working, so the lines have less traffic to handle. Nevertheless, it seems you don't agree, based on your words. What do you think?...
>
> Not really, I was just giving you a sample to explain how things could work; however, this depends on your real needs and priorities. In your case, if replication of changes and creation of new objects are less important than WAN traffic, then you should go with that plan and limit the replication to non-business hours.
>
>> Question: This article is very good and explains very well how the DHCP service interacts with DNS, but what I really need/intend is to know what is the better option/choice when implementing the DHCP service. Does the network behave better if DHCP is distributed by a server or by a router?...
>
> The behavior could be good in both cases; however, there is better integration using the MS DHCP server in your environment with DNS.

Question: Can you give/advise URLs/sites (Microsoft, for example) where I can get/read that kind of comparison?

>> Question: After I read these articles I searched on Google, and I understand that the Microsoft® Exchange Server Analyzer Tool is one of the tools that can see if a server is the first of the domain or not. Can you advise or recommend other tool(s) that could be better than this one? (If the Microsoft® Exchange Server Analyzer Tool is correct.)
>
> For AD there are many free and built-in tools, like dsquery, dsmod, dsadd, repadmin, netdiag, replmon, adsiedit, ld, ADModify.net, etc. It depends on your needs; each tool can be used for specific operations. Search on the MS web site for Active Directory Tools.
> BPA tools are available for other MS technologies, like ISA, SQL, Exchange... However, for Active Directory I don't know of any BPA.
> --

I know I've been asking many questions and you, Jorge, have always been giving good help (thanks). I wonder if you don't mind if I ask 2 more questions (I hope not) :) They are:

Another Question A) When should we select the global catalog option? Always, or does it depend on the issue we need to apply this option for (i.e., should it be applied when the sysvol (directory that holds all the AD objects) is intended, so that authentication on that site could be faster)?

Another Question B) Can you advise me any book(s) that could describe all the subjects we have discussed here?

Once again, and it isn't enough to keep saying: Thanks... Thanks... Thanks for all the help/patience.

[]

Ricky

 

 

 

 


Guest Jorge Silva
Posted

Re: Active Directory Design

 

Inline

> Note: Good links. I've learned a lot. Thanks

The pleasure was mine.

> Question: Can you give/advise URLs/sites (Microsoft, for example) where I can get/read that kind of comparison?

For a direct comparison I don't know of any document; however, you can draw your own conclusions based on your experience and the documentation.

http://technet2.microsoft.com/windowsserver/en/library/d0e19b57-c368-46c2-b017-caf25ae150ec1033.mspx?mfr=true

> I know I've been asking many questions and you, Jorge, have always been giving good help (thanks). I wonder if you don't mind if I ask 2 more questions (I hope not) :) They are:

No problem, the pleasure is mine.

> Another Question A) When should we select the global catalog option? Always, or does it depend on the issue we need to apply this option for (i.e., should it be applied when the sysvol (directory that holds all the AD objects) is intended, so that authentication on that site could be faster)?

- I think that you need more reading about GCs. The Sysvol directory doesn't hold all AD objects; you also need to read about Sysvol and what it is used for. You can check the following links:
http://technet2.microsoft.com/windowsserver/en/library/24311c41-d2a1-4e72-a54f-150483fa885a1033.mspx?mfr=true
http://technet2.microsoft.com/windowsserver/en/library/440e44ab-ea05-4bd8-a68c-12cf8fb1af501033.mspx?mfr=true

In my opinion you should have at least 1 GC per site. If you have only one domain in your forest, then the cost of having all DCs = GCs is practically nothing, because by default each DC knows everything about its own domain, so making a DC a GC is just a matter of setting a flag, and it will benefit all apps (like Exchange) and clients that need a GC around. Note: each forest needs at least one GC.
Another thing to keep in mind is related to the Infrastructure Master, and you can check it here:
http://support.microsoft.com/kb/223346

> Another Question B) Can you advise me any book(s) that could describe all the subjects we have discussed here?

MS Press, and:
http://www.amazon.com/gp/product/0321228480/ref=s9_flash_asin_image_10/102-3703184-4972958?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=center-3&pf_rd_r=1HD99RPYVX9SGNTTTBD1&pf_rd_t=101&pf_rd_p=291314201&pf_rd_i=507846
http://www.amazon.com/Active-Directory-3rd-Joe-Richards/dp/0596101732

> Once again, and it isn't enough to keep saying: Thanks... Thanks... Thanks for all the help/patience.

Any time.
Have fun.

--

I hope that the information above helps you.
Have a nice day.

Jorge Silva
MCSE, MVP Directory Services

 

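The answer above states two placement rules that are easier to check than to remember: every site should have a global catalog, and (KB 223346) in a forest with more than one domain the infrastructure master must not be a GC unless every DC in its domain is one. The PowerShell script below is an added example by the editor, not code from the thread. It inventories those two rules and, because the earlier question about "the first PDC" has no answer in AD (the first DC promoted receives all five operations master roles by default, but they may have been moved since), it also prints the current role holders. It assumes a domain-joined machine, a domain account, PowerShell and .NET 2.0 or later (the System.DirectoryServices.ActiveDirectory classes it uses ship with .NET, not with any add-on); the function name Test-GcPlacement and the warning text are the editor's own.

```powershell
# Added example (editor's, not from the thread). Assumes a domain-joined host, a domain
# account, PowerShell and .NET 2.0+. Test-GcPlacement and the warning strings are assumptions.
function Test-GcPlacement {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    # FQDNs of every global catalog in the forest; DC names are FQDNs too, so compare on those.
    $gcNames = @($forest.GlobalCatalogs | ForEach-Object { $_.Name })

    "Forest {0}: {1} domain(s), {2} global catalog(s)" -f `
        $forest.Name, $forest.Domains.Count, $gcNames.Count

    # Current operations master (FSMO) role holders. There is no PDC/BDC in AD:
    # the PDC emulator is simply whichever DC currently holds that role.
    "Schema master:         {0}" -f $forest.SchemaRoleOwner.Name
    "Domain naming master:  {0}" -f $forest.NamingRoleOwner.Name
    "PDC emulator:          {0}" -f $domain.PdcRoleOwner.Name
    "RID master:            {0}" -f $domain.RidRoleOwner.Name
    "Infrastructure master: {0}" -f $domain.InfrastructureRoleOwner.Name

    # One line per DC of the current domain: its site and whether it is a GC.
    $nonGc = @()
    foreach ($dc in $domain.DomainControllers) {
        $isGc = $gcNames -contains $dc.Name
        if (-not $isGc) { $nonGc += $dc.Name }
        "{0,-35} site={1,-20} GC={2}" -f $dc.Name, $dc.SiteName, $isGc
    }

    # Rule 1: at least one GC per site. A site with no DC at all is reported as well,
    # since its clients authenticate across the WAN.
    foreach ($site in $forest.Sites) {
        $siteGcs = @($site.Servers | Where-Object { $gcNames -contains $_.Name })
        if ($siteGcs.Count -eq 0) {
            "WARNING: site {0} has no global catalog" -f $site.Name
        }
    }

    # Rule 2 (KB 223346): with more than one domain, the infrastructure master must not be
    # a GC unless every DC in the domain is a GC; otherwise cross-domain references
    # (for example members from other domains in local groups) are never refreshed.
    $imIsGc = $gcNames -contains $domain.InfrastructureRoleOwner.Name
    if ($forest.Domains.Count -gt 1 -and $imIsGc -and $nonGc.Count -gt 0) {
        "WARNING: infrastructure master {0} is a GC while {1} DC(s) are not; move the role to one of: {2}" -f `
            $domain.InfrastructureRoleOwner.Name, $nonGc.Count, ($nonGc -join ', ')
    }
}

Test-GcPlacement
```

The script only enumerates the domain controllers of the domain the caller belongs to; in a multi-domain forest run it once per domain, or loop over $forest.Domains. In a single-domain forest the second rule never fires, which is exactly the point made above: there, making every DC a GC costs almost nothing.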

Posted

Re: Active Directory Design

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
news:eVzpfCVBIHA.3900@TK2MSFTNGP02.phx.gbl...
> Inline
>
>> Note: Good links. I've learned a lot. Thanks
> The pleasure was mine
>
>> Question: Can you give/advise URLs/sites (Microsoft, for instance) where I can
>> get/read that kind of comparison?
> For a direct comparison I don't know of any document; however, you can draw your
> own conclusions based on your experience and documentation.
>
> http://technet2.microsoft.com/windowsserver/en/library/d0e19b57-c368-46c2-b017-caf25ae150ec1033.mspx?mfr=true
>
>> I know I've been asking many questions and you, Jorge, have always been
>> giving good help (thanks). I wonder if you don't mind if I ask 2 more
>> questions (I hope not) :) They are:
> No problem, the pleasure is mine.
>
>> Another Question A) When should we select the option global catalog?
>> Always, or does it depend
>> on the issue we need to apply this option for (i.e. should it be applied
>> when the intention is for the sysvol (directory that holds all the AD objects) so
>> that the authentication on that site could be faster)?
> - I think that you need more reading about GCs. The Sysvol directory doesn't
> hold all AD objects; you also need to read about Sysvol and what it is used
> for. You can check the following links:
> http://technet2.microsoft.com/windowsserver/en/library/24311c41-d2a1-4e72-a54f-150483fa885a1033.mspx?mfr=true
> http://technet2.microsoft.com/windowsserver/en/library/440e44ab-ea05-4bd8-a68c-12cf8fb1af501033.mspx?mfr=true
Note: As always they were good links/stuff to read :)

> In my opinion you should have at least 1 GC per site. If you have only one
> domain in your forest, then the cost of having all DCs = GCs is
> practically nothing, because by default each DC knows everything about its
> own domain, so making a DC a GC is just a matter of setting a flag and
> will benefit all apps (like Exchange) and clients that need a GC around.
> Note: each forest needs at least one GC.
> Another thing to keep in mind is related to the Infrastructure Master,
> and you can check it here:
> http://support.microsoft.com/kb/223346
Note: Once again I've been learning a lot in the past few days with your
help/advice. I feel I have a private teacher... :)
Question: Still about the GC: we have almost one server per site (location) where
there are a number of users = or > 15 users.
Doubt:
A) Should we keep implementing this kind of topology?
B) Set up the servers with AD and GC or just AD?
C) I don't know if there exists any kind of formula that could help IT System
Administrators calculate/have an idea of when to buy a server to allocate to
sites (locations) based on the number of users? (I've read in the first link
you wrote that they talk about 500 users for a GC, but I didn't understand this
issue very well)
D) Is the GC used more when there exists more than one domain in a forest?

Other Questions (sorry):
A) Where can I see/read what are the best requirements for a server with
Windows 2003+AD
B) Where can I see/read what are the best requirements for a server with
Exchange 2007
By the way, is it better having AD and Exchange on the same server or
distinct servers for a storage solution?
C) How can I monitor AD replication? (just by replmon or repadmin, or does there
exist a better tool(s)?...)
D) At Users and Computers -> Operations Masters -> RID (? what does it stand for) |
PDC (primary domain controller, right?) | Infrastructure (what for?)

After this you're going to deserve heaven... ;)
[]'s to my private teacher. A good example of how a newbie becomes more expert.
Thanks
Ricky

 


Guest Jorge Silva
Posted

Re: Active Directory Design

inline

> Question: Still about the GC: we have almost one server per site (location)
> where there are a number of users = or > 15 users.
> Doubt:
> A) Should we keep implementing this kind of topology?

If you have Exchange or any other app that needs a GC, you probably need a GC;
if you don't, check:

http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/ActiveDirectory/Whentouseandnotuseuniversalgroupmembershipcaching.html

or you can assign the subnets of these remote offices to an existing site
with a DC.

> B) Set up the servers with AD and GC or just AD?

As I told you before, with only 1 domain/forest I think that all DCs could
be GCs without any problems.

> C) I don't know if there exists any kind of formula that could help IT System
> Administrators calculate/have an idea of when to buy a server to allocate to
> sites (locations) based on the number of users? (I've read in the first
> link you wrote that they talk about 500 users for a GC, but I didn't
> understand this issue very well)

There are some tools that do that type of statistics, but in some cases you end
up with servers without a job to do that justifies their investment. As I told
you before, it depends on many other things.

> D) Is the GC used more when there exists more than one domain in a forest?

The GC is always used by apps that need a GC, or by users that do UPN logon,
queries, etc...

In a multiple-domain scenario you have more information replicated to the GC,
because the GC also stores a partial, read-only replica of all other domain
directory partitions in the forest.

The global catalog is a distributed data repository that contains a
searchable, partial representation of every object in every domain in a
multidomain Active Directory forest.

> Other Questions (sorry):
> A) Where can I see/read what are the best requirements for a server with
> Windows 2003+AD

MS Web site.

> B) Where can I see/read what are the best requirements for a server with
> Exchange 2007

MS Web Site.

> By the way, is it better having AD and Exchange on the same server or
> distinct servers for a storage solution?

Keep Exchange away from a DC, meaning that Exchange shouldn't be on the
same server that plays the DC role.

> C) How can I monitor AD replication? (just by replmon or repadmin, or does there
> exist a better tool(s)?...)

These should be enough; repadmin in this case can achieve that job easily
through a simple scheduled batch file.

> D) At Users and Computers -> Operations Masters -> RID (? what does it stand for)
> |
> PDC (primary domain controller, right?) | Infrastructure (what for?)

check

http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm

--

I hope that the information above helps you.

Have a Nice day.

Jorge Silva

MCSE, MVP Directory Services

 

"Ricky" <newsgroupsmail@gmail.com> wrote in message

news:uY163phBIHA.3916@TK2MSFTNGP02.phx.gbl...

>

> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

> news:eVzpfCVBIHA.3900@TK2MSFTNGP02.phx.gbl...

>> Inline

>>

>>> Note: Good links. I've learn a lot. Thanks

>> The pleasure was mine

>>

>>> Question: Can you give/advice url/sites (microsoft for ie) where I can

>>> get/read that kind of comparison?

>> For direct compare I don't know any document; however you can take your

>> own conclusions based on your experience and documentation.

>>

>> http://technet2.microsoft.com/windowsserver/en/library/d0e19b57-c368-46c2-b017-caf25ae150ec1033.mspx?mfr=true

>>

>>> I know I've been asking many question and you Jorge have been always

>>> giving a Good help (thanks). I wonder if you don't mind I ask 2 more

>>> questions (I hope no) :) They are:

>> No problem, the pleasure is mine.

>>

>>> Another Question A) When should we select the option global catalog?

>>> Always or depends

>>> based in the issue we need to apply this option (ie: should be apllied

>>> when is pretended the sysvol (directory that holds all the AD objects)

>>> so the authentication on that site could be faster)?

>> - I think that you need more reading about GCs. Sysvol directory doesn't

>> hold all AD objects, you also need to read about sysvol and what is used

>> for. You can check the following links:

>> http://technet2.microsoft.com/windowsserver/en/library/24311c41-d2a1-4e72-a54f-150483fa885a1033.mspx?mfr=true

>> http://technet2.microsoft.com/windowsserver/en/library/440e44ab-ea05-4bd8-a68c-12cf8fb1af501033.mspx?mfr=true

> Note: As always they were good links/stuff to read :)

>

>

>> In my opinion you should have at least 1 GC per site, if you have only

>> one domain in your forest, then the cost of having all DCs = GCs is

>> practically nothing because by default each DC knows everything about its

>> own domain, so making a DC a GC is just a matter of setting up a flag and

>> will benefit all Apps (like exchange), and clients that needs a GC

>> around. Note: Each Forest needs at least One GC.

>> Another thing to keep in mind is related with the Infrastructure Master

>> and you can chek it here:

>> http://support.microsoft.com/kb/223346

> Note: Once again I've been learning a lot in the past few days with your

> help/advices. I feel I have a private teacher... :)

> Question: Still about GCs, we have almost one server per site (location)

> where there are 15 or more users.

> Doubt:

> A) Should we keep implementing this kind of topology?

> B) Set up the servers with AD and GC or just AD?

> C) I don't know if there is any kind of formula that could help IT system

> administrators calculate/have an idea of when to buy a server to allocate to

> sites (locations) based on the number of users? (I've read in the first

> link you've written that they talk about 500 users for a GC but I didn't

> understand this issue very well)

> D) Is the GC used more when there is more than one domain in a forest?

>

> Other Questions (sorry):

> A) Where can I see/read what are the best requirements for a server with

> Windows 2003+AD

> B) Where can I see/read what are the best requirements for a server with

> Exchange 2007

> By the way, is it better to have AD and Exchange on the same server or on

> separate servers for a storage solution?

> C) How can I monitor AD replication? (just with replmon or repadmin, or do

> better tools exist?...)

> D) At Users and Computers -> Operations Masters -> RID (what does it stand for?)

> | PDC (primary domain controller, right?) | Infrastructure (what for?)

>

> After this you're going to deserve heaven... ;)

> []'s to my private teacher. A good example how a newbie becomes more

> expert.

> Thanks

> Ricky

>

>

>>

>>> Another Question B) Can you advise me any book(s) that could describe

>>> all the subjects we have discussed here?

>> MSPress, and:

>> http://www.amazon.com/gp/product/0321228480/ref=s9_flash_asin_image_10/102-3703184-4972958?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=center-3&pf_rd_r=1HD99RPYVX9SGNTTTBD1&pf_rd_t=101&pf_rd_p=291314201&pf_rd_i=507846

>> http://www.amazon.com/Active-Directory-3rd-Joe-Richards/dp/0596101732

>>

>>> Once again, and it isn't enough to keep saying: Thanks... Thanks... Thanks for

>>> all the help/patience.

>> Any time.

>> Have Fun.

>> --

>>

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

>>

>> "Ricky" <newsgroupsmail@gmail.com> wrote in message

>> news:uYsYTMUBIHA.5196@TK2MSFTNGP02.phx.gbl...


>
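Jorge's two placement rules above, at least one GC per site and (KB 223346) an infrastructure master that is not a GC unless every DC in its domain is one, as an added example that is not from the thread: a Python check over a constructed DC inventory. The domain, site and DC names are hypothetical; in a real forest the inventory would come from `dsquery server -isgc` and `netdom query fsmo`.

```python
"""Global catalog (GC) placement checks for a multi-domain forest.

Added example, not code from the thread. It encodes two rules: every site
that holds a DC should hold a GC, and (Microsoft KB 223346) the
infrastructure master of a domain must not sit on a GC unless every DC in
that domain is a GC, otherwise it never updates cross-domain group members
(phantoms). In a single-domain forest the role has nothing to do, so making
every DC a GC is safe. The DC inventory and role holders are constructed
sample data with hypothetical names.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainController:
    name: str
    domain: str
    site: str
    is_gc: bool


# Constructed sample forest: a root domain and one child domain.
SAMPLE_DCS = [
    DomainController("DC1", "corp.example", "HQ", is_gc=True),
    DomainController("DC2", "corp.example", "HQ", is_gc=False),
    DomainController("DC3", "corp.example", "Branch", is_gc=True),
    DomainController("EMEA-DC1", "emea.corp.example", "Lisbon", is_gc=True),
    DomainController("EMEA-DC2", "emea.corp.example", "Porto", is_gc=False),
]

# Constructed infrastructure master holders, domain -> DC name.
SAMPLE_INFRASTRUCTURE_MASTERS = {
    "corp.example": "DC2",
    "emea.corp.example": "EMEA-DC1",
}


def sites_without_gc(dcs):
    """Sites that contain at least one DC but no GC (sorted site names)."""
    gc_by_site = defaultdict(bool)
    for dc in dcs:
        gc_by_site[dc.site] = gc_by_site[dc.site] or dc.is_gc
    return sorted(site for site, has_gc in gc_by_site.items() if not has_gc)


def infrastructure_master_findings(dcs, infrastructure_masters):
    """Apply the KB 223346 rule; returns (domain, holder, problem) tuples.

    problem is "unknown-holder" when the named holder is not a DC of that
    domain, or "gc-without-all-dcs-gc" when the holder is a GC while other
    DCs in the same domain are not.
    """
    by_domain = defaultdict(list)
    for dc in dcs:
        by_domain[dc.domain].append(dc)
    if len(by_domain) <= 1:
        return []  # single-domain forest: no cross-domain references to fix up
    findings = []
    for domain, holder_name in infrastructure_masters.items():
        members = by_domain.get(domain, [])
        holder = next((dc for dc in members if dc.name == holder_name), None)
        if holder is None:
            findings.append((domain, holder_name, "unknown-holder"))
            continue
        if holder.is_gc and not all(dc.is_gc for dc in members):
            findings.append((domain, holder_name, "gc-without-all-dcs-gc"))
    return findings


def forest_has_gc(dcs):
    """Every forest needs at least one GC, or logons and GC-dependent apps break."""
    return any(dc.is_gc for dc in dcs)


if __name__ == "__main__":
    print("forest has a GC:", forest_has_gc(SAMPLE_DCS))
    print("sites without a GC:", sites_without_gc(SAMPLE_DCS))
    for domain, holder, problem in infrastructure_master_findings(
        SAMPLE_DCS, SAMPLE_INFRASTRUCTURE_MASTERS
    ):
        print(f"{domain}: infrastructure master {holder}: {problem}")
```

Run against the sample data it reports Porto as a site with a DC but no GC, and flags emea.corp.example, whose infrastructure master EMEA-DC1 is a GC while EMEA-DC2 is not; the root domain passes because its holder DC2 is not a GC. Drop the child domain and the function returns nothing, which is the single-domain case where making all DCs GCs costs nothing.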

Posted

Re: Active Directory Design

 

 

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

news:Ot2YKsiBIHA.324@TK2MSFTNGP04.phx.gbl...

> inline

>> Question: Still about GCs, we have almost one server per site (location)

>> where there are 15 or more users.

>> Doubt:

>> A) Should we keep implementing this kind of topology?

> If you have Exchange or any other app that needs a GC you probably need a

> GC; if you don't, check:

> http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/ActiveDirectory/Whentouseandnotuseuniversalgroupmembershipcaching.html

> or you can assign the subnets of these remote offices to an existing Site

> with a DC

Note: A very good URL. I've learned and understand quite well when to use a

GC or not. Thanks

I would like to be like you, since it seems you find the right link quickly.

What's the secret?...

>

>> B) Set up the servers with AD and GC or just AD?

> As I told you before with only 1 domain/forest, I think that all DCs could

> be GCs without any problems.

Question: Depending on the bandwidth available, right?

>

>> C) I don't know if there is any kind of formula that could help IT system

>> administrators calculate/have an idea of when to buy a server to allocate to

>> sites (locations) based on the number of users? (I've read in the first

>> link you've written that they talk about 500 users for a GC but I didn't

>> understand this issue very well)

>

> There are some tools that do that type of statistics, but in some cases you

> end up with servers without a job to do that justifies their investment. As

> I told you before, it depends on many other things.

Question: Nevertheless, can you advise me some tools that do that type of

statistics so I can test them and learn a little more?

>

>> D) Is the GC used more when there is more than one domain in a forest?

>

> The GC is always used by Apps that need a GC, or by users that do UPN

> logon, queries, etc...

>

> In a multiple-domain scenario you have more information replicated to the GC

> because the GC also stores a partial, read-only replica of all other

> domain directory partitions in the forest.

>

> The global catalog is a distributed data repository that contains a

> searchable, partial representation of every object in every domain in a

> multidomain Active Directory forest

>

>

>> Other Questions (sorry):

>> A) Where can I see/read what are the best requirements for a server with

>> Windows 2003+AD

> MS Web site.

Question: You're right, it exists on the Microsoft site

(http://technet.microsoft.com/en-us/windowsserver/bb430827.aspx) but it

doesn't say what RAID to use

>

>> B) Where can I see/read what are the best requirements for a server with

>> Exchange 2007

> MS Web Site.

Question: You're right, it exists on the Microsoft site

(http://technet.microsoft.com/en-us/windowsserver/bb430827.aspx) but it

doesn't say what RAID to use

>

>> By the way, is it better to have AD and Exchange on the same server or on

>> separate servers for a storage solution?

> Keep Exchange away from a DC, meaning that Exchange shouldn't be on the

> same server that plays the DC role.

Question: Nevertheless the DNS and DHCP service should stay at the same

machine that contains AD, right?

 

>

>> C) How can I monitor AD replication? (just with replmon or repadmin, or do

>> better tools exist?...)

> These should be enough; repadmin in this case can achieve that job easily

> through a simple scheduled batch file

Question: Can you send me that batch file, please?

(newsgroupsmail@gmail.com)

 

>

>

>> D) At Users and Computers -> Operations Masters -> RID (what does it stand

>> for?) |

>> PDC (primary domain controller, right?) | Infrastructure (what for?)

> check

>

> http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm

Note: Once more, a good URL so that people like me (newbies) can learn.

Thanks.

 

[]'s

Ricky

>

> --

>

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

>

> "Ricky" <newsgroupsmail@gmail.com> wrote in message

> news:uY163phBIHA.3916@TK2MSFTNGP02.phx.gbl...


>

Guest Jorge Silva
Posted

Re: Active Directory Design

 

Ricky, all the information that you are searching for can be found either in the provided links or in the books that I mentioned. Keep in mind that for each AD environment the configurations may change; first try to understand how things work and how they should be used for each environment.

 

--

 

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

 

"Ricky" <newsgroupsmail@gmail.com> wrote in message

news:urnVu7uBIHA.4568@TK2MSFTNGP02.phx.gbl...


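The scheduled repadmin replication check that Jorge mentions earlier in the thread, written out here as an added example (Jorge's own batch file was never posted; this is not his code). It assumes the Windows Server 2003 SP1 or later repadmin and dsquery tools on the domain controller that runs the task, and a constructed log folder C:\ADReplLogs; it also records the global catalogs and the Infrastructure Master holder, which is the check behind the KB 223346 caveat Jorge linked.

```batch
@echo off
rem Added example, not the batch file Jorge referred to in the thread.
rem Assumptions: repadmin/dsquery from Windows Server 2003 SP1 or later,
rem and C:\ADReplLogs (constructed path) as a folder this DC can write to.
setlocal
set LOGDIR=C:\ADReplLogs
set STAMP=%DATE:/=-%
set LOGFILE=%LOGDIR%\repl %STAMP%.log
set CSVFILE=%LOGDIR%\repl %STAMP%.csv
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

echo === AD replication check, %DATE% %TIME% === > "%LOGFILE%"

rem Which DCs are global catalogs and who holds the Infrastructure Master.
rem KB 223346: the Infrastructure Master must not sit on a GC unless every DC
rem in the domain is a GC, which is the single-domain layout Jorge suggests.
echo --- Global catalog servers in the forest --- >> "%LOGFILE%"
dsquery server -forest -isgc >> "%LOGFILE%" 2>&1
echo --- Infrastructure Master --- >> "%LOGFILE%"
dsquery server -hasfsmo infr >> "%LOGFILE%" 2>&1
echo --- PDC emulator (AD has no PDC/BDC, only this FSMO role) --- >> "%LOGFILE%"
dsquery server -hasfsmo pdc >> "%LOGFILE%" 2>&1

rem Per-DC totals: largest replication delta and fails/total per partner.
echo --- Replication summary --- >> "%LOGFILE%"
repadmin /replsummary >> "%LOGFILE%" 2>&1

rem Only the inbound links that failed, for every DC in the forest (*).
echo --- Failed inbound links --- >> "%LOGFILE%"
repadmin /showrepl * /errorsonly >> "%LOGFILE%" 2>&1

rem The full picture as CSV, one row per partner link, for trending over time.
repadmin /showrepl * /csv > "%CSVFILE%" 2>&1

rem A failed link is reported as "... failed, result <code>". Raise an
rem Application event so the usual event-log monitoring sees it instead of
rem relying on someone opening the log file.
findstr /i /c:"failed" "%LOGFILE%" > nul
if errorlevel 1 (
    eventcreate /T INFORMATION /ID 901 /L APPLICATION /SO ADReplCheck /D "AD replication check OK, see %LOGFILE%" > nul
) else (
    eventcreate /T ERROR /ID 900 /L APPLICATION /SO ADReplCheck /D "AD replication failures found, see %LOGFILE%" > nul
)

rem One-time setup to run this hourly as SYSTEM (path is the constructed one above):
rem   schtasks /create /sc hourly /mo 1 /tn "AD Replication Check" /tr "C:\ADReplLogs\replcheck.cmd" /ru SYSTEM
endlocal
```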
Posted

Re: Active Directory Design

 

Jorge,

I understand you must be tired of telling so many things/answers in these last days. Maybe I'm pushing your patience a little... sorry... but since I have so many doubts about AD stuff and you "offer" availability/likeability I was enthusiastic... I hope you understand it.

But besides, I haven't seen inside the books you've advised me (it seemed to me they were for win2000 and not for win2003); I hope you tell me what tools I should look for to calculate when to put/buy a server for sites (locations) based on the bandwidth available, and send me the batch file that contains the code to use repadmin to achieve the monitoring process for the replication between servers.

I promise after this I will not bother you in the next weeks... ;)
Once again thanks for what I learned with you in the last days, because even though this is a forum you were the only one who worried.
THANKS
[]'s
Ricky

 

 

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

news:eED%23EZ1BIHA.3616@TK2MSFTNGP04.phx.gbl...

> Ricky, all the information that you are searching for can be found either

> on the provided links or in the books that I mentioned, keep in mind that

> for each AD environment the configurations may change, first try to

> understand how things work and how should be used for each environment.

>

> --

>

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

>

> "Ricky" <newsgroupsmail@gmail.com> wrote in message

> news:urnVu7uBIHA.4568@TK2MSFTNGP02.phx.gbl...

>>

>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>> news:Ot2YKsiBIHA.324@TK2MSFTNGP04.phx.gbl...

>>> inline

>>>> Question: Still about GC we have almost one server per site (location)

>>>> where exists a number of users = or > 15 users.

>>>> Doubt:

>>>> A) Should we keep implementing this kind of topology?

>>> If you have exchange or any other app that needs GC you probably need a

>>> GC, if you don't check:

>>> http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/ActiveDirectory/Whentouseandnotuseuniversalgroupmembershipcaching.html

>>> or you can assign these subets for these remote offices a an existing

>>> Site with a DC

>> Note: A very good url. I've learn and understand quite well when to use

>> or not GC. Thanks

>> I would like to be as you once it seems you find the right link quickly.

>> What's the secret?...

>>

>>>

>>>> B) Set up the servers with AD and CG or just AD?

>>> As I told you before with only 1 domain/forest, I think that all DCs

>>> could be GCs without any problems.

>> Question: Depending on the bandwidth available, right?

>>

>>>

>>>> C) I don't know if exists any kind of formula that could help IT System

>>>> Administrators calculating/have an ideia when to buy a ser to alocate

>>>> in sites (locations) based on the number of users? (I've read in the

>>>> first link you've write they talk about 500 users for a GC but I didn't

>>>> understand very well this issue)

>>>

>>> There're some tools that did that type of statistics, but in some cases

>>> end up with servers without job to do that justified their investment.

>>> As I told you bedore depends on many other things.

>> Question: Nevertheless can you advice me some tools that do that type of

>> statistics so I can test them and learn a little more?

>>

>>>

>>>> D) Is the GC more used when exists more than one domain at a forest?

>>>

>>> The GC is always used by Apps that need a GC, or by users that do UPN

>>> logon, queries, etc...

>>>

>>> In multiple domain scenario you have more information replicated to the

>>> GC because the GC also stores a partial, read-only replica of all other

>>> domain directory partitions in the forest.

>>>

>>> The global catalog is a distributed data repository that contains a

>>> searchable, partial representation of every object in every domain in a

>>> multidomain Active Directory forest

>>>

>>>

>>>> Others Questions(sorry):

>>>> A) Where can I see/read what are the best requirements for a server

>>>> with Windows 2003+AD

>>> MS Web site.

>> Question: You're right it exists at microsoft site

>> (http://technet.microsoft.com/en-us/windowsserver/bb430827.aspx) but it

>> doesn't say what raid to use

>>

>>>

>>>> B) Where can I see/read what are the best requirements for a server

>>>> with Exchange 2007

>>> MS Web Site.

>> Question: You're right it exists at microsoft site

>> (http://technet.microsoft.com/en-us/windowsserver/bb430827.aspx) but it

>> doesn't say what raid to use

>>

>>>

>>>> By the way is better having AD and Exchange in the same server or

>>>> distinguish servers for a storage solution?

>>> Keep Exxchange away from a DC, meaning that exchange shouldn't be in the

>>> same server that plays the DC role.

>> Question: Nevertheless the DNS and DHCP service should stay at the same

>> machine that contains AD, right?

>>

>>

>>>

>>>> C) How can I monitor AD replication? (just by replmon or repadmin or it

>>>> exists a better tool(s)?...)

>>> These should be enough; repadmin in this case can achieve that job

>>> easily through a simple scheduled batch file

>> Question: Can you send me that batch file, please?

>> (newsgroupsmail@gmail.com)

>>

>>

>>>

>>>

>>>> D) At users and computers -> operations masters -> RID (? what stands

>>>> for) |

>>>> PDC (primary domain controller right?) | Infrastructure (what for?)

>>> check

>>>

>>> http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm

>> Note: Once more a good advice url so people like me (newbies) can learn.

>> Thanks.

>>

>> []'s

>> Ricky

>>>

>>> --

>>>

>>> I hope that the information above helps you.

>>> Have a Nice day.

>>>

>>> Jorge Silva

>>> MCSE, MVP Directory Services

>>>

>>> "Ricky" <newsgroupsmail@gmail.com> wrote in message

>>> news:uY163phBIHA.3916@TK2MSFTNGP02.phx.gbl...

>>>>

>>>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>>>> news:eVzpfCVBIHA.3900@TK2MSFTNGP02.phx.gbl...

>>>>> Inline

>>>>>

>>>>>> Note: Good links. I've learn a lot. Thanks

>>>>> The pleasure was mine

>>>>>

>>>>>> Question: Can you give/advice url/sites (microsoft for ie) where I

>>>>>> can get/read that kind of comparison?

>>>>> For direct compare I don't know any document; however you can take

>>>>> your own conclusions based on your experience and documentation.

>>>>>

>>>>> http://technet2.microsoft.com/windowsserver/en/library/d0e19b57-c368-46c2-b017-caf25ae150ec1033.mspx?mfr=true

>>>>>

>>>>>> I know I've been asking many question and you Jorge have been always

>>>>>> giving a Good help (thanks). I wonder if you don't mind I ask 2 more

>>>>>> questions (I hope no) :) They are:

>>>>> No problem, the pleasure is mine.

>>>>>

>>>>>> Another Question A) When should we select the option global catalog?

>>>>>> Always or depends

>>>>>> based in the issue we need to apply this option (ie: should be

>>>>>> apllied when is pretended the sysvol (directory that holds all the AD

>>>>>> objects) so the authentication on that site could be faster)?

>>>>> - I think that you need more reading about GCs. Sysvol directory

>>>>> doesn't hold all AD objects, you also need to read about sysvol and

>>>>> what is used for. You can check the following links:

>>>>> http://technet2.microsoft.com/windowsserver/en/library/24311c41-d2a1-4e72-a54f-150483fa885a1033.mspx?mfr=true

>>>>> http://technet2.microsoft.com/windowsserver/en/library/440e44ab-ea05-4bd8-a68c-12cf8fb1af501033.mspx?mfr=true

>>>> Note: As always they were good links/stuff to read :)

>>>>

>>>>

>>>>> In my opinion you should have at least 1 GC per site, if you have only

>>>>> one domain in your forest, then the cost of having all DCs = GCs is

>>>>> practically nothing because by default each DC knows everything about

>>>>> its own domain, so making a DC a GC is just a matter of setting up a

>>>>> flag and will benefit all Apps (like exchange), and clients that needs

>>>>> a GC around. Note: Each Forest needs at least One GC.

>>>>> Another thing to keep in mind is related with the Infrastructure

>>>>> Master and you can chek it here:

>>>>> http://support.microsoft.com/kb/223346

>>>> Note: Once again I've been learning a lot in the past few days with

>>>> your help/advices. I feel I have a private teacher... :)

>>>> Question: Still about GC we have almost one server per site (location)

>>>> where exists a number of users = or > 15 users.

>>>> Doubt:

>>>> A) Should we keep implementing this kind of topology?

>>>> B) Set up the servers with AD and CG or just AD?

>>>> C) I don't know if exists any kind of formula that could help IT System

>>>> Administrators calculating/have an ideia when to buy a ser to alocate

>>>> in sites (locations) based on the number of users? (I've read in the

>>>> first link you've write they talk about 500 users for a GC but I didn't

>>>> understand very well this issue)

>>>> D) Is the GC more used when exists more than one domain at a forest?

>>>>

>>>> Others Questions(sorry):

>>>> A) Where can I see/read what are the best requirements for a server

>>>> with Windows 2003+AD

>>>> B) Where can I see/read what are the best requirements for a server

>>>> with Exchange 2007

>>>> By the way is better having AD and Exchange in the same server or

>>>> distinguish servers for a storage solution?

>>>> C) How can I monitor AD replication? (just by replmon or repadmin or it

>>>> exists a better tool(s)?...)

>>>> D) At users and computers -> operations masters -> RID (? what stands

>>>> for) | PDC (primary domain controller right?) | Infrastructure (what

>>>> for?)

>>>>

>>>> After this you're going to deserve heaven... ;)

>>>> []'s to my private teacher. A good example how a newbie becomes more

>>>> expert.

>>>> Thanks

>>>> Ricky

>>>>

>>>>


>
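A concrete version of the delegation advice given in this thread (put the groups in their own OU, grant rights to a security group rather than to people), written out as an added example; it is not code from Jorge Silva's or Ricky's posts. It assumes the Windows Server 2003 Support Tools (dsacls, dsquery) are on the path, PowerShell 2.0 or later, and the placeholder names corp.example, OU=Groups and CORP\GroupAdmins. The audit step also assumes the text layout of dsacls output ("SPECIAL ACCESS for member" on the principal's line, the access type such as "WRITE PROPERTY" on the lines after it); check that against your own dsacls output before relying on the filter.

```powershell
# Added example, not from the thread. Assumes the Windows Server 2003 Support Tools
# (dsacls, dsquery), PowerShell 2.0+, and these placeholder names: the domain
# corp.example, the OU that holds the groups, and an existing security group
# CORP\GroupAdmins that lives OUTSIDE that OU (so its own membership is not delegated).
$groupsOU    = 'OU=Groups,DC=corp,DC=example'
$groupAdmins = 'CORP\GroupAdmins'

# 1. GroupAdmins may create and delete group objects in the OU and its child OUs.
#    /I:T = this object and sub-objects; CCDC;group = create/delete children of class group.
dsacls $groupsOU /I:T /G "${groupAdmins}:CCDC;group"

# 2. GroupAdmins may write the 'member' attribute of every group object under the OU,
#    present or future. /I:S = inherit to sub-objects only; WP;member;group = write
#    property 'member' on objects of class group. No other attribute or class is granted.
dsacls $groupsOU /I:S /G "${groupAdmins}:WP;member;group"

# 3. Audit: for every group under the OU, print the ACEs that touch 'member' and are
#    held by anyone other than GroupAdmins. Everyone, Authenticated Users or
#    NT AUTHORITY\SELF with WRITE PROPERTY here is what lets a "normal" user add himself.
#    Assumes dsacls prints "... SPECIAL ACCESS for member" on the principal's line and
#    the access types (READ PROPERTY / WRITE PROPERTY) on the following lines.
dsquery group $groupsOU -limit 0 | ForEach-Object {
    $dn = $_.Trim('"')                      # dsquery emits each DN wrapped in quotes
    dsacls $dn | Select-String -Pattern 'for member' -Context 0,2 | ForEach-Object {
        $who  = $_.Line.Trim()
        $what = ($_.Context.PostContext -join ' ').Trim()
        if ($who -notmatch [regex]::Escape($groupAdmins)) {
            "{0}`n   {1}  {2}" -f $dn, $who, $what
        }
    }
}
```

Step 3 is what answers question 2 of the thread: if the listing shows Everyone, Authenticated Users or NT AUTHORITY\SELF with WRITE PROPERTY on member for some group, that ACE is the reason users can add themselves, and it has to be removed from that object (dsacls /R removes every ACE the named principal holds on the object, so re-run the audit afterwards) rather than only moving the group into a new OU.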
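The repadmin-based replication check that Jorge Silva says a scheduled batch file can do, written out as an added example; it is not the batch file Ricky asked for and not code from the thread. It assumes a repadmin build with the /csv switch (Windows Server 2003 SP1 Support Tools or later), PowerShell 2.0 or later, and that the column names and the date format used below are the ones repadmin /showrepl /csv prints. The two data rows are constructed for this example and do not describe any real forest; the -Now parameter exists only so the sample can be evaluated against a fixed clock.

```powershell
# Added example; not the batch file discussed in the thread. Assumes repadmin with /csv
# (Windows Server 2003 SP1 Support Tools or later) and PowerShell 2.0+.

function Get-ReplicationProblems {
    # Returns one object per replication link that has failures, a non-zero last failure
    # status, or no successful replication within $MaxHoursSinceSuccess hours.
    param(
        [Parameter(Mandatory = $true)] $Rows,       # objects from ConvertFrom-Csv / Import-Csv
        [datetime] $Now = (Get-Date),               # injectable clock, used by the sample below
        [int] $MaxHoursSinceSuccess = 24
    )
    foreach ($r in $Rows) {
        $failures = [int]$r.'Number of Failures'
        $status   = [int]$r.'Last Failure Status'
        $lastOk   = $null
        # Assumed format of 'Last Success Time'; anything unparsable ("0", blank) = never.
        try { $lastOk = [datetime]::ParseExact($r.'Last Success Time', 'yyyy-MM-dd HH:mm:ss', $null) } catch { }
        $stale = ($null -eq $lastOk) -or (($Now - $lastOk).TotalHours -gt $MaxHoursSinceSuccess)
        if ($failures -gt 0 -or $status -ne 0 -or $stale) {
            New-Object PSObject -Property @{
                Destination = $r.'Destination DSA'
                Source      = $r.'Source DSA'
                Partition   = $r.'Naming Context'
                Failures    = $failures
                Status      = $status            # Win32 error, e.g. 1722 = RPC server unavailable
                LastSuccess = $r.'Last Success Time'
                Stale       = $stale
            }
        }
    }
}

# Constructed sample in the shape of 'repadmin /showrepl * /csv' output: the header row
# plus two inbound links for DC1, one healthy (from DC2) and one failing (from DC3).
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=corp,DC=example",Branch,DC2,RPC,0,0,2007-10-15 08:05:11,0
showrepl_INFO,HQ,DC1,"DC=corp,DC=example",Branch,DC3,RPC,12,2007-10-15 07:50:00,2007-10-12 22:10:41,1722
'@

$problems = Get-ReplicationProblems -Rows ($sample | ConvertFrom-Csv) -Now ([datetime]'2007-10-15 09:00:00')
$problems | Format-Table Destination, Source, Partition, Failures, Status, LastSuccess, Stale -AutoSize

# In production, run from a scheduled task on one DC and log or mail $problems:
#   $problems = Get-ReplicationProblems -Rows (repadmin /showrepl * /csv | ConvertFrom-Csv)
```

With the sample rows above only the DC1/DC3 link is reported (12 failures, status 1722, last success more than 24 hours before the injected clock); the DC2 link is silent. Run unattended, the script gives the per-link failure count and the age of the last success, which is what a replication monitor needs to alert on, without anyone having to open replmon.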

Guest Jorge Silva
Posted

Re: Active Directory Design

 

Hi Ricky, once again, search for sample scripts and batch files at the

links provided before; also have a look at the MS Script Center.

 

--

 

I hope that the information above helps you.

Have a Nice day.

 

Jorge Silva

MCSE, MVP Directory Services

 

"Ricky" <newsgroupsmail@gmail.com> wrote in message

news:eQATr3CCIHA.3900@TK2MSFTNGP02.phx.gbl...

> Jorge,

>

> I understand you must be tired of telling so many things/answers in these

> last days. Maybe I'm pushing your patience a little... sorry... but once I

> have so many doubts about AD stuff and you "offer" availability/likeable

> I was enthusiastic... I hope you understand it.

>

> But besides, I haven't seen inside the books (it seemed to me they were for

> win2000 and not for win2003) you've advised me, I hope you tell me what

> tools I should look for to calculate when to put/buy a server for

> sites (locations) based on the bandwidth available, and send me the batch

> file that contains the code to use repadmin to achieve the monitoring

> process for the replication between servers.

>

> I promise after this I will not go bother you in the next weeks... ;)

> Once again thanks for what I learned with you in the last days because

> besides this is a forum you were the only one who cared.

> THANKS

> []'s

> Ricky

>

>

> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

> news:eED%23EZ1BIHA.3616@TK2MSFTNGP04.phx.gbl...

>> Ricky, all the information that you are searching for can be found either

>> on the provided links or in the books that I mentioned, keep in mind that

>> for each AD environment the configurations may change, first try to

>> understand how things work and how should be used for each environment.

>>

>> --

>>

>> I hope that the information above helps you.

>> Have a Nice day.

>>

>> Jorge Silva

>> MCSE, MVP Directory Services

>>

>> "Ricky" <newsgroupsmail@gmail.com> wrote in message

>> news:urnVu7uBIHA.4568@TK2MSFTNGP02.phx.gbl...

>>>

>>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>>> news:Ot2YKsiBIHA.324@TK2MSFTNGP04.phx.gbl...

>>>> inline

>>>>> Question: Still about GC we have almost one server per site (location)

>>>>> where there are 15 or more users.

>>>>> Doubt:

>>>>> A) Should we keep implementing this kind of topology?

>>>> If you have exchange or any other app that needs GC you probably need a

>>>> GC, if you don't check:

>>>> http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/ActiveDirectory/Whentouseandnotuseuniversalgroupmembershipcaching.html

>>>> or you can assign the subnets of these remote offices to an existing

>>>> Site with a DC

>>> Note: A very good URL. I've learned and understand quite well when to use

>>> a GC or not. Thanks

>>> I would like to be like you, since it seems you find the right link quickly.

>>> What's the secret?...

>>>

>>>>

>>>>> B) Set up the servers with AD and GC or just AD?

>>>> As I told you before with only 1 domain/forest, I think that all DCs

>>>> could be GCs without any problems.

>>> Question: Depending on the bandwidth available, right?

>>>

>>>>

>>>>> C) I don't know if there exists any kind of formula that could help IT

>>>>> System Administrators calculate/have an idea when to buy a server to

>>>>> allocate in sites (locations) based on the number of users? (I've read

>>>>> in the first link you wrote they talk about 500 users for a GC but

>>>>> I didn't understand very well this issue)

>>>>

>>>> There are some tools that do that type of statistics, but in some cases

>>>> you end up with servers without a job to do that justifies their investment.

>>>> As I told you before, it depends on many other things.

>>> Question: Nevertheless can you advice me some tools that do that type of

>>> statistics so I can test them and learn a little more?

>>>

>>>>

>>>>> D) Is the GC more used when exists more than one domain at a forest?

>>>>

>>>> The GC is always used by Apps that need a GC, or by users that do UPN

>>>> logon, queries, etc...

>>>>

>>>> In multiple domain scenario you have more information replicated to the

>>>> GC because the GC also stores a partial, read-only replica of all other

>>>> domain directory partitions in the forest.

>>>>

>>>> The global catalog is a distributed data repository that contains a

>>>> searchable, partial representation of every object in every domain in a

>>>> multidomain Active Directory forest

>>>>

>>>>

>>>>> Others Questions(sorry):

>>>>> A) Where can I see/read what are the best requirements for a server

>>>>> with Windows 2003+AD

>>>> MS Web site.

>>> Question: You're right it exists at microsoft site

>>> (http://technet.microsoft.com/en-us/windowsserver/bb430827.aspx) but it

>>> doesn't say what RAID to use

>>>

>>>>

>>>>> B) Where can I see/read what are the best requirements for a server

>>>>> with Exchange 2007

>>>> MS Web Site.

>>> Question: You're right it exists at microsoft site

>>> (http://technet.microsoft.com/en-us/windowsserver/bb430827.aspx) but it

>>> doesn't say what RAID to use

>>>

>>>>

>>>>> By the way is better having AD and Exchange in the same server or

>>>>> distinguish servers for a storage solution?

>>>> Keep Exchange away from a DC, meaning that Exchange shouldn't be in

>>>> the same server that plays the DC role.

>>> Question: Nevertheless the DNS and DHCP service should stay at the same

>>> machine that contains AD, right?

>>>

>>>

>>>>

>>>>> C) How can I monitor AD replication? (just by replmon or repadmin or

>>>>> it exists a better tool(s)?...)

>>>> These should be enough; repadmin in this case can achieve that job

>>>> easily through a simple scheduled batch file

>>> Question: Can you send me that batch file, please?

>>> (newsgroupsmail@gmail.com)

>>>

>>>

>>>>

>>>>

>>>>> D) At users and computers -> operations masters -> RID (? what stands

>>>>> for) |

>>>>> PDC (primary domain controller right?) | Infrastructure (what for?)

>>>> check

>>>>

>>>> http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm

>>> Note: Once more a good advice url so people like me (newbies) can learn.

>>> Thanks.

>>>

>>> []'s

>>> Ricky

>>>>

>>>> --

>>>>

>>>> I hope that the information above helps you.

>>>> Have a Nice day.

>>>>

>>>> Jorge Silva

>>>> MCSE, MVP Directory Services

>>>>

>>>> "Ricky" <newsgroupsmail@gmail.com> wrote in message

>>>> news:uY163phBIHA.3916@TK2MSFTNGP02.phx.gbl...

>>>>>

>>>>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>>>>> news:eVzpfCVBIHA.3900@TK2MSFTNGP02.phx.gbl...

>>>>>> Inline

>>>>>>

>>>>>>> Note: Good links. I've learn a lot. Thanks

>>>>>> The pleasure was mine

>>>>>>

>>>>>>> Question: Can you give/advise URLs/sites (Microsoft for instance) where I

>>>>>>> can get/read that kind of comparison?

>>>>>> For direct compare I don't know any document; however you can take

>>>>>> your own conclusions based on your experience and documentation.

>>>>>>

>>>>>> http://technet2.microsoft.com/windowsserver/en/library/d0e19b57-c368-46c2-b017-caf25ae150ec1033.mspx?mfr=true

>>>>>>

>>>>>>> I know I've been asking many question and you Jorge have been always

>>>>>>> giving a Good help (thanks). I wonder if you don't mind I ask 2 more

>>>>>>> questions (I hope no) :) They are:

>>>>>> No problem, the pleasure is mine.

>>>>>>

>>>>>>> Another Question A) When should we select the option global catalog?

>>>>>>> Always or depends

>>>>>>> based on the issue we need to apply this option (i.e.: should it be

>>>>>>> applied when the sysvol (directory that holds all the AD objects) is

>>>>>>> intended, so the authentication on that site could be faster)?

>>>>>> - I think that you need more reading about GCs. Sysvol directory

>>>>>> doesn't hold all AD objects, you also need to read about sysvol and

>>>>>> what is used for. You can check the following links:

>>>>>> http://technet2.microsoft.com/windowsserver/en/library/24311c41-d2a1-4e72-a54f-150483fa885a1033.mspx?mfr=true

>>>>>> http://technet2.microsoft.com/windowsserver/en/library/440e44ab-ea05-4bd8-a68c-12cf8fb1af501033.mspx?mfr=true

>>>>> Note: As always they were good links/stuff to read :)

>>>>>

>>>>>

>>>>>> In my opinion you should have at least 1 GC per site, if you have

>>>>>> only one domain in your forest, then the cost of having all DCs = GCs

>>>>>> is practically nothing because by default each DC knows everything

>>>>>> about its own domain, so making a DC a GC is just a matter of setting

>>>>>> up a flag and will benefit all Apps (like exchange), and clients that

>>>>>> needs a GC around. Note: Each Forest needs at least One GC.

>>>>>> Another thing to keep in mind is related with the Infrastructure

>>>>>> Master and you can check it here:

>>>>>> http://support.microsoft.com/kb/223346

>>>>> Note: Once again I've been learning a lot in the past few days with

>>>>> your help/advices. I feel I have a private teacher... :)

>>>>> Question: Still about GC we have almost one server per site (location)

>>>>> where there are 15 or more users.

>>>>> Doubt:

>>>>> A) Should we keep implementing this kind of topology?

>>>>> B) Set up the servers with AD and GC or just AD?

>>>>> C) I don't know if there exists any kind of formula that could help IT

>>>>> System Administrators calculate/have an idea when to buy a server to

>>>>> allocate in sites (locations) based on the number of users? (I've read

>>>>> in the first link you wrote they talk about 500 users for a GC but

>>>>> I didn't understand very well this issue)

>>>>> D) Is the GC more used when exists more than one domain at a forest?

>>>>>

>>>>> Other Questions (sorry):

>>>>> A) Where can I see/read what are the best requirements for a server

>>>>> with Windows 2003+AD

>>>>> B) Where can I see/read what are the best requirements for a server

>>>>> with Exchange 2007

>>>>> By the way is better having AD and Exchange in the same server or

>>>>> distinguish servers for a storage solution?

>>>>> C) How can I monitor AD replication? (just by replmon or repadmin, or

>>>>> does a better tool exist?...)

>>>>> D) At users and computers -> operations masters -> RID (? what stands

>>>>> for) | PDC (primary domain controller right?) | Infrastructure (what

>>>>> for?)

>>>>>

>>>>> After this you're going to deserve heaven... ;)

>>>>> []'s to my private teacher. A good example of how a newbie becomes more

>>>>> expert.

>>>>> Thanks

>>>>> Ricky

>>>>>

>>>>>

>>>>>>

>>>>>>> Another Question B) Can you advise me any book(s) that could

>>>>>>> describe all the subjects we have discuss here?

>>>>>> MSPress, and:

>>>>>> http://www.amazon.com/gp/product/0321228480/ref=s9_flash_asin_image_10/102-3703184-4972958?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=center-3&pf_rd_r=1HD99RPYVX9SGNTTTBD1&pf_rd_t=101&pf_rd_p=291314201&pf_rd_i=507846

>>>>>> http://www.amazon.com/Active-Directory-3rd-Joe-Richards/dp/0596101732

>>>>>>

>>>>>>> Once again and it isn't enough to keep saying: Thanks... Thanks... Thanks

>>>>>>> for all the help/patience.

>>>>>> Any time.

>>>>>> Have Fun.

>>>>>> --

>>>>>>

>>>>>> I hope that the information above helps you.

>>>>>> Have a Nice day.

>>>>>>

>>>>>> Jorge Silva

>>>>>> MCSE, MVP Directory Services

>>>>>>

>>>>>> "Ricky" <newsgroupsmail@gmail.com> wrote in message

>>>>>> news:uYsYTMUBIHA.5196@TK2MSFTNGP02.phx.gbl...

>>>>>>>

>>>>>>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>>>>>>> news:eMHofaJBIHA.464@TK2MSFTNGP02.phx.gbl...

>>>>>>>> Inline

>>>>>>>>> Question: I did understand your point of view but what I really

>>>>>>>>> need is some white papers or books that could advise me how to

>>>>>>>>> build/organize my OU structure based on my company

>>>>>>>>> departments/hierarchy (some design structure with drawings)

>>>>>>>> You can start here.

>>>>>>>> http://www.microsoft.com/technet/community/columns/profwin/pw0302.mspx

>>>>>>>> http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html

>>>>>>> Note: Good links. I've learn a lot. Thanks

>>>>>>>

>>>>>>>

>>>>>>>>> Question: I thought the best choice was to schedule

>>>>>>>>> replication at lunch or late hours like 1am to 7am since at this

>>>>>>>>> time of the day users aren't working so the lines have less

>>>>>>>>> traffic to handle. Nevertheless it seems you don't agree based in

>>>>>>>>> your words. What do you think?...

>>>>>>>>

>>>>>>>> Not really, I was just giving you a sample to explain how things

>>>>>>>> could work, however this depends on your real needs and priorities,

>>>>>>>> in your case if replication of changes and creation of new objects

>>>>>>>> are less important than WAN traffic then you should go with that

>>>>>>>> plan and limit the replication to non-business hours.

>>>>>>>>

>>>>>>>>> Question: This article is very good and explains very well how the

>>>>>>>>> DHCP service interacts with DNS but what I really need/intend is

>>>>>>>>> to know what is the better option/choice when implementing the

>>>>>>>>> DHCP service. Does the network behave better if the DHCP is

>>>>>>>>> distributed by a server or by a router?...

>>>>>>>>

>>>>>>>> The behavior could be good in both cases, however there is a better

>>>>>>>> integration using MS DHCP server in your environment with DNS.

>>>>>>> Question: Can you give/advise URLs/sites (Microsoft for instance) where I

>>>>>>> can get/read that kind of comparison?

>>>>>>>

>>>>>>>>

>>>>>>>>> Question: After I read these articles I've searched on Google and I

>>>>>>>>> understood that Microsoft® Exchange Server Analyzer Tool is one of

>>>>>>>>> the tools that can see if a server is the first of the domain or

>>>>>>>>> not. Can you advise or recommend other tool(s) that could be better

>>>>>>>>> than this one? (If Microsoft® Exchange Server Analyzer Tool is

>>>>>>>>> correct)

>>>>>>>>

>>>>>>>> For AD there are many free and built-in tools, like dsquery, dsmod,

>>>>>>>> dsadd, repadmin, netdiag, replmon, adsiedit, ld, ADModify.net,

>>>>>>>> etc... it depends on your needs, each tool can be used for specific

>>>>>>>> operations, search on the MS web site for Active Directory Tools.

>>>>>>>> BPA Tools are available for other MS technologies, like ISA, SQL,

>>>>>>>> Exchange... However for Active Directory I don't know any BPA.

>>>>>>>> --

>>>>>>> I know I've been asking many question and you Jorge have been always

>>>>>>> giving a Good help (thanks). I wonder if you don't mind I ask 2 more

>>>>>>> questions (I hope no) :) They are:

>>>>>>>

>>>>>>> Another Question A) When should we select the option global catalog?

>>>>>>> Always or depends

>>>>>>> based on the issue we need to apply this option (i.e.: should it be

>>>>>>> applied when the sysvol (directory that holds all the AD objects) is

>>>>>>> intended, so the authentication on that site could be faster)?

>>>>>>>

>>>>>>> Another Question B) Can you advise me any book(s) that could

>>>>>>> describe all the subjects we have discuss here?

>>>>>>>

>>>>>>> Once again and it isn't enough to keep saying: Thanks... Thanks... Thanks

>>>>>>> for all the help/patience.

>>>>>>> []

>>>>>>> Ricky

>>>>>>>

>>>>>>>

>>>>>>>

>>>>>>>

>>>>>>>

>>>>>>>>

>>>>>>>> I hope that the information above helps you.

>>>>>>>> Have a Nice day.

>>>>>>>>

>>>>>>>> Jorge Silva

>>>>>>>> MCSE, MVP Directory Services

>>>>>>>>

>>>>>>>> "Ricky" <newsgroupsmail@gmail.com> wrote in message

>>>>>>>> news:%23dEmJgIBIHA.748@TK2MSFTNGP04.phx.gbl...

>>>>>>>>>

>>>>>>>>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>>>>>>>>> news:%23vxwTW8AIHA.5960@TK2MSFTNGP05.phx.gbl...

>>>>>>>>>> Hi

>>>>>>>>>> Check inline:

>>>>>>>>>>> 1. How should we architect our active directory based on

>>>>>>>>>>> organizational units (need examples and good white papers)

>>>>>>>>>>> A) Should AD / OU be built based on group policy?

>>>>>>>>>>

>>>>>>>>>> The three main reasons to create OUs are:

>>>>>>>>>> -Delegation of control, administer GPO and to hide objects.

>>>>>>>>>> -If you understand this you can answer to your own question.

>>>>>>>>> Question: I did understand your point of view but what I really

>>>>>>>>> need is some white papers or books that could advise me how to

>>>>>>>>> build/organize my OU structure based on my company

>>>>>>>>> departments/hierarchy (some design structure with drawings)

>>>>>>>>>>

>>>>>>>>>>> B) For better job assignment should the OU be managed by a group

>>>>>>>>>>> of the IT team and other OUs by other technicians?

>>>>>>>>>>

>>>>>>>>>> ???

>>>>>>>>>> Delegation of control is generally given to Security Groups,

>>>>>>>>>> because you only do it one time and then just add the users to

>>>>>>>>>> that security group.

>>>>>>>>>>

>>>>>>>>>>> 2. The actual distribution list allows a "normal" user to add

>>>>>>>>>>> himself to a group or to another group that he doesn't belong to. How to

>>>>>>>>>>> correct this issue in this fresh AD?

>>>>>>>>>>

>>>>>>>>>> - To avoid situations like this one, create an OU that has the

>>>>>>>>>> security groups, and give access to that OU only to the person or

>>>>>>>>>> group of users that are allowed to manage these security groups.

>>>>>>>>>>

>>>>>>>>>>> 3. We have some locations with servers but other don't. Should

>>>>>>>>>>> we create a subnet for each location/ip address or just create a

>>>>>>>>>>> subnet where exists servers?

>>>>>>>>>>

>>>>>>>>>> - You should create and assign each existing subnet to a given

>>>>>>>>>> site.

>>>>>>>>>> - Sites and subnets play a very important role in user

>>>>>>>>>> authentication, AD replication, File replication, COs, etc... So

>>>>>>>>>> make sure that you've everything correctly setup.

>>>>>>>>>> - Remember you can't associate a site link with a WAN link;

>>>>>>>>>> however you use your network routing configuration to provide the

>>>>>>>>>> correct information to ADSS. So configure your routers to provide

>>>>>>>>>> the correct redundancy, by defining the priorities and links to

>>>>>>>>>> failover, then go to ADSS and based on that information configure

>>>>>>>>>> your site link cost (when you have multiple site links).

>>>>>>>>>>

>>>>>>>>>>> 4. How often should sites replicate with each other?

>>>>>>>>>>

>>>>>>>>>> - Inter-site replication should occur when your WAN schedule is

>>>>>>>>>> available, more replications per hour means less replication

>>>>>>>>>> traffic per hour, so is up to you to decide what best suits in

>>>>>>>>>> your environment.

>>>>>>>>> Question: I thought the best choice was to schedule

>>>>>>>>> replication at lunch or late hours like 1am to 7am since at this

>>>>>>>>> time of the day users aren't working so the lines have less

>>>>>>>>> traffic to handle. Nevertheless it seems you don't agree based in

>>>>>>>>> your words. What do you think?...

>>>>>>>>>>

>>>>>>>>>>> 5. Should the router be distributing the DHCP service or should

>>>>>>>>>>> it be the server? What is the better choice?... and why.

>>>>>>>>>> - Windows DHCP service suits better with DNS, check:

>>>>>>>>>> http://technet2.microsoft.com/windowsserver/en/library/d0e19b57-c368-46c2-b017-caf25ae150ec1033.mspx?mfr=true

>>>>>>>>> Question: This article is very good and explains very well how the

>>>>>>>>> DHCP service interacts with DNS but what I really need/intend is

>>>>>>>>> to know what is the better option/choice when implementing the

>>>>>>>>> DHCP service. Does the network behave better if the DHCP is

>>>>>>>>> distributed by a server or by a router?...

>>>>>>>>>

>>>>>>>>>>> 6. In the actual network infrastructure how can I see/do tests

>>>>>>>>>>> so I can be sure what was the first PDC to be built in the

>>>>>>>>>>> actual network design?

>>>>>>>>>> There's no PDC and BDC concept in AD. However there's a

>>>>>>>>>> PDC emulator that emulates the old PDC for legacy clients, you can

>>>>>>>>>> find more info about FSMO roles at:

>>>>>>>>>> http://support.microsoft.com/kb/223346

>>>>>>>>>> http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm

>>>>>>>>> Question: After I read these articles I've searched on Google and I

>>>>>>>>> understood that Microsoft® Exchange Server Analyzer Tool is one of

>>>>>>>>> the tools that can see if a server is the first of the domain or

>>>>>>>>> not. Can you advise or recommend other tool(s) that could be better

>>>>>>>>> than this one? (If Microsoft® Exchange Server Analyzer Tool is

>>>>>>>>> correct)

>>>>>>>>>

>>>>>>>>> 7. When should we select the option global catalog? Always or

>>>>>>>>> depends based in the issue we need to apply this option?

>>>>>>>>>

>>>>>>>>> 8. Can you advise me any book(s) that could describe all these

>>>>>>>>> subjects and much more so I can learn and become more like you and

>>>>>>>>> others who have good knowledge about these issues?...

>>>>>>>>>

>>>>>>>>> Thanks for all the help and patience/important knowledge you

>>>>>>>>> passed on to me.

>>>>>>>>> []

>>>>>>>>> Ricky

>>>>>>>>>

>>>>>>>>>

>>>>>>>>>> I hope that the information above helps you.

>>>>>>>>>> Have a Nice day.

>>>>>>>>>>

>>>>>>>>>> Jorge Silva

>>>>>>>>>> MCSE, MVP Directory Services

>>>>>>>>>>

>>>>>>>>>> "Ricky" <newsgroupsmail@gmail.com> wrote in message

>>>>>>>>>> news:O4JOj77AIHA.3900@TK2MSFTNGP02.phx.gbl...

>>>>>>>>>>> Hi

>>>>>>>>>>>

>>>>>>>>>>> At work we are thinking of building a fresh/new Active Directory with

>>>>>>>>>>> Windows 2003 Enterprise Edition / Exchange 2003 and ISA 2004. But

>>>>>>>>>>> we have the following doubts:

>>>>>>>>>>>

>>>>>>>>>>> 1. How should we architect our Active Directory based on

>>>>>>>>>>> organizational units? (need examples and good white papers)

>>>>>>>>>>> A) Should AD / OUs be built based on Group Policy?

>>>>>>>>>>> B) For better job assignment, should one OU be managed by a group

>>>>>>>>>>> of the IT team and other OUs by other technicians?

>>>>>>>>>>>

>>>>>>>>>>> 2. The actual distribution list allows a "normal" user to add

>>>>>>>>>>> himself to a group, or to another group, that he doesn't belong to. How do

>>>>>>>>>>> we correct this issue in this fresh AD?

>>>>>>>>>>>

>>>>>>>>>>> 3. We have some locations with servers but others don't. Should

>>>>>>>>>>> we create a subnet for each location/IP address, or just create a

>>>>>>>>>>> subnet where servers exist?

>>>>>>>>>>>

>>>>>>>>>>> 4. How often should sites replicate with each other?

>>>>>>>>>>>

>>>>>>>>>>> 5. Should the router be distributing the DHCP service, or should

>>>>>>>>>>> the server? Which is the better choice?... and why.

>>>>>>>>>>>

>>>>>>>>>>> 6. In the actual network infrastructure, how can I see/do tests

>>>>>>>>>>> so I can be sure which was the first PDC to be built in the

>>>>>>>>>>> actual network design?

>>>>>>>>>>>

>>>>>>>>>>> I hope someone has the patience/courage to help me out on these

>>>>>>>>>>> issues.

>>>>>>>>>>> Have a good work week,

>>>>>>>>>>> Thanks

>>>>>>>>>>> Ricky

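The thread's question 6 (which DC was the first one built) and question 7 (which DCs should be global catalogs) can both be answered from the directory itself. The following PowerShell script is an added example, not code posted by Jorge or Ricky. It uses only the .NET System.DirectoryServices classes, so it works against Windows Server 2003 domain controllers from PowerShell 1.0/2.0 without the later ActiveDirectory module, and it assumes it runs on a domain-joined machine as a user who can read the directory. It prints the five FSMO role holders, each DC's site and GC flag, and the DC computer accounts ordered by their replicated whenCreated attribute; the userAccountControl filter (bit 8192, SERVER_TRUST_ACCOUNT, tested with the 1.2.840.113556.1.4.803 bitwise-AND matching rule) is what selects DC accounts.

```powershell
# Added example (not code from the thread). Answers "which DC was built first?"
# and "which DCs are GCs?" from the directory itself. Uses only .NET
# System.DirectoryServices, so it works against Windows Server 2003 DCs from
# PowerShell 1.0/2.0 without the later ActiveDirectory module.
# Assumption: run on a domain-joined machine as a user who can read the directory.

[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# The five FSMO roles (same data as "netdom query fsmo" on a 2003 DC).
"Forest-wide roles (forest $($forest.Name))"
"  Schema master        : $($forest.SchemaRoleOwner.Name)"
"  Domain naming master : $($forest.NamingRoleOwner.Name)"
"Domain roles (domain $($domain.Name))"
"  PDC emulator         : $($domain.PdcRoleOwner.Name)"
"  RID master           : $($domain.RidRoleOwner.Name)"
"  Infrastructure master: $($domain.InfrastructureRoleOwner.Name)"

# Every DC, its site, and whether it is a global catalog
# (same data as "dsquery server -isgc" on a 2003 DC).
"Domain controllers"
foreach ($dc in $domain.DomainControllers) {
    "  {0,-30} site={1,-16} GC={2}" -f $dc.Name, $dc.SiteName, $dc.IsGlobalCatalog()
}

# The first DC promoted into a new forest held all five roles at creation time,
# but roles can be transferred or seized later, so today's role holders are not
# proof. The replicated whenCreated attribute on each DC's computer account is:
# the oldest account is the first DC (unless that account was ever deleted and
# recreated). userAccountControl bit 8192 (SERVER_TRUST_ACCOUNT) marks DC
# accounts; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
[void]$searcher.PropertiesToLoad.Add('name')
[void]$searcher.PropertiesToLoad.Add('whenCreated')

"DC accounts by creation date (oldest first)"
$searcher.FindAll() |
    Sort-Object { $_.Properties['whencreated'][0] } |
    ForEach-Object { "  {0,-30} created {1}" -f $_.Properties['name'][0], $_.Properties['whencreated'][0] }
```

The role holders and the creation dates are printed separately on purpose: KB 223346, which Jorge links, explains that FSMO roles move when transferred or seized, so a DC holding the PDC emulator today is not necessarily the one the domain was created on, whereas the oldest DC account is.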

Posted

Re: Active Directory Design

 

OK!

Thanks Jorge for sharing your experience/advice with me.

 

[]'s

Ricky

 

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

news:%23it32aOCIHA.324@TK2MSFTNGP04.phx.gbl...

>Hi Ricky, once again, search for sample scripts and batch files at the

>links provided before; also have a look at the MS Script Center.

>

> --

>

> I hope that the information above helps you.

> Have a Nice day.

>

> Jorge Silva

> MCSE, MVP Directory Services

>

> "Ricky" <newsgroupsmail@gmail.com> wrote in message

> news:eQATr3CCIHA.3900@TK2MSFTNGP02.phx.gbl...

>> Jorge,

>>

>> I understand you must be tired of telling so many things/answers in these

>> last days. Maybe I'm pushing your patience a little... sorry... but since

>> I have so many doubts about AD stuff and you "offered"

>> availability/likeability I was enthusiastic... I hope you understand it.

>>

>> But although I haven't looked inside the books you advised me (it seemed to

>> me they were for Win2000 and not for Win2003), I hope you can tell me what

>> tools I should look for to calculate when to put/buy a server for

>> sites (locations) based on the bandwidth available, and send me the batch

>> file that contains the code to use repadmin to achieve the monitoring

>> process for the replication between servers.

>>

>> I promise after this I will not bother you in the next weeks... ;)

>> Once again thanks for what I learned with you in the last days, because

>> although this is a forum you were the only one who cared.

>> THANKS

>> []'s

>> Ricky

>>

>>

>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>> news:eED%23EZ1BIHA.3616@TK2MSFTNGP04.phx.gbl...

>>> Ricky, all the information that you are searching for can be found

>>> either on the provided links or in the books that I mentioned. Keep in

>>> mind that for each AD environment the configurations may change; first

>>> try to understand how things work and how they should be used for each

>>> environment.

>>>

>>> --

>>>

>>> I hope that the information above helps you.

>>> Have a Nice day.

>>>

>>> Jorge Silva

>>> MCSE, MVP Directory Services

>>>

>>> "Ricky" <newsgroupsmail@gmail.com> wrote in message

>>> news:urnVu7uBIHA.4568@TK2MSFTNGP02.phx.gbl...

>>>>

>>>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>>>> news:Ot2YKsiBIHA.324@TK2MSFTNGP04.phx.gbl...

>>>>> inline

>>>>>> Question: Still about GCs: we have almost one server per site

>>>>>> (location) where the number of users is equal to or greater than 15.

>>>>>> Doubt:

>>>>>> A) Should we keep implementing this kind of topology?

>>>>> If you have Exchange or any other app that needs a GC you probably need

>>>>> a GC; if you don't, check:

>>>>> http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/ActiveDirectory/Whentouseandnotuseuniversalgroupmembershipcaching.html

>>>>> Or you can assign the subnets of these remote offices to an existing

>>>>> site with a DC.

>>>> Note: A very good URL. I've learned and understand quite well when to use

>>>> a GC or not. Thanks.

>>>> I would like to be like you, since it seems you find the right link

>>>> quickly. What's the secret?...

>>>>

>>>>>

>>>>>> B) Set up the servers with AD and GC or just AD?

>>>>> As I told you before, with only 1 domain/forest I think that all DCs

>>>>> could be GCs without any problems.

>>>> Question: Depending on the bandwidth available, right?

>>>>

>>>>>

>>>>>> C) I don't know if there exists any kind of formula that could help IT

>>>>>> system administrators calculate/have an idea of when to buy a server to

>>>>>> allocate to sites (locations) based on the number of users. (I've read

>>>>>> in the first link you wrote that they talk about 500 users for a GC, but

>>>>>> I didn't understand this issue very well.)

>>>>>

>>>>> There are some tools that do that type of statistics, but in some

>>>>> cases you end up with servers without a job to do that justified their

>>>>> investment. As I told you before, it depends on many other things.

>>>> Question: Nevertheless, can you advise me some tools that do that type

>>>> of statistics so I can test them and learn a little more?

>>>>

>>>>>

>>>>>> D) Is the GC used more when there exists more than one domain in a forest?

>>>>>

>>>>> The GC is always used by apps that need a GC, or by users that do UPN

>>>>> logon, queries, etc...

>>>>>

>>>>> In a multiple-domain scenario you have more information replicated to

>>>>> the GC, because the GC also stores a partial, read-only replica of all

>>>>> other domain directory partitions in the forest.

>>>>>

>>>>> The global catalog is a distributed data repository that contains a

>>>>> searchable, partial representation of every object in every domain in

>>>>> a multidomain Active Directory forest.

>>>>>

>>>>>

>>>>>> Other questions (sorry):

>>>>>> A) Where can I see/read what the best requirements are for a server

>>>>>> with Windows 2003 + AD?

>>>>> MS Web site.

>>>> Question: You're right, it exists on the Microsoft site

>>>> (http://technet.microsoft.com/en-us/windowsserver/bb430827.aspx) but it

>>>> doesn't say what RAID to use.

>>>>

>>>>>

>>>>>> B) Where can I see/read what the best requirements are for a server

>>>>>> with Exchange 2007?

>>>>> MS Web Site.

>>>> Question: You're right, it exists on the Microsoft site

>>>> (http://technet.microsoft.com/en-us/windowsserver/bb430827.aspx) but it

>>>> doesn't say what RAID to use.

>>>>

>>>>>

>>>>>> By the way, is it better having AD and Exchange on the same server, or

>>>>>> distinct servers for a storage solution?

>>>>> Keep Exchange away from a DC, meaning that Exchange shouldn't be on

>>>>> the same server that plays the DC role.

>>>> Question: Nevertheless, the DNS and DHCP services should stay on the same

>>>> machine that contains AD, right?

>>>>

>>>>

>>>>>

>>>>>> C) How can I monitor AD replication? (just by replmon or repadmin, or

>>>>>> do better tool(s) exist?...)

>>>>> These should be enough; repadmin in this case can achieve that job

>>>>> easily through a simple scheduled batch file.

>>>> Question: Can you send me that batch file, please?

>>>> (newsgroupsmail@gmail.com)

>>>>

>>>>

>>>>>

>>>>>

>>>>>> D) In Users and Computers -> Operations Masters -> RID (what does it stand

>>>>>> for?) |

>>>>>> PDC (primary domain controller, right?) | Infrastructure (what for?)

>>>>> check

>>>>>

>>>>> http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm

>>>> Note: Once more a good URL you advised, so people like me (newbies) can

>>>> learn. Thanks.

>>>>

>>>> []'s

>>>> Ricky

>>>>>

>>>>> --

>>>>>

>>>>> I hope that the information above helps you.

>>>>> Have a Nice day.

>>>>>

>>>>> Jorge Silva

>>>>> MCSE, MVP Directory Services

>>>>>

>>>>> "Ricky" <newsgroupsmail@gmail.com> wrote in message

>>>>> news:uY163phBIHA.3916@TK2MSFTNGP02.phx.gbl...

>>>>>>

>>>>>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>>>>>> news:eVzpfCVBIHA.3900@TK2MSFTNGP02.phx.gbl...

>>>>>>> Inline

>>>>>>>

>>>>>>>> Note: Good links. I've learned a lot. Thanks

>>>>>>> The pleasure was mine

>>>>>>>

>>>>>>>> Question: Can you give/advise URLs/sites (Microsoft, for instance) where I

>>>>>>>> can get/read that kind of comparison?

>>>>>>> For a direct comparison I don't know of any document; however, you can draw

>>>>>>> your own conclusions based on your experience and documentation.

>>>>>>>

>>>>>>> http://technet2.microsoft.com/windowsserver/en/library/d0e19b57-c368-46c2-b017-caf25ae150ec1033.mspx?mfr=true

>>>>>>>

>>>>>>>> I know I've been asking many questions and you, Jorge, have

>>>>>>>> always been giving good help (thanks). I wonder if you don't mind if I

>>>>>>>> ask 2 more questions (I hope not) :) They are:

>>>>>>> No problem, the pleasure is mine.

>>>>>>>

>>>>>>>> Another question A) When should we select the global

>>>>>>>> catalog option? Always, or does it depend

>>>>>>>> on the issue for which we need to apply this option (i.e. should it be

>>>>>>>> applied when the intent is for the sysvol (directory that holds all the

>>>>>>>> AD objects) to make authentication on that site faster)?

>>>>>>> - I think that you need more reading about GCs. The Sysvol directory

>>>>>>> doesn't hold all AD objects; you also need to read about Sysvol and

>>>>>>> what it is used for. You can check the following links:

>>>>>>> http://technet2.microsoft.com/windowsserver/en/library/24311c41-d2a1-4e72-a54f-150483fa885a1033.mspx?mfr=true

>>>>>>> http://technet2.microsoft.com/windowsserver/en/library/440e44ab-ea05-4bd8-a68c-12cf8fb1af501033.mspx?mfr=true

>>>>>> Note: As always they were good links/stuff to read :)

>>>>>>

>>>>>>

>>>>>>> In my opinion you should have at least 1 GC per site. If you have

>>>>>>> only one domain in your forest, then the cost of having all DCs =

>>>>>>> GCs is practically nothing, because by default each DC knows

>>>>>>> everything about its own domain, so making a DC a GC is just a

>>>>>>> matter of setting a flag and will benefit all apps (like

>>>>>>> Exchange) and clients that need a GC around. Note: Each forest

>>>>>>> needs at least one GC.

>>>>>>> Another thing to keep in mind is related to the Infrastructure

>>>>>>> Master, and you can check it here:

>>>>>>> http://support.microsoft.com/kb/223346

>>>>>> Note: Once again I've been learning a lot in the past few days with

>>>>>> your help/advice. I feel I have a private teacher... :)

>>>>>> Question: Still about GCs: we have almost one server per site

>>>>>> (location) where the number of users is equal to or greater than 15.

>>>>>> Doubt:

>>>>>> A) Should we keep implementing this kind of topology?

>>>>>> B) Set up the servers with AD and GC or just AD?

>>>>>> C) I don't know if there exists any kind of formula that could help IT

>>>>>> system administrators calculate/have an idea of when to buy a server to

>>>>>> allocate to sites (locations) based on the number of users. (I've read

>>>>>> in the first link you wrote that they talk about 500 users for a GC, but

>>>>>> I didn't understand this issue very well.)

>>>>>> D) Is the GC used more when there exists more than one domain in a forest?

>>>>>>

>>>>>> Other questions (sorry):

>>>>>> A) Where can I see/read what the best requirements are for a server

>>>>>> with Windows 2003 + AD?

>>>>>> B) Where can I see/read what the best requirements are for a server

>>>>>> with Exchange 2007?

>>>>>> By the way, is it better having AD and Exchange on the same server, or

>>>>>> distinct servers for a storage solution?

>>>>>> C) How can I monitor AD replication? (just by replmon or repadmin, or

>>>>>> do better tool(s) exist?...)

>>>>>> D) In Users and Computers -> Operations Masters -> RID (what does it stand

>>>>>> for?) | PDC (primary domain controller, right?) | Infrastructure (what

>>>>>> for?)

>>>>>>

>>>>>> After this you're going to deserve heaven... ;)

>>>>>> []'s to my private teacher. A good example of how a newbie becomes more

>>>>>> expert.

>>>>>> Thanks

>>>>>> Ricky

>>>>>>

>>>>>>

>>>>>>>

>>>>>>>> Another question B) Can you advise me any book(s) that

>>>>>>>> describe all the subjects we have discussed here?

>>>>>>> MSPress, and:

>>>>>>> http://www.amazon.com/gp/product/0321228480/ref=s9_flash_asin_image_10/102-3703184-4972958?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=center-3&pf_rd_r=1HD99RPYVX9SGNTTTBD1&pf_rd_t=101&pf_rd_p=291314201&pf_rd_i=507846

>>>>>>> http://www.amazon.com/Active-Directory-3rd-Joe-Richards/dp/0596101732

>>>>>>>

>>>>>>>> Once again, and it isn't enough to keep saying: Thanks... Thanks...

>>>>>>>> Thanks for all the help/patience.

>>>>>>> Any time.

>>>>>>> Have Fun.

>>>>>>> --

>>>>>>>

>>>>>>> I hope that the information above helps you.

>>>>>>> Have a Nice day.

>>>>>>>

>>>>>>> Jorge Silva

>>>>>>> MCSE, MVP Directory Services

>>>>>>>

>>>>>>> "Ricky" <newsgroupsmail@gmail.com> wrote in message

>>>>>>> news:uYsYTMUBIHA.5196@TK2MSFTNGP02.phx.gbl...

>>>>>>>>

>>>>>>>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>>>>>>>> news:eMHofaJBIHA.464@TK2MSFTNGP02.phx.gbl...

>>>>>>>>> Inline

>>>>>>>>>> Question: I did understand your point of view, but what I really

>>>>>>>>>> need is some white papers or books that could advise me on how to

>>>>>>>>>> build/organize my OU structure based on my company

>>>>>>>>>> departments/hierarchy (some design structure with drawings)

>>>>>>>>> You can start here.

>>>>>>>>> http://www.microsoft.com/technet/community/columns/profwin/pw0302.mspx

>>>>>>>>> http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html

>>>>>>>> Note: Good links. I've learned a lot. Thanks

>>>>>>>>

>>>>>>>>

>>>>>>>>>> Question: I thought the best choice was to schedule

>>>>>>>>>> replication at lunch or late hours like 1am to 7am, since at this

>>>>>>>>>> time of day users aren't working so the lines have less

>>>>>>>>>> traffic to handle. Nevertheless, it seems you don't agree based on

>>>>>>>>>> your words. What do you think?...

>>>>>>>>>

>>>>>>>>> Not really, I was just giving you a sample to explain how things

>>>>>>>>> could work; however, this depends on your real needs and

>>>>>>>>> priorities. In your case, if replication of changes and creation of

>>>>>>>>> new objects are less important than WAN traffic, then you should go

>>>>>>>>> with that plan and limit the replication to non-business hours.

>>>>>>>>>

>>>>>>>>>> Question: This article is very good and explains very well how

>>>>>>>>>> the DHCP service interacts with DNS, but what I really need/intend

>>>>>>>>>> to know is which is the better option/choice when implementing the

>>>>>>>>>> DHCP service: does the network behave better if DHCP is

>>>>>>>>>> distributed by a server or by a router?...

>>>>>>>>>

>>>>>>>>> The behavior could be good in both cases; however, there is

>>>>>>>>> better integration with DNS using the MS DHCP server in your

>>>>>>>>> environment.

>>>>>>>> Question: Can you give/advise URLs/sites (Microsoft, for instance) where I

>>>>>>>> can get/read that kind of comparison?

>>>>>>>>

>>>>>>>>>

>>>>>>>>>> Question: After I read these articles I searched on Google and I

>>>>>>>>>> understand that the Microsoft® Exchange Server Analyzer Tool is one

>>>>>>>>>> of the tools that can see whether a server is the first of the domain

>>>>>>>>>> or not. Can you advise or recommend other tool(s) that could be

>>>>>>>>>> better than this one? (If the Microsoft® Exchange Server Analyzer

>>>>>>>>>> Tool is correct)

>>>>>>>>>

>>>>>>>>> For AD there are many free and built-in tools, like dsquery, dsmod,

>>>>>>>>> dsadd, repadmin, netdiag, replmon, adsiedit, ld, ADModify.net,

>>>>>>>>> etc... It depends on your needs; each tool can be used for specific

>>>>>>>>> operations. Search on the MS web site for Active Directory tools.

>>>>>>>>> BPA tools are available for other MS technologies, like ISA, SQL,

>>>>>>>>> Exchange... However, for Active Directory I don't know of any BPA.

>>>>>>>>> --

>>>>>>>> I know I've been asking many questions and you, Jorge, have

>>>>>>>> always been giving good help (thanks). I wonder if you don't mind if I

>>>>>>>> ask 2 more questions (I hope not) :) They are:

>>>>>>>>

>>>>>>>> Another question A) When should we select the global

>>>>>>>> catalog option? Always, or does it depend

>>>>>>>> on the issue for which we need to apply this option (i.e. should it be

>>>>>>>> applied when the intent is for the sysvol (directory that holds all the

>>>>>>>> AD objects) to make authentication on that site faster)?

>>>>>>>>

>>>>>>>> Another question B) Can you advise me any book(s) that

>>>>>>>> describe all the subjects we have discussed here?

>>>>>>>>

>>>>>>>> Once again, and it isn't enough to keep saying: Thanks... Thanks...

>>>>>>>> Thanks for all the help/patience.

>>>>>>>> []

>>>>>>>> Ricky

>>>>>>>>

>>>>>>>>

>>>>>>>>

>>>>>>>>

>>>>>>>>

>>>>>>>>>

>>>>>>>>> I hope that the information above helps you.

>>>>>>>>> Have a Nice day.

>>>>>>>>>

>>>>>>>>> Jorge Silva

>>>>>>>>> MCSE, MVP Directory Services

>>>>>>>>>

>>>>>>>>> "Ricky" <newsgroupsmail@gmail.com> wrote in message

>>>>>>>>> news:%23dEmJgIBIHA.748@TK2MSFTNGP04.phx.gbl...

>>>>>>>>>>

>>>>>>>>>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message

>>>>>>>>>> news:%23vxwTW8AIHA.5960@TK2MSFTNGP05.phx.gbl...

>>>>>>>>>>> Hi

>>>>>>>>>>> Check inline:

>>>>>>>>>>>> 1. How should we architect our Active Directory based on

>>>>>>>>>>>> organizational units? (need examples and good white papers)

>>>>>>>>>>>> A) Should AD / OUs be built based on Group Policy?

>>>>>>>>>>>

>>>>>>>>>>> The three main reasons to create OUs are:

>>>>>>>>>>> -Delegation of control, administering GPOs, and hiding objects.

>>>>>>>>>>> -If you understand this you can answer your own question.

>>>>>>>>>> Question: I did understand your point of view, but what I really

>>>>>>>>>> need is some white papers or books that could advise me on how to

>>>>>>>>>> build/organize my OU structure based on my company

>>>>>>>>>> departments/hierarchy (some design structure with drawings)

>>>>>>>>>>>

>>>>>>>>>>>> B) For better job assignment, should one OU be managed by a group

>>>>>>>>>>>> of the IT team and other OUs by other technicians?

>>>>>>>>>>>

>>>>>>>>>>> ???

>>>>>>>>>>> Delegation of control is generally given to security groups,

>>>>>>>>>>> because you only do it once and then just add the users to

>>>>>>>>>>> that security group.

>>>>>>>>>>>

>>>>>>>>>>>> 2. The actual distribution list allows a "normal" user to add

>>>>>>>>>>>> himself to a group, or to another group, that he doesn't belong to. How

>>>>>>>>>>>> do we correct this issue in this fresh AD?

>>>>>>>>>>>

>>>>>>>>>>> - To avoid situations like this one, create an OU that holds the

>>>>>>>>>>> security groups, and give access to that OU only to the person

>>>>>>>>>>> or group of users who are allowed to manage these security

>>>>>>>>>>> groups.

>>>>>>>>>>>

>>>>>>>>>>>> 3. We have some locations with servers but others don't. Should

>>>>>>>>>>>> we create a subnet for each location/IP address, or just create

>>>>>>>>>>>> a subnet where servers exist?

>>>>>>>>>>>

>>>>>>>>>>> - You should create and assign each existing subnet to a given

>>>>>>>>>>> site.

>>>>>>>>>>> - Sites and subnets play a very important role in user

>>>>>>>>>>> authentication, AD replication, file replication, COs, etc... So

>>>>>>>>>>> make sure that you've got everything correctly set up.

>>>>>>>>>>> - Remember you can't associate a site link with a WAN link;

>>>>>>>>>>> however, you use your network routing configuration to provide

>>>>>>>>>>> the correct information to ADSS. So configure your routers to

>>>>>>>>>>> provide the correct redundancy, by defining the priorities and

>>>>>>>>>>> links to fail over to, then go to ADSS and, based on that information,

>>>>>>>>>>> configure your site link cost (when you have multiple site

>>>>>>>>>>> links).

>>>>>>>>>>>

>>>>>>>>>>>> 4. How often should sites replicate with each other?

>>>>>>>>>>>

>>>>>>>>>>> - Inter-site replication should occur when your WAN schedule is

>>>>>>>>>>> available; more replications per hour means less replication

>>>>>>>>>>> traffic per hour, so it is up to you to decide what best suits

>>>>>>>>>>> your environment.

>>>>>>>>>> Question: I thought the best choice was to schedule

>>>>>>>>>> replication at lunch or late hours like 1am to 7am, since at this

>>>>>>>>>> time of day users aren't working so the lines have less

>>>>>>>>>> traffic to handle. Nevertheless, it seems you don't agree based on

>>>>>>>>>> your words. What do you think?...

>>>>>>>>>>>

>>>>>>>>>>>> 5. Should the router be distributing the DHCP service, or should

>>>>>>>>>>>> the server? Which is the better choice?... and why.

>>>>>>>>>>> - The Windows DHCP service integrates better with DNS; check:

>>>>>>>>>>> http://technet2.microsoft.com/windowsserver/en/library/d0e19b57-c368-46c2-b017-caf25ae150ec1033.mspx?mfr=true

>>>>>>>>>> Question: This article is very good and explains very well how

>>>>>>>>>> the DHCP service interacts with DNS, but what I really need/intend

>>>>>>>>>> to know is which is the better option/choice when implementing the

>>>>>>>>>> DHCP service: does the network behave better if DHCP is

>>>>>>>>>> distributed by a server or by a router?...

>>>>>>>>>>

>>>>>>>>>>>> 6. In the actual network infrastructure, how can I see/do

>>>>>>>>>>>> tests so I can be sure which was the first PDC to be built in

>>>>>>>>>>>> the actual network design?

>>>>>>>>>>> There's no PDC and BDC concept in AD. However, there's a

>>>>>>>>>>> PDC emulator that emulates the old PDC for legacy clients; you

>>>>>>>>>>> can find more info about FSMO roles at:

>>>>>>>>>>> http://support.microsoft.com/kb/223346

>>>>>>>>>>> http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm

>>>>>>>>>> Question: After I read these articles I searched on Google and I

>>>>>>>>>> understand that the Microsoft® Exchange Server Analyzer Tool is one

>>>>>>>>>> of the tools that can see whether a server is the first of the domain

>>>>>>>>>> or not. Can you advise or recommend other tool(s) that could be

>>>>>>>>>> better than this one? (If the Microsoft® Exchange Server Analyzer

>>>>>>>>>> Tool is correct)

>>>>>>>>>>

>>>>>>>>>> 7. When should we select the global catalog option? Always, or does

>>>>>>>>>> it depend on the issue for which we need to apply this option?

>>>>>>>>>>

>>>>>>>>>> 8. Can you advise me any book(s) that describe all these

>>>>>>>>>> subjects and much more, so I can learn and become more like you

>>>>>>>>>> and others who have good knowledge about these issues?...

>>>>>>>>>>

>>>>>>>>>> Thanks for all the help and patience/important knowledge you

>>>>>>>>>> passed on to me.

>>>>>>>>>> []

>>>>>>>>>> Ricky

>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>>> I hope that the information above helps you.

>>>>>>>>>>> Have a Nice day.

>>>>>>>>>>>

>>>>>>>>>>> Jorge Silva

>>>>>>>>>>> MCSE, MVP Directory Services

>>>>>>>>>>>

>>>>>>>>>>> "Ricky" <newsgroupsmail@gmail.com> wrote in message

>>>>>>>>>>> news:O4JOj77AIHA.3900@TK2MSFTNGP02.phx.gbl...

>>>>>>>>>>>> Hi

>>>>>>>>>>>>

>>>>>>>>>>>> At work we are thinking of building a fresh/new Active Directory with

>>>>>>>>>>>> Windows 2003 Enterprise Edition / Exchange 2003 and ISA 2004. But

>>>>>>>>>>>> we have the following doubts:

>>>>>>>>>>>>

>>>>>>>>>>>> 1. How should we architect our Active Directory based on

>>>>>>>>>>>> organizational units? (need examples and good white papers)

>>>>>>>>>>>> A) Should AD / OUs be built based on Group Policy?

>>>>>>>>>>>> B) For better job assignment, should one OU be managed by a group

>>>>>>>>>>>> of the IT team and other OUs by other technicians?

>>>>>>>>>>>>

>>>>>>>>>>>> 2. The actual distribution list allows a "normal" user to add

>>>>>>>>>>>> himself to a group, or to another group, that he doesn't belong to. How

>>>>>>>>>>>> do we correct this issue in this fresh AD?

>>>>>>>>>>>>

>>>>>>>>>>>> 3. We have some locations with servers but others don't. Should

>>>>>>>>>>>> we create a subnet for each location/IP address, or just create

>>>>>>>>>>>> a subnet where servers exist?

>>>>>>>>>>>>

>>>>>>>>>>>> 4. How often should sites replicate with each other?

>>>>>>>>>>>>

>>>>>>>>>>>> 5. Should the router be distributing the DHCP service, or should

>>>>>>>>>>>> the server? Which is the better choice?... and why.

>>>>>>>>>>>>

>>>>>>>>>>>> 6. In the actual network infrastructure, how can I see/do

>>>>>>>>>>>> tests so I can be sure which was the first PDC to be built in

>>>>>>>>>>>> the actual network design?

>>>>>>>>>>>>

>>>>>>>>>>>> I hope someone has the patience/courage to help me out on these

>>>>>>>>>>>> issues.

>>>>>>>>>>>> Have a good work week,

>>>>>>>>>>>> Thanks

>>>>>>>>>>>> Ricky

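Ricky asks twice for the scheduled batch file that drives repadmin, and it was never posted in the thread. The following PowerShell script is an added example of what such a monitor looks like; it is not Jorge's script. It assumes repadmin.exe from the Windows Server 2003 SP1 Support Tools (the version that added the /csv switch) is on the PATH, PowerShell 2.0 for ConvertFrom-Csv and Write-EventLog, and a scheduled task that runs it periodically under an account that can read the directory. The 12-hour threshold, the log path, the event source name ADReplCheck and event ID 9001 are arbitrary choices for the example. It flags every inbound replication link with a non-zero failure count or whose last success is older than the threshold, which also catches DCs that repadmin could not reach at all.

```powershell
# Added example: a scheduled replication monitor of the kind Ricky asked for.
# It is not the batch file from the thread (none was posted). Assumptions:
# repadmin.exe from the Windows Server 2003 SP1 Support Tools (which added the
# /csv switch) is on the PATH; PowerShell 2.0 for ConvertFrom-Csv and
# Write-EventLog; a scheduled task runs it under an account that can read the
# directory. Threshold, log path, event source and event ID are arbitrary choices.

param(
    [int]$MaxAgeHours = 12,                            # alert if no success in 12 h
    [string]$LogFile  = "$env:TEMP\ad-repl-check.log"
)

# repadmin /showrepl * /csv prints a header line naming the columns used below
# (Destination DSA, Source DSA, Naming Context, Number of Failures,
# Last Success Time, Last Failure Status). One row per inbound partner per DC.
$rows = @(repadmin /showrepl * /csv | ConvertFrom-Csv)

$problems = @()
foreach ($r in $rows) {
    $failures = 0
    if ($r.'Number of Failures' -match '^\d+$') { $failures = [int]$r.'Number of Failures' }

    # "0" or an empty field means this partner has never replicated successfully
    # (an unreachable DC also yields a row with empty fields, so it is flagged too).
    $lastOk = $null
    if ($r.'Last Success Time' -and $r.'Last Success Time' -ne '0') {
        $lastOk = [datetime]$r.'Last Success Time'
    }
    $stale = ($lastOk -eq $null) -or (((Get-Date) - $lastOk).TotalHours -gt $MaxAgeHours)

    if ($failures -gt 0 -or $stale) {
        $problems += "{0} <- {1} [{2}] failures={3} lastSuccess='{4}' status={5}" -f $r.'Destination DSA',
            $r.'Source DSA', $r.'Naming Context', $failures, $r.'Last Success Time', $r.'Last Failure Status'
    }
}

$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
if ($problems.Count -eq 0) {
    Add-Content $LogFile "$stamp OK: $($rows.Count) replication links healthy"
    exit 0
}

$report = "$stamp PROBLEMS:`r`n" + ($problems -join "`r`n")
Add-Content $LogFile $report

# Put it where monitoring already looks: the Application event log.
if (-not [System.Diagnostics.EventLog]::SourceExists('ADReplCheck')) {
    [System.Diagnostics.EventLog]::CreateEventSource('ADReplCheck', 'Application')
}
Write-EventLog -LogName Application -Source ADReplCheck -EntryType Error -EventId 9001 -Message $report
exit 1
```

Run it from Task Scheduler a little more often than the shortest inter-site replication interval you configured, so that a missed schedule window shows up as "stale" before the next one closes; the non-zero exit code also lets the task's own history show failures without opening the log.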
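Jorge's answer to question 2 (put the groups in one OU and give access to that OU only to the people who manage them) is the right design. The reason a "normal" user could add himself in the first place is an ACE somewhere that grants WriteProperty on the group's member attribute to a broad principal: Everyone, Authenticated Users, NT AUTHORITY\SELF, or the user himself as the creator/owner of the group. The following PowerShell script is an added example, not code from the thread, that audits every group in the domain for such entries. It uses System.DirectoryServices only, so it works against Windows Server 2003 DCs; try/catch needs PowerShell 2.0. The allowed-principal list, the CORP domain, CORP\GroupAdmins and the OU path in the dsacls remediation lines are hypothetical names to adapt; bf9679c0-0de6-11d0-a285-00aa003049e2 is the fixed schemaIDGUID of the member attribute and bc0ac240-79a9-11d0-9020-00c04fc2d4cf the rightsGuid of the Membership property set that contains it.

```powershell
# Added example (not code from the thread). Audits every group in the domain for
# ACEs that let someone other than the delegated group administrators change the
# "member" attribute: the usual root cause when a normal user can add himself to
# a distribution list. Needs only System.DirectoryServices (works against
# Windows Server 2003 DCs); try/catch requires PowerShell 2.0.
# Assumption: run as a user who can read the directory and its security descriptors.

[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')

# Fixed schemaIDGUID of the "member" attribute, and the rightsGuid of the
# "Membership" property set that contains it.
$memberGuid    = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$membershipSet = [Guid]'bc0ac240-79a9-11d0-9020-00c04fc2d4cf'
$writeProperty = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Principals that are supposed to manage membership (hypothetical names; adjust).
$allowed = @('CORP\Domain Admins', 'CORP\Enterprise Admins', 'CORP\GroupAdmins',
             'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Account Operators')

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = '(objectCategory=group)'
$searcher.PageSize = 500                      # page past the 1000-result limit
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

foreach ($result in $searcher.FindAll()) {
    $dn    = $result.Properties['distinguishedname'][0]
    $group = $result.GetDirectoryEntry()
    try {
        # (explicit, inherited, identity type): resolve SIDs to DOMAIN\name
        $rules = $group.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    } catch {
        # An orphaned SID that cannot be translated makes NTAccount fail; fall back to raw SIDs.
        $rules = $group.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    }
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.ActiveDirectoryRights
        # WriteProperty (also contained in GenericWrite/GenericAll) scoped to
        # "member", to the Membership property set, or to all properties (empty GUID).
        $canWriteMember = (($rights -band $writeProperty) -ne 0) -and
                          ($ace.ObjectType -eq $memberGuid -or
                           $ace.ObjectType -eq $membershipSet -or
                           $ace.ObjectType -eq [Guid]::Empty)
        if ($canWriteMember -and ($allowed -notcontains $ace.IdentityReference.Value)) {
            $scope = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
            "{0}`t{1}`t{2}`t{3}" -f $dn, $ace.IdentityReference.Value, $ace.ActiveDirectoryRights, $scope
        }
    }
}

# Remediation, done once on the OU that holds the groups as the reply suggests,
# with dsacls from the Support Tools: grant WriteProperty on "member" for group
# objects, inherited to the groups below, to the delegated admins only ...
#   dsacls "OU=Groups,DC=corp,DC=example" /I:S /G "CORP\GroupAdmins:WP;member;group"
# ... and remove every entry this script reports, e.g. a SELF or Everyone grant:
#   dsacls "CN=Sales DL,OU=Groups,DC=corp,DC=example" /R "NT AUTHORITY\SELF"
```

Entries marked "inherited" come from an OU or the domain head and should be fixed there rather than on each group; entries marked "explicit" on a single group are typically the creator-owner ACE left behind when a non-admin was allowed to create the group, which is why the OU that holds groups should also deny ordinary users the right to create child objects.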
