Active Directory Administration Cookbook

Actionable, proven solutions to identity management and authentication on servers and in the cloud

Product type: Paperback
Published in: May 2019
Publisher: Packt
ISBN-13: 9781789806984
Length: 620 pages
Edition: 1st Edition
Author: Sander Berkouwer
Table of Contents

  • Preface
  • 1. Optimizing Forests, Domains, and Trusts
  • 2. Managing Domain Controllers
  • 3. Managing Active Directory Roles and Features
  • 4. Managing Containers and Organizational Units
  • 5. Managing Active Directory Sites and Troubleshooting Replication
  • 6. Managing Active Directory Users
  • 7. Managing Active Directory Groups
  • 8. Managing Active Directory Computers
  • 9. Getting the Most Out of Group Policy
  • 10. Securing Active Directory
  • 11. Managing Federation
  • 12. Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and 3SO)
  • 13. Handling Synchronization in a Hybrid World (Azure AD Connect)
  • 14. Hardening Azure AD
  • 15. Other Books You May Enjoy

Optimizing Forests, Domains, and Trusts

Back in the year 2000, when Active Directory was introduced to the larger public, we lived in a different world. The internet was only just starting to deliver value to businesses. That's why, in Windows 2000 Server, Active Directory was largely disconnected from the internet. Windows 2000 Server's default Domain Name System (DNS) settings even came with a root zone, so if you wanted to connect to the internet, you'd need to delete the "." DNS zone manually.

Fast forward to today, and the internet and cloud services seem omnipresent. The default "." DNS zone has disappeared from Windows Server, but the concepts of trees and forests in Active Directory have persisted, and they still cause some confusion among Active Directory admins.

To explain domains, trees, and forests in Active Directory, we need to acknowledge Active Directory's past. To create anything in Active Directory, you'll need to create a domain. It starts with the name. For a hypothetical organization, Lucern Publishing, four typical domain names would be as follows:

Type                                         Domain name
Public DNS domain name                       lucernpub.com
Internal part of a public DNS domain name    ad.lucernpub.com
Non-public DNS domain name                   lucernpub.local
Single-label domain name                     lucernpubcom

The first two options are the preferred ones, as they adhere to RFC 822 (https://www.w3.org/Protocols/rfc822). The third option is common, but it doesn't comply with RFC 2606 (https://tools.ietf.org/html/rfc2606) and should be avoided. The fourth option is a typical single-label domain name. Such names are usually the result of a common error among Active Directory admins migrating from Windows NT 4 Server's domain model to Active Directory. The products that once supported Windows NT 4 Server's single-label domains are no longer around, or their vendors, Microsoft included, no longer support single-label domain names.

Lucern Publishing may be quite a successful organization, so they might expand their operations from Switzerland to Europe, North America, and Asia. For reasons that we'll discuss later, they might want separate Active Directory domains for each of their territories, but they want those domains to keep working together as one organization. This is where a domain tree comes into play. Lucern Publishing might choose to create three subdomains under lucernpub.com:

  • eu.lucernpub.com
  • usa.lucernpub.com
  • asia.lucernpub.com

They've created a tree of Active Directory domains, sharing the same DNS namespace. Of course, Lucern Publishing might also choose to create multiple trees, next to the lucernpub.com domain or tree, to accommodate an organizational layout with different names for their global expansions, such as Austin Publishing and Wuhan Publishing. In this case, it will make sense to create separate domains such as austinpub.com and wuhanpub.com. Effectively, Lucern Publishing will create three trees this way, belonging to the same Active Directory forest. Yes, some Active Directory environments are large structures with many large trees, but the default Active Directory forest consists of just one tree, with one Active Directory domain.
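As an added example (not code from the book), the following Python models the two ideas this introduction covers: the four naming categories in the table, with the chapter's preference for the first two, and the grouping of a forest's domains into trees by contiguous DNS namespace. The NON_PUBLIC_TLDS set, the label regex and the Lucern Publishing zone set are assumptions of the example, not anything the book defines.

```python
import re
from typing import Dict, List, Set, Tuple

# The chapter's example of a non-public suffix (it cites RFC 2606 for this); assumed set.
NON_PUBLIC_TLDS = {"local"}
# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, <= 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def classify_domain_name(name: str, public_zones: Set[str]) -> Tuple[str, bool]:
    """Return (category from the table, recommended?) for a proposed AD domain name.
    public_zones = DNS zones the organization owns publicly, e.g. {"lucernpub.com"}."""
    name = name.lower().rstrip(".")
    labels = name.split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        raise ValueError(f"invalid DNS label in {name!r}")
    if len(labels) == 1:
        return "single-label domain name", False       # NT 4-style, no longer supported
    if labels[-1] in NON_PUBLIC_TLDS:
        return "non-public DNS domain name", False     # e.g. lucernpub.local
    for zone in public_zones:
        if name == zone:
            return "public DNS domain name", True
        if name.endswith("." + zone):
            return "internal part of a public DNS domain name", True
    # Looks public but is not a zone the organization owns: register it before using it.
    return "public DNS domain name", False


def group_into_trees(domains: List[str]) -> Dict[str, List[str]]:
    """Group one forest's domains into trees keyed by tree-root domain. A domain joins
    its parent's tree only while the namespace is contiguous (each parent up to the
    root is itself a forest domain); a domain with no parent in the forest starts a tree."""
    names = {d.lower().rstrip(".") for d in domains}

    def tree_root(domain: str) -> str:
        labels = domain.split(".")
        root = domain
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            if parent not in names:
                break                                  # gap in the namespace: stop climbing
            root = parent
        return root

    trees: Dict[str, List[str]] = {}
    for domain in sorted(names):
        trees.setdefault(tree_root(domain), []).append(domain)
    return trees
```

Running group_into_trees over the six Lucern Publishing names from the text yields three trees, rooted at lucernpub.com, austinpub.com and wuhanpub.com, matching the forest layout described above.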

In this chapter, we'll discuss the reasoning behind creating domains and forests. We'll also discuss userPrincipalName (UPN) suffixes and trusts. The goal of this chapter is to help you make the right choices in terms of your Active Directory structure.

The following recipes will be covered in the chapter:

  • Listing the domains in your forest
  • Using adprep.exe to prepare for new AD functionality
  • Raising the domain functional level to Windows Server 2016
  • Raising the forest functional level to Windows Server 2016
  • Creating the right trust
  • Verifying a trust
  • Securing a trust
  • Extending the schema
  • Enabling the Active Directory Recycle Bin
  • Managing UPN suffixes

Before going through these recipes, we will look at a few aspects that you will need to know for this chapter.

Let's begin!
