Now more about Active Directory domains in that tree-like hierarchy. The forest root domain is the most important one; that's where your Enterprise Admins group lives, and this is where the heavy lifting of the forest happens, at least initially. Some businesses actually will use the forest root for management purposes, and then for your users and your workloads, bring out child domains. Again, we're using Domain Name System (DNS), listening on TCP and UDP port 53, for name resolution. So we therefore have a DNS namespace that makes it easier for you to see the relationship between the parent and child domains. Now notice you can do a disjoint namespace. You don't have to have your child domain of company.pri be denver.company.pri, syracuse, you know, you don't have to do that. That's an architectural question, how you're dividing your child domains if you need to. Most of the time, in my experience, it's by physical location. You've got your headquarters in the root and then you have your branches defined by their geolocation.
Some businesses will do child domains on business unit levels, but again, I would strongly recommend you simplify as much as possible, especially given the high cost of a security breach. So you can do a non-contiguous or a disjoint namespace. Again, I would recommend against that, unless you're in the middle of a migration and you just have to retain that disjoint name, because it makes DNS a lot more difficult to configure. If you're using the traditional delegated subdomain model, it's much, much easier, particularly when you're replicating your DNS zone or zones in Active Directory itself. But as you can see, you can build out your tree to several levels, and we've got these two-way transitive trust relationships among them. So a user who signs into test.denver.company.pri can be given access to resources in any other domain, and part of the DNS is that lookups travel from the child domain to the parent. You can actually create a shortcut trust relationship, for example, between test.denver.company.pri directly to company.com in order to shorten that name resolution path, but more on that in time; we'll get to trusts, and I believe we cover that in the next module in more detail.
As I mentioned, the domain controller is the authentication source. By default, your domain controllers host your DNS zones with Active Directory, so you want to think about high availability for these, at the very least having more than one domain controller for each domain. Now, whether you have a single domain or multiple domains, if you're broken out into Active Directory sites, you'll also want a couple of domain controllers in each site as well, so that you can ensure that authentication requests happen in a time-efficient manner. Speaking of which, as I said, sites are mapped normally to the physical network infrastructure of your organization, and you'll see that in Active Directory, if you don't already know, there are a number of tools that allow you to map those locations, and you can place your domain controllers associated with particular sites and subnets. And this is great, again, because we want to give users and other security principals that need to interact with Active Directory an efficient communication path between them.
In other words, we don't want somebody in Denver being authenticated in Las Vegas unless Denver domain controllers are unavailable for some reason, but notice that that will happen automatically: if the DCs are offline in Denver, then a user may be authenticated either in Las Vegas or Phoenix, depending upon how the Knowledge Consistency Checker, or KCC, component of Active Directory determines the lowest-cost route to a remote site for a domain controller. Here is another graphic that just shows some of the flexibility that you have as an Active Directory administrator in laying out your sites. Now you might be wondering, how does this relate to Azure AD and running, say, a hybrid cloud environment between local and Azure Virtual Networks? The general guidance from Microsoft is to create sites for your virtual networks. Even though you may have a very fast connection from on-prem to Azure, maybe you have an ExpressRoute circuit, still, the guidance is to create sites for your Azure Virtual Networks, place those domain controllers in those subnet objects in those sites, and make sure that you've got the Azure VNets involved in your Sites and Services topology.
Organizational units, like I mentioned, consist of top-level containers that are given to you by default, one for users and one for computers. You cannot attach a Group Policy Object to these containers, but the idea is that you can create a collection of organizational units. Maybe you're doing it, in this example, by finance users, organizing by job role, but I've also seen businesses that organize their OUs by location, or geo division, or organization within the organizational chart of the company. It's totally an architectural question that you and your team need to decide, but those built-in containers are just given as a starter, and then it's presumed that you're going to create OUs to organize your users and computers for both delegated administration, as well as the most efficient Group Policy management and processing.