Windows Active Directory Family---Distributed Active Directory Deployment Overview (bottom)


Integrating an on-premises AD DS deployment with cloud services:

There are two ways to extend AD DS to the cloud: use Windows Azure AD, or install Windows Server 2012 R2 on a Windows Azure virtual machine and promote that server to a domain controller (DC).


What is Windows Azure AD?

Windows Azure AD is a Windows Azure-based service that provides identity management and access control for applications in the cloud. Windows Azure AD is typically used when you subscribe to services such as Office 365, Exchange Online, SharePoint Online and Lync Online, and you can integrate Windows Azure applications or Internet-connected applications that require authentication with Windows Azure AD. You can synchronize your on-premises AD DS with Windows Azure AD so that your company's users can access on-premises and cloud resources with the same identity.

Windows Azure AD does not contain all of the service features of an on-premises AD DS deployment. Windows Server supports five different AD services: AD Domain Services, AD Lightweight Directory Services, AD Federation Services, AD Certificate Services, and AD Rights Management Services. In addition to Windows Azure AD, Windows Azure now offers the Windows Azure Access Control Service, which supports integration of third-party identity management tools and federation with on-premises AD Domain Services.


Installing Active Directory on Windows Azure

Windows Azure provides infrastructure-as-a-service (IaaS) capabilities, which are essentially virtual machines in the cloud. Any virtualized application or server that runs on-premises can be considered for deployment on Windows Azure. When you deploy Active Directory on Windows Azure, you promote a virtual machine to a domain controller, and all of the deployment rules are exactly the same as for an on-premises Active Directory deployment.

You can deploy AD Domain Services on Windows Azure to support user authentication and as a protection mechanism for disaster recovery. If all your local domain controllers fail, the AD Domain Services instance on Windows Azure retains a full copy of your AD database, allowing you to quickly restore directory and network functionality.

Here are two things to consider when you want to deploy AD Domain Services on Windows Azure:

1. Service recovery. Windows Azure servers can be rolled back according to a daily maintenance plan, but rollback is not offered as a service to the customer. Domain controller replication depends on the Update Sequence Number (USN); when an AD Domain Services system is rolled back to a previous state, duplicate USNs are created. To avoid this situation, Windows Server AD introduces a new identifier, the virtual machine generation ID. The virtual machine generation ID detects a rollback state and prevents the virtual DC's change data from being replicated until the data of the virtual AD Domain Services instance and the other domain controllers in the domain has been reconciled.

2. Limitations of virtual machines. A Windows Azure virtual machine has a maximum memory limit of 14 GB and only one NIC, and it does not support virtual machine snapshots.


Special considerations when running AD services on Windows Azure:

Because there are several aspects of Windows Azure virtual machines that you cannot control, there are a few special points to consider before you install AD on Windows Azure:

1. IP address. All Windows Azure virtual machines are assigned IP addresses through DHCP, and your Windows Azure virtual network must be in place before you install the first domain controller.

2. DNS. Windows Azure's built-in DNS does not meet AD requirements such as dynamic DNS updates and SRV records. You can install the DNS role on your DC, but DCs cannot be given static IP addresses; to avoid the resulting problems, Windows Azure DHCP leases never expire.

Note: Do not change the dynamic IP address of a DC on Windows Azure to a static IP address. Your network identity on Windows Azure would be affected by the change, and a DC that has been given a static IP address may end up losing connectivity.

3. Hard disk. The operating system virtual hard disk of a Windows Azure virtual machine uses host-cached reads and writes, which improves the performance of the virtual machine, but if the AD components are installed on the operating system disk, data may be lost in a disk failure. Additional Windows Azure data disks attached to the virtual machine do not use the caching feature. When you install AD on Windows Azure, place Ntds.dit and the SYSVOL folder on an additional data disk of the Windows Azure virtual machine instead of on the system disk.
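As an added example (not from the original article), the following PowerShell promotes an Azure VM to a DC with the database, log files and SYSVOL on an attached data disk assumed to be mounted as F:, and then, after the promotion reboot, reads back from the registry which paths AD actually uses and flags anything still on the system drive; the domain name and account are placeholders.

```powershell
# Added example, not from the original article. Assumes an attached Azure data disk is
# mounted as F:; 'contoso.com' and the administrator account are placeholders.
Import-Module ADDSDeployment

$dataDrive = 'F:'   # attached data disk: not host-cached, unlike the OS disk

# Step 1 (before the reboot): promote the VM and point every AD data path at the data disk.
# -DatabasePath, -LogPath and -SysvolPath are what keep Ntds.dit and SYSVOL off the system disk.
Install-ADDSDomainController `
    -DomainName 'contoso.com' `
    -Credential (Get-Credential 'CONTOSO\Administrator') `
    -InstallDns `
    -DatabasePath "$dataDrive\NTDS" `
    -LogPath "$dataDrive\NTDS" `
    -SysvolPath "$dataDrive\SYSVOL" `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')

# Step 2 (after the promotion reboot): the NTDS and Netlogon services record the paths
# they really use in the registry; report each one and whether it is on the system drive.
function Test-AdDataPlacement {
    $ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $paths = [ordered]@{
        'NTDS database'  = $ntds.'DSA Database file'
        'NTDS log files' = $ntds.'Database log files path'
        'SYSVOL'         = $netlogon.SysVol
    }
    foreach ($entry in $paths.GetEnumerator()) {
        [pscustomobject]@{
            Item         = $entry.Key
            Path         = $entry.Value
            OnSystemDisk = ($entry.Value -like "$($env:SystemDrive)*")   # $true is the misconfiguration
        }
    }
}

Test-AdDataPlacement | Format-Table -AutoSize
```

Any row with OnSystemDisk set to True means that component is exposed to the host-cache data-loss scenario described above.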


DNS requirements in a complex AD domain environment:

An AD domain requires DNS to work properly, so deploying DNS in a multi-domain or multi-forest environment requires some additional planning and design. When you deploy a DNS architecture to support a complex AD domain environment, you need to focus on several important configuration areas:

  1. Verify the DNS client configuration. It is best to configure at least two available DNS servers for every computer in the AD domain, and all computers must have reliable network connectivity to those DNS servers.

  2. Verify and monitor DNS name resolution. Verify that all computers, including DCs, can successfully resolve the names of all DCs in the forest. Change data for the AD domain must replicate successfully between DCs. Client computers must be able to locate a DC through its SRV record and resolve the DC's name to the corresponding IP address. In a multi-domain or multi-forest environment, client computers may also need to locate several cross-forest services, such as KMS servers, TS licensing servers, authorization servers for particular applications, and the DCs of each domain, so correct DNS name resolution is required for these services to work properly.

  3. Optimize DNS name resolution between multiple namespaces. When an enterprise deploys multiple trees in an AD forest, or deploys multiple forests, name resolution becomes more complex because several domain namespaces exist. DNS conditional forwarding, stub zones and delegation make name resolution across namespaces easier and more efficient.

  4. Use AD-integrated DNS zones. When you integrate DNS zones with the AD domain, the DNS information is stored in the AD domain and replicated through the AD replication process. This greatly optimizes DNS replication in the forest, and you can define the replication scope of a DNS zone yourself; by default, the DNS records of a specific domain are replicated to the other DNS-installed DCs in that domain. The DNS records that allow cross-domain resolution are stored in the _msdcs.forestrootdomainname zone (if your forest root domain is contoso.com, the name of this zone is _msdcs.contoso.com). The records of this zone are replicated to every DNS-installed DC in the entire forest, and this default configuration is best left unmodified.

  5. Deploy a GlobalNames zone. The GlobalNames zone lets you configure single-label name resolution for DNS names in the forest. In the past, a WINS server was deployed in the domain to support single-label name resolution; the GlobalNames zone can replace WINS, especially when you deploy the IPv6 protocol, because WINS does not support IPv6 addressing.

  6. When you extend the AD domain to Windows Azure, some extra configuration is needed. Windows Azure's built-in DNS does not support AD Domain Services, so if you want to support domain features in the cloud, you need to configure the following:

    A. Configure an AD site for the Windows Azure subnets.

    B. Register the locally deployed DNS on Windows Azure so that DNS records can be accessed from Windows Azure.

    C. Register a cloud-based DNS on Windows Azure.
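As an added example that is not part of the original article, this PowerShell function checks points 1, 2 and 4 above from a domain-joined host: at least two DNS servers per active adapter, the DC locator SRV records in the _msdcs zone of the forest and the A records of the DCs they name, and a cross-check against the DCs the directory itself lists. The forest name contoso.com is a placeholder.

```powershell
# Added example, not from the original article. Run on any domain-joined host;
# the forest name is a placeholder. Requires the DnsClient module (Windows 8 / 2012+)
# and, for the last check, the ActiveDirectory RSAT module.
function Test-AdDnsLocator {
    param([string]$Forest = 'contoso.com')

    # Point 1: every active IPv4 adapter should list at least two DNS servers.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            $result = if ($_.ServerAddresses.Count -ge 2) { 'OK' } else { 'Only one DNS server' }
            [pscustomobject]@{ Check = 'ClientDnsServers'; Target = $_.InterfaceAlias; Result = $result }
        }

    # Points 2 and 4: the forest-wide DC locator records live in _msdcs.<forest root>.
    # Each host the SRV set advertises must also resolve, or clients cannot reach that DC.
    $srvName = "_ldap._tcp.dc._msdcs.$Forest"
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        [pscustomobject]@{ Check = 'SrvLookup'; Target = $srvName; Result = 'No SRV records' }
        return
    }
    foreach ($rec in $srv) {
        $a = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' }
        $result = if ($a) { $a.IPAddress -join ',' } else { 'Unresolvable' }
        [pscustomobject]@{ Check = 'DcHostResolves'; Target = $rec.NameTarget; Result = $result }
    }

    # Cross-check: a DC known to the directory but absent from the SRV set has a
    # registration problem (for example a DC whose DNS updates are not replicating).
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        $known = (Get-ADDomainController -Filter * -Server $Forest).HostName
        foreach ($dc in $known) {
            if ($srv.NameTarget -notcontains $dc) {
                [pscustomobject]@{ Check = 'DcMissingFromDns'; Target = $dc; Result = 'Not in SRV records' }
            }
        }
    }
}

Test-AdDnsLocator -Forest 'contoso.com' | Format-Table -AutoSize
```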



This article is from the "Dry Sea Sponge" blog; please keep this source: http://thefallenheaven.blog.51cto.com/450907/1581814
