Active Directory Risks

What kinds of risks do you associate with your active directory outside of “security”? Do your auditors take any focus on your AD environment for any non “security” issues, if so can you let me know some examples of what? Do these risks match up with those associated with security, in terms of likelihood/impact?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Availibility: Do you have redundancy. Ie. avoid a single DC domain.

Performance: Does the HW need the requirements for the number of users authenticating.

Backup: Always have backups not older than the tombstone lifetime and is containing System state. Restore testing.

Network: Site to site replication. Enough bandwith. Placement of Global Catalogs (and RODCs).

Documentation: If your Enterprise admin become unavalible. Can another admin take over the task with ease.

I'm not sure that this was what you was thinking of?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
pma111Author Commented:
That is exactly what I was after - and its most appreciated.

>>Placement of Global Catalogs (and RODCs).

This is not something I am familiar with, can you clarify?
pma111Author Commented:
And some clarity on this point would be most useful:

Do you have redundancy. i.e. avoid a single DC domain.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!


DC is so critical you should aways have at least 2

Also, availability of systems themselves:
In my setup each physical server has redundant CPUs, redundant RAM, and redundant PSU's, and each is plugged into a different mains power ring
Virtual Servers use the Failover Cluster Manager so if our servers have a power cut somehow the server fails over to the other host
Our SAN volumes are replicated across 2 SANs so even if we drop a SAN we dont lose data or have any down time
Oh, and of course we have a UPS on everything...
And on top of the UPS we have a backup generator...

And each of our data lines has a DSL backup line on it (via a different ISP)

Sometimes we forget the physical thinking too much about the system
pma111Author Commented:
WHen you say redundant, for someone not really from network backgrounds, how do you mean, and how important is such redundancy, i.e. if you didnt have this redundancy what risks, and is redundancy of such items like CPU, RAM, PSU common or rare?
>>Placement of Global Catalogs (and RODCs).

Do you have multiple sites then you should have atleast one GC in each site. But that again increases the replication traffic. If you have limited bandwidh this might be a bottleneck.

RODC (Read Only DC) comes under security. Ie. you have an "unsecure" site (not placed in a secure data room). A RODC will be a good choice to place there.

Do you have redundancy. i.e. avoid a single DC domain.

This is maybe the most important step. If a DC goes awol in a single DC domain, users can't authenticate and get access to resources. If you don't have a good backup, your domain is lost!
If you have a backup, then you'll have downtime. So it is best practice to have atleast two DCs (both as GC, DNS, DHCP split scope).

Redundant: Means you have an "offline" backup, that will automatically take over in the event of a fault

Redundant CPU, memory - these are available on some servers, so that if the RAM or CPU goes pop, the server just switches over to the other and carries on

Same for the PSU (Power Supply Unit) - automatic switching saves any downtime if the main PSU goes bang

And of course this also applies to your software setup - redundant Domain Controllers in case one goes down. Redundant Firewalls. Redundant Leased Lines.

You could go on forever but there comes a point where you decide the risk has been minimised to an acceptable level
pma111Author Commented:
Thanks both very much
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.