• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 557

Building a new AD

Do there exist any best practice configuration guides for configuring and maintaining a new active directory? Not just security issues but any misconfiguration that can cause a risk. We have a new AD design document for a new IT environment and I need something to see that all areas of risk are covered in the design, and a benchmark to see designs against best practices.
0
Asked by: pma111
2 Solutions
 
Krzysztof Pytko (Active Directory Engineer) commented:
If you're interested, you may follow an article on my blog for forest root domain
http://kpytko.wordpress.com/2011/09/02/configuring-a-forest-root-domain-on-windows-server-2008-r2/

and adding additional DC
http://kpytko.wordpress.com/2011/09/05/adding-additional-domain-controller/

and after all, run the Best Practices Analyzer to see what Microsoft recommends to you.

Regards,
Krzysztof
0
 
pma111 (Author) commented:
Which BPA's are specific to AD?  And what kind of issues/risks are they looking at?

I will print out your documents, but from a risk/auditor perspective, what would be perhaps the top 10 main areas to review in new AD designs? I.e. areas of concern prior to the new AD being built.
0
 
Krzysztof Pytko (Active Directory Engineer) commented:
Auditors would be interested in:

1) Domain Controllers redundancy (at least 2 DCs per Site)
2) Security logging on Domain Controllers (by default enabled)
3) Regular system state backup of DCs
4) Restricted membership in Schema/Enterprise/Domain Admins groups
5) Documented delegated permissions to other users/groups in your environment
6) GPO management
7) No other roles on a DC like print server, file server
8) no additional shares on DCs except defaults
9) Backup and Recovery procedure for DC crash
10) at this moment have no idea ;)

Krzysztof
0
 
pma111 (Author) commented:
Thank you, what are the various pieces of an AD that need to be reviewed, i.e. I know AD has domain controllers, what else is there, if you split the AD into various pieces, and what do the various pieces actually do, in terms of AD (in low tech management friendly speak)....

1) Domain controllers - purpose.....
2) piece 2 - purpose .......
3) piece 3 - purpose.....
0
 
pma111 (Author) commented:
PS - when you build a new active directory, is there a particular order in which you build things in a new AD, if so can you produce the pertinent workflow.

And where is the AD built, i.e. are the various servers just added to the new domain, or built in a test environment not joined to the current live domain?
0
 
Lee W, MVP (Technology and Business Process Advisor) commented:
How big a directory are we talking about?  5 users?  50?  500?  5000? 50,000?
0
 
Krzysztof Pytko (Active Directory Engineer) commented:
pma111,

can you tell me please what do you mean saying

1) Domain controllers - purpose.....
2) piece 2 - purpose .......
3) piece 3 - purpose.....


?

I would like to answer you but I'm not sure what exactly do you expect? :)

Krzysztof
0
 
David Johnson, CD, MVP (Owner) commented:
Biggest items are AD and DNS replication settings.. use the strongest available.. BPA will tell you what it wants changed.  But whether or not you can do it depends upon what clients you have connecting to AD.
0
 
pma111 (Author) commented:
Directory >1000

Isiek I was just after a breakdown of all the elements that make up an AD, and what each element does. 1 element being domain controllers..
0
 
Krzysztof Pytko (Active Directory Engineer) commented:
OK, I hope I understood it properly ;)

1) Redundant Domain Controllers
2) Redundant DNS Servers
3) GPO and GPOs backup
4) System State backup of DCs
5) DHCP server(s)


AD1) At least 2 DCs per Site to prevent single point of failure (recommended configuration, all DCs with Global Catalog).
AD2) At least 2 DNS servers with appropriate forwarders or root hints configuration
AD3) Group Policies to manage AD and perform their backup
AD4) System State backup of at least one DC
AD5) Split scopes between 2 DHCP servers

If that is not the answer, please let me know and show some guides to be able to answer properly ;)

Krzysztof
0
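As an added example (not code from this thread or from any of its participants), the following read-only PowerShell script checks several of the auditor items Krzysztof lists in his two posts above: at least two DCs per site, all DCs holding the Global Catalog, restricted membership of the Schema/Enterprise/Domain Admins groups, and no shares on DCs beyond the defaults. It assumes the ActiveDirectory RSAT module is installed and that it runs as a domain user with read access to AD and to the DCs' SMB configuration.

```powershell
# Added example, not from the thread: read-only AD design/audit checks.
# Assumes the ActiveDirectory RSAT module and a domain account with read rights.
Import-Module ActiveDirectory

$findings = @()
$dcs = Get-ADDomainController -Filter *

# AD1) At least 2 DCs per site, and every DC should be a Global Catalog.
$dcs | Group-Object -Property Site | ForEach-Object {
    if ($_.Count -lt 2) {
        $findings += "Site '$($_.Name)' has only $($_.Count) DC(s) - single point of failure"
    }
}
$dcs | Where-Object { -not $_.IsGlobalCatalog } | ForEach-Object {
    $findings += "DC $($_.HostName) is not a Global Catalog"
}

# 4) Privileged group membership should be small, documented and reviewed.
#    Schema Admins is a forest-root group; in a child domain the lookup is skipped.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue)
    $names   = ($members | ForEach-Object { $_.SamAccountName }) -join ', '
    $findings += "$group has $($members.Count) member(s): $names"
}

# 8) No shares on DCs other than the defaults (admin shares, SYSVOL, NETLOGON).
$defaultShares = 'ADMIN$', 'IPC$', 'NETLOGON', 'SYSVOL'
foreach ($dc in $dcs) {
    $shares = Get-SmbShare -CimSession $dc.HostName -ErrorAction SilentlyContinue
    foreach ($share in $shares) {
        # Drive admin shares such as C$ or D$ are also expected defaults.
        $isDriveShare = $share.Name -match '^[A-Za-z]\$$'
        if (($defaultShares -notcontains $share.Name) -and -not $isDriveShare) {
            $findings += "Extra share '$($share.Name)' ($($share.Path)) on DC $($dc.HostName)"
        }
    }
}

# Report: each line is a finding or a membership listing for the auditor to review.
$findings | ForEach-Object { Write-Output $_ }
```

The script changes nothing; it only produces a list to compare against the design document and the BPA output.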
