Pau Lo asked:

Building a new AD

Do there exist any best practice configuration guides for configuring and maintaining a new Active Directory? Not just security issues but any misconfiguration that can cause a risk. We have a new AD design document for a new IT environment and I need something to check that all areas of risk are covered in the design, and a benchmark to compare designs against best practices.
ASKER CERTIFIED SOLUTION by Krzysztof Pytko (Poland)

[Solution text only available to Experts Exchange members.]
Pau Lo (asker):
Which BPAs are specific to AD? And what kind of issues/risks are they looking at?

I will print out your documents, but from a risk/auditor perspective, what would be perhaps the top 10 main areas to review in new AD designs? I.e. areas of concern prior to the new AD being built.

Krzysztof Pytko:

Auditors would be interested in:

1) Domain Controllers redundancy (at least 2 DCs per Site)
2) Security logging on Domain Controllers (by default enabled)
3) Regular system state backup of DCs
4) Restricted membership in Schema/Enterprise/Domain Admins groups
5) Documented delegated permissions to other users/groups in your environment
6) GPO management
7) No other roles on a DC like print server, file server
8) no additional shares on DCs except defaults
9) Backup and Recovery procedure for DC crash
10) at this moment have no idea ;)

Krzysztof
Pau Lo (asker):

Thank you. What are the various pieces of an AD that need to be reviewed? I.e. I know AD has domain controllers, but what else is there if you split the AD into various pieces, and what do the various pieces actually do, in terms of AD (in low-tech, management-friendly speak)...

1) Domain controllers - purpose.....
2) piece 2 - purpose .......
3) piece 3 - purpose.....
Pau Lo (asker):

PS - when you build a new Active Directory, is there a particular order in which you build things in a new AD? If so, can you produce the pertinent workflow?

And where is the AD built, i.e. are the various servers just added to the new domain, or built in a test environment not joined to the current live domain?

Comment:

How big a directory are we talking about? 5 users? 50? 500? 5000? 50,000?

Krzysztof Pytko:

pma111,

can you please tell me what you mean by

1) Domain controllers - purpose.....
2) piece 2 - purpose .......
3) piece 3 - purpose.....
?

I would like to answer you but I'm not sure what exactly you expect. :)

Krzysztof
SOLUTION

[Solution text only available to Experts Exchange members.]

Pau Lo (asker):
Directory >1000

Isiek, I was just after a breakdown of all the elements that make up an AD, and what each element does. One element being domain controllers..

Krzysztof Pytko:

OK, I hope I understood it properly ;)

1) Redundant Domain Controllers
2) Redundant DNS Servers
3) GPO and GPOs backup
4) System State backup of DCs
5) DHCP server(s)


AD1) At least 2 DCs per Site to prevent single point of failure (recommended configuration, all DCs with Global Catalog).
AD2) At least 2 DNS servers with appropriate forwarders or root hints configuration
AD3) Group Policies to manage AD and perform their backup
AD4) System State backup of at least one DC
AD5) Split scopes between 2 DHCP servers

If that is not the answer, please let me know and show some guides so I can answer properly ;)

Krzysztof
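As an added example (not code from this thread or from any of its participants), a read-only PowerShell check covering several items from the two lists above: at least two DCs per site, all DCs holding the Global Catalog, restricted Schema/Enterprise/Domain Admins membership, and no extra roles or non-default shares on DCs. It assumes the RSAT ActiveDirectory and ServerManager modules, that it runs from the forest root domain, and that the account can query each DC over WinRM/CIM; the `$allowed` list is a placeholder to fill from the design document.

```powershell
# Added audit example; assumes RSAT ActiveDirectory + ServerManager modules and
# remote CIM/WinRM access to each DC. Reports findings, changes nothing.
Import-Module ActiveDirectory
Import-Module ServerManager

$findings = New-Object System.Collections.Generic.List[string]

# Item 1 / AD1: at least two DCs per site, every DC a Global Catalog
$dcs = Get-ADDomainController -Filter *
$dcs | Group-Object Site | Where-Object { $_.Count -lt 2 } |
    ForEach-Object { $findings.Add("Site '$($_.Name)' has only $($_.Count) DC") }
$dcs | Where-Object { -not $_.IsGlobalCatalog } |
    ForEach-Object { $findings.Add("DC $($_.HostName) is not a Global Catalog") }

# Item 4: membership of the highest-privilege groups must be small and documented
$allowed = @('Administrator')   # placeholder: expected members from the design document
foreach ($group in 'Schema Admins', 'Enterprise Admins', 'Domain Admins') {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $allowed -notcontains $_.SamAccountName } |
        ForEach-Object { $findings.Add("Unexpected member of '$group': $($_.SamAccountName)") }
}

# Items 7 / 8: no print/file server role and no non-default shares on any DC
$defaultShares = 'ADMIN$', 'IPC$', 'NETLOGON', 'SYSVOL'
foreach ($dc in $dcs) {
    Get-SmbShare -CimSession $dc.HostName |
        Where-Object { $_.Name -notin $defaultShares -and $_.Name -notmatch '^[A-Z]\$$' } |
        ForEach-Object { $findings.Add("Non-default share on $($dc.HostName): $($_.Name)") }
    Get-WindowsFeature -ComputerName $dc.HostName -Name Print-Server, FS-FileServer |
        Where-Object { $_.Installed } |
        ForEach-Object { $findings.Add("Extra role on $($dc.HostName): $($_.Name)") }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Drive-letter admin shares (C$, D$) are treated as default; anything else on a DC is listed for review against the design document.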