Windows Server 2003 (R2) Active Directory Infrastructure Best Practices

Make sure that schema version has been upgraded to R2 levels before installing Windows Server 2003 R2 on any DC.

Make sure that all sites listed in DNS contain proper SRV (Service) records.

Use automatically generated connection objects, unless a specific reason exists to hard-code replication pathways.

To troubleshoot and validate AD replication use repadmin and replmon.

Don’t turn off site link bridging unless you want to make your DC replication dependent on the explicit site links that your created.

-Eric

Best Practices of designing a Windows Server 2003 (R2) AD Organisational Unit and Group structure

If you are confused about domain groups, try to remember the following. Use domain local groups to control access to resources, and use global groups to organise similar groups of users.

• Set up OU structure, and move your user and computer objects from default Users and Computers containers.
• While designing the OU structure, keep in mind the principle as simple as possible.
• When designing OU structure, try to keep OUs 3 layers deep, if possible. You can use more layers, if needed, but don’t nest OUs more than 10 layers deep.
• Use OUs only when necessary, and try to keep their number minimal.
• Apply Group Policy to members of groups through Group Policy Membership Filtering where possible.
• Use domain local groups to control access to resources, and use global groups to organize similar groups of users.
• Use distribution groups or mail-enabled security groups to create email distribution lists in environments with Exchange 2003/2007.
• Mail-enable security groups if separation of security and email functionality is not required.
• Don’t delete/re-create groups randomly, because each of them has a unique SID.
• Don’t include users from other Mixed mode domains in a forest in universal groups.
• Don’t use local groups for permissions in a domain environment.

-Eric

Best Practices of designing a Windows Server 2003 (R2) Active Directory

• Understand completely Active Directory’s structure before designing.
• Secure external namespaces via registration, so that i can’t be used anywhere on the Internet.
• Start your domain design by considering the simplest solution/model first (single domain model).
• Consider using multiple domains only for specific reasons.
• Consider using federated forest design, when uniting two different Active Directory structures.
• Use sites to control and optimize replication traffic.
• Upgrade any down-level clients to reduce administration and maintenance.
• Use domain rename only when faced with no other alternative.

 

-Eric

Windows Server 2003 (R2) Active Directory Best Practices

General:

• Purchase any external domain namespaces that in theory could be used and bought on the Internet.
• Don’t set up multiple domains for different remote (branch) offices or sites. Design domains sparingly.
• Consider using Dynamic DNS in an Active Directory environment.
• Consider using cross-forest transitive trusts between two different Active Directory forests when merging them is not an option.
• Establish as a site to every geographic area that requires fast access to the latest directory information.
• In every site place at least one domain controller. Also in every site make at least one domain controller a global catalog server.
• Unless all domain controllers in the domain are global catalog servers or you have a single domain environment, place the infrastructure master role on a domain controller that isn’t also a global catalog.
• To transfer FSMO roles in disaster recovery situations, use the ntdsutil utility.
• Use global groups to contain users in the domain in which they exist but also to grant access to resources in other trusted domains.
• Use universal groups to contain users from any domain in the forest and to grant access to any resource in the forest.
• Perform regular backups of domain controllers in order to preserve all trust relationships within that domain.

Security:

• Don’t log on to your computer with administrative credentials.
• Rename or disable the Administrator account (and guest account) in each domain to prevent attacks on your domains.
• Physically secure all domain controllers in a locked room.
• Manage the security relationship between two forests and simplify security administration and authentication across forests.
• To secure AD schema a bit more, remove all users from the Schema Admins group, and add a user to the group only when you need to mate schema changes. Once done, remove the added user from the group again.
• Restrict user, group, and computer access to shared resources and to filter Group Policy settings.
• Avoid disabling the use of signed or encrypted LDAP traffic for Active Directory administrative tools.
• Some default user rights assigned to specific default groups may allow members of those groups to gain additional rights in the domain, including administrative rights. Therefore, your organisation must equally trust all personnel that are members of the Enterprise Admins, Domain Admins, Account Operators, Server Operators, Print Operators and Backup Operators groups.
• Use global groups or universal groups instead of domain local groups when specifying permissions on domain directory objects replicated to the global catalog.

 

-Eric