Home > Active Directory, Microsoft, Windows Server > Windows Server 2003 (R2) Active Directory Best Practices
Windows Server 2003 (R2) Active Directory Best Practices
- Purchase any external domain namespaces that in theory could be used and bought on the Internet.
- Don’t set up multiple domains for different remote (branch) offices or sites. Design domains sparingly.
- Consider using Dynamic DNS in an Active Directory environment.
- Consider using cross-forest transitive trusts between two different Active Directory forests when merging them is not an option.
- Establish as a site to every geographic area that requires fast access to the latest directory information.
- In every site place at least one domain controller. Also in every site make at least one domain controller a global catalog server.
- Unless all domain controllers in the domain are global catalog servers or you have a single domain environment, place the infrastructure master role on a domain controller that isn’t also a global catalog.
- To transfer FSMO roles in disaster recovery situations, use the ntdsutil utility.
- Use global groups to contain users in the domain in which they exist but also to grant access to resources in other trusted domains.
- Use universal groups to contain users from any domain in the forest and to grant access to any resource in the forest.
- Perform regular backups of domain controllers in order to preserve all trust relationships within that domain.
- Don’t log on to your computer with administrative credentials.
- Rename or disable the Administrator account (and guest account) in each domain to prevent attacks on your domains.
- Physically secure all domain controllers in a locked room.
- Manage the security relationship between two forests and simplify security administration and authentication across forests.
- To secure AD schema a bit more, remove all users from the Schema Admins group, and add a user to the group only when you need to mate schema changes. Once done, remove the added user from the group again.
- Restrict user, group, and computer access to shared resources and to filter Group Policy settings.
- Avoid disabling the use of signed or encrypted LDAP traffic for Active Directory administrative tools.
- Some default user rights assigned to specific default groups may allow members of those groups to gain additional rights in the domain, including administrative rights. Therefore, your organisation must equally trust all personnel that are members of the Enterprise Admins, Domain Admins, Account Operators, Server Operators, Print Operators and Backup Operators groups.
- Use global groups or universal groups instead of domain local groups when specifying permissions on domain directory objects replicated to the global catalog.