Home > Active Directory, Microsoft, Windows Server > Windows Server 2003 (R2) Active Directory Best Practices

Windows Server 2003 (R2) Active Directory Best Practices

General:

  • Purchase any external domain namespaces that in theory could be used and bought on the Internet.
  • Don’t set up multiple domains for different remote (branch) offices or sites. Design domains sparingly.
  • Consider using Dynamic DNS in an Active Directory environment.
  • Consider using cross-forest transitive trusts between two different Active Directory forests when merging them is not an option.
  • Establish as a site to every geographic area that requires fast access to the latest directory information.
  • In every site place at least one domain controller. Also in every site make at least one domain controller a global catalog server.
  • Unless all domain controllers in the domain are global catalog servers or you have a single domain environment, place the infrastructure master role on a domain controller that isn’t also a global catalog.
  • To transfer FSMO roles in disaster recovery situations, use the ntdsutil utility.
  • Use global groups to contain users in the domain in which they exist but also to grant access to resources in other trusted domains.
  • Use universal groups to contain users from any domain in the forest and to grant access to any resource in the forest.
  • Perform regular backups of domain controllers in order to preserve all trust relationships within that domain.

Security:

  • Don’t log on to your computer with administrative credentials.
  • Rename or disable the Administrator account (and guest account) in each domain to prevent attacks on your domains.
  • Physically secure all domain controllers in a locked room.
  • Manage the security relationship between two forests and simplify security administration and authentication across forests.
  • To secure AD schema a bit more, remove all users from the Schema Admins group, and add a user to the group only when you need to mate schema changes. Once done, remove the added user from the group again.
  • Restrict user, group, and computer access to shared resources and to filter Group Policy settings.
  • Avoid disabling the use of signed or encrypted LDAP traffic for Active Directory administrative tools.
  • Some default user rights assigned to specific default groups may allow members of those groups to gain additional rights in the domain, including administrative rights. Therefore, your organisation must equally trust all personnel that are members of the Enterprise Admins, Domain Admins, Account Operators, Server Operators, Print Operators and Backup Operators groups.
  • Use global groups or universal groups instead of domain local groups when specifying permissions on domain directory objects replicated to the global catalog.

 

-Eric

Advertisements
  1. October 28, 2009 at 10:51 pm

    Hi Eric,

    Thanks for sharing your insightful thoughts and suggestions on AD Best Practices, espcially for R2 as well – very helpful, and appreciated indeed.

    On a related note, we needed a quick and efficient way to enumerate nested security groups for security audits (i.e. find out which groups were nested in other groups.) So we asked our on-site MS consultant and he recommended using the Gold Finger from Paramount Defenses Inc.

    Gold Finger pleasantly surprised us because not only was it endorsed by Microsoft but also 100% FREE and loaded with almost 250 useful Active Directory security, Exchange and ACL management reports. BTW, you can download it for free from http://goldfinger.paramountdefenses.com

    Thought I’d share this with you incase it could help you too, especially if you have like on-demand reporting.

    Thanks again, and looking forward to your next post.

    Best wishes,
    Jonathan

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: