Executive Summary
Many organizations have sub-optimal AD structures that mirror the org chart or political boundaries rather than administrative needs, leading to unnecessary complexity and higher administration costs.
A single forest and single domain is best for most small or mid-sized companies.
Introduce multiple forests or domains only when there are justifiable legal, business, or technical needs to isolate parts of the organization or grant autonomy.
A key decision facing organizations is when to migrate to Windows 2008 R2 AD. Although the new security and administration features are significant, by themselves they do not warrant a migration project.
Wait for opportunities to migrate as part of another project, such as a hardware refresh or an overall mandate to standardize on Windows 2008 or 2008 R2.
Companies that take full advantage of online Microsoft resources have good success with migration, and do not need third-party consultants or tools.
Feature Descriptions
Feature Rankings
Migration Decision
Migration Workflow
Use Active Directory to organize your network, facilitate administration, and in some cases isolate resources
Active Directory's primary purpose is authenticating users logging on to the network and granting access rights. AD uses the concept of containers to organize users and computers into a hierarchical framework to facilitate administration or isolate resources.
Container: Description
Forest: The top of the AD hierarchy; it provides a boundary between the organization's network and external networks. Multiple forests are required only if parts of the organization must be completely isolated from each other.
Domain: Domains provide administrative and replication boundaries within a forest (the domain partition replicates only among that domain's DCs). A forest requires at least one domain and may be divided into multiple domains. Each domain contains at least one Domain Controller (DC) server, which holds the AD configuration settings and the user credentials required for authentication. Access between domains can be accomplished where required through trust relationships; domains in the same forest trust each other automatically.
Organizational Units (OUs): OUs are optional. They divide the domain into smaller units to facilitate or delegate administration.
Groups: Groups are not a subset of OUs, but a way to organize users within a domain for the purpose of applying permissions and group policies. Strictly, a Group Policy Object is linked to a site, domain or OU; the group is used in the GPO's security filtering to decide which users and computers within that scope actually apply it. Software can also be deployed based on group membership. Group policies do not follow users across domains, so they must be duplicated when there are multiple domains.
Info-Tech Research Group
Optimize the replication topology to reduce the need for regional domains or more expensive WAN links
The Domain Controller (DC) servers hold the AD configuration settings and user credentials. The DC databases are replicated to every other DC in the domain to allow authentication and administration to take place at any location. This generates significant network traffic. Creating regional domains is one way to reduce cross-country replication traffic, but is often not necessary if you can optimize the replication topology:
Replication Topology: The network connections that enable each DC's changes to be replicated to all other DCs.
Knowledge Consistency Checker (KCC): Creates the replication topology based on the best available connections between DCs.
Sites: Each location can be identified as a site to optimize network traffic between locations. Authentication and service requests are directed to the closest DC. While the KCC defines the replication topology within a site, you define the links between sites to minimize WAN traffic. For example, funnel the replication through a central site to minimize coast-to-coast traffic, as in the single-domain, three-site layout described below.
Figure: Single domain with three locations/sites. DC servers in each location allow for local authentication. Cross-country replication traffic is funneled through DCs in a central site.
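The hub-and-spoke site topology described above, as an added example that is not part of the Info-Tech deck. It assumes the ActiveDirectory module from Windows Server 2012 or later RSAT (the *-ADReplication* cmdlets do not exist in the 2008 R2 module), Enterprise Admin rights, and the constructed site names Central, WestCoast and EastCoast with constructed subnets; adjust both to your network.

```powershell
# Added example (not from the Info-Tech deck): build a hub-and-spoke replication
# topology for a single domain with three sites. Site names and subnets are constructed.
Import-Module ActiveDirectory

$hub       = 'Central'                 # site that relays cross-country replication
$hubSubnet = '10.30.0.0/16'
$spokes    = @{                        # constructed example subnets
    'WestCoast' = '10.10.0.0/16'
    'EastCoast' = '10.20.0.0/16'
}

# 1. Sites plus subnet-to-site mapping, so clients and DCs are placed in the right site
#    and authentication goes to the closest DC.
New-ADReplicationSite   -Name $hub -ErrorAction SilentlyContinue
New-ADReplicationSubnet -Name $hubSubnet -Site $hub -ErrorAction SilentlyContinue
foreach ($site in $spokes.Keys) {
    New-ADReplicationSite   -Name $site -ErrorAction SilentlyContinue
    New-ADReplicationSubnet -Name $spokes[$site] -Site $site -ErrorAction SilentlyContinue
}

# 2. One site link per spoke, each containing only the hub and that spoke. With no link
#    joining the two coasts directly, the KCC routes their traffic through the hub.
#    Cost and interval are assumptions; tune them for the WAN.
foreach ($site in $spokes.Keys) {
    New-ADReplicationSiteLink -Name "$hub-$site" `
        -SitesIncluded $hub, $site `
        -InterSiteTransportProtocol IP `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 60 `
        -ErrorAction SilentlyContinue
}

# 3. "Bridge all site links" (the default) lets the KCC treat links as transitive and
#    create coast-to-coast connections anyway. Turn it off by setting bit 0x2
#    ("bridges required") on the IP transport container so the hub is the only path.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
$opts = (Get-ADObject -Identity $ipTransport -Properties options).options
Set-ADObject -Identity $ipTransport -Replace @{ options = ($opts -bor 2) }

# 4. Review the links, then (after the KCC runs, or 'repadmin /kcc') confirm with
#    'repadmin /showconn' that no connection object joins WestCoast and EastCoast directly,
#    and with 'repadmin /replsummary' that every DC replicates without errors.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

Step 3 is the part most often missed: without it the site links you drew are only cost hints, and a directly reachable coastal DC may still be chosen as a replication partner.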
Understand the concepts of administration, isolation and autonomy to further assess the need for multiple forests/domains
Restricting administrator access is the primary reason for isolation and autonomy.
Concept: Description
Service Administrators: Manage the overall AD environment, including configuration settings and DC maintenance. Service administrators are, in effect, also data administrators, since they have access to all systems.
Data Administrators: Manage a subset of the AD environment, e.g., manage data and member computers.
Isolation
Required when it is necessary to keep other administrators from viewing a subset of data or interfering with administration. For example, legal factors may require certain data or business units to be isolated.
Isolation requires a separate forest. The forest, not the domain, is the security boundary: a domain still falls under the supervision and control of forest-level service administrators (Enterprise Admins, Schema Admins and anyone with administrative control of any DC in the forest), so no lower level can be isolated from them.
Autonomy
Required when part of the AD environment needs to be managed independently. Since autonomy rather than isolation is required, this need can be met with separate domains or potentially OUs depending on the level of autonomy required.
Info-Tech Insight:
Small and mid-sized organizations often have a single centralized administration team, so they have no requirement to create isolation or autonomy from other administrators.
Multiple forests and domains lead to greater complexity and higher administration costs
Multiple forests and multiple autonomous domains require dedicated administration teams, increasing costs. The added complexity also requires more administration effort. Examples of costs due to multiple forests and domains:
- To achieve true isolation, each forest requires its own administration team. Similarly, multiple domains created to achieve autonomy require their own administration teams.
- Unless each forest or domain is completely independent (no shared resources and no users who require access to the other forest), multiple forests/domains typically require trust relationships to allow some access. Each trust is also an access path: a compromise on the trusted side can be used against the trusting side, so trusts must be scoped and reviewed like any other privilege.
- Group policy settings need to be duplicated in each domain.
"I don't want to create a separate domain and give the local IT guy the keys to the kingdom just because he wants to administer his own users."
Senior Systems Administrator, National Transportation Company
Avoid politically motivated Active Directory designs that lead to unnecessary multiple forests or domains
Ensure your requirements for multiple forests or domains are real business or technical needs. Below are examples of potential needs:
Need: For security or legal reasons, a data subset must be isolated. Requirement: Isolation. Recommendation: This will require a separate forest to achieve isolation. Limit the number of forest administrators and members.
Need: Account for anticipated divestiture. Requirement: Isolation. Recommendation: If you are certain that a division will be sold, you can simplify eventually splitting off that AD environment by setting it up as a separate forest.
Need: AD-related development projects. Requirement: Isolation. Recommendation: Minimize the risk of developers inadvertently affecting the rest of the network by creating a separate forest for the development work.
Further rows of the table survive only as their design requirement: Autonomy; Autonomy or Administration Delegation.
Further improve administration by using Groups rather than OUs to organize users for the purpose of applying group policies
The primary purpose of OUs is to delegate administration, not to administer group policies.
It is not necessary to create an OU for each department if it serves no administrative purpose. When it comes to organizing users and resources for the purpose of administering policies, use groups rather than OUs:
- OUs demand exclusive membership: a user or computer object sits in exactly one OU. A user who belongs to the Sales OU but has tasks requiring R&D systems would require the creation of a dedicated Sales/R&D hybrid OU to ensure that the appropriate permissions exist.
- Groups are non-exclusive, so the same user can be enrolled in both the Sales and R&D groups with no additional administration. Link the GPO at the domain (or a high-level OU) and use its security filtering so that only members of the group apply it. Whoever can change that group's membership then controls who receives the policy, so membership changes to filtering groups should be restricted and audited.
Info-Tech Insight:
Software can also be deployed based on group membership. Using the scenario above, if deploying software to the R&D group, the Sales staff who also perform R&D are included.
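The group-based targeting described above, as an added example that is not part of the Info-Tech deck. It uses the GroupPolicy and ActiveDirectory modules (both present in Windows Server 2008 R2 RSAT) and assumes constructed names: a GPO "R&D Workstation Settings", groups Sales and R&D, and users alice (Sales, also doing R&D) and bob.

```powershell
# Added example (not from the Info-Tech deck): apply a GPO by group membership
# rather than by OU placement. GPO, group and user names are constructed.
Import-Module ActiveDirectory, GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$gpoName  = 'R&D Workstation Settings'

# 1. Non-exclusive groups: alice is in both Sales and R&D without any OU change.
foreach ($g in 'Sales', 'R&D') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDN"
    }
}
Add-ADGroupMember -Identity 'Sales' -Members 'alice', 'bob'
Add-ADGroupMember -Identity 'R&D'   -Members 'alice'

# 2. Link the GPO at the domain so its scope does not depend on the OU tree.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 3. Security filtering: Authenticated Users keeps Read (clients must be able to read
#    a GPO to evaluate it) but loses Apply; only R&D members apply the policy.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'R&D' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Verify who can apply the GPO. On a client, 'gpresult /r /scope:user' shows
#    whether it was applied or filtered out for the logged-on user.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Because the R&D group now decides who receives the policy, protect it like the GPO itself: restrict who can modify its membership and audit changes to it.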
Case Study: Use a single forest and single domain design to streamline administration complexity and costs
Many organizations large and small have a single forest and domain, and instead use organizational units to subdivide administration.
AD Design: Explanation
- Single forest, single domain: no domain trust relationships are required.
- Each location has its own local administrator, so locations are set up as separate OUs.
- DC replication is funneled through the central location to minimize cross-country traffic.
- A single set of Sales and Management group policies can be applied to users in all locations because they are all in the same domain.
Contrasting design (two forests):
- The west coast location is set up as a separate forest with its own domain.
- A one-way trust enables the west coast facility to access east coast resources, but reverse access is not permitted.
- Each location has its own local administrator, so they are set up as separate OUs.
- Sales and Management groups and policies must be duplicated in each forest/domain.
Windows 2008 (R1) added security enhancements such as Fine-Grained Password Policies and Read-Only Domain Controllers
Feature: Description
- Auditing: Enables you to specify which operations to audit and include in the security log.
- Fine-Grained Password Policies: Supports multiple password policies per domain, enabling administrators to implement more restrictive policies where warranted.
- Owner Rights: Enables administrators to specify Owner Rights to override the default access rights granted to an object's owner.
- Read-Only Domain Controllers: Holds no account passwords by default, and replication is one-way, inbound to the RODC only, so a compromised RODC cannot push changes to the rest of the network. Caveat: any account whose password the RODC has been allowed to cache (its Password Replication Policy) is exposed if the RODC is stolen; keep privileged accounts out of that list.
- Restartable Active Directory Domain Services: Provides the ability to stop and start AD Domain Services to perform tasks such as security updates without having to restart the DC server.
- Database Mounting Tool: In a recovery situation, enables you to compare AD backups or snapshots taken at different times to determine which backup is the best one to restore.
Windows 2008 R2 introduced the Administrative Center and more security enhancements
Feature: Description
- Administrative Center: Centralizes administration tools and objects in a task-oriented interface, with a search function for locating and navigating to an object.
- Authentication Mechanism Assurance: Adds a designated group to the user's access token according to the certificate-based method (for example, a smart card) used at logon, so administrators can impose greater restrictions on sessions that were not authenticated that way, such as logons from personal devices.
The new Administrative Center was voted as offering the most benefit to organizations
Security features such as Managed Service Accounts, Fine-Grained Password Policies, and Authentication Mechanism Assurance also scored high.
- Administrative Center: Saves time with a task-oriented interface and features such as a welcome page that remembers your common tasks.
- Managed Service Accounts: Automated password management and simpler service principal name (SPN) management make it easier to run key shared applications under dedicated, least-privilege accounts instead of shared or administrator credentials.
- Fine-Grained Password Policies: Allows for multiple password policies without having to create multiple domains.
- Authentication Mechanism Assurance: Provides the means to apply greater restrictions when users log in from a personal device.
For more details on these features, including special considerations, see Appendix B: New Active Directory Features. In addition, there have been several group policy enhancements, as described in the Microsoft article What's New in Group Policy for Windows 7 and Windows Server 2008 R2.
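A Managed Service Account set up end to end, as an added example that is not part of the Info-Tech deck. It uses the 2008 R2 ActiveDirectory module cmdlets and assumes the forest schema has been extended for 2008 R2, plus constructed names: account svc-webapp, host APPSRV01, service WebApp and SPN HTTP/app.corp.example.com. A 2008 R2 MSA is bound to a single host; on Windows Server 2012 and later the same command needs -RestrictToSingleComputer (group MSAs are a separate feature not covered here).

```powershell
# Added example (not from the Info-Tech deck): create a Managed Service Account so a
# service runs under an account whose password AD rotates and no human ever knows.
# Names are constructed.
Import-Module ActiveDirectory

$msaName  = 'svc-webapp'
$hostName = 'APPSRV01'
$domainDN = (Get-ADDomain).DistinguishedName

# 1. From an admin workstation: create the MSA in the default container and bind it
#    to exactly one host. Only that host's computer account can retrieve the password.
New-ADServiceAccount -Name $msaName -Path "CN=Managed Service Accounts,$domainDN" -Enabled $true
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

#    SPNs on the MSA let clients authenticate to the service with Kerberos instead of
#    falling back to NTLM. The SPN values are constructed.
Set-ADServiceAccount -Identity $msaName -ServicePrincipalNames @{
    Add = 'HTTP/app.corp.example.com', 'HTTP/app'
}

# 2. On APPSRV01 itself, once: install the account locally and verify the binding.
#    Test-ADServiceAccount returns $true only on a host allowed to use the MSA.
Install-ADServiceAccount -Identity $msaName
Test-ADServiceAccount -Identity $msaName

# 3. Point the service at CORP\svc-webapp$ (note the trailing $) with a blank password;
#    Windows fetches the real password from AD. sc.exe is used because Set-Service
#    cannot change the logon account in 2008 R2.
sc.exe config 'WebApp' obj= "CORP\$msaName`$" password= ""

# 4. Confirm the account is a MSA, enabled, and carries the expected SPNs.
Get-ADServiceAccount -Identity $msaName -Properties ServicePrincipalNames, HostComputers |
    Select-Object Name, Enabled, HostComputers, ServicePrincipalNames
```

The point a reviewer would check afterwards is the SPN set: a duplicate SPN elsewhere in the domain breaks Kerberos for the service, and `setspn -X` lists duplicates.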
Although the new Active Directory features are significant, they do not justify a migration on their own for most companies
Many companies have deferred migrating to 2008 or 2008 R2 because their Windows 2003 DCs continue to meet their needs and are compatible with most Windows 2008-based applications and systems.
Over 80% of survey respondents indicated Standardizing on Windows 2008 among their reasons to migrate their AD. Although the new AD features also scored high, only 2% of respondents selected that as the only reason to migrate. As more companies begin to plan a Windows 7 rollout, the Windows 7 functionality supported by AD is also becoming a motivating factor. Similarly, a need to restructure the AD environment or refresh DCs provides a reason to migrate.
Source: Info-Tech survey. N=98
Wait for opportunities to migrate, such as a project that requires 2008 functionality or an infrastructure upgrade
Opportunity: Why Migrate?
- Hardware Refresh: When a DC is due for a refresh, replace it with a Windows 2008 R2 server to put you in a position to later migrate your AD environment to 2008 R2.
- Standardize on Windows 2008: Corporate standard is the leading adoption driver for Windows 2008 (see Info-Tech's article Why Windows Server 2008? Users Speak Out). Note that Windows 2003 continues to be compatible with most Windows 2008-based systems, including Exchange Server 2007 and 2010 (see Microsoft's Exchange Server Supportability Matrix).
- Windows 7 Rollout: Windows 7 remote connectivity features (BranchCache, DirectAccess) available with 2008 R2 AD make it worthwhile to consider migrating your AD environment to 2008 R2 as part of your overall Windows 7 project.
- Active Directory Needs to be Restructured: If your AD structure is in need of an overhaul, consider migrating to 2008 R2 at the same time to leverage the new features such as the improved administration functionality.
"I like the compatibility with Windows 7, and the additional group policy settings."
IT Manager, Marketing Company
Use the Active Directory Migration Readiness Assessment Tool to determine whether, when, and how you should migrate
This tool will identify whether to migrate, based on your needs and opportunity, and recommend a migration method (in-place, transition, or restructure).
The tool will ask you to indicate the following: 1. Critical needs for the new AD features. 2. Projects underway that would require 2008/2008 R2 AD.
Migrating to 2008 R2
Once you have decided to migrate, choose the migration method that fits your circumstances
Three migration methods are available; which ones apply depends partly on the source server:
- In-Place Upgrade (stay on the existing server)
- Transitioning (maintain the existing structure while migrating to a new server)
- Restructuring (build a new AD structure on new servers and migrate into it)
Source paths covered by the deck (details not recovered):
- 2000 to 2008 R2
- NT to 2008 R2
The general workflows described in this section also apply to migration to Windows 2008 (R1), with the exception of system requirements specific to 2008 R2 (e.g., 2008 R1 can be 32- or 64-bit, while 2008 R2 is 64-bit only).
Regardless of migration method, always back up DCs and assess your environment for 2008 R2 compatibility before you begin
Before You Begin
Record your current Directory Services Restore Mode (DSRM) password in case you need to revert; it is the only credential that works when a DC is booted into restore mode.
"Our biggest lesson learned was that we didn't do a good job of documenting the customized settings. We will now for next time."
Server Systems Administrator, Government Agency
In-Place Upgrade offers the cheapest, but also the riskiest and least beneficial migration
What's Involved?
Info-Tech Insight:
If a new Domain Controller or 2008 R2 license is not in your budget, defer migration if possible until you have the resources to migrate to a new server.
Later steps of the in-place workflow (earlier steps not recovered):
- Raise the forest functional level. Caution: once you've raised the forest functional level, you cannot roll it back.
- Enable AD optional features such as Recycle Bin if you wish to take advantage of them.
- Run the Active Directory Best Practices Analyzer. Make any appropriate changes based on the analysis results.
Transitioning provides a safe migration path plus the benefits of either new hardware or a move to virtualization
What's Involved? The AD environment is transferred from existing DCs to Windows 2008 R2 servers. The existing DCs are decommissioned or repurposed.
Benefits: Current AD settings are retained (schema, group policies, etc.). Can migrate to new hardware (longer shelf-life going forward and better performance) or to a virtualized server. Less downtime, because the existing DC can stay operational during most of the migration.
Disadvantages: More expensive, requiring either a new server or an additional virtual server license.
Additional Information: Active Directory Domain Services and DNS Server Migration Guide; Active Directory Certificate Services Migration Guide
Info-Tech Insight:
Transitioning is the most common migration method, offers the least disruption to services, and provides the option of migrating from a physical server to a virtualized environment.
Transition workflow:
- Add a Windows 2008 R2 server to your AD environment, and then promote the server to a DC (dcpromo command). Keep the domain functional level at 2003 until the end of the migration process. For details, see Microsoft's document Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2.
- Check the dcpromo.log and dcpromoui.log log files to ensure there are no issues.
- Install additional 2008 R2 DCs if applicable.
- Follow the steps in Microsoft's AD DS and DNS Server Migration: Preparing to Migrate to get ready to migrate.
- Transfer DNS settings and FSMO roles to the new server, as outlined in Microsoft's AD DS and DNS Server Migration: Migrating the AD DS and DNS Server Roles.
- Raise the domain functional level. Caution: once you've raised the domain functional level, you cannot roll it back.
- Raise the forest functional level. Caution: once you've raised the forest functional level, you cannot roll it back.
- Enable AD optional features such as Recycle Bin if you wish to take advantage of those features.
- Run the Active Directory Best Practices Analyzer. Make any appropriate changes based on the analysis results.
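The checks, role transfer and functional-level steps of the transition workflow, as one added example that is not part of the Info-Tech deck. It is run on the new 2008 R2 DC after dcpromo, uses the 2008 R2 ActiveDirectory module plus repadmin, dcdiag and netdom, and assumes Enterprise Admin rights and constructed names: domain corp.example.com, old DC DC2003, new DC DC2008R2. Review each step before running it; the functional-level changes cannot be undone, which is why they are gated on no older DC remaining.

```powershell
# Added example (not from the Info-Tech deck): post-dcpromo checks, FSMO transfer and
# gated functional-level raise for a 2003 -> 2008 R2 transition. Names are constructed.
Import-Module ActiveDirectory
$domain = 'corp.example.com'
$newDC  = 'DC2008R2'

# 0. Before moving anything: a system-state backup of the old DC (run on DC2003) and a
#    DSRM password you have recorded for the new DC. Both prompt interactively:
#      wbadmin start systemstatebackup -backupTarget:E: -quiet
#      ntdsutil "set dsrm password" "reset password on server null" q q

# 1. Confirm the promotion logged no errors and replication is healthy before
#    making the new DC authoritative for anything.
Select-String -Path "$env:SystemRoot\debug\dcpromo.log", "$env:SystemRoot\debug\dcpromoui.log" `
    -Pattern 'error|fail' | Select-Object -First 20
repadmin /replsummary
dcdiag /test:replications /test:fsmocheck /q

# 2. Transfer all five FSMO roles to the new DC. This is a transfer (the old DC must be
#    online and agree); seizure (-Force) is only for a source DC that is gone for good.
Move-ADDirectoryServerOperationMasterRole -Identity $newDC `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false
netdom query fsmo

# 3. Gate the irreversible step: raise levels only when no 2000/2003/2008 R1 DC remains.
#    In a multi-domain forest every domain must be at 2008 R2 before the forest level.
$older = Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -match 'Server 200[03]|Server 2008(?! R2)' } |
    Select-Object Name, OperatingSystem
if ($older) {
    Write-Warning 'Demote or upgrade these DCs before raising functional levels:'
    $older | Format-Table -AutoSize
} else {
    Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain -Confirm:$false
    Set-ADForestMode -Identity $domain -ForestMode Windows2008R2Forest -Confirm:$false
    # Recycle Bin is forest-wide and, once enabled, cannot be disabled.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $domain -Confirm:$false
}

# 4. Record the end state for the change ticket.
Get-ADDomain | Select-Object DNSRoot, DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object Name, ForestMode, SchemaMaster, DomainNamingMaster
```

The old DC is demoted only after the roles have moved and replication has been clean for a settling-in period; demoting it first would strand whichever roles it still held.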
Use Restructuring when your current environment is sub-optimal to the point where starting from scratch is the best recourse
Restructuring will add time to the migration; however, if a restructure is required, it's also an opportunity to start over in a clean environment.
What's Involved? A new AD structure is built on new Windows 2008 R2 servers. The existing DCs are decommissioned or repurposed.
Benefits: Less downtime, because the existing DC can stay operational during most of the migration. An opportunity to revamp your AD environment and put in place an optimal structure.
Disadvantages: More expensive, requiring either a new server or an additional virtual server license. More time required to plan and create the new AD environment as well as plan the move to 2008 R2.
Additional Information: Best Practice Active Directory Design for Managing Windows Networks; ADMT Guide: Migrating and Restructuring Active Directory Domains
Final step of the restructuring workflow (earlier steps not recovered): after you have allowed a settling-in period and there are no replication errors or other issues, demote the old DCs.
If you are considering virtual DCs, use a combination of physical and virtual DCs to meet performance demands
While virtualization enables hardware cost savings, it is not ideal for Domain Controllers.
Potential Performance Issues: DCs make intensive use of RAM. Since RAM is shared with all the other virtual servers hosted on the same hardware, it may not be sufficient to support a busy DC. Microsoft recommends physical DCs for the following roles: Global Catalogs, FSMO roles, DNS server. Additional Information: Microsoft KB article 888794; Deployment Considerations for Virtualized Domain Controllers.
Two further cautions for virtual DCs: never roll a DC back to a hypervisor snapshot (on 2008 R2 this causes USN rollback, after which the DC is quarantined from replication; KB 888794 covers it), and treat the hypervisor administrators and the storage holding the DC's disk as domain administrators, since anyone with access to the virtual disk has the directory database and every password hash in it.
Potential Support Issues: As a general rule, Microsoft does not test or support its software running on non-Microsoft virtualization technology (e.g., VMware). Those with Premier-level support do qualify for assistance but may need to reproduce the problem on a physical server or a Microsoft virtualization product. Supported Microsoft virtualization environments: Windows 2008 and later with Hyper-V; Microsoft Hyper-V Server 2008 and later; Server Virtualization Validation Program. Additional Information: Microsoft KB article 897615; Microsoft KB article 957006.
Summary
When creating your AD environment, use a single forest and single domain design unless there are strong business or technical reasons for multiple forests or domains.
Use groups rather than OUs to organize users and facilitate applying group policies. Use OUs when you need to delegate administration.
The new 2008 R2 Administrative Center centralizes and streamlines administration. Key security enhancements include Managed Service Accounts, Fine-Grained Password Policies, and Authentication Mechanism Assurance. Although the new features are significant, they do not warrant a migration project for most companies. Instead wait for opportunities to migrate as part of another project, such as a Windows 7 rollout or overall mandate to standardize on 2008/2008 R2.
Once the migration decision is made, use the available online resources to help you execute a successful migration. The use of third-party consultants does not improve the success rate.
Also described in this appendix: Auditing Enhancements; Owner Rights; Management Pack; Restartable Active Directory Domain Services; Web Services.
Administrative Center
Description and Benefits: Centralizes administration tools and objects in a task-oriented interface for easier navigation. The Welcome page remembers which tasks you perform most often and provides quick links to them. A new search function expedites locating and navigating to an object. Depending on access rights and trusts between domains, you can view and manage objects in all domains from a single Administrative Center instance.
Special Considerations: Can be installed on a Windows 7 PC as part of the Remote Server Administration Tools (RSAT). See Remote Server Administration Tools for Windows 7 (Microsoft Source).
Additional Information: What's New in AD DS: Active Directory Administrative Center (Microsoft TechNet)
Managed Service Accounts. Additional Information: Service Accounts Step-by-Step Guide (Microsoft TechNet)
Fine-Grained Password Policies feature enables multiple password and lockout policies per domain
Description and Benefits: Previous AD versions permitted only a single password and account lockout policy per domain. To have separate policies for different sets of users required a password filter or multiple domains, adding to the administrative burden and complicating the AD environment. With the ability to have multiple password policies per domain, it is much easier to implement more restrictive policies where warranted, e.g., for administrative and service accounts.
Special Considerations: Requires the Windows Server 2008 domain functional level. A fine-grained policy (Password Settings Object) is applied to users or to global security groups, not to OUs; if users are organized only into Organizational Units, set up a shadow group that mirrors the OU and keep its membership in sync. When several policies cover one user, the one with the lowest precedence value wins. Custom password filters are not affected and can still be used to apply additional restrictions.
Additional Information: AD DS: Fine-Grained Password Policies (Microsoft TechNet)
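A stricter policy for an admin OU applied through a shadow group, as an added example that is not part of the Info-Tech deck. It uses the 2008 R2 ActiveDirectory module, assumes the domain is at the 2008 functional level, and uses constructed names: OU Tier0Admins, shadow group SG-Tier0Admins, PSO PSO-Tier0 and user adm-alice. The policy values are assumptions to adapt, not recommendations from the deck.

```powershell
# Added example (not from the Info-Tech deck): a Password Settings Object bound to a
# global group that shadows an OU, plus the sync that keeps the group honest.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$ou       = "OU=Tier0Admins,$domainDN"     # constructed
$group    = 'SG-Tier0Admins'               # constructed
$pso      = 'PSO-Tier0'                    # constructed

# 1. The PSO. A lower Precedence value wins if a user is covered by several PSOs.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$pso'")) {
    New-ADFineGrainedPasswordPolicy -Name $pso -Precedence 10 `
        -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 5 -LockoutDuration '0.00:30:00' -LockoutObservationWindow '0.00:30:00' `
        -ReversibleEncryptionEnabled $false
}

# 2. PSOs bind to users or global security groups, never to OUs, hence the shadow group.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ou
}
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group

# 3. Mirror the OU into the group: add users who moved in, remove users who moved out.
#    Run this on a schedule; a stale shadow group silently weakens the policy.
function Sync-ShadowGroup {
    param([string]$OU, [string]$Group)
    $inOU     = @(Get-ADUser -Filter * -SearchBase $OU -SearchScope Subtree |
                  Select-Object -ExpandProperty DistinguishedName)
    $inGroup  = @(Get-ADGroupMember -Identity $Group |
                  Select-Object -ExpandProperty DistinguishedName)
    $toAdd    = $inOU    | Where-Object { $inGroup -notcontains $_ }
    $toRemove = $inGroup | Where-Object { $inOU    -notcontains $_ }
    if ($toAdd)    { Add-ADGroupMember    -Identity $Group -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false }
    "${Group}: added $(@($toAdd).Count), removed $(@($toRemove).Count)"
}
Sync-ShadowGroup -OU $ou -Group $group

# 4. Check what a given account actually gets. No output means no PSO applies and the
#    Default Domain Policy is in force for that user.
Get-ADUserResultantPasswordPolicy -Identity 'adm-alice' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
```

Step 4 is the check worth scripting across every privileged account: the PSO is only as good as the membership that carries it.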
Authentication Mechanism Assurance
Special Considerations: This feature is disabled by default. Requires a certificate-based authentication infrastructure (e.g., smart card or token-based authentication) and the Windows Server 2008 R2 domain functional level.
Additional Information: What's New in AD DS: Authentication Mechanism Assurance (Microsoft TechNet)
Remote Windows 7 users gain seamless connectivity and improved file access speed
Description and Benefits: The following Windows 7 features are possible in a 2008 R2 Active Directory environment:
- BranchCache: Stores commonly accessed files locally in branch offices for much faster file access.
- DirectAccess: Automatically establishes IPsec tunnels to the corporate network whenever the PC has Internet connectivity, with no manual steps such as launching a VPN client. If the connection drops, it is automatically re-established when the network becomes available again.
- Offline Domain Join: Enables pre-provisioning Windows 7 PCs so they automatically join the domain when they first start up.
Special Considerations: BranchCache and DirectAccess are available only for Windows Server 2008 R2 and Windows 7 computers. DirectAccess also requires IPv6 or transition technologies. Offline Domain Join can also be used with earlier AD environments by using the /downlevel parameter of djoin.exe.
Additional Information: BranchCache and DirectAccess: Improving the Branch Office Experience (Microsoft TechNet); BranchCache for Windows Server 2008 R2 (Microsoft TechNet); What's New in AD DS: Offline Domain Join (Microsoft TechNet)
Read-Only Domain Controllers (RODCs) provide a security option for less-secure locations
Description and Benefits: The RODC is designed for remote locations that have poor physical security. By default the RODC stores no account passwords, and replication is one-way, inbound to the RODC only, so changes made on a compromised RODC cannot spread to the rest of the network. Credentials are protected only as far as the RODC's Password Replication Policy allows: accounts on its allowed list are cached on the RODC and are at risk if it is stolen, so keep that list to the branch's own users and computers and keep privileged accounts out of it. Without an RODC, the alternative when security is a concern is to authenticate over a WAN to a DC in another location, which can be slow depending on network bandwidth.
Special Considerations: The domain must include at least one writable Windows 2008 DC. Functional level can be Windows 2003 or higher.
Domain Admins and the other members of the built-in Denied RODC Password Replication Group are never cached on an RODC, and the deny list wins over the allow list. To administer the RODC itself without granting domain-level rights, delegate a separate, non-privileged account or group as its local administrator (Administrator Role Separation, set through the RODC computer object's managedBy attribute or ntdsutil "local roles").
A separate group must be set up that identifies all the accounts that can be replicated to the RODC.
Additional Information: AD DS: Read-Only Domain Controllers (Microsoft TechNet); Read-Only Domain Controllers and Account Lockouts (Microsoft TechNet)
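The RODC password replication setup described above, as an added example that is not part of the Info-Tech deck. It uses the 2008 R2 ActiveDirectory module and repadmin, and assumes constructed names: RODC BRANCH-RODC01, branch OU Branch01, allow group SG-Branch01-RODC-Cache and delegated admin group SG-Branch01-RODC-Admins.

```powershell
# Added example (not from the Info-Tech deck): scope what a branch RODC may cache,
# check that nothing privileged slipped in, and delegate its local administration.
Import-Module ActiveDirectory
$rodc     = 'BRANCH-RODC01'                       # constructed
$domainDN = (Get-ADDomain).DistinguishedName
$branchOU = "OU=Branch01,$domainDN"               # constructed
$allowGrp = 'SG-Branch01-RODC-Cache'              # constructed
$adminGrp = 'SG-Branch01-RODC-Admins'             # constructed

# 1. A group holding only the branch's own users and computers goes on the Allowed list.
if (-not (Get-ADGroup -Filter "Name -eq '$allowGrp'")) {
    New-ADGroup -Name $allowGrp -GroupScope Global -GroupCategory Security -Path $branchOU
}
$members = @(Get-ADUser -Filter * -SearchBase $branchOU) + @(Get-ADComputer -Filter * -SearchBase $branchOU)
if ($members) { Add-ADGroupMember -Identity $allowGrp -Members $members }
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $allowGrp

# 2. Denied always beats Allowed, so privileged accounts will not be cached; but a
#    privileged account living in the branch OU is a design smell worth flagging.
$denied = Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Recursive |
          Select-Object -ExpandProperty DistinguishedName
$privilegedInBranch = Get-ADGroupMember -Identity $allowGrp -Recursive |
    Where-Object { $denied -contains $_.DistinguishedName }
if ($privilegedInBranch) {
    Write-Warning "Privileged accounts found in ${allowGrp}:"
    $privilegedInBranch | Select-Object Name, DistinguishedName | Format-Table -AutoSize
}

# 3. Pre-populate the cache from a writable DC so the branch keeps logging on if the
#    WAN drops, then list what the RODC actually holds: that list is the blast radius
#    of a stolen RODC and belongs in the site's risk register.
$sourceDC = (Get-ADDomain).PDCEmulator
Get-ADGroupMember -Identity $allowGrp | ForEach-Object {
    repadmin /rodcpwdrepl $rodc $sourceDC $_.DistinguishedName | Out-Null
}
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass

# 4. Administrator Role Separation: the group in managedBy becomes local admin on the
#    RODC only, with no rights anywhere else in the domain.
Set-ADComputer -Identity $rodc -ManagedBy $adminGrp
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
```

If the RODC is ever lost, delete its computer object from the Domain Controllers OU: the deletion wizard offers to reset the passwords of every account in the revealed list, which is exactly the list step 3 prints.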
Database Mounting Tool
Description and Benefits: Also known as Snapshot Viewer or Snapshot Browser. Enables you to compare AD backups or snapshots taken at different times to determine which backup is the best one to restore. Previously the only option was to restore each backup to determine which one to use. Can also be used to review changes made to your AD environment.
Special Considerations: A snapshot is a full copy of the directory database, password hashes included, so snapshots warrant the same level of security provided to AD DS backups: keep them on protected volumes, restrict who can run ntdsutil and dsamain, and delete them when no longer needed.
Additional Information: AD DS: Database Mounting Tool (Microsoft TechNet)
Active Directory Module for Windows PowerShell
Description and Benefits: PowerShell is a scripting language that administrators can use to simplify and automate configuration, administration and diagnostic tasks. Examples of tasks that can be performed include: disable/enable accounts, search for accounts, add or remove accounts, and create, modify or remove objects.
Special Considerations: Can be installed on a Windows 7 PC as part of the Remote Server Administration Tools (RSAT). See Remote Server Administration Tools for Windows 7 (Microsoft Source). The module uses the Active Directory Web Services (ADWS) service; TCP port 9389 must be reachable on a DC running ADWS (a 2008 R2 DC, or a 2003/2008 DC with the Active Directory Management Gateway Service installed).
Additional Information: What's New in AD DS: Active Directory Module for Windows PowerShell (Microsoft TechNet)
Active Directory Recycle Bin
Description and Benefits: With 2003 DCs, deleted objects could be recovered from Windows Server backups, but the DC had to be taken offline for the authoritative restore. Tombstone reanimation allowed recovery while online, but most attributes, such as group memberships, were lost. With the 2008 R2 Recycle Bin, a deleted object keeps all of its attributes for the deleted object lifetime and can be restored online, with its group memberships intact, without any downtime.
Special Considerations: Requires the Windows Server 2008 R2 forest functional level; once enabled, the feature cannot be turned off. Objects remain recoverable only until the deleted object lifetime (msDS-DeletedObjectLifetime, 180 days by default) expires. Deleting an OU deletes everything under it, and a restore must rebuild the hierarchy parent-first.
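A Recycle Bin search and parent-first restore, as an added example that is not part of the Info-Tech deck. It assumes the feature is already enabled (forest at the 2008 R2 level), the 2008 R2 ActiveDirectory module, and a constructed scenario in which OU=Projects was deleted together with the user and group objects inside it.

```powershell
# Added example (not from the Info-Tech deck): list recoverable objects and restore a
# deleted OU together with its children, parent first. The OU name is constructed.
Import-Module ActiveDirectory

# Deleted objects get a mangled name ("Projects\0ADEL:<guid>") but keep their original
# RDN in msDS-LastKnownRDN and their original parent in lastKnownParent.
function Get-DeletedADObjects {
    param([string]$NameLike = '*')
    Get-ADObject -Filter 'isDeleted -eq $true -and Name -ne "Deleted Objects"' `
        -IncludeDeletedObjects `
        -Properties msDS-LastKnownRDN, LastKnownParent, whenChanged, ObjectClass |
        Where-Object { $_.'msDS-LastKnownRDN' -like $NameLike } |
        Select-Object @{ n = 'OriginalName'; e = { $_.'msDS-LastKnownRDN' } },
                      ObjectClass, LastKnownParent, whenChanged, ObjectGUID
}

function Restore-DeletedADTree {
    param([Parameter(Mandatory)][string]$ParentRdn)     # e.g. 'Projects' for OU=Projects
    $parent = Get-DeletedADObjects -NameLike $ParentRdn |
        Where-Object { $_.ObjectClass -eq 'organizationalUnit' } |
        Sort-Object whenChanged -Descending | Select-Object -First 1
    if (-not $parent) { throw "No deleted OU named '$ParentRdn' found in the Recycle Bin" }

    # 1. The container must exist again before anything can be restored into it.
    Restore-ADObject -Identity $parent.ObjectGUID
    $restoredDN = (Get-ADObject -Identity $parent.ObjectGUID).DistinguishedName

    # 2. Children reference the parent either by its original DN or by its deleted DN,
    #    depending on how the deletion happened; match both.
    $children = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
        -Properties LastKnownParent |
        Where-Object {
            $_.LastKnownParent -eq $restoredDN -or
            $_.LastKnownParent -like "OU=$ParentRdn\0ADEL:*"
        }
    foreach ($c in $children) { Restore-ADObject -Identity $c.ObjectGUID }
    "Restored $restoredDN and $(@($children).Count) child object(s)"
}

# Usage: review first, then restore. Restore-ADObject -TargetPath can relocate an object
# whose original parent no longer exists and is not itself recoverable.
Get-DeletedADObjects | Sort-Object whenChanged -Descending | Format-Table -AutoSize
Restore-DeletedADTree -ParentRdn 'Projects'
```

Group memberships come back with the users because, unlike a tombstone, a recycled object keeps its linked attributes; confirm with Get-ADUser -Properties MemberOf on a restored account.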
Additional security and workflow features include Auditing and Restartable Domain Services
- Auditing Enhancements: Enables you to specify which operations to audit and include in the security log. For more details, see AD DS: Auditing (Microsoft TechNet).
- Owner Rights: Enables you to specify Owner Rights to override default access rights. For more details, see AD DS: Owner Rights (Microsoft TechNet).
- Management Pack: Monitors computer and software states to assess availability and performance. For more details, see Active Directory Federation Services Management Pack Readme (Microsoft TechNet).
- Restartable Active Directory Domain Services: Provides the ability to stop and start AD Domain Services to perform tasks such as security updates without having to restart the DC server. For more details, see AD DS: Restartable Active Directory Domain Services (Microsoft TechNet).
- Web Services: Provides a Web service interface to AD domains and AD LDS instances. For more details, see What's New in AD DS: Active Directory Web Services (Microsoft TechNet).