
Practical IT Research that Drives Measurable Results

Develop an Up-to-Date Active Directory Strategy, and Implement

Info-Tech Research Group

Active Directory Strategy and Migration


Active Directory (AD) is a network security solution included in Windows Server operating systems. AD provides user authentication, manages access to network resources, and can be used to deploy software. To facilitate security and administration, AD enables companies to organize users and systems on the network into a tree-like hierarchical structure. Windows 2008 and 2008 R2 introduced significant AD security and administration enhancements. Migration to a 2008 platform will be inevitable as earlier OSs no longer meet IT requirements or reach end-of-life. The questions are: when to migrate, and what are the migration best practices?

Those who should read this:

- Clients looking to improve their Active Directory structure
- Clients evaluating Windows Server 2008 R2 Active Directory
- Clients planning/executing a migration to Windows Server 2008 R2

At the end, you will have:

- An optimal Active Directory structure for your environment.
- An understanding of what's new in 2008 R2 Active Directory.
- The criteria required to decide when, and if, to migrate to 2008 R2.
- Migration best practices.

Executive Summary
Many organizations have sub-optimal AD structures that are focused more on organizational hierarchy or political motivators leading to unnecessary complexity and higher administration costs.
A single forest and single domain is best for most small or mid-sized companies.
Introduce multiple forests or domains only when there are justifiable legal, business, or technical needs to isolate parts of the organization or grant autonomy.

A key decision facing organizations is when to migrate to Windows 2008 R2 AD. Although the new security and administration features are significant, by themselves they do not warrant a migration project.
Wait for opportunities to migrate as part of another project, such as a hardware refresh or an overall mandate to standardize on Windows 2008 or 2008 R2.

Companies who take full advantage of online Microsoft resources have good success with migration, and do not need third-party consultants or tools.


Active Directory Introduction, Planning, and Design


Use Active Directory to organize your network, facilitate administration, and in some cases isolate resources
Active Directory's primary purpose is authenticating users logging on to the network and granting access rights. AD uses the concept of containers to organize users and computers into a hierarchical framework to facilitate administration or isolate resources.

Container: Forest
Description: The top of the AD hierarchy; it provides a boundary between the organization's network and external networks. Multiple forests are required only if parts of the organization must be completely isolated from each other.

Container: Domain
Description: Domains provide administrative and network boundaries within a forest. A forest requires at least one domain and may be divided into multiple domains. Each domain contains at least one Domain Controller (DC) server, which holds the AD configuration settings and user credentials required for authentication. Access between domains can be accomplished where required through trust relationships.

Container: Organizational Units (OUs)
Description: OUs are optional. They are used to divide the domain into smaller units to facilitate or delegate administration.

Container: Groups
Description: Groups are not a subset of OUs, but are a way to organize users within a domain for the purpose of applying group policies and permissions. Software can also be deployed based on group membership. Group policies cannot cross domains, so they must be duplicated when there are multiple domains.

Optimize the replication topology to reduce the need for regional domains or more expensive WAN links
The Domain Controller (DC) servers hold the AD configuration settings and user credentials. The DC databases are replicated to every other DC in the domain to allow authentication and administration to take place at any location. This generates significant network traffic. Creating regional domains is one way to reduce cross-country replication traffic, but is often not necessary if you can optimize the replication topology:
- Replication Topology: The network connections that enable DCs to be replicated to all other DCs.
- Knowledge Consistency Checker (KCC): Creates the replication topology based on the best available connections between DCs.
- Sites: Each location can be identified as a site to optimize network traffic between locations as follows: authentication and service requests are directed to the closest DC; while the KCC defines the replication topology within a site, you define the links between sites to minimize WAN traffic. For example, funnel the replication through a central site to minimize east-west traffic, as shown in the diagram.

Diagram: Single domain with three locations/sites. DC servers in each location allow for local authentication. Cross-country replication traffic is funneled through DCs in a central site.

Understand the concepts of administration, isolation and autonomy to further assess the need for multiple forests/domains
Restricting administrator access is the primary reason for isolation and autonomy.
Service Administrators: Manage the overall AD environment, including configuration settings and DC maintenance. Service administrators are, in effect, also data administrators since they have access to all systems.

Data Administrators: Manage a subset of the AD environment, e.g., manage data and member computers.

Isolation: Required when it's necessary to keep other administrators from viewing a subset of data or interfering with administration. For example, legal factors may require certain data or business units to be isolated. Isolation requires a separate forest, since any other level (e.g., a domain) would fall under the supervision and control of a higher-level administrator.

Autonomy: Required when part of the AD environment needs to be managed independently. Since autonomy rather than isolation is required, this need can be met with separate domains or potentially OUs, depending on the level of autonomy required.

Info-Tech Insight:
Small and mid-sized organizations often have a single centralized administration team, so they have no requirement to create isolation or autonomy from other administrators.

Multiple forests and domains lead to greater complexity and higher administration costs
Multiple forests and multiple autonomous domains require dedicated administration teams, increasing costs. The added complexity also requires more administration effort. Examples of costs due to multiple forests and domains include:

- To achieve true isolation, each forest requires its own administration team. Similarly, multiple domains created to achieve autonomy require their own administration teams.
- Unless each forest or domain is completely independent (e.g., no shared resources and no users who require access to the other forest), multiple forests/domains typically require trust relationships to allow some access.
- Group policy settings need to be duplicated in each domain.

"I don't want to create a separate domain and give the local IT guy the keys to the kingdom just because he wants to administer his own users."
Senior Systems Administrator, National Transportation Company

Avoid politically motivated Active Directory designs that lead to unnecessary multiple forests or domains
Ensure your requirements for multiple forests or domains are real business or technical needs. Below are examples of potential needs:
Organizational Need: For security or legal reasons, a data subset must be isolated
Design Requirement: Isolation
Recommendations: This will require a separate forest to achieve isolation. Limit the number of forest administrators and members.

Organizational Need: Account for anticipated divestiture
Design Requirement: Isolation
Recommendations: If you are certain that a division will be sold, you can simplify eventually splitting off that AD environment by setting it up as a separate forest.

Organizational Need: AD-related development projects
Design Requirement: Isolation
Recommendations: Minimize the risk of developers inadvertently affecting the rest of the network by creating a separate forest for the development work.

Organizational Need: Multiple namespaces are required
Design Requirement: Autonomy
Recommendations: A separate domain must be created for each DNS namespace.

Organizational Need: Administrative support for national or international locations
Design Requirement: Autonomy or Administration Delegation
Recommendations: Regional domains can ease the administrative burden due to time zone and language issues. However, if autonomy is not required and network bandwidth is not an issue, instead use regional organizational units to delegate administration and maintain a single forest, single domain design.

Further improve administration by using Groups rather than OUs to organize users for the purpose of applying group policies
The primary purpose of OUs is to delegate administration, not to administer group policies.

It's not necessary to create an OU for each department if it serves no administrative purpose. When it comes to organizing users and resources for the purpose of administering policies, use groups rather than OUs:

- OUs demand exclusive membership, meaning a system allocated to one OU can't be allocated to another. A user that belongs to the Sales OU but has tasks requiring R&D systems would require the creation of a dedicated Sales/R&D hybrid OU to ensure that appropriate permissions exist.
- Groups are non-exclusive, so our example user could be enrolled in both the Sales and R&D groups with no additional administration requirements.

Info-Tech Insight:
Software can also be deployed based on group membership. Using the scenario above, if deploying software to the R&D group, the Sales staff who also perform R&D are included.

Case Study: Use a single forest and single domain design to streamline administration complexity and costs
Many organizations, large and small, have a single forest and domain, and instead use organizational units to subdivide administration.

AD Design Explanation:
- Single forest, single domain, so no domain trust relationships are required.
- Each location has its own local administrator, so they are set up as separate OUs.
- DC replication is funneled through the central location to minimize cross-country traffic.
- A single set of Sales and Management group policies can be applied to users in all locations because they are all in the same domain.

Case Study: Create a separate forest to address isolation needs

The west coast facility has dealings with the military. To meet security requirements, the location must be isolated.

AD Design Explanation:
- The west coast location is set up as a separate forest with its own domain.
- A one-way trust enables the west coast facility to access east coast resources, but reverse access is not permitted.
- Each location has its own local administrator, so they are set up as separate OUs.
- Sales and Management groups and policies must be duplicated in each forest/domain.

Use this flowchart to determine Active Directory design requirements

Follow the steps below to determine whether you need a dedicated (separate) forest, domain, or organizational unit to address organizational needs.

1. Identify potential needs in your organization for isolation, autonomy, or delegating administration.
2. For each need, follow the flowchart to identify structure requirements.
3. Diagram the resulting structure and confirm that it meets your overall needs while avoiding unnecessary complexity.

For more information on AD design, see Appendix A: Active Directory Planning and Design Resources.

What's new in Windows 2008 R2 Active Directory


Windows 2008 (R1) added security enhancements such as Fine-Grained Password Policies and Read-Only Domain Controllers
Auditing: Enables you to specify which operations to audit and include in the security log.

Fine-Grained Password Policies: Supports multiple password policies per domain, enabling administrators to easily implement more restrictive policies where warranted.

Owner Rights: Enables administrators to specify Owner Rights to override default access rights.

Read-Only Domain Controllers: Does not contain account passwords, and replication is one-way only (inbound to the RODC). So if the RODC is compromised, user credentials and the rest of the network are not at risk.

Restartable Active Directory Domain Services: Provides the ability to stop and start AD Domain Services to perform tasks such as security updates without having to restart the DC server.

Database Mounting Tool: In a recovery situation, enables you to compare AD backups or snapshots that were performed at different times to determine which backup is the best one to restore.
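The following PowerShell is an added example, not from the Info-Tech deck or Microsoft: it puts the Fine-Grained Password Policies feature above to work by holding privileged accounts to a stricter policy than the default domain policy, and then verifies which policy actually wins for each member. It assumes the Windows Server 2008 R2 Active Directory module and an existing global security group named PrivilegedAdmins (a placeholder name).

```powershell
# Added example (not the deck's or Microsoft's own script): a stricter password
# policy for privileged accounts using a Fine-Grained Password Policy (PSO).
# Assumes the 2008 R2 Active Directory module and a global security group
# "PrivilegedAdmins" (placeholder name) that already exists.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAdmins'
$subject = 'PrivilegedAdmins'   # placeholder group that receives the policy

# PSOs need the Windows Server 2008 domain functional level or higher; on a
# 2003-level domain the New-ADFineGrainedPasswordPolicy call would fail.
$domain  = Get-ADDomain
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt [int]$minMode) {
    throw "Domain functional level is $($domain.DomainMode); PSOs require Windows2008Domain or higher."
}

# Show the default domain policy so the PSO can be compared against it.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold

# Settings chosen to be stricter than a typical default domain policy. Values are
# illustrative; TimeSpan parameters accept "days.hours:minutes:seconds".
$settings = @{
    Name                            = $psoName
    Precedence                      = 10            # lower value wins if several PSOs apply to one user
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false
    MinPasswordLength               = 15
    PasswordHistoryCount            = 24
    MinPasswordAge                  = '1.00:00:00'  # 1 day
    MaxPasswordAge                  = '60.00:00:00' # 60 days
    LockoutThreshold                = 5
    LockoutObservationWindow        = '0.00:30:00'  # 30 minutes
    LockoutDuration                 = '0.00:30:00'
    ProtectedFromAccidentalDeletion = $true
}

if (-not (Get-ADFineGrainedPasswordPolicy -Filter { Name -eq $psoName })) {
    New-ADFineGrainedPasswordPolicy @settings
}

# PSOs apply to users or global security groups, never to OUs; this is one reason
# the deck's advice to organize users with groups rather than OUs matters.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $subject

# Verify: the resultant policy for each user member should now be the PSO.
# Get-ADUserResultantPasswordPolicy returns nothing when only the default domain
# policy applies, so treat an empty result as "default".
Get-ADGroupMember -Identity $subject -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_
        $name = if ($effective) { $effective.Name } else { 'Default Domain Policy' }
        New-Object PSObject -Property @{ User = $_.SamAccountName; EffectivePolicy = $name }
    } | Format-Table User, EffectivePolicy -AutoSize
```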


Windows 2008 R2 introduced the Administrative Center and more security enhancements
Administrative Center: Centralizes administration tools and objects in a task-oriented interface. Search function for locating and navigating to an object.

Authentication Mechanism Assurance: Recognizes the device used to log in, enabling administrators to impose greater restrictions on users logging in from personal devices.

Best Practices Analyzer: Scans your AD environment to check if the configuration is following best practices.

Managed Service Accounts: Simplifies the administration of isolated key shared applications such as Exchange Server and IIS.

Management Pack: Monitors computer and software states to assess availability and performance.

Module for Windows PowerShell: A scripting language that administrators can use to simplify and automate configuration, administration, and diagnostic tasks.

Recycle Bin: Provides an undo capability without any downtime. Uses the tombstone reanimation method, which now saves the attributes.

Web Services: Provides a Web service interface to AD domains and AD LDS instances.

Windows 7 Features: BranchCache and DirectAccess provide seamless connectivity for remote Windows 7 users. Offline Domain Join enables pre-provisioning Windows 7 PCs so they automatically join the network at startup.

The new Administrative Center was voted as offering the most benefit to organizations
Security features such as Managed Service Accounts, Fine-Grained Password Policies, and Authentication Mechanism Assurance also scored high.

- Administrative Center: Saves time with a task-oriented interface and features such as a welcome page that remembers your common tasks.
- Managed Service Accounts: Automated password management and improved service principal name (SPN) management make it easier to isolate key shared applications.
- Fine-Grained Password Policies: Allow for multiple password policies without having to create multiple domains.
- Authentication Mechanism Assurance: Provides the means to apply greater restrictions when users log in from a personal device.

Scores based on feature rankings in an Info-Tech survey. N=84

For more details on these features, including special considerations, see Appendix B: New Active Directory Features. In addition, there have been several group policy enhancements, as described in the Microsoft article What's New in Group Policy for Windows 7 and Windows Server 2008 R2.

Although the new Active Directory features are significant, they do not justify a migration on their own for most companies
Many companies have deferred migrating to 2008 or 2008 R2 because their Windows 2003 DCs continue to meet their needs and are compatible with most Windows 2008-based applications and systems.
Over 80% of survey respondents indicated "Standardizing on Windows 2008" among their reasons to migrate their AD. Although the new AD features also scored high, only 2% of respondents selected that as the only reason to migrate. As more companies begin to plan a Windows 7 rollout, the Windows 7 functionality supported by AD is also becoming a motivating factor. Similarly, a need to restructure the AD environment or refresh DCs provides a reason to migrate.

Source: Info-Tech survey. N=98

Wait for opportunities to migrate, such as a project that requires 2008 functionality or an infrastructure upgrade
Hardware Refresh: When a DC is due for a refresh, replace it with a Windows 2008 R2 server to put you in a position to later migrate your AD environment to 2008.

Standardize on Windows 2008: Corporate Standard is the leading adoption driver for Windows 2008 (see Info-Tech's article Why Windows Server 2008? Users Speak Out). Note that Windows 2003 continues to be compatible with most Windows 2008-based systems, including Exchange Server 2007 and 2010 (see Microsoft's Exchange Server Supportability Matrix).

Windows 7 Rollout: Windows 7 remote connectivity features (BranchCache, DirectAccess) available with 2008 R2 AD make it worthwhile to consider migrating your AD environment to 2008 R2 as part of your overall Windows 7 project.

Active Directory Needs to be Restructured: If your AD structure is in need of an overhaul, consider migrating to 2008 R2 at the same time to leverage the new features such as the improved administration functionality.

"I like the compatibility with Windows 7, and the additional group policy settings."
IT Manager, Marketing Company

Use the Active Directory Migration Readiness Assessment Tool to determine when, how, and if you are ready to migrate

This tool will identify whether to migrate, based on your needs and opportunity, and recommend a migration method (in-place, transition, or restructure).

The tool will ask you to indicate the following:
1. Critical needs for the new AD features.
2. Projects underway that would require 2008/2008 R2 AD.
3. Your current OS.
4. If you plan to move to new servers.
5. If your current AD structure is in need of an overhaul.

Download the Active Directory Migration Readiness Assessment Tool

Migrating to Windows 2008 R2 Active Directory


Once you have decided to migrate, choose the migration method that fits your circumstances
Three migration methods are available, which depend partly on the source server:

- In-Place Upgrade (stay on the existing server)
- Transitioning (maintaining the existing structure while migrating to a new server)
- Restructuring (building a new AD environment on new servers)

2003 to 2008 R2
- In-Place Upgrade: Must be an x64-based Windows Server 2003 (R2).
- Transition and Restructuring: Available for x86- or x64-based Windows 2003 systems.

2000 to 2008 R2
- In-Place Upgrade: The hardware must be compatible with Windows 2008 R2. If the 2008 R2 requirements are met, then ensure you are at 2000 SP4, upgrade to 2003 R2, and then to 2008 R2.
- Transition and Restructuring: Both are available options as long as the existing server is running at least Windows 2000 native.

NT to 2008 R2
- You must perform an in-place upgrade to either Windows 2000 SP4 or 2003 R2. After that, follow the guidelines above for 2000 or 2003 to 2008 R2 accordingly.

The general workflows described in this section also apply to migration to Windows 2008 (R1), with the exception of system requirements specific to 2008 R2 (e.g., R1 can be 32- or 64-bit).

Make extensive use of Microsoft resources to ensure a successful migration


An Info-Tech survey found that using third-party consultants had no impact on migration success. Use the available online resources to help you execute a successful migration.

Among respondents who have completed a migration to 2008 AD:
- Over 70% reported no unexpected delays, user interruption, or network disruption.
- Only 28% used third-party consultants.
- Those who used consultants had the same success rate as those who did not.

Chart: Migration Success. Distribution of Success Scores by Third-Party Consultant Usage (x-axis: Migration Success Score, 0% to 100%, Low to High; y-axis: Frequency; series: Did Not Use Third-Party Consultants, Used Third-Party Consultants).

Source: Info-Tech survey. N=35

Regardless of migration method, always back up DCs and assess your environment for 2008 R2 compatibility before you begin
Before You Begin

- Ensure your AD environment is stable (e.g., no replication errors).
- Back up your DCs and test the backups. If possible, also disconnect one DC from the network to preserve the previous configuration and provide another recovery option.
- Use the Microsoft Assessment and Planning (MAP) tool to assess whether your IT environment can support 2008 R2. See Microsoft Assessment and Planning (MAP) Toolkit. Similarly, check that your IT environment is 64-bit ready.
- Document your current AD environment: e.g., group memberships, replication topology, DNS settings, etc. Microsoft provides a worksheet for some of this.
- Document any special configuration or workarounds; they may cause conflicts when you upgrade, so you must account for these.
- Record your current Directory Services Restore Mode (DSRM) password in case you need to revert back.

"Our biggest lesson learned was that we didn't do a good job of documenting the customized settings. We will now for next time."
Server Systems Administrator, Government Agency
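As an added example (not the deck's or Microsoft's own script), the PowerShell below captures the "Before You Begin" evidence in one run: FSMO holders and functional levels, a DC inventory, replication health, dcdiag output and privileged group membership, and ends with a go/no-go on replication errors. It assumes the Active Directory PowerShell module on the host you run it from; for a domain that still has only 2003 DCs, that means the Active Directory Management Gateway Service on at least one of them.

```powershell
# Added example (not the deck's or Microsoft's own script): snapshot the AD
# environment before a migration and flag replication failures. Assumes the
# Active Directory module (RSAT) on the management host.
Import-Module ActiveDirectory

$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$outDir = Join-Path $env:USERPROFILE "AD-PreMigration-$stamp"
New-Item -ItemType Directory -Path $outDir | Out-Null

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. FSMO holders and functional levels: needed to plan the transfer to the new DC
#    and to know exactly what you would be rolling back to.
New-Object PSObject -Property @{
    Forest               = $forest.Name
    ForestMode           = $forest.ForestMode
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    Domain               = $domain.DNSRoot
    DomainMode           = $domain.DomainMode
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List | Out-File (Join-Path $outDir 'fsmo-and-levels.txt')

# 2. DC inventory: the OS column tells you which DCs could be upgraded in place
#    (x64 2003) and which must be transitioned to new servers.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, OperatingSystem, OperatingSystemVersion, IsGlobalCatalog, IsReadOnly |
    Export-Csv (Join-Path $outDir 'domain-controllers.csv') -NoTypeInformation

# 3. Replication health across all DCs; any failing link means "not stable yet".
$repl = repadmin /showrepl * /csv | ConvertFrom-Csv
$repl | Export-Csv (Join-Path $outDir 'replication.csv') -NoTypeInformation
$replFailures = @($repl | Where-Object { [int]$_.'Number of Failures' -gt 0 })

# 4. Full dcdiag pass on every DC in the enterprise, kept for the record.
dcdiag /e /v | Out-File (Join-Path $outDir 'dcdiag.txt')

# 5. Privileged group membership, expanded recursively, so it can be diffed after
#    the migration or restructure. Enterprise/Schema Admins exist only in the
#    forest root domain, hence SilentlyContinue when run in a child domain.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass, distinguishedName |
        Export-Csv (Join-Path $outDir "members-$($g -replace ' ', '').csv") -NoTypeInformation
}

# 6. The DSRM password cannot be read back. If nobody knows it, set a new one now
#    with ntdsutil ("set dsrm password") and record it alongside this snapshot.

# 7. Go / no-go on the item the deck lists first: no replication errors.
if ($replFailures.Count -gt 0) {
    $replFailures | Format-Table 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status' -AutoSize
    Write-Warning "$($replFailures.Count) replication link(s) report failures. Fix them before you migrate."
} else {
    Write-Host "No replication failures. Snapshot written to $outDir"
}
```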

In-Place Upgrade offers the cheapest, but also the riskiest and least beneficial migration
What's Involved?
The OS on the existing DCs is upgraded to Windows 2008 R2.

Benefits
- Current AD settings are retained (schema, group policies, etc.).
- Least expensive option (no new hardware).

Disadvantages
- Staying on old hardware, so typically lower performance than a new system, and a shorter shelf life going forward than a new server.
- Old data and workaround configurations are retained; not a clean system.
- More downtime, since the server cannot stay operational during the OS upgrade steps.

Additional Information
- Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains

Info-Tech Insight:
If a new Domain Controller or 2008 R2 license is not in your budget, defer migration if possible until you have the resources to migrate to a new server.

In-Place Upgrade: Preparation and upgrade steps


Microsoft provides several online resources to assist with this procedure. Below are the high-level steps.

1. Follow the steps outlined on slide 24, Before You Begin.
2. Perform pre-upgrade steps as outlined in Microsoft's Pre-Upgrade Checklist.
3. Use Microsoft's Adprep tool to prepare your AD environment for the addition of a Windows 2008 R2 DC. Once the changes have been replicated to all DCs, you can continue with the next steps. For details, see Microsoft's document Prepare Your Infrastructure for Upgrade.
4. Upgrade the first DC OS to 2008 R2. Once that is successful, upgrade the remaining DCs.
5. After you have allowed a settling-in period (e.g., a week) and there are no replication errors or other issues, raise the domain functional level to 2008 R2. Caution: Once you've raised the domain functional level, you cannot roll it back.
6. Raise the forest functional level. Caution: Once you've raised the forest functional level, you cannot roll it back.
7. Enable AD optional features such as Recycle Bin if you wish to take advantage of them.
8. Run the Active Directory Best Practices Analyzer. Make any appropriate changes based on the analysis results.

Transitioning provides a safe migration path plus the benefits of either new hardware or a move to virtualization
What's Involved?
The AD environment is transferred from existing DCs to Windows 2008 R2 servers. The existing DCs are decommissioned or repurposed.

Benefits
- Current AD settings are retained (schema, group policies, etc.).
- Can migrate to new hardware (longer shelf life going forward and better performance) or to a virtualized server.
- Less downtime, because the existing DC can stay operational during most of the migration.

Disadvantages
- More expensive, requiring either a new server or an additional virtual server license.

Additional Information
- Active Directory Domain Services and DNS Server Migration Guide
- Active Directory Certificate Services Migration Guide

Info-Tech Insight:
Transitioning is the most common migration method, offers the least disruption to services, and provides the option of migrating from a physical server to a virtualized environment.

Transitioning: Preparation and migration steps


As with the In-Place Upgrade, Microsoft provides several online resources to assist with this procedure. Below are the high-level steps.

1. Follow the steps outlined on slide 24, Before You Begin.
2. Use Microsoft's Adprep tool to prepare your AD environment for the addition of a Windows 2008 R2 DC. Once the changes have been replicated to all DCs, you can continue with the next steps. For details, see Microsoft's document Prepare Your Infrastructure for Upgrade.
3. Add a Windows 2008 R2 server to your AD environment, and then promote the server to a DC (dcpromo command). Keep the domain functional level at 2003 until the end of the migration process. For details, see Microsoft's document Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2.
4. Check the dcpromo.log and dcpromoui.log log files to ensure there are no issues.
5. Install additional 2008 R2 DCs if applicable.
6. Follow the steps in Microsoft's AD DS and DNS Server Migration: Preparing to Migrate to get ready to migrate.
7. Transfer DNS settings and FSMOs to the new server, as outlined in Microsoft's AD DS and DNS Server Migration: Migrating the AD DS and DNS Server Roles.

Transitioning: Post-migration steps


To begin taking advantage of the new 2008 and 2008 R2 features, follow the steps below.

8. After you have allowed a settling-in period (e.g., a week) and there are no replication errors or other issues, demote the old DCs. Caution: If a DC has Exchange Server or IIS installed on it, transfer those to a different server before demoting. Once you've done that, reduce your future admin headaches by demoting the old DCs.
9. Raise the domain functional level. Caution: Once you've raised the domain functional level, you cannot roll it back.
10. Raise the forest functional level. Caution: Once you've raised the forest functional level, you cannot roll it back.
11. Enable AD optional features such as Recycle Bin if you wish to take advantage of those features.
12. Run the Active Directory Best Practices Analyzer. Make any appropriate changes based on the analysis results.
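The PowerShell below is an added example, not the deck's or Microsoft's own script, covering the transitioning steps that change state (step 7, the FSMO transfer, and steps 9 to 11, the functional-level raises and Recycle Bin) as well as the equivalent in-place upgrade steps 5 to 7. Because the deck treats a raised functional level as something you cannot roll back, every raise is guarded by checks that the old DCs are gone and replication is clean. It assumes the Active Directory module on a 2008 R2 host and a new DC named NEWDC01 (placeholder).

```powershell
# Added example (not the deck's or Microsoft's own script): transfer the FSMO roles
# to the new 2008 R2 DC, then raise the functional levels and enable the Recycle
# Bin only after the guards pass. Assumes the AD module on a 2008 R2 host and a
# new DC named NEWDC01 (placeholder).
Import-Module ActiveDirectory

$newDc = 'NEWDC01'   # placeholder: the 2008 R2 DC that takes over the roles

function Test-ReplicationClean {
    # $true only when repadmin reports zero failures on every replication link.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $bad  = @($rows | Where-Object { [int]$_.'Number of Failures' -gt 0 })
    if ($bad.Count -gt 0) {
        $bad | Format-Table 'Source DSA', 'Destination DSA', 'Last Failure Status' -AutoSize
    }
    return ($bad.Count -eq 0)
}

# Transitioning step 7: move all five roles. A transfer needs the current holder
# online; -Force (seize) is only for a holder that is permanently gone, and that
# old DC must then never return to the network.
$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole $roles -Confirm:$false

# Verify the move before depending on it (role holders are returned as FQDNs).
$domain  = Get-ADDomain
$forest  = Get-ADForest
$holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
             $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
$elsewhere = @($holders | Where-Object { $_ -notlike "$newDc.*" })
if ($elsewhere.Count -gt 0) { throw "Roles still held elsewhere: $($elsewhere -join ', ')" }

# Transitioning steps 9-11 (in-place upgrade steps 5-7): refuse to raise a level
# unless every DC in the domain runs 2008 R2 (old DCs demoted, step 8) and
# replication is clean.
$oldDcs = @(Get-ADDomainController -Filter * | Where-Object { $_.OperatingSystem -notlike '*2008 R2*' })
if ($oldDcs.Count -gt 0) {
    throw "Demote these DCs first: $(($oldDcs | ForEach-Object { $_.HostName }) -join ', ')"
}
if (-not (Test-ReplicationClean)) { throw 'Replication is not clean; wait and re-run.' }

$targetDomainMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
if ([int]$domain.DomainMode -lt [int]$targetDomainMode) {
    Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain -Confirm:$true
}

# The forest level can only go up once every domain in the forest is at 2008 R2.
foreach ($d in $forest.Domains) {
    $mode = (Get-ADDomain -Identity $d).DomainMode
    if ([int]$mode -lt [int]$targetDomainMode) { throw "Domain $d is still at $mode; raise it first." }
}
$targetForestMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$targetForestMode) {
    Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -Confirm:$true
}

# Optional feature: the Recycle Bin needs the 2008 R2 forest level, and enabling
# it cannot be undone either, hence the confirmation prompt.
$rb = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if ($rb.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$true
}
```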


Use Restructuring when your current environment is sub-optimal to the point where starting from scratch is the best recourse
Restructuring will add time to the migration; however, if a restructure is required, it's also an opportunity to start over in a clean environment.

What's Involved?
A new AD structure is built on new Windows 2008 R2 servers. The existing DCs are decommissioned or repurposed.

Benefits
- Less downtime, because the existing DC can stay operational during most of the migration.
- An opportunity to revamp your AD environment and put in place an optimal structure.

Disadvantages
- More expensive, requiring either a new server or an additional virtual server license.
- More time required to plan and create the new AD environment, as well as plan the move to 2008 R2.

Additional Information
- Best Practice Active Directory Design for Managing Windows Networks
- ADMT Guide: Migrating and Restructuring Active Directory Domains

Restructuring: Preparation, migration, and post-migration steps


Microsoft provides an Active Directory Migration Tool (ADMT) to facilitate this process.

1. Follow the steps outlined on slide 24, Before You Begin. In addition, review Microsoft's Best Practices for Active Directory Migration.
2. Create the new AD environment on Windows 2008 R2 DCs. Review the slides earlier in this deck for AD design best practices, and refer to Microsoft's TechNet for Windows 2008 R2 and AD installation instructions.
3. Add test users to the new environment. Monitor logs to ensure that the new environment is functioning properly.
4. Migrate resources to the new environment as outlined in Microsoft's guide on Interforest Active Directory Domain Restructure.
5. Transfer administration and user accounts to the new environment. After you have allowed a settling-in period and there are no replication errors or other issues, demote the old DCs.

If you are considering virtual DCs, use a combination of physical and virtual DCs to meet performance demands
While virtualization enables hardware cost savings, it is not ideal for Domain Controllers.

Potential Performance Issues
DCs make intensive use of RAM. Since RAM is shared with all the other virtual servers hosted by the same hardware, the RAM may not be sufficient to support a busy DC. MS recommends that you use physical DCs for the following roles:
- Global Catalogs
- FSMO roles
- DNS server
Additional Information: Microsoft KB article 888794; Deployment Considerations for Virtualized Domain Controllers

Potential Support Issues
As a general rule, MS does not test or support MS software running on non-MS virtualization technology (e.g., VMware). Those with Premium level support do qualify for assistance, but may need to reproduce the problem on a physical server or MS virtualization product. Supported MS virtualization environments:
- Windows 2008 and later with Hyper-V
- Microsoft Hyper-V Server 2008 and later
- Server Virtualization Validation Program
Additional Information: Microsoft KB article 897615; Microsoft KB article 957006

Summary
When creating your AD environment, use a single forest and single domain design unless there are strong business or technical reasons for multiple forests or domains.

Use groups rather than OUs to organize users and facilitate applying group policies. Use OUs when you need to delegate administration.
The new 2008 R2 Administrative Center centralizes and streamlines administration. Key security enhancements include Managed Service Accounts, Fine-Grained Password Policies, and Authentication Mechanism Assurance. Although the new features are significant, they do not warrant a migration project for most companies. Instead, wait for opportunities to migrate as part of another project, such as a Windows 7 rollout or an overall mandate to standardize on 2008/2008 R2.

Once the migration decision is made, use the available online resources to help you execute a successful migration. The use of third-party consultants does not improve the success rate.


Appendix A: Active Directory Planning and Design Resources


Info-Tech Resources on Planning and Design:
- Efficient Active Directory Deployments Require Significant Planning
- Active Directory Topology: Seeing the Trees in the Forest
- Active Directory Topology: Cultivating Forests
- Active Directory Topology: Dividing by Domains
- Delegated Administration is the Role of Organizational Units

Additional Microsoft Resources on AD Design:


- Best Practice Active Directory Design for Managing Windows Networks
- Achieving Autonomy and Isolation with Forests, Domains, and Organizational Units
- How Active Directory Replication Topology Works
- What's New in Group Policy for Windows 7 and Windows Server 2008 R2


Appendix B: New Active Directory Features


This section describes the following new 2008 and 2008 R2 features, in the order in which they ranked in the Info-Tech survey for offering the most benefit to the organization:
1. Administrative Center
2. Managed Service Accounts
3. Fine-Grained Password Policies
4. Authentication Mechanism Assurance
5. Windows 7 Enhancements
6. Best Practices Analyzer
7. Read-Only Domain Controllers
8. Database Mounting Tool
9. Module for PowerShell
10. Recycle Bin

Also described in this appendix:
- Auditing Enhancements
- Owner Rights
- Management Pack
- Restartable Active Directory Domain Services
- Web Services

Scores based on feature rankings in an Info-Tech survey. N=84


New Administrative Center streamlines administration

Description and Benefits

Centralizes administration tools and objects in a task-oriented interface for easier navigation.
The Welcome page remembers which tasks you perform most often, and provides quick links to those tasks. New search function expedites locating and navigating to an object.

Depending on access rights and trusts between domains, you can view and manage objects in all domains from a single Administrative Center instance.
Special Considerations
Can be installed on a Windows 7 PC as part of the Remote Server Administration Tools (RSAT). See Remote Server Administration Tools for Windows 7 (Microsoft Source).
Additional Information
What's New in AD DS: Active Directory Administrative Center (Microsoft TechNet)


Managed Service Accounts simplify locking down key shared applications


Description and Benefits
Running key shared applications such as Exchange Server and IIS under their own isolated accounts is a recommended security practice. Managed Service Accounts simplify the administration of these accounts: the host computer rotates the password automatically and service principal names (SPNs) are easier to manage. In previous AD versions these accounts were more complex and time-consuming to run (e.g., passwords had to be changed by hand, which in practice meant they were rarely changed).
Special Considerations
Managed Service Accounts can be used only for services running on Windows Server 2008 R2 or Windows 7, and the forest schema must have been extended to 2008 R2. A 2008 R2 Managed Service Account is bound to a single computer; it cannot be shared by several hosts in a farm.

Additional Information
Service Accounts Step-by-Step Guide (Microsoft TechNet)
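The following is an added example, not taken from the Info-Tech deck or from Microsoft's guide: it creates a 2008 R2 Managed Service Account with the Active Directory module, binds it to one member server, registers its SPNs, and then switches a Windows service over to it. The account name svcIntranet, the host WEB01, the service IntranetSync and the SPNs are hypothetical; the first part runs on any machine with the AD module as a domain admin, the second on the member server itself.

```powershell
Import-Module ActiveDirectory

# Hypothetical names: adjust to your environment.
$msaName  = 'svcIntranet'        # the MSA; services log on as DOMAIN\svcIntranet$
$hostName = 'WEB01'              # 2008 R2 member server that will run the service
$svcName  = 'IntranetSync'       # Windows service on WEB01 to move onto the MSA
$spns     = 'HTTP/intranet.corp.example.com', 'HTTP/intranet'

# --- Part 1: on a DC or RSAT workstation, as a domain admin ---------------------
# A 2008 R2 MSA is tied to exactly one computer (no sharing before gMSA in 2012).
New-ADServiceAccount -Name $msaName -Enabled $true `
    -Description "Service identity for $svcName on $hostName"

# Authorise WEB01 to use the account; from now on that computer owns the password.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# Register the SPNs on the MSA so clients get Kerberos rather than falling back to NTLM.
Set-ADServiceAccount -Identity $msaName -ServicePrincipalNames @{ Add = $spns }

# --- Part 2: on WEB01, as a local administrator (AD module installed there too) ----
# Stores the MSA credential in the local LSA; nothing can use the account before this.
Install-ADServiceAccount -Identity $msaName
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "$hostName cannot use $msaName; re-check Add-ADComputerServiceAccount and Kerberos."
}

# Re-point the service at the MSA. The password argument is empty: Windows manages it.
$domain = (Get-ADDomain).NetBIOSName
$svc    = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
# Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode,
#                      DesktopInteract, StartName, StartPassword); $null leaves a field as is.
$r = $svc.Change($null, $null, $null, $null, $null, $null, "$domain\$msaName`$", '')
if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($r.ReturnValue)" }
Restart-Service -Name $svcName
```

If the service then fails to start with a logon failure, grant the MSA the "Log on as a service" right on WEB01 (the Services console does this automatically; the WMI path does not). An IIS 7.5 application pool takes the same identity: set the pool to a specific user named DOMAIN\svcIntranet$ with a blank password.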


Fine-Grained Password Policies enable multiple password and lockout policies per domain
Description and Benefits
Previous AD versions permitted only a single password and account lockout policy per domain. Separate policies for different sets of users required a password filter or multiple domains, adding to the administrative burden and complicating the AD environment. With multiple password policies per domain (Password Settings Objects, or PSOs), it is much easier to apply more restrictive policies where warranted, such as for administrators and service accounts.
Special Considerations
Requires the Windows Server 2008 domain functional level. PSOs are applied to users and global security groups, not to OUs; if users are organized only by OU, set up a shadow group that mirrors the OU's membership and keep it in sync. Each PSO carries a complete set of password and lockout settings and, when several apply to one user, the PSO with the lowest precedence value wins. Custom password filters are not affected and can still be used to apply additional restrictions.

Additional Information
AD DS: Fine-Grained Password Policies (Microsoft TechNet)
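An added example (not from the deck or from Microsoft's guide) of the shadow-group approach described above: a global security group is created for an OU, kept in sync with the OU's users by a function you can schedule, and used as the subject of a PSO with every password and lockout value set explicitly. The OU, group and PSO names are hypothetical; it assumes the Windows Server 2008 domain functional level and the Active Directory module.

```powershell
Import-Module ActiveDirectory

# Hypothetical names: adjust to your environment.
$ouDN    = 'OU=Finance,DC=corp,DC=example,DC=com'   # users who need the stricter policy
$shadow  = 'PSO-Finance-Strict'                      # global security group mirroring the OU
$psoName = 'Finance-Strict'                          # the Password Settings Object

# A shadow group does not follow users moved in or out of the OU on its own.
# Run this from a scheduled task so new hires fall under the PSO and leavers drop out.
function Sync-ShadowGroup {
    param([string]$OU, [string]$Group)
    $inOU  = @(Get-ADUser -Filter * -SearchBase $OU -SearchScope Subtree |
               Select-Object -ExpandProperty DistinguishedName)
    $inGrp = @(Get-ADGroupMember -Identity $Group |
               Where-Object { $_.objectClass -eq 'user' } |
               Select-Object -ExpandProperty DistinguishedName)
    $add    = @($inOU  | Where-Object { $inGrp -notcontains $_ })
    $remove = @($inGrp | Where-Object { $inOU  -notcontains $_ })
    if ($add)    { Add-ADGroupMember    -Identity $Group -Members $add }
    if ($remove) { Remove-ADGroupMember -Identity $Group -Members $remove -Confirm:$false }
    "${Group}: added $($add.Count), removed $($remove.Count)"
}

if (-not (Get-ADGroup -Filter { Name -eq $shadow })) {
    New-ADGroup -Name $shadow -GroupScope Global -GroupCategory Security -Path $ouDN `
        -Description "Shadow group for $ouDN; subject of PSO $psoName"
}
Sync-ShadowGroup -OU $ouDN -Group $shadow

# A PSO replaces BOTH the password and the lockout settings for its subjects. Setting
# only MinPasswordLength would silently discard the domain lockout policy for these
# users, so every value is given. Lower Precedence wins when several PSOs match.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 14 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00'
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $shadow

# Check the resultant policy for one user in the OU. An empty result means the user
# is still governed by the Default Domain Policy, i.e. the PSO is not reaching them.
$sample = Get-ADUser -Filter * -SearchBase $ouDN | Select-Object -First 1
Get-ADUserResultantPasswordPolicy -Identity $sample |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

Run Sync-ShadowGroup again whenever accounts are moved; a PSO that is bound to a stale shadow group is the most common reason a user "has the wrong password policy".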


Authentication Mechanism Assurance strengthens access control for logons from personal devices


Description and Benefits
Authentication Mechanism Assurance adds an administrator-designated group to a user's Kerberos token when the user logs on with a certificate issued under a particular issuance policy (e.g., a smart card), and omits it when the same user logs on with a password. Because only company-assigned PCs have the smart-card readers or certificates involved, access rules based on that group effectively distinguish a company-assigned PC from a home computer or personal mobile device. Personal devices create a security risk since you cannot guarantee that they meet corporate security standards; the extra level of identification lets administrators restrict what users can reach when they log on from them.

Special Considerations
This feature is disabled by default: nothing changes until an issuance policy is linked to a group. Requires the Windows Server 2008 R2 domain functional level and a certificate-based authentication infrastructure (e.g., smart card or token-based authentication) with distinct issuance policies for the logon methods you want to tell apart.
Additional Information
What's New in AD DS: Authentication Mechanism Assurance (Microsoft TechNet)
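An added example, not from the deck or from Microsoft's AMA guide, of the linking step that turns the feature on: it finds the issuance-policy OID object in the configuration partition and writes the group's DN into its msDS-OIDToGroupLink attribute. The policy display name and group name are hypothetical; the checks on the group (universal security group with no static members) follow the requirements stated in Microsoft's AMA step-by-step guide.

```powershell
Import-Module ActiveDirectory

# Hypothetical names: adjust to your environment.
$policyName = 'High Assurance Smart Card'   # displayName of the issuance policy (certificate templates console)
$groupName  = 'AMA-SmartCard-Logon'         # group that should appear in the token after a smart-card logon

if ((Get-ADDomain).DomainMode -ne 'Windows2008R2Domain') {
    throw 'Authentication Mechanism Assurance needs the Windows2008R2Domain functional level'
}

# Issuance policies are msPKI-Enterprise-Oid objects under the OID container of the
# configuration partition; the link to a group is the msDS-OIDToGroupLink attribute.
$configNC     = (Get-ADRootDSE).configurationNamingContext
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNC"
$oid = Get-ADObject -SearchBase $oidContainer `
    -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(displayName=$policyName))" `
    -Properties displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
if (-not $oid) { throw "No issuance policy named '$policyName' under $oidContainer" }

# Microsoft's guide requires a universal security group with no static members:
# membership comes only from how the user authenticated, never from the group itself.
$group = Get-ADGroup -Identity $groupName -Properties member
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw "$groupName must be a universal security group"
}
if ($group.member.Count -gt 0) { throw "$groupName must have no static members" }

Set-ADObject -Identity $oid.DistinguishedName `
    -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# Show the finished mapping (policy OID -> group DN)
Get-ADObject -Identity $oid.DistinguishedName `
    -Properties displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink' |
    Format-List displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'

# On a client, after the next fresh smart-card logon (tickets from before the link
# do not contain the group):   whoami /groups | findstr /i AMA-SmartCard-Logon
# The same user logging on with a password does not get the group, which is what
# lets a share or folder ACL granting $groupName distinguish the two cases.
```

Grant the linked group access on the resources that should only be reachable from a smart-card session; grant the ordinary user group nothing there. Because the group is injected into the token at logon, a user who removes the smart card and reconnects with a password loses the access on the next logon, with no change to any ACL.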


Remote Windows 7 users gain seamless connectivity and improved file access speed
Description and Benefits
The following Windows 7 features are possible in a 2008 R2 Active Directory environment:
- BranchCache: Caches commonly accessed files locally in branch offices for much faster file access.
- DirectAccess: Automatically connects a remote Windows 7 PC to the corporate network over IPsec whenever it has Internet connectivity, with no VPN client for the user to launch. If the connection drops, it is re-established as soon as the network is available again.
- Offline Domain Join: Enables pre-provisioning Windows 7 PCs so that they are domain members from their first start-up, without contacting a DC.
Special Considerations
BranchCache and DirectAccess are available only for Windows Server 2008 R2 and Windows 7 computers. DirectAccess also requires IPv6 or IPv6 transition technologies. Offline Domain Join can also be used with earlier AD environments by adding the /downlevel parameter to djoin.exe.

Additional Information
- BranchCache and DirectAccess: Improving the Branch Office Experience (Microsoft TechNet)
- BranchCache for Windows Server 2008 R2 (Microsoft TechNet)
- What's New in AD DS: Offline Domain Join (Microsoft TechNet)
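An added example (not from the deck) of the Offline Domain Join procedure end to end with djoin.exe: provisioning the computer account and blob from an admin machine, protecting the blob, and consuming it on the Windows 7 machine. The domain, computer name, OU and paths are hypothetical; the /downlevel and /reuse switches are mentioned in comments because they are the two most often needed.

```powershell
# Hypothetical values: adjust to your environment.
$domain   = 'corp.example.com'
$computer = 'WS7-0042'
$ou       = 'OU=Workstations,DC=corp,DC=example,DC=com'
$blobDir  = 'C:\odj'
$blob     = Join-Path $blobDir "$computer.txt"

# --- On a domain-joined admin machine with rights to create computer objects in $ou ---
if (-not (Test-Path $blobDir)) { New-Item -ItemType Directory -Path $blobDir | Out-Null }
# Add /downlevel when the DC you target is 2008 or 2003 instead of 2008 R2;
# add /reuse to reuse an existing computer account instead of failing on it.
& djoin.exe /provision /domain $domain /machine $computer /machineou $ou /savefile $blob
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed ($LASTEXITCODE)" }

# The blob contains the machine account's password. Strip inherited ACEs and leave
# only the provisioning admin with access until it has been consumed.
$acl = Get-Acl -Path $blob
$acl.SetAccessRuleProtection($true, $false)
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
Set-Acl -Path $blob -AclObject $acl

# Confirm the pre-created account landed in the intended OU before imaging.
Import-Module ActiveDirectory
Get-ADComputer -Identity $computer | Select-Object Name, DistinguishedName, Enabled

# --- On the Windows 7 machine, before its first domain logon ---------------------------
# /localos applies the join to the running OS and takes effect at the next reboot.
# For an offline image mounted at D:\ use  /windowspath D:\Windows  instead.
& djoin.exe /requestODJ /loadfile $blob /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed ($LASTEXITCODE)" }
Remove-Item -Path $blob -Force     # never leave the credential blob on the image
```

Treat the blob like a password file: anyone who obtains it before the machine first starts can join their own device under that computer identity, so move it over an authenticated channel and delete it as soon as /requestODJ succeeds.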

Best Practices Analyzer identifies Active Directory configuration issues


Description and Benefits
Checks whether your AD DS configuration follows Microsoft's best practices. To help you identify and resolve best-practice violations, this feature provides:
- A rules component that defines what a best-practice configuration is.
- A PowerShell script that collects data on your configuration.
- A guidance component that helps you resolve identified issues.
Special Considerations
The feature can be run from the Best Practices Analyzer section of Server Manager or with the BestPractices PowerShell module (Invoke-BpaModel and Get-BpaResult).
Additional Information
What's New in AD DS: Active Directory Best Practices Analyzer (Microsoft TechNet)
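An added example (not from the deck) of running the AD DS Best Practices Analyzer from PowerShell on a 2008 R2 DC, keeping only actionable findings, and recording them so drift between scans is visible. The model ID is the one shipped with the AD DS role; the output path is hypothetical.

```powershell
Import-Module BestPractices

$model = 'Microsoft/Windows/DirectoryServices'   # the AD DS BPA model on 2008 R2

# Run the scan: collects the configuration and evaluates the rules component.
Invoke-BpaModel -BestPracticesModelId $model | Out-Null

# Keep only Error/Warning results that nobody has excluded; Information entries and
# compliant rules are noise for a remediation list.
$findings = Get-BpaResult -BestPracticesModelId $model |
    Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded }

$findings | Select-Object Severity, Category, Title, Problem, Impact, Resolution | Format-List

# Keep a dated record so the next scan can be compared with this one.
$findings | Export-Csv -NoTypeInformation -Path "$env:TEMP\ADDS-BPA-$(Get-Date -Format yyyyMMdd).csv"

# To scan every DC from one console (needs WinRM on the DCs):
# Import-Module ActiveDirectory
# $dcs = (Get-ADDomainController -Filter *).HostName
# Invoke-Command -ComputerName $dcs -ScriptBlock {
#     Import-Module BestPractices
#     Invoke-BpaModel -BestPracticesModelId 'Microsoft/Windows/DirectoryServices' | Out-Null
#     Get-BpaResult -BestPracticesModelId 'Microsoft/Windows/DirectoryServices' |
#         Where-Object { $_.Severity -eq 'Error' }
# }
```

A finding you have consciously accepted can be hidden from future reports with Set-BpaResult -Exclude; record the reason alongside, since the exclusion itself does not store one.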


Read-Only Domain Controllers (RODCs) provide a security option for less-secure locations
Description and Benefits
The RODC is designed for remote locations with poor physical security. By default an RODC stores no account passwords; a Password Replication Policy lists the accounts (typically the branch's own users and computers) whose secrets it may cache, and the built-in Denied RODC Password Replication Group keeps privileged accounts off it. Replication is one-way only, inbound to the RODC. So if the RODC is compromised, the exposure is limited to the cached branch credentials, and no change made on the RODC can spread to the rest of the network. Without an RODC, the alternative when security is a concern is to authenticate over the WAN to a DC in another location, which can be slow depending on network bandwidth.
Special Considerations
The forest functional level must be Windows Server 2003 or higher, adprep /rodcprep must have been run, and the RODC needs a writable Windows Server 2008 (or later) DC in the same domain to replicate from.

Domain admin credentials are never cached on an RODC. Use Administrator Role Separation to delegate local administration of the RODC server (patching, drivers, backups) to a branch account that holds no domain-wide rights, so that a domain admin never has to log on at the branch.
Set up a dedicated group for the accounts that may be cached on each RODC, and review which credentials have actually been revealed to it.
Additional Information
- AD DS: Read-Only Domain Controllers (Microsoft TechNet)
- Read-Only Domain Controllers and Account Lockouts (Microsoft TechNet)
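An added example (not from the deck) of operating the Password Replication Policy described above: allowing one branch group, pre-populating its secrets so first logons work during a WAN outage, and producing the list of credentials that would have to be reset if the RODC were stolen. The RODC, group and writable DC names are hypothetical.

```powershell
Import-Module ActiveDirectory

# Hypothetical names: adjust to your environment.
$rodc        = 'BR01-RODC'              # the read-only DC in the branch
$branchGroup = 'BR01-Branch-Accounts'   # users and computers that work from that branch
$writableDC  = 'HQ-DC01'                # writable DC used as the source for pre-population

# 1. Allow only this branch's accounts to be cached. Domain Admins, Enterprise Admins
#    and the other built-ins stay blocked by the Denied RODC Password Replication Group.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $branchGroup

'--- allowed ---'; Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
'--- denied  ---'; Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# 2. Pre-populate passwords now, so the branch keeps working if the WAN is down the
#    first time someone logs on. Only allowed accounts succeed here; denied ones error.
Get-ADGroupMember -Identity $branchGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' -or $_.objectClass -eq 'computer' } |
    ForEach-Object {
        Sync-ADObject -Object $_.DistinguishedName -Source $writableDC -Destination $rodc -PasswordOnly
    }

# 3. Blast radius: the accounts whose secrets actually live on this RODC. These are the
#    passwords to reset if the box walks out of the branch office.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
$revealed | Select-Object Name, objectClass, DistinguishedName | Format-Table -AutoSize

# Accounts that authenticated through this RODC but are NOT cached: either candidates
# for the allowed list, or people logging on at a branch they do not belong to.
$revealedDNs = @($revealed | Select-Object -ExpandProperty DistinguishedName)
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Where-Object { $revealedDNs -notcontains $_.DistinguishedName } |
    Select-Object Name, objectClass | Format-Table -AutoSize
```

If the RODC is lost, delete its computer account from Active Directory Users and Computers; the deletion wizard offers to reset the passwords of every revealed account and to export the list, which is the same set step 3 prints.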


Database Mounting Tool expedites the recovery process

Description and Benefits
Also known as Snapshot Viewer or Snapshot Browser. Lets you mount AD backups or snapshots taken at different times and browse them over LDAP, so that you can compare them with the live directory and determine which backup is the best one to restore. Previously the only option was to restore each backup in turn to find out what it contained. Can also be used to review changes made to your AD environment, for example to find out when a group's membership changed.

Special Considerations
A mounted snapshot is a complete, readable copy of the directory database, including password hashes, so snapshots warrant the same protection as AD DS backups. The tool does not restore anything by itself: once you have identified the right backup, recovery is still a normal authoritative or non-authoritative restore.
Additional Information
AD DS: Database Mounting Tool (Microsoft TechNet)
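An added example (not from the deck) of the snapshot workflow: create and mount a snapshot with ntdsutil, expose it with dsamain on an alternate LDAP port, and diff a sensitive group between the snapshot and the live directory with the Active Directory module. The mount path, port and group are hypothetical, and {GUID} stands for the snapshot GUID that "snapshot list all" prints on your DC.

```powershell
Import-Module ActiveDirectory

# Hypothetical values: adjust to your environment.
$snapshotPath = 'C:\$SNAP_201004011200_VOLUMEC$'   # mount path printed by ntdsutil after "mount"
$ldapPort     = 50000                              # any free port; 389 is taken by the live DC
$groupName    = 'Domain Admins'

# 1. Create and mount a VSS snapshot of the directory (elevated, on the DC).
ntdsutil "activate instance ntds" snapshot create quit quit
ntdsutil snapshot "list all" quit quit
# ntdsutil snapshot "mount {GUID}" quit quit        # prints the C:\$SNAP_... path used above

# 2. Serve the mounted copy as its own LDAP server. dsamain blocks, so start it in its
#    own window. Binding needs an admin from the snapshot; do not add -allowNonAdminAccess.
$dit = Join-Path $snapshotPath 'Windows\NTDS\ntds.dit'
Start-Process -FilePath dsamain.exe -ArgumentList "-dbpath `"$dit`" -ldapport $ldapPort"
Start-Sleep -Seconds 10

# 3. Compare a group's membership then and now. -Server accepts host:port, so the same
#    cmdlets read the snapshot and the live directory.
function Compare-GroupMembership {
    param([string]$Group, [string]$SnapshotServer)
    $old = @(Get-ADGroupMember -Identity $Group -Server $SnapshotServer |
             Select-Object -ExpandProperty DistinguishedName)
    $now = @(Get-ADGroupMember -Identity $Group |
             Select-Object -ExpandProperty DistinguishedName)
    Compare-Object -ReferenceObject $old -DifferenceObject $now |
        ForEach-Object {
            $state = if ($_.SideIndicator -eq '=>') { 'ADDED since snapshot' } else { 'REMOVED since snapshot' }
            '{0,-22} {1}' -f $state, $_.InputObject
        }
}
Compare-GroupMembership -Group $groupName -SnapshotServer "localhost:$ldapPort"

# 4. Clean up: Ctrl+C in the dsamain window, then
# ntdsutil snapshot "unmount {GUID}" quit quit
# ntdsutil snapshot "delete {GUID}" quit quit
```

Running the comparison against each snapshot in turn shows which one predates the unwanted change; that snapshot's backup is the one to restore. Leaving a snapshot mounted or a dsamain instance running is equivalent to leaving an unattended copy of ntds.dit on the network, so always finish with step 4.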


PowerShell saves administration time through task automation

Description and Benefits

PowerShell is a scripting language that administrators can use to simplify and automate configuration, administration and diagnostic tasks.
Examples of tasks that can be performed include: disable/enable accounts, search for accounts, add or remove accounts, and create, modify or remove objects.
Special Considerations
Can be installed on a Windows 7 PC as part of the Remote Server Administration Tools (RSAT). See Remote Server Administration Tools for Windows 7 (Microsoft Source). The Active Directory module talks to Active Directory Web Services (ADWS), so the DC you target must be running ADWS (2008 R2, or 2003/2008 with the Active Directory Management Gateway Service) and TCP port 9389 must be open to it.
Additional Information
What's New in AD DS: Active Directory Module for Windows PowerShell (Microsoft TechNet)


Recycle Bin Undo simplifies recovery from accidental deletions

Description and Benefits
With 2003 DCs, deleted objects could be recovered from Windows Server backups, but the DC had to be taken offline for an authoritative restore. Tombstone reanimation allowed recovery while online, but most attributes, including group memberships, were lost with the tombstone. With the 2008 R2 Recycle Bin enabled, a deleted object keeps all of its attributes and links for the deleted-object lifetime (180 days by default), so it can be restored intact, without any downtime.
Special Considerations

This feature is disabled by default.

Enabling it requires the Windows Server 2008 R2 forest functional level, and once the feature is enabled it cannot be turned off and the forest cannot roll back to a lower functional level.
Additional Information
What's New in AD DS: Active Directory Recycle Bin (Microsoft TechNet)
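An added example (not from the deck) that checks the forest functional level, enables the Recycle Bin if needed, lists what is still restorable, and restores a deleted OU together with everything that was in it. The ordering matters: Restore-ADObject fails when the object's parent is itself still deleted, so the function restores parents before children and recurses into nested OUs. The OU name in the usage line is hypothetical.

```powershell
Import-Module ActiveDirectory

$forest = Get-ADForest
# Enabling needs the 2008 R2 forest functional level and is irreversible.
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest functional level is $($forest.ForestMode); the Recycle Bin needs Windows2008R2Forest"
}
$feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# Everything still within the deleted-object lifetime. lastKnownParent is where the
# object lived; msDS-LastKnownRDN is its original name (the live name is mangled).
function Get-DeletedObjects {
    Get-ADObject -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' } `
        -IncludeDeletedObjects -Properties lastKnownParent, 'msDS-LastKnownRDN', whenChanged
}
Get-DeletedObjects | Select-Object 'msDS-LastKnownRDN', objectClass, lastKnownParent, whenChanged |
    Format-Table -AutoSize

# Restore an OU and its former contents. Children record the parent either by its
# original DN or by its deleted DN, so both are matched.
function Restore-DeletedSubtree {
    param([string]$OriginalDN)
    $rdn    = (($OriginalDN -split ',', 2)[0]) -replace '^[^=]+='   # 'Finance' from 'OU=Finance,...'
    $parent = ($OriginalDN -split ',', 2)[1]
    $all    = @(Get-DeletedObjects)
    $root   = $all | Where-Object { $_.'msDS-LastKnownRDN' -eq $rdn -and $_.lastKnownParent -eq $parent } |
              Sort-Object whenChanged -Descending | Select-Object -First 1   # newest if deleted twice
    if (-not $root) { throw "No deleted object found for $OriginalDN" }
    $deletedDN = $root.DistinguishedName
    Restore-ADObject -Identity $root.ObjectGUID                               # parent first
    $children = $all | Where-Object { $_.lastKnownParent -eq $OriginalDN -or $_.lastKnownParent -eq $deletedDN }
    foreach ($c in $children) {
        if ($c.objectClass -eq 'organizationalUnit') {
            Restore-DeletedSubtree -OriginalDN "OU=$($c.'msDS-LastKnownRDN'),$OriginalDN"   # recurse
        } else {
            Restore-ADObject -Identity $c.ObjectGUID
        }
    }
}

# Hypothetical usage:
# Restore-DeletedSubtree -OriginalDN 'OU=Finance,DC=corp,DC=example,DC=com'
```

Objects older than the deleted-object lifetime have become recycled objects and no longer appear in the listing; for those, the Database Mounting Tool and a backup are the only way back.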


Additional security and workflow features include Auditing and Restartable Domain Services
Auditing Enhancements: Let you specify which directory operations to audit (the Directory Service Changes subcategory) and record the old and new attribute values in the security log, not merely the fact that an object changed. For more details, see AD DS: Auditing (Microsoft TechNet).
Owner Rights: Lets you assign rights to the OWNER RIGHTS principal, overriding the implicit rights an object's owner would otherwise have. For more details, see AD DS: Owner Rights (Microsoft TechNet).
Management Pack: A System Center Operations Manager pack that monitors computer and software states to assess availability and performance. For more details, see Active Directory Federation Services Management Pack Readme (Microsoft TechNet).
Restartable Active Directory Domain Services: Lets you stop and start AD Domain Services to perform tasks such as offline defragmentation or security updates without restarting the DC server. For more details, see AD DS: Restartable Active Directory Domain Services (Microsoft TechNet).
Web Services: Provides a Web service interface (ADWS) to AD domains and AD LDS instances; it is what the Administrative Center and the PowerShell module use. For more details, see What's New in AD DS: Active Directory Web Services (Microsoft TechNet).
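An added example (not from the deck) of putting the auditing enhancement to work: auditing is both a policy setting and a SACL, and nothing is logged until both are in place. The block enables the Directory Service Changes subcategory, puts a SACL on an OU holding privileged objects, and parses the resulting events into a table. The OU name is hypothetical.

```powershell
Import-Module ActiveDirectory   # provides the AD: drive that Get-Acl/Set-Acl use below

# Hypothetical target: the OU that holds privileged groups and admin accounts.
$ouDN = 'OU=Tier0,DC=corp,DC=example,DC=com'

# 1. Policy: turn the subcategory on. Done locally here; in production set it in the
#    Default Domain Controllers Policy so every DC logs it and a GPO refresh keeps it.
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /get /subcategory:"Directory Service Changes"

# 2. SACL: audit every successful write, create, delete and permission change on the
#    OU and everything under it. Without this step the policy above produces nothing.
$path = "AD:\$ouDN"
$acl  = Get-Acl -Path $path -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild, Delete, WriteDacl, WriteOwner'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone, $rights, [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Read what Directory Service Changes writes: 5136 modify (with the value), 5137 create,
#    5138 undelete, 5139 move, 5141 delete.
function Get-RecentDirectoryChanges {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139, 5141;
                                     StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Actor     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object    = $d['ObjectDN']
                Attribute = $d['AttributeLDAPDisplayName']
                Value     = $d['AttributeValue']
            }
        }
}

# Membership changes to groups under the OU, plus every create/move/delete in it.
Get-RecentDirectoryChanges -Hours 24 |
    Where-Object { $_.Attribute -eq 'member' -or $_.EventId -ne 5136 } |
    Format-Table Time, EventId, Actor, Object, Attribute, Value -AutoSize
```

A 5136 for the member attribute arrives as a pair: one event with the removed value and one with the added value, so a group change shows who was added, who was removed, and which account did it. Forward these events off the DC; an attacker with domain admin rights can clear the local security log.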


Appendix C: Research Demographics


Info-Tech conducted a survey to generate the data needed to create this research. The following are graphs depicting the demographic information of those who participated in the survey.
