Sunday, April 15, 2012

VMWARE and Windows Infrastructure Design (2) - Active Directory Service Design

Forest
Step 1:
1. Single forest, or
2. Multiple forests, if
a. Multiple schemas
b. Resource forests
c. Forest administrator distrust
d. Legal regulations or geo-political reasons for application and/or data access

Domain
Step 1
1. Single domain, or
2. Multiple domains, if
a. More than 100,000 user or computer objects
b. Large number of frequently changing attributes
c. Directory replication problems across slow links, even with compression enabled
d. An existing Microsoft directory that must remain at an earlier operating system level.

Step 2
Forest root domain
1. Planned domain, or
2. Dedicated forest root domain, if
a. Operational separation of forest service administrators;
b. Protection from operational changes in other domains;
c. Serves as a neutral root.

Step 3
Domain controller placement
1. Hub location, and
2. Satellite locations

Step 4
Domain controller
1. Minimum requirements for DC numbers
Users per domain in a site      Minimum number of domain controllers required per domain in a site
1–499                           One (single processor)
500–999                         One (dual processors/cores)
1,000–2,999                     Two (dual processors/cores)
3,000–10,000                    Two (quad processors/cores)

2. If a site has only one domain controller, clients in that site will have to communicate with a domain controller across the WAN in the event of its failure
3. Use an RODC where physical security is poor

Step 5
Global Catalog
1. All domain controllers are global catalog servers if there is only one domain;
2. In a multi-domain forest, do not make every domain controller a global catalog; instead place a global catalog in a site carefully, as below:
a. If an application requires it;
b. If there are more than 100 users;
c. If the WAN is not 100% available;
d. If there are many roaming users.

Step 6
FSMO Roles
1. One domain controller has all roles if only one domain;
2. Do not place Infrastructure Master on global catalog server if multi-domain forest.

Step 7
Sites
1. Create a site for each location where domain controllers are placed or where resources/services rely on the site topology;
2. Associate each remaining location with the nearest defined site;
3. Consider the following when defining site links:
a. Configuration and schema convergence
b. Domain convergence
c. Global catalog convergence
d. Application partition convergence
4. Disable Bridge All Site Links if
a. Network is not fully routed
b. AD DS replication flow is controlled by design

Step 8
OU Structure
1. For delegation of administration
2. For group policy application

Step 9
NTP
1. Use an external NTP server in general;
2. Use an internal NTP server/device if there is a compliance/regulation requirement;
3. Use a GPO with a WMI filter to apply the NTP server setting in the Domain Controllers container
    a. GPO entry: Computer Configuration\Windows Settings\Administrative Templates\Windows Time Service;
    b. WMI Filter:
         Namespace - root\CIMv2
         Query - Select * from Win32_ComputerSystem where DomainRole = 5
         (DomainRole values: 0 = Standalone Workstation, 1 = Member Workstation, 2 = Standalone Server, 3 = Member Server, 4 = Backup Domain Controller, 5 = Primary Domain Controller)
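An added check for Step 9 (example code, not part of the original post): it evaluates the same Win32_ComputerSystem.DomainRole property the WMI filter tests (only the PDC emulator reports 5; every other writable DC reports 4), then compares the W32Time registry configuration and the live time source against the design, so that only the PDC emulator syncs from the NTP server and the other DCs follow the domain hierarchy. It assumes PowerShell 3.0 or later, run elevated on a domain controller; the registry keys and w32tm switches used are the standard Windows ones.

```powershell
# Added example: audit this DC's time source against the Step 9 design.
# Assumes PowerShell 3.0+ (Get-CimInstance) and an elevated session on a domain controller.

$roleNames = @{
    0 = 'Standalone Workstation';   1 = 'Member Workstation'
    2 = 'Standalone Server';        3 = 'Member Server'
    4 = 'Backup Domain Controller'; 5 = 'Primary Domain Controller'
}

# Same class, namespace and property the GPO WMI filter evaluates.
$cs   = Get-CimInstance -Namespace 'root\CIMv2' -ClassName Win32_ComputerSystem
$role = [int]$cs.DomainRole
Write-Host ("DomainRole = {0} ({1})" -f $role, $roleNames[$role])

# Effective W32Time settings (this is what the GPO ends up writing).
$params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$type   = $params.Type        # 'NTP' = manual peer list, 'NT5DS' = domain hierarchy
$peers  = $params.NtpServer   # e.g. 'ntp1.example.com,0x8 ntp2.example.com,0x8'

$findings = @()
switch ($role) {
    5 {
        # PDC emulator: the only DC that should point at the external/internal NTP source.
        if ($type -ne 'NTP') { $findings += "PDC emulator uses '$type' instead of a manual NTP peer list." }
        if ([string]::IsNullOrWhiteSpace($peers)) { $findings += 'PDC emulator has no NtpServer peers configured.' }
    }
    4 {
        # Every other DC must follow the domain hierarchy, so the WMI filter has to exclude it.
        if ($type -ne 'NT5DS') { $findings += "Non-PDC domain controller uses '$type'; expected NT5DS." }
    }
    default { $findings += "Not a domain controller (role $role); the Step 9 GPO should not apply here." }
}

# Compare the configuration with what the service is actually doing right now.
$source = (& w32tm.exe /query /source 2>&1) -join ' '
Write-Host "Current time source: $source"
if ($role -eq 5 -and $source -match 'Local CMOS Clock|Free-running') {
    $findings += 'PDC emulator is free-running on its local clock; NTP sync is not working.'
}

if ($findings.Count -eq 0) { Write-Host 'Time source configuration matches the design.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```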

Step 10
Backup and Disaster Recovery
1. Do not recover an Active Directory domain controller from a backup copy of an old virtual disk
2. Do not use snapshots (differencing) disks as this could cause corruption and performance degradation within Active Directory
3. Do not pause or suspend virtual domain controllers for extended periods of time
4. Set up Restart Priority to High and Isolation Response to Leave Power On
5. Use DRS anti-affinity rules to keep domain controllers on separate hosts

