Title: Develop an Up-to-Date Active Directory Strategy, and Implement
Active Directory Strategy and Migration
Active Directory (AD) is a network security solution included in Windows Server operating systems. AD provides user authentication, manages access to network resources, and can be used to deploy software. To facilitate security and administration, AD enables companies to organize users and systems on the network into a tree-like hierarchical structure. Windows 2008 and 2008 R2 introduced significant AD security and administration enhancements. Migration to a 2008 platform will be inevitable as earlier OSs no longer meet IT requirements or reach end-of-life. The questions are when to migrate, and what the migration best practices are.
Those who should read this
- Clients looking to improve their Active Directory structure
- Clients evaluating Windows Server 2008 R2 Active Directory
- Clients planning/executing a migration to Windows Server 2008 R2
At the end, you will have
- An optimal Active Directory structure for your environment.
- An understanding of what's new in 2008 R2 Active Directory.
- The criteria required to decide when, and if, to migrate to 2008 R2.
- Migration best practices.
Info-Tech Research Group
Executive Summary
- Many organizations have sub-optimal AD structures that are focused more on organizational hierarchy or political motivators, leading to unnecessary complexity and higher administration costs.
- A single forest and single domain is best for most small or mid-sized companies.
- Introduce multiple forests or domains only when there are justifiable legal, business, or technical needs to isolate parts of the organization or grant autonomy.
- A key decision facing organizations is when to migrate to Windows 2008 R2 AD. Although the new security and administration features are significant, by themselves they do not warrant a migration project.
- Wait for opportunities to migrate as part of another project, such as a hardware refresh or an overall mandate to standardize on Windows 2008 or 2008 R2.
- Companies that take full advantage of online Microsoft resources have good success with migration, and do not need third-party consultants or tools.
Active Directory Introduction, Planning, and Design
Use Active Directory to organize your network, facilitate administration, and in some cases isolate resources
- Active Directory's primary purpose is authenticating users logging on to the network and granting access rights. AD uses the concept of containers to organize users and computers into a hierarchical framework to facilitate administration or isolate resources.
Optimize the replication topology to reduce the need for regional domains or more expensive WAN links
The Domain Controller (DC) servers hold the AD configuration settings and user credentials. The DC databases are replicated to every other DC in the domain to allow authentication and administration to take place at any location. This generates significant network traffic. Creating regional domains is one way to reduce cross-country replication traffic, but it is often not necessary if you can optimize the replication topology.
- Replication Topology: The network connections that enable DCs to be replicated to all other DCs.
- Knowledge Consistency Checker (KCC): Creates the replication topology based on the best available connections between DCs.
- Sites: Each location can be identified as a site to optimize network traffic between locations as follows:
  - Authentication and service requests are directed to the closest DC.
  - While the KCC will define the replication topology within a site, you define the links between sites to minimize WAN traffic. For example, funnel the replication through a central site to minimize east-west traffic, as shown in the diagram.
Single domain with three locations/sites. DC servers in each location allow for local authentication. Cross-country replication traffic is funneled through DCs in a central site.
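The three-site, hub-and-spoke topology in the diagram, written out with the ActiveDirectory module's replication cmdlets as an added example (not code from the original deck). Site names, subnets, DC names and the domain DN are constructed; the New-ADReplication* cmdlets ship with the ActiveDirectory module from Windows Server 2012 onward, not with the 2008 R2 module.

```powershell
# Added example: hub-and-spoke site topology that funnels replication
# through a central site. Site names, subnets, DC names and the domain
# DN are constructed. Requires the ActiveDirectory module from Windows
# Server 2012 or later RSAT (the replication cmdlets are not in 2008 R2's).
Import-Module ActiveDirectory

# One site per physical location. Clients whose IP falls inside a site's
# subnets send logon and service requests to a DC in that site.
$sites = @{
    'East'    = '10.1.0.0/16'
    'Central' = '10.2.0.0/16'
    'West'    = '10.3.0.0/16'
}
foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    New-ADReplicationSubnet -Name $sites[$name] -Site $name
}

# Spoke-to-hub links only. With no East-West link defined, the KCC has
# to route cross-country replication through Central.
foreach ($spoke in 'East', 'West') {
    New-ADReplicationSiteLink -Name "$spoke-Central" `
        -SitesIncluded $spoke, 'Central' `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 30 `
        -InterSiteTransportProtocol IP
}

# "Bridge all site links" is on by default and makes the two links
# transitive, so the KCC could still build a direct East<->West connection.
# Setting options bit 0x2 on the IP transport container turns bridging
# off and enforces the funnel. Replace the domain DN with your own.
$ipTransport = 'CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=corp,DC=example'
Set-ADObject -Identity $ipTransport -Replace @{ options = 2 }

# Place each location's DC in its site (constructed DC names). Once
# Default-First-Site-Name and DEFAULTIPSITELINK are empty they can be retired.
$dcSites = @{ 'DC-EAST1' = 'East'; 'DC-CENTRAL1' = 'Central'; 'DC-WEST1' = 'West' }
foreach ($dc in $dcSites.Keys) {
    Move-ADDirectoryServer -Identity $dc -Site $dcSites[$dc]
}

# Review the resulting inter-site links.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```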
Understand the concepts of administration, isolation and autonomy to further assess the need for multiple forests/domains
- Restricting administrator access is the primary reason for isolation and autonomy.
Multiple forests and domains lead to greater complexity and higher administration costs
Multiple forests and multiple autonomous domains require dedicated administration teams, increasing costs. The added complexity also requires more administration effort.
- Examples of costs due to multiple forests and domains include:
  - To achieve true isolation, each forest requires its own administration team.
  - Similarly, multiple domains created to achieve autonomy require their own administration teams.
  - Unless each forest or domain is completely independent (e.g., no shared resources and no users who require access to the other forest), multiple forests/domains typically require trust relationships to allow some access.
  - Group policy settings need to be duplicated in each domain.
"I don't want to create a separate domain and give the local IT guy the keys to the kingdom just because he wants to administer his own users." - Senior Systems Administrator, National Transportation Company
Avoid politically motivated Active Directory designs that lead to unnecessary multiple forests or domains
Ensure your requirements for multiple forests or domains are real business or technical needs. Below are examples of potential needs.
Further improve administration by using Groups rather than OUs to organize users for the purpose of applying group policies
The primary purpose of OUs is to delegate administration, not to administer group policies.
- It's not necessary to create an OU for each department if it serves no administrative purpose.
- When it comes to organizing users and resources for the purpose of administering policies, use groups rather than OUs:
  - OUs demand exclusive membership, meaning a system allocated to one OU can't be allocated to another. A user that belongs to the Sales OU but has tasks requiring R&D systems would require the creation of a dedicated Sales/R&D hybrid OU to ensure that appropriate permissions exist.
  - Groups are non-exclusive, so our example user could be enrolled in both the Sales and R&D groups with no additional administration requirements.
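The Sales/R&D user from the example above, handled with groups for policy and an OU only for delegation, as an added example (not the deck's own code). The OU path, group, user, GPO and location-admin names are constructed; it assumes the ActiveDirectory and GroupPolicy modules that ship with Windows Server 2008 R2 RSAT and the dsacls tool.

```powershell
# Added example: one user, two roles, no hybrid OU. Names are constructed.
# Requires the ActiveDirectory and GroupPolicy modules (2008 R2 RSAT).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$usersOU = 'OU=Users,OU=Corp,DC=corp,DC=example'

# Groups are non-exclusive: the same account joins both Sales and R&D.
foreach ($g in 'Sales', 'RD') {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $usersOU
}
New-ADUser -Name 'jdoe' -SamAccountName 'jdoe' -Path $usersOU -Enabled $false
Add-ADGroupMember -Identity 'Sales' -Members 'jdoe'
Add-ADGroupMember -Identity 'RD'    -Members 'jdoe'

# One GPO per role, each linked once to the OU that holds every user,
# and scoped with security filtering on the group rather than by OU
# placement. Authenticated Users keeps Read (the GPO must stay readable
# to the computer that processes it); only the role group gets Apply.
foreach ($g in 'Sales', 'RD') {
    $gpo = New-GPO -Name "$g Settings"
    New-GPLink -Name $gpo.DisplayName -Target $usersOU | Out-Null
    Set-GPPermissions -Name $gpo.DisplayName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead
    Set-GPPermissions -Name $gpo.DisplayName -TargetName $g `
        -TargetType Group -PermissionLevel GpoApply
}

# OUs are still the unit of delegation: the West location's admins get
# create/delete of user objects and password reset inside their own OU,
# nothing domain-wide. (Constructed OU and group names.)
$westOU = 'OU=West,OU=Corp,DC=corp,DC=example'
dsacls $westOU /I:T /G "CORP\West-Admins:CCDC;user"
dsacls $westOU /I:S /G "CORP\West-Admins:CA;Reset Password;user"

# Confirm jdoe now receives both role GPOs through group membership alone.
Get-ADPrincipalGroupMembership -Identity 'jdoe' | Select-Object Name
```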
Case Study: Use a single forest and single domain design to streamline administration complexity and costs
- Many organizations, large and small, have a single forest and domain, and instead use organizational units to subdivide administration.
AD Design Explanation
- Single forest, single domain, so no domain trust relationships are required.
- Each location has its own local administrator, so they are set up as separate OUs.
- DC replication is funneled through the central location to minimize cross-country traffic.
- A single set of Sales and Management group policies can be applied to users in all locations because they are all in the same domain.
Case Study: Create a separate forest to address isolation needs
- The west coast facility has dealings with the military. To meet security requirements, the location must be isolated.
AD Design Explanation
- The west coast location is set up as a separate forest with its own domain.
- A one-way trust enables the west coast facility to access east coast resources, but reverse access is not permitted.
- Each location has its own local administrator, so they are set up as separate OUs.
- Sales and Management groups and policies must be duplicated in each forest/domain.
Use this flowchart to determine Active Directory design requirements
- Follow the steps below to determine whether you need a dedicated (separate) forest, domain, or organizational unit to address organizational needs.
  - Identify potential needs in your organization for isolation, autonomy, or delegating administration.
  - For each need, follow the flowchart to identify structure requirements.
  - Diagram the resulting structure and confirm that it meets your overall needs while avoiding unnecessary complexity.
For more information on AD design, see Appendix A: Active Directory Planning and Design Resources.
What's new in Windows 2008 R2 Active Directory
Windows 2008 (R1) added security enhancements such as Fine-Grained Password Policies and Read-Only Domain Controllers
Windows 2008 R2 introduced the Administrative Center and more security enhancements
The new Administrative Center was voted as offering the most benefit to organizations
Security features such as Managed Service Accounts, Fine-Grained Password Policies, and Authentication Mechanism Assurance also scored high.
- Administrative Center: Saves time with a task-oriented interface and features such as a welcome page that remembers your common tasks.
- Managed Service Accounts: Automated password management and improved service principal name (SPN) management make it easier to isolate key shared applications.
- Fine-Grained Password Policies: Allow multiple password policies without having to create multiple domains.
- Authentication Mechanism Assurance: Provides the means to apply greater restrictions when users log in from a personal device.
Scores based on feature rankings in an Info-Tech survey. N=84
For more details on these features, including special considerations, see Appendix B: New Active Directory Features. In addition, there have been several group policy enhancements, as described in the Microsoft article "What's New in Group Policy for Windows 7 and Windows Server 2008 R2".
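A Fine-Grained Password Policy doing the job that previously needed a second domain, a stricter password and lockout policy for privileged accounts only, as an added example (not the deck's own code). The policy name, values and target group are constructed; it assumes the ActiveDirectory module from Windows Server 2008 R2 and a domain functional level of Windows Server 2008 or higher.

```powershell
# Added example: one domain, two password policies. The PSO name, its
# values and the subject group are constructed. Requires the 2008 R2
# ActiveDirectory module; FGPP needs domain functional level 2008+.
Import-Module ActiveDirectory

# DomainMode enum: 0 = 2000, 2 = 2003, 3 = 2008, 4 = 2008 R2.
$domain = Get-ADDomain
if ([int]$domain.DomainMode -lt 3) {
    throw "Fine-Grained Password Policies need domain functional level 2008 or higher (current: $($domain.DomainMode))."
}

# The Default Domain Policy keeps governing ordinary users; this PSO
# overrides it for members of the subject group only. Lower Precedence
# wins if a user ends up covered by more than one PSO.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true

# PSOs attach to users and global security groups, never to OUs, which
# is why the group-based organisation recommended earlier matters here.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' `
    -Subjects 'Domain Admins'

# Verify the resultant policy for one privileged account (constructed name).
Get-ADUserResultantPasswordPolicy -Identity 'admin.jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```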
Although the new Active Directory features are significant, they do not justify a migration on their own for most companies
- Many companies have deferred migrating to 2008 or 2008 R2 because their Windows 2003 DCs continue to meet their needs and are compatible with most Windows 2008-based applications and systems.
- Over 80% of survey respondents indicated "Standardizing on Windows 2008" among their reasons to migrate their AD.
- Although the new AD features also scored high, only 2% of respondents selected that as the only reason to migrate.
- As more companies begin to plan a Windows 7 rollout, the Windows 7 functionality supported by AD is also becoming a motivating factor.
- Similarly, a need to restructure the AD environment or refresh DCs provides a reason to migrate.
Source: Info-Tech survey. N=98
Wait for opportunities to migrate, such as a project that requires 2008 functionality or an infrastructure upgrade
"I like the compatibility with Windows 7, and the additional group policy settings." - IT Manager, Marketing Company
Use the Active Directory Migration Readiness Assessment Tool to determine when, how, and if you are ready to migrate
- This tool will identify whether to migrate, based on your needs and opportunity, and recommend a migration method (in-place, transition, or restructure).
- The tool will ask you to indicate the following:
  - Critical needs for the new AD features.
  - Projects underway that would require 2008/2008 R2 AD.
  - Your current OS.
  - Whether you plan to move to new servers.
  - Whether your current AD structure is in need of an overhaul.
Download the Active Directory Migration Readiness Assessment Tool
Migrating to Windows 2008 R2 Active Directory
Once you have decided to migrate, choose the migration method that fits your circumstances
- Three migration methods are available, which depend partly on the source server:
  - In-Place Upgrade (stay on the existing server)
  - Transitioning (maintaining the existing structure while migrating to a new server)
  - Restructuring (building a new AD environment on new servers)
2003 to 2008 R2
- In-Place Upgrade: Must be an x64-based Windows Server 2003 (R2).
- Transition and Restructuring: Available for x86- or x64-based Windows 2003 systems.
2000 to 2008 R2
- In-Place Upgrade: The hardware must be compatible with Windows 2008 R2. If the 2008 R2 requirements are met, then ensure you are at 2000 SP4, upgrade to 2003 R2, and then to 2008 R2.
- Transition and Restructuring: Both are available options as long as the existing server is running at least Windows 2000 native.
NT to 2008 R2
- You must perform an in-place upgrade to either Windows 2000 SP4 or 2003 R2. After that, follow the guidelines above for 2000 or 2003 to 2008 R2 accordingly.
The general workflows described in this section also apply to migration to Windows 2008 (R1), with the exception of system requirements specific to 2008 R2 (e.g., R1 can be 32- or 64-bit).
Make extensive use of Microsoft resources to ensure a successful migration
- An Info-Tech survey found that using third-party consultants had no impact on migration success. Use the available online resources to help you execute a successful migration.
- Among respondents who have completed a migration to 2008 AD:
  - Over 70% reported no unexpected delays, user interruption, or network disruption.
  - Only 28% used third-party consultants. Those who used consultants had the same success rate as those who did not.
[Figure: Distribution of Success Scores by Third-Party Consultant Usage. X-axis: Migration Success Score (0 to 100); y-axis: Frequency (Low to High).]
Source: Info-Tech survey. N=35
Regardless of migration method, always back up DCs and assess your environment for 2008 R2 compatibility before you begin
"Our biggest lesson learned was that we didn't do a good job of documenting the customized settings. We will now for next time." - Server Systems Administrator, Government Agency
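The backup and compatibility checks the slide calls for, as an added example that is not part of the original deck. It assumes a Windows Server 2003 source DC with PowerShell and the Support Tools installed, the 2008 R2 media mounted on D:, a backup volume E: and a constructed domain DN.

```powershell
# Added example: pre-migration checks common to all three methods, run
# on an existing 2003 DC. Drive letters and the domain DN are constructed.

# 1. System state backup of every DC before anything else. ntbackup is
#    the 2003 tool; on a 2008 DC the equivalent is
#    wbadmin start systemstatebackup -backupTarget:E: -quiet
ntbackup backup systemstate /j "Pre-2008R2-migration" /f "E:\Backups\systemstate.bkf"

# 2. Health and replication must be clean before the schema is touched;
#    a schema extension on top of replication errors spreads inconsistently.
dcdiag /q                      # errors only
repadmin /replsummary
repadmin /showrepl * /errorsonly

# 3. Record the current functional levels from rootDSE (no module needed):
#    0 = 2000, 2 = 2003, 3 = 2008, 4 = 2008 R2.
$rootDse = [ADSI]'LDAP://RootDSE'
"Domain level: $($rootDse.domainFunctionality)  Forest level: $($rootDse.forestFunctionality)"

# 4. Find the FSMO role holders: forestprep must run on the schema master,
#    domainprep on each domain's infrastructure master.
netdom query fsmo

# 5. Extend the schema from the 2008 R2 media (support\adprep). The media
#    also carries adprep32.exe for a 32-bit 2003 schema master.
D:\support\adprep\adprep.exe /forestprep
# Let forestprep replicate forest-wide, then on the infrastructure master:
D:\support\adprep\adprep.exe /domainprep /gpprep
# Only when read-only DCs are planned:
D:\support\adprep\adprep.exe /rodcprep

# 6. Confirm every DC shows the 2008 R2 schema (objectVersion 47) before
#    promoting the first 2008 R2 DC. Replace the DN with your own.
repadmin /showattr * 'CN=Schema,CN=Configuration,DC=corp,DC=example' /atts:objectVersion
```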
In-Place Upgrade offers the cheapest, but also the riskiest and least beneficial, migration
In-Place Upgrade: Preparation and upgrade steps
- Microsoft provides several online resources to assist with this procedure. Below are the high-level steps.
Transitioning provides a safe migration path plus the benefits of either new hardware or a move to virtualization
Transitioning: Preparation and migration steps
- As with the In-Place Upgrade, Microsoft provides several online resources to assist with this procedure. Below are the high-level steps.
Transitioning: Post-migration steps
- To begin taking advantage of the new 2008 and 2008 R2 features, follow the steps below.
Use Restructuring when your current environment is sub-optimal to the point where starting from scratch is the best recourse
- Restructuring will add time to the migration; however, if a restructure is required, it's also an opportunity to start over in a clean environment.
Restructuring: Preparation, migration, and post-migration steps
- Microsoft provides an Active Directory Migration Tool (ADMT) to facilitate this process.
If you are considering virtual DCs, use a combination of physical and virtual DCs to meet performance demands
- While virtualization enables hardware cost savings, it is not ideal for Domain Controllers.
Summary
- When creating your AD environment, use a single forest and single domain design unless there are strong business or technical reasons for multiple forests or domains.
- Use groups rather than OUs to organize users and facilitate applying group policies. Use OUs when you need to delegate administration.
- The new 2008 R2 Administrative Center centralizes and streamlines administration. Key security enhancements include Managed Service Accounts, Fine-Grained Password Policies, and Authentication Mechanism Assurance.
- Although the new features are significant, they do not warrant a migration project for most companies. Instead, wait for opportunities to migrate as part of another project, such as a Windows 7 rollout or an overall mandate to standardize on 2008/2008 R2.
- Once the migration decision is made, use the available online resources to help you execute a successful migration. The use of third-party consultants does not improve the success rate.
Appendix A: Active Directory Planning and Design Resources
- Info-Tech Resources on Planning and Design
  - Efficient Active Directory Deployments Require Significant Planning
  - Active Directory Topology: Seeing the Trees in the Forest
  - Active Directory Topology: Cultivating Forests
  - Active Directory Topology: Dividing by Domains
  - Delegated Administration is the Role of Organizational Units
- Additional Microsoft Resources on AD Design
  - Best Practice Active Directory Design for Managing Windows Networks
  - Achieving Autonomy and Isolation with Forests, Domains, and Organizational Units
  - How Active Directory Replication Topology Works
  - What's New in Group Policy for Windows 7 and Windows Server 2008 R2
Appendix B: New Active Directory Features
- This section describes the following new 2008 and 2008 R2 features, in the order that they ranked in the Info-Tech survey in terms of offering the most benefit to the organization:
  - Administrative Center
  - Managed Service Accounts
  - Fine-Grained Password Policies
  - Authentication Mechanism Assurance
  - Windows 7 Enhancements
  - Best Practices Analyzer
  - Read-Only Domain Controllers
  - Database Mounting Tool
  - Module for PowerShell
  - Recycle Bin
- Also described in this appendix:
  - Auditing Enhancements
  - Owner Rights
  - Management Pack
  - Restartable Active Directory Domain Services
  - Web Services
Scores based on feature rankings in an Info-Tech survey. N=84
New Administrative Center streamlines administration
Managed Service Accounts simplify locking down key shared applications
Fine-Grained Password Policies feature enables multiple password and lockout policies per domain
Authentication Mechanism Assurance strengthens security against personal devices
Remote Windows 7 users gain seamless connectivity and improved file access speed
Best Practices Analyzer identifies Active Directory configuration issues
Read-Only Domain Controllers (RODCs) provide a security option for less-secure locations
Database Mounting Tool expedites the recovery process
PowerShell saves administration time through task automation
Recycle Bin undo simplifies recovery from accidental deletions
Additional security and workflow features include Auditing and Restartable Domain Services
- Auditing Enhancements
  - Enables you to specify which operations to audit and include in the security log.
  - For more details, see "AD DS Auditing" (Microsoft TechNet).
- Owner Rights
  - Enables you to specify Owner Rights to override default access rights.
  - For more details, see "AD DS Owner Rights" (Microsoft TechNet).
- Management Pack
  - Monitors computer and software states to assess availability and performance.
  - For more details, see "Active Directory Federation Services Management Pack Readme" (Microsoft TechNet).
- Restartable Active Directory Domain Services
  - Provides the ability to stop and start AD Domain Services to perform tasks such as security updates without having to restart the DC server.
  - For more details, see "AD DS: Restartable Active Directory Domain Services" (Microsoft TechNet).
- Web Services
  - Provides a Web service interface to AD domains and AD LDS instances.
  - For more details, see "What's New in AD DS: Active Directory Web Services" (Microsoft TechNet).
Appendix C: Research Demographics
Info-Tech conducted a survey to generate the data needed to create this research. The following are graphs depicting the demographic information of those who participated in the survey.