Develop an Up-to-Date Active Directory Strategy, and Implement
PowerPoint presentation by Info-Tech Research Group (transcript and presenter's notes follow)

1
Develop an Up-to-Date Active Directory Strategy, and Implement

2
Active Directory Strategy and Migration
Active Directory (AD) is a network security
solution included in Windows Server operating
systems. AD provides user authentication, manages
access to network resources, and can be used to
deploy software. To facilitate security and
administration, AD enables companies to organize
users and systems on the network into a tree-like
hierarchical structure. Windows 2008 and 2008 R2
introduced significant AD security and
administration enhancements. The migration to a
2008 platform will be inevitable as earlier OSs
no longer meet IT requirements or reach
end-of-life. The questions are when to migrate
and what the migration best practices are.
Those who should read this:
  • Clients looking to improve their Active Directory
    structure
  • Clients evaluating Windows Server 2008 R2 Active
    Directory
  • Clients planning/executing a migration to Windows
    Server 2008 R2

At the end, you will have:
  • An optimal Active Directory structure for your
    environment.
  • An understanding of what's new in 2008 R2 Active
    Directory.
  • The criteria required to decide when, and if, to
    migrate to 2008 R2.
  • Migration best practices.

Info-Tech Research Group
3
Executive Summary
  • Many organizations have sub-optimal AD structures
    that are focused more on organizational hierarchy
    or political motivators leading to unnecessary
    complexity and higher administration costs.
  • A single forest and single domain is best for
    most small or mid-sized companies.
  • Introduce multiple forests or domains only when
    there are justifiable legal, business, or
    technical needs to isolate parts of the
    organization or grant autonomy.
  • A key decision facing organizations is when to
    migrate to Windows 2008 R2 AD. Although the new
    security and administration features are
    significant, by themselves they do not warrant a
    migration project.
  • Wait for opportunities to migrate as part of
    another project, such as a hardware refresh or an
    overall mandate to standardize on Windows 2008 or
    2008 R2.
  • Companies that take full advantage of online
    Microsoft resources have good success with
    migration and do not need third-party
    consultants or tools.

4
Active Directory Introduction, Planning, and
Design
5
Use Active Directory to organize your network,
facilitate administration, and in some cases
isolate resources
  • Active Directory's primary purpose is
    authenticating users logging on to the network
    and granting access rights. AD uses the concept
    of containers to organize users and computers
    into a hierarchical framework to facilitate
    administration or isolate resources.

6
Optimize the replication topology to reduce the
need for regional domains or more expensive WAN
links
The Domain Controller (DC) servers hold the AD
configuration settings and user credentials. The
DC databases are replicated to every other DC in
the domain to allow authentication and
administration to take place at any location.
This generates significant network
traffic. Creating regional domains is one way to
reduce cross-country replication traffic, but it is
often not necessary if you can optimize the
replication topology.
  • Replication Topology: The network connections
    that enable DCs to be replicated to all other
    DCs.
  • Knowledge Consistency Checker (KCC): Creates the
    replication topology based on the best available
    connections between DCs.
  • Sites: Each location can be identified as a
    site to optimize network traffic between
    locations as follows:
  • Authentication and service requests are directed
    to the closest DC.
  • While the KCC will define the replication
    topology within a site, you define the links
    between sites to minimize WAN traffic. For
    example, funnel the replication through a central
    site to minimize east-west traffic, as shown in
    the diagram.

Single domain with three locations/sites. DC
servers in each location allow for local
authentication. Cross-country replication traffic
is funneled through DCs in a central site.
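The hub-and-spoke site design in the diagram, expressed as an added PowerShell example (not part of the Info-Tech deck). It assumes the ActiveDirectory module's replication cmdlets (Windows Server 2012 or later, or matching RSAT), Domain Admin rights, and made-up site names, subnets and DC names.

```powershell
# Added example (not part of the Info-Tech deck): build the three-site,
# single-domain topology from the diagram above as a hub-and-spoke of site
# links, so inter-site replication is funneled through the Central site.
# Assumptions: the ActiveDirectory module's replication cmdlets (Windows
# Server 2012 or later / matching RSAT), Domain Admin rights, and the
# made-up site names, subnets and DC names below.
Import-Module ActiveDirectory

# Hypothetical sites and their subnets. In a new forest, the first DC sits in
# Default-First-Site-Name; rename that site to 'Central' (Rename-ADObject)
# rather than creating an empty second hub site.
$sites = @{
    'Central' = '10.10.0.0/16'
    'West'    = '10.20.0.0/16'
    'East'    = '10.30.0.0/16'
}

foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    # The subnet-to-site mapping is what lets clients find the closest DC.
    $subnet = $sites[$name]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $name
    }
}

# One site link per spoke, each containing only that spoke and the hub.
# Because Central hosts DCs for the domain, the KCC's inter-site topology
# generator takes the lowest-cost path West -> Central -> East, so the
# Central bridgehead DCs forward changes and no connection runs West <-> East.
foreach ($spoke in 'West', 'East') {
    $linkName = "$spoke-Central"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName `
            -SitesIncluded $spoke, 'Central' `
            -Cost 100 `
            -ReplicationFrequencyInMinutes 15 `
            -InterSiteTransportProtocol IP
    }
}

# Move each location's DC into its site (hypothetical DC names), then verify
# that every link includes Central and none pairs West directly with East.
Move-ADDirectoryServer -Identity 'WEST-DC1' -Site 'West'
Move-ADDirectoryServer -Identity 'EAST-DC1' -Site 'East'
Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
```

After the KCC has run, `repadmin /showrepl` on a West DC should list only Central DCs as inter-site replication partners.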
7
Understand the concepts of administration,
isolation and autonomy to further assess the need
for multiple forests/domains
  • Restricting administrator access is the primary
    reason for isolation and autonomy.

8
Multiple forests and domains lead to greater
complexity and higher administration costs
Multiple forests and multiple autonomous domains
require dedicated administration teams,
increasing costs. The added complexity also
requires more administration effort.
  • Examples of costs due to multiple forests and
    domains include:
  • To achieve true isolation, each forest requires
    its own administration team.
  • Similarly, multiple domains created to
    achieve autonomy require their own administration
    teams.
  • Unless each forest or domain is completely
    independent (e.g., no shared resources and no
    users who require access to the other forest),
    multiple forests/domains typically require trust
    relationships to allow some access.
  • Group policy settings need to be duplicated in
    each domain.

"I don't want to create a separate domain and
give the local IT guy the keys to the kingdom
just because he wants to administer his own
users." (Senior Systems Administrator, National
Transportation Company)
9
Avoid politically motivated Active Directory
designs that lead to unnecessary multiple forests
or domains
Ensure your requirements for multiple forests or
domains are real business or technical needs.
Below are examples of potential needs

10
Further improve administration by using Groups
rather than OUs to organize users for the purpose
of applying group policies
The primary purpose of OUs is to delegate
administration, not to administer group policies.
  • It's not necessary to create an OU for each
    department if it serves no administrative
    purpose.
  • When it comes to organizing users and resources
    for the purpose of administering policies, use
    groups rather than OUs.
  • OUs demand exclusive membership, meaning a system
    allocated to one OU can't be allocated to
    another. A user that belongs to the Sales OU but
    has tasks requiring R&D systems would require the
    creation of a dedicated Sales/R&D hybrid OU to
    ensure that appropriate permissions exist.
  • Groups are non-exclusive, so our example user
    could be enrolled in both the Sales and R&D
    groups with no additional administration
    requirements.
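The Sales / R&D scenario above implemented with groups and GPO security filtering rather than a hybrid OU, as an added PowerShell example (not part of the Info-Tech deck). It assumes the ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 or later), Domain Admin rights, and made-up group, user, OU and GPO names.

```powershell
# Added example (not part of the Info-Tech deck): one user in one OU but in
# two groups, with each group policy filtered to its group, so no
# "Sales/R&D hybrid" OU is ever needed.
# Assumptions: ActiveDirectory and GroupPolicy modules (2008 R2 or later),
# Domain Admin rights, and the hypothetical names below.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example,DC=com
$groupsOU = "OU=Groups,$domainDN"              # hypothetical OU; must already exist

# Two global security groups. Group membership is non-exclusive.
foreach ($g in 'Sales', 'RandD') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $groupsOU
    }
}

# 'jdoe' (hypothetical) stays in the OU of the site that administers the
# account, yet belongs to BOTH groups.
Add-ADGroupMember -Identity 'Sales' -Members 'jdoe'
Add-ADGroupMember -Identity 'RandD' -Members 'jdoe'

# One GPO per policy set, linked once at the domain root so it reaches every
# location's OU, then security-filtered so only the intended group applies it.
$policies = @{ 'Sales Settings' = 'Sales'; 'R&D Settings' = 'RandD' }
foreach ($gpoName in $policies.Keys) {
    try   { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop }
    catch { $gpo = New-GPO -Name $gpoName }
    try   { New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes -ErrorAction Stop | Out-Null }
    catch { }   # link already exists

    # Replace the default "Authenticated Users: Apply" with Read only. Keep Read:
    # since MS16-072 computers must be able to read user GPOs, or the user
    # settings silently stop applying.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    # Grant Apply to the one group this policy is for.
    Set-GPPermission -Name $gpoName -TargetName $policies[$gpoName] -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# Check: jdoe is in both groups, so both GPOs apply; a Sales-only user gets
# only "Sales Settings". (On 2008 R2 the cmdlet is named Set-GPPermissions.)
Get-ADPrincipalGroupMembership -Identity 'jdoe' | Select-Object -ExpandProperty Name
Get-GPPermission -Name 'R&D Settings' -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

`gpresult /r` run as jdoe should list both GPOs under "Applied Group Policy Objects" while a Sales-only user sees "R&D Settings" filtered out under "Security".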

11
Case Study: Use a single forest and single domain
design to streamline administration complexity
and costs
  • Many organizations, large and small, have a
    single forest and domain, and instead use
    organizational units to subdivide administration.

AD Design Explanation
  • Single forest, single domain, so no domain trust
    relationships are required.
  • Each location has its own local administrator, so
    they are set up as separate OUs.
  • DC replication is funneled through the central
    location to minimize cross-country traffic.
  • A single set of Sales and Management group
    policies can be applied to users in all locations
    because they are all in the same domain.

12
Case Study: Create a separate forest to address
isolation needs
  • The west coast facility has dealings with the
    military. To meet security requirements, the
    location must be isolated.

AD Design Explanation
  • The west coast location is set up as a separate
    forest with its own domain.
  • A one-way trust enables the west coast facility
    to access east coast resources, but reverse
    access is not permitted.
  • Each location has its own local administrator, so
    they are set up as separate OUs.
  • Sales and Management groups and policies must be
    duplicated in each forest/domain.

13
Use this flowchart to determine Active Directory
design requirements
  • Follow the steps below to determine whether you
    need a dedicated (separate) forest, domain or
    organizational unit to address organizational
    needs.
  • Identify potential needs in your organization for
    isolation, autonomy, or delegating
    administration.
  • For each need, follow the flowchart to identify
    structure requirements.
  • Diagram the resulting structure and confirm that
    it meets your overall needs while avoiding
    unnecessary complexity.

For more information on AD design, see Appendix
A: Active Directory Planning and Design Resources.
14
What's new in Windows 2008 R2 Active Directory
15
Windows 2008 (R1) added security enhancements
such as Fine-Grained Password Policies and
Read-Only Domain Controllers
16
Windows 2008 R2 introduced the Administrative
Center and more security enhancements
17
The new Administrative Center was voted as
offering the most benefit to organizations
Security features such as Managed Service
Accounts, Fine-Grained Password Policies, and
Authentication Mechanism Assurance also scored
high.
  • Administrative Center: Saves time with a
    task-oriented interface and features such as a
    welcome page that remembers your common tasks.
  • Managed Service Accounts: Automated password
    management and improved service principal name
    (SPN) management make it easier to isolate key
    shared applications.
  • Fine-Grained Password Policies: Allow for
    multiple password policies without having to
    create multiple domains.
  • Authentication Mechanism Assurance: Provides the
    means to apply greater restrictions when users
    log in from a personal device.

Scores based on feature rankings in an Info-Tech
survey. N=84.
For more details on these features, including
special considerations, see Appendix B: New
Active Directory Features. In addition, there
have been several group policy enhancements, as
described in the Microsoft article "What's New in
Group Policy for Windows 7 and Windows Server
2008 R2."
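Fine-Grained Password Policies in practice, as an added PowerShell example (not part of the Info-Tech deck): two password/lockout policies in a single domain, which before Windows Server 2008 would have required a domain per policy. It assumes the ActiveDirectory module (2008 R2 or later), Domain Admin rights, a domain functional level of Windows Server 2008 or higher, and made-up policy, group and user names.

```powershell
# Added example (not part of the Info-Tech deck): two Fine-Grained Password
# Policies (Password Settings Objects, PSOs) in one domain.
# Assumptions: ActiveDirectory module (2008 R2 or later), Domain Admin rights,
# domain functional level Windows Server 2008 or higher, and the hypothetical
# policy, group and user names below.
Import-Module ActiveDirectory

# PSOs exist only at 2008 DFL and above; fail early otherwise.
$domain = Get-ADDomain
if ($domain.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Fine-Grained Password Policies need Windows Server 2008 DFL; current: $($domain.DomainMode)"
}

# Settings shared by both PSOs.
$common = @{
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 24
    MinPasswordAge              = '1.00:00:00'    # one day
    LockoutObservationWindow    = '00:30:00'
    LockoutDuration             = '00:30:00'
}

# Hypothetical PSOs: strict for privileged users, moderate for contractors.
# Lower Precedence wins when a user is covered by several PSOs. PSOs can be
# applied to users and GLOBAL SECURITY GROUPS only, never to OUs, which is
# one more reason to organize people by group rather than by OU.
$psos = @(
    @{ Name = 'PSO-Privileged';  Precedence = 10; MinPasswordLength = 15; MaxPasswordAge = '60.00:00:00'; LockoutThreshold = 5;  Subject = 'Tier0-Admins' }
    @{ Name = 'PSO-Contractors'; Precedence = 20; MinPasswordLength = 12; MaxPasswordAge = '90.00:00:00'; LockoutThreshold = 10; Subject = 'Contractors'  }
)

foreach ($p in $psos) {
    $subject = $p.Subject
    $p.Remove('Subject')    # not a New-ADFineGrainedPasswordPolicy parameter
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Name)'")) {
        New-ADFineGrainedPasswordPolicy @p @common
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $subject
}

# Verify the effective policy for a member of Tier0-Admins (hypothetical user).
# No output means no PSO applies and the Default Domain Policy is in effect.
Get-ADUserResultantPasswordPolicy -Identity 'alice.admin' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```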
18
Although the new Active Directory features are
significant, they do not justify a migration on
their own for most companies
  • Many companies have deferred migrating to 2008 or
    2008 R2 because their Windows 2003 DCs continue
    to meet their needs and are compatible with most
    Windows 2008-based applications and systems.
  • Over 80% of survey respondents indicated
    "Standardizing on Windows 2008" among their
    reasons to migrate their AD.
  • Although the new AD features also scored high,
    only 2% of respondents selected that as the only
    reason to migrate.
  • As more companies begin to plan a Windows 7
    rollout, the Windows 7 functionality supported by
    AD is also becoming a motivating factor.
  • Similarly, a need to restructure the AD
    environment or refresh DCs provides a reason to
    migrate.

Source: Info-Tech survey. N=98.
19
Wait for opportunities to migrate, such as a
project that requires 2008 functionality or an
infrastructure upgrade

"I like the compatibility with Windows 7, and the
additional group policy settings." (IT Manager,
Marketing Company)
20
Use the Active Directory Migration Readiness
Assessment Tool to determine when, how, and
if you are ready to migrate
  • This tool will identify whether to migrate, based
    on your needs and opportunity, and recommend a
    migration method (in-place, transition, or
    restructure).
  • The tool will ask you to indicate the following:
  • Critical needs for the new AD features.
  • Projects underway that would require 2008/2008 R2
    AD.
  • Your current OS.
  • Whether you plan to move to new servers.
  • Whether your current AD structure is in need of an
    overhaul.

Download the Active Directory Migration
Readiness Assessment Tool.
21
Migrating to Windows 2008 R2 Active Directory
22
Once you have decided to migrate, choose the
migration method that fits your circumstances
  • Three migration methods are available, which
    depend partly on the source server:
  • In-Place Upgrade (stay on the existing server)
  • Transitioning (maintaining the existing structure
    while migrating to a new server)
  • Restructuring (building a new AD environment on
    new servers)

2003 to 2008 R2
  • In-Place Upgrade: Must be an x64-based Windows
    Server 2003 (R2).
  • Transition and Restructuring: Available for x86-
    or x64-based Windows 2003 systems.

2000 to 2008 R2
  • In-Place Upgrade: The hardware must be compatible
    with Windows 2008 R2. If the 2008 R2 requirements
    are met, ensure you are at 2000 SP4, upgrade
    to 2003 R2, and then to 2008 R2.
  • Transition and Restructuring: Both are available
    options as long as the existing server is running
    at least Windows 2000 native mode.

NT to 2008 R2
  • You must perform an in-place upgrade to either
    Windows 2000 SP4 or 2003 R2. After that, follow
    the guidelines above for 2000 or 2003 to 2008 R2
    accordingly.

The general workflows described in this section
also apply to migration to Windows 2008 (R1),
with the exception of system requirements
specific to 2008 R2 (e.g., R1 can be 32- or
64-bit).
23
Make extensive use of Microsoft resources to
ensure a successful migration
  • An Info-Tech survey found that using third-party
    consultants had no impact on migration success.
    Use the available online resources to help you
    execute a successful migration.
  • Among respondents who have completed a migration
    to 2008 AD:
  • Over 70% reported no unexpected delays, user
    interruption, or network disruption.
  • Only 28% used third-party consultants. Those who
    used consultants had the same success rate as
    those who did not.

Chart: Distribution of Success Scores by Third-Party
Consultant Usage (x-axis: Migration Success Score,
0 to 100; y-axis: Frequency, Low to High).
Source: Info-Tech survey. N=35.
24
Regardless of migration method, always back up
DCs and assess your environment for 2008 R2
compatibility before you begin

"Our biggest lesson learned was that we didn't do
a good job of documenting the customized
settings. We will now for next time." (Server
Systems Administrator, Government Agency)
25
In-Place Upgrade offers the cheapest, but also
the riskiest and least beneficial migration
26
In-Place Upgrade: Preparation and upgrade steps
  • Microsoft provides several online resources to
    assist with this procedure. Below are the
    high-level steps.

27
Transitioning provides a safe migration path plus
the benefits of either new hardware or a move to
virtualization
28
Transitioning: Preparation and migration steps
  • As with the In-Place Upgrade, Microsoft provides
    several online resources to assist with this
    procedure. Below are the high-level steps.

29
Transitioning: Post-migration steps
  • To begin taking advantage of the new 2008 and
    2008 R2 features, follow the steps below.

30
Use Restructuring when your current environment
is sub-optimal to the point where starting from
scratch is the best recourse
  • Restructuring will add time to the migration;
    however, if a restructure is required, it's also
    an opportunity to start over in a clean
    environment.

31
Restructuring: Preparation, migration, and
post-migration steps
  • Microsoft provides an Active Directory Migration
    Tool (ADMT) to facilitate this process.

32
If you are considering virtual DCs, use a
combination of physical and virtual DCs to meet
performance demands
  • While virtualization enables hardware cost
    savings, it is not ideal for Domain Controllers.

33
Summary
  • When creating your AD environment, use a single
    forest and single domain design unless there are
    strong business or technical reasons for multiple
    forests or domains.
  • Use groups rather than OUs to organize users and
    facilitate applying group policies. Use OUs when
    you need to delegate administration.
  • The new 2008 R2 Administrative Center centralizes
    and streamlines administration. Key security
    enhancements include Managed Service Accounts,
    Fine-Grained Password Policies, and
    Authentication Mechanism Assurance.
  • Although the new features are significant, they
    do not warrant a migration project for most
    companies. Instead wait for opportunities to
    migrate as part of another project, such as a
    Windows 7 rollout or overall mandate to
    standardize on 2008/2008 R2.
  • Once the migration decision is made, use the
    available online resources to help you execute a
    successful migration. The use of third-party
    consultants does not improve the success rate.

34
Appendix A: Active Directory Planning and Design
Resources
  • Info-Tech Resources on Planning and Design:
  • Efficient Active Directory Deployments Require
    Significant Planning
  • Active Directory Topology: Seeing the Trees in
    the Forest
  • Active Directory Topology: Cultivating Forests
  • Active Directory Topology: Dividing by Domains
  • Delegated Administration is the Role of
    Organizational Units
  • Additional Microsoft Resources on AD Design:
  • Best Practice Active Directory Design for
    Managing Windows Networks
  • Achieving Autonomy and Isolation with Forests,
    Domains, and Organizational Units
  • How Active Directory Replication Topology Works
  • What's New in Group Policy for Windows 7 and
    Windows Server 2008 R2

35
Appendix B: New Active Directory Features
  • This section describes the following new 2008 and
    2008 R2 features in the order that they ranked in
    the Info-Tech survey in terms of offering the
    most benefit to the organization:
  • Administrative Center
  • Managed Service Accounts
  • Fine-Grained Password Policies
  • Authentication Mechanism Assurance
  • Windows 7 Enhancements
  • Best Practices Analyzer
  • Read-Only Domain Controllers
  • Database Mounting Tool
  • Module for PowerShell
  • Recycle Bin
  • Also described in this appendix:
  • Auditing Enhancements
  • Owner Rights
  • Management Pack
  • Restartable Active Directory Domain Services
  • Web Services

Scores based on feature rankings in an Info-Tech
survey. N=84.
36
New Administrative Center streamlines
administration
37
Managed Service Accounts simplify locking down
key shared applications
38
The Fine-Grained Password Policies feature enables
multiple password and lockout policies per domain
39
Authentication Mechanism Assurance strengthens
security against personal devices
40
Remote Windows 7 users gain seamless connectivity
and improved file access speed
41
Best Practices Analyzer identifies Active
Directory configuration issues
42
Read-Only Domain Controllers (RODCs) provide a
security option for less-secure locations
43
Database Mounting Tool expedites the recovery
process
44
PowerShell saves administration time through task
automation
45
Recycle Bin Undo simplifies recovery from
accidental deletions

46
Additional security and workflow features include
Auditing and Restartable Domain Services
  • Auditing Enhancements
  • Enables you to specify which operations to audit
    and include in the security log.
  • For more details, see AD DS Auditing (Microsoft
    TechNet).
  • Owner Rights
  • Enables you to specify Owner Rights to override
    default access rights.
  • For more details, see AD DS Owner Rights
    (Microsoft TechNet).
  • Management Pack
  • Monitors computer and software states to assess
    availability and performance.
  • For more details, see Active Directory Federation
    Services Management Pack Readme (Microsoft
    TechNet).
  • Restartable Active Directory Domain Services
  • Provides the ability to stop and start AD Domain
    Services to perform tasks such as security
    updates without having to restart the DC server.
  • For more details, see AD DS Restartable Active
    Directory Domain Services (Microsoft TechNet).
  • Web Services
  • Provides a Web service interface to AD domains
    and AD LDS instances.
  • For more details, see What's New in AD DS Active
    Directory Web Services (Microsoft TechNet).

47
Appendix C: Research Demographics
Info-Tech conducted a survey to generate the data
needed to create this research. The following are
graphs depicting the demographic information of
those who participated in the survey.