Practical IT Research that Drives Measurable Results Develop an Up-to-Date Active Directory Strategy, and Implement.

Active Directory Strategy and Migration

Active Directory (AD) is a network security solution included in Windows Server operating systems. AD provides user authentication, manages access to network resources, and can be used to deploy software. To facilitate security and administration, AD enables companies to organize users and systems on the network into a tree-like hierarchical structure.

Windows 2008 and 2008 R2 introduced significant AD security and administration enhancements. The migration to a 2008 platform will be inevitable as earlier operating systems no longer meet IT requirements or reach end-of-life. The questions are: when to migrate, and what are the migration best practices?

Those who should read this:
- Clients looking to improve their Active Directory structure
- Clients evaluating Windows Server 2008 R2 Active Directory
- Clients planning or executing a migration to Windows Server 2008 R2

At the end, you will have:
- An optimal Active Directory structure for your environment.
- An understanding of what's new in 2008 R2 Active Directory.
- The criteria required to decide when, and if, to migrate to 2008 R2.
- Migration best practices.

Executive Summary

Many organizations have sub-optimal AD structures that are focused more on organizational hierarchy or political motivators, leading to unnecessary complexity and higher administration costs. A single forest and single domain is best for most small or mid-sized companies. Introduce multiple forests or domains only when there are justifiable legal, business, or technical needs to isolate parts of the organization or grant autonomy.

A key decision facing organizations is when to migrate to Windows 2008 R2 AD. Although the new security and administration features are significant, by themselves they do not warrant a migration project. Wait for opportunities to migrate as part of another project, such as a hardware refresh or an overall mandate to standardize on Windows 2008 or 2008 R2.

Companies that take full advantage of online Microsoft resources have good success with migration, and do not need third-party consultants or tools.

Active Directory Introduction, Planning, and Design

Deck outline:
- Planning and Design: About Active Directory; Best Practices for Design
- What's New in 2008 R2: Feature Descriptions; Feature Rankings; Migration Decision
- Migrating to 2008 R2: Preparing for Migration; Migration Workflow

Use Active Directory to organize your network, facilitate administration, and in some cases isolate resources

Active Directory's primary purpose is authenticating users logging on to the network and granting access rights. AD uses the concept of containers to organize users and computers into a hierarchical framework to facilitate administration or isolate resources.

Container: Description
- Forest: The top of the AD hierarchy; it provides a boundary between the organization's network and external networks. Multiple forests are required only if parts of the organization must be completely isolated from each other.
- Domain: Domains provide administrative and network boundaries within a forest. A forest requires at least one domain and may be divided into multiple domains. Each domain contains at least one Domain Controller (DC) server, which holds the AD configuration settings and user credentials required for authentication. Access between domains can be accomplished where required through trust relationships.
- Organizational Units (OUs): OUs are optional. They are used to divide the domain into smaller units to facilitate or delegate administration.
- Groups: Groups are not a subset of OUs, but are a way to organize users within a domain for the purpose of applying group policies and permissions. Software can also be deployed based on group membership. Group policies cannot cross domains, so they must be duplicated when there are multiple domains.

Optimize the replication topology to reduce the need for regional domains or more expensive WAN links

The Domain Controller (DC) servers hold the AD configuration settings and user credentials. The DC databases are replicated to every other DC in the domain to allow authentication and administration to take place at any location. This generates significant network traffic. Creating regional domains is one way to reduce cross-country replication traffic, but it is often not necessary if you can optimize the replication topology.

- Replication Topology: The network connections that enable DCs to be replicated to all other DCs.
- Knowledge Consistency Checker (KCC): Creates the replication topology based on the best available connections between DCs.
- Sites: Each location can be identified as a "site" to optimize network traffic between locations as follows:
  - Authentication and service requests are directed to the closest DC.
  - While the KCC will define the replication topology within a site, you define the links between sites to minimize WAN traffic. For example, funnel the replication through a central site to minimize east-west traffic, as shown in the diagram.

Diagram: single domain with three locations/sites. DC servers in each location allow for local authentication. Cross-country replication traffic is funneled through DCs in a central site.
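The following script is an added example, not code from the Info-Tech deck. It inventories the forest, domains, trusts, sites and site links described on the slides above so that you can see whether the topology actually matches the single-domain, hub-and-spoke design the deck recommends. It uses the .NET System.DirectoryServices.ActiveDirectory classes that ship with Windows (no RSAT module needed, so it also runs against 2003 and 2008 forests) and must run on a domain-joined machine; any authenticated domain user can read the configuration partition by default. Function and variable names are my own.

```powershell
# Added example (not from the Info-Tech deck): report the forest/domain/site topology.
Add-Type -AssemblyName System.DirectoryServices

function Get-ForestTopologyReport {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $out = New-Object System.Collections.ArrayList

    [void]$out.Add("Forest: $($forest.Name)  (forest functional level: $($forest.ForestMode))")

    # Every additional domain is one more set of group policies to duplicate and,
    # if it exists for autonomy, one more administration team to fund.
    [void]$out.Add("Domains ($($forest.Domains.Count)):")
    foreach ($d in $forest.Domains) {
        $parent = if ($d.Parent) { $d.Parent.Name } else { '(forest root)' }
        [void]$out.Add("  $($d.Name)  DCs=$($d.DomainControllers.Count)  parent=$parent")
        # External/shortcut trusts hang off the domain object.
        foreach ($t in $d.GetAllTrustRelationships()) {
            [void]$out.Add("    trust -> $($t.TargetName)  type=$($t.TrustType)  direction=$($t.TrustDirection)")
        }
    }

    # Forest trusts mean users or resources are shared across the isolation
    # boundary; each one is a reason to ask whether the second forest is needed.
    $trusts = $forest.GetAllTrustRelationships()
    [void]$out.Add("Forest trusts ($($trusts.Count)):")
    foreach ($t in $trusts) {
        [void]$out.Add("  $($t.SourceName) -> $($t.TargetName)  type=$($t.TrustType)  direction=$($t.TrustDirection)")
    }

    # A site with no DC sends every logon across the WAN; a site with no subnet
    # never receives clients, because clients are mapped to sites by subnet.
    [void]$out.Add("Sites ($($forest.Sites.Count)):")
    $links = @{}
    foreach ($s in $forest.Sites) {
        $warn = ''
        if ($s.Servers.Count -eq 0) { $warn += '  [no DC in site: logons cross the WAN]' }
        if ($s.Subnets.Count -eq 0) { $warn += '  [no subnets: no client will map here]' }
        $subnetNames = ($s.Subnets | ForEach-Object { $_.Name }) -join ', '
        [void]$out.Add("  $($s.Name)  DCs=$($s.Servers.Count)  subnets=[$subnetNames]$warn")
        foreach ($l in $s.SiteLinks) { $links[$l.Name] = $l }   # de-duplicate by link name
    }

    # Site links are the part you configure by hand (the KCC only builds the
    # intra-site topology). A hub-and-spoke set of links, each joining one branch
    # site to the central site, funnels replication the way the slide's diagram shows.
    [void]$out.Add("Site links ($($links.Count)):")
    foreach ($l in $links.Values) {
        $members = ($l.Sites | ForEach-Object { $_.Name }) -join ' <-> '
        $minutes = [int]$l.ReplicationInterval.TotalMinutes
        [void]$out.Add("  $($l.Name)  cost=$($l.Cost)  interval=${minutes}min  sites: $members")
    }
    return $out
}

Get-ForestTopologyReport
```

Read the "Site links" section against the diagram: if a branch site is a member of links to several other branch sites, replication is meshed rather than funneled, and the cheaper fix is usually to remove those links (or raise their cost) rather than to carve out a regional domain.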

Understand the concepts of administration, isolation and autonomy to further assess the need for multiple forests/domains

Concept: Description
- Service Administrators: Manage the overall AD environment, including configuration settings and DC maintenance. Service administrators are, in effect, also data administrators since they have access to all systems.
- Data Administrators: Manage a subset of the AD environment – e.g., manage data and member computers.
- Isolation: Required when it's necessary to keep other administrators from viewing a subset of data or interfering with administration. For example, legal factors may require certain data or business units to be isolated. Isolation requires a separate forest since any other level (e.g., a domain) would fall under the supervision and control of a higher-level administrator.
- Autonomy: Required when part of the AD environment needs to be managed independently. Since autonomy rather than isolation is required, this need can be met with separate domains or potentially OUs, depending on the level of autonomy required.

Info-Tech Insight: Restricting administrator access is the primary reason for isolation and autonomy. Small and mid-sized organizations often have a single centralized administration team, so they have no requirement to create isolation or autonomy from other administrators.

Multiple forests and domains lead to greater complexity and higher administration costs

Multiple forests and multiple autonomous domains require dedicated administration teams, increasing costs. The added complexity also requires more administration effort. Examples of costs due to multiple forests and domains include:
- To achieve true isolation, each forest requires its own administration team. Similarly, multiple domains created to achieve autonomy require their own administration teams.
- Unless each forest or domain is completely independent — e.g., no shared resources and no users who require access to the other forest — multiple forests/domains typically require trust relationships to allow some access.
- Group policy settings need to be duplicated in each domain.

"I don't want to create a separate domain and give the local IT guy the keys to the kingdom just because he wants to administer his own users."
- Senior Systems Administrator, National Transportation Company

Avoid politically motivated Active Directory designs that lead to unnecessary multiple forests or domains

Ensure your requirements for multiple forests or domains are real business or technical needs. Below are examples of potential needs:

Organizational Need | Design Requirement | Recommendations
- For security or legal reasons, a data subset must be isolated | Isolation | This will require a separate forest to achieve isolation. Limit the number of forest administrators and members.
- Account for anticipated divestiture | Isolation | If you are certain that a division will be sold, you can simplify eventually splitting off that AD environment by setting it up as a separate forest.
- AD-related development projects | Isolation | Minimize the risk of developers inadvertently affecting the rest of the network by creating a separate forest for the development work.
- Multiple namespaces are required | Autonomy | A separate domain must be created for each DNS namespace.
- Administrative support for national or international locations | Autonomy or Administration Delegation | Regional domains can ease the administrative burden due to time zone and language issues. However, if autonomy is not required, and network bandwidth is not an issue, instead use regional organizational units to delegate administration and maintain a single forest, single domain design.

Further improve administration by using Groups rather than OUs to organize users for the purpose of applying group policies

It's not necessary to create an OU for each department if it serves no administrative purpose. When it comes to organizing users and resources for the purpose of administering policies, use groups rather than OUs:
- OUs demand exclusive membership, meaning a system allocated to one OU can't be allocated to another. A user that belongs to the Sales OU but has tasks requiring R&D systems would require the creation of a dedicated Sales/R&D hybrid OU to ensure that appropriate permissions exist.
- Groups are non-exclusive, so our example user could be enrolled in both the Sales and R&D groups with no additional administration requirements.
- Software can also be deployed based on group membership. Using the scenario above, if deploying software to the R&D group, the Sales staff who also perform R&D are included.

Info-Tech Insight: The primary purpose of OUs is to delegate administration, not to administer group policies.
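The script below is an added example and not part of the Info-Tech deck. It puts the two preceding slides into practice: the first function lists every OU in the domain with its linked GPO count and any non-default delegation ACEs, so an OU that has neither (the "OU per department that serves no administrative purpose" case) stands out, and an OU with delegations shows where the "regional OU" style of administration delegation from the earlier table is in use. The second function lists the members of one group broken down by the OU they live in, which makes the slide's point concrete: a group's members can sit in many OUs, so the Sales user who also does R&D needs no hybrid OU. A group applies a GPO through the GPO's security filtering; the GPO itself is linked to an OU, domain or site. It needs the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT) and read access to the domain; the function names, the built-in principal list and the group name 'R&D' are my own assumptions.

```powershell
# Added example (not from the Info-Tech deck): audit OUs for administrative purpose
# and show that group membership is independent of OU placement.
Import-Module ActiveDirectory

# Principals that hold explicit ACEs on every OU by default (from the schema's
# default security descriptor). Explicit ACEs for anyone else indicate that
# administration of the OU has been deliberately delegated. Assumed list; extend
# it if your domain's default descriptor has been customized.
function Test-DefaultOuPrincipal {
    param([string]$Identity)
    $builtins = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
                  'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
                  'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
                  'BUILTIN\Pre-Windows 2000 Compatible Access', 'Everyone')
    if ($builtins -contains $Identity) { return $true }
    # Domain-prefixed admin groups, e.g. CONTOSO\Domain Admins
    return ($Identity -match '\\(Domain Admins|Enterprise Admins|Key Admins|Enterprise Key Admins)$')
}

# One row per OU: linked GPOs, delegated principals, and a verdict. An OU with no
# linked GPO and no delegation does nothing that a group could not do instead.
function Get-OuAdministrativePurpose {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -Properties gPLink |
    ForEach-Object {
        $ou = $_
        # gPLink holds one "[LDAP://cn={guid},...;options]" entry per linked GPO.
        $gpoCount = 0
        if ($ou.gPLink) { $gpoCount = ([regex]::Matches($ou.gPLink, '\[LDAP://')).Count }

        # The AD: drive is provided by the ActiveDirectory module.
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
        $delegates = @($acl.Access |
            Where-Object { -not $_.IsInherited -and -not (Test-DefaultOuPrincipal $_.IdentityReference.Value) } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

        $verdict = 'ok'
        if ($gpoCount -eq 0 -and $delegates.Count -eq 0) { $verdict = 'no administrative purpose' }

        New-Object PSObject -Property @{
            OU          = $ou.DistinguishedName
            LinkedGPOs  = $gpoCount
            DelegatedTo = ($delegates -join '; ')
            Verdict     = $verdict
        }
    }
}

# Members of a group grouped by their parent OU. The RDN strip below assumes no
# escaped commas in the CN; use an LDAP path parser if your naming allows them.
function Get-GroupMembersByOu {
    param([Parameter(Mandatory = $true)][string]$GroupName)
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $dn = $_.DistinguishedName
            New-Object PSObject -Property @{
                User = $_.SamAccountName
                OU   = $dn.Substring($dn.IndexOf(',') + 1)
            }
        } |
        Group-Object -Property OU | Select-Object Name, Count
}

Get-OuAdministrativePurpose | Format-Table OU, LinkedGPOs, DelegatedTo, Verdict -AutoSize
Get-GroupMembersByOu -GroupName 'R&D' | Format-Table -AutoSize   # 'R&D' is a placeholder group name
```

Treat a "no administrative purpose" verdict as a prompt to check, not an instruction to delete: an OU may still exist for a reason outside AD (for example as a search base for an application), which the script cannot see.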
