Develop and Implement an Up-to-Date Active Directory Strategy

Upload: follower1

Post on 03-Apr-2018


  • 7/28/2019 Develop and Implement an Up-To-date Active Directory Strategy

    1/52

    Practical IT Research that Drives Measurable Results

    Info-Tech Research Group

    Develop and Implement an Up-to-Date Active Directory Strategy

  • 2/52

    Active Directory Strategy and Migration

    Active Directory (AD) is a network security solution included in Windows Server operating systems. AD provides user authentication, manages access to network resources, and can be used to deploy software. To facilitate security and administration, AD enables companies to organize users and systems on the network into a tree-like hierarchical structure.

    Windows 2008 and 2008 R2 introduced significant AD security and administration enhancements. The migration to a 2008 platform will be inevitable as earlier OSs no longer meet IT requirements or reach end-of-life. The questions are: when to migrate, and what are the migration best practices?

    Those who should read this:

    Clients looking to improve their Active Directory structure
    Clients evaluating Windows Server 2008 R2 Active Directory
    Clients planning/executing a migration to Windows Server 2008 R2

    At the end, you will have:

    An optimal Active Directory structure for your environment.
    An understanding of what's new in 2008 R2 Active Directory.
    The criteria required to decide when, and if, to migrate to 2008 R2.
    Migration best practices.

  • 3/52

    Executive Summary

    Many organizations have sub-optimal AD structures that are focused more on organizational hierarchy or political motivators, leading to unnecessary complexity and higher administration costs.

    A single forest and single domain is best for most small or mid-sized companies. Introduce multiple forests or domains only when there are justifiable legal, business, or technical needs to isolate parts of the organization or grant autonomy.

    A key decision facing organizations is when to migrate to Windows 2008 R2 AD. Although the new security and administration features are significant, by themselves they do not warrant a migration project.

    Wait for opportunities to migrate as part of another project, such as a hardware refresh or an overall mandate to standardize on Windows 2008 or 2008 R2.

    Companies that take full advantage of online Microsoft resources have good success with migration, and do not need third-party consultants or tools.

  • 4/52

    Active Directory Introduction, Planning, and Design

    Planning and Design: About Active Directory, Best Practices for Design
    What's New in 2008 R2: Feature Descriptions, Feature Rankings, Migration Decision
    Migrating to 2008 R2: Preparing for Migration, Migration Workflow

  • 5/52

    Use Active Directory to organize your network, facilitate administration, and in some cases isolate resources

    Active Directory's primary purpose is authenticating users logging on to the network and granting access rights. AD uses the concept of containers to organize users and computers into a hierarchical framework to facilitate administration or isolate resources.

    Container: Description

    Forest: The top of the AD hierarchy; it provides a boundary between the organization's network and external networks. Multiple forests are required only if parts of the organization must be completely isolated from each other.

    Domain: Domains provide administrative and network boundaries within a forest. A forest requires at least one domain and it may be divided into multiple domains. Each domain contains at least one Domain Controller (DC) server which holds the AD configuration settings and user credentials required for authentication. Access between domains can be accomplished where required through trust relationships.

    Organizational Units (OUs): OUs are optional. They are used to divide the domain into smaller units to facilitate or delegate administration.

    Groups: Groups are not a subset of OUs, but are a way to organize users within a domain for the purpose of applying group policies and permissions. Software can also be deployed based on group membership. Group policies cannot cross domains, so they must be duplicated when there are multiple domains.

  • 6/52

    Optimize the replication topology to reduce the need for regional domains or more expensive WAN links

    The Domain Controller (DC) servers hold the AD configuration settings and user credentials. The DC databases are replicated to every other DC in the domain to allow authentication and administration to take place at any location. This generates significant network traffic.

    Creating regional domains is one way to reduce cross-country replication traffic, but it is often not necessary if you can optimize the replication topology:

    Replication Topology: The network connections that enable DCs to be replicated to all other DCs.

    Knowledge Consistency Checker (KCC): Creates the replication topology based on the best available connections between DCs.

    Sites: Each location can be identified as a site to optimize network traffic between locations as follows: authentication and service requests are directed to the closest DC. While the KCC will define the replication topology within a site, you define the links between sites to minimize WAN traffic. For example, funnel the replication through a central site to minimize east-west traffic, as shown in the diagram.

    Diagram: Single domain with three locations/sites. DC servers in each location allow for local authentication. Cross-country replication traffic is funneled through DCs in a central site.

  • 7/52

    Understand the concepts of administration, isolation and autonomy to further assess the need for multiple forests/domains

    Concept: Description

    Service Administrators: Manage the overall AD environment, including configuration settings and DC maintenance. Service administrators are, in effect, also data administrators since they have access to all systems.

    Data Administrators: Manage a subset of the AD environment, e.g., manage data and member computers.

    Isolation: Required when it's necessary to keep other administrators from viewing a subset of data or interfering with administration. For example, legal factors may require certain data or business units to be isolated. Isolation requires a separate forest since any other level (e.g., a domain) would fall under the supervision and control of a higher-level administrator.

    Autonomy: Required when part of the AD environment needs to be managed independently. Since autonomy rather than isolation is required, this need can be met with separate domains or potentially OUs, depending on the level of autonomy required.

    Info-Tech Insight: Restricting administrator access is the primary reason for isolation and autonomy. Small and mid-sized organizations often have a single centralized administration team, so they have no requirement to create isolation or autonomy from other administrators.

  • 8/52

    Multiple forests and domains lead to greater complexity and higher administration costs

    Multiple forests and multiple autonomous domains require dedicated administration teams, increasing costs. The added complexity also requires more administration effort.

    Examples of costs due to multiple forests and domains include:

    To achieve true isolation, each forest requires its own administration team. Similarly, multiple domains, when created to achieve autonomy, require their own administration teams.

    Unless each forest or domain is completely independent (e.g., no shared resources and no users who require access to the other forest), multiple forests/domains typically require trust relationships to allow some access.

    Group policy settings need to be duplicated in each domain.

    "I don't want to create a separate domain and give the local IT guy the keys to the kingdom just because he wants to administer his own users." Senior Systems Administrator, National Transportation Company

  • 9/52

    Avoid politically motivated Active Directory designs that lead to unnecessary multiple forests or domains

    Ensure your requirements for multiple forests or domains are real business or technical needs. Below are examples of potential needs:

    Organizational Need (Design Requirement): Recommendations

    For security or legal reasons, a data subset must be isolated (Isolation): This will require a separate forest to achieve isolation. Limit the number of forest administrators and members.

    Account for anticipated divestiture (Isolation): If you are certain that a division will be sold, you can simplify eventually splitting off that AD environment by setting it up as a separate forest.

    AD-related development projects (Isolation): Minimize the risk of developers inadvertently affecting the rest of the network by creating a separate forest for the development work.

    Multiple namespaces are required (Autonomy): A separate domain must be created for each DNS namespace.

    Administrative support for national or international locations (Autonomy or Administration Delegation): Regional domains can ease the administrative burden due to time zone and language issues. However, if autonomy is not required, and network bandwidth is not an issue, instead use regional organizational units to delegate administration and maintain a single forest, single domain design.

  • 10/52

    Further improve administration by using Groups rather than OUs to organize users for the purpose of applying group policies

    It's not necessary to create an OU for each department if it serves no administrative purpose.

    When it comes to organizing users and resources for the purpose of administering policies, use groups rather than OUs:

    OUs demand exclusive membership, meaning a system allocated to one OU can't be allocated to another. A user that belongs to the Sales OU but has tasks requiring R&D systems would require the creation of a dedicated Sales/R&D hybrid OU to ensure that appropriate permissions exist.

    Groups are non-exclusive, so our example user could be enrolled in both the Sales and R&D groups with no additional administration requirements.

    Software can also be deployed based on group membership. Using the scenario above, if deploying software to the R&D group, the Sales staff who also perform R&D are included.

    Info-Tech Insight: The primary purpose of OUs is to delegate administration, not to administer group policies.

  • 11/52

    Case Study: Use a single forest and single domain design to streamline administration complexity and costs

    Many organizations, large and small, have a single forest and domain, and instead use organizational units to subdivide administration.

    AD Design Explanation:

    Single forest, single domain, so no domain trust relationships are required.

    Each location has its own local administrator, so they are set up as separate OUs.

    DC replication is funneled through the central location to minimize cross-country traffic.

    A single set of Sales and Management group policies can be applied to users in all locations because they are all in the same domain.

  • 12/52

    Case Study: Create a separate forest to address isolation needs

    The west coast facility has dealings with the military. To meet security requirements, the location must be isolated.

    AD Design Explanation:

    The west coast location is set up as a separate forest with its own domain.

    A one-way trust enables the west coast facility to access east coast resources, but reverse access is not permitted.

    Each location has its own local administrator, so they are set up as separate OUs.

    Sales and Management groups and policies must be duplicated in each forest/domain.

  • 13/52

    Use this flowchart to determine Active Directory design requirements

    Follow the steps below to determine whether you need a dedicated (separate) forest, domain or organizational unit to address organizational needs.

    1. Identify potential needs in your organization for isolation, autonomy, or delegating administration.

    2. For each need, follow the flowchart to identify structure requirements.

    3. Diagram the resulting structure and confirm that it meets your overall needs while avoiding unnecessary complexity.

    For more information on AD design, see Appendix A: Active Directory Planning and Design Resources.

  • 14/52

    What's new in Windows 2008 R2 Active Directory

    Planning and Design: About Active Directory, Best Practices for Design
    What's New in 2008 R2: Feature Descriptions, Feature Rankings, Migration Decision
    Migrating to 2008 R2: Preparing for Migration, Migration Workflow

  • 15/52

    Windows 2008 (R1) added security enhancements such as Fine-Grained Password Policies and Read-Only Domain Controllers

    Feature: Description

    Auditing: Enables you to specify which operations to audit and include in the security log.

    Fine-Grained Password Policies: Supports multiple password policies per domain, enabling administrators to easily implement more restrictive policies where warranted.

    Owner Rights: Enables administrators to specify Owner Rights to override default access rights.

    Read-Only Domain Controllers: Does not contain account passwords, and replication is one-way only, inbound to the RODC. So if the RODC is compromised, user credentials and the rest of the network are not at risk.

    Restartable Active Directory Domain Services: Provides the ability to stop and start AD Domain Services to perform tasks such as security updates without having to restart the DC server.

    Database Mounting Tool: In a recovery situation, enables you to compare AD backups or snapshots that were performed at different times to determine which backup is the best one to restore.
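    The Fine-Grained Password Policies row above, worked through as an added example that is not from the Info-Tech deck: a PowerShell script (Active Directory module, which the deck lists under 2008 R2) creates a stricter Password Settings Object for a privileged group and then reports which policy each member actually receives, so a user silently falling back to the Default Domain Policy is caught. The PSO name PSO-PrivilegedAdmins, the choice of the Domain Admins group, and the policy values are assumptions; PSOs bind to users and global security groups, not to OUs, which fits the deck's groups-over-OUs advice.

```powershell
# Added example, not from the Info-Tech deck. Requires the Active Directory module
# for Windows PowerShell (2008 R2) and a domain functional level of 2008 or higher,
# which is what Fine-Grained Password Policies need.
Import-Module ActiveDirectory

# Assumed names for this example; adjust to your environment.
$psoName = 'PSO-PrivilegedAdmins'
$target  = 'Domain Admins'   # PSOs bind to users or global security groups, never to OUs

function New-PrivilegedPso {
    param([string]$Name, [string]$GroupName)

    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$Name'")) {
        $settings = @{
            Name                            = $Name
            Precedence                      = 10   # lowest number wins if a user matches several PSOs
            Description                     = 'Stricter policy for privileged accounts (assumed values)'
            ComplexityEnabled               = $true
            MinPasswordLength               = 15
            PasswordHistoryCount            = 24
            MinPasswordAge                  = New-TimeSpan -Days 1
            MaxPasswordAge                  = New-TimeSpan -Days 60
            LockoutThreshold                = 5
            LockoutObservationWindow        = New-TimeSpan -Minutes 30
            LockoutDuration                 = New-TimeSpan -Minutes 30
            ReversibleEncryptionEnabled     = $false
            ProtectedFromAccidentalDeletion = $true
        }
        New-ADFineGrainedPasswordPolicy @settings
    }

    # Link the PSO to the group; later membership changes are picked up automatically.
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $GroupName
}

function Test-ResultantPolicy {
    # Reports the policy each group member actually receives. A null resultant
    # policy means the Default Domain Policy applies, which is the case to catch.
    param([string]$GroupName, [string]$ExpectedPso)

    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
            if ($pso) { $effective = $pso.Name } else { $effective = '<Default Domain Policy>' }
            [pscustomobject]@{
                User         = $_.SamAccountName
                EffectivePso = $effective
                AsExpected   = [bool]($pso -and $pso.Name -eq $ExpectedPso)
            }
        }
}

New-PrivilegedPso -Name $psoName -GroupName $target
Test-ResultantPolicy -GroupName $target -ExpectedPso $psoName | Format-Table -AutoSize
```

    Any row with AsExpected set to False points at a member who is also covered by a lower-numbered PSO or who is not a direct or nested member of the group.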

  • 16/52

    Windows 2008 R2 introduced the Administrative Center and more security enhancements

    Feature: Description

    Administrative Center: Centralizes administration tools and objects in a task-oriented interface. Search function for locating and navigating to an object.

    Authentication Mechanism Assurance: Recognizes the device used to log in, enabling administrators to impose greater restrictions on users logging in from personal devices.

    Best Practices Analyzer: Scans your AD environment to check if the configuration is following best practices.

    Managed Service Accounts: Simplifies the administration of isolated key shared applications such as Exchange Server and IIS.

    Management Pack: Monitors computer and software states to assess availability and performance.

    Module for Windows PowerShell: A scripting language that administrators can use to simplify and automate configuration, administration and diagnostic tasks.

    Recycle Bin: Provides an undo capability without any downtime. Uses the Tombstone reanimation method, which now saves the attributes.

    Web Services: Provides a Web service interface to AD domains and AD LDS instances.

    Windows 7 Features: BranchCache and DirectAccess provide seamless connectivity for remote Windows 7 users. Offline Domain Join enables pre-provisioning Windows 7 PCs so they automatically join the network at startup.

  • 17/52

    The new Administrative Center was voted as offering the most benefit to organizations

    Scores based on feature rankings in an Info-Tech survey. N=84

    Security features such as Managed Service Accounts, Fine-Grained Password Policies, and Authentication Mechanism Assurance also scored high.

    Administrative Center: Saves time with a task-oriented interface and features such as a welcome page that remembers your common tasks.

    Managed Service Accounts: Automated password management and improved service principal name (SPN) management make it easier to isolate key shared applications.

    Fine-Grained Password Policies: Allows for multiple password policies without having to create multiple domains.

    Authentication Mechanism Assurance: Provides the means to apply greater restrictions when users log in from a personal device.

    For more details on these features, including special considerations, see Appendix B: New Active Directory Features. In addition, there have been several group policy enhancements as described in the Microsoft article "What's New in Group Policy for Windows 7 and Windows Server 2008 R2" (http://technet.microsoft.com/en-us/magazine/2009.10.gpwin7.aspx).

  • 18/52

    Although the new Active Directory features are significant, they do not justify a migration on their own for most companies

    Many companies have deferred migrating to 2008 or 2008 R2 because their Windows 2003 DCs continue to meet their needs and are compatible with most Windows 2008-based applications and systems.

    Over 80% of survey respondents indicated "Standardizing on Windows 2008" among their reasons to migrate their AD.

    Although the new AD features also scored high, only 2% of respondents selected that as the only reason to migrate.

    As more companies begin to plan a Windows 7 rollout, the Windows 7 functionality supported by AD is also becoming a motivating factor.

    Similarly, a need to restructure the AD environment or refresh DCs provides a reason to migrate.

    Source: Info-Tech survey. N=98

  • 19/52

    Wait for opportunities to migrate, such as a project that requires 2008 functionality or an infrastructure upgrade

    Examples of Opportunities: Why Migrate?

    Hardware Refresh: When a DC is due for a refresh, replace it with a Windows 2008 R2 server to put you in a position to later migrate your AD environment to 2008.

    Standardize on Windows 2008: Corporate Standard is the leading adoption driver for Windows 2008 (see Info-Tech's article "Why Windows Server 2008? Users Speak Out", http://www.infotech.com/research/why-windows-server-2008-users-speak-out?nav_id=2639). Note that Windows 2003 continues to be compatible with most Windows 2008-based systems, including Exchange Server 2007 and 2010 (see Microsoft's Exchange Server Supportability Matrix, http://technet.microsoft.com/en-us/library/ff728623(EXCHG.141).aspx).

    Windows 7 Rollout: Windows 7 remote connectivity features (BranchCache, DirectAccess) available with 2008 R2 AD make it worthwhile to consider migrating your AD environment to 2008 R2 as part of your overall Windows 7 project.

    Active Directory Needs to be Restructured: If your AD structure is in need of an overhaul, consider migrating to 2008 R2 at the same time to leverage the new features such as the improved administration functionality.

    "I like the compatibility with Windows 7, and the additional group policy settings." IT Manager, Marketing Company

  • 20/52

    Use the Active Directory Migration Readiness Assessment Tool to determine when, how, and if you are ready to migrate

    This tool will identify whether to migrate, based on your needs and opportunity, and recommend a migration method (in-place, transition, or restructure).

    The tool will ask you to indicate the following:

    1. Critical needs for the new AD features.
    2. Projects underway that would require 2008/2008 R2 AD.
    3. Your current OS.
    4. If you plan to move to new servers.
    5. If your current AD structure is in need of an overhaul.

    Download the Active Directory Migration Readiness Assessment Tool: http://www.infotech.com/research/active-directory-migration-readiness-tool

  • 21/52

    Migrating to Windows 2008 R2 Active Directory

    Planning and Design: About Active Directory, Best Practices for Design
    What's New in 2008 R2: Feature Descriptions, Feature Rankings, Migration Decision
    Migrating to 2008 R2: Preparing for Migration, Migration Workflow

  • 22/52

    Once you have decided to migrate, choose the migration method that fits your circumstances

    Three migration methods are available, which depend partly on the source server:

    In-Place Upgrade (stay on the existing server)
    Transitioning (maintaining the existing structure while migrating to a new server)
    Restructuring (building a new AD environment on new servers)

    The general workflows described in this section also apply to migration to Windows 2008 (R1), with the exception of system requirements specific to 2008 R2 (e.g., R1 can be 32- or 64-bit).

    2000 to 2008 R2: In-Place Upgrade: The hardware must be compatible with Windows 2008 R2. If the 2008 R2 requirements are met, then ensure you are at 2000 SP4, upgrade to 2003 R2, and then to 2008 R2. Transition and Restructuring: Both are available options as long as the existing server is running at least Windows 2000 native.

    2003 to 2008 R2: In-Place Upgrade: Must be an x64-based Windows Server 2003 (R2). Transition and Restructuring: Available for x86- or x64-based Windows 2003 systems.

    NT to 2008 R2: You must perform an in-place upgrade to either Windows 2000 SP4 or 2003 R2. After that, follow the guidelines above for 2000 or 2003 to 2008 R2 accordingly.

  • 23/52

    Make extensive use of Microsoft resources to ensure a successful migration

    An Info-Tech survey found that using third-party consultants had no impact on migration success. Use the available online resources to help you execute a successful migration.

    Among respondents who have completed a migration to 2008 AD:

    Over 70% reported no unexpected delays, user interruption, or network disruption.

    Only 28% used third-party consultants. Those who used consultants had the same success rate as those who did not.

    Chart: Distribution of Success Scores by Third-Party Consultant Usage. X-axis: Migration Success Score (0% to 100%). Y-axis: Frequency (Low to High). Series: Did Not Use Third-Party Consultants; Used Third-Party Consultants. Source: Info-Tech survey. N=35

  • 24/52

  • 25/52

    In-Place Upgrade offers the cheapest, but also the riskiest and least beneficial migration

    What's Involved?

    The OS on the existing DCs is upgraded to Windows 2008 R2.

    Benefits

    Current AD settings are retained (schema, group policies, etc.).
    Least expensive option (no new hardware).

    Disadvantages

    Staying on old hardware, so typically lower performance than a new system, and shorter shelf life going forward than a new server.
    Old data and workaround configurations are retained; not a clean system.
    More downtime, since the server cannot stay operational during the OS upgrade steps.

    Additional Information

    Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains (http://technet.microsoft.com/en-us/library/cc731188(WS.10).aspx)

    Info-Tech Insight: If a new Domain Controller or 2008 R2 license is not in your budget, defer migration if possible until you have the resources to migrate to a new server.

  • 26/52

    In-Place Upgrade: Preparation and upgrade steps

    Microsoft provides several online resources to assist with this procedure. Below are the high-level steps.

    1. Follow the steps outlined on slide 24, Before You Begin.

    2. Perform pre-upgrade steps as outlined in Microsoft's Pre-Upgrade checklist.

    3. Use Microsoft's Adprep tool to prepare your AD environment for the addition of a Windows 2008 R2 DC. Once the changes have been replicated to all DCs, you can continue with the next steps. For details, see Microsoft's document Prepare Your Infrastructure for Upgrade.

    4. Upgrade the first DC OS to 2008 R2. Once that is successful, upgrade the remaining DCs.

    5. After you have allowed a settling-in period (e.g., a week) and there are no replication errors or other issues, raise the domain functional level to 2008 R2. Caution: Once you've raised the domain functional level, you cannot roll it back.

    6. Raise the forest functional level. Caution: Once you've raised the forest functional level, you cannot roll it back.

    7. Enable AD optional features such as Recycle Bin if you wish to take advantage of them.

    8. Run the Active Directory Best Practices Analyzer. Make any appropriate changes based on the analysis results.

    Referenced Microsoft resources: http://technet.microsoft.com/en-us/library/cc771954(WS.10).aspx and http://technet.microsoft.com/en-us/library/cc771461(WS.10).aspx

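    Steps 4 through 6 above, as an added example that is not from the deck or from Microsoft: a PowerShell pre-flight check, using the Active Directory module and repadmin.exe, that confirms every DC in the domain already runs 2008 R2, that the FSMO role holders are 2008 R2 DCs, and that no inbound replication failures remain after the settling-in period, before the irreversible functional-level raise. The function name, the '*2008 R2*' operating-system match, and the single-domain-forest assumption for the two forest roles are assumptions; Set-ADDomainMode and Set-ADForestMode are called with -WhatIf so nothing changes until you remove it.

```powershell
# Added example, not from the Info-Tech deck or Microsoft. Requires the Active
# Directory module for Windows PowerShell (2008 R2) and repadmin.exe on the host.
Import-Module ActiveDirectory

function Test-FunctionalLevelReadiness {
    # Collects every reason NOT to raise the functional level yet. The raise cannot
    # be rolled back, so the caller should proceed only when Problems is empty.
    param(
        [string]$DomainName = (Get-ADDomain).DNSRoot,
        [string]$RequiredOs = '*2008 R2*'   # assumed wildcard for the target OS name
    )
    $problems = @()
    $domain   = Get-ADDomain -Identity $DomainName
    $forest   = Get-ADForest
    $dcs      = @(Get-ADDomainController -Filter * -Server $DomainName)

    # Check 1: the raise fails unless every DC (writable or RODC) already runs 2008 R2.
    foreach ($dc in $dcs) {
        if ($dc.OperatingSystem -notlike $RequiredOs) {
            $problems += "DC $($dc.HostName) still runs '$($dc.OperatingSystem)'"
        }
    }

    # Check 2: FSMO roles should sit on 2008 R2 DCs. In a single-domain forest (the
    # deck's recommended design) the two forest-wide roles live in this domain too.
    $roles = @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    foreach ($role in $roles.Keys) {
        $holder = $dcs | Where-Object { $_.HostName -eq $roles[$role] }
        if (-not $holder -or $holder.OperatingSystem -notlike $RequiredOs) {
            $problems += "$role held by $($roles[$role]) is not a 2008 R2 DC of $DomainName"
        }
    }

    # Check 3: no inbound replication failures after the settling-in period.
    # repadmin /showrepl * /csv emits one row per replication partner per naming context.
    $repl = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($row in ($repl | Where-Object { [int]$_.'Number of Failures' -gt 0 })) {
        $problems += "Replication $($row.'Source DSA') -> $($row.'Destination DSA') " +
                     "[$($row.'Naming Context')]: $($row.'Last Failure Status')"
    }

    [pscustomobject]@{
        Domain            = $DomainName
        Forest            = $forest.Name
        CurrentDomainMode = $domain.DomainMode
        CurrentForestMode = $forest.ForestMode
        Ready             = ($problems.Count -eq 0)
        Problems          = $problems
    }
}

$check = Test-FunctionalLevelReadiness
$check | Format-List

if ($check.Ready) {
    # -WhatIf previews the change; remove it only after reviewing the output above.
    Set-ADDomainMode -Identity $check.Domain -DomainMode Windows2008R2Domain -WhatIf
    Set-ADForestMode -Identity $check.Forest -ForestMode Windows2008R2Forest -WhatIf
} else {
    Write-Warning 'Not ready to raise functional levels. Resolve the listed problems first.'
}
```

    The same checks apply before step 8 of the transitioning workflow (demoting the old DCs), since a DC that still holds a role or has a failing replication link should not be demoted.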
  • 27/52

    Transitioning provides a safe migration path plus the benefits of either new hardware or a move to virtualization

    What's Involved?

    The AD environment is transferred from existing DCs to Windows 2008 R2 servers. The existing DCs are decommissioned or repurposed.

    Benefits

    Current AD settings are retained (schema, group policies, etc.).
    Can migrate to new hardware (longer shelf life going forward and better performance) or to a virtualized server.
    Less downtime, because the existing DC can stay operational during most of the migration.

    Disadvantages

    More expensive, requiring either a new server or an additional virtual server license.

    Additional Information

    Active Directory Domain Services and DNS Server Migration Guide
    Active Directory Certificate Services Migration Guide
    (http://technet.microsoft.com/en-us/library/dd379558(WS.10).aspx, http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx)

    Info-Tech Insight: Transitioning is the most common migration method, offers the least disruption to services, and provides the option of migrating from a physical server to a virtualized environment.

  • 28/52

    Transitioning: Preparation and migration steps

    As with the In-Place Upgrade, Microsoft provides several online resources to assist with this procedure. Below are the high-level steps.

    1. Follow the steps outlined on slide 24, Before You Begin.

    2. Use Microsoft's Adprep tool to prepare your AD environment for the addition of a Windows 2008 R2 DC. Once the changes have been replicated to all DCs, you can continue with the next steps. For details, see Microsoft's document Prepare Your Infrastructure for Upgrade.

    3. Add a Windows 2008 R2 server to your AD environment, and then promote the server to a DC (dcpromo command). Keep the domain functional level at 2003 until the end of the migration process. For details, see Microsoft's document Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2.

    4. Check the dcpromo.log and dcpromoui.log log files to ensure there are no issues.

    5. Install additional 2008 R2 DCs if applicable.

    6. Follow the steps in Microsoft's AD DS and DNS Server Migration: Preparing to Migrate to get ready to migrate.

    7. Transfer DNS settings and FSMOs to the new server, as outlined in Microsoft's AD DS and DNS Server Migration: Migrating the AD DS and DNS Server Roles.

    Referenced Microsoft resources: http://technet.microsoft.com/en-us/library/cc771461(WS.10).aspx, http://technet.microsoft.com/en-us/library/cc755103(WS.10).aspx, http://technet.microsoft.com/en-us/library/dd392263(WS.10).aspx, http://technet.microsoft.com/en-us/library/dd379526(WS.10).aspx


Transitioning: Post-migration steps

To begin taking advantage of the new 2008 and 2008 R2 features, follow the steps below.

8. After you have allowed a settling-in period (e.g., a week) and there are no replication errors or other issues, demote the old DCs.
Caution: If a DC has Exchange Server or IIS installed on it, transfer those to a different server before demoting. Once you've done that, reduce your future admin headaches by demoting the old DCs.

9. Raise the domain functional level.
Caution: Once you've raised the domain functional level, you cannot roll it back.

10. Raise the forest functional level.
Caution: Once you've raised the forest functional level, you cannot roll it back.

11. Enable AD optional features such as Recycle Bin if you wish to take advantage of those features.

12. Run the Active Directory Best Practices Analyzer. Make any appropriate changes based on the analysis results.
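
The following is an added PowerShell example, not part of the Info-Tech deck or Microsoft's guides, that works steps 4, 7, 9 and 10 of the transitioning procedure above: it scans the dcpromo logs, runs the standard replication checks, transfers the FSMO roles to the new DC, and refuses to raise the functional levels while a pre-2008 R2 DC is still in the domain. The domain name corp.example.com and the DC name DC2008R2-01 are assumptions; run it on the new DC or an RSAT workstation with the Active Directory module.

```powershell
# Added example (not from the Info-Tech deck): verify a new 2008 R2 DC, move the
# FSMO roles to it, and check nothing older remains before raising functional levels.
# Assumed names: domain corp.example.com, new DC DC2008R2-01.
Import-Module ActiveDirectory

$NewDc  = 'DC2008R2-01'
$Domain = 'corp.example.com'

# Step 4: scan the promotion logs for failures instead of reading them by hand.
$promoLogs = "$env:SystemRoot\debug\dcpromo.log", "$env:SystemRoot\debug\dcpromoui.log"
foreach ($log in $promoLogs) {
    if (Test-Path $log) {
        Select-String -Path $log -Pattern 'error|fail' |
            Select-Object -First 20 |
            ForEach-Object { Write-Warning "$($_.Filename): $($_.Line)" }
    }
}

# Replication and DC health (repadmin and dcdiag ship with the AD DS role).
repadmin /replsummary
dcdiag /s:$NewDc /q          # /q prints only failures

# Step 7: transfer (not seize) all five FSMO roles; the old holders must still be online.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Confirm where the roles now live.
Get-ADForest $Domain | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain $Domain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# Steps 9-10 are one-way, so refuse to raise the level while an older DC still exists.
$oldDcs = Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -notlike '*2008 R2*' }
if ($oldDcs) {
    Write-Warning 'Not raising functional levels; pre-2008 R2 DCs remain:'
    $oldDcs | Select-Object HostName, OperatingSystem | Format-Table -AutoSize
} else {
    Set-ADDomainMode -Identity $Domain -DomainMode Windows2008R2Domain -Confirm:$false
    Set-ADForestMode -Identity $Domain -ForestMode Windows2008R2Forest -Confirm:$false
}
```

The functional-level guard matters because the deck's cautions are literal: once Set-ADDomainMode or Set-ADForestMode succeeds there is no rollback, and a forgotten 2003 DC in a remote site would stop replicating.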


Use Restructuring when your current environment is sub-optimal to the point where starting from scratch is the best recourse

Restructuring will add time to the migration; however, if a restructure is required, it's also an opportunity to start over in a clean environment.

What's Involved?

A new AD structure is built on new Windows 2008 R2 servers. The existing DCs are decommissioned or repurposed.

Benefits

Less downtime because the existing DC can stay operational during most of the migration.
An opportunity to revamp your AD environment and put in place an optimal structure.

Disadvantages

More expensive, requiring either a new server or an additional virtual server license.
More time required to plan and create the new AD environment as well as plan the move to 2008 R2.

Additional Information

Best Practice Active Directory Design for Managing Windows Networks: http://technet.microsoft.com/en-us/library/bb727085.aspx
ADMT Guide: Migrating and Restructuring Active Directory Domains: http://technet.microsoft.com/en-us/library/cc974332(WS.10).aspx

Restructuring: Preparation, migration, and post-migration steps

Microsoft provides an Active Directory Migration Tool (ADMT) to facilitate this process.

1. Follow the steps outlined on slide 24, Before You Begin. In addition, review Microsoft's Best Practices for Active Directory Migration: http://technet.microsoft.com/en-us/library/cc974412(WS.10).aspx

2. Create the new AD environment on Windows 2008 R2 DCs. Review the slides earlier in this deck for AD design best practices and refer to Microsoft's TechNet for Windows 2008 R2 and AD installation instructions.

3. Add test users to the new environment. Monitor logs to ensure that the new environment is functioning properly.

4. Migrate resources to the new environment as outlined in Microsoft's guide on Interforest Active Directory Domain Restructure: http://technet.microsoft.com/en-us/library/cc974335(WS.10).aspx

5. Transfer administration and user accounts to the new environment.

6. After you have allowed a settling-in period and there are no replication errors or other issues, demote the old DCs.
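
An added PowerShell example for step 3 of the restructuring procedure, not from the deck or from ADMT: it creates a few test users in the new domain, asks every DC in that domain whether it can see them (a direct test that replication works before real accounts are migrated), and pulls error-level Directory Service events from each DC. The domain new.example.com, the OU=Test container, the DC name NEWDC01 and the test passwords are constructed for the example.

```powershell
# Added example (not from the deck): validate a freshly built 2008 R2 domain with
# test users before migrating real accounts into it.
# Assumed names: domain new.example.com, OU=Test, first DC NEWDC01 (all constructed).
Import-Module ActiveDirectory

$TestOu   = 'OU=Test,DC=new,DC=example,DC=com'
$SourceDc = 'NEWDC01'
$Names    = 1..3 | ForEach-Object { "migtest$_" }

# 1. Create the test users on one DC. Passwords are lab-only values constructed here.
foreach ($n in $Names) {
    $pw = ConvertTo-SecureString "Lab-Only-$($n)-Pass!" -AsPlainText -Force
    New-ADUser -Name $n -SamAccountName $n -Path $TestOu -Server $SourceDc `
               -AccountPassword $pw -Enabled $true
}

# 2. Give replication a moment, then query each DC directly for every test user.
Start-Sleep -Seconds 60
$dcs = Get-ADDomainController -Filter * -Server $SourceDc |
    Select-Object -ExpandProperty HostName
$report = foreach ($dc in $dcs) {
    foreach ($n in $Names) {
        $found = $null
        try { $found = Get-ADUser -Identity $n -Server $dc -ErrorAction Stop } catch { }
        New-Object PSObject -Property @{ DC = $dc; User = $n; Replicated = [bool]$found }
    }
}
$report | Sort-Object DC, User | Format-Table DC, User, Replicated -AutoSize
if ($report | Where-Object { -not $_.Replicated }) {
    Write-Warning 'Replication gaps found; run repadmin /showrepl before migrating real accounts.'
}

# 3. Error-level Directory Service events from each DC over the last 24 hours.
foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Level = 2; StartTime = (Get-Date).AddDays(-1)
    } | Select-Object MachineName, TimeCreated, Id, Message -First 10
}
```

Querying each DC with -Server, rather than letting the module pick one, is the point: a default query that succeeds proves only that one DC has the objects.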


If you are considering virtual DCs, use a combination of physical and virtual DCs to meet performance demands

While virtualization enables hardware cost savings, it is not ideal for Domain Controllers.

Potential Performance Issues

DCs make intensive use of RAM. Since RAM is shared with all the other virtual servers hosted by the same hardware, the RAM may not be sufficient to support a busy DC.

MS recommends that you use physical DCs for the following roles:
Global Catalogs
FSMO roles
DNS server

Additional Information:
Microsoft KB article 888794: http://support.microsoft.com/kb/888794
Deployment Considerations for Virtualized Domain Controllers: http://technet.microsoft.com/en-us/library/dd348449(WS.10).aspx

Potential Support Issues

As a general rule, MS does not test or support MS software running on non-MS virtualization technology (e.g., VMware).

Those with Premium level support do qualify for assistance but may need to reproduce the problem on a physical server or MS virtualization product.

Supported MS virtualization environments:
Windows 2008 and later with Hyper-V
Microsoft Hyper-V Server 2008 and later
Server Virtualization Validation Program

Additional Information:
Microsoft KB article 897615: http://support.microsoft.com/kb/897615
Microsoft KB article 957006: http://support.microsoft.com/kb/957006/
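
An added PowerShell inventory, not from the deck, that checks the recommendation above against a real forest: it lists every DC, whether it reports itself as a virtual machine, and whether it holds any of the roles MS recommends keeping on physical hardware (Global Catalog, FSMO roles, DNS server), then warns on the combinations to avoid. The hypervisor model and manufacturer strings it matches on are assumptions.

```powershell
# Added example (not from the deck): find virtual DCs that hold GC, FSMO or DNS roles.
# The Win32_ComputerSystem Model/Manufacturer strings are what common hypervisors
# present to the guest; treat the match list as an assumption to extend locally.
Import-Module ActiveDirectory

$inventory = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $dc.HostName -ErrorAction SilentlyContinue
    $isVirtual = $false
    if ($cs) {
        $isVirtual = ($cs.Model -match 'Virtual|VMware|HVM') -or
                     ($cs.Manufacturer -match 'VMware|Xen|QEMU|innotek')
    }
    # DNS role: the DNS Server service ("DNS") exists on the host.
    $dns = Get-WmiObject -Class Win32_Service -ComputerName $dc.HostName `
                         -Filter "Name='DNS'" -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        HostName      = $dc.HostName
        Site          = $dc.Site
        Virtual       = $isVirtual
        GlobalCatalog = $dc.IsGlobalCatalog
        FsmoRoles     = ($dc.OperationMasterRoles -join ',')
        DnsServer     = [bool]$dns
    }
}

$inventory | Format-Table HostName, Site, Virtual, GlobalCatalog, FsmoRoles, DnsServer -AutoSize

# Flag the combinations the deck advises against.
$inventory |
    Where-Object { $_.Virtual -and ($_.GlobalCatalog -or $_.FsmoRoles -or $_.DnsServer) } |
    ForEach-Object {
        Write-Warning ('{0} is virtual but holds GC={1} FSMO=[{2}] DNS={3}' -f
            $_.HostName, $_.GlobalCatalog, $_.FsmoRoles, $_.DnsServer)
    }
```

Run it again after any FSMO transfer or DC promotion; role placement drifts during migrations, which is exactly when a busy role can land on an oversubscribed host.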

Summary

When creating your AD environment, use a single forest and single domain design unless there are strong business or technical reasons for multiple forests or domains.

Use groups rather than OUs to organize users and facilitate applying group policies. Use OUs when you need to delegate administration.

The new 2008 R2 Administrative Center centralizes and streamlines administration. Key security enhancements include Managed Service Accounts, Fine-Grained Password Policies, and Authentication Mechanism Assurance.

Although the new features are significant, they do not warrant a migration project for most companies. Instead, wait for opportunities to migrate as part of another project, such as a Windows 7 rollout or an overall mandate to standardize on 2008/2008 R2.

Once the migration decision is made, use the available online resources to help you execute a successful migration. The use of third-party consultants does not improve the success rate.


Appendix A: Active Directory Planning and Design Resources

Info-Tech Resources on Planning and Design:

Efficient Active Directory Deployments Require Significant Planning: http://www.infotech.com/research/efficient-active-directory-deployments-require-significant-planning?nav_id=2639
Active Directory Topology: Seeing the Trees in the Forest: http://www.infotech.com/research/active-directory-topology-seeing-the-trees-in-the-forest?nav_id=2639
Active Directory Topology: Cultivating Forests: http://www.infotech.com/research/active-directory-topology-cultivating-forests?nav_id=2639
Active Directory Topology: Dividing by Domains: http://www.infotech.com/research/active-directory-topology-dividing-by-domains?nav_id=2639
Delegated Administration is the Role of Organizational Units: http://www.infotech.com/research/delegated-administration-is-the-role-of-ad-organizational-units?nav_id=2639

Additional Microsoft Resources on AD Design:

Best Practice Active Directory Design for Managing Windows Networks: http://technet.microsoft.com/en-us/library/bb727085.aspx
Achieving Autonomy and Isolation with Forests, Domains, and Organizational Units: http://technet.microsoft.com/en-us/library/bb727032.aspx
How Active Directory Replication Topology Works: http://technet.microsoft.com/en-us/library/cc755994(WS.10).aspx
What's New in Group Policy for Windows 7 and Windows Server 2008 R2: http://technet.microsoft.com/en-us/magazine/2009.10.gpwin7.aspx

Appendix B: New Active Directory Features

This section describes the following new 2008 and 2008 R2 features in the order that they ranked in the Info-Tech Survey in terms of offering the most benefit to the organization:

1. Administrative Center
2. Managed Service Accounts
3. Fine-Grained Password Policies
4. Authentication Mechanism Assurance
5. Windows 7 Enhancements
6. Best Practices Analyzer
7. Read-Only Domain Controllers
8. Database Mounting Tool
9. Module for PowerShell
10. Recycle Bin

Also described in this appendix:

Auditing Enhancements
Owner Rights
Management Pack
Restartable Active Directory Domain Services
Web Services

(Scores based on feature rankings in an Info-Tech survey. N=84.)


New Administrative Center streamlines administration

Description and Benefits

Centralizes administration tools and objects in a task-oriented interface for easier navigation.
The Welcome page remembers which tasks you perform most often, and provides quick links to those tasks.
New search function expedites locating and navigating to an object.
Depending on access rights and trusts between domains, you can view and manage objects in all domains from a single Administrative Center instance.

Special Considerations

Can be installed on a Windows 7 PC as part of the Remote Server Administration Tools (RSAT). See Remote Server Administration Tools for Windows 7 (Microsoft Source): http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displayLang=en

Additional Information

What's New in AD DS: Active Directory Administrative Center (Microsoft TechNet): http://technet.microsoft.com/en-us/library/dd378856(WS.10).aspx

Managed Service Accounts simplify locking down key shared applications

Description and Benefits

Isolating accounts for key shared applications such as Exchange Server and IIS is a recommended security practice. This feature simplifies the administration of these accounts with automated password management and improved service principal name (SPN) management.

Managing these accounts was more complex and time-consuming in previous AD versions (e.g., required manual password management).

Special Considerations

Managed service accounts can be used only for applications installed on Windows Server 2008 R2 or Windows 7.

Additional Information

Service Accounts Step-by-Step Guide (Microsoft TechNet): http://technet.microsoft.com/en-us/library/dd548356(WS.10).aspx
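
An added PowerShell walk-through of the feature, not from the deck or Microsoft's step-by-step guide: it creates a managed service account for a web application, registers its SPN, binds it to the single host that may use it (a 2008 R2 MSA is one-host only), installs it on that host and points a Windows service at it. The account name svc-webapp, host WEB01, service name WebAppSvc, OU and domain CORP / corp.example.com are assumptions; the remote step needs PowerShell remoting enabled on WEB01.

```powershell
# Added example (not from the deck): provision a managed service account end to end.
# Assumed names: svc-webapp, host WEB01, service WebAppSvc, domain CORP/corp.example.com.
Import-Module ActiveDirectory

$Msa     = 'svc-webapp'
$AppHost = 'WEB01'
$MsaOu   = 'OU=ServiceAccounts,DC=corp,DC=example,DC=com'

# 1. Create the account. AD generates and rotates its password; no administrator ever
#    knows it, which is what removes the shared-service-password risk.
New-ADServiceAccount -Name $Msa -Path $MsaOu -Enabled $true

# 2. Register the SPN the application is reached under, so Kerberos can be used.
Set-ADServiceAccount -Identity $Msa -ServicePrincipalNames @{ Add = 'HTTP/webapp.corp.example.com' }

# 3. Authorise exactly one computer to retrieve the password.
Add-ADComputerServiceAccount -Identity $AppHost -ServiceAccount $Msa

# 4. On the host itself: install the account locally, verify it, and bind the service.
Invoke-Command -ComputerName $AppHost -ScriptBlock {
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity 'svc-webapp'
    if (-not (Test-ADServiceAccount -Identity 'svc-webapp')) {
        throw 'svc-webapp is not usable on this host; check the computer binding'
    }
    # The logon account is DOMAIN\name$ and the password is deliberately left empty:
    # the service control manager fetches it from AD.
    sc.exe config 'WebAppSvc' obj= 'CORP\svc-webapp$' password= ''
}

# 5. Confirm the binding from the directory side.
Get-ADServiceAccount -Identity $Msa -Properties HostComputers, ServicePrincipalNames |
    Select-Object Name, Enabled, HostComputers, ServicePrincipalNames
```

Test-ADServiceAccount is the check worth keeping in a build script: it fails when the host was never authorised in step 3, which otherwise surfaces only as a service that will not start.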

Fine-Grained Password Policies feature enables multiple password and lockout policies per domain

Description and Benefits

Previous AD versions permitted only a single password and account lockout policy per domain. To have separate policies for different sets of users required a password filter or multiple domains, adding to the administrative burden and complicating the AD environment.

With the ability to have multiple password policies per domain, it's much easier to implement more restrictive policies where warranted.

Special Considerations

Fine-grained password policies are assigned at the group level. If users are grouped only into Organizational Units, then set up a shadow group for the OU.
Custom password filters are not affected and can still be used to apply additional restrictions.

Additional Information

AD DS: Fine-Grained Password Policies (Microsoft TechNet): http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
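
An added PowerShell example, not from the deck, that puts both points of the slide into practice: it maintains a shadow group whose membership mirrors an admin OU (because a PSO binds to groups and users, never to an OU), creates a stricter password and lockout policy, applies it to the shadow group, and verifies the resultant policy for a member. The OU=Admins, group PSO-Admins, policy name Admins-Strict and the threshold values are assumptions.

```powershell
# Added example (not from the deck): a stricter PSO for privileged accounts, applied
# through a shadow group that mirrors an OU. Names and thresholds are assumptions.
Import-Module ActiveDirectory

$AdminOu = 'OU=Admins,DC=corp,DC=example,DC=com'
$Shadow  = 'PSO-Admins'
$PsoName = 'Admins-Strict'

# 1. Shadow group: a global security group whose membership tracks the OU. Re-run
#    this script on a schedule so moves into or out of the OU are reflected.
if (-not (Get-ADGroup -Filter { Name -eq $Shadow })) {
    New-ADGroup -Name $Shadow -GroupScope Global -GroupCategory Security -Path $AdminOu
}
$inOu    = Get-ADUser -SearchBase $AdminOu -SearchScope OneLevel -Filter * |
               Select-Object -ExpandProperty SamAccountName
$members = Get-ADGroupMember -Identity $Shadow | Select-Object -ExpandProperty SamAccountName
$toAdd    = $inOu    | Where-Object { $members -notcontains $_ }
$toRemove = $members | Where-Object { $inOu -notcontains $_ }
if ($toAdd)    { Add-ADGroupMember    -Identity $Shadow -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $Shadow -Members $toRemove -Confirm:$false }

# 2. The PSO. A lower Precedence wins when a user is covered by several PSOs.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter { Name -eq $PsoName })) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $Shadow

# 3. Verify: a member's resultant policy must be the PSO, not the domain default.
$sample = $inOu | Select-Object -First 1
if ($sample) {
    Get-ADUserResultantPasswordPolicy -Identity $sample |
        Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
}
```

Get-ADUserResultantPasswordPolicy is the check to keep: it reports what the DC will actually enforce for that user, so it catches a PSO that was created but never linked, or one that loses to another PSO with a lower precedence.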

Authentication Mechanism Assurance strengthens security against personal devices

Description and Benefits

The new Authentication Mechanism Assurance feature recognizes who is logging in and the device being used (e.g., company-assigned PC vs. a home computer or personal mobile device).

Personal devices create a security risk since you cannot guarantee that they meet corporate security standards. The extra level of identification enables administrators to impose greater restrictions on users logging in from personal devices.

Special Considerations

This feature is disabled by default.
Requires a certificate-based authentication infrastructure (e.g., smart card or token-based authentication).

Additional Information

What's New in AD DS: Authentication Mechanism Assurance (Microsoft TechNet): http://technet.microsoft.com/en-us/library/dd391847(WS.10).aspx
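
An added PowerShell example of how the feature is switched on, not from the deck or Microsoft's guide: AMA works by linking a certificate issuance policy (an OID object in the Configuration partition) to a universal security group; a user who logs on with a certificate carrying that policy gets the group in their token, and a user who logs on with a password alone does not, so resource ACLs can distinguish the two. The issuance-policy OID 1.3.6.1.4.1.311.21.8.1234.5678.1 is a placeholder to replace with your CA's OID, and the group name SmartCard-Authenticated is an assumption.

```powershell
# Added example (not from the deck): link an issuance policy OID to a group for AMA.
# Placeholder OID and assumed group name; requires the 2008 R2 forest functional level.
Import-Module ActiveDirectory

$PolicyOid = '1.3.6.1.4.1.311.21.8.1234.5678.1'   # placeholder: use your CA's issuance policy OID
$GroupName = 'SmartCard-Authenticated'

# AMA needs Windows2008R2Forest; stop early otherwise.
$forest = Get-ADForest
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest mode is $($forest.ForestMode); AMA needs Windows2008R2Forest"
}

# The linked group must be a universal security group with no static members:
# membership is granted dynamically at logon, never stored.
$group = Get-ADGroup -Identity $GroupName -Properties Members
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw "$GroupName must be a universal security group"
}
if (@($group.Members).Count -gt 0) { throw "$GroupName must have no static members" }

# Issuance policies are OID objects under CN=OID in the Configuration partition.
$configNc = (Get-ADRootDSE).configurationNamingContext
$oidBase  = "CN=OID,CN=Public Key Services,CN=Services,$configNc"
$oidObj   = Get-ADObject -SearchBase $oidBase -LDAPFilter "(msPKI-Cert-Template-OID=$PolicyOid)" `
                         -Properties msDS-OIDToGroupLink
if (-not $oidObj) { throw "No issuance policy object found for $PolicyOid" }

# Link policy -> group via msDS-OIDToGroupLink, replacing any previous link.
if ($oidObj.'msDS-OIDToGroupLink') { Set-ADObject -Identity $oidObj -Clear 'msDS-OIDToGroupLink' }
Set-ADObject -Identity $oidObj -Add @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# Verify through the back-link on the group.
Get-ADGroup -Identity $GroupName -Properties msDS-OIDToGroupLinkBl |
    Select-Object Name, msDS-OIDToGroupLinkBl
```

After the link is set, the test is a logon: a smart-card logon with a certificate carrying the policy shows the group in whoami /groups, and a password logon by the same user does not. Because the group is never populated in the directory, adding members to it by hand defeats the control and is the misconfiguration to watch for.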

Remote Windows 7 users gain seamless connectivity and improved file access speed

Description and Benefits

The following Windows 7 features are possible in a 2008 R2 Active Directory environment:

BranchCache: Stores commonly accessed files locally in branch offices for much faster file access.
DirectAccess: Automatically establishes a VPN link when connecting remotely, bypassing manual steps such as launching a VPN connection. If the connection drops, the VPN is automatically re-established when the network becomes available again.
Offline Domain Join: Enables pre-provisioning Windows 7 PCs so they automatically join the network when they first start up.

Special Considerations

BranchCache and DirectAccess are available only for Windows Server 2008 R2 and Windows 7 computers. DirectAccess also requires IPv6 or transition technologies.
Offline Domain Join can also be used with earlier AD environments by using a /downlevel parameter.

Additional Information

BranchCache and DirectAccess: Improving the Branch Office Experience (Microsoft TechNet): http://technet.microsoft.com/en-us/magazine/ee835709.aspx
BranchCache for Windows Server 2008 R2 (Microsoft TechNet): http://technet.microsoft.com/en-ca/library/dd996634(WS.10).aspx
What's New in AD DS: Offline Domain Join (Microsoft TechNet): http://technet.microsoft.com/en-us/library/dd391977(WS.10).aspx
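
An added PowerShell example of Offline Domain Join, not from the deck: it pre-provisions a batch of Windows 7 machines with djoin.exe, locks down the resulting blob files (each one is effectively a machine credential and must be protected until it is consumed), and shows the command the client runs at first boot. The domain corp.example.com, the OU=Workstations container, the output folder and the machine names are constructed for the example.

```powershell
# Added example (not from the deck): batch-provision offline domain join blobs.
# Assumed: domain corp.example.com, OU=Workstations, folder C:\ODJ, constructed names.
$Domain   = 'corp.example.com'
$TargetOu = 'OU=Workstations,DC=corp,DC=example,DC=com'
$OutDir   = 'C:\ODJ'
$Machines = 'WS7-001', 'WS7-002', 'WS7-003'   # constructed sample list

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

# Restrict the folder before writing blobs into it: Administrators and SYSTEM only.
icacls $OutDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

foreach ($m in $Machines) {
    $blob = Join-Path $OutDir "$m.txt"
    # /reuse allows re-provisioning an account that already exists. Add /downlevel
    # (see the slide) when the domain still has pre-2008 R2 DCs.
    djoin.exe /provision /domain $Domain /machine $m /machineou $TargetOu /savefile $blob /reuse
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "djoin provisioning failed for $m (exit code $LASTEXITCODE)"
    } else {
        "Provisioned $m -> $blob"
    }
}

# On each new PC, as a local administrator and before its first domain logon:
#   djoin.exe /requestODJ /loadfile C:\ODJ\WS7-001.txt /windowspath %SystemRoot% /localos
# then reboot; the machine starts up already joined to corp.example.com.
```

Treat the blob like a password reset ticket: deliver it through the imaging pipeline, not e-mail, and delete it once the client has consumed it. The computer account is created in the target OU at provisioning time, so the usual GPO scoping applies from the first boot.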

Best Practices Analyzer identifies Active Directory configuration issues

Description and Benefits

Checks if your AD configuration is following best practices.

To help you identify and resolve best practice violations, this feature provides:
A rules component which defines what is a best-practice configuration.
A PowerShell script to collect data on your configuration.
A guidance component to help you resolve identified issues.

Special Considerations

The feature can be run from the Best Practices Analyzer GUI in Server Manager or using PowerShell cmdlets.

Additional Information

What's New in AD DS: Active Directory Best Practices Analyzer (Microsoft TechNet): http://technet.microsoft.com/en-us/library/dd378893(WS.10).aspx
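
An added PowerShell example of the cmdlet route, not from the deck: it runs the AD DS model of the Best Practices Analyzer on a 2008 R2 DC, drops informational and excluded results, and exports the warnings and errors with Microsoft's own resolution text to a dated CSV so that findings can be tracked between runs. The output folder C:\Reports is an assumption.

```powershell
# Added example (not from the deck): scripted AD DS BPA run with CSV export.
# Assumed output folder C:\Reports; run on a 2008 R2 DC with the AD DS role.
Import-Module BestPractices

$Model  = 'Microsoft/Windows/DirectoryServices'   # model id registered by the AD DS role
$OutDir = 'C:\Reports'
if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
$Out = Join-Path $OutDir ('bpa-adds-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date))

# 1. Confirm the model is present, then run the scan (usually a minute or two).
if (-not (Get-BpaModel | Where-Object { $_.Id -eq $Model })) {
    throw "BPA model $Model not found; this server does not appear to hold the AD DS role"
}
Invoke-BpaModel $Model | Out-Null

# 2. Keep only actionable results: not informational, not excluded by an admin.
$findings = @(Get-BpaResult $Model | Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded })

# 3. Summarise by severity and export the detail for tracking.
$findings | Group-Object Severity | Select-Object Name, Count | Format-Table -AutoSize
$findings | Sort-Object Severity, Category |
    Select-Object Severity, Category, Title, Problem, Impact, Resolution |
    Export-Csv -Path $Out -NoTypeInformation
"Wrote $($findings.Count) findings to $Out"
```

Diffing two of these CSVs is a cheap way to prove that step 12 of the migration procedure was actually completed: the error rows present after promotion should be gone in the post-cleanup run.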

Read-Only Domain Controllers (RODCs) provide a security option for less-secure locations

Description and Benefits

The RODC is designed for remote locations that have poor physical security.

The RODC does not contain account passwords, and replication is one-way only: inbound to the RODC. So if the RODC is compromised, user credentials are not at risk, and any changes to the RODC cannot spread to the rest of the network.

Without an RODC, the alternative when security is a concern is to authenticate over a WAN to a DC in another location, which can be slow depending on network bandwidth.

Special Considerations

The domain must include at least one Windows 2008 DC. Functional level can be Windows 2003 or higher.
Domain admin accounts cannot be replicated to an RODC. As a result, you have to set up a separate account on the RODC to administer it.
A separate group must be set up that identifies all the accounts that can be replicated to the RODC.

Additional Information

AD DS: Read-Only Domain Controllers (Microsoft TechNet): http://technet.microsoft.com/en-us/library/cc732801(WS.10).aspx
Read-Only Domain Controllers and Account Lockouts (Microsoft TechNet): http://blogs.technet.com/b/askds/archive/2008/02/15/read-only-domain-controllers-and-account-lockouts.aspx
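
An added PowerShell example for the two special considerations above, not from the deck: it puts the "separate group" of cacheable accounts on the RODC's Password Replication Policy, delegates local administration of the RODC to a group without using a domain admin account (the managedBy attribute of the RODC computer object), and then reviews which credentials the RODC has actually cached. The RODC name RODC01 and the group names Branch-Users-Allowed and RODC01-Admins are assumptions.

```powershell
# Added example (not from the deck): configure and audit an RODC's Password
# Replication Policy. Assumed names: RODC01, Branch-Users-Allowed, RODC01-Admins.
Import-Module ActiveDirectory

$Rodc    = 'RODC01'
$Allowed = 'Branch-Users-Allowed'   # the group of accounts that may be cached
$Admins  = 'RODC01-Admins'          # delegated local admins of the RODC

# 1. Allow only the branch group to be cached. Domain Admins and the other privileged
#    groups are already in the default "Denied RODC Password Replication Group".
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Allowed

# 2. Delegated administration: managedBy on the RODC's computer object grants local
#    admin on that RODC only, so no domain admin credential ever logs on there.
Set-ADComputer -Identity $Rodc -ManagedBy (Get-ADGroup -Identity $Admins).DistinguishedName

# 3. Review the effective policy.
'--- allowed to cache ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name
'--- never cached ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name

# 4. What is actually stored on the box. These are the accounts to reset if the RODC
#    is ever lost, so this list is the real exposure, not the policy above.
'--- credentials currently cached on the RODC ---'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass

# 5. Users who authenticated through the RODC but are not cached: each of their logons
#    still crosses the WAN, so they are candidates for the allowed group.
'--- authenticated but not cached ---'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Where-Object { $_.ObjectClass -eq 'user' } | Select-Object Name
```

Review step 4 periodically: the deck's statement that a compromised RODC puts no credentials at risk holds only for accounts that were never revealed to it, and -RevealedAccounts is the authoritative list of which ones were.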

Database Mounting Tool expedites the recovery process

Description and Benefits

Also known as Snapshot Viewer or Snapshot Browser.

Enables you to compare AD backups or snapshots that were performed at different times to determine which backup is the best one to restore. Previously the only option was to restore each backup to determine which one to use.

Can also be used to review changes made to your AD environment.

Special Considerations

The snapshots could potentially be used to examine sensitive data, so they warrant the same level of security provided to AD DS backups.

Additional Information

AD DS: Database Mounting Tool (Microsoft TechNet): http://technet.microsoft.com/en-us/library/cc753246(WS.10).aspx
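
An added PowerShell example of the tool in use, not from the deck: it takes an AD snapshot with ntdsutil, mounts the newest one, serves its ntds.dit read-only on a side LDAP port with dsamain, compares one account's attributes between the snapshot and the live directory, and tears everything down. Run it elevated on a 2008 R2 DC. The user name jdoe, port 50000 and the default database path inside the snapshot (Windows\NTDS\ntds.dit) are assumptions.

```powershell
# Added example (not from the deck): snapshot, mount, diff, unmount.
# Assumed: elevated session on a 2008 R2 DC, user jdoe, LDAP port 50000, default DB path.
Import-Module ActiveDirectory

$Port = 50000
$User = 'jdoe'

# 1. Take a VSS snapshot of the directory and list snapshots; the last GUID printed
#    belongs to the newest snapshot's volume entry.
ntdsutil "activate instance ntds" snapshot create quit quit | Out-Null
$listing = ntdsutil snapshot "list all" quit quit
$guid = ([regex]::Matches(($listing -join "`n"), '\{[0-9a-fA-F-]+\}') | Select-Object -Last 1).Value

# 2. Mount it; ntdsutil reports "Snapshot {guid} mounted as <path>".
$mountOut = ntdsutil snapshot "list all" "mount $guid" quit quit
$mount    = [regex]::Match(($mountOut -join "`n"), 'mounted as (\S+)').Groups[1].Value
if (-not $mount) { throw "Snapshot $guid did not mount:`n$($mountOut -join "`n")" }

# 3. Expose the snapshot's database read-only on the side port.
$dit     = Join-Path $mount 'Windows\NTDS\ntds.dit'
$dsamain = Start-Process dsamain.exe -ArgumentList "-dbpath `"$dit`" -ldapport $Port" -PassThru
Start-Sleep -Seconds 15

try {
    # 4. Diff the attributes that matter for an "who changed what" question.
    $props = 'memberOf', 'description', 'userAccountControl', 'whenChanged'
    $live = Get-ADUser -Identity $User -Properties $props
    $old  = Get-ADUser -Identity $User -Properties $props -Server "localhost:$Port"
    foreach ($p in $props) {
        $l = ($live.$p | Out-String).Trim()
        $o = ($old.$p  | Out-String).Trim()
        if ($l -ne $o) { "{0}`n  snapshot: {1}`n  live:     {2}" -f $p, $o, $l }
    }
} finally {
    # 5. Always tear down: stop dsamain and unmount the snapshot.
    Stop-Process -Id $dsamain.Id -ErrorAction SilentlyContinue
    ntdsutil snapshot "list all" "unmount $guid" quit quit | Out-Null
}
```

The side port accepts any LDAP client, so while dsamain is running the snapshot is as sensitive as the live directory; the finally block exists so the mount is not left behind if the comparison throws.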

PowerShell saves administration time through task automation

Description and Benefits

PowerShell is a scripting language that administrators can use to simplify and automate configuration, administration and diagnostic tasks.

Examples of tasks that can be performed include: disable/enable accounts, search for accounts, add or remove accounts, and create, modify or remove objects.

Special Considerations

Can be installed on a Windows 7 PC as part of the Remote Server Administration Tools (RSAT). See Remote Server Administration Tools for Windows 7 (Microsoft Source): http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displayLang=en

This module uses the ADWS service. TCP port 9389 must be open on the DC running the ADWS service.

Additional Information

What's New in AD DS: Active Directory Module for Windows PowerShell (Microsoft TechNet): http://technet.microsoft.com/en-us/library/dd378783(WS.10).aspx
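
An added PowerShell example, not from the deck, covering both the port requirement and one of the listed tasks: it checks from an RSAT workstation that TCP 9389 on the DC answers before loading the module (the module's errors when ADWS is unreachable are not obvious), then searches for user accounts with no logon in 90 days and disables them as a dry run. The DC name DC01 and the 90-day threshold are assumptions.

```powershell
# Added example (not from the deck): ADWS reachability check, then a stale-account
# search and dry-run disable. Assumed DC name DC01 and a 90-day inactivity threshold.
$Dc       = 'DC01'
$AdwsPort = 9389

function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000) {
    # Plain TCP connect with a timeout; Test-NetConnection does not exist on 2008 R2 / Win7.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

if (-not (Test-TcpPort $Dc $AdwsPort)) {
    throw "ADWS on ${Dc}:$AdwsPort is unreachable; open TCP $AdwsPort or start the ADWS service"
}

Import-Module ActiveDirectory

# Enabled user accounts with no logon in the last 90 days.
$stale = Search-ADAccount -Server $Dc -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object { $_.Enabled }

$stale | Select-Object Name, SamAccountName, LastLogonDate |
    Sort-Object LastLogonDate | Format-Table -AutoSize

# Dry run: -WhatIf shows what would be disabled without touching anything.
# Remove -WhatIf only after the list has been reviewed.
$stale | Disable-ADAccount -Server $Dc -WhatIf
```

Pinning -Server to one DC for both the search and the change keeps the result consistent; LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is only updated every 14 days by default, so the threshold should be comfortably above that.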

Recycle Bin Undo simplifies recovery from accidental deletions

Description and Benefits

With 2003 DCs, deleted objects could be recovered from Windows Server backups, but the DC had to be offline. The Tombstone reanimation method allowed recovery while online, but attributes such as group memberships were lost.

With 2008 R2 DCs, the Tombstone process saves the attributes, making it a viable recovery method; deleted objects can be retrieved without any downtime.

Special Considerations

This feature is disabled by default.
Once the feature is enabled, you cannot roll back to a lower functional level.

Additional Information

What's New in AD DS: Active Directory Recycle Bin (Microsoft TechNet): http://technet.microsoft.com/en-us/library/dd391916(WS.10).aspx
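
An added PowerShell example, not from the deck, of enabling the feature and then using it: it checks the forest functional level, enables the Recycle Bin once per forest (irreversible, as the slide says), locates a deleted user with its attributes intact, restores its parent OU first if that was deleted too, and confirms the group memberships came back. The forest corp.example.com and the user jdoe are assumptions.

```powershell
# Added example (not from the deck): enable the AD Recycle Bin and restore a deleted
# user with memberships intact. Assumed forest corp.example.com and user jdoe.
Import-Module ActiveDirectory

$Forest = 'corp.example.com'
$Sam    = 'jdoe'

# 1. Enable once per forest. Requires Windows2008R2Forest and cannot be turned off.
if ((Get-ADForest -Identity $Forest).ForestMode -ne 'Windows2008R2Forest') {
    throw 'Raise the forest functional level to Windows Server 2008 R2 first'
}
$rb = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if (@($rb.EnabledScopes).Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
                             -Target $Forest -Confirm:$false
}

# 2. Find the deleted object. With the Recycle Bin on, deleted objects keep their
#    attributes (including memberOf) for the deleted-object lifetime (default 180 days).
$deleted = Get-ADObject -Filter { SamAccountName -eq $Sam -and isDeleted -eq $true } `
                        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, memberOf |
           Select-Object -First 1
if (-not $deleted) { throw "No deleted object found for $Sam" }
$deleted | Select-Object Name, lastKnownParent, whenChanged

# 3. Restore-ADObject fails if the parent is gone, so bring a deleted parent OU back first.
$parent = Get-ADObject -Identity $deleted.lastKnownParent -IncludeDeletedObjects -Properties isDeleted
if ($parent.isDeleted) {
    "Parent container was deleted too; restoring $($parent.Name) first"
    Restore-ADObject -Identity $parent
}

# 4. Restore the user and confirm the memberships survived.
Restore-ADObject -Identity $deleted
Get-ADUser -Identity $Sam -Properties memberOf | Select-Object Name, Enabled, memberOf
```

A restore is itself a change worth auditing: the 5138 "undeleted" security event records who brought the object back.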

Additional security and workflow features include Auditing and Restartable Domain Services

Auditing Enhancements:
Enables you to specify which operations to audit and include in the security log.
For more details, see AD DS: Auditing (Microsoft TechNet): http://technet.microsoft.com/en-us/library/cc731764(WS.10).aspx

Owner Rights:
Enables you to specify Owner Rights to override default access rights.
For more details, see AD DS: Owner Rights (Microsoft TechNet): http://technet.microsoft.com/en-us/library/dd125370(WS.10).aspx

Management Pack:
Monitors computer and software states to assess availability and performance.
For more details, see Active Directory Federation Services Management Pack Readme (Microsoft TechNet): http://technet.microsoft.com/en-us/library/dd279709.aspx

Restartable Active Directory Domain Services:
Provides the ability to stop and start AD Domain Services to perform tasks such as security updates without having to restart the DC server.
For more details, see AD DS: Restartable Active Directory Domain Services (Microsoft TechNet): http://technet.microsoft.com/en-us/library/cc754718(WS.10).aspx

Web Services:
Provides a Web service interface to AD domains and AD LDS instances.
For more details, see What's New in AD DS: Active Directory Web Services (Microsoft TechNet): http://technet.microsoft.com/en-us/library/dd391908(WS.10).aspx
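
An added PowerShell example for the Auditing Enhancements item above, not from the deck: it enables the 2008 "Directory Service Changes" audit subcategory on a DC (the granular setting that records old and new attribute values), then reads the resulting change events back and summarises who changed which attribute of which object. An object is only audited if its SACL asks for it; the domain defaults cover most objects, and the SACL itself is left as an exercise. The DC name DC01 is an assumption.

```powershell
# Added example (not from the deck): enable Directory Service Changes auditing and
# summarise the change events it produces. Assumed DC name DC01.
$Dc = 'DC01'

# 1. Enable the subcategory on the DC (or set it in the Default Domain Controllers GPO).
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol.exe /get /subcategory:"Directory Service Changes"

# 2. The change events this subcategory writes to the Security log.
$changeIds = @{ 5136 = 'modified'; 5137 = 'created'; 5138 = 'undeleted'; 5139 = 'moved'; 5141 = 'deleted' }
$events = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 5136, 5137, 5138, 5139, 5141; StartTime = (Get-Date).AddDays(-1)
}

# 3. The XML payload carries the subject, the object DN and (for 5136) the attribute
#    name and value, which the default message text buries in prose.
$events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    New-Object PSObject -Property @{
        Time      = $_.TimeCreated
        Action    = $changeIds[[int]$_.Id]
        Subject   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Object    = $d['ObjectDN']
        Attribute = $d['AttributeLDAPDisplayName']
        Value     = $d['AttributeValue']
    }
} | Sort-Object Time -Descending |
    Format-Table Time, Action, Subject, Object, Attribute, Value -AutoSize
```

Group membership changes appear as 5136 events on the group object with Attribute = member, which makes this summary a quick way to watch additions to privileged groups; forwarding these five event IDs off the DC is the detection that outlives a local log wipe.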

Appendix C: Research Demographics

Info-Tech conducted a survey to generate the data needed to create this research. The following are graphs depicting the demographic information of those who participated in the survey.
