10 Tips for Effective Active Directory Design

By WireINPUT -
Active Directory design is a science, and it’s far too complex to cover all the nuances within the confines of one article. But I wanted to share with you 10 quick tips that will help make your AD design more efficient and easier to troubleshoot and manage.


1: Keep it simple

The first bit of advice is to keep things as simple as you can. Active Directory is designed to be flexible, and if offers numerous types of objects and components. But just because you can use something doesn’t mean you should. Keeping your Active Directory as simple as possible will help improve overall efficiency, and it will make the troubleshooting process easier whenever problems arise.

2: Use the appropriate site topology

Although there is definitely something to be said for simplicity, you shouldn’t shy away from creating more complex structures when it is appropriate. Larger networks will almost always require multiple Active Directory sites. The site topology should mirror your network topology. Portions of the network that are highly connected should fall within a single site. Site links should mirror WAN connections, with each physical facility that is separated by a WAN link encompassing a separate Active Directory site.

3: Use dedicated domain controllers

I have seen a lot of smaller organizations try to save a few bucks by configuring their domain controllers to pull double duty. For example, an organization might have a domain controller that also acts as a file server or as a mail server. Whenever possible, your domain controllers should run on dedicated servers (physical or virtual). Adding additional roles to a domain controller can affect the server’s performance, reduce security, and complicate the process of backing up or restoring the server.

4: Have at least two DNS servers

Another way that smaller organizations sometimes try to economize is by having only a single DNS server. The problem with this is that Active Directory is totally dependent upon the DNS services. If you have a single DNS server, and that DNS server fails, Active Directory will cease to function.

5: Avoid putting all your eggs in one basket (virtualization)

One of the main reasons organizations use multiple domain controllers is to provide a degree of fault tolerance in case one of the domain controllers fails. However, this redundancy is often circumvented by server virtualization. I often see organizations place all their virtualized domain controllers onto a single virtualization host server. So if that host server fails, all the domain controllers will go down with it. There is nothing wrong with virtualizing your domain controllers, but you should scatter the domain controllers across multiple host servers.

6: Don’t neglect the FSMO roles (backups)

Although Windows 2000 and every subsequent version of Windows Server have supported the multimaster domain controller model, some domain controllers are more important than others. Domain controllers that are hosting Flexible Single Master Operations (FSMO) roles are critical to Active Directory health. Active Directory is designed so that if a domain controller that is hosting FSMO roles fails, AD can continue to function — for a while. Eventually though, a FSMO domain controller failure can be very disruptive.
I have heard some IT pros say that you don’t have to back up every domain controller on the network because of the way Active Directory information is replicated between domain controllers. While there is some degree of truth in that statement, backing up FSMO role holders is critical.

I once had to assist with the recovery effort for an organization in which a domain controller had failed. Unfortunately, this domain controller held all of the FSMO roles and acted as the organization’s only global catalog server and as the only DNS server. To make matters worse, there was no backup of the domain controller. We ended up having to rebuild Active Directory from scratch. This is an extreme example, but it shows how important domain controller backups can be.

7: Plan your domain structure and stick to it

Most organizations start out with a carefully orchestrated Active Directory architecture. As time goes on, however, Active Directory can evolve in a rather haphazard manner. To avoid this, I recommend planning in advance for eventual Active Directory growth. You may not be able to predict exactly how Active Directory will grow, but you can at least put some governance in place to dictate the structure that will be used when it does.

8: Have a management plan in place before you start setting up servers

Just as you need to plan your Active Directory structure up front, you also need to have a good management plan in place. Who will administrator Active Directory? Will one person or team take care of the entire thing or will management responsibilities be divided according to domain or organizational unit? These types of management decisions must be made before you actually begin setting up domain controllers.

9: Try to avoid making major logistical changes

Active Directory is designed to be extremely flexible, and it is possible to perform a major restructuring of it without downtime or data loss. Even so, I would recommend that you avoid restructuring your Active Directory if possible. I have seen more than one situation in which the restructuring process resulted in some Active Directory objects being corrupted, especially when moving objects between domain controllers running differing versions of Windows Server.

10: Place at least one global catalog server in each site

Finally, if you are operating an Active Directory consisting of multiple sites, make sure that each one has its own global catalog server. Otherwise, Active Directory clients will have to traverse WAN links to look up information from a global catalog.

Comments

Post a Comment

Popular posts from this blog

IBM x3650 M4 Series Server Model - Activation Keys Backup to be taken for IMM Moduel II, why?

By WireINPUT -
Image
If you are planning to replace the system board (Mother Board) for M4 series of IBM xSeries 3650 model server, you should and must take the activation keys backup, otherwise you will miss the IMM key. IMM key something like iLO Activation key on HP servers. If that  iLO key didn't acivated, then you won't get the 'Remote Access' option. In the same way, IBM series requires a key to be activated to access the IMM console. IMM Activation to be backuped and restore once the new board get replaced. Here is the screenshot there you see more options what we discussed so far -
Read more

HPONCFG GUI Utility / Tool Download Links - x32 & x64 bit versions, 2003 & 2008 Windows Versions

By WireINPUT -
Here goes the links to download the versions. With this new GUI version, we can change /reset the iLO password,  change the IP address, Subnet & Gateway configurations and many more - HP Lights-Out Online Configuration Utility for Windows 2003/2008 x64 Editions Click here to download x64 bit version Type: Software - Lights-Out Management Version: 3.1.1.0 (22 Nov 2010) Operating System(s): File name: cp013639.exe (1.0 MB) HP Lights-Out Online Configuration Utility for Windows Server 2003/2008 Click here to download x32 bit version (3.2.0.0) Type: Software - Lights-Out Management Version: 3.2.0.0 (18 Jul 2011) Operating System(s): Microsoft Windows Server 2003, Microsoft Windows Server 2008 W32 File name: cp015357.exe (950 KB) HP Lights-Out Online Configuration Utility for Windows Server 2003/2008 Click here to download x32 bit version (3.1.0.0) Type: Software - Lights-Out Management Version: ...
Read more

The Windows Time Service terminated with the following error - Event ID 7023 & 46

By nag -
After you upgrade a Microsoft Windows Server 2003-based domain controller to Windows Server 2003 Service Pack 1 (SP1), the Windows Time service may not start. In this scenario, the following events may be logged in the Windows System log. Message 1 Event Type: Error Event Source: Service Control Manager Event Category: None Event ID: 7023 Description: The Windows Time service terminated with the following error: Not all privileges referenced are assigned to the caller. For more information, see Help and Support Center at http://support.microsoft.com. Message 2 Event Type: Error Event Source: W32Time Event Category: None Event ID: 46 Description: The time service encountered an error and was forced to shut down. The error was: 0x80070700: An attempt was made to logon, but the network logon service was not started. Additionally, when you try to start the Windows Time service manually, you may receive one of the following error messages: Error 1083: The executable program that this servic...
Read more