AD Implementation Document.docx

Jun 02, 2018

8/10/2019 AD Implementation Document.docx

1/17

MSTD AD DS Implementation Document

Important notes: This document is prepared on the basis of the RFP requirements and solutions. Each point of the document is divided into three areas: 1. Role or Service, 2. Current Architecture, and 3. Solution Design.

Contents

Directory Services ..... 2
1. Overview of Directory Services ..... 2
2. GOAL for AD DS deployment ..... 4
   a. Improving the Security of the MSTD AD Infrastructure ..... 4
   b. Global Logon ..... 4
   c. Sharing Active Directory Contact Objects across AD Forests ..... 4
   d. Sharing AD-Dependent Applications across AD Forests ..... 4
   e. Optimize Rapid Reconfiguration/Agility ..... 4
   f. Optimize Affordability/Efficiency ..... 4
3. AD DS Current Scenario of MSTD ..... 4
4. Infrastructure for AD DS ..... 5
5. AD DS Solution Design Architecture ..... 5
   a) IMPLEMENTATION DECISIONS ..... 5
6. AD Setup ..... 5
7. Forest and Domain ..... 5
8. Domain Name ..... 6
9. Domain Controller at Site ..... 7
10. Domain and Forest Functional Level ..... 7
11. FSMO Roles (Flexible Single Master of Operation) ..... 8
12. AD Site & Service ..... 8
13. AD Global Catalog ..... 9
14. AD Replication between Two Sites ..... 10
15. AD DNS ..... 11
   a) DNS Server features ..... 11
16. AD Schema ..... 12
17. Computer and User Policy Management in AD ..... 12
18. AD DHCP ..... 13
19. AD OU Structure ..... 13
20. User and Computers creation in AD ..... 15
21. AD Services Failover in Hyper-V Structure ..... 16
22. AD Backup & Restoration ..... 17


    Directory Services

1. Overview of Directory Services

A directory service provides the ability to store information about networked devices and services, and the people who use them, in a central location within a distributed environment. A directory service also implements the services that make this information available to users, computers, and applications. Therefore, a directory service is both a directory (the store of this information) and a set of services that provide the means to securely add, modify, delete, and locate data in the directory store.

By deploying Windows Server 2012 Active Directory Domain Services (AD DS) in the MSTD environment, MSTD can take advantage of the centralized, delegated administrative model and single sign-on (SSO) capability that AD DS provides, or MSTD can use AD DS for third-party SSO.

MSTD can use Active Directory Domain Services (AD DS) in Windows Server 2012 to simplify user and resource management while creating scalable, secure, and manageable infrastructures. You can use AD DS to manage your network infrastructure, including branch office, Microsoft Exchange Server, and multiple forest environments.


Figure 1 illustrates the benefits of AD DS and how it acts as the focal point of the Windows Server 2012 R2 network, demonstrating how it can be used to manage identities and broker relationships between distributed resources.


    2. GOAL for AD DS deployment

MSTD organizes this future-state vision around the goals below:

a. Improving the Security of the MSTD AD Infrastructure: the ability to better defend the AD infrastructure from exploitation and minimize the risk of information compromise, as documented.

b. Global Logon: the ability for any authorized MSTD user to log on to any local MSTD network (Active Directory forest) connected to the intranet, or to any Internet application that authenticates through the AD DS of MSTD (e.g. SSO).

c. Sharing Active Directory Contact Objects across AD Forests: the ability for any authorized MSTD user to look up and find any other MSTD user natively within the desktop Outlook client, Outlook Web Access, or an authorized mobile device (e.g. a Microsoft mobile application).

d. Sharing AD-Dependent Applications across AD Forests: the ability for an authorized MSTD user in one AD forest to securely access applications or systems located in a different AD forest.

e. Optimize Rapid Reconfiguration/Agility: enhance the ability of Windows networks to respond to changing mission needs and the ability to quickly reconstitute following a partial network loss or breach.

f. Optimize Affordability/Efficiency: reduce the overall complexity and cost of operating and defending MSTD networks by supporting their networks through AD consolidation and rationalization.

    3. AD DS Current Scenario of MSTD.

a) Currently MSTD does not have any AD structure at any location.
b) The domain name in use, as per the third-party solution, is MAHAVAT.GOV.IN.
c) There is no single or multiple forest structure.


    4. Infrastructure for AD DS.

a) Current Scenario: Currently MSTD does not have any existing infrastructure.
b) Solution Design:

1) Hardware: PDC and DRC will each have 2 physical HP BL660 Gen8 hosts, on which the Domain Controllers will be deployed as Hyper-V instances.

2) Software: AD DS will be configured on a virtual OS of Windows 2012 Std. Edition.

5. AD DS Solution Design Architecture.

a) IMPLEMENTATION DECISIONS

The following decisions were made in regard to the design and implementation:

a) Single forest, single domain model
b) Delegated Domain Name Server zones
c) Single Sign On accounts will be in the root domain in the People OU, segregated by Managed By affiliation (including users and groups).
d) Local accounts, used for service accounts, will be located in the departmental OU.
e) Centralized DNS and WINS will be provided.
f) Physical access to Domain Controllers is limited to the Data Center.
g) Enterprise administrators will only make changes to departmental Organizational Units in emergencies, after going through proper change control.

    6. AD Setup

a) The AD services will be set up on the virtual instance of Windows 2012 Std. Edition as a single forest, single domain model.

    7. Forest and Domain

A) Current Scenario: Currently MSTD does not have any forest structure.

B) Design Solution: A new domain will be deployed with the name MAHAVAT.GOV.IN on a single-forest basis. In the deployment phase we are going to deploy two AD DS servers at each site (2 at PDC and 2 at DRC). Of the two AD servers in the PDC (Primary Data Center), one will be the primary Domain Controller and the other will act as an ADC (Additional Domain Controller); the 2 at DRC will also be additional Domain Controllers in this domain.


Below is the architecture of the one-forest, two-site design.

(Figure: MSTD Forest. DC Site: PDC, ADC1. DRC Site: ADC2, ADC3.)

    8. Domain Name

Active Directory domains can be identified using a DNS name, which can be the same as an organization's public domain name, a sub-domain, or an alternate version (which may end in .local). While Group Policy can be applied to an entire domain, it is typical to apply policies to sub-groups of objects known as organizational units (OUs). All object attributes, such as usernames, must be unique within a single domain and, by extension, an OU.

A) Current Scenario: Currently MSTD is using the domain name Mahavat.gov.in with the XYZ IP address provided by the ISP.

B) Solution Design: MSTD can use the same domain for the new infrastructure setup; this domain will also be used for mail users. But at the time of implementation, the new public IP needs to be updated in the registered DNS. MSTD should take specific downtime for the change of IP address from the existing to the new IP address.


9. Domain Controller at Site

When you create the first domain controller in your organization, you are also creating the first domain, the first forest, and the first site, and installing Active Directory. Domain controllers running Windows Server 2003 store directory data and manage user and domain interactions, including user logon processes, authentication, and directory searches. Domain controllers are created by using the Active Directory Installation Wizard.

It is often good practice to put at least one domain controller in each site to enhance network performance. When users log on to the network, a domain controller must be contacted as part of the logon process. If clients must connect to a domain controller located in a different site, the logon process can take a long time. The best network performance is available when the domain controller at a site is also a global catalog. This way, the server can fulfill queries about objects in the entire forest. However, enabling many domain controllers as global catalogs can increase the replication traffic on your network.

A) Current Scenario: MSTD does not have any Domain Controller at either site.
B) Solution Design:

MSTD will deploy a total of four Domain Controllers across both sites (2 at each site). PDC (Primary Data Center) will have 2 Domain Controllers, of which one will be the Primary Domain Controller and the other will be the ADC (Additional Domain Controller). The other site (DRC) will have 2 Domain Controllers, and both servers will act as ADCs.

Reason for 2 Domain Controllers at each site: MSTD will deploy 2 Domain Controllers at each site for disaster recovery purposes. If one DC fails, users will not see any impact on logon. This requires zero downtime.

    10. Domain and Forest Functional Level.

When you install Active Directory Domain Services (AD DS), a set of basic Active Directory features is enabled by default. In addition to the basic Active Directory features on individual domain controllers, there are new domain-wide and forest-wide Active Directory features available when all domain controllers in a domain or forest are running a later version of Windows Server.

A) Current Scenario: MSTD does not have any domain.
B) Solution Design: The functional level of the domain will be Windows 2008.
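The forest and domain of section 7, the four domain controllers of section 9 and the Windows 2008 functional level fixed above can be built with the ADDSDeployment module that ships with Windows Server 2012. This is an added example, not part of the MSTD document; host names follow the document's diagram, and the site names PDC and DRC are assumptions.

```powershell
# Added example (not from the MSTD document). Run the forest step on the first PDC-site
# host, the DC step on ADC1/ADC2/ADC3. Site names "PDC"/"DRC" are assumptions and must
# exist (section 12) before a DC is promoted with -SiteName.
Import-Module ServerManager
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null

# Step 1 (first server only): creates the forest, the domain MAHAVAT.GOV.IN, the first
# site and AD-integrated DNS. Functional level is pinned to Windows Server 2008 as the
# document specifies. The DSRM password is used only for offline/restore mode logons,
# so choose a different one per DC and store it in the password safe.
$dsrm = Read-Host -AsSecureString "DSRM (safe mode) password for this DC"
Install-ADDSForest `
    -DomainName "mahavat.gov.in" `
    -DomainNetbiosName "MAHAVAT" `
    -ForestMode Win2008 `
    -DomainMode Win2008 `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# Step 2 (ADC1 in PDC site, ADC2/ADC3 in DRC site): promote a writable additional DC.
# -SiteName places the DC in the right site so that clients there log on locally and
# the DC's own logon/replication traffic never crosses the PDC-DRC link unnecessarily.
$cred = Get-Credential "MAHAVAT\Administrator"
Install-ADDSDomainController `
    -DomainName "mahavat.gov.in" `
    -SiteName "DRC" `
    -InstallDns `
    -Credential $cred `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# Step 3 (any DC, after the reboots): confirm the levels and that all four DCs are
# present, each in the expected site.
Get-ADForest | Select-Object Name, ForestMode
Get-ADDomain | Select-Object DNSRoot, DomainMode
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog
```

Run the steps on separate hosts in the order shown; each install cmdlet reboots the server when it finishes.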


11. FSMO Roles (Flexible Single Master of Operation)

During installation of Active Directory on Windows Server 2000/2003/2008/2012, all FSMO roles will automatically be installed on the first server. But best practice dictates moving some of these Flexible Single Master of Operation (FSMO) roles to separate servers.

A) Current Scenario: MSTD does not have any domain.
B) Solution Design: MSTD will have 2 Domain Controllers in the PDC site. As per best practice, the forest roles will be placed on the PDC and the domain roles will be placed on the ADC.

Reason for FSMO roles on different servers: Of the 5 roles, the Infrastructure Master role will be in the same site; if we keep the domain roles on ADC1 at the PDC (Primary Data Center) location, there is no need to define the GC at the same site.
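The role placement above (two forest roles on the PDC host, three domain roles on ADC1) done with the ActiveDirectory module, followed by the check a practitioner runs afterwards. Added example, not from the MSTD document; the FQDNs are assumptions.

```powershell
# Added example (not from the MSTD document): move the FSMO roles to the hosts named in
# the design and verify the result. Host names are from the document's diagram; the
# DNS suffix is an assumption.
Import-Module ActiveDirectory

$forestRoleHolder = "PDC.mahavat.gov.in"    # forest-wide roles
$domainRoleHolder = "ADC1.mahavat.gov.in"   # domain-wide roles

# Forest-wide roles exist once per forest: SchemaMaster, DomainNamingMaster.
Move-ADDirectoryServerOperationMasterRole -Identity $forestRoleHolder `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false

# Domain-wide roles exist once per domain: PDCEmulator, RIDMaster, InfrastructureMaster.
Move-ADDirectoryServerOperationMasterRole -Identity $domainRoleHolder `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# Returns one object listing the current holder of each role, which is what the
# change ticket should record: all five on PDC-site hosts, none in DRC.
function Get-FsmoSummary {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [PSCustomObject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}
Get-FsmoSummary | Format-List

# Caveat behind the document's reasoning: in a single-domain forest the Infrastructure
# Master has no cross-domain references to fix, so it may share a host with a global
# catalog. In a multi-domain forest it must not sit on a GC unless every DC is a GC,
# otherwise stale cross-domain group memberships are never corrected.
```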

12. AD Site & Service

Active Directory Sites and Services is a Microsoft Management Console (MMC) snap-in that you can use to administer the replication of directory data among all sites in an Active Directory Domain Services (AD DS) forest. This snap-in also provides a view of the service-specific objects that are published in AD DS.

Administrators who are responsible for forest-wide service administration can use Active Directory Sites and Services to manage the intersite replication topology for the forest. Administrators who are responsible for application services can be delegated responsibility for the service containers into which application-specific objects are published.

A) Current Scenario: MSTD does not have any forest or domain.
B) Solution Design: The AD administrator will configure sites and services as per the locations, and each location will be added as per the configuration steps below. For this activity MSTD should provide the site map of MSTD.

The tasks for configuring a new site include the following:

1) Creating the site
2) Mapping the correct IP addresses to the site by creating a subnet
3) Linking the site to another site or sites by creating a site link and adding the new site to it
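The three tasks above for the two MSTD sites, scripted with the ActiveDirectory replication cmdlets. Added example, not from the MSTD document; the site names and subnet ranges are placeholders to be replaced from the MSTD site map.

```powershell
# Added example (not from the MSTD document): create sites, subnets and a site link.
# "PDC"/"DRC" and the CIDR ranges are placeholders; take real values from the site map.
Import-Module ActiveDirectory

$sites = @{
    "PDC" = @("10.10.0.0/24", "10.10.1.0/24")   # primary data center (placeholder ranges)
    "DRC" = @("10.20.0.0/24")                   # disaster recovery center (placeholder)
}

foreach ($siteName in $sites.Keys) {
    # Task 1: create the site if it does not exist yet.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
        New-ADReplicationSite -Name $siteName -Description "MSTD $siteName site"
    }
    # Task 2: map subnets. A DC or client whose IP falls in one of these ranges is
    # treated as belonging to the site; an unmapped client lands in a random site
    # and may authenticate across the WAN.
    foreach ($cidr in $sites[$siteName]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $siteName
        }
    }
}

# Task 3: link the sites. Cost orders alternative paths (irrelevant with two sites);
# the interval is how often intersite replication runs, 15 minutes being the minimum
# and 180 the default. options = 1 turns on change notification across the link so
# security-relevant changes (disables, password resets) reach DRC without waiting.
$link = New-ADReplicationSiteLink -Name "PDC-DRC" -SitesIncluded "PDC", "DRC" `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP -PassThru
Set-ADReplicationSiteLink -Identity $link -Replace @{ options = 1 }

# The first DC was created in Default-First-Site-Name; move the server object named
# "PDC" into the site named "PDC" so the topology generator knows where it lives.
Move-ADDirectoryServer -Identity "PDC" -Site "PDC"

# Verify: every DC should map to the intended site and no subnet should be unassigned.
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```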


13. AD Global Catalog

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.

The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.

Benefits of the GC service:

1) Faster user logon support
2) Universal Group Membership
3) User Principal Name
4) Universal Group Membership Caching
5) Address Book Lookups: Exchange Server uses the global catalog to store mail recipient data that enables clients in a forest to send and receive e-mail messages.

A) Current Scenario: MSTD does not have any GC server.
B) Solution Design: MSTD will configure GC services on one Domain Controller at each site, PDC and DRC. GC services are needed because Exchange Server will be implemented at both sites, which requires GC services for faster address book lookups.
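Enabling one global catalog per site as designed above, and confirming each site actually advertises one before Exchange is installed. Added example, not from the MSTD document; which DC in each site becomes the GC is an assumption.

```powershell
# Added example (not from the MSTD document): designate one GC per site and verify.
# The choice of ADC1 (PDC site) and ADC2 (DRC site) is an assumption; the document
# only requires one GC per site.
Import-Module ActiveDirectory

$gcPerSite = @{ "PDC" = "ADC1"; "DRC" = "ADC2" }

foreach ($site in $gcPerSite.Keys) {
    $dc = Get-ADDomainController -Identity $gcPerSite[$site]
    if (-not $dc.IsGlobalCatalog) {
        # The GC flag is bit 0 (value 1) of the "options" attribute on the DC's NTDS
        # Settings object; this is exactly what ticking "Global Catalog" in the
        # Sites and Services GUI writes. OR it in so other option bits survive.
        $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
        $opts = ([int]$ntds.options) -bor 1
        Set-ADObject -Identity $ntds -Replace @{ options = $opts }
    }
}

# A DC only becomes a usable GC once it has built the partial replicas and Netlogon
# registers the site-specific _gc SRV record (port 3268). Exchange and Outlook use
# that record, so this is the check that matters, not the checkbox.
function Test-SiteHasGC([string]$Site, [string]$DnsDomain = "mahavat.gov.in") {
    $srv = Resolve-DnsName -Name "_gc._tcp.$Site._sites.$DnsDomain" -Type SRV `
        -ErrorAction SilentlyContinue
    return [bool]($srv | Where-Object { $_.Type -eq 'SRV' })
}

foreach ($site in $gcPerSite.Keys) {
    "{0}: GC advertised = {1}" -f $site, (Test-SiteHasGC $site)
}
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog
```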


14. AD Replication between Two Sites.

The replication topology of the Active Directory directory service provides the network of connections between domain controllers in a forest according to their location in Active Directory sites. A site is an Active Directory object that you create and configure to represent an area of good network connectivity, typically corresponding to a local area network (LAN). The site object is associated with a set of one or more subnets, which are objects that identify a range of IP addresses. Each domain controller has an IP address that maps to a subnet, and that mapping in turn identifies the site of the domain controller. By recognizing domain controllers according to site locations, the replication system ensures that each domain controller is updated with directory changes in the most efficient and timely manner possible, given network conditions and directory service configuration. The replication topology is generated automatically at regular intervals to accommodate network and configuration changes, and is designed to ensure that all domain controllers are connected without redundancy and with minimum cost.

A) Current Scenario: MSTD does not have any site currently, so no replication topology is present.

B) Solution Design: Two-site replication will happen as per the map below.


    15. AD DNS.

Domain Name System (DNS) is a system for naming computers and network services that is organized into a hierarchy of domains. DNS naming is used in TCP/IP networks, such as the Internet, to locate computers and services with user-friendly names. When a user enters a DNS name in an application, DNS services can resolve the name to other information that is associated with the name, such as an IP address.

For example, most users prefer a friendly name, such as corp.contoso.com, to locate a computer, such as a mail server or Web server, on a network. A friendly name can be easier to learn and remember. However, computers communicate over a network by using numeric addresses. To make the use of network resources easier, name systems such as DNS provide a way to map the user-friendly name for a computer or service to its numeric address.

The DNS Server role in Windows Server 2012 combines support for standard DNS protocols with the benefits of integration with Active Directory Domain Services (AD DS) and other Windows networking and security features, including such advanced capabilities as secure dynamic update of DNS resource records.

    a) DNS Server features

1) A Request for Comments (RFC)-compliant DNS server
2) Interoperability with other DNS server implementations
3) Support for Active Directory Domain Services (AD DS)
4) Enhancements to DNS zone storage in AD DS
5) Conditional forwarders
6) Stub zones
7) Enhanced DNS security features
8) Integration with other Microsoft networking services

Current Scenario: MSTD does not have any domain.

Solution Design: The AD administrator will configure the Primary Domain Controller as the DNS server, which will have all the A records, SRV records and CNAME records if required. This DNS server will work as a gateway for the local machines to access the Internet and other applications that authenticate through the local domain.
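The DNS configuration described above with the checks that go with it: the zone AD-integrated with secure dynamic update only, the DC locator SRV records present, the static records the design mentions, and Internet resolution done by forwarding rather than by opening recursion. Added example, not from the MSTD document; record values and the forwarder address are placeholders.

```powershell
# Added example (not from the MSTD document): configure and verify AD-integrated DNS
# on the DC. mahavat.gov.in is the document's zone; addresses are placeholders.
Import-Module DnsServer

$zone = "mahavat.gov.in"

# Check 1: AD-integrated zone with "Secure" dynamic update, so only the computer
# account that registered a record can overwrite it (no anonymous record hijacking).
$z = Get-DnsServerZone -Name $zone
if (-not $z.IsDsIntegrated) {
    Set-DnsServerPrimaryZone -Name $zone -ReplicationScope Forest   # convert + replicate to all DCs
}
if ($z.DynamicUpdate -ne "Secure") {
    Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure
}

# Check 2: the locator SRV records Netlogon registers. Without them clients cannot
# find a DC or a GC and logons fail or fall back to slow paths.
function Test-DcLocatorRecords([string]$DnsDomain) {
    $names = @(
        "_ldap._tcp.dc._msdcs.$DnsDomain",
        "_kerberos._tcp.dc._msdcs.$DnsDomain",
        "_gc._tcp.$DnsDomain"
    )
    foreach ($n in $names) {
        $r = Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue
        [PSCustomObject]@{ Record = $n; Present = [bool]($r | Where-Object Type -eq 'SRV') }
    }
}
Test-DcLocatorRecords $zone | Format-Table -AutoSize

# Static records the design calls for (A, CNAME, SRV); values are placeholders.
Add-DnsServerResourceRecordA     -ZoneName $zone -Name "mail"    -IPv4Address "10.10.0.25"
Add-DnsServerResourceRecordCName -ZoneName $zone -Name "webmail" -HostNameAlias "mail.$zone"
Add-DnsServerResourceRecord      -ZoneName $zone -Name "_autodiscover._tcp" -Srv `
    -DomainName "mail.$zone" -Priority 0 -Weight 0 -Port 443

# Internet resolution for clients: forward unresolved queries to the ISP resolvers
# instead of resolving from root hints, and keep cache locking at 100% so cached
# records cannot be overwritten by unsolicited answers (cache poisoning).
Set-DnsServerForwarder -IPAddress "203.0.113.53" -UseRootHint $false   # placeholder ISP resolver
Set-DnsServerCache -LockingPercent 100
```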


16. AD Schema.

Active Directory Schema is a Microsoft Management Console (MMC) snap-in that you can use to view and manage the Active Directory Domain Services (AD DS) schema.

Current Scenario: MSTD does not have any domain.
Solution Design: By default the schema will be installed with Active Directory Domain Services enabled. But because Exchange 2013 is going to be deployed in the MSTD infrastructure, the administration team needs to upgrade the schema. The schema will be upgraded at the time of the first Exchange instance installation with the help of the command line below.

    Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

17. Computer and User Policy Management in AD.

Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. You can manage Group Policy settings and Group Policy Preferences in an Active Directory Domain Services (AD DS) environment through the Group Policy Management Console (GPMC). By using Group Policy, you can significantly reduce your organization's total cost of ownership. Various factors, such as the large number of policy settings available, the interaction between multiple policies, and inheritance options, can make Group Policy design complex.

Current Scenario: MSTD does not have any group policy.
Solution Design: The AD administrator will configure all the new Group Policies through the GPMC tool, which will be done after the basic installation of AD services. MSTD management needs to discuss and finalize the changes that are required to be done through GP.

Below are some of the applications or services that we can control through GP: lockout policy, screen saver settings, logon script publishing, folder share allotment, populating desktop icons, assigning printers, limiting Internet Explorer options by means of managed Administrative Templates, disabling USB, and delegation rights.
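Two of the controls listed above, the account lockout policy and the USB block, applied with the GroupPolicy and ActiveDirectory modules and then checked. Added example, not from the MSTD document; the threshold values and the OU path are placeholders for MSTD management to finalize.

```powershell
# Added example (not from the MSTD document): lockout policy + USB storage block.
# Numeric values and the workstation OU path are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=mahavat,DC=gov,DC=in

# 1. Lockout and password policy for domain accounts lives in the Default Domain
# Policy; the ActiveDirectory module writes it directly. The observation window must
# not exceed the lockout duration, so both are set to 30 minutes here.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -MinPasswordLength 12 -ComplexityEnabled $true -PasswordHistoryCount 24

# 2. "USB disabled": a computer-side GPO that sets the USBSTOR driver start type to
# 4 (disabled), linked to the workstations OU only so servers and DCs are untouched.
$gpoName = "MSTD-Block-USB-Storage"
$gpo = Get-GPO -All | Where-Object DisplayName -eq $gpoName
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "Blocks USB mass storage on workstations"
}
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR" `
    -ValueName "Start" -Type DWord -Value 4 | Out-Null

$workstationsOU = "OU=Workstations,OU=Mumbai,OU=Computers,$domainDN"   # placeholder path
New-GPLink -Name $gpoName -Target $workstationsOU -LinkEnabled Yes -ErrorAction SilentlyContinue

# 3. Before rollout, confirm where the GPO is linked and that the link is enabled.
function Get-GpoLinkReport([string]$GpoName) {
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    $report.GPO.LinksTo | Select-Object SOMName, SOMPath, Enabled
}
Get-GpoLinkReport $gpoName
Get-ADDefaultDomainPasswordPolicy | Select-Object LockoutThreshold, LockoutDuration, MinPasswordLength
```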


18. AD DHCP.

Dynamic Host Configuration Protocol (DHCP) is a client-server technology that allows DHCP servers to assign, or lease, IP addresses to computers and other devices that are enabled as DHCP clients. When DHCP servers are deployed on our network, we can automatically provide client computers and other TCP/IPv4 and IPv6 based network devices with valid IP addresses.

Current Scenario: MSTD does not have any DHCP configured in any AD.
Solution Design: As per the new infrastructure of PDC and DRC, there is currently no requirement for DHCP services. But if changes are required by MSTD management, the AD administrator will enable the DHCP services on the PDC and create the scope as per the network subnet.

    19. AD OU Structure.

After domain planning is complete, an OU structure can be designed. In the best practices OU model, departments within the domain manage their internal operations, while the domain's IT staff manages the overall infrastructure. In other words, each department manages its objects in the directory, while the domain IT staff manages the configuration of the directory service itself.

Best practices for creating an OU design introduce the role of "OU owner." The Active Directory OU owner is comparable to most Windows 2012 domain administrators. This means that domain administrators who manage users and resources in a Windows 2012 domain will manage the same resources in an Active Directory domain, but will be owners of OUs.

Expect to make periodic changes to your OU structure to reflect changes in your administrative structure and to support policy-based administration. OUs are designed to be easily changed.

OUs are containers within domains that can contain other OUs, users, groups, computers, and other objects. These OUs and sub-OUs form a hierarchical structure within a domain, and are primarily used to group objects for management purposes.


Current Scenario: MSTD does not have any OU structure. Below is the example of one location of MSTD.


Solution Design: As per the above CST office structure of MSTD, the AD administrator will create the OUs in AD as per type, location and department. For the OU structure configuration, MSTD needs to provide the complete location chart and department chart for the OU structure and Group Policy implementation on OUs.

Below is a sample OU architecture which will be used in AD.

20. User and Computers creation in AD

You use Active Directory Users and Computers to manage recipients. Active Directory Users and Computers is an MMC snap-in that is a standard part of Microsoft Windows Server operating systems. However, when you install Exchange 2013, the setup wizard automatically extends the functionality of Active Directory Users and Computers to include Exchange-specific tasks.

You can use Active Directory Users and Computers to create new user accounts or manage existing user accounts. Below are some of the examples for which we can use the AD Users and Computers snap-in:

h) Understanding User Accounts
i) Create a New User Account
j) Reset a User Password
k) Copy a User Account
l) Move a User Account
m) Set Logon Hours
n) Disable or Enable a User Account
o) Map a Certificate to a User Account
p) Change a User's Primary Group
q) Delete a User Account

Current Scenario: MSTD does not have any AD structure.
Solution Design: The AD administrator will create the user and computer accounts as per the MSTD requirement. Currently MSTD has the following user and computer account setup, which will be standardized as per the new requirement at the time of the operation phase.

Current user creation sample:
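The type / location / department OU tree of section 19 and the standardized user creation of section 20, scripted together since the user must land in an OU the tree has created. Added example, not from the MSTD document; the location and department names, the naming convention and the sample user are placeholders.

```powershell
# Added example (not from the MSTD document): build the OU tree and create a user in
# it. The People/Computers split follows section 5; everything below it is a placeholder.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Creates an OU under $ParentDN if it is missing and returns its DN. Protection from
# accidental deletion is on so a mis-click in the GUI cannot drop a whole branch.
function Add-OUIfMissing([string]$Name, [string]$ParentDN) {
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
        -SearchBase $ParentDN -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
    }
    return "OU=$Name,$ParentDN"
}

# Type -> Location -> Department, as section 19 specifies (names are placeholders).
$tree = @{
    "People"    = @{ "Mumbai" = @("Assessment", "Recovery"); "Pune" = @("Assessment") }
    "Computers" = @{ "Mumbai" = @("Workstations", "Servers"); "Pune" = @("Workstations") }
}
foreach ($type in $tree.Keys) {
    $typeDN = Add-OUIfMissing $type $domainDN
    foreach ($loc in $tree[$type].Keys) {
        $locDN = Add-OUIfMissing $loc $typeDN
        foreach ($dept in $tree[$type][$loc]) { Add-OUIfMissing $dept $locDN | Out-Null }
    }
}

# Standardized user creation: sAMAccountName = first initial + surname (placeholder
# convention), UPN on the public domain so it works for mail and SSO, initial password
# entered interactively and forced to change at first logon.
function New-MstdUser([string]$Given, [string]$Surname, [string]$Dept, [string]$Loc) {
    $sam = ($Given.Substring(0, 1) + $Surname).ToLower()
    $ou  = "OU=$Dept,OU=$Loc,OU=People,$domainDN"
    $pwd = Read-Host -AsSecureString "Initial password for $sam"
    New-ADUser -Name "$Given $Surname" -GivenName $Given -Surname $Surname `
        -SamAccountName $sam -UserPrincipalName "$sam@mahavat.gov.in" `
        -Department $Dept -Office $Loc -Path $ou `
        -AccountPassword $pwd -ChangePasswordAtLogon $true -Enabled $true
    return Get-ADUser -Identity $sam -Properties Department, Office
}

# Constructed sample user; replace with a real record from the MSTD user list.
New-MstdUser -Given "Asha" -Surname "Patil" -Dept "Assessment" -Loc "Mumbai" |
    Select-Object SamAccountName, UserPrincipalName, DistinguishedName, Enabled
```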

21. AD Services Failover in Hyper-V Structure.

Windows Server 2012 Hyper-V also introduces VM-Generation ID (VMGenID). VMGenID provides a way for the hypervisor to communicate to the guest OS when significant changes have occurred. For example, the hypervisor can communicate to a virtualized DC that a restore from snapshot has occurred (Hyper-V snapshot restore technology, not backup restore). AD DS in Windows Server 2012 is aware of VMGenID VM technology and uses it to detect when hypervisor operations are performed, such as snapshot restore, which allows it to better protect itself.

Hyper-V Failover.

When a Hyper-V replica failover occurs (planned or unplanned), the Windows Server 2012 virtualized DC detects a VMGenID reset, triggering the aforementioned safety features. Active Directory operations then proceed as normal. The replica VM runs in place of the primary VM.

Current Scenario: MSTD does not have any VM or Hyper-V setup.
Solution Design: The Hyper-V administrator will create virtual Windows 2012 Std. OS instances on each HP BL660 Gen8 host, 2 in PDC and 2 in DRC. On the virtual Windows 2012 instances, the Active Directory domain will be set up. If any host or virtual instance fails, the second host instance in the same site will start acting as the primary server until the first Domain Controller comes up.


    22. AD Backup & Restoration.

Current Scenario: MSTD does not have any AD, so no backup procedure is done.
Solution Design: The Backup Administrator will keep the everyday backup history of AD. The backup will be taken on a daily basis as per Microsoft best practice, using the Symantec Backup utility.
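The Microsoft-side counterpart of the daily backup described above: a scheduled system state backup of a DC with the built-in Windows Server Backup feature, plus the check that decides whether the newest backup is still restorable (a backup older than the forest tombstone lifetime must not be restored). Added example, not from the MSTD document; the backup target volume and task name are placeholders.

```powershell
# Added example (not from the MSTD document): daily system state backup of a DC and a
# restorability check. Drive letter E: and the task name are placeholders.
Import-Module ServerManager
Import-Module ActiveDirectory

Install-WindowsFeature Windows-Server-Backup | Out-Null

# 1. Schedule: system state = AD database (ntds.dit), SYSVOL, registry and boot files.
# Target must be a volume other than the OS/ntds volume. Runs as SYSTEM at 02:00 daily.
$action  = New-ScheduledTaskAction -Execute "wbadmin.exe" `
    -Argument "start systemstatebackup -backupTarget:E: -quiet"
$trigger = New-ScheduledTaskTrigger -Daily -At "2:00AM"
Register-ScheduledTask -TaskName "MSTD-AD-SystemState" -Action $action -Trigger $trigger `
    -User "NT AUTHORITY\SYSTEM" -RunLevel Highest -Force | Out-Null

# 2. Restorability: AD refuses (and must refuse) a backup older than the tombstone
# lifetime, because restoring it would reintroduce objects every other DC has already
# purged. Read the forest value; if unset the legacy default of 60 days applies.
function Get-TombstoneLifetimeDays {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
        -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { return [int]$ds.tombstoneLifetime } else { return 60 }
}

function Test-BackupWithinTombstone([datetime]$LastBackup) {
    $age = (Get-Date) - $LastBackup
    return ($age -lt (New-TimeSpan -Days (Get-TombstoneLifetimeDays)))
}

# Newest backup recorded by Windows Server Backup on this DC.
Import-Module WindowsServerBackup
$latest = Get-WBBackupSet | Sort-Object BackupTime -Descending | Select-Object -First 1
if ($latest) {
    "Tombstone lifetime: {0} days; last backup {1}; restorable: {2}" -f `
        (Get-TombstoneLifetimeDays), $latest.BackupTime, (Test-BackupWithinTombstone $latest.BackupTime)
} else {
    "No system state backup found on this DC yet."
}
```

The Symantec job should be checked against the same tombstone lifetime; the number comes from the forest, not from the backup product.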