
Best Practice for Reconstituting Active Directory

Analysis and Design phase

Namespace Planning: The choice of namespace can drastically affect security, ease of configuration and ease of troubleshooting. No namespace choice gives you the best of all worlds; the right choice depends on the organisation's priorities, because there are trade-offs involved.
1. Internal vs external namespaces: Do you have an external namespace? Do you want to use that external namespace internally or not? The best arguments for using a single name as both the internal and external namespace are consistency and ease of deployment: AD stays well organised, and it is easy to tell where an object sits in the AD hierarchy by looking at its FQDN. However, this model lacks a robust security boundary between the internal and external name spaces and makes firewall configuration and testing much more difficult. Port forwarding could be explored as a partial solution.
2. Outsourcing web hosting helps by disconnecting the website from the private network.
3. If you have to host your website and resources yourself, set up two separate Active Directory forests. One forest holds the externally accessible servers (e.g. web and mail servers), with a domain controller placed in that forest, a bare minimum number of user accounts, and a one-way trust relationship with the private domain; the other forest contains the private network.

Keep it simple: A simple design improves overall efficiency, is easy to understand (important if you have high staff turnover) and is easy to troubleshoot.

Use appropriate site topology: Site topology should mirror network topology. Highly connected parts of the network should fall within a single site. Site links should mirror WAN connections, with each physical facility separated by a WAN link constituting a separate AD site.

Use dedicated domain controllers: Money might be saved by configuring a domain controller to also act as a web or mail server. However, adding roles to a domain controller can adversely affect server performance, reduces security (every extra service is extra attack surface on the most sensitive server in the domain) and complicates the process of backing up and restoring the server.

Have at least 2 DNS servers: AD is totally dependent on DNS services, yet organisations try to economise by running just one DNS server. If that DNS server fails, AD ceases to function. It is wise to have a redundant system of at least two DNS servers.

Virtualisation: Using multiple domain controllers provides fault tolerance in case one fails. However, this physical redundancy is circumvented by server virtualisation when organisations put all their virtualised domain controllers on one host server: if that host fails, all the domain controllers go down with it. Scatter virtualised domain controllers across multiple host servers.

FSMO role back-ups: The domain controllers holding the FSMO roles are critical to AD health, and their failure can be very disruptive. To avoid rebuilding AD, always plan for regular back-ups of the FSMO role holders.
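The dedicated-DC, two-DNS-server, virtualisation and FSMO points above can be checked in one pass. The following audit script is an added example, not part of the original document; it assumes the RSAT ActiveDirectory, DnsServer and ServerManager modules are installed, that the first DC returned also runs the AD-integrated DNS zone, that WinRM is enabled on every DC, and that the caller has rights to query them.

```powershell
# Added audit script, not from the original document. Assumes the RSAT ActiveDirectory,
# DnsServer and ServerManager modules are installed, WinRM is enabled on each DC, and
# the caller has rights to query every domain controller in the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$dcs    = @(Get-ADDomainController -Filter *)

# Fault tolerance: a site with a single DC is a single point of failure.
Write-Host "Domain $($domain.DNSRoot): $($dcs.Count) domain controller(s)"
$dcs | Group-Object Site | Where-Object Count -lt 2 | ForEach-Object {
    Write-Warning "Site '$($_.Name)' has only one domain controller"
}

# At least 2 DNS servers: count distinct NS records for the AD domain zone.
$ns = @(Get-DnsServerResourceRecord -ComputerName $dcs[0].HostName -ZoneName $domain.DNSRoot -RRType NS |
        ForEach-Object { $_.RecordData.NameServer } | Sort-Object -Unique)
if ($ns.Count -lt 2) { Write-Warning "Only $($ns.Count) DNS server(s) serve $($domain.DNSRoot)" }

# FSMO role holders: these DCs need a scheduled, tested backup.
[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

$vmsByHost = @{}
foreach ($dc in $dcs) {
    # Dedicated DCs: flag web or SMTP roles installed next to AD DS.
    $extra = Get-WindowsFeature -ComputerName $dc.HostName -Name 'Web-Server', 'SMTP-Server' |
             Where-Object Installed | Select-Object -ExpandProperty Name
    if ($extra) { Write-Warning "$($dc.HostName) also runs: $($extra -join ', ')" }

    # Virtualisation: Hyper-V integration services expose the physical host name in the
    # guest registry (assumption: guests on other hypervisors report 'unknown host').
    $model = (Get-CimInstance Win32_ComputerSystem -ComputerName $dc.HostName).Model
    if ($model -match 'Virtual') {
        $hv = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters' `
                -ErrorAction SilentlyContinue).PhysicalHostName
        }
        if (-not $hv) { $hv = 'unknown host' }
        if (-not $vmsByHost.ContainsKey($hv)) { $vmsByHost[$hv] = @() }
        $vmsByHost[$hv] += $dc.HostName
    }
}
# All virtual DCs on one host go down together with that host.
$vmsByHost.GetEnumerator() | Where-Object { $_.Key -ne 'unknown host' -and $_.Value.Count -ge 2 } |
    ForEach-Object { Write-Warning "Host $($_.Key) carries DCs: $($_.Value -join ', ')" }
```

Run it from a management workstation in the domain; every warning maps directly to one of the practices listed above.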

Plan Domain Structure and stick to it: Many organisations plan AD and start carefully, but as time goes on, and without much governance, AD evolves in a rather organic manner. A robust governance plan is required to keep AD in check and to dictate its structure.

Avoid major logistical changes:
