Namespace planning: The choice of namespace can drastically affect security, ease of configuration and ease of troubleshooting. No choice of namespace gives you the best of all worlds; the best choice depends on the values of the organisation, as there are tradeoffs involved.
1. Internal vs external namespaces: Do you have an external namespace? Do you want to use your external namespace internally or not? The best argument for using a single name as both the internal and external namespace is consistency and ease of deployment: it keeps AD well organised, and it is easy to tell where an object falls in the AD hierarchy by looking at its FQDN. However, this model lacks a robust security structure and makes firewall configuration and testing much more difficult. Port forwarding could be explored as a solution.
2. Outsourcing web hosting helps by disconnecting the website from the private network.
3. If you have to host your own website and resources, set up two separate Active Directory forests: one for externally accessible servers (e.g. web and mail servers), with a domain controller placed in that forest, a bare minimum number of user accounts, and a one-way trust relationship with the private domain; the other should contain the private network.
Keep it simple: Simplicity improves overall efficiency, makes the design easy to understand (important if you have high staff turnover) and easy to troubleshoot.
Use an appropriate site topology: Site topology should mirror network topology. Highly connected parts of the network should fall within a single site. Site links should mirror WAN connections, with each physical facility separated by a WAN link constituting a separate AD site.
Use dedicated domain controllers: Money might be saved by configuring a domain controller to also act as a web or mail server, but adding roles to a domain controller can adversely affect server performance, reduce security and complicate the process of backing up and restoring the server.
Have at least two DNS servers: AD is totally dependent on DNS services, yet organisations try to economise by having just one DNS server. If that DNS server fails, AD will cease to function. It is wise to have a redundant system of two DNS servers.
Virtualisation: Using multiple domain controllers provides fault tolerance in case one fails. However, this physical redundancy is circumvented by server virtualisation when organisations put all their virtualised domain controllers on one host server: if that host fails, all the domain controllers go down with it. Scatter virtualised domain controllers across multiple host servers.
FSMO role backups: The FSMO domain controller roles are critical to AD health, and their failure can be very disruptive. To avoid rebuilding AD, always plan for regular backups of the domain controllers holding FSMO roles.
Plan the domain structure and stick to it: Many organisations plan AD and start carefully, but as time goes on, and without much governance, AD evolves in a rather organic manner. A robust governance plan is required to keep AD in check and dictate the structure.
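One way to check an existing domain against the DNS redundancy, dedicated domain controller, virtualisation placement and FSMO points above, as an added example that is not part of the original notes. It assumes the ActiveDirectory RSAT module, WinRM access to every domain controller, and Hyper-V guests (the PhysicalHostName registry value is Hyper-V specific; other hypervisors report nothing); the list of non-DC roles is a constructed starting point.

```powershell
# Added audit script (not from the original notes). Assumptions: ActiveDirectory
# module present, WinRM open to each DC, DCs are Hyper-V guests.
Import-Module ActiveDirectory

# Constructed list of roles that should not share a server with a DC; extend for your estate.
$unwantedFeatures = @('Web-Server', 'Web-Ftp-Server', 'SMTP-Server')

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Collect the per-server facts remotely; $remote stays $null if the DC is unreachable.
    $remote = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
        [pscustomobject]@{
            # Distinct IPv4 DNS servers across all interfaces (a self/loopback entry counts as one).
            DnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
                Select-Object -ExpandProperty ServerAddresses | Sort-Object -Unique
            ExtraRoles = (Get-WindowsFeature -Name $using:unwantedFeatures -ErrorAction SilentlyContinue |
                Where-Object Installed).Name
            # Hyper-V integration services publish the physical host name to the guest.
            HyperVHost = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters' `
                -Name PhysicalHostName -ErrorAction SilentlyContinue).PhysicalHostName
        }
    }
    [pscustomobject]@{
        DC         = $dc.Name
        Site       = $dc.Site
        Reachable  = [bool]$remote
        FsmoRoles  = ($dc.OperationMasterRoles -join ',')
        DnsCount   = @($remote.DnsServers).Count
        ExtraRoles = ($remote.ExtraRoles -join ',')
        HyperVHost = $remote.HyperVHost
    }
}

$report | Format-Table -AutoSize

# One finding per violated guideline from the notes above.
$report | Where-Object { -not $_.Reachable } |
    ForEach-Object { "WARN $($_.DC): not reachable over WinRM; checks below are incomplete for it" }
$report | Where-Object { $_.Reachable -and $_.DnsCount -lt 2 } |
    ForEach-Object { "WARN $($_.DC): only $($_.DnsCount) DNS server(s) configured; need at least 2" }
$report | Where-Object ExtraRoles |
    ForEach-Object { "WARN $($_.DC): non-DC roles installed ($($_.ExtraRoles)); use dedicated DCs" }
$report | Where-Object HyperVHost | Group-Object HyperVHost | Where-Object Count -gt 1 |
    ForEach-Object { "WARN host $($_.Name) runs $($_.Count) DCs ($($_.Group.DC -join ', ')); spread them across hosts" }
$report | Where-Object FsmoRoles |
    ForEach-Object { "INFO $($_.DC) holds FSMO role(s) $($_.FsmoRoles); include it in the regular backup plan" }
```

Run it from a management workstation with domain admin rights; the Format-Table output is the inventory and the WARN/INFO lines are the exceptions to act on.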