
Active Directory Infrastructure Assessment Document

Document version: 1.0


Published: July 04, 2014

Overview
The Active Directory Infrastructure Assessment Document has been designed based on best practices for implementing and managing Active Directory infrastructure. The document covers Active Directory Infrastructure Assessment, Group Policy Assessment, Certification Authority Assessment and Forefront Identity Management Assessment. This document can be useful for anyone who performs AD Migration / Consolidation / Upgrade while preserving AD integration of native and third party components.

The goal of the document is to capture all Active Directory-related features of Windows Server 2008 R2, Group Policy, CA, FIM and Client / Server Operating System configurations. This document is intended to serve as a master list of features that need to be considered for any Active Directory implementation.

Task List Columns


Reference: Reference number of a section.
Design Document: Infrastructure design documents to assist Migration / Restructuring / Update.
Description: High level overview of the component and the expected outcome from the customer.
Comment: Space for the person responsible for the task to comment on the component.
Attachment: Space for the person responsible for the task to attach the required document.
Applications / Software / Systems Configuration: This corresponds to Applications / Software / Server Systems which may or may not be configured and may or may not be integrated with Active Directory.
Applications / Software / Systems Installed: This column helps identify whether the mentioned component is installed.
Applications / Software / Systems Not Installed: This column helps identify whether the mentioned component is not installed.
Requires AD Authentication: This column indicates whether or not the component requires AD Authentication.
Active Directory Forest Model: This column describes the AD Forest configuration that may or may not be configured in an Organization.
Configured: Should be filled in if the Feature / Component is configured.
Not Configured: Should be filled in if the Feature / Component is not configured.
Active Directory Design Configuration: This column describes the AD Domain configuration that may or may not be configured in an Organization.
Active Directory Sites Configuration: This column describes the AD Site configuration that may or may not be configured in an Organization.
Domain Controller Configuration: Domain Controller configuration which may or may not be configured in an Organization.
AD DS FSMO Configuration: FSMO configuration which may or may not be configured in an Organization.
DNS Configuration: DNS configuration which may or may not be configured in an Organization.
Active Directory Feature Configuration: Outlines different features which may or may not have been configured in an Organization.
Client / Workstation Configuration: This section outlines Workstation Active Directory features / functionality which may or may not be configured in an Organization.
Active Directory Certificate Services Configuration: This section outlines different PKI features that may or may not be configured in an Organization.
Microsoft Forefront Identity Manager Configuration: This section outlines different FIM capabilities that may or may not be configured in an Organization.
Owner: Person with the responsibility to ensure that a task is done. The owner can complete the task, automate it, or delegate it, and confirms that the work has been done.
Notes: Additional information relating to this item.

Feedback
Please direct questions and comments about this guide to sainathss@live.in.
Document: Active Directory 2008 / 2008 R2 Infrastructure Design Assessment Document
Client: <Customer>

<Customer> Design Documents

Reference: D01 to D27

Active Directory Dependent Applications, Software & Systems

Reference: ADS 01 to ADS 61

Active Directory Forest Design

Reference: ADF 01 to ADF 05

Active Directory Domain Design

Reference: ADD 01 to ADD 13, ADD 15 to ADD 18 (ADD 14 is not used)

Active Directory Sites Design

Reference: ADS 01 to ADS 21 (ADS 14 appears twice)

Active Directory Domain Controller Design

Reference: ADC 01 to ADC 17

Active Directory FSMO Design

Reference: ADFD 01 to ADFD 04

Active Directory DNS Design

Reference: ADNS 01 to ADNS 18

Active Directory 2008 / 2008 R2 Feature Implementation

Reference: ADFR 01 to ADFR 18, ADFR 20 to ADFR 22 (ADFR 19 is not used)

Client / Workstation Design

Reference: ADW 01 to ADW 11

Active Directory Certificate Services Design

Reference: ADCS 01 to ADCS 18

Microsoft Forefront Identity Manager

Reference: MFIM 01 to MFIM 13


Design Document
<Customer> Organizational Structure Document
<Customer> Geographical Layout Document
<Customer> Network Diagram Document
<Customer> Existing Active Directory Topology Diagram Document
<Customer> Active Directory and DNS Namespace Document
<Customer> Active Directory Object Identifiers [OID] List Document
<Customer> Domain Controllers Patch Management Process Document
<Customer> Active Directory Monitoring Process Document
<Customer> Active Directory Security Permission Design Document
<Customer> Active Directory Audit Design Document
<Customer> Active Directory Delegation Design Document
<Customer> Active Directory Organizational Structure Document
<Customer> Group Policy Windows Client Settings Document
<Customer> Group Policy Windows Server Settings Document
<Customer> Group Policy Windows Kiosk / Digital Device Settings Document
<Customer> Group Policy Functional Settings Document [includes Network Settings, Database Settings, Service Account Settings]
<Customer> Group Policy Application Settings Document
<Customer> Group Policy Preference Settings Document
<Customer> Group Policy User Settings Document
<Customer> Group Policy Forest Wide Settings Document
<Customer> Group Policy Settings of Active Directory Sites Document
<Customer> Active Directory Certificate Services Configuration Document
<Customer> Oracle Identity Manager Integration with Microsoft Active Directory Configuration Document
<Customer> NetIQ Identity Manager Integration with Microsoft Active Directory Configuration Document
<Customer> Dell Quest One Identity Manager Integration with Microsoft Active Directory Document
<Customer> Microsoft Forefront Identity Manager [IAM] Integration with Microsoft Active Directory Document
<Customer> IBM Tivoli Identity Manager Integration with Microsoft Active Directory Document

Applications / Software / Server Systems Configuration
<Customer> Enterprise Business Applications Document
<Customer> Enterprise Productivity Applications Document
<Customer> Enterprise Infrastructure Applications Document
<Customer> Enterprise Mobility Applications Document
Microsoft Office Applications Document
Microsoft ASP Applications Document
Microsoft BizTalk Server
Microsoft Commerce Server
Microsoft Dynamics CRM Server
Microsoft Dynamics NAV
Microsoft Exchange Server
Active Directory Federation Services
Microsoft Forefront Identity Manager
Microsoft Forefront Threat Management Gateway / Unified Access Gateway
Microsoft Hyper-V Server
Microsoft Lync Server
Microsoft Project Server
Microsoft SharePoint Server
Microsoft System Center Configuration Manager
Microsoft System Center Virtual Machine Manager
Microsoft System Center Operations Manager
Microsoft System Center Service Manager
Microsoft SQL Server
Microsoft System Center Data Protection Manager
Microsoft System Center Reporting Manager
Windows Rights Management Server
Windows Server Update Services
Windows Server (2003 - 2008 R2)
Windows Clients (XP, Windows 7, Windows Vista)
UNIX Servers
Linux Servers
Solaris Servers
IBM Servers
VMware vSphere Components (Director / Storage Appliance)
VMware vCenter Suite
VMware vShield
VMware vFabric
VMware vCloud Suite
VMware Horizon
Citrix Workspace Suite
Citrix GoToMeeting / GoToWebinar
Citrix Receiver
Citrix ShareFile
Citrix XenApp
Citrix XenDesktop
Citrix XenClient
Citrix NetScaler
Citrix XenServer
Cisco Collaboration Systems
Cisco WAAS (Wide Area Application Services)
Cisco ACS
Cisco Routers
Cisco Switches
Cisco Call Manager
Cisco ASA
Cisco SoftPhone
Cisco UCS
Cisco ScanSafe Cloud Web Security
Oracle Database Servers
SAP Applications
Enterprise Backup Solutions (EMC / NetApp / IBM / CA / HP / Dell / Veeam)

Active Directory Forest Configuration
Resource Forest Model
Restricted Access Forest Model
Active Directory Forest Trust
Multi Domain Forest Configuration
Dedicated Active Directory Forest in Branch Office

Active Directory Design Configuration
Single Domain Model
Regional Domain Model
Multiple Domain Tree Configurations
Resource Domains
Active Directory Domain in Branch Offices
Active Directory Domain supporting Kiosks
Active Directory Domain supporting External Users
Active Directory External Trust between Domains
Active Directory Realm Trust
Active Directory Shortcut Trust
Offline Domain Join
Schema Extension Attributes Usage
SID Filtering Quarantine on External Trust
Selective Authentication on External Trust [including Forest Trust]
Domain Wide Authentication over External Trust
Oracle Identity Management Servers Configured as Central Directory
Oracle Identity Management Synchronization Configuration with Microsoft Active Directory

Active Directory Sites Configuration
Physical Sites Routing Topology
Bridge All Site Links [BASL] Configuration
Physical IP Sites configured in Active Directory Sites and Subnets
Physical IP Subnets configured in Active Directory Sites and Subnets
Active Directory Supernets
AD Subnets created based on IP Summarization
Active Directory Subnet Mapping for IPv6 Subnets
Separate AD Sites for managing Resources
SMTP Site Link Configurations
Active Directory Site Link Bridges
Manually created Connection Objects
Replication Intervals within a Site
Active Directory Sites without Domain Controller
Active Directory Sites without Global Catalog
Slow Site Links
Mission Critical Applications
Average Users per Active Directory Site
Active Directory Intrasite Replication Frequency
Active Directory Automatic Site Coverage - both in Hub and Branch Sites
Finding Next Closest Site Configuration
Bridgehead Server Configuration - Automatic vs Preferred
Site Link Interval Configuration

Domain Controller Configuration
Domain Controller Versions
Number of Domain Controllers per AD Site
Number of Read Only Domain Controllers per AD Site
Additional Domain Controllers for every PDC Emulator
Virtualized Domain Controllers
Percentage of Domain Controllers being Virtualized
Domain Controllers running Server Core
Forest Root PDC Windows Time synchronized with External or Internal Time Source
Child Domain PDC synchronizes Windows Time with Parent Domain
Each Domain Controller synchronizes Windows Time with PDC Emulator
Highest Domain Functional Level per Domain
Forest Functional Level
Domain Controller Database Storage Location Configuration - local disk vs External Storage
RODC Password Replication Policies
Multiple Read Only Domain Controllers in an Active Directory Site - Password Policies should be synchronized and maintained to avoid unpredictable situations
RODC in Perimeter Network
Using DFS to replicate SYSVOL. FRS Replication is used in Windows Server 2000 and Windows Server 2003, or on Domain Controllers migrated from Windows Server 2003 to Windows Server 2008

AD DS FSMO Configuration
Schema Master Placement
Schema Master and Domain Naming Master Role Placement
PDC Chaining
RID Pool Value Configuration

DNS Configuration
DNS Centralized Design
DNS Parent / Child Design
Dynamic DNS configured on the entire AD Forest
GlobalNames Zone Configuration. List the AD Domains where a GlobalNames Zone is configured
DNSSEC Configuration between External DNS Servers and Internal DNS Servers, and between Internal DNS Servers (starting from 2012)
Optimize Location of Domain Controller - DNSAvoidRegisterRecords
Does the AD Forest DNS Configuration support Dynamic Updates? List the Domains which are not configured with DNS Dynamic Updates
Application Partitions for managing DNS Zones
Aging and Scavenging Configuration
DNS Weight Configuration
Disjoint Namespace Configuration
BIND DNS Namespace Configuration
BIND DNS Delegated Domain Configuration
BIND Primary Name Server and Slave Name Server Configuration
BIND DNS Disaster Recovery Configuration
BIND DNS Incremental Zone Transfer, Round Robin and Forwarders Configuration
Integration between Microsoft DNS and BIND DNS Configuration
BIND and Active Directory Configuration

Active Directory Feature Configuration
Active Directory Application Partitions
Application Partitions storing DNS / DHCP / COM+ / Network Services data
Application data stored in AD LDS Instance
Concurrent LDAP Binds
Dynamic Auxiliary Classes
Dynamic Data
Schema Redefine
Universal Group Caching
Distributed Link Tracking (DLT) Configuration
Administrative Role Separation
ADMX Configuration
Active Directory Database Snapshots
Fine Grained Password Policy
Read Only Domain Controllers
Active Directory Web Service
Authentication Mechanism Assurance
Managed Service Accounts
Recycle Bin
Encryption Level Support
Integration of Third Party Authentication Systems with Active Directory
Permission Design Implemented - Users vs Groups or both

Client / Workstation Configuration
Windows Clients configured in Workgroup mode
Windows Clients (Windows XP / Windows 7) joined to AD Domain
Mobile Clients (Mobile devices / Tablets) requiring AD Authentication
Kiosk Client Computers
Windows Clients Local User Profile
Windows Clients Roaming User Profile
Windows Clients Folder Redirection
Windows Offline Files
Mandatory Profiles
BitLocker Active Directory Integration for Clients, including storing and retrieving information
DirectAccess Configuration


Active Directory Certificate Services Configuration
Legal / Government / Regulatory requirements for Certificate Infrastructure
Locations in an Organization where Certificate Services will be deployed
List of Applications and Services that use Certificates
Certificate Request validation per location
Number of Root CAs deployed
Microsoft Root CA Type and Location implementation
Certificate Authority Fault Tolerant Design
Private Key Protection methods
PKI Infrastructure Administrator privileges / Role configuration
Certificate Authority Validity Period
Key Length usage
AIA Repository Store
Certificate Revocation Lists configuration
Certificate Enrollment Configuration
Certificate Template Configuration
Cross Forest Enrollment Configuration
Certificate Enrollment Web Service and Policy Service Configuration
Non Persistent Certificates

Microsoft Forefront Identity Manager Configuration
Identity Management Design Document
User Management Design Document
Access Management Design Document
Identity Management Configuration Document
FIM Management Agent Configuration
FIM Schema Configuration
FIM Service Management Agent Configuration
FIM User Management Configuration (integration with AD)
FIM User Management with different data stores (Oracle / IBM / SAP / HP etc.)
FIM Group Management Configuration (integration with AD)
FIM Self Service Password Reset Configuration
FIM Office 365 Configuration
FIM Reporting

Dated: Jul-14
Author: Sainath KEV

Description (one entry per Design Document, in the order listed above)
Organizational Structure Document explains how <Customer>'s Business Units fit into the hierarchy
Geographical layout explaining the Continents, Countries and Cities in which Business Units are located
Copy of Network Diagram explaining the connection speeds between the various sites
Copy of existing Active Directory Topology diagram
Copy of existing Active Directory and DNS Namespace Document
Copy of recent OID list
Copy of existing Patch Management Process
Copy of existing AD Monitoring Document
Copy of existing Security Permission Design Document
Copy of existing Active Directory Audit Design Document
Copy of existing Active Directory Delegation Document
Copy of current Active Directory Organizational Structure of each AD Domain
Copy of Master list of Group Policy settings implemented for Windows Clients at Forest and Domain Level
Copy of Master list of Group Policy settings implemented for Windows Servers at Forest and Domain Level
Copy of Master list of Group Policy settings implemented for Windows Kiosks / Digital Devices at Forest and Domain Level
Copy of per-AD-Domain Network, Database and Service Accounts Group Policy settings Document
Copy of per-AD-Domain Application settings configured in Group Policy
Copy of Group Policy Preferences Document configured at both Forest and Domain Level
Copy of Group Policy User Settings Document configured for every Active Directory Domain in the AD Forest
Copy of Active Directory Forest wide Group Policy Settings
Copy of existing Active Directory Sites Configuration settings Document
Copy of existing Active Directory Certificate Services Configuration Document. The Document should detail CA Hierarchy, Public & Private Root Certificates etc.
Copy of Oracle Identity Manager integration Document with Microsoft Active Directory. This Document should reflect co-existence, site structure, synchronization, etc.
Copy of existing NetIQ Identity Manager integration Document with Microsoft Active Directory, which covers installation of the AD driver, Authentication Methods, Synchronization methods, Group Management etc.
Copy of existing Dell Quest One Identity Manager integration document detailing the RBAC policies, automation process, Rules etc. for managing Users / Network devices
Copy of existing Microsoft FIM integration document with Active Directory
Copy of IBM TIM integration with MS AD document detailing IBM Connector configuration, SSL configuration, etc.

Description (one entry per Application / Software / Server System, in the order listed above)
Whether or not <Customer> Business Applications require AD Authentication
Whether or not <Customer> Productivity Applications require AD Authentication
Whether or not <Customer> Infrastructure Connector Applications require AD Authentication
Whether or not <Customer> Mobility Applications require AD Authentication
Office Applications require AD Authentication
ASP Applications that require AD Authentication
BizTalk Server, if installed, whether or not integrated with AD
MS Commerce Server, if installed, whether or not integrated with AD
MS Dynamics CRM Server, if installed, whether or not integrated with AD
MS Dynamics NAV Server, if installed, whether or not integrated with AD
Exchange Server does require AD Authentication
Is there an existing ADFS Configuration within <Customer> (intra domain / external)
Forefront server does require AD Authentication
These components require AD Authentication
Whether or not Hyper-V is configured in Standalone mode
Microsoft Lync requires AD Authentication
MS Project Server, if installed, whether or not integrated with AD
Microsoft SharePoint Server requires AD Authentication
SCCM Server does require AD Authentication
SCVMM does require AD Authentication
SCVMM can work in Standalone mode and integrate with AD
SCSM can work in Standalone mode and integrate with AD
SQL Server can be installed in Standalone mode or can be integrated with AD
SCDPM can work in Standalone mode and integrate with AD
Reporting Server, if configured, whether or not integrated with AD
RMS should be integrated with AD
WSUS can be installed Standalone and integrate with AD
Whether all Windows Servers authenticate with Active Directory
Whether all Windows Clients authenticate with Active Directory
Whether all UNIX Servers authenticate with Active Directory
Whether all Linux Servers authenticate with Active Directory
Whether all Solaris Servers authenticate with Active Directory
Whether all IBM Servers authenticate with Active Directory
Whether or not vSphere requires AD Authentication
Whether or not vCenter requires AD Authentication
Whether or not vShield requires AD Authentication
Whether or not vFabric requires AD Authentication
Whether or not vCloud requires AD Authentication
Whether or not vCloud requires AD Authentication
Whether or not Citrix Workspace Suite requires AD Authentication
Whether or not Citrix GoToMeeting and GoToWebinar require AD Authentication
Whether or not Citrix Receiver requires AD Authentication
Whether or not Citrix ShareFile requires AD Authentication
Whether or not Citrix XenApp requires AD Authentication
Whether or not Citrix XenDesktop requires AD Authentication
Whether or not Citrix XenClient requires AD Authentication
Whether or not Citrix NetScaler requires AD Authentication
Whether or not Citrix XenServer requires AD Authentication
Whether or not Cisco Collaboration Systems require AD Authentication
Whether or not Cisco WAAS requires AD Authentication
Whether or not Cisco ACS requires AD Authentication
Whether or not Cisco Routers require AD Authentication
Whether or not Cisco Switches require AD Authentication
Whether or not Cisco Call Manager requires AD Authentication
Whether or not Cisco ASA requires AD Authentication
Whether or not Cisco SoftPhone requires AD Authentication
Whether or not Cisco UCS requires AD Authentication
Whether or not Cisco ScanSafe requires AD Authentication
Whether or not Oracle DB Servers require AD Authentication
Whether or not all SAP Applications require AD Authentication
Whether or not Backup solutions require AD Authentication

Description (Active Directory Forest Configuration, in order)
A separate Forest is used to manage Resources; a Resource Forest does not contain User accounts
A separate Forest is created to store sensitive data. No trust exists between the Organizational Forest and the Restricted Forest
Are there any Forest Trusts configured between Active Directory Forests?
Are there multiple Domains configured in a Forest?

Description (Active Directory Design Configuration, in order)
Active Directory Forest with a Single Domain
Active Directory Forest with one or more Domains
Multiple Active Directory Trees with subdomain Configurations. Example: Forest Root Domain (asia.contoso.com) and a new domain tree asia.atlas.com within the FRD
Resource Domains configured to meet specific needs (e.g. to manage a Private Cloud) or a dedicated Domain for Microsoft Exchange
Dedicated Active Directory Domain for each Branch Office
Dedicated Active Directory Domain to authenticate Kiosk Machines
Dedicated Active Directory Domain for authenticating External Users
External Trust Configuration between Domains in separate AD Forests
Realm Trust between UNIX and Windows systems
Shortcut Trust avoids traversing the entire Forest for authentication and establishes trust with peer domains
Keeping the fact that <Customer> is an Enterprise Grade AD
Windows 7 can be joined to a domain without network connection
Extension attributes can be used when the default attribute set does not meet the need
Restricting access to resources between Trusted Forest and Trusting Forest
Unrestricted access to resources between Trusted Forest and Trusting Forest
Understanding whether Oracle Identity Manager is configured as the Central Directory or Microsoft Active Directory is deployed as the Central Directory store
Synchronization from Active Directory to Oracle Identity Management can be performed either by the USN-Changed approach or with the DirSync method

Description (Active Directory Sites Configuration, in order)
Is the entire <Customer> Network routed and mapped in Active Directory?
Is BASL disabled or enabled in <Customer> Active Directory?
Are all the Physical IP Sites created in Active Directory?
Are all the Physical IP Subnets created in Active Directory?
Are there any Supernets configured in <Customer> to address missing Subnet definitions? A Supernet is one single subnet covering one or more smaller subnets
Are there AD Subnets configured based on IP Summarization?
Are AD Sites and Subnets configured with IPv6 subnets?
Are there separate Sites configured to manage resources? Example: separate Site for managing GC / Exchange. Note: it is no longer recommended practice to place Exchange in a separate site
SMTP is configured between sites which have poor and unreliable network connections
If BASL is disabled, Site Link Bridges should be configured for successful communication between sites
Are there any manually modified / created connection objects?
Is <Customer> managing manual replication intervals within a site or following the default replication intervals?
Are there AD Sites without a Domain Controller in place?
Are there AD Sites without Global Catalog servers?
Are there any sites with weak site link connectivity to other sites?
Are there any mission critical applications which require high speed WAN site links?
Number of Users per AD Site; this helps determine DC placement and design considerations
Are AD Sites configured with a custom Intrasite Replication frequency?
Active Directory Sites without a Domain Controller configured
By default the ISTG selects bridgehead servers in a site automatically, but this can be configured by selecting Preferred Bridgehead servers
Administrators can configure the polling schedule on the site link object

Description (Domain Controller Configuration, in order)
Is there a mix of Windows Server 2003 and Windows Server 2008 Domain Controllers?
This helps determine existing Domain Controller capacity per AD Site
Helps understand the existing redundant Configuration
Domain Controllers can be virtualized and managed securely
In a complex environment, Administrators can virtualize all or part of the Domain Controllers
Active Directory DCs configured on Windows Server Core edition
Windows Time can be synchronized with an external time source or with an internal time source
Does the Child Domain PDC synchronize time with the Parent Domain or with an external / other time source?
Does each DC synchronize its time with the Domain PDC Emulator (either Child or any DC in the Parent Domain) or with an external / other time source?
Forest Functional Level set on the Root
DC database can be stored locally or on External Storage
Multiple RODCs can be placed in an AD Site; however, all RODC servers should have the same set of policies
RODCs can be placed in the perimeter network; detail the design Configuration
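An added check for the RODC items above (example code written for this page, not part of the assessment document): it groups the forest's Read-Only Domain Controllers by AD site and reports any site whose RODCs do not share an identical Password Replication Policy, reading the checklist's "same set of policies" as the RODC PRP. It assumes the ActiveDirectory RSAT module is installed and the caller can read the domain; the cmdlets used are the module's standard ones.

```powershell
# Added example, not part of the original assessment document.
# Assumption: ActiveDirectory RSAT module available, caller has read access to the domain.
Import-Module ActiveDirectory

function Get-RodcPrpSignature {
    # Builds a comparable fingerprint of one RODC's Password Replication Policy.
    param([Parameter(Mandatory)] $Rodc)   # an ADDomainController object

    # The Allowed and Denied lists come back as principals; sort the DNs so that two
    # RODCs with the same policy produce the same key regardless of list order.
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
                 Select-Object -ExpandProperty DistinguishedName | Sort-Object)
    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
                 Select-Object -ExpandProperty DistinguishedName | Sort-Object)

    [pscustomobject]@{
        RODC    = $Rodc.HostName
        Site    = $Rodc.Site
        Allowed = $allowed
        Denied  = $denied
        Key     = 'A:' + ($allowed -join ';') + '|D:' + ($denied -join ';')
    }
}

function Compare-RodcPrpBySite {
    # One record per site that hosts RODCs; Consistent is $false when the RODCs in
    # that site disagree on their PRP, the situation the checklist item warns about.
    $rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }
    $rodcs | Group-Object -Property Site | ForEach-Object {
        $site     = $_.Name
        $sigs     = @($_.Group | ForEach-Object { Get-RodcPrpSignature -Rodc $_ })
        $variants = @($sigs.Key | Sort-Object -Unique)
        [pscustomobject]@{
            Site        = $site
            RodcCount   = $sigs.Count
            PrpVariants = $variants.Count
            Consistent  = ($variants.Count -le 1)
            Details     = @($sigs | ForEach-Object {
                              "$($_.RODC): allowed=$($_.Allowed.Count) denied=$($_.Denied.Count)" })
        }
    }
}

# Assessment output: every site hosting more than one RODC, inconsistent sites listed first.
Compare-RodcPrpBySite |
    Where-Object { $_.RodcCount -gt 1 } |
    Sort-Object Consistent |
    Format-List Site, RodcCount, PrpVariants, Consistent, Details
```

A site reported with Consistent = False is exactly the "unpredictable situation" the item describes: which RODC a user's password is cached on then depends on which RODC handled the logon, so reconcile the PRPs before signing the item off.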

Description (AD DS FSMO Configuration, in order)
The Schema Master should be placed in a site with high bandwidth to support faster Schema updates to attributes
The Schema Master role and Domain Naming Master role can be placed outside the root domain. Provide the information if these roles are placed outside the root domain
PDC chaining occurs when a security principal tries to authenticate and the authenticating DC does not accept the password and communicates back to the PDC for authorization
The RID Pool size can be changed from the default in a distributed environment where there are connectivity issues between DCs and the RID Master

Description (DNS Configuration, in order)
Replication of zones configured Forest wide
Each of the Sub Domains / Child Domains is authoritative for managing its own zones
Dynamic DNS registers Resource Records dynamically, so Administrators do not have to manually update / edit the zone file
Supports WINS-type name resolution for resolving short names without a DNS Suffix search list configured
DNSSEC protects DNS communication against an unauthorized party / attacker
How does a client locate a Domain Controller in the event that all the DCs in the client's site become unavailable?
Application partitions can be configured to control the replication scope to the required Domain Controllers
Helps automatic removal of stale records on a per-DNS-Server basis, based on the refresh interval
The SRV RR weight for a DC can be lowered, which reduces the amount of client requests sent to that Domain Controller
Configuration of BIND DNS Namespace in <Customer> environment
Configuration of BIND Delegated Zone Configuration Document
The Configuration includes Primary Master and Slave Name Server Configuration (Subnet / Site)
Disaster Recovery Configuration of BIND DNS Server
Organizations can run BIND / MS DNS servers to support name resolution. The Configuration file should explain the integration aspects of both DNS servers
Organizations running BIND DNS servers to support Active Directory infrastructure

Description (Active Directory Feature Configuration, in order)
Application Partitions which are replicated across the <Customer> AD Forest
Application Partitions can store information related to DNS, DHCP, COM+ Apps, Network Services etc.
Storing Application data in an AD LDS instance
Are there Concurrent Binds / Fast Binds configured in the <Customer> AD Forest? Fast Binds do not generate Kerberos tickets
ADSI or LDAP can be used to dynamically add an Auxiliary class to an existing object
Dynamic objects have a TTL value defined and are automatically deleted by AD after the TTL expires
Redefining the Schema is used when Administrators want to hide unused classes and their attributes. Another usage is to resolve Schema conflicts
An Active Directory Site level setting which eliminates the need for a Global Catalog server
This service is disabled by default on all Windows 2003 / 2008 Domain Controllers
Non Domain Administrators can be delegated to administer RODCs
Group Policy Store upgrade
Does the <Customer> AD team store AD Database Snapshots?
Password and Account Lockout policies can now be defined on a per-user basis
RODCs are useful in branch office scenarios or at AD sites that lack physical security
Additional endpoint service that can be configured on Domain Controllers
With AMA, Administrators can define special SIDs for users' smart card authentication
Service account passwords are changed automatically on a regular basis
Allows Administrators to recover deleted objects without restoring from Backup
Weak Encryption (DES and 3DES) is disabled in Server 2008 R2 but can be re-enabled explicitly by Administrators
Third party authentication systems / software can easily be integrated with Active Directory
Permissions can be assigned to an individual user object or to a Group; it is always recommended to apply permissions at Group level rather than to an individual object

Description (Client / Workstation Configuration, in order)
Workstations can be part of a Workgroup / Active Directory Domain
Is every Windows Client joined to the Active Directory Domain?
Configuring AD to authenticate mobile devices
Presence of Kiosk client computers
Configuration of Windows Client Local User Profiles
Configuration of Windows Client Roaming User Profiles
Configuration of Windows Client Folder Redirection
Configuration of Windows Client Offline Files
Configuration of Windows Client Mandatory Profiles
Is there a DirectAccess Configuration in place?


Description
Local laws or Industry regulations currently followed to support Certificate Services

Certificate services can be deployed for the entire organization or implemented for a specific region / department based on the customer requirement

List of all applications which rely on Microsoft Certificate Services
e.g. [Infrastructure / Business / Mobility / Productivity apps]
[WLANS, VPN, S/MIME, IPSEC, EFS, Exchange, DirectAccess, SCCM, HTTPS]

Document the number of certificate requests / revocations per location, which helps in designing or re-structuring the Active Directory Certificate Services environment

Though there is no reason to deploy multiple Root CAs, many organizations have deployed multiple Microsoft Root CAs to support isolated environments / applications separately.

Understand the existing Root CA deployment - whether the Root CA is deployed as
1) Stand-Alone Root CA
2) Enterprise Root CA
3) External Root CA [Third party Root CA]

Document detailing Root CA / Subordinate CA / Issuing CA Fault tolerant infrastructure

Private keys can be protected either by keeping the CA offline or by using an HSM [Hardware Security Module]

Understand the level of administrative access to CA in <Customer> environment

This is critical information: understand the CA validity period, which is set during CA installation,
and the key lengths that are configured and the key length used at renewal

It is important to understand the current implementation of the AIA repository store
(Example: LDAP / web site / public network)

Understand and document the following information:
1) CDP Locations
2) CRL Validity
3) Delta CRL
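An added PowerShell example, not part of this assessment document, that collects the three items above from the CA certificates present in the local Intermediate Certification Authorities store. It assumes Windows PowerShell 5.1 or later, an English-locale certutil.exe and HTTP reachability to the CDP hosts; LDAP CDP URLs are listed but not retrieved.

```powershell
# Added example (not from the assessment document): list CDP / AIA URLs per CA
# certificate and, for HTTP CDPs, fetch the CRL to record its validity window and
# whether a delta CRL is referenced. Assumes English-locale certutil.exe output.

function Get-UrlsFromExtension($Extension) {
    if (-not $Extension) { return @() }
    # Format($true) renders the extension as text; pull the URL= entries out of it
    [regex]::Matches($Extension.Format($true), '(https?|ldap)://[^\s\]]+') |
        ForEach-Object { $_.Value }
}

function Get-DumpField([string]$Dump, [string]$Name) {
    # certutil -dump prints lines such as "ThisUpdate: 1/2/2024 9:00 AM"
    $m = [regex]::Match($Dump, "$Name\s*:\s*(.+)")
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { $null }
}

function Get-CrlValidity([string]$Url) {
    $tmp = Join-Path $env:TEMP ("crl_{0}.crl" -f [guid]::NewGuid())
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        $dump = (certutil.exe -dump $tmp 2>&1) | Out-String
        [pscustomobject]@{
            ThisUpdate = Get-DumpField $dump 'ThisUpdate'
            NextUpdate = Get-DumpField $dump 'NextUpdate'
            IsDelta    = $dump -match '2\.5\.29\.27'   # Delta CRL Indicator extension
            HasDelta   = $dump -match '2\.5\.29\.46'   # Freshest CRL extension on a base CRL
            Error      = $null
        }
    } catch {
        [pscustomobject]@{ ThisUpdate = $null; NextUpdate = $null; IsDelta = $false
                           HasDelta = $false; Error = $_.Exception.Message }
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

$report = foreach ($ca in Get-ChildItem Cert:\LocalMachine\CA) {
    $cdp = Get-UrlsFromExtension ($ca.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })
    $aia = Get-UrlsFromExtension ($ca.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' })
    foreach ($url in $cdp) {
        $v = if ($url -like 'http*') { Get-CrlValidity $url } else { $null }
        [pscustomobject]@{ CA = $ca.Subject; Type = 'CDP'; Url = $url; ThisUpdate = $v.ThisUpdate
                           NextUpdate = $v.NextUpdate; HasDelta = $v.HasDelta; Error = $v.Error }
    }
    foreach ($url in $aia) {
        [pscustomobject]@{ CA = $ca.Subject; Type = 'AIA'; Url = $url; ThisUpdate = $null
                           NextUpdate = $null; HasDelta = $null; Error = $null }
    }
}
$report | Format-Table -AutoSize
```

A NextUpdate in the past, or an Error column populated for a CDP, is exactly the condition that breaks revocation checking for every certificate the CA has issued, so those rows are the ones to record in the assessment.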

Understand the existing process of certificate enrollment, which includes
1) Manual Enrollment
2) Auto Enrollment
3) Web Enrollment

Understand the implementation of certificate templates configured in the organization, which includes
1) Version 2 Templates
2) Version 3 Templates
3) Permission configuration on the Templates

Cross-forest enrollment allows a CA or multiple CAs in one AD forest to support clients in multiple AD forests

Allows clients to enroll for certificates over web interfaces

Certificates can be configured not to be stored in the CA database; this is commonly used for certificates issued for network authentication

Description
Design Document should describe existing
1) Processes in place
2) Organizational structure
3) Business units involved
4) Workflow methodologies
5) Current state of the security environment
6) Request and Approval Process
7) Solution architecture
8) Proof of concept document
9) Reporting strategies
10) Lifecycle Management

Document detailing
1) Security Policy enforcement
2) Delegation and Administration Process
3) Workflow Process
4) Auditing and Reporting Process
5) Password Management
6) User account life cycle design

Existing <Customer> Access Management process, which includes
1) Authentication Process
2) Authorization Process
3) Access Policies
4) Single Sign On Process
5) Federated Identities
6) Entitlement Management Process
7) Life Cycle Management Process

Existing IDM Configuration Document which details the following
1) Credential Management
2) Self Service process
3) Profile Management
4) User Management
5) Registration and Enrollment
6) Workflow Configuration
7) Policies and Role Management
8) Delegated Administration
9) Application Integration
10) Reconciliation

Document detailing all MA (management agent) configuration in place, which includes the accounts used for MA connectors, run profiles and permissions assigned.
FIM manages two schemas, one for FIM Sync and one for FIM Service, and they can be changed depending on the requirements. The document should explain whether any changes were made at the schema level

Document which explains
1) Management Policy Rules configured in FIM
2) Configuration sets
3) Inbound Synchronization rules
4) Outbound Synchronization rules
5) Provisioning process
6) AD Synchronization rules
7) AD object / attribute configuration

Document which explains
1) Management Policy Rules configured in FIM
2) Configuration sets
3) Inbound Synchronization rules
4) Outbound Synchronization rules
5) Provisioning process
6) Synchronization rules

Document should outline
1) Group scope and Group Types
2) FIM Group type and Group scope
3) MPR configuration for Groups
4) Distribution Groups configuration
5) AD Security and Distribution Groups configuration

Document should detail the self service configuration, which includes
1) Password management in data sources (AD / IBM …)
2) Password Reset User sets configuration
3) Authentication workflow configuration
4) Self service Management Policy Rules

Document should detail
1) DirSync configuration
1.1) Data Store synchronization
1.2) Connector filter configuration
1.3) Object Types configuration
2) Federation configuration

Document should detail
1) FIM synchronization with Microsoft SCSM
2) SCSM ETL Process
3) Role management for accessing reports
Acknowledgments

Author

Sainath K.E.V

Reviewer

Marcin Policht

Reference Documents

Microsoft TechNet Active Directory Technical documentation

Active Directory Product Operations Guide

Active Directory Certificate Authority Infrastructure Planning and Design Guide


Active Directory Directory Services Infrastructure Planning and Design Guide

Forefront Identity Manager Planning and Design Guide

Active Directory Designing, Configuring 5th Edition

Active Directory Field Guide
