Overview
The Active Directory Infrastructure Assessment Document has been designed based on best practices for implementing and mana
infrastructure. The document covers Active Directory Infrastructure Assessment, Group Policy Assessment, Certification Autho
Forefront Identity Management Assessment. This document can be useful for anyone who performs AD Migration / Consolida
Upgrade while preserving AD integration of native and third-party components.
The goal of the document is to capture all Active Directory-related features of Windows Server 2008 R2, Group Policy, CA, FIM
and Client/Server Operating System configurations. This document is intended to serve as a master list of features that need t
considered for any Active Directory implementation
Applications / Software / Systems Installed: This column helps identify whether the mentioned component is installed
Applications / Software / Systems Not Installed: This column helps identify whether the mentioned component is not inst
Requires AD Authentication: This column indicates whether or not the component requires AD Authentication
Active Directory Forest Model: This column describes the AD Forest Configuration that may or may not be configured in an O
Configured: Should be filled in if the Feature / Component is configured
Not Configured: Should be filled in if the Feature / Component is not configured
Active Directory Design Configuration: This column describes the AD Domain Configuration that may or may not be configure
Active Directory Sites Configuration: This column describes the AD Site Configuration that may or may not be configured in an
Domain Controller Configuration: Domain Controller configuration which may or may not be configured in an Organization
AD DS FSMO Configuration: FSMO configuration which may or may not be configured in an Organization
DNS Configuration: DNS configuration which may or may not be configured in an Organization
Active Directory Feature Configuration: Outlines different features which may or may not have been configured in an Organizati
Client / Workstation Configuration: This section outlines Workstation Active Directory features / functionality which may or m
Organization
Active Directory Certificate Services Configuration: This section outlines different PKI features that may or may not be configu
Microsoft Forefront Identity Manager Configuration: This section outlines different FIM capabilities that may or may not be c
Organization
Owner: Person with the responsibility to ensure that a task is done. The owner can complete the task, automate it, or delegat
work has been done.
Notes: Additional information relating to this item.
Feedback
Please direct questions and comments about this guide to sainathss@live.in.
Document: Active Directory 2008 / 2008 R2 Infrastructure
Design Assessment Document
Client : <Customer>
Active Directory Dependent Applications, Software & Systems
Active Directory Forest Design
Active Directory Domain Controller Design
Active Directory Certificate Services Design
Dated:
Author:
Design Document
UNIX Servers
LINUX Servers
SOLARIS Servers
IBM Servers
VMware vShield
VMware vFabric
VMware VHorizon
Citrix Receiver
Citrix ShareFile
Citrix XenApp
Citrix XenDesktop
Citrix XenClient
Citrix NetScaler
Citrix XenServer
Cisco ACS
Cisco Routers
Cisco Switches
Cisco ASA
Cisco SoftPhone
Cisco UCS
SAP Applications
Resource Domains
AD DS FSMO Configuration
PDC Chaining
DNS Configuration
Does the AD Forest DNS Configuration support Dynamic Updates? List the
Domains which are not configured with DNS Dynamic Updates
BIND DNS Incremental Zone Transfer, Round Robin and Forwarders Configuration
Dynamic Data
Schema Redefine
ADMX Configuration
Recycle Bin
Mandatory Profiles
FIM User Management with different data stores (Oracle / IBM / SAP / HP etc.)
Description
The Organizational Structure Document explains how <Customer>'s Business
Units fit into the hierarchy
Copy of Master list of Group Policy settings implemented for Windows Clients
at Forest and Domain Level
Copy of Master list of Group Policy settings implemented for Windows Servers
at Forest and Domain Level
Description
Active Directory Forest with a Single Domain
A shortcut trust avoids traversing the entire forest for authentication by establishing a direct trust with
peer domains
Keeping in mind the fact that <Customer> is an Enterprise Grade AD
Extension attributes can be used when the default attribute set does not meet the need.
Description
Is the entire <Customer> network fully routed and mapped in Active Directory?
SMTP replication is configured between sites which have poor and unreliable network connections
If BASL (Bridge All Site Links) is disabled, Site Link Bridges should be configured for successful replication
between sites.
Are there any sites with weak site link connectivity to other sites?
Are there any mission-critical applications which require high-speed WAN site links?
Number of Users per AD site; this will help in determining DC placement
and design considerations
Does each DC synchronize its time with the Domain PDC Emulator (either the child or any DC
in the Parent Domain) or
with an external / other time source?
Description
The Schema Master should be placed in a site with high bandwidth to support faster
schema updates to attributes
The Schema Master role and Domain Naming Master role can be placed
outside the root domain. Provide the information if these roles are placed
outside the root domain
PDC chaining occurs when a security principal tries to authenticate, the
authenticating DC does not accept the password, and it refers the request back to the PDC Emulator for
authorization.
The RID Pool size can be changed from the default in a distributed environment where
there are connectivity issues between a DC and the RID Master
Description
Supports WINS-type name resolution for resolving short names without a DNS suffix
search list configured.
How does a client locate a Domain Controller in the event that all the DCs in the client site
become unavailable?
Helps automatic removal of stale records, configured per DNS server, based on the refresh
interval
The SRV RR weight for a DC can be lowered, which reduces the number of client
requests sent to that Domain Controller
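Several of the items listed above (forest-wide role holders outside the root domain, the PDC Emulator's time source, domains whose DNS zones are not configured for secure dynamic updates, and DCs with a lowered SRV weight) can be gathered in one pass. The PowerShell below is an added example, not part of this document or its author's material; it assumes the RSAT ActiveDirectory and DnsServer modules, remote rights on every DC, and a hypothetical output path in $ReportPath.

```powershell
# Added assessment helper (example, not from the original checklist); assumes RSAT AD + DnsServer modules.
Import-Module ActiveDirectory
Import-Module DnsServer
$ReportPath = 'C:\Temp\AD-Assessment.csv'   # hypothetical output path, change as needed

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Area, $Item, $Target, $Finding) {
    $findings.Add([pscustomobject]@{ Area = $Area; Item = $Item; Target = $Target; Finding = $Finding })
}

$forest = Get-ADForest
$root   = $forest.RootDomain

# Forest-wide FSMO roles: flag Schema Master / Domain Naming Master holders outside the root domain.
foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
    $holder = $forest.$role
    $where  = if ($holder -like "*.$root") { 'in root domain' } else { 'OUTSIDE root domain' }
    Add-Finding 'FSMO' $role $holder $where
}

foreach ($domainName in $forest.Domains) {
    $pdc = (Get-ADDomain -Identity $domainName).PDCEmulator

    # Time source of the PDC Emulator; "Local CMOS Clock" means no authoritative source is configured.
    $source = (w32tm /query /computer:$pdc /source 2>&1 | Out-String).Trim()
    Add-Finding 'Time' 'PDC Emulator time source' $pdc $source

    # DNS zones whose dynamic-update setting is not "Secure" (reported as "None" or "NonsecureAndSecure").
    Get-DnsServerZone -ComputerName $pdc |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.DynamicUpdate -ne 'Secure' } |
        ForEach-Object { Add-Finding 'DNS' $_.ZoneName $pdc "DynamicUpdate = $($_.DynamicUpdate)" }

    # SRV weight / priority advertised by each DC (defaults 100 / 0 when the registry values are absent);
    # a lowered weight steers client requests away from that DC.
    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        $dcHost = [string]$dc.HostName
        $p = Invoke-Command -ComputerName $dcHost -ScriptBlock {
            Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        }
        $weight   = if ($null -ne $p.LdapSrvWeight)   { $p.LdapSrvWeight }   else { 100 }
        $priority = if ($null -ne $p.LdapSrvPriority) { $p.LdapSrvPriority } else { 0 }
        Add-Finding 'SRV' $dcHost $dc.Site "Weight=$weight Priority=$priority RODC=$($dc.IsReadOnly)"
    }
}

$findings | Sort-Object Area, Item | Format-Table -AutoSize
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
```

The CSV can be pasted into the Notes column of the corresponding FSMO, DNS and Domain Controller rows; zones reported as "NonsecureAndSecure" accept unauthenticated record updates and deserve a remark in the Comments column.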
Description
Application Partitions which are replicated across the <Customer> AD Forest
Application Partitions can store information related to DNS, DHCP, COM+ Apps,
Network Services etc.
ADSI or LDAP can be used to dynamically add an Auxiliary class to an existing object
Dynamic objects have a TTL value defined and are automatically deleted by AD after the TTL expires
Redefining the Schema is used when Administrators want to hide unused classes and
their attributes. Another usage would be to resolve Schema conflicts
An Active Directory site-level setting which eliminates the need for a Global Catalog server
This service is disabled by default on all Windows 2003 / 2008 Domain Controllers
Password and Account Lockout policies can now be defined on a per-user basis
RODCs are useful in branch office scenarios or at AD sites that lack Physical Security
Description
Workstations can be part of a workgroup / Active Directory domain
Though there is no reason to deploy multiple Root CAs, many Organizations have
deployed multiple Microsoft Root CAs
to support Isolated environments / Applications separately.
This is critical information to understand the CA validity period which is set during
the CA installation
Understand the key lengths which are configured and the key length at renewal
Certificates can be configured to not be stored in the CA database, which is commonly done
for Network authentication certificates
Description
The Design Document should describe the existing
1) Processes in place
2) Organizational structure
3) Business units involved
4) Workflow methodologies
5) Current state of the Security environment
6) Request and Approval Process
7) Solution architecture
8) Proof of concept document
9) Reporting strategies
10) Lifecycle Management
Document detailing
1) Security Policy enforcement
2) Delegation and Administration Process
3) Workflow Process
4) Auditing and Reporting Process
5) Password Management
6) User account life cycle design
Acknowledgments
Author
Sainath K.E.V
Reviewer
Marcin Policht
Reference Documents