What Are Some Good Practices When Deploying Directory Services
IT administrators have been working with and around Active Directory since the introduction of the technology in Windows 2000 Server. Windows 2000 Server was released on February 17, 2000, but many administrators began working with Active Directory in late 1999, when the technology was released to manufacturing (RTM) on December 15, 1999.
There are some good practices to adhere to when deploying DCs. Many of these practices are documented, but not many organizations actually implement them.
How to deploy and setup Domain Controller
We will skip over the well-known good practices such as keeping the Active Directory database on one set of disk spindles, the log files on a separate set of disk spindles, and the operating system on its own set of disk spindles.
Some of the least implemented good practices for domain controllers are:
- Run the Server Core installation of the operating system.
Many administrators avoid change, especially for systems such as AD DS that are incredibly stable. So when a new administrator proposes switching over to the Server Core installation, he is often met with icy stares. But the reality is that most administrators administer AD DS remotely by launching ADUC or PowerShell on their client or administrative computer. All of the core management tools, including the Active Directory Administrative Center (ADAC) and Windows PowerShell, work almost identically whether used locally on a DC or remotely from a client computer or an administrative computer. Thus, by moving to the Server Core installation, the administrative experience isn't degraded. And you gain security enhancements (a smaller attack surface with fewer components to patch) and some small performance enhancements.
- Do not run other software or services on a DC.
Back in the old days, around 10 years ago, most organizations used physical servers because virtualization was in its infancy. So, when it was time to provision a new file server, DHCP server, or print server, administrators often simply tapped an existing server, and a DC was often the one chosen. Fast forward to 2015, when virtualization is the de facto standard and automated provisioning helps deliver a new VM in minutes, and the old way of doing things isn't nearly as compelling. Now, when you need a place for a file server, DHCP server, print server, or some other application server, you can provision a new VM. Or, better still, you can provision a new VM as a utility server. A utility server is a server that hosts all of the applications and services that are too small to warrant a dedicated server. This lets your DCs stick to a single dedicated service, which brings more stability.
- Adjust the startup order and set a BIOS password.
While all of your read-write DCs should be in a secure data center, there are plenty of IT and non-IT people who have access to the data center. For instance, the contracted electricians who work on the cooling system have data center access. In addition, there are likely network staff, cabling staff, and IT management with data center access. Anyone who has physical access to a DC can gain control of it in only a couple of minutes at a console in the data center. There are specialized freeware boot images available that can be used to boot the machine and reset passwords, install malware, or read the data on the disk, assuming that the disk isn't encrypted. To avoid this, perform the following configurations:
- Ensure that no removable media is part of the BIOS boot order. Instead, only the hard disk where the operating system is installed should be part of the boot order. This is true for your virtualization host servers too, if you have virtual DCs.
- Set a strong BIOS password. If you don't set a BIOS password, somebody can change the boot order, boot to the Windows Server installation media or one of many freeware toolkits, and perform a repair to get to a command prompt. Once at the command prompt, they can wreak some havoc and quickly reset passwords for domain accounts.
- Keep the DCs in a locked cabinet. While a BIOS password is one layer of security, if the attacker is semi-capable, he or she will likely know how to reset the BIOS so that the configuration is cleared and the password is removed. Often, this requires gaining access to the motherboard. You can reduce the risk of such an attack by keeping DCs in a locked cabinet. Some servers also allow for chassis locks. In high security environments, you should opt for both.
- Standardize the configuration of all domain controllers.
You should try to match the configuration settings across every DC. You can accomplish some of this by using build automation through deployment tools such as System Center Configuration Manager. Items of interest for DCs are the event log size settings (to ensure the logs are large enough to capture auditing and security related information), boot settings such as the timeout waiting for OS selection on physical servers, firmware and BIOS versions and settings, and hardware configuration. Of course, there are many other configuration items to standardize by using Group Policy. The primary goal is to configure the DCs identically.
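As an added example (not from the original post), the following PowerShell script audits every DC in the domain against three of the practices above: Server Core installation, no extra roles on the DC, and a standardized Security log size. The minimum log size and the list of roles that belong on a utility server are assumptions you should adjust to your own baseline.

```powershell
# Added audit script (not part of the original post). Run from an administrative
# workstation with the ActiveDirectory module and WinRM access to the DCs.
$expectedSecLogBytes = 1GB                                     # assumed minimum Security log size
$nonDcRoles = 'DHCP', 'FS-FileServer', 'Print-Server', 'Web-Server'   # assumed list of roles that belong on a utility server

# Enumerate all DCs in the current domain
$dcs = (Get-ADDomainController -Filter *).HostName

# Collect the three checks from each DC in parallel
$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    # 'Server Core' vs 'Server' (Desktop Experience)
    $install = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType

    # Installed roles that should live on a utility server instead of a DC
    $extra = Get-WindowsFeature | Where-Object { $_.Installed -and $_.Name -in $using:nonDcRoles }

    # Configured maximum size of the Security event log
    $secLog = Get-WinEvent -ListLog Security

    [pscustomobject]@{
        DC         = $env:COMPUTERNAME
        ServerCore = ($install -eq 'Server Core')
        ExtraRoles = ($extra.Name -join ',')
        SecLogMB   = [math]::Round($secLog.MaximumSizeInBytes / 1MB)
        LogSizeOK  = ($secLog.MaximumSizeInBytes -ge $using:expectedSecLogBytes)
    }
}

# Any row with ServerCore=False, a non-empty ExtraRoles, or LogSizeOK=False is drift from the baseline
$report | Sort-Object DC | Format-Table DC, ServerCore, ExtraRoles, SecLogMB, LogSizeOK -AutoSize
```

Running this on a schedule and diffing the output against the previous run gives you an early warning when someone adds a role to a DC or a build deviates from the standard image.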
More information about Active Directory basics can be found in our AD tutorial for beginners.
Source: https://blog.netwrix.com/2017/01/30/best-practices-deploy-and-setup-domain-controller/