3. Checklist for Planning, Installing and Configuring Active Directory
This section provides a summary of the steps that are usually needed when planning, installing and configuring an Active Directory domain or forest, including recommendations for the Oxford environment. It covers common tasks, but is not an exhaustive list as details will depend on local environments and requirements.
- Plan and configure your namespace and DNS
- As described above, this is vital as incorrect configuration can lead to a variety of problems. More detailed information is provided on naming and DNS configuration. Consider including DNS checks as part of a regular maintenance plan. Changing domain names is not something to be undertaken lightly, so it's worth planning naming carefully. Note that in Windows 2008 Server, IPv6 is enabled by default; if you're not using it, you may decide to disable it until it's needed (see Microsoft's IPv6 for Microsoft Windows: Frequently Asked Questions).
- Domain Controllers
- Aiming for a minimum of two, possibly three domain controllers reduces the probability of ever needing to restore the Active Directory database from backup. For more flexibility, consider putting other services (e.g. file sharing) onto member servers, and use your domain controllers only for authentication and name resolution services such as DNS, WINS etc. This makes them much easier to move, upgrade etc.
- NetBIOS Names
- If you are using the central WINS servers, plan the NetBIOS names of your servers and domains (the first part of the DNS name, up to the first ".") to minimise the risk of name clashes. See The Central Windows Internet Name Service (WINS) for further information. If you use internal WINS servers (or don't use any) then you only need to make sure you use unique names within your college or department.
- If you are adding a new type of domain controller into an existing domain (e.g. a 2008 domain controller into a domain of 2003 R2 servers), you normally need to prepare the forest and/or domain before you add or upgrade the first server running the new operating system. This is done using the adprep.exe command on the install media of the new operating system: adprep /forestprep is run on the schema master, and adprep /domainprep on the infrastructure master of each domain that will receive the new domain controller. Among other things it upgrades the schema to the required level. See for example the Microsoft Adprep page on preparing to add a server running 2008 to a 2000 or 2003 domain or forest, and their other Adprep page for adding 2003 to a 2000 domain. Note that to add a 2003 R2 server to a 2003 or 2000 domain, you need to use the version of adprep.exe on the second CD. Also note that this only applies to domain controllers, not to member servers.
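The following PowerShell script is an added example, not code from the original guide. It reads the forest schema version before and after an adprep run, so you can confirm that /forestprep has taken effect and replicated, and it lists the domain controllers on which each adprep step has to be run. The version-to-release table holds the objectVersion values Microsoft publishes for each release; anything newer is reported as unknown. It uses only the .NET DirectoryServices classes, so it runs on PowerShell 2.0 on a domain-joined machine without the ActiveDirectory module.

```powershell
# Added example (not from the original guide): check the schema version around an
# adprep run and show where adprep must be executed. PowerShell 2.0, domain-joined.

# objectVersion of CN=Schema for each release, as documented by Microsoft.
$SchemaVersions = @{
    13 = "Windows 2000 Server"
    30 = "Windows Server 2003"
    31 = "Windows Server 2003 R2"
    44 = "Windows Server 2008"
    47 = "Windows Server 2008 R2"
}

function Get-SchemaVersion {
    # RootDSE tells us where the schema container is; objectVersion lives on it.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $schemaNc = [string]$rootDse.schemaNamingContext
    $schema   = [ADSI]"LDAP://$schemaNc"
    $version  = [int]$schema.Properties["objectVersion"].Value
    $release  = $SchemaVersions[$version]
    if (-not $release) { $release = "unknown (newer than this table)" }
    New-Object PSObject -Property @{ Version = $version; Release = $release }
}

function Get-AdprepTargets {
    # adprep /forestprep runs on the schema master; adprep /domainprep (with /gpprep)
    # on the infrastructure master of each domain. Add /rodcprep if you plan RODCs.
    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $targets = @()
    $targets += New-Object PSObject -Property @{
        Command = "adprep /forestprep"; RunOn = $forest.SchemaRoleOwner.Name }
    foreach ($domain in $forest.Domains) {
        $targets += New-Object PSObject -Property @{
            Command = "adprep /domainprep /gpprep  [$($domain.Name)]"
            RunOn   = $domain.InfrastructureRoleOwner.Name }
    }
    $targets
}

"Schema version now:"
Get-SchemaVersion | Format-List Version, Release
"Run adprep from the new operating system's install media on these servers:"
Get-AdprepTargets | Format-Table Command, RunOn -AutoSize
# After adprep /forestprep has replicated, run Get-SchemaVersion again on another
# domain controller: for Windows Server 2008 media it should report 44.
```

Running the schema check on a second domain controller, rather than the schema master itself, also confirms that the schema change has replicated before you start installing the new domain controller.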
- Under 2003 (or 2000), use dcpromo to install Active Directory. It's a more flexible method than the Configure Your Server wizard, particularly if you need to change the NetBIOS name of a domain. Under 2008 the dcpromo wizard is itself the flexible option: tick "Use advanced mode installation" near the start of the process to get the extra pages.
- Restore Mode Password
- During the installation of Active Directory, you will be prompted for the Directory Services Restore Mode (DSRM) password. Keep this safe: although it's rarely used, you will need it to boot a domain controller into restore mode for certain maintenance and restore operations, and it is not the same as the domain Administrator password.
- If you have more than one domain controller, check replication each time you add or remove a domain controller. Consider checking periodically for errors as part of a maintenance plan.
- Configure time
- Configure the PDC emulator for the forest root to synchronise with an external time source. This may be your college/departmental ntp servers, if you have them, or else the OUCS stratum 3 ntp servers. Remember to change this if you move the PDC emulator role. Everything time-related should follow automatically. See Configure the Windows Time service on the PDC emulator for more information and instructions.
- Running your Active Directory infrastructure within a virtual environment can work, but there are some watch points. Avoid the use of REDO disks and snapshots for your domain controllers: reverting a domain controller to an earlier state rolls back its replication metadata and can leave it permanently out of step with its partners. Also take care with time synchronisation. There are various different schemes in use, but the common principle is: don't synchronise to multiple sources on the same machine (e.g. don't use both VMware time synchronisation and Active Directory's normal mechanisms). Also watch out for time problems when you boot up a virtual server that has been down for some time. See for example Virtualizing a Windows Active Directory Domain Infrastructure for this and other information. NB for time synchronisation instructions, see the links in the previous point above.
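The script below is an added example, not code from the original guide or from Microsoft's own article. It configures time for the two preceding points: on the forest-root PDC emulator it sets the external NTP peers and marks the server as a reliable source; on every other domain controller it sets the domain hierarchy as the source and clears the reliable flag. Because the script decides which case applies by looking up the current role holder, re-running it on the old and new holders after you move the PDC emulator role leaves both correctly configured. The NTP host names are placeholders to replace with your college/departmental servers or the OUCS stratum 3 servers; w32tm /query needs Windows Server 2008 or later (use w32tm /monitor on 2003).

```powershell
# Added example (not from the original guide): configure Windows Time on a domain
# controller according to whether it holds the forest-root PDC emulator role.
# Run elevated on each domain controller. PowerShell 2.0.

$NtpPeers = "ntp0.example.ac.uk ntp1.example.ac.uk"   # placeholder peers; replace

function Get-ForestPdcEmulator {
    # FQDN of the PDC emulator of the forest root domain.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $forest.RootDomain.PdcRoleOwner.Name
}

function Test-IsForestPdcEmulator {
    $me = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $me -eq (Get-ForestPdcEmulator)      # -eq is case-insensitive, as host names are
}

function Set-DcTimeSource {
    if (Test-IsForestPdcEmulator) {
        # Authoritative source for the forest: manual external peers, advertised as reliable.
        w32tm /config /manualpeerlist:"$NtpPeers" /syncfromflags:manual /reliable:yes /update
    } else {
        # Everyone else follows the domain hierarchy. /reliable:no matters on a server that
        # used to hold the role, otherwise two DCs advertise as authoritative.
        w32tm /config /syncfromflags:domhier /reliable:no /update
    }
    Restart-Service w32time
    w32tm /resync /rediscover
}

Set-DcTimeSource
# Verify: on the PDC emulator the source should be one of the NTP peers; elsewhere a DC name.
w32tm /query /source
w32tm /query /status
# Offset of this machine against an external peer, as a sanity check (placeholder host).
w32tm /stripchart /computer:ntp0.example.ac.uk /samples:3 /dataonly
```

On a virtualised domain controller, make sure the hypervisor's own guest time synchronisation is switched off before running this, so that w32tm is the only source in play.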
- Global Catalog
- In a single-domain environment, consider making all your domain controllers into global catalog servers. In multi-domain environments, plan the placement of global catalog servers together with the location of your operations master role-holders. See Planning Global Catalog Server Placement and Designate a domain controller to be a global catalog server.
- Operations Master Roles
- These are installed by default onto the first domain controller in a domain or forest. It's important to know where they are as some operations may fail if the relevant operations master is unavailable. In more complex environments, particularly multi-domain forests, you may need to move some of them. See Operations master roles.
- Install Additional Tools and Utilities
- Some useful tools are not installed by default under Windows 2000 and 2003. Install the Support Tools package on all domain controllers (from the support folder on the 2003 or 2000 Server CD, or download the latest version from Microsoft). Under Windows 2008 many of these tools (e.g. repadmin and dcdiag) are included as part of the operating system. Also install the Group Policy Management Console (GPMC) on any systems that you use to manage group policy; it's more sophisticated than the built-in tools. It needs at least Windows 2003 or XP, and is included with Windows 2008 by default.
- Backup and Restore
- Configure backup for Active Directory (a system state backup of at least one domain controller per domain, ideally more) as well as your file stores, so that you can recover from directory corruption or an accidental deletion. If you use Group Policy, consider backing up your GPOs periodically, for example using the Group Policy Management Console (see Tools and Utilities).
- Functional Level
- To enable additional features, raise the functional level of your domain and forest as high as your oldest domain controller allows. Note that the change cannot be reversed, so retire or upgrade any older domain controllers first. See Raising domain and forest functional levels and What Are Active Directory Functional Levels?
- Assess security. For example, consider applying a password policy using Group Policy, increasing the size of all the event logs, configuring security (audit) logging, and keeping an eye on the event logs. Consider enabling some security logging on clients, as this isn't enabled by default; Group Policy can make this easier. If you decide to apply more security settings, test them thoroughly before letting them into the wild. For example, Microsoft's Windows 2003 Security Guide contains various predefined group policy templates, but they benefit from some understanding before implementation or they can have unexpected consequences.
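As an added example, not code from the original guide, the script below is a read-only check of the three things this item recommends looking at: the domain password policy, the configured size of the event logs, and which audit subcategories are set to "No Auditing" (on a client that is most of them by default). The thresholds at the top are assumptions chosen here for illustration; set them to whatever your own policy says. Nothing is changed by the script. auditpol needs Windows Server 2008 / Vista or later; the rest works on 2003 as well.

```powershell
# Added example (not from the original guide): report password policy, event log
# sizes and unaudited subcategories against assumed thresholds. PowerShell 2.0.

$MinPasswordLength   = 8        # assumed floor
$MaxLockoutThreshold = 10       # assumed ceiling; 0 means lockout is disabled
$MinLogSizeKB = @{ "Security" = 131072; "System" = 32768; "Application" = 32768 }  # assumed floors

function Get-DomainPasswordPolicy {
    # The default domain policy is stored as attributes of the domain head object.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $domain  = [ADSI]"LDAP://$([string]$rootDse.defaultNamingContext)"
    New-Object PSObject -Property @{
        MinPwdLength      = [int]$domain.Properties["minPwdLength"].Value
        PwdHistoryLength  = [int]$domain.Properties["pwdHistoryLength"].Value
        LockoutThreshold  = [int]$domain.Properties["lockoutThreshold"].Value
        # bit 0 of pwdProperties is DOMAIN_PASSWORD_COMPLEX
        ComplexityEnabled = (([int]$domain.Properties["pwdProperties"].Value) -band 1) -eq 1
    }
}

function Test-EventLogSizes {
    # MaximumKilobytes is the configured cap; OverflowAction is the retention behaviour.
    foreach ($log in Get-EventLog -List) {
        $floor = $MinLogSizeKB[$log.Log]
        if ($floor) {
            New-Object PSObject -Property @{ Log = $log.Log; MaxKB = $log.MaximumKilobytes;
                Retention = $log.OverflowAction; TooSmall = ($log.MaximumKilobytes -lt $floor) }
        }
    }
}

function Get-UnauditedSubcategories {
    # auditpol prints one indented line per subcategory, e.g. "  Logon      No Auditing".
    foreach ($line in (auditpol /get /category:*)) {
        if ($line -match '^\s{2,}(\S.*?)\s{2,}No Auditing\s*$') { $Matches[1] }
    }
}

$policy   = Get-DomainPasswordPolicy
$findings = @()
if ($policy.MinPwdLength -lt $MinPasswordLength) { $findings += "minimum password length is $($policy.MinPwdLength)" }
if (-not $policy.ComplexityEnabled)              { $findings += "password complexity is not enforced" }
if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $MaxLockoutThreshold) {
    $findings += "account lockout threshold is $($policy.LockoutThreshold)" }
Test-EventLogSizes | Where-Object { $_.TooSmall } |
    ForEach-Object { $findings += "$($_.Log) log is capped at $($_.MaxKB) KB" }
$unaudited = @(Get-UnauditedSubcategories)
if ($unaudited.Count -gt 0) { $findings += "no auditing for: $($unaudited -join ', ')" }

if ($findings.Count -eq 0) { "No findings" } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it on a domain controller and on a representative client: the password policy is domain-wide, but the log sizes and audit settings are per machine, which is where a client-side Group Policy usually turns out to be missing.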
- Certificate Services
- Implementing a PKI infrastructure is a major topic in its own right and again benefits from reading around before installing. The JANET certificate service can also be used to secure certain services such as IIS web sites. Further information on setting up your own certificate server as part of an Active Directory installation is available on the Designing a Public Key Infrastructure pages.
- Domain controllers by default use dynamic RPC port allocation for directory replication, Netlogon and FRS, so take care if you have firewalls between your domain controllers, on your domain controllers, or between domain controllers and domain members. It is possible to firewall a domain controller using the built-in firewall, but it's not straightforward prior to Windows 2008 server. On Windows 2008 server the firewall is enabled by default; it is also configured automatically as required when you add roles.
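The script below is an added example, not code from the original guide, in two halves. On a domain controller, Set-DcStaticPorts pins the three services that would otherwise pick a dynamic RPC port to fixed ports, using the registry values Microsoft documents for this (NTDS "TCP/IP Port", Netlogon "DCTcpipPort" and NTFRS "RPC TCP/IP Port Assignment"), and opens those ports in the Windows Server 2008 built-in firewall; the port numbers 38901 to 38903 are chosen here for illustration. From a member server, Test-DcReachability then checks TCP reachability of the well-known domain controller ports plus the pinned ones, which is the test to run after changing any firewall in between. UDP (DNS, Kerberos, NTP) is not covered by a TCP connect test. PowerShell 2.0; the registry change needs a reboot.

```powershell
# Added example (not from the original guide): pin AD RPC services to static ports and
# test reachability of DC ports from a member. Run elevated. PowerShell 2.0.

$StaticPorts = @{
    "NTDS replication" = @{ Port = 38901; Path = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters";     Name = "TCP/IP Port" }
    "Netlogon"         = @{ Port = 38902; Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"; Name = "DCTcpipPort" }
    "FRS (SYSVOL)"     = @{ Port = 38903; Path = "HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters";    Name = "RPC TCP/IP Port Assignment" }
}

function Set-DcStaticPorts {
    # On the domain controller: write the registry values and allow the ports inbound.
    foreach ($svc in $StaticPorts.Keys) {
        $s = $StaticPorts[$svc]
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Port -PropertyType DWord -Force | Out-Null
        netsh advfirewall firewall add rule name=AD-static-$($s.Port) dir=in action=allow protocol=TCP localport=$($s.Port) | Out-Null
    }
    "Static ports set; reboot the domain controller for them to take effect."
}

# TCP ports every domain member must reach on a domain controller.
$KnownTcpPorts = @{ 53 = "DNS"; 88 = "Kerberos"; 135 = "RPC endpoint mapper"; 389 = "LDAP"; 445 = "SMB";
                    464 = "Kerberos kpasswd"; 636 = "LDAPS"; 3268 = "GC LDAP"; 3269 = "GC LDAPS" }

function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        # WaitOne is false on timeout (typically a silently dropping firewall);
        # Connected is false when the connection was refused.
        $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected
    } catch { $false } finally { $client.Close() }
}

function Test-DcReachability {
    param([string]$DomainController)
    $ports = @{} + $KnownTcpPorts
    foreach ($svc in $StaticPorts.Keys) { $ports[$StaticPorts[$svc].Port] = "$svc (static)" }
    foreach ($port in ($ports.Keys | Sort-Object)) {
        New-Object PSObject -Property @{ Port = $port; Service = $ports[$port];
            Open = Test-TcpPort -Server $DomainController -Port $port }
    }
}

# On the domain controller:   Set-DcStaticPorts
# From a member server:       Test-DcReachability -DomainController dc1.example.ac.uk |
#                               Format-Table Port, Service, Open -AutoSize
```

A port that times out rather than being refused usually means a firewall is dropping it silently; a refusal on a pinned port after the reboot means the service did not pick up the registry value, which repadmin /bind (for NTDS) or the service's event log will confirm.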
- Maintenance Plan
- Consider developing and using a maintenance plan. A minimum might be to check event logs daily to weekly, paying particular attention to the additional logs available on domain controllers. The Directory Service log will tell you about directory replication, the File Replication Service log will tell you about SYSVOL file replication, and the DNS Server log will tell you about the health of your DNS service.
- Health Check
- Consider developing a more thorough health check procedure using the available Tools and Utilities. Consider running through it, or appropriate parts of it, after any major changes such as adding and removing domain controllers, renumbering a subnet, etc., or just periodically (e.g. every 6 to 12 months).
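The script below is an added example, not code from the original guide, of the kind of health check this item and the earlier points suggest. Run on a domain controller, it reports where the operations master roles are and whether the holders answer a ping (the "know where they are" point above), the replication summary and any failing links (the check to run whenever a domain controller is added or removed), whether every domain controller has its _ldap._tcp.dc._msdcs SRV record registered in DNS, dcdiag's errors, and the errors and warnings from the Directory Service, DNS Server and replication logs over the last few days. The seven-day window is an assumption. repadmin and dcdiag are built into Windows Server 2008 and come with the 2003 Support Tools; everything else is PowerShell 2.0 and .NET.

```powershell
# Added example (not from the original guide): periodic domain controller health check.
# Run as an administrator on a domain controller. PowerShell 2.0.

$DaysBack = 7   # assumed window for the event log review

function Get-OperationsMasters {
    # Role holders from the .NET Forest/Domain classes; no ActiveDirectory module needed.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $roles = @(
        @{ Role = "Schema master";        Holder = $forest.SchemaRoleOwner.Name },
        @{ Role = "Domain naming master"; Holder = $forest.NamingRoleOwner.Name })
    foreach ($d in $forest.Domains) {
        $roles += @{ Role = "PDC emulator ($($d.Name))";          Holder = $d.PdcRoleOwner.Name }
        $roles += @{ Role = "RID master ($($d.Name))";            Holder = $d.RidRoleOwner.Name }
        $roles += @{ Role = "Infrastructure master ($($d.Name))"; Holder = $d.InfrastructureRoleOwner.Name }
    }
    foreach ($r in $roles) {
        New-Object PSObject -Property @{ Role = $r.Role; Holder = $r.Holder;
            Reachable = Test-Connection -ComputerName $r.Holder -Count 1 -Quiet }
    }
}

function Test-DcSrvRecords {
    # Every DC must register _ldap._tcp.dc._msdcs.<domain>; a missing record breaks logon.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $answer = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$($domain.Name)" 2>$null
    $registered = @()
    foreach ($line in $answer) {
        if ($line -match 'svr hostname\s*=\s*(\S+)') { $registered += $Matches[1].TrimEnd(".") }
    }
    foreach ($dc in $domain.DomainControllers) {
        New-Object PSObject -Property @{ DomainController = $dc.Name;
            SrvRegistered = ($registered -contains $dc.Name) }
    }
}

function Get-RecentDcLogErrors {
    param([int]$Days = $DaysBack)
    $since = (Get-Date).AddDays(-$Days)
    # "DFS Replication" takes over from "File Replication Service" once SYSVOL is on DFS-R;
    # a log that does not exist on this server is skipped silently.
    foreach ($log in "Directory Service", "DNS Server", "File Replication Service", "DFS Replication") {
        Get-EventLog -LogName $log -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue |
            Group-Object Source, EventID | Sort-Object Count -Descending | ForEach-Object {
                New-Object PSObject -Property @{ Log = $log; SourceAndId = $_.Name; Count = $_.Count;
                    Last = ($_.Group | Sort-Object TimeGenerated | Select-Object -Last 1).TimeGenerated;
                    Message = ($_.Group[0].Message -split "`n")[0] }
            }
    }
}

"== Operations master roles =="
Get-OperationsMasters | Format-Table Role, Holder, Reachable -AutoSize
"== Replication summary and failing links =="
repadmin /replsummary
repadmin /showrepl /errorsonly
"== DNS SRV registration =="
Test-DcSrvRecords | Format-Table DomainController, SrvRegistered -AutoSize
"== dcdiag, errors only =="
dcdiag /q
dcdiag /test:dns /q
"== Errors and warnings in DC logs, last $DaysBack days =="
Get-RecentDcLogErrors | Format-Table Log, SourceAndId, Count, Last, Message -AutoSize -Wrap
```

Keeping the output from each run (for example redirected to a dated text file) makes the next run more useful, since a new source/event ID pair in the log summary stands out immediately against the previous one.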
- Development and Testing
- Consider using a copy of your preferred virtualisation software to set up a test domain where you can try out changes in a development environment before applying them to production. It may be worth purchasing a subscription to Microsoft TechNet (email the Shop for details).