Unless overridden by a customer, we generally deploy certain standards within Active Directory (AD) to ensure consistency across AD forests that we manage.
Generally, we design a tree like so:
– Builtin (default)
– Computers (default)
– Computer Laptops
– Computer Servers
– Domain Controllers (default)
– ForeignSecurityPrincipals (default)
– Inactive Users
The purpose of the non-default OUs is to enable us, now or in the future, to easily create GPOs to handle different types of computers (e.g., workstations, laptops, servers) and users (admins, contractors, normal) differently. Of course this means you have to be sure to create the entries in the right location.
Rarely, if ever, do we create users under the default ROOT\Users container.
For special accounts, we use special naming conventions.
- Admin accounts have the format of username-admin, e.g., bsmith-admin.
- Service accounts have the format of username-svc, e.g., productx-svc.
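As an added example (not code from the original post), the following PowerShell audit checks a domain against the username-admin / username-svc convention described above: members of privileged groups are expected to carry the -admin suffix, and accounts that hold a service principal name are expected to carry the -svc suffix. It assumes the ActiveDirectory module (RSAT) and read access to the domain; the list of privileged groups is an assumption to adjust per forest.

```powershell
# Added example: audit AD account names against the -admin / -svc convention.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
# The privileged group list is an assumption; extend it for your forest.
Import-Module ActiveDirectory

function Test-NamingConvention {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][ValidateSet('Admin', 'Service')][string]$Kind
    )
    $suffix = if ($Kind -eq 'Admin') { '-admin' } else { '-svc' }
    return $SamAccountName.ToLower().EndsWith($suffix)
}

# 1. Every user in a privileged group should be a "-admin" account.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            if (-not (Test-NamingConvention -SamAccountName $_.SamAccountName -Kind Admin)) {
                [pscustomobject]@{
                    Group   = $group
                    Account = $_.SamAccountName
                    Issue   = 'Privileged account without -admin suffix'
                }
            }
        }
}

# 2. An account with a service principal name is a service account and should end in "-svc".
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName |
    Where-Object { -not (Test-NamingConvention -SamAccountName $_.SamAccountName -Kind Service) } |
    ForEach-Object {
        [pscustomobject]@{
            Group   = 'n/a'
            Account = $_.SamAccountName
            Issue   = 'SPN holder without -svc suffix'
        }
    }
```

The built-in Administrator account (and krbtgt, which holds SPNs) will show up in the output; decide explicitly whether to exempt those rather than silently filtering them, since any other exception is exactly what the audit is meant to surface.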
We still utilize LOGON scripts, especially in networks with Windows 2003 and Windows XP. Note that this has largely been replaced with GPOs for startup scripts in Windows 2008+ and Windows 7+.
Number of DCs and DNS
While AD only requires a single DC and DNS server, it’s safest to have at least two. Most often, a single server is both a DC and DNS. Be very careful about (and usually avoid) making a SQL Server, Exchange Server, or Remote Desktop Server a DC.
DNS Resolver Configuration on a DC
This is one of the biggest problem areas for new admins. For anything other than a DC, DNS resolver configuration is simple: DNS#1 is the primary DNS (usually DC 1) and DNS#2 is the secondary DNS (usually DC 2). This is NOT the case for a DC.
Assuming you are configuring the DNS resolver on DC1, you should use the following configuration:
Notice that the first entry is another DNS server, not the local DNS server. And the second entry is always 127.0.0.1. This is the Microsoft standard and ensures valid AD replication. The most common mistake is to do this:
This is also wrong:
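As an added example (not code from the original post), the following PowerShell script checks a domain controller's own resolver settings against the rule stated above: the first entry must be another DC, and 127.0.0.1 must be present but never first. It assumes the DnsClient and ActiveDirectory modules (Windows Server 2012+ / RSAT) and is run locally on the DC being checked; the addresses in the final comment are constructed placeholders.

```powershell
# Added example: verify a DC's DNS client (resolver) configuration.
# Rule from the text: first server = another DC, second server = 127.0.0.1.
# Assumes the DnsClient and ActiveDirectory modules; run on the DC itself.
Import-Module DnsClient
Import-Module ActiveDirectory

function Test-DcResolverConfig {
    param(
        [string[]]$Servers,           # resolver list as configured on the interface
        [string[]]$LocalAddresses,    # this DC's own IPv4 addresses
        [string[]]$OtherDcAddresses   # IPv4 addresses of the other DCs in the domain
    )
    $issues = @()
    if ($Servers.Count -lt 2) {
        $issues += 'Fewer than two DNS servers configured'
    }
    if ($Servers.Count -ge 1) {
        if ($Servers[0] -eq '127.0.0.1' -or $LocalAddresses -contains $Servers[0]) {
            $issues += "First DNS server ($($Servers[0])) is this DC itself; it should be another DC"
        } elseif ($OtherDcAddresses -notcontains $Servers[0]) {
            $issues += "First DNS server ($($Servers[0])) is not a known domain controller"
        }
    }
    if ($Servers -notcontains '127.0.0.1') {
        $issues += '127.0.0.1 is missing; add it as the second entry'
    } elseif ($Servers.Count -ge 2 -and $Servers[1] -ne '127.0.0.1') {
        $issues += "Second entry is $($Servers[1]); it should be 127.0.0.1"
    }
    return $issues
}

# This machine's IPv4 addresses, and the addresses of every other DC in the domain.
$local    = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$otherDcs = Get-ADDomainController -Filter * |
    Where-Object { $local -notcontains $_.IPv4Address } |
    ForEach-Object { $_.IPv4Address }

# Check every IPv4 interface that has resolvers configured (loopback excluded).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -notlike 'Loopback*' -and $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $result = Test-DcResolverConfig -Servers $_.ServerAddresses `
                                        -LocalAddresses $local `
                                        -OtherDcAddresses $otherDcs
        [pscustomobject]@{
            Interface = $_.InterfaceAlias
            Servers   = ($_.ServerAddresses -join ', ')
            Status    = if ($result.Count -eq 0) { 'OK' } else { $result -join '; ' }
        }
    }

# Shape of a correct setting for DC1 (addresses are constructed placeholders:
# 10.0.0.2 stands for DC2):
#   Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses @('10.0.0.2', '127.0.0.1')
```

The check flags both halves of the common mistakes in the text: a DC pointing at itself first, and a DC with no loopback entry at all. Run it after promoting a new DC and again after any NIC or IP change, since those are the moments the resolver list tends to be reset.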