
Active Directory Standards

Unless overridden by a customer, we generally deploy certain standards within Active Directory (AD) to ensure consistency across AD forests that we manage.

Tree Design

Generally, we design a tree like so:

ROOT
- Builtin (default)
- Computers (default)
- Computer Laptops
- Computer Servers
- Domain Controllers (default)
- ForeignSecurityPrincipals (default)
- AdUsers
  - Admins
  - Contacts
  - Contractors
  - Inactive Users
  - Users
  - ServiceAccounts
- Users (default)

The purpose of the non-default OUs is to enable us, now or in the future, to easily create GPOs to handle different types of computers (e.g., workstations, laptops, servers) and users (admins, contractors, normal) differently. Of course this means you have to be sure to create the entries in the right location.

Rarely, if ever, do we create users under ROOT\Users.

User Naming

For special accounts, we use special naming conventions.

  • Admin accounts have the format of username-admin, e.g., bsmith-admin.
  • Service accounts have the format of username-svc, e.g., productx-svc.

Logon Scripts

We still utilize LOGON scripts, especially in networks with Windows 2003 and Windows XP. Note that these have largely been replaced with GPOs for startup scripts in Windows 2008+ and Windows 7+.

Number of DCs and DNS

While AD only requires a single AD and DNS server, it’s safest to have at least two. Most often, a single server is both a DC and a DNS server. Be very careful about (and often avoid) making a SQL Server, Exchange Server, or Remote Desktop Server a DC.

DNS Resolver Configuration on a DC

This is one of the biggest problem areas for new admins. On machines other than DCs, DNS configuration is simple: DNS#1 is the primary DNS (usually DC 1) and DNS#2 is the secondary DNS (usually DC 2). This is NOT the case for a DC.

Assuming you are configuring the DNS resolver on DC1, you should use the following configuration:

DNS#1: <ip-of-dc2>
DNS#2: 127.0.0.1

Notice that the first entry is another DNS server, not the local DNS server. And the second entry is always 127.0.0.1. This is the Microsoft standard and ensures valid AD replication. The most common mistake is to do this:

DNS#1: <ip-of-dc1>
DNS#2: <ip-of-dc2>

This is also wrong:

DNS#1: <ip-of-dc2>
DNS#2: <ip-of-dc1>

Note that this also means that the DNS resolver configuration on every DC is slightly different. It’s not like a standard server or DHCP configuration. It’s unique to each DC to ensure the primary DNS is another DC, not the local one. Of course, if you have a single DC environment, your DNS resolver configuration would be:

DNS#1: 127.0.0.1
DNS#2: <blank>
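
The ordering rule above can be checked mechanically across all DCs. The following PowerShell is an added example, not part of the original standards; the function name Test-DcDnsResolverOrder, its parameters, and the 192.0.2.x sample addresses are constructed for illustration.

```powershell
# Added example: checks a DC's resolver list against the ordering rule described above.
# Function name, parameter names and all addresses are constructed for illustration.
function Test-DcDnsResolverOrder {
    param(
        [Parameter(Mandatory)] [string]   $DcName,
        [Parameter(Mandatory)] [string[]] $LocalAddresses,   # IPs bound to this DC
        [string[]] $OtherDcAddresses = @(),                  # IPs of every other DC
        [string[]] $Resolvers = @()                          # DNS#1, DNS#2, ... in order
    )
    $loopback = '127.0.0.1'
    $findings = @()
    $first  = if ($Resolvers.Count -ge 1) { $Resolvers[0] } else { $null }
    $second = if ($Resolvers.Count -ge 2) { $Resolvers[1] } else { $null }

    if ($OtherDcAddresses.Count -eq 0) {
        # Single-DC environment: DNS#1 is loopback and DNS#2 is blank.
        if ($first -ne $loopback) { $findings += "DNS#1 should be $loopback (single DC)" }
        if ($second)              { $findings += "DNS#2 should be blank (single DC)" }
    }
    else {
        # Multi-DC environment: DNS#1 is another DC, DNS#2 is loopback.
        if ($first -eq $loopback -or $LocalAddresses -contains $first) {
            $findings += "DNS#1 points at the local DC; it should be another DC"
        }
        elseif ($OtherDcAddresses -notcontains $first) {
            $findings += "DNS#1 '$first' is not a known DC"
        }
        if ($second -ne $loopback) {
            $findings += "DNS#2 should be $loopback, found '$second'"
        }
    }
    [pscustomobject]@{ DC = $DcName; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed inventory: DC1 follows the standard, DC2 shows the common mistake.
$dcs = @(
    @{ Name = 'DC1'; Local = '192.0.2.11'; Resolvers = '192.0.2.12', '127.0.0.1' }
    @{ Name = 'DC2'; Local = '192.0.2.12'; Resolvers = '192.0.2.12', '192.0.2.11' }
)
foreach ($dc in $dcs) {
    $others = @($dcs | Where-Object { $_.Name -ne $dc.Name } | ForEach-Object { $_.Local })
    $params = @{ DcName = $dc.Name; LocalAddresses = $dc.Local
                 OtherDcAddresses = $others; Resolvers = $dc.Resolvers }
    Test-DcDnsResolverOrder @params
}
```

On a live DC, the resolver list can be read with Get-DnsClientServerAddress -AddressFamily IPv4 and passed in as -Resolvers.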
