Before deploying an Active Directory environment, it is necessary to plan and prepare it in order to avoid problems later.
As we saw in previous lessons, Active Directory relies on a domain name which can be public or private.
To illustrate this lesson, we will start with a company that already has an information system and uses local accounts for users; following a company expansion project, the administrator (system/network) is in charge of setting up a centralized environment for user management.
Topology of the company’s IT environment
The first point to study is the company’s IT environment.
In the case of a single-site company, the reasoning is fairly simple: the domain controllers will be installed in the datacenter(s) (computer room).
If the company is spread across multiple remote sites, it’s necessary to consider whether domain controllers should be deployed at the other sites. Several questions need to be analyzed to determine this:
- Number of users per site.
- Type and speed of connection between sites.
- Services used by users (file sharing, messaging, remote desktop, etc.)
- Whether the server can be installed in a physically secured location; if it cannot, consider a Read-Only Domain Controller (RODC), which holds no writable copy of the directory and caches only the credentials allowed by its password replication policy, rather than a writable domain controller.
If you have multiple sites, I recommend placing a domain controller (configured as a global catalog) on at least one of the remote sites. This way, in the event of a disaster at the primary site, a domain controller remains available to restart the Active Directory environment.
Choose a domain name
Choosing a domain name is an important part of the Active Directory environment, as it will be used by all the computers, users, and services you may set up.
There is no obligation to choose a domain name that you own; it is possible to choose a suffix that is not registered. Keep in mind, however, that public certificate authorities no longer issue certificates for names that are not publicly resolvable, and that an unregistered suffix could later be delegated as a real top-level domain; a common recommendation is therefore to use a dedicated subdomain of a public domain you own (for example ad.rdr-it.com).
As a reminder, a domain name is composed of a name (rdr-it) and a Top Level Domain (.fr).
Examples of valid domains:
- rdr-it.com
- rdr-it.lan
- my-company.intra
- societe.priv
The domain name will be used to generate the NETBIOS name, which is still used for legacy protocols and for the DOMAIN\user logon format. The Active Directory domain creation wizard proposes the NETBIOS name from the leftmost label of the DNS name (the part before the TLD), in uppercase and limited to 15 characters; you can change it in the wizard, but not after the domain has been created.
If we choose the domain name rdr-it.lan for the Active Directory environment, here’s how it will translate:
| Element | Value |
| --- | --- |
| Domain name | rdr-it.lan |
| NETBIOS name | RDR-IT |
| User ID (UPN) | identifier@rdr-it.lan |
| User NETBIOS ID | RDR-IT\identifier |
| DNS name of computers | COMPUTER.rdr-it.lan |
Personally, I prefer to use a private domain for the Active Directory environment to avoid any confusion with an existing public domain.
For your information: if you want your users to sign in with their e-mail address, you can add UPN suffixes (@xxxxxx.yy) to the forest configuration and then set each user account's User Principal Name (UPN) to the e-mail address.
If you use an existing public domain name for which services (websites) are published, the internal DNS zone created by the domain controllers becomes authoritative for that name on the LAN; the public records (www, mail, etc.) must therefore be re-created internally, otherwise internal clients will not be able to reach those services.
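The naming steps above, as an added example that is not part of the original article: a helper that derives the NETBIOS name the way the wizard does (leftmost label, uppercase, 15-character limit), the forest creation with both names, and the post-promotion UPN suffix so that users can sign in with their e-mail address. The domain rdr-it.lan, the public domain rdr-it.com, the user jdoe and the IP 203.0.113.10 are assumptions.

```powershell
# Added example (not from the original article). Assumptions: the forest root
# will be rdr-it.lan, the public mail domain is rdr-it.com, and a user "jdoe"
# exists after promotion. Run in an elevated PowerShell on the future DC.

function Get-ProposedNetbiosName {
    # Mirrors what the promotion wizard proposes: the leftmost DNS label,
    # in uppercase, capped at the 15-character NetBIOS limit.
    param([Parameter(Mandatory)][string]$DnsDomainName)
    $label = ($DnsDomainName.Split('.')[0]).ToUpperInvariant()
    if ($label.Length -gt 15) { $label = $label.Substring(0, 15) }
    # Characters that are illegal in a NetBIOS name, or an empty label
    if ($label -match '[\\/:*?"<>|.]' -or $label -match '^\s*$') {
        throw "Cannot derive a valid NetBIOS name from '$DnsDomainName'"
    }
    return $label
}

$DomainName  = 'rdr-it.lan'
$NetbiosName = Get-ProposedNetbiosName -DnsDomainName $DomainName   # RDR-IT

# 1. Install the role binaries (no promotion yet).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Create the forest. -InstallDns creates the rdr-it.lan zone on this DC;
#    no delegation is requested because the parent zone (.lan) is not ours.
$dsrmPassword = Read-Host -Prompt 'DSRM password' -AsSecureString
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -ForestMode WinThreshold -DomainMode WinThreshold `
    -InstallDns -CreateDnsDelegation:$false `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force
# The server reboots here. Everything below runs after the reboot.

# 3. Let users sign in with their e-mail address: add the public domain as a
#    UPN suffix, then switch the user's UPN to it. The NetBIOS logon
#    RDR-IT\jdoe keeps working and the DNS name of the domain does not change.
Set-ADForest -Identity $DomainName -UPNSuffixes @{Add = 'rdr-it.com'}
Set-ADUser -Identity 'jdoe' -UserPrincipalName 'jdoe@rdr-it.com'

# 4. Verify the resulting identifiers.
Get-ADDomain | Select-Object DNSRoot, NetBIOSName
Get-ADUser -Identity 'jdoe' | Select-Object SamAccountName, UserPrincipalName

# Had the AD domain been the public name rdr-it.com instead, the DC would be
# authoritative for it internally and each published record would have to be
# re-created by hand, e.g. (203.0.113.10 is a placeholder public address):
# Add-DnsServerResourceRecordA -ZoneName 'rdr-it.com' -Name 'www' -IPv4Address '203.0.113.10'
```

Step 3 cannot be undone for users already signed in with the old UPN without a second change, so decide on the e-mail-as-login policy before the first accounts are created.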
Hardware and software configuration (Windows)
Hardware configuration
The AD DS role is not resource-intensive; for a domain controller, the following should be considered:
- Two vCPUs for a virtual machine; for a physical server, a single processor is sufficient.
- 4 to 8 GB of RAM.
- 100 to 200 GB of disk space depending on the items that will be distributed by group policies.
- A minimum 1 Gbps network connection
Setting up Windows
It is recommended to dedicate the computer to the role of domain controller.
Before promotion, configure a static IP address and give the server its final computer name: renaming a domain controller afterwards is a much more involved operation.
It is recommended to have antivirus software and a firewall enabled.
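The preparation described in this section, as an added example that is not part of the original article: static addressing, a collision check on the chosen address, the firewall left enabled on every profile, and the final hostname set before promotion. The interface name "Ethernet", the 192.168.10.0/24 network, the addresses .1 (gateway), .2 (existing resolver) and .10 (future DC), and the name DC01 are assumptions.

```powershell
# Added example (not from the original article). Assumptions: the NIC is
# called "Ethernet", the server LAN is 192.168.10.0/24 with gateway .1, the
# future DC will be 192.168.10.10 named DC01, and an existing resolver at
# 192.168.10.2 is used until the DC hosts DNS itself. Run elevated.

$Nic     = 'Ethernet'
$DcIp    = '192.168.10.10'
$Gateway = '192.168.10.1'
$TempDns = '192.168.10.2'

# 1. Make sure nobody already answers on the address we are about to take.
if (Test-Connection -ComputerName $DcIp -Count 1 -Quiet) {
    throw "$DcIp already answers on the network; pick another address."
}

# 2. Static addressing: leave DHCP, drop any leftover address and default
#    route on the interface, then assign the final address and resolver.
Set-NetIPInterface -InterfaceAlias $Nic -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $Nic -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $DcIp -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $TempDns

# 3. Keep the Windows firewall on for every profile; the promotion wizard
#    adds the AD DS / DNS rules itself, so nothing needs to be opened by hand.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# 4. Show the result for the change record, then set the final name and
#    reboot. Do this before promotion: renaming a DC afterwards is painful.
Get-NetIPConfiguration -InterfaceAlias $Nic
Rename-Computer -NewName 'DC01' -Force -Restart
```

After the reboot, point the DNS client at the DC itself only once the DNS role has been installed by the promotion wizard; until then the temporary resolver keeps name resolution working.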
Preparing users: information and training
Migrating from a locally managed environment to an Active Directory environment has an impact on users.
Depending on the services and different configurations you are going to put in place, it is important to inform and train users so as not to catch them off guard.
When their computer joins the domain and they log in for the first time with their user account to the domain, a new profile will be created; therefore, it is necessary to plan for the migration of profiles to retrieve documents, software settings, internet favorites, etc.
If you plan to use roaming profiles or redirect folders such as Desktop and Documents, you must explain to users that they can log in on another company computer and recover all or part of their environment. To ensure they can do this without contacting IT support, users must know their login credentials and how to switch users.
Training and informing users is key to a successful migration in an Active Directory environment.
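The profile migration mentioned above, as an added example that is not part of the original article, using the User State Migration Tool (USMT) from the Windows ADK in an in-place (hard-link) scenario: capture the local profile, join the domain, then restore the data into the new domain account so that the user's first domain logon does not land in an empty profile. The USMT install path, the store path C:\MigStore, the local account "alice", the domain RDR-IT / rdr-it.lan and the join account "join-svc" are assumptions.

```powershell
# Added example (not from the original article). Assumptions: USMT 10 from the
# Windows ADK is installed at its default path, the PC has a local account
# "alice", it will join rdr-it.lan (NetBIOS RDR-IT) where her account is also
# "alice", and C:\MigStore is free. Run each step elevated, in order.

$Usmt       = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool\amd64'
$Store      = 'C:\MigStore'
$LocalUser  = "$env:COMPUTERNAME\alice"
$DomainUser = 'RDR-IT\alice'

function Invoke-ProfileCapture {
    # Step 1, before the domain join: capture the local profile. /hardlink
    # keeps the files in place on the same disk (no copy) and must be paired
    # with /nocompress. /ue:*\* excludes everyone, /ui re-includes our user.
    & "$Usmt\scanstate.exe" $Store /hardlink /nocompress /o /c `
        "/i:$Usmt\MigDocs.xml" "/i:$Usmt\MigApp.xml" `
        '/ue:*\*' "/ui:$LocalUser" "/l:$Store\scan.log"
    if ($LASTEXITCODE -ne 0) { throw "scanstate failed with code $LASTEXITCODE" }
}

function Join-TargetDomain {
    # Step 2: join the domain with an account that has join rights; reboot.
    Add-Computer -DomainName 'rdr-it.lan' -Credential (Get-Credential 'RDR-IT\join-svc') -Restart
}

function Invoke-ProfileRestore {
    # Step 3, after the reboot, logged on as a local administrator: restore
    # the captured state into the domain account. /mu maps the old local user
    # to the new domain user, so alice's first domain logon already contains
    # her documents, application settings and favourites.
    & "$Usmt\loadstate.exe" $Store /hardlink /nocompress /c `
        "/i:$Usmt\MigDocs.xml" "/i:$Usmt\MigApp.xml" `
        "/mu:${LocalUser}:$DomainUser" "/l:$Store\load.log"
    if ($LASTEXITCODE -ne 0) { throw "loadstate failed with code $LASTEXITCODE" }
}

# Typical sequence (three separate sessions because of the reboot):
#   Invoke-ProfileCapture      # as local admin, machine still in the workgroup
#   Join-TargetDomain          # reboots
#   Invoke-ProfileRestore      # as local admin, before alice's first domain logon
```

Check scan.log and load.log before letting the user sign in; a non-zero exit code from either tool means the profile must not be considered migrated.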
Some good practices to consider
Here is a list of some best practices regarding the implementation of an Active Directory environment:
- To ensure the availability of Active Directory services, a minimum of 2 domain controllers must be installed per domain.
- The server is dedicated solely to the AD DS and DNS roles (the DNS role is installed by the promotion wizard at the same time as AD DS).
- Consider a naming policy for the different objects (Computers, Users, Groups…).
- Consider how to organize the objects in the directory (Sites, Services …).
- Perform regular (daily) backups of domain controllers, including the system state.
- Secure physical access to domain controller servers.
- Regularly check the health status of domain controllers.
- Perform operating system updates.
- Limit the use of the built-in Administrator account; instead, create individual, named administrator accounts.
- Limit the number of people who can access domain controllers.
- Use different accounts for administration and for day-to-day use.
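A check script covering several of the practices above (two domain controllers, global catalogs, replication and dcdiag health, use of the built-in Administrator account, size of Domain Admins, last system-state backup), as an added example that is not part of the original article. It assumes a management host with the RSAT AD DS tools (ActiveDirectory module, dcdiag.exe, repadmin.exe) and a Domain Admins membership; the 30-day and 5-account thresholds are assumptions to adjust.

```powershell
# Added example (not from the original article). Assumptions: run on a host
# with the RSAT AD DS tools as a member of Domain Admins, against the current
# domain. Thresholds (30 days, 5 admin accounts) are arbitrary starting points.

function Test-AdBaseline {
    $domain   = Get-ADDomain
    $dcs      = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)
    $findings = [System.Collections.Generic.List[string]]::new()

    # Availability: at least two DCs per domain, each one a global catalog.
    if ($dcs.Count -lt 2) {
        $findings.Add("Only $($dcs.Count) domain controller(s) in $($domain.DNSRoot)")
    }
    foreach ($dc in $dcs) {
        if (-not $dc.IsGlobalCatalog) { $findings.Add("$($dc.HostName) is not a global catalog") }
        # dcdiag /q prints nothing at all when every test passes
        $diag = & dcdiag.exe "/s:$($dc.HostName)" /q 2>&1
        if ($diag) { $findings.Add("dcdiag reports problems on $($dc.HostName): $($diag -join ' ')") }
    }

    # Replication: any recorded failure between partners is a finding.
    foreach ($f in Get-ADReplicationFailure -Scope Domain -Target $domain.DNSRoot) {
        $findings.Add("Replication failure on $($f.Server) from $($f.Partner): error $($f.LastError)")
    }

    # Least privilege: the built-in Administrator (RID 500) should not be in
    # day-to-day use, and Domain Admins should hold few, named accounts.
    $builtin = Get-ADUser -Identity "$($domain.DomainSID)-500" -Properties LastLogonDate
    if ($builtin.LastLogonDate -gt (Get-Date).AddDays(-30)) {
        $findings.Add("Built-in Administrator logged on recently ($($builtin.LastLogonDate))")
    }
    $admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate })
    if ($admins.Count -gt 5) {
        $findings.Add("$($admins.Count) accounts in Domain Admins: $($admins.SamAccountName -join ', ')")
    }

    # Backups: repadmin shows the last system-state backup per partition; a
    # partition with no date, or one older than a day, breaks the daily rule.
    $backup = & repadmin.exe /showbackup 2>&1
    if ($backup -notmatch 'dSASignature') {
        $findings.Add('repadmin /showbackup returned no backup signature; check system-state backups')
    }
    $findings.Add("repadmin /showbackup output for manual review: $($backup -join ' ')")

    return $findings
}

# Inventory first (site placement, GC flag, OS), then the findings.
Get-ADDomainController -Filter * | Format-Table HostName, Site, IsGlobalCatalog, OperatingSystem
$result = Test-AdBaseline
if ($result.Count -eq 0) { 'No findings' } else { $result }
```

Run it from a scheduled task on the management host and keep the output with the change log; a finding that appears between two runs is usually easier to diagnose than one discovered during an outage.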