Wiki software active directory

But please treat this as a generic guideline that helps you prepare your own list of best practices based on your environment. It is assumed that the reader already has a fair understanding and working knowledge of Active Directory management. A Resource Domain is a domain which typically hosts other critical infrastructure that works closely with Active Directory. Now that we have covered the root domain, let's discuss the design of child domains. For example: most of the Domain Controllers for us.

For a large enterprise, this approach is better than a single-domain, single-forest model. This regional domain separation offers more flexibility in segregating roles and responsibilities between regions. It also reduces the replication burden to a great extent. By placing a Domain Controller under a particular site, you are telling the Domain Controller "This is your location". By placing a Domain Controller under a particular subnet, you are telling the Domain Controller "This is the network where you belong".

This means each AD Site should be logically connected to at least two different sites. Please avoid this kind of design. For example, the IP range for your US region is In this case, create a matching subnet with You do not need to put any Domain Controller within this subnet.

Why is it necessary? Let's say a client system belongs to a new subnet In such a case, the client would be authenticated by any Domain Controller in the forest, including Domain Controllers from other regions. To keep authentication requests from leaving the region, this larger covering subnet is useful.

For larger sites, there should be more than one GC. GCs are heavily used during cross-forest logins. If not, you can edit the attribute property and ensure that it is replicated to all GCs across the forest. I have seen cases where administrators do not plan it well in advance, and later they have to spend hours redesigning the OU structure. So when you are designing the OU structure, please keep Group Policy in mind.

This will make the deployment of GPOs complicated. There should be a regular activity to ensure that no object is left in the default containers. This will prevent the accidental deletion of a large OU. So please pay proper attention to OU delegation to restrict control. This is another area which should be planned meticulously. There are a few rules of thumb, which are as follows: The members of Universal Groups are part of the Global Catalog, which increases the replication load. If you need to use Universal Groups, use them carefully.
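As an added example (not the article's own script), a PowerShell check for the "no object left in the default container" rule above: it lists user, computer and group objects parked directly under CN=Users and CN=Computers, skipping the built-in objects that legitimately live there. It assumes the RSAT ActiveDirectory module is installed, the caller has read access to the domain, and the output folder C:\ADReports is a placeholder you would change.

```powershell
# Added example, not part of the original article.
# Report objects left in the default CN=Users / CN=Computers containers so they
# can be moved into the proper OUs where Group Policy and delegation apply.
Import-Module ActiveDirectory

function Get-DefaultContainerObjects {
    param(
        # Domain DN to inspect; defaults to the domain of the current session
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )

    $containers = @("CN=Users,$DomainDN", "CN=Computers,$DomainDN")

    foreach ($container in $containers) {
        # OneLevel: direct children only. The LDAP filter skips built-in
        # objects (Administrator, krbtgt, Domain Admins, ...) which carry
        # isCriticalSystemObject=TRUE and are expected in these containers.
        Get-ADObject -SearchBase $container -SearchScope OneLevel `
            -LDAPFilter '(&(|(objectClass=user)(objectClass=computer)(objectClass=group))(!(isCriticalSystemObject=TRUE)))' `
            -Properties objectClass, whenCreated |
        Select-Object @{ n = 'Container'; e = { $container } },
                      Name, objectClass, whenCreated, DistinguishedName
    }
}

# Typical scheduled-task usage: write a date-stamped CSV (placeholder folder).
$reportDir = 'C:\ADReports'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyy-MM-dd'
$report = Get-DefaultContainerObjects
$report | Export-Csv -Path "$reportDir\DefaultContainers-${stamp}.csv" -NoTypeInformation

# Short summary for the task log; an empty result means nothing to clean up.
if ($report) {
    $report | Format-Table Container, Name, objectClass, whenCreated -AutoSize
}
```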

This will simplify the group management tasks. This will simplify the Folder permission management. This will help other administrators to contact the right person regarding that group. You should mention the reference number in the comments section of the group.

This will be useful during a future audit. By looking at the group name, you should understand which one is the user group, which one is the permission group, which one is a Domain Local Group and so on. Typically, your user group should represent a team or group of people who have something in common. Access Groups are the groups which have specific access to a particular environment. There are multiple benefits to this approach: Therefore, avoid granting a user group direct access to any object.

Instead, configure access groups and nest user groups within access groups. Some of the common use cases of access groups are: On the contrary, you should restrict yourself to the minimum number of Domain Controllers that are absolutely necessary to manage the workload.

More Domain Controllers mean more attack surface, a more complex replication topology and more management overhead. You can monitor the CPU and memory utilization of existing Domain Controllers during peak hours for some days, to decide whether you need to deploy additional Domain Controllers. If the process lsass.

Additionally, users might complain about slow logins or login refusals during peak hours. However, please avoid RODCs if they are not required. Now, a few points related to Domain Controller health management. There are two aspects of Domain Controller health management. The first aspect is the health of the Domain Controller server. You can integrate the script with a scheduled task. The script only displays errors; if no DC has an error, the output is blank.

As Active Directory works on a multi-master replication model, we should ensure that all Domain Controllers maintain a consistent database. The database consistency of Domain Controllers is one of the key factors of Active Directory health. There are a few best practices which help keep the AD database healthy to a great extent: The KCC ensures that no domain controllers within a site are 3 hops away from each other. So careful planning is required to ensure that sites replicate with each other within a certain interval.

For a large environment, monitor the regular summary report at least twice daily, and monitor the full replication report once a day. Store the reports in a single repository for future reference. I have created two PowerShell scripts, one for the Replication Summary Report and another for the Full Replication Report, which run the report, email the result and store the report in a date-wise folder. Once you integrate these two scripts with scheduled tasks, no further manual intervention is required.

You can also use third-party monitoring tools to accomplish this. However, sometimes an error in replication indicates a more serious problem, including the presence of Lingering Objects in the AD database. The only issue with Recovery Manager for Active Directory is that it carries a hefty price tag.

While it is worth the investment if you have the budget, it is unsuitable for smaller companies with limited budgets. Download a free trial. Microsoft Active Directory Topology Diagrammer is a product that brings a level of visualization to the mix that complements Active Directory well. With this program you can automatically create a Microsoft Visio diagram of your Active Directory topology. Diagrams include features such as administrative groups, domains, sites, servers, and organizational units.

This allows you to look at your network from another perspective. When taking information from Active Directory you can also opt to limit your diagram to one domain or site. This allows you to take a more specific approach to see how particular devices link together in isolation before looking at everything. You can also take your diagrams and add additional objects to them in Microsoft Office Visio for further interaction.

NET Framework Version 2. Microsoft Active Directory Topology Diagrammer can be downloaded for free. All of these utilities have the focus of making it easier to manage Active Directory.

Similarly, the Duplicates Identifier allows you to see all duplicated objects in one click. The result is an Active Directory administrative experience that is more versatile than Active Directory alone. Another interesting utility is the Terminal Session Manager. With the Terminal Session Manager the user can utilize a PowerShell cmdlet to find and manage a range of terminal sessions from a centralized location. This is particularly useful because it allows you to manage and disconnect multiple users from one location.

Active Directory needs to be maintained like any other service, and IT Environment Health Scanner has been designed to allow users to do just that. You can use this tool to scan your Active Directory service to look for any problems or chinks in its armor. You can use IT Environment Health Scanner to collect information on site and subnet configurations, DNS name resolution, health and configuration of the Network Time Protocol of domain controllers, and configuration of network adapters of all domain controllers.

This gives you the basics to ascertain if there are any problems with your Active Directory service. It comes recommended for up to computers or laptops and 20 servers. BeyondTrust Privilege Explorer is another permissions utility that allows the user to see who has access to what. This utility is one of the better permissions management tools because it keeps things simple. The user interface has a simple classic design that allows you to see who had access to Active Directory when a certain network event was happening.

You also have the ability to track user permissions over time. For example, you can view the permissions for a specific device and view the event logs within the PowerBroker Auditor to see if permissions have been changed. This allows you to look out for any unusual behavior and address it promptly. In the event that you spot something amiss, you can generate a report to document the event in further detail. You can then use advanced filtering to target resources by specific groups, permissions, and dates.

This program leaves next to no room for error and allows you to track permission changes easily over time. The only problem is that you have to contact the company directly in order to view a quote. That being said you can download a free trial.

There are many occasions in Active Directory where a user is locked out at the most inconvenient time. Netwrix Account Lockout Examiner has been designed for the express purpose of getting to the bottom of Active Directory lockouts. This tool notifies administrators when an account has been locked out of Active Directory so that they can take a closer look at why this is the case.

You can use Netwrix Account Lockout Examiner to ascertain why the user has been locked out with relative ease. Once an administrator has seen that an account has been locked out they can unlock that account through the centralized console or a mobile device.

This enables the user to get user accounts unlocked ASAP. As a consequence, normal service can be resumed much quicker than it would be trying to go it alone with Active Directory. Netwrix Account Lockout Examiner is a tool that provides a solid account monitoring experience. In the event that a user gets locked out this tool is invaluable at getting the account unlocked so that they can get back to business quickly. This product can be downloaded for free.

Bulk Password Control is a tool designed to help users with password management on Active Directory. As a password manager, Bulk Password Control is very fast paced. You can change passwords on multiple accounts at once. You can do this through the use of a password generator that creates passwords for each account. In the event that you want to make this more simple, you can set every account password to the same code.

In other words, you can manage passwords in bulk. This gives you a high degree of control over your active directory users and computers so that if you need to restructure or remove an unsuitable account you can do so with ease.

The bulk password management ability of this product makes it ideal for larger enterprise environments with lots of different users and accounts. Bulk Password Control can be downloaded for free. This tool scans for inactive user accounts and then provides you with information on how long the accounts have been dormant. In effect, the tool automatically keeps you updated on the state of your connected accounts so that you can take action if need be.

Once you can see that an account has been inactive for a substantial length of time you can deactivate it. Deactivating inactive accounts will reduce the risk of a malicious entity gaining access to your data. Likewise, it will also help if you are audited because it shows that you are taking a proactive approach towards cybersecurity and record management. Netwrix Inactive User Tracker is a tool that is worth its weight in gold for those moments where you need to clean up your Active Directory accounts.

Netwrix Inactive User Tracker can be downloaded for free. Finally, we have Lepide Last Login Report. Part 1. Click Download. You may have to scroll down a little to find it. Click Next. Download all 4 files to your computer. Open your Downloads folder. Install all 4 files. Double-click the first of the files, then follow the on-screen instructions to complete the installation.

Do the same with the other files you just downloaded. Part 2. Open the Control Panel. To do this, type control panel into the search bar, then click Control Panel in the search results. Click Programs. Click Turn Windows features on or off. A dialog box will appear.

Click Restart now. The computer will turn off and then turn back on.