Discussion on:

10 Comments
One addendum to number 6: avoid backing up the RID master as this should never be restored, so where possible I prefer to see the RID master held on a separate, non-backed-up DC.
#6
Dave Pusey 25th Aug 2010
You only need to back up a single domain controller. Once it has been restored, the rest can be rebuilt by dcpromo-ing clean installs of Windows.

The roles can then be checked/assigned as per this KB article... http://support.microsoft.com/kb/324801
OUs and GPOs
labattomy@... 25th Aug 2010
While the design elements mentioned are critical, I think they are only part of the AD design. After AD is up and running, you need to design your OU structure. I prefer an OU structure based on an administration model, keeping in mind the need to either locate objects based on geography or company organizational structure. Either way, I then prefer to separate the objects further into sub-OUs based on object type (i.e. users, workstations, servers, groups). This makes it easy for delegation of rights as well as for applying Group Policy.
I think this applies to large organizations as well as smaller environments.
It's important to not be too granular, too. Don't confuse granularity with accuracy of application, either.

For instance, using OU structure as your only method of targeting users or computers can be ineffective as things move around.

Make sure to use a combination of GPOs assigned to specific OUs, higher-tier OUs using security filtering in the scope, and utilizing the Sites to target IP subnets.

Mixed DC versions, while functional, may be your biggest headache in the long term. Microsoft's recommended best practice is to keep all DCs at the same OS version and SP level.

If you upgrade one, make a plan to upgrade all of them. There are long term issues with AD and FRS replication that can get painful to resolve.
expensive - depending on the size of the company and the age of the network. With some older servers, that might mean a hardware upgrade as well. Good tip, just in many cases it's really hard to get the budget to do that.
We are running 120 Oracle 10g servers and 160 SQL 2005 servers. The problem is we want to migrate to Server 2008 R2. The problem is Oracle 10g R1 won't run on the Server R2, so we have to step back a little for those. The result is a mixture of Windows 2008 R1 and R2 machines (as part of our migration) and the older Server 2003 R2 machines for our legacy applications that we can't do without.

The reality is that in large networks with a lot of applications, having a single Server OS and service pack installation throughout the enterprise simply isn't possible.

Make all DCs global catalogs and DNS servers. FSMO roles vs GC isn't an issue if ALL DCs are GCs. But this is an all or nothing design. Assign pri DNS on the NIC to itself, sec to other DNS servers. If each DC has a DNS server it can still start even if your other DNS servers are not available.

You don't have to rebuild an entire AD database if you have a 2nd DC. You can just seize the FSMO roles.
Good headline for #6. Although other posters have explained how to recover FSMO roles it is vital that the AD administrator keep track of where they are.

#8 should be, "will administer Active Directory", not "administrator". The latter is, of course, not a verb.
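Two of the posts above amount to a checklist an AD administrator can verify rather than remember: "make all DCs global catalogs and DNS servers, primary DNS on the NIC pointing to itself and secondary to other DCs", and "keep track of where the FSMO roles are" (which also tells you which DC holds the RID master that the first poster prefers to leave out of backups). The script below is an added example written for this page, not code from any poster or from Microsoft. It assumes the RSAT ActiveDirectory module is installed, WinRM access to every DC, and that each DC is Windows Server 2012 or later so that Get-DnsClientServerAddress exists remotely; it assumes the "all DCs are DNS servers" design, so any DNS entry that is not a DC address (or loopback) is flagged.

```powershell
# Added audit script for the advice in this thread (not a poster's own code).
# Assumptions: RSAT ActiveDirectory module, WinRM to every DC, Server 2012+.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *
$dcIps  = @($dcs | ForEach-Object { $_.IPv4Address })

# 1. Record where the five FSMO roles live. RIDMaster is the one the first
#    poster prefers to keep on a DC that is not in the backup set.
$fsmo = [pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$fsmo | Format-List

# 2. "All DCs are GCs" is an all-or-nothing design: flag any DC that is not.
foreach ($dc in $dcs) {
    if (-not $dc.IsGlobalCatalog) {
        Write-Warning "$($dc.HostName) is not a global catalog"
    }
}

# 3. DNS client settings on each DC: primary entry should be the DC itself,
#    every other entry should be another DC (loopback is tolerated).
foreach ($dc in $dcs) {
    $servers = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 }).ServerAddresses
    }
    $servers = @($servers | Select-Object -Unique)

    if ($servers.Count -eq 0) {
        Write-Warning "$($dc.HostName): no IPv4 DNS servers configured"
        continue
    }
    if ($servers[0] -ne $dc.IPv4Address) {
        Write-Warning "$($dc.HostName): primary DNS is $($servers[0]), expected itself ($($dc.IPv4Address))"
    }
    $foreign = $servers | Where-Object { ($_ -notin $dcIps) -and ($_ -ne '127.0.0.1') }
    if ($foreign) {
        Write-Warning "$($dc.HostName): DNS entries that are not a DC: $($foreign -join ', ')"
    }
    if ($servers.Count -lt 2) {
        Write-Warning "$($dc.HostName): only one DNS server listed; add another DC as secondary"
    }
}
```

Run it from a workstation or DC with the AD module under an account that can connect to every DC over WinRM; a clean run prints only the FSMO table. The FSMO query alone (the Get-ADForest and Get-ADDomain lines) is worth scheduling after any DC promotion, demotion or role seizure, since a seized role leaves the recorded holder stale.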