  • Active Directory Infrastructure redesign

    In an earlier post I was struggling with establishing external trusts between our home office and several remote locations. Turned out that several of the remote DCs had been created with an image, and had not been sysprepped so they had duplicate domain SIDs. So the bad news is at the very least I am looking at rebuilding 3 domains. The good news is that this may give me an excuse to redesign the entire AD structure and do it the "right way".

    Currently each location is a separate forest, and all our IT staff have accounts in every domain to do administration. Also, several users at each location have an account in our home office domain to access Exchange, a term server, and a few other resources. I was establishing one-way external trusts to allow the IT staff to administrate the remote domains with our home office credentials, and I have it set up to work on about 22 of the 26 sites. After getting some good advice on my last thread, I have done some research and thinking and compiled a pros / cons list of the three different possibilities and would like your input on this. I think it will take some convincing of management to redesign, so I need some concrete reasons why one forest is the best and then whether we should have one domain or several child domains. Here is the list, please add to it if you can:

    1. One Forest and One domain. Separate stores with OUs and control replication with Sites and Services
    a. Pros:
    i. Domain controller redundancy
    ii. Centralized management of users, computers, GPOs, permissions, etc.
    iii. Less replication traffic than child domains because of only having one domain
    iv. Would NOT need a global catalog at each site
    v. Users would only have one account
    vi. Users could use Exchange with only one account – could use Outlook too
    b. Cons:
    i. Current home office domain resources that grant access to “domain users” need to be changed to use “Home Office Users”
    ii. ALL user accounts and passwords will be on each store’s server and if the server is compromised, ALL users must change passwords
    iii. Would need to be careful granting permissions so remote users don’t get more access than we want them to have to home office resources

    2. One Forest with stores as child domains to Home Office root domain (implicit two-way transitive trusts)
    a. Pros:
    i. Users would only need one logon
    ii. Users could use Exchange with only one account – could use Outlook too
    iii. Users that are members of the Enterprise Admins group could administer all domains with one logon
    b. Cons:
    i. ALL user accounts and passwords will be on each remote server since it will be a global catalog and if stolen, ALL users must change passwords
    ii. Remote domains only have one DC (no redundancy)
    iii. Don’t have central user management. Each domain still has admin accounts, its own groups, its own group policies, etc. Would have to connect to remote domain via ADUC to make changes.
    iv. Each child Domain Controller would also need to be a global catalog – more replication.

    3. Separate forests for each site with External trusts
    a. Pros:
    i. Most secure configuration
    ii. Each site only has its own AD users’ passwords – if compromised only that domain is at risk
    iii. Least replication traffic (pretty much nothing over the external trust)
    b. Cons:
    i. Users cannot access Exchange, Terminal Server, and other Home Office resources with their primary account
    ii. No DC redundancy
    iii. No central management


    THANKS!!
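    Added example (editor's, not from the thread): what Option 1 looks like when scripted. It builds one site, subnet and OU per store, a hub-and-spoke site link to the home office, and a per-store global group so home-office resources can be granted to named groups instead of "Domain Users" (the first con under Option 1). It uses the ActiveDirectory PowerShell module (RSAT / Windows Server 2012 or later, not the 2003 tooling of the thread); the hub site name, store names, subnets and OU names are assumptions.

```powershell
# Added example, not from the thread: scaffold the single-domain layout of
# Option 1 with the ActiveDirectory module (RSAT / Windows Server 2012 or later).
# The hub site name, store names, subnets and OU layout are assumptions.
Import-Module ActiveDirectory

$hubSite  = 'HomeOffice'                       # assumed: Default-First-Site-Name renamed
$domainDN = (Get-ADDomain).DistinguishedName
$storesOU = "OU=Stores,$domainDN"

# Constructed inventory: one site, subnet and OU per store (assumed values).
$stores = @(
    @{ Name = 'Store01'; Subnet = '10.1.1.0/24' },
    @{ Name = 'Store02'; Subnet = '10.1.2.0/24' },
    @{ Name = 'Store03'; Subnet = '10.1.3.0/24' }
)

if (-not (Get-ADReplicationSite -Filter "Name -eq '$hubSite'")) {
    throw "Hub site '$hubSite' does not exist; create or rename it first."
}

# Parent OU for all stores: per-store GPOs and delegation hang off its children,
# which is what replaces the separate domains of Options 2 and 3.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$storesOU'")) {
    New-ADOrganizationalUnit -Name 'Stores' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

foreach ($store in $stores) {
    # Site: clients authenticate against the DC in their own site.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($store.Name)'")) {
        New-ADReplicationSite -Name $store.Name
    }
    # Subnet-to-site mapping; without it, store clients locate DCs at random.
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($store.Subnet)'")) {
        New-ADReplicationSubnet -Name $store.Subnet -Site $store.Name
    }
    # Hub-and-spoke site link to the home office only (no store-to-store mesh),
    # replicating every 3 hours over IP.
    $linkName = "$hubSite-$($store.Name)"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName -SitesIncluded @($hubSite, $store.Name) `
            -Cost 100 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP
    }
    # Per-store OU plus a global group, so home-office resources can be ACLed to
    # "Home Office Users" / "<Store> Users" instead of the catch-all Domain Users.
    $ouDN = "OU=$($store.Name),$storesOU"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDN'")) {
        New-ADOrganizationalUnit -Name $store.Name -Path $storesOU -ProtectedFromAccidentalDeletion $true
    }
    $groupName = "$($store.Name) Users"
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN
    }
}
```

    Every step is guarded by a lookup so the script can be re-run as stores are added. The replication interval and cost are illustrative; the point is that there is one link per store to the hub, so the WAN topology, not a full mesh, decides where change traffic flows.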

  • #2
    Re: Active Directory Infrastructure redesign

    Will try and read this all tomorrow! but one point was:
    "all our IT staff have accounts in every domain to do administration"
    If you want administrators at every site having rights to everything globally then a single domain is the best way forward. If you have admins who only look after their local stuff then you need to decide if they only need to change passwords etc. or if you need a separate domain.

    How many users are we talking?
    cheers
    Andy

    Quis custodiet ipsos custodes?



    • #3
      Re: Active Directory Infrastructure redesign

      All IT staff is at the home office, and we need to manage all the sites. Home Office has about 200 users and each remote site has about 10 users. I am definitely leaning toward absorbing all the remote sites into our domain, but I am looking for some more ammunition before I go present the plan to management.



      • #4
        Re: Active Directory Infrastructure redesign

        Personally I'm with Option 1. The less complexity the better IMHO. A few points I'd like to make:

        I would only set up separate domains or forests if:

        A. There's a business need or requirement for maintaining the separation.

        B. There's a political, geographic, or cultural need or requirement for maintaining the separation.

        C. There's an IT management need or requirement for maintaining the separation.

        Here's my opinion on what you should have in each site:

        1. A DC that is also a DNS, DHCP, and GC (for universal group membership validation) and WINS if you want network browsing to be available domain wide. This way if the link to the main site goes down users can still log on and access local resources.

        2. DFS link targets for access to resources such as file shares, etc.

        3. A file and print server.



        • #5
          Re: Active Directory Infrastructure redesign

          I would agree with joeqwerty. One other thing for the remote sites is you could set up RODCs (read-only DCs). You would need to install/upgrade a DC in your environment to 2K8 and have your forest/domain at 2K3 or higher functional level. But this would protect/limit the impact if a remote DC was compromised (mentioned as a concern in option 1).


          -Jason
          MCSA/MCSE 2K3,MCITP:ESA,MCTS x 4,VCP x 2



          • #6
            Re: Active Directory Infrastructure redesign

            Option 1 would be my choice as well. If you can go with 2k8 in the remote offices, in addition to RODCs you could also use BitLocker, although I would recommend TPM-enabled hardware for this.



            • #7
              Re: Active Directory Infrastructure redesign

              Option 1 for me but you're still going to want GCs at the locations.
              GoogleFu is strong with this one ^



              • #8
                Re: Active Directory Infrastructure redesign

                Why would I want GCs at all the locations if I only have one domain in the forest? Does the logon process need a GC? What if I don't use any universal groups? I know Exchange needs a GC, but the Exchange servers are at the home office. I guess it doesn't really matter, because the remote servers will already be DCs and will have a full copy of the directory, so it shouldn't require any additional replication traffic.

                Thanks for the input everyone!

                I would love to install 2008 and be able to use RODC and BitLocker, but alas we are running an app that requires SQL 2000 at each location and SQL 2000 doesn't play nice with 2008.



                • #9
                  Re: Active Directory Infrastructure redesign

                  It's recommended by MS to have a GC at each physical site. Even though you really only need one it speeds up searches.

                  Here's some information on the do's and don'ts

                  http://books.google.com/books?id=4Tz...num=4#PPA60,M1

                  http://technet.microsoft.com/en-us/l...88(WS.10).aspx
                  Last edited by stamandster; 27th May 2009, 16:26.
                  GoogleFu is strong with this one ^



                  • #10
                    Re: Active Directory Infrastructure redesign

                    Originally posted by toddb:
                    Why would I want GCs at all the locations if I only have one domain in the forest? Does the logon process need a GC? What if I don't use any universal groups? I know Exchange needs a GC, but the Exchange servers are at the home office. I guess it doesn't really matter, because the remote servers will already be DCs and will have a full copy of the directory, so it shouldn't require any additional replication traffic.

                    Thanks for the input everyone!

                    I would love to install 2008 and be able to use RODC and BitLocker, but alas we are running an app that requires SQL 2000 at each location and SQL 2000 doesn't play nice with 2008.
                    Regardless of whether you use Universal Groups, a GC will still be contacted.

                    In your case, I would recommend either:
                    • a registry hack, so a GC won't be contacted each time (can't remember what it is but there is one).
                    • Using Global Group caching
                    I would recommend the Global Group caching. This will also ensure less replication traffic.
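                    Added example (editor's, not from the thread): the group caching recommended above is the per-site "Universal Group Membership Caching" setting, stored as bit 0x20 of the `options` attribute on each site's NTDS Site Settings object, with `msDS-Preferred-GC-Site` naming the site whose GCs refresh the cache. This script first reports which sites actually have a GC, then turns caching on for the store sites and points them at the home office. It uses the ActiveDirectory module (needs Active Directory Web Services on at least one DC); the site names are assumptions.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module;
# site names 'Store01'..'Store03' and 'HomeOffice' are assumptions.
Import-Module ActiveDirectory

function Get-GcPlacementReport {
    # One row per site: which DCs it holds and whether any of them is a GC.
    Get-ADDomainController -Filter * |
        Group-Object -Property Site |
        ForEach-Object {
            [pscustomobject]@{
                Site  = $_.Name
                DCs   = ($_.Group | ForEach-Object { $_.HostName }) -join ','
                HasGC = [bool]($_.Group | Where-Object { $_.IsGlobalCatalog })
            }
        }
}

function Enable-UniversalGroupCaching {
    param(
        [Parameter(Mandatory = $true)][string]$SiteName,
        [string]$PreferredGcSite          # site whose GCs refresh the cache (the hub)
    )
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $settingsDN = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC"
    $settings   = Get-ADObject -Identity $settingsDN -Properties options

    $UGMC_FLAG = 0x20                      # NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED
    $current   = [int]($settings.options)  # attribute may be unset -> 0
    if (($current -band $UGMC_FLAG) -eq 0) {
        Set-ADObject -Identity $settingsDN -Replace @{ options = ($current -bor $UGMC_FLAG) }
    }
    if ($PreferredGcSite) {
        $gcSiteDN = "CN=$PreferredGcSite,CN=Sites,$configNC"
        Set-ADObject -Identity $settingsDN -Replace @{ 'msDS-Preferred-GC-Site' = $gcSiteDN }
    }
}

Get-GcPlacementReport | Format-Table -AutoSize
foreach ($site in 'Store01', 'Store02', 'Store03') {     # assumed site names
    Enable-UniversalGroupCaching -SiteName $site -PreferredGcSite 'HomeOffice'
}
```

                    With caching on, a store DC answers logons from its cached universal-group memberships when the WAN is down, and refreshes them from the hub's GCs on a schedule instead of pulling a full GC partition replica to a server that is not physically secure.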



                    • #11
                      Re: Active Directory Infrastructure redesign

                      So I started testing this in my lab, and I have a question on something I ran into:

                      When the users from a remote domain are migrated to the home office domain, they become members of the "domain users" and "Users" groups. By default, server 2003 gives the "Users" group read permissions at the root level of the drive, so all these new users have a lot more access than I want them to have to the home office servers. What is the best way to address this?

                      Thanks,
                      Todd



                      • #12
                        Re: Active Directory Infrastructure redesign

                        Remove domain users from the root of the server drives
                        (But note they should not be able to access C$ share etc.)
                        Tom Jones
                        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                        PhD, MSc, FIAP, MIITT
                        IT Trainer / Consultant
                        Ossian Ltd
                        Scotland

                        ** Remember to give credit where credit is due and leave reputation points where appropriate **



                        • #13
                          Re: Active Directory Infrastructure redesign

                          That was my first thought, but I am worried that will have unintended consequences since many other folders inherit permissions from the root. I am not worried about shares that we have created, but system permissions that the operating system needs for things like domain logon etc. If they aren't needed I am surprised MS gives them permission by default.
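                          Added example (editor's, not from the thread): a way to see what removing the root-level "Users" entry would actually affect before touching it. The script lists the explicit ACEs for BUILTIN\Users and Domain Users at the root of each fixed drive, then lists the child folders that currently inherit that entry, so the system folders that would lose access are visible. Nothing is changed unless `-Remove` is passed. It is written for PowerShell 2.0-era constructs so it runs on Server 2003; `-Drive` and `-Remove` are the script's own parameters.

```powershell
# Added example, not from the thread: audit (and optionally remove) root-of-drive
# ACEs granted to BUILTIN\Users / Domain Users, showing which child folders inherit them.
param(
    [string[]]$Drive = @(),   # e.g. 'C:','D:'; default: every fixed drive
    [switch]$Remove           # actually remove the ACE; default is report-only
)

$targets = @('BUILTIN\Users', "$env:USERDOMAIN\Domain Users")

if ($Drive.Count -eq 0) {
    $Drive = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object { $_.DeviceID }
}

function Get-RootUserAces([string]$Root) {
    # Explicit (non-inherited) ACEs at the drive root for the target identities.
    $acl = Get-Acl -Path $Root
    $acl.Access | Where-Object {
        ($targets -contains $_.IdentityReference.Value) -and (-not $_.IsInherited)
    }
}

function Get-InheritingChildren([string]$Root, [string]$Identity) {
    # Top-level folders whose ACL carries an inherited ACE for that identity.
    Get-ChildItem -Path $Root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        Where-Object {
            (Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue).Access |
                Where-Object { $_.IsInherited -and $_.IdentityReference.Value -eq $Identity }
        } |
        ForEach-Object { $_.FullName }
}

foreach ($d in $Drive) {
    $root = "$d\"
    foreach ($ace in Get-RootUserAces $root) {
        "{0} {1}: {2} ({3})" -f $root, $ace.IdentityReference, $ace.FileSystemRights, $ace.AccessControlType
        Get-InheritingChildren $root $ace.IdentityReference.Value | ForEach-Object { "    inherits: $_" }
        if ($Remove) {
            $acl = Get-Acl -Path $root
            [void]$acl.RemoveAccessRule($ace)
            Set-Acl -Path $root -AclObject $acl
            "    removed from $root"
        }
    }
}
```

                          Run it without `-Remove` first and read the "inherits" list: anything under the system root that shows up there is exactly the unintended-consequence case described above, and those folders need an explicit grant before the root entry goes.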



                          • #14
                            Re: Active Directory Infrastructure redesign

                            So I met with management today to discuss this project, and basically it is a no go unless I can figure out how to secure the directory info at the remote sites. The remote servers are not very physically secure, and they aren't willing to spend the money to make them physically secure, so it is a very real possibility that one could be stolen or compromised. This would give the attacker access to all the passwords on our domain, requiring all 400 or so users at all 26 sites to reset their passwords, and there may still be a window of opportunity for the intruders to gain access. Is there anything I can do besides upgrading to 2008 and using Bitlocker? Any 3rd party encryption tools?

                            Thanks!!!!



                            • #15
                              Re: Active Directory Infrastructure redesign

                              What about using TrueCrypt (free/open source) to encrypt the whole disk? Use a very secure password, something 21 characters or longer for all administrators (you should already know how to make a secure password).

                              Enable a bios configuration password!

                              Btw, Domain Users do not have access to remote administrative shares. A group policy should be in place that disables local logon for domain users to all domain controllers. Any domain admins should not be in the domain users group.
                              GoogleFu is strong with this one ^
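                              Added example (editor's, not from the thread): a check for the policy described in the last paragraph. Run on a domain controller, it exports the effective user rights with `secedit` and reports whether "Deny log on locally" (SeDenyInteractiveLogonRight) includes the domain's Domain Users group. It only reads; the group name is a parameter so the same check works for other groups.

```powershell
# Added example, not from the thread: verify on a DC that Domain Users is denied
# interactive (console) logon. Read-only; uses secedit's export format.

function Get-PrivilegeAssignments {
    # Returns a hashtable: privilege name -> list of assigned SIDs/names.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            # Values look like: *S-1-5-32-546,*S-1-5-21-...-513 (leading '*' marks a SID)
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-DenyLocalLogon {
    param([string]$Group = "$env:USERDOMAIN\Domain Users")
    $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $rights = Get-PrivilegeAssignments
    $deny   = @($rights['SeDenyInteractiveLogonRight'])
    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        Group          = $Group
        GroupSid       = $sid
        DenyLocalLogon = (($deny -contains $sid) -or ($deny -contains $Group))
        CurrentDeny    = ($deny -join ', ')
    }
}

Test-DenyLocalLogon | Format-List
```

                              Deny rights win over allow rights, so an account that is still a member of Domain Users (including through its primary group) loses console logon on the DC as well; that is why the advice above pairs the deny with moving admins out of Domain Users.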
