Number One – Hardware: Is your hardware ready for AD? How well have you sized it? Are the domain controllers (PDC, BDC) going to be virtualized or not? In my opinion there is no need to deploy a stand-alone AD on a dedicated physical server, unless you really need it for a large organizational forest or you need to create geographically distributed ADs. In a 2000-user environment at a medium-sized company, 4GB of memory and 100GB of RAID-5 storage would produce a mere 1~4% processor load on a server running only AD with no other roles installed. With branches, however, you would require different arrangements:
- Certificate Services
But please do deploy these services in separate VMs on member servers. It would be even better if you could place at least one domain controller in every site, and make at least one domain controller in each site a global catalog. And you should not log in to the domain controller as an Admin; rather, use an account with minimal access. That way you will make fewer mistakes.
Number Two – Security: Deploying AD is fairly simple, but failure to plan ahead can be catastrophic. After deploying AD, you should focus on hardening it. This assumes your physical servers have restricted access control and proper air conditioning.
- The first thing to do is to disable the Administrator account, or rename it to a name of your choosing.
- Set the time settings, as this server will be your time provider.
- Configure your static TCP/IP settings before you deploy your first forest. I would use NAT to connect all network resources, including network printers, to AD.
- Decide on the Forest Functional Level and Domain Functional Level.
- Internet Sharing settings should be disabled.
- Remove all users from the Schema Admins group, and create your own designated SUs or domain admins.
- Plan and implement the Operations Master roles.
- Check which of your ADs is designated as the Global Catalog server, and check the trust relationships.
- Authentication method check-up: PAP/CHAP with proper Kerberos and TLS encryption methods should be used for client communication, with MD5 hash algorithms; this is where you will need PKI/Certificate Services.
- If you have multiple forests, secure these as well with the appropriate security relationships.
- Start configuring forwarders, subnets, pointers, record checks, etc.
- Start restricting shared resources by implementing Group Policy.
- Now designate a DNS server; it should not be on the domain controller, and a VM would do as well.
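The security checklist above lends itself to a post-deployment audit. The script below is an added example, not part of the original post or of any vendor tooling; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that it runs on a domain controller under a read-only, non-administrative account.

```powershell
# Added example, not from the original post: audits a freshly deployed domain
# against the checklist above. Assumes the ActiveDirectory PowerShell module
# (RSAT) is available and that it runs on a domain controller (for the w32tm
# and DNS service checks) under a read-only, non-administrative account.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$domain   = Get-ADDomain
$findings = @()

# Built-in Administrator is always RID 500, whatever it has been renamed to.
$admin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" -Properties Enabled
if ($admin.Enabled -and $admin.SamAccountName -eq 'Administrator') {
    $findings += 'Built-in Administrator is enabled and still uses its default name'
}

# Time: the PDC emulator must not be free-running on its local clock.
$timeSource = (w32tm /query /source) -join ''
if ($timeSource -match 'Local CMOS Clock|Free-running') {
    $findings += "Time source is '$timeSource'; configure an external NTP source"
}

# Functional levels and operations master (FSMO) role holders, for the record.
"Forest level: $($forest.ForestMode)  Domain level: $($domain.DomainMode)"
"Schema Master: $($forest.SchemaMaster)  Domain Naming Master: $($forest.DomainNamingMaster)"
"PDC Emulator: $($domain.PDCEmulator)  RID Master: $($domain.RIDMaster)  Infrastructure Master: $($domain.InfrastructureMaster)"

# Schema Admins should be empty outside of planned schema changes.
$schemaAdmins = @(Get-ADGroupMember -Identity 'Schema Admins')
if ($schemaAdmins.Count -gt 0) {
    $findings += "Schema Admins has members: $($schemaAdmins.SamAccountName -join ', ')"
}

# Every site should have at least one global catalog.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object Name, Site, IsGlobalCatalog, IPv4Address | Format-Table -AutoSize
$noGC = ($dcs | Group-Object Site | Where-Object { -not ($_.Group.IsGlobalCatalog -contains $true) }).Name
if ($noGC) { $findings += "Sites without a global catalog: $($noGC -join ', ')" }

# Trusts in place, for review.
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, ForestTransitive | Format-Table -AutoSize

# The post recommends keeping the DNS role off the domain controller.
$dns = Get-Service -Name DNS -ErrorAction SilentlyContinue
if ($dns -and $dns.Status -eq 'Running') {
    $findings += 'DNS Server service is running on this domain controller'
}
if ($findings) { 'FINDINGS:'; $findings | ForEach-Object { " - $_" } } else { 'No findings.' }
```

Run it again after each change to the environment; the FINDINGS list doubles as the evidence for the monthly health check mentioned later in the post.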
Number Three – Post Operations:
- Create a Backup Domain Controller
- Create another replicated domain controller if you wish. I would rather have one while it is not needed, because when disaster strikes I would really want it 🙂
- Start updating your servers: keep them regularly patched and up to date to avoid unwanted states. I would go for SCCM for all my server/client patch management.
- Open/configure the necessary firewall rules so that network-attached devices can communicate properly with AD.
- Back up all your domain controllers, and schedule it on a recurring basis. Partial/differential backups will not give you a total backup solution, so choose wisely. You should have a solid plan for this, as a complete weekly backup of all ADs is desirable.
- A monthly health check report is desirable. You can use SCOM for it.
- Most importantly, keep a snapshot, and restore copies in the lab as your AD evolves over time. Test out changes in the lab, then apply them in the production environment.
Here is a sample video on deploying AD on my YouTube channel: https://www.youtube.com/watch?v=glH8mfw7IH8