Best Practices

The following are best practices from this chapter:

  • Design domains sparingly: Don’t necessarily set up multiple domains for different remote offices or sites.

  • Turn on the Active Directory Recycle Bin after upgrading to Windows Server 2016 forest-functional level to take advantage of the ability to do a full-fidelity restore of domain objects that have been deleted and to use the much improved interface provided with this version of AD DS.

  • Purchase any external domain namespaces that you might want to use on the Internet.

  • Use RODCs in remote sites where security is not as strong.

  • Strongly consider using dynamic DNS in an AD DS domain environment.

  • Turn on global AD DS auditing to better understand changes made to Active Directory objects.

  • Consider using cross-forest transitive trusts between two disparate AD DS forests when merging the forests is not an option.

  • Place the infrastructure master role on a DC that isn’t also a global catalog, unless all DCs in the domain are global catalog servers or you are in a single domain environment.

  • Properly plan fine-grained password policies to avoid conflicting policies being applied to users. Leave enough numeric space between the precedence numbers of individual PSOs so that new PSOs can later be inserted above or below an existing PSO in the order of priority.

  • Switch to Windows Server 2016 Functional mode as early as possible, to be able to take advantage of the numerous improvements, including AD Recycle Bin support, fine-grained password policies, Kerberos improvements, last interactive logon information, and the use of DFS-R for the SYSVOL replication.

  • Use DC virtualization with Windows Server 2008 R2 to be able to quickly stage and deploy multiple DCs across a wide environment.

  • Seriously consider deploying AD DS DCs on Server Core to reduce their security footprint. Use PowerShell to manage and control the DCs.

  • Use global groups to contain users in the domain in which they exist but also to grant access to resources in other trusted domains.

  • Use universal groups to contain users from any domain in the forest and to grant access to any resource in the forest.
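
The PSO precedence guidance above, worked through in PowerShell as an added example (this is not code from the chapter): two fine-grained password policies are created with precedence values 100 apart so that a future PSO can be slotted between them, each is linked to a global group, the resultant policy is checked for a sample user, and any duplicate precedence values are flagged. The group names, the user "jdoe" and the policy settings are assumed placeholders.

```powershell
# Added example (not from the chapter): spaced PSO precedence values.
# Assumes the ActiveDirectory module, a domain at Windows Server 2008 or
# later domain-functional level, and that the groups and user named below
# exist (placeholder names).
Import-Module ActiveDirectory

# The lowest precedence number wins when a user is covered by more than one
# PSO. Leaving gaps (100, 200, ...) lets a later PSO be inserted between
# existing ones without renumbering them.
New-ADFineGrainedPasswordPolicy -Name "PSO-PrivilegedAdmins" -Precedence 100 `
    -ComplexityEnabled $true -MinPasswordLength 20 `
    -LockoutThreshold 5 -LockoutDuration "00:30:00" -LockoutObservationWindow "00:30:00" `
    -MaxPasswordAge "60.00:00:00" -MinPasswordAge "1.00:00:00" -PasswordHistoryCount 24 `
    -ReversibleEncryptionEnabled $false

New-ADFineGrainedPasswordPolicy -Name "PSO-StandardUsers" -Precedence 200 `
    -ComplexityEnabled $true -MinPasswordLength 14 `
    -LockoutThreshold 10 -LockoutDuration "00:15:00" -LockoutObservationWindow "00:15:00" `
    -MaxPasswordAge "90.00:00:00" -MinPasswordAge "1.00:00:00" -PasswordHistoryCount 24 `
    -ReversibleEncryptionEnabled $false

# PSOs apply to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-PrivilegedAdmins" -Subjects "Domain Admins"
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-StandardUsers"    -Subjects "Domain Users"

# Verify: a user who is in both groups should resolve to the precedence-100 PSO.
Get-ADUserResultantPasswordPolicy -Identity "jdoe" | Select-Object Name, Precedence

# Flag precedence collisions; a tie is broken only by the PSO's object GUID,
# which is exactly the "conflicting policies" situation the chapter warns about.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Group-Object Precedence | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "Precedence $($_.Name) is shared by: $($_.Group.Name -join ', ')" }
```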
