Active Directory Infrastructure Assessment Document
Document version: 1.0
Published: July 04, 2014
Overview
The Active Directory Infrastructure Assessment Document has been designed based on best practices for implementing and managing Active Directory infrastructure. The document covers Active Directory Infrastructure Assessment, Group Policy Assessment, Certification Authority Assessment and Forefront Identity Management Assessment. This document can be useful for anyone who performs AD Migration / Consolidation, AD Restructuring or AD Upgrade while preserving AD integration of native and third-party components.
The goal of the document is to capture all Active Directory-related features of Windows Server 2008 R2, Group Policy, CA, FIM and Client / Server Operating System configurations. This document is intended to serve as a master list of features that need to be considered for any Active Directory implementation.
Task List Columns
Reference: Reference number of a section.
Design Document: The infrastructure design document that assists Migration / Restructuring / Upgrade.
Description: High-level overview of the component and the expected outcome from the customer.
Comment: The person responsible for the task comments on the component.
Attachment: The person responsible for the task attaches the required document.
Applications / Software / Systems Configuration: Corresponds to Applications / Software / Server Systems which may or may not be configured and may or may not be integrated with Active Directory.
Applications / Software / Systems Installed: Helps identify whether the mentioned component is installed.
Applications / Software / Systems Not Installed: Helps identify whether the mentioned component is not installed.
Requires AD Authentication: Indicates whether or not the component requires AD Authentication.
Active Directory Forest Model: Describes the AD Forest configurations that may or may not be configured in an Organization.
Configured: Should be filled in if the Feature / Component is configured.
Not Configured: Should be filled in if the Feature / Component is not configured.
Active Directory Design Configuration: Describes the AD Domain configurations that may or may not be configured in an Organization.
Active Directory Sites Configuration: Describes the AD Site configurations that may or may not be configured in an Organization.
Domain Controller Configuration: Domain Controller configuration which may or may not be configured in an Organization.
AD DS FSMO Configuration: FSMO configuration which may or may not be configured in an Organization.
DNS Configuration: DNS configuration which may or may not be configured in an Organization.
Active Directory Feature Configuration: Outlines different features which may or may not have been configured in an Organization.
Client / Workstation Configuration: Outlines Workstation Active Directory features / functionality which may or may not be configured in an Organization.
Active Directory Certificate Services Configuration: Outlines different PKI features that may or may not be configured in an Organization.
Microsoft Forefront Identity Manager Configuration: Outlines different FIM capabilities that may or may not be configured in an Organization.
Owner: Person with the responsibility to ensure that a task is done. The owner can complete the task, automate it, or delegate it and confirm that the work has been done.
Notes: Additional information relating to this item.
Feedback
Please direct questions and comments about this guide to [email protected].
Client: <Customer>
<Customer> Design Documents
Reference
D01
D02
D03
D04
D05
D06
D07
D08
D09
D10
D11
D12
D13
Document: Active Directory 2008 / 2008 R2 Infrastructure Design Assessment Document
D14
D15
D16
D17
D18
D19
D20
D21
D22
D23
D24
D25
D26
D27
Active Directory Dependent Applications, Software & Systems
Reference
ADS 01
ADS 02
ADS 03
ADS 04
ADS 05
ADS 06
ADS 07
ADS 08
ADS 09
ADS 10
ADS 11
ADS 12
ADS 13
ADS 14
ADS 15
ADS 16
ADS 17
ADS 18
ADS 19
ADS 20
ADS 21
ADS 22
ADS 23
ADS 24
ADS 25
ADS 26
ADS 27
ADS 28
ADS 29
ADS 30
ADS 31
ADS 32
ADS 33
ADS 34
ADS 35
ADS 36
ADS 37
ADS 38
ADS 39
ADS 40
ADS 41
ADS 42
ADS 43
ADS 44
ADS 45
ADS 46
ADS 47
ADS 48
ADS 49
ADS 50
ADS 51
ADS 52
ADS 53
ADS 54
ADS 55
ADS 56
ADS 57
ADS 58
ADS 59
ADS 60
ADS 61
Active Directory Forest Design
Reference
ADF 01
ADF 02
ADF 03
ADF 04
ADF 05
Active Directory Domain Design
Reference
ADD 01
ADD 02
ADD 03
ADD 04
ADD 05
ADD 06
ADD 07
ADD 08
ADD 09
ADD 10
ADD 11
ADD 12
ADD 13
ADD 15
ADD 16
ADD 17
ADD 18
Active Directory Sites Design
Reference
ADS 01
ADS 02
ADS 03
ADS 04
ADS 05
ADS 06
ADS 07
ADS 08
ADS 09
ADS 10
ADS 11
ADS 12
ADS 13
ADS 14
ADS 14
ADS 15
ADS 16
ADS 17
ADS 18
ADS 19
ADS 20
ADS 21
Active Directory Domain Controller Design
Reference
ADC 01
ADC 02
ADC 03
ADC 04
ADC 05
ADC 06
ADC 07
ADC 08
ADC 09
ADC 10
ADC 11
ADC 12
ADC 13
ADC 14
ADC 15
ADC 16
ADC 17
Active Directory FSMO Design
Reference
ADFD 01
ADFD 02
ADFD 03
ADFD 04
Active Directory DNS Design
Reference
ADNS 01
ADNS 02
ADNS 03
ADNS 04
ADNS 05
ADNS 06
ADNS 07
ADNS 08
ADNS 09
ADNS 10
ADNS 11
ADNS 12
ADNS 13
ADNS 14
ADNS 15
ADNS 16
ADNS 17
ADNS 18
Active Directory 2008 / 2008 R2 Feature Implementation
Reference
ADFR 01
ADFR 02
ADFR 03
ADFR 04
ADFR 05
ADFR 06
ADFR 07
ADFR 08
ADFR 09
ADFR 10
ADFR 11
ADFR 12
ADFR 13
ADFR 14
ADFR 15
ADFR 16
ADFR 17
ADFR 18
ADFR 20
ADFR 21
ADFR 22
Client / Workstation Design
Reference
ADW 01
ADW 02
ADW 03
ADW 04
ADW 05
ADW 06
ADW 07
ADW 08
ADW 09
ADW 10
ADW 11
Active Directory Certificate Services Design
Reference
ADCS 01
ADCS 02
ADCS 03
ADCS 04
ADCS 05
ADCS 06
ADCS 07
ADCS 08
ADCS 09
ADCS 10
ADCS 11
ADCS 12
ADCS 13
ADCS 14
ADCS 15
ADCS 16
ADCS 17
ADCS 18
Microsoft Forefront Identity Manager
Reference
MFIM 01
MFIM 02
MFIM 03
MFIM 04
MFIM 05
MFIM 06
MFIM 07
MFIM 08
MFIM 09
MFIM 10
MFIM 11
MFIM 12
MFIM 13
Dated:
Author:
Design Document
<Customer> Organizational Structure Document
<Customer> Geographical layout Document
<Customer> Network Diagram Document
<Customer> Existing Active Directory Topology Diagram Document
<Customer> Active Directory and DNS Namespace Document
<Customer> Active Directory Object Identifiers [OID] list Document
<Customer> Domain Controllers Patch Management Process Document
<Customer> Active Directory Monitoring Process Document
<Customer> Active Directory Security Permission Design Document
<Customer> Active Directory Audit Design Document
<Customer> Active Directory Delegation Design Document
<Customer> Active Directory Organizational Structure Document
<Customer> Group Policy Windows Client Settings Document
<Customer> Group Policy Windows Server Settings Document
<Customer> Group Policy Windows Kiosk / Digital Device Settings Document
<Customer> Group Policy Application Settings Document
<Customer> Group Policy Preference Settings Document
<Customer> Group Policy User Settings Document
<Customer> Group Policy Forest Wide Settings Document
<Customer> Group Policy Settings of Active Directory Sites Document
<Customer> Active Directory Certificate Services Configuration Document
<Customer> Group Policy Functional Settings Document [includes Network Settings, Database settings, Service Account settings]
<Customer> Oracle Identity Manager Integration with Microsoft Active Directory Configuration Document
<Customer> NetIQ Identity Manager Integration with Microsoft Active Directory Configuration Document
<Customer> Dell Quest One Identity Manager Integration with Microsoft Active Directory Document
<Customer> Microsoft Forefront Identity Manager [IAM] Integration with Microsoft Active Directory Document
<Customer> IBM Tivoli Identity Manager Integration with Microsoft Active Directory Document
Applications / Software / Server Systems Configuration
<Customer> Enterprise Business Applications Document
<Customer> Enterprise Productivity Applications Document
<Customer> Enterprise Infrastructure Applications Document
<Customer> Enterprise Mobility Applications Document
Microsoft Office Applications Document
Microsoft ASP Applications Document
Microsoft BizTalk Server
Microsoft Commerce Server
Microsoft Dynamics CRM Server
Microsoft Dynamics NAV
Microsoft Exchange Server
Active Directory Federation Services
Microsoft Forefront Identity Manager
Microsoft Forefront Threat Management Gateway, Unified Access Gateway
Microsoft Hyper-V Server
Microsoft Lync Server
Microsoft Project Server
Microsoft SharePoint Server
Microsoft System Center Configuration Manager
Microsoft System Center Virtual Machine Manager
Microsoft System Center Operations Manager
Microsoft System Center Service Manager
Microsoft SQL Server
Microsoft System Center Data Protection Manager
Microsoft System Center Reporting Manager
Windows Rights Management Server
Windows Server Update Services
Windows Server ( 2003 - 2008 R2 )
Windows Clients ( XP, Windows 7, Windows Vista )
UNIX Servers
LINUX Servers
SOLARIS Servers
IBM Servers
VMware vSphere Components (Director / Storage Appliance)
VMware vCenter Suite
VMware vShield
VMware vFabric
VMware vCloud Suite
VMware Horizon
Citrix Workspace Suite
Citrix GoToMeeting / GoToWebinar
Citrix Receiver
Citrix ShareFile
Citrix XenApp
Citrix XenDesktop
Citrix XenClient
Citrix NetScaler
Citrix XenServer
Cisco Collaboration Systems
Cisco WAAS (Wide Area Application Services)
Cisco ACS
Cisco Routers
Cisco Switches
Cisco Call Manager
Cisco ASA
Cisco SoftPhone
Cisco UCS
Cisco ScanSafe Cloud Web Security
Oracle Database Servers
SAP Applications
Enterprise Backup Solutions (EMC / NetApp / IBM / CA / HP / Dell / Veeam)
Active Directory Forest Configuration
Resource Forest Model
Restricted Access Forest Model
Active Directory Forest Trust
Multi Domain Forest Configuration
Dedicated Active Directory Forest in Branch Office
Active Directory Design Configuration
Single Domain Model
Regional Domain Model
Multiple Domain Tree Configurations
Resource Domains
Active Directory Domain in Branch Offices
Active Directory Domain supporting Kiosks
Active Directory Domain supporting External Users
Active Directory External Trust between Domains
Active Directory Realm Trust
Active Directory Shortcut Trust
Offline Domain Join
Schema Extension Attributes usage
SID Filtering Quarantine on External Trust
Domain Wide Authentication over External Trust
Selective Authentication on External Trust [including Forest Trust]
Oracle Identity Management Servers Configured as Central Directory
Oracle Identity Management Synchronization Configuration with Microsoft Active Directory
Active Directory Sites Configuration
Physical Sites Routing Topology
Bridge All Site Links [BASL] Configuration
Physical IP Sites configured in Active Directory Sites and Subnets
Physical IP Subnets configured in Active Directory Sites and Subnets
Active Directory Supernets
AD Subnets created based on IP Summarization
Active Directory Subnet Mapping for IPv6 Subnets
Separate AD Sites for managing Resources
SMTP Site Link Configurations
Active Directory Site Link Bridges
Manually created Connection Objects
Replication Intervals within a site
Active Directory Sites without Domain Controller
Active Directory Sites without Global Catalog
Slow Site Links
Mission Critical Applications
Average Users per Active Directory Site
Active Directory Intrasite Replication frequency
Finding Next Closest Site Configuration
Site Link Interval Configuration
Active Directory Automatic Site Coverage, both in Hub and Branch sites
Bridgehead Server Configuration: Automatic vs Preferred
Domain Controller Configuration
Domain Controller Versions
Number of Domain Controllers per AD Site
Number of Read Only Domain Controllers per AD Site
Additional Domain Controllers for every PDC Emulator
Virtualized Domain Controllers
Percentage of Domain Controllers being Virtualized
Domain Controllers running Server Core
Child Domain PDC synchronizes Windows Time with Parent Domain
Each Domain Controller synchronizes Windows Time with PDC Emulator
Highest Domain Functional Level per Domain
Forest Functional Level
RODC Password Replication Policies
Forest Root PDC Windows Time synchronized with External or Internal Time Source
Domain Controller Database Storage Location Configuration: local disk vs External Storage
Multiple Read Only Domain Controllers in an Active Directory Site: Password Policies should be synchronized and maintained to avoid unpredictable situations
RODC in Perimeter Network
Using DFS Replication to replicate SYSVOL. FRS replication is used in Windows Server 2000 and Windows Server 2003, or on Domain Controllers migrated from Windows Server 2003 to Windows Server 2008
AD DS FSMO Configuration
Schema Master Placement
Schema Master and Domain Naming Master Role Placement
PDC Chaining
RID Pool Value Configuration
DNS Configuration
DNS Centralized Design
DNS Parent Child Design
Dynamic DNS Configuration configured on entire AD Forest
Application Partitions for managing DNS zones
Aging and Scavenging Configuration
DNS Weight Configuration
Disjoint Namespace Configuration
BIND DNS Namespace Configuration
BIND DNS Delegated Domain Configuration
BIND Primary Name Server and Slave Name Server Configuration
BIND DNS Disaster Recovery Configuration
BIND DNS Incremental Zone Transfer, Round Robin and Forwarders Configuration
Integration between Microsoft DNS and BIND DNS Configuration
GlobalNames Zone Configuration. List the AD Domains where a GlobalNames Zone is configured
DNSSEC Configuration between External DNS Servers and Internal DNS Servers, and between Internal DNS Servers (starting from Windows Server 2012)
Optimize Location of Domain Controllers: DnsAvoidRegisterRecords
Does the AD Forest DNS Configuration support Dynamic Updates? List the Domains which are not configured with DNS Dynamic Updates
BIND and Active Directory Configuration
Active Directory Feature Configuration
Active Directory Application Partitions
Application Partitions storing DNS/DHCP/COM+/Network Services data
Application data stored in AD LDS Instance
Concurrent LDAP Binds
Dynamic Auxiliary Classes
Dynamic Data
Schema Redefine
Universal Group Caching
Distributed Link Tracking ( DLT ) Configuration
Administrative Role Separation
ADMX Configuration
Active Directory Database Snapshots
Fine Grained Password Policy
Read Only Domain Controllers
Active Directory Web Service
Authentication Mechanism Assurance
Managed Service Accounts
Recycle Bin
Encryption Level support
Integration of third Party Authentication Systems with Active Directory
Permission Design Implemented - Users vs Group or both
Client / Workstation Configuration
Windows client configured in Workgroup mode
Windows Clients ( Windows XP / Windows 7 ) joined to AD Domain
Mobile clients ( Mobile devices / Tablets ) requiring AD authentication
KIOSKS Client Computers
Windows Clients Local User Profile
Windows Clients Roaming User Profile
Windows Clients Folder Redirection
Windows Offline Files
Mandatory Profiles
Direct Access Configuration
BitLocker Active Directory Integration for Clients, including storing and retrieving information
Active Directory Certificate Services Configuration
Legal / Government / Regulatory requirements for Certificate Infrastructure
Locations in an Organization where Certificate Services will be deployed
List of Applications and Services that uses Certificates
Certificate Request validation per location
Number of Root CAs deployed
Microsoft Root CA Type and Location implementation
Certificate Authority Fault Tolerant Design
Private key Protection methods
PKI Infrastructure Administrator privileges / Role configuration
Certificate Authority Validity Period
Key Length usage
AIA Repository Store
Certificate Revocation Lists configuration
Certificate Enrollment Configuration
Certificate Template Configuration
Cross Forest Enrollment Configuration
Certificate Enrollment Web Service and Policy Service Configuration
Non Persistent Certificates
Microsoft Forefront Identity Manager Configuration
Identity Management Design Document
User Management Design Document
Access Management Design Document
Identity Management Configuration Document
FIM Management Agent Configuration
FIM Schema Configuration
FIM Service Management Agent Configuration
FIM User Management Configuration ( integration with AD )
FIM User Management with different data stores (Oracle / IBM / SAP / HP, etc.)
FIM Group Management configuration ( Integration with AD )
FIM Self Service Password Reset Configuration
FIM Office 365 configuration
FIM Reporting
Dated: Jul-14
Author: Sainath KEV
Description
Copy of existing Active Directory Topology diagram
Copy of existing Active Directory and DNS Namespace Document
Copy of recent OID list
Copy of existing Patch Management Process
Copy of existing AD Monitoring Document
Copy of existing Security Permission design Document
Copy of existing Active Directory Audit design Document
Copy of existing Active Directory Delegation Document
Copy of current Active Directory Organizational Structure of each AD Domain
Organizational Structure Document explains how <Customer>'s Business Units fit into the hierarchy
Geographical layout explaining the Continents, Countries and Cities in which Business Units are located
Copy of Network Diagram explaining the connection speeds between the various sites
Copy of Master list of Group Policy settings implemented for Windows Clients at Forest and Domain Level
Copy of Per AD Domain Application settings configured in Group Policy
Copy of Active Directory Forest wide Group Policy Settings
Copy of existing Active Directory Sites Configuration settings Document
Copy of existing Microsoft FIM integration document with Active Directory
Copy of Master list of Group Policy settings implemented for Windows Servers at Forest and Domain Level
Copy of Master list of Group Policy settings implemented for Windows Kiosks / Digital Devices at Forest and Domain Level
Copy of Per AD Domain Network, Database, Service Accounts Group Policy settings Document
Copy of Group Policy Preferences Document configured at both Forest and Domain Level
Copy of Group Policy User Settings Document configured for every Active Directory Domain in the AD Forest
Copy of existing Active Directory Certificate Services Configuration Document. The document should detail the CA Hierarchy, Public & Private Root Certificates, etc.
Copy of Oracle Identity Manager integration Document with Microsoft Active Directory. This Document should reflect co-existence, site structure, synchronization, etc.
Copy of existing NetIQ Identity Manager integration Document with Microsoft Active Directory which covers installation of the AD driver, Authentication Methods, Synchronization methods, Group Management, etc.
Copy of existing Dell Quest One Identity Manager integration document detailing the RBAC policies, automation process, Rules, etc. for managing Users / Network devices
Copy of IBM TIM integration with MS AD document detailing IBM Connector configuration, SSL configuration, etc.
Description
Whether or not <Customer> Business Applications require AD Authentication
Whether or not <Customer> Productivity Applications require AD Authentication
Office Applications require AD Authentication
ASP applications that require AD Authentication
BizTalk Server, if installed, whether or not integrated with AD
MS Commerce Server, if installed, whether or not integrated with AD
MS Dynamics CRM Server, if installed, whether or not integrated with AD
MS Dynamics NAV Server, if installed, whether or not integrated with AD
Exchange Server does require AD Authentication
Is there an existing ADFS Configuration within <Customer> (intra domain / external)
Forefront server does require AD Authentication
These components require AD Authentication
Whether or not Hyper-V is configured in Standalone mode
Microsoft Lync requires AD Authentication
MS Project Server, if installed, whether or not integrated with AD
Whether or not <Customer> Infrastructure Connector Applications require AD Authentication
Whether or not <Customer> Mobility Applications require AD Authentication
Microsoft SharePoint Server requires AD Authentication
SCCM Server does require AD Authentication
SCVMM does require AD Authentication
SCVMM can work in Standalone mode and integrate with AD
SCSM can work in Standalone mode and integrate with AD
SQL Server can be installed in Standalone mode or can be integrated with AD
SCDPM can work in Standalone mode and integrate with AD
Reporting Server, if configured, whether or not integrated with AD
RMS should be integrated with AD
WSUS can be installed Standalone and integrate with AD
Whether all Windows Servers authenticate with Active Directory
Whether all Windows Clients authenticate with Active Directory
Whether all UNIX Servers authenticate with Active Directory
Whether all LINUX Servers authenticate with Active Directory
Whether all SOLARIS Servers authenticate with Active Directory
Whether all IBM Servers authenticate with Active Directory
Whether or not vSphere requires AD authentication
Whether or not vCenter requires AD authentication
Whether or not vShield requires AD authentication
Whether or not vFabric requires AD authentication
Whether or not vCloud requires AD authentication
Whether or not vCloud requires AD authentication
Whether or not Citrix Workspace Suite requires AD authentication
Whether or not Citrix Receiver requires AD Authentication
Whether or not Citrix ShareFile requires AD Authentication
Whether or not Citrix XenApp requires AD Authentication
Whether or not Citrix XenDesktop requires AD Authentication
Whether or not Citrix XenClient requires AD Authentication
Whether or not Citrix NetScaler requires AD Authentication
Whether or not Citrix XenServer requires AD Authentication
Whether or not Cisco Collaboration Systems require AD Authentication
Whether or not Cisco WAAS requires AD Authentication
Whether or not Cisco ACS requires AD Authentication
Whether or not Cisco Routers require AD Authentication
Whether or not Cisco Switches require AD Authentication
Whether or not Cisco Call Manager requires AD Authentication
Whether or not Cisco ASA requires AD Authentication
Whether or not Cisco SoftPhone requires AD Authentication
Whether or not Cisco UCS requires AD Authentication
Whether or not Cisco ScanSafe requires AD Authentication
Whether or not Oracle DB Servers require AD Authentication
Whether or not all SAP Applications require AD Authentication
Whether or not Backup solutions require AD Authentication
Whether or not Citrix GoToMeeting and GoToWebinar require AD authentication
Description
Are there multiple Domains configured in a Forest?
Description
Active Directory Forest with a Single Domain
Active Directory Forest with one or more Domains
Dedicated Active Directory Domain for each Branch Office
Dedicated Active Directory Domain to authenticate Kiosk Machines
Dedicated Active Directory Domain for authenticating external users
External Trust Configuration between Domains in separate AD Forests
A separate Forest is used to manage Resources; a Resource Forest does not contain User accounts
A separate Forest is created to store sensitive data. No trust exists between the Organizational Forest and the Restricted Forest
Are there any Forest Trusts configured between Active Directory Forests?
Multiple Active Directory Trees with subdomain Configurations. Example: Forest Root Domain (asia.contoso.com) and a new domain tree would be asia.atlas.com within the FRD.
Resource Domains configured to meet specific needs (e.g. to manage a Private Cloud) or a dedicated Domain for Microsoft Exchange
Realm Trust between UNIX and Windows systems
Windows 7 can be joined to a domain without a network connection
Extension attributes can be used when the default attribute set does not meet the need.
Restricting access to resources between the Trusted Forest and the Trusting Forest
Unrestricted access to resources between the Trusted Forest and the Trusting Forest
Description
Is the entire <Customer> network routed and mapped in Active Directory?
Is BASL enabled or disabled in the <Customer> Active Directory?
Are all the Physical IP Sites created in Active Directory?
Are all the Physical IP Subnets created in Active Directory?
A Shortcut Trust avoids traversing the entire forest for authentication and establishes a trust with peer domains, keeping in mind that <Customer> is an Enterprise-grade AD
Understanding whether Oracle Identity Manager is configured as the Central Directory or Microsoft Active Directory is deployed as the Central Directory store.
Synchronization from Active Directory to Oracle Identity Management can be performed either by the USN-Changed approach or with the DirSync method.
Are there any Supernets configured in <Customer> to address missing Subnet definitions? A Supernet is one single subnet that contains one or more smaller subnets
Are there AD Subnets configured based on IP Summarization?
Are AD Sites and Subnets configured with IPv6 subnets?
SMTP is configured between sites which have poor and unreliable network connections
Are there any manually modified / created connection objects?
Are there AD Sites without a Domain Controller in place?
Are there AD Sites without Global Catalog servers?
Are there any sites with weak site link connectivity to other sites?
Are there any mission critical applications which require high speed WAN site links?
Are AD Sites configured with a custom Intrasite Replication frequency?
Active Directory Sites without a Domain Controller configured
Administrators can configure the polling schedule on the site link object
Are there separate Sites configured to manage resources? Example: a separate Site for managing GC / Exchange. Note: it is no longer recommended practice to place Exchange in a separate site
If BASL is disabled, Site Link Bridges should be configured for successful communication between sites.
Is <Customer> managing manual replication intervals within a site, or following the default replication intervals?
Number of Users per AD site; this will help in determining DC placement and design considerations
By default the ISTG selects bridgehead servers in a site automatically, but this can be changed by selecting Preferred Bridgehead servers
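As an added example (it is not part of the assessment sheet and not vendor tooling), the following PowerShell gathers the site-topology answers asked for in this section into one read-only report. It assumes the ActiveDirectory module shipped with Windows Server 2012 / RSAT or later (for the Get-ADReplication* cmdlets) and an account that can read the Configuration partition; the thresholds that flag a site link as slow (replication less often than every 180 minutes, the default interval) or costly (cost above 100) are assumptions chosen for illustration, not values from the sheet.

```powershell
# Added example (not part of the assessment sheet): read-only audit of the
# Active Directory site-topology items in this section.
# Assumes the ActiveDirectory module (Windows Server 2012 / RSAT or later)
# and an account that can read the Configuration partition.
Import-Module ActiveDirectory

function Invoke-AdSiteTopologyAudit {
    [CmdletBinding()]
    param(
        # Assumed thresholds: flag links slower than the 180-minute default
        # interval, or with a cost above 100
        [int]$MaxIntervalMinutes = 180,
        [int]$MaxCost = 100
    )

    $sites   = Get-ADReplicationSite -Filter *
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site
    $dcs     = Get-ADDomainController -Filter *
    $links   = Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded
    $conns   = Get-ADReplicationConnection -Filter * -Properties AutoGenerated

    # Bridge All Site Links (BASL) lives on the IP inter-site transport object:
    # bit 0x2 of its 'options' attribute (BRIDGES_REQUIRED) set => BASL disabled.
    $configNC    = (Get-ADRootDSE).configurationNamingContext
    $ipTransport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options
    $baslEnabled = (([int]$ipTransport.options) -band 0x2) -eq 0

    # Site names that have at least one DC / at least one GC
    $sitesWithDc = @($dcs | Select-Object -ExpandProperty Site -Unique)
    $sitesWithGc = @($dcs | Where-Object IsGlobalCatalog | Select-Object -ExpandProperty Site -Unique)

    [PSCustomObject]@{
        BridgeAllSiteLinksEnabled    = $baslEnabled
        SitesWithoutDomainController = @($sites | Where-Object { $sitesWithDc -notcontains $_.Name } |
                                         Select-Object -ExpandProperty Name)
        SitesWithoutGlobalCatalog    = @($sites | Where-Object { $sitesWithGc -notcontains $_.Name } |
                                         Select-Object -ExpandProperty Name)
        # Subnet objects whose Site attribute is empty (defined but not mapped)
        SubnetsNotMappedToSite       = @($subnets | Where-Object { -not $_.Site } |
                                         Select-Object -ExpandProperty Name)
        # Connection objects the KCC did not generate, i.e. created/modified by hand
        ManualConnectionObjects      = @($conns | Where-Object { -not $_.AutoGenerated } |
                                         Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer)
        SlowOrCostlySiteLinks        = @($links | Where-Object {
                                             $_.ReplicationFrequencyInMinutes -gt $MaxIntervalMinutes -or $_.Cost -gt $MaxCost } |
                                         Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded)
    }
}

Invoke-AdSiteTopologyAudit | Format-List
```

Run it from a domain-joined administrative workstation; nothing is modified, and the six properties map directly onto the "Configured / Not Configured" columns for BASL, site link bridges, sites without DC / GC, unmapped subnets, manual connection objects and slow site links.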
Description
This helps in determining the existing Domain Controller capacity per AD Site
Helps in understanding the existing redundant Configuration
Domain Controllers can be virtualized and managed securely
Active Directory DCs configured on the Windows Server Core installation
Forest Functional Level set on the Root
The DC database can be stored locally or on External Storage
Is there a mix of Windows Server 2003 and Windows Server 2008 Domain Controllers?
In a complex environment, Administrators can virtualize all or part of the Domain Controllers
Windows Time can be synchronized with an external time source or with an internal time source
Does the Child Domain PDC synchronize time with the Parent Domain or with an external / other time source?
Does each DC synchronize its time with the Domain PDC Emulator (either Child or any DC in the Parent Domain) or with an external / other time source?
Multiple RODCs can be placed in an AD site; however, all RODC servers should have the same set of policies
An RODC can be placed in the perimeter network; detail the design Configuration
Description
Replication of zones configured Forest-wide
The Schema Master should be placed in a site with high bandwidth to support faster Schema updates to attributes
The Schema Master role and Domain Naming Master role can be placed outside the root domain. Provide the information if these roles are placed outside the root domain
PDC chaining occurs when a security principal tries to authenticate and the authenticating DC would not accept the password, so it communicates back to the PDC for authorization.
The RID Pool size can be changed from the default in a distributed environment where there are connectivity issues between DCs and the RID Master
Each of the Sub Domains / Child Domains is authoritative for managing its own zones
DNSSEC protects the communication from an unauthorized party / attacker.
Configuration of the BIND DNS Namespace in the <Customer> environment
Configuration of BIND Delegated Zones Configuration Document
Disaster Recovery Configuration of the BIND DNS Server
Dynamic DNS registers Resource Records dynamically, so Administrators do not need to manually update / edit the zone file
Supports WINS-type name resolution for resolving short (single-label) names without a DNS Suffix Search List configured.
How does a client locate a Domain Controller in the event that all the DCs in the client's site become unavailable?
Application Partitions can be configured to control the replication scope to the required Domain Controllers
Helps automatic removal of stale records on a per DNS Server basis based on the refresh interval
The SRV RR weight for a DC can be lowered, which reduces the number of client requests to that Domain Controller
The Configuration includes Primary Master and Slave Name Server Configuration (Subnet / Site)
Organizations can run BIND / MS DNS servers to support name resolution. The Configuration file should explain the integration aspects of both DNS servers
Organizations running BIND DNS servers to support Active Directory infrastructure
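The domain controller, FSMO, time-synchronization and DC-locator items in the three sections above can be evidenced with one read-only script. The following PowerShell is an added example, not part of the assessment sheet; it assumes the ActiveDirectory module, WinRM access to every DC (for the Netlogon registry read), and w32tm.exe on the path. The Netlogon values it reads (LdapSrvWeight, LdapSrvPriority, DnsAvoidRegisterRecords under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters) are the standard DC-locator tuning values; the default weight of 100 and priority of 0 noted in the comments are Windows defaults, not settings from the sheet.

```powershell
# Added example (not part of the assessment sheet): read-only summary of the
# DC, FSMO, time-source and DC-locator items. Assumes the ActiveDirectory
# module, WinRM access to each DC, and w32tm.exe. Nothing is changed.
Import-Module ActiveDirectory

function Get-AdDcDesignSummary {
    [CmdletBinding()]
    param(
        # Domain to summarise; defaults to the domain of the current computer
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    $dcs    = Get-ADDomainController -Filter * -Server $Domain

    # rIDAvailablePool: high 32 bits = RID ceiling, low 32 bits = next RID to
    # hand out, i.e. how many RIDs the domain has consumed so far.
    $ridMgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($dom.DistinguishedName)" `
                           -Server $Domain -Properties rIDAvailablePool
    $pool       = [int64]$ridMgr.rIDAvailablePool
    $ridCeiling = [int64][math]::Floor($pool / [math]::Pow(2, 32))
    $ridIssued  = $pool - ($ridCeiling * [int64][math]::Pow(2, 32))

    $dcRows = foreach ($dc in $dcs) {
        # Configured time source of the DC: the forest-root PDC should point at an
        # external or internal reference, every other DC at the domain hierarchy.
        $timeSource = (& w32tm.exe /query /computer:$($dc.HostName) /source 2>&1 | Select-Object -First 1)

        # Netlogon DNS-registration tuning: SRV weight/priority and the list of
        # records this DC is told not to register (DnsAvoidRegisterRecords).
        $netlogon = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
            Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' |
                Select-Object LdapSrvWeight, LdapSrvPriority, DnsAvoidRegisterRecords
        }

        [PSCustomObject]@{
            HostName                = $dc.HostName
            Site                    = $dc.Site
            OperatingSystem         = $dc.OperatingSystem
            IsReadOnly              = $dc.IsReadOnly
            IsGlobalCatalog         = $dc.IsGlobalCatalog
            TimeSource              = $timeSource
            LdapSrvWeight           = $netlogon.LdapSrvWeight      # $null = Windows default (100)
            LdapSrvPriority         = $netlogon.LdapSrvPriority    # $null = Windows default (0)
            DnsAvoidRegisterRecords = $netlogon.DnsAvoidRegisterRecords
        }
    }

    [PSCustomObject]@{
        ForestFunctionalLevel = $forest.ForestMode
        DomainFunctionalLevel = $dom.DomainMode
        SchemaMaster          = $forest.SchemaMaster
        DomainNamingMaster    = $forest.DomainNamingMaster
        PDCEmulator           = $dom.PDCEmulator
        RIDMaster             = $dom.RIDMaster
        InfrastructureMaster  = $dom.InfrastructureMaster
        RidsIssued            = $ridIssued
        RidCeiling            = $ridCeiling
        RodcCount             = @($dcs | Where-Object IsReadOnly).Count
        DomainControllers     = $dcRows
    }
}

$summary = Get-AdDcDesignSummary
$summary | Select-Object * -ExcludeProperty DomainControllers | Format-List
$summary.DomainControllers | Format-Table -AutoSize
```

A DC row whose TimeSource is "Local CMOS Clock" or "Free-running System Clock", or whose DnsAvoidRegisterRecords is populated, is the kind of finding the "Windows Time" and "Optimize Location of Domain Controllers" rows are meant to capture; run the function once per domain in a multi-domain forest.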
Description
Application Partitions which are replicated across the <Customer> AD Forest
Storing Application data in an AD LDS instance
ADSI or LDAP can be used to dynamically add an Auxiliary class to an existing object
Dynamic objects have a TTL value defined and are automatically deleted by AD after the TTL expires
An Active Directory Site level setting which eliminates the need for a Global Catalog server
This service is disabled by default on all Windows 2003 / 2008 Domain Controllers
Non Domain Administrators can be delegated to administer an RODC
Group Policy Store upgrade
Does the <Customer> AD team store AD Database Snapshots?
Password and Account Lockout policies can now be defined on a per-user basis
RODCs are useful in branch office scenarios or at AD sites that lack physical security
Additional endpoint service that can be configured on Domain Controllers
Application Partitions can store information related to DNS, DHCP, COM+ Apps, Network Services, etc.
Are there Concurrent Binds / Fast Binds configured in the <Customer> AD Forest? Fast Binds do not generate Kerberos tickets
Redefining the Schema is used when Administrators want to hide unused classes and their attributes. Another usage would be to resolve Schema conflicts
With AMA, Administrators can define special SIDs for users' smart card authentication
Service account passwords are automatically changed on a regular basis
Allows Administrators to recover deleted objects without restoring from Backup
Description
Workstations can be part of a Workgroup / Active Directory Domain
Is every Windows Client joined to the Active Directory Domain?
Configuring AD to authenticate mobile devices
Presence of Kiosk client computers
Configuration of Windows Client Local User Profiles
Configuration of Windows Client Roaming User Profiles
Configuration of Windows Client Folder Redirection
Configuration of Windows Client Offline Files
Configuration of Windows Client Mandatory Profiles
Is there a DirectAccess Configuration in place?
Weak encryption (DES and 3DES) is disabled in Server 2008 R2 but can be re-enabled explicitly by Administrators
Third party authentication systems / software can easily be integrated with Active Directory
Permissions can be assigned to an individual user object or to a Group; it is always recommended to apply permissions at Group level rather than to an individual object
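Several rows in the Domain, Feature and Client sections (SID filtering quarantine and selective authentication on trusts, Recycle Bin, fine-grained password policies, managed service accounts, and the weak-encryption row just above) can be evidenced from the directory itself. The script below is an added example, not part of the assessment sheet; it assumes the ActiveDirectory module and read access to the domain, and it only reads. The DES detection uses the documented userAccountControl flag UF_USE_DES_KEY_ONLY (0x200000) and the DES bits (0x1, 0x2) of msDS-SupportedEncryptionTypes via the LDAP bitwise-OR matching rule.

```powershell
# Added example (not part of the assessment sheet): read-only evidence for the
# trust-hardening, optional-feature, password-policy, service-account and
# weak-Kerberos-encryption rows. Assumes the ActiveDirectory module and
# read access to the domain.
Import-Module ActiveDirectory

function Get-AdSecurityFeatureSummary {
    [CmdletBinding()]
    param()

    # Trust hardening: SID filtering (quarantine) and selective authentication
    # are the "restricted" vs "unrestricted" access rows of the Domain section.
    $trusts = Get-ADTrust -Filter * -Properties SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication |
        Select-Object Name, Direction, TrustType, ForestTransitive,
                      SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication

    # Optional features (Recycle Bin etc.) and whether each is enabled in any scope.
    $features = Get-ADOptionalFeature -Filter * |
        Select-Object Name, @{ n = 'Enabled'; e = { @($_.EnabledScopes).Count -gt 0 } }

    # Fine-grained password policies: per-user / per-group password and lockout settings.
    $fgpp = Get-ADFineGrainedPasswordPolicy -Filter * |
        Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo

    # Managed service accounts: passwords rotated by AD rather than by administrators.
    $msa = Get-ADServiceAccount -Filter * | Select-Object Name, Enabled

    # Accounts that still permit DES Kerberos keys: either UF_USE_DES_KEY_ONLY
    # (0x200000 = 2097152) is set in userAccountControl, or
    # msDS-SupportedEncryptionTypes has DES_CBC_CRC (0x1) or DES_CBC_MD5 (0x2).
    # 1.2.840.113556.1.4.804 is the LDAP bitwise-OR matching rule ("any bit set").
    $desFilter = '(|(userAccountControl:1.2.840.113556.1.4.804:=2097152)' +
                 '(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=3))'
    $desAccounts = Get-ADObject -LDAPFilter $desFilter -Properties userAccountControl, 'msDS-SupportedEncryptionTypes' |
        Select-Object Name, ObjectClass, userAccountControl, 'msDS-SupportedEncryptionTypes'

    [PSCustomObject]@{
        Trusts                      = $trusts
        OptionalFeatures            = $features
        FineGrainedPasswordPolicies = $fgpp
        ManagedServiceAccounts      = $msa
        DesEnabledAccounts          = $desAccounts
    }
}

$report = Get-AdSecurityFeatureSummary
$report.Trusts             | Format-Table -AutoSize
$report.OptionalFeatures   | Format-Table -AutoSize
$report.DesEnabledAccounts | Format-Table -AutoSize
```

An external trust whose SIDFilteringQuarantined is False, or a forest trust with SelectiveAuthentication False, is the "Unrestricted access" case of the Domain section; a non-empty DesEnabledAccounts list shows where the Server 2008 R2 default described in the row above has been reverted.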
Description
Local laws or industry regulations currently followed that affect Certificate Services
Document detailing the fault-tolerant infrastructure for the Root CA / Subordinate CA / Issuing CA
Understand the level of administrative access to the CA in the <Customer> environment (CA Administrator, Certificate Manager, Backup Operator and Auditor roles, and who holds local Administrators and Enterprise Admins membership)
Certificate Services can be deployed for the entire organization or for a specific region / department, based on the customer requirement
List of all applications which rely on Microsoft Certificate Services, e.g. [Infrastructure / Business / Mobility / Productivity apps] [WLAN, VPN, S/MIME, IPsec, EFS, Exchange, DirectAccess, SCCM, HTTPS]
Document the number of certificate requests and revocations per location; this helps in designing or restructuring the Active Directory Certificate Services environment
Though there is rarely a reason to deploy multiple root CAs, many organizations have deployed multiple Microsoft root CAs to support isolated environments or applications separately; each additional root has to be distributed to, and trusted by, every client that relies on it
Understand the existing Root CA deployment: whether the Root CA is deployed as 1) Stand-alone Root CA 2) Enterprise Root CA 3) External Root CA (third-party Root CA)
Private keys can be protected by keeping the Root CA offline (powered off or disconnected from the network) and/or by storing the keys in a Hardware Security Module (HSM)
This is critical information: understand the CA certificate validity period, which is set at CA installation (CAPolicy.inf RenewalValidityPeriod / RenewalValidityPeriodUnits) and at each renewal, and the maximum validity the CA allows for the certificates it issues (the ValidityPeriod / ValidityPeriodUnits CA setting)
Understand the key lengths configured (CA keys and template keys) and the key length used at renewal
Web enrollment allows clients to request certificates over a web interface (the CA Web Enrollment pages, or the Certificate Enrollment Web Services introduced in Windows Server 2008 R2)
Description
It is important to understand the current implementation of the AIA repository (e.g. LDAP, an HTTP web site, or a location reachable from the public network)
Understand and document the following: 1) CDP locations 2) CRL validity (publication period and overlap period) 3) Delta CRL configuration
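One way to collect the validity, CRL, delta CRL, CDP and AIA facts asked for in the rows above, as an added example that is not part of the assessment document: it reads the CA's CertSvc registry configuration on the CA itself and decodes the numeric flag prefix of each publication URL (the same values used with certutil -setreg CA\CRLPublicationURLs and CA\CACertPublicationURLs). It assumes the CA common name stored in the registry matches the subject CN of the CA certificate, which is true for default installations.

```powershell
# Added example, not from the assessment document: dump a CA's validity, CRL and
# delta CRL periods and decode the flag prefixes of its CDP and AIA URLs from
# the CertSvc registry configuration. Run on the CA itself as a CA administrator.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$cfg    = Get-ItemProperty -Path (Join-Path $base $caName)

# Flag bits of CRLPublicationURLs (CDP) and CACertPublicationURLs (AIA) entries
$CdpFlags = @{ 1 = 'publish CRLs here'; 2 = 'in CDP ext of issued certs'; 4 = 'in CRLs (delta CRL locator)';
               8 = 'in all CRLs (AD publish location)'; 64 = 'publish delta CRLs here'; 128 = 'in IDP ext of CRLs' }
$AiaFlags = @{ 1 = 'publish CA cert here'; 2 = 'in AIA ext of issued certs'; 32 = 'in OCSP ext of issued certs' }

function Decode-PublicationUrl([string]$entry, [hashtable]$table) {
    # Entries look like "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl"
    $num, $url = $entry -split ':', 2
    $flags   = [int]$num
    $meaning = $table.Keys | Sort-Object | Where-Object { $flags -band $_ } | ForEach-Object { $table[$_] }
    New-Object PSObject -Property @{ Flags = $flags; Meaning = ($meaning -join '; '); Url = $url }
}

"CA name                 : $caName"
"Max issued-cert validity: $($cfg.ValidityPeriodUnits) $($cfg.ValidityPeriod)"
"Base CRL period         : $($cfg.CRLPeriodUnits) $($cfg.CRLPeriod)"
"CRL overlap             : $($cfg.CRLOverlapUnits) $($cfg.CRLOverlapPeriod)"
"Delta CRL period        : $($cfg.CRLDeltaPeriodUnits) $($cfg.CRLDeltaPeriod)  (0 units = delta CRLs disabled)"

# The CA's own certificate validity and key size were fixed at installation /
# last renewal (assumption: registry CA name equals the certificate subject CN)
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName,*" -or $_.Subject -eq "CN=$caName" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($caCert) {
    "CA certificate          : $($caCert.NotBefore) -> $($caCert.NotAfter), key $($caCert.PublicKey.Key.KeySize) bits"
}

'--- CDP (CRLPublicationURLs) ---'
$cfg.CRLPublicationURLs    | ForEach-Object { Decode-PublicationUrl $_ $CdpFlags } | Format-Table Flags, Meaning, Url -AutoSize
'--- AIA (CACertPublicationURLs) ---'
$cfg.CACertPublicationURLs | ForEach-Object { Decode-PublicationUrl $_ $AiaFlags } | Format-Table Flags, Meaning, Url -AutoSize
```

The entries that matter for relying parties are those carrying flag 2: every such URL ends up in issued certificates, so an LDAP-only CDP or AIA means that non-domain clients (mobile devices, partners, internet users) cannot build or check the chain, and a base CRL period shorter than the overlap leaves a window in which a cached CRL has expired before the new one is reachable.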
Understand the existing certificate enrollment processes, which include 1) Manual enrollment 2) Autoenrollment 3) Web enrollment
Understand the certificate templates configured in the organization, including 1) Version 2 templates 2) Version 3 templates 3) Permission configuration on the templates (who holds Enroll, Autoenroll and modify rights)
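The template inventory described above, as an added example that is not part of the assessment document: it lists every template in the forest with its schema version (1 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008, 4 = Windows Server 2012) and the principals allowed to enroll, autoenroll, or modify the template, by matching the Certificate-Enrollment and Certificate-AutoEnrollment extended-right GUIDs in each template's DACL. It assumes the ActiveDirectory module; any authenticated user can read the configuration partition.

```powershell
# Added example, not from the assessment document: list every certificate
# template in the forest with its schema version and the principals allowed to
# enroll, autoenroll, or modify it. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment extended right
$R = [System.DirectoryServices.ActiveDirectoryRights]
$ModifyRights = $R::GenericAll -bor $R::WriteDacl -bor $R::WriteOwner

$templates = Get-ADObject -SearchBase $container -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Template-Schema-Version', nTSecurityDescriptor

$report = foreach ($t in $templates) {
    $enroll = @(); $auto = @(); $modify = @()
    foreach ($ace in $t.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who      = $ace.IdentityReference.Value
        $rights   = $ace.ActiveDirectoryRights
        $extended = ($rights -band $R::ExtendedRight) -ne 0
        $allObj   = $ace.ObjectType -eq [guid]::Empty    # empty GUID: ACE covers all rights / all properties
        if ($extended -and ($ace.ObjectType -eq $EnrollRight -or $allObj))     { $enroll += $who }
        if ($extended -and ($ace.ObjectType -eq $AutoEnrollRight -or $allObj)) { $auto   += $who }
        if (($rights -band $ModifyRights) -ne 0 -or
            ((($rights -band $R::WriteProperty) -ne 0) -and $allObj))           { $modify += $who }
    }
    New-Object PSObject -Property @{
        Template      = $t.Name
        SchemaVersion = $t.'msPKI-Template-Schema-Version'   # 1=W2000, 2=W2003, 3=W2008, 4=W2012
        Enroll        = ($enroll | Sort-Object -Unique) -join ', '
        AutoEnroll    = ($auto   | Sort-Object -Unique) -join ', '
        Modify        = ($modify | Sort-Object -Unique) -join ', '
    }
}
$report | Sort-Object SchemaVersion, Template | Format-Table Template, SchemaVersion, Enroll, AutoEnroll, Modify -Wrap
```

The Modify column answers the "permission configuration" part of this row: anyone listed there can change what the template issues, so it should contain only the PKI administration group. Note that a template is only usable when it is also published on a CA (the certificateTemplates attribute of the pKIEnrollmentService object), so unpublished templates with wide Enroll rights are latent rather than active findings.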
Cross-forest enrollment allows a CA (or multiple CAs) in one AD forest to issue certificates to clients in other AD forests; it requires a two-way forest trust and a Windows Server 2008 R2 enterprise CA
Certificate templates can be configured not to store issued certificates and requests in the CA database ("Do not store certificates and requests in the CA database"); this is commonly used for high-volume, short-lived network authentication certificates. Because the CA keeps no record of them, such certificates cannot be revoked
Design document should describe the existing 1) Processes in place 2) Organizational structure 3) Business units involved 4) Workflow methodologies 5) Current state of the security environment 6) Request and approval process 7) Solution architecture 8) Proof of concept document 9) Reporting strategies 10) Lifecycle management
Document detailing 1) Security policy enforcement 2) Delegation and administration process 3) Workflow process 4) Auditing and reporting process 5) Password management 6) User account lifecycle design
Existing <Customer> access management process, which includes 1) Authentication process 2) Authorization process 3) Access policies 4) Single sign-on process 5) Federated identities 6) Entitlement management process 7) Lifecycle management process
Existing IDM configuration document which details the following: 1) Credential management 2) Self-service process 3) Profile management 4) User management 5) Registration and enrollment 6) Workflow configuration 7) Policies and role management 8) Delegated administration 9) Application integration 10) Reconciliation
Document detailing all Management Agent (MA) configuration in place, including the accounts used by the MA connectors, the run profiles, and the permissions assigned to those accounts
FIM manages two schemas, the FIM Synchronization Service (metaverse) schema and the FIM Service schema, and both can be extended depending on requirements. The document should explain any changes made at the schema level
Document which explains 1) Management Policy Rules configured in FIM 2) Configuration sets 3) Inbound synchronization rules 4) Outbound synchronization rules 5) Provisioning process 6) AD synchronization rules 7) AD object / attribute configuration
Document which explains 1) Management Policy Rules configured in FIM 2) Configuration sets 3) Inbound synchronization rules 4) Outbound synchronization rules 5) Provisioning process 6) Synchronization rules
Document should outline 1) Group scope and group types 2) FIM group type and group scope 3) MPR configuration for groups 4) Distribution group configuration 5) AD security and distribution group configuration
Document should detail the self-service configuration, which includes 1) Password management in data sources (AD / IBM …) 2) Password Reset user set configuration 3) Authentication workflow configuration 4) Self-service Management Policy Rules
Document should detail 1) DirSync configuration 1.1) Data store synchronization 1.2) Connector filter configuration 1.3) Object type configuration 2) Federation configuration
Document should detail 1) FIM synchronization with Microsoft SCSM 2) SCSM ETL process 3) Role management for accessing reports
Owner Comments
<Customer> (owner of every row in the task list)
Application / Software / Server Systems Installed
Application / Software / Server Systems Not Installed
Configured / Not Configured
Is the entire <Customer> network fully routed and mapped to Active Directory sites and subnets?
Dynamic objects have a TTL (entryTTL) value defined and are deleted automatically by AD when the TTL expires, without leaving a tombstone
Universal group membership caching is an Active Directory site-level setting (on the NTDS Site Settings object) that lets domain controllers in a site without a Global Catalog process logons by caching users' universal group memberships; it reduces but does not eliminate the need for a reachable Global Catalog, since the cache is populated and refreshed from a GC (every 8 hours by default)
Attachments
Requires AD Authentication
Comments
Acknowledgments
Author
Sainath K.E.V
Reviewer
Marcin Policht