Top 5 Active Directory Best Practices
Prescriptive guidance about Active Directory has not generally been updated since the January 21, 2005 TechNet Active Directory Best Practices article. Some of the legacy information no longer applies, but we see many of the basics being ignored, putting organizations at high risk:
- Two Domain Controllers. Always have a second domain controller for Active Directory, DNS, and DHCP failover. If you only have one domain controller and it fails, no one can access either the network or the Internet.
- Authoritative Backup. Back up the system state, not simply the virtual image of your domain controllers. Without an authoritative backup you cannot restore Active Directory; you must create a new domain (even if it has the same name) and rejoin all workstations, facing potentially days to weeks of user profile and application problems. If you do not have an authoritative backup when the main domain controller fails but do have a second domain controller, you face the emergency tasks that follow a USN rollback error:
  - Seize the FSMO roles on another domain controller
  - Export any DHCP scopes
  - Manually remove the problem domain controller from Active Directory and shut it down
  - Build another domain controller
  - Import the DHCP scopes
  - Test proper Active Directory replication and network logon
- Standard networking. These rules are law, with few exceptions:
  - Only one network connection is enabled, and it is listed first in binding priority
  - A single static IP address is assigned, with a valid subnet mask and default gateway
  - DNS 1 is the IP address of the machine itself and DNS 2 is the IP address of the second domain controller
  - IPv6 is enabled, with its settings set to obtain an address automatically
  - There are no DNS forwarders pointing to other servers, internal or external
- Firewall On. Domain controllers should have the firewall on, because they are the most sensitive machines on the network, holding the master user security database and the network configuration. The firewall should be on for all devices so that an intrusion or virus outbreak is contained rather than spreading across the network. Backup and anti-virus programs generally will not install without the firewall enabled.
- Anti-virus Installed. If a domain controller is accessed by a malicious intruder, you should have anti-virus in place to prevent installation of a rogue Trojan program or rootkit. With proper exclusions for the files and folders in use, anti-virus does not slow response or interfere with network access on a domain controller.
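The following PowerShell audit is an added example, not part of the original article: it checks a domain controller against the networking and firewall rules listed above and reports each deviation. It assumes Windows Server with the DNS role installed (so the NetTCPIP, DnsClient, DnsServer and NetSecurity modules are available); `$PeerDc` is a placeholder you must replace with the second domain controller's address.

```powershell
# Audit a DC against the networking and firewall rules above (added example).
# Assumption: $PeerDc is the IPv4 address of the second domain controller.
param([string]$PeerDc = '10.0.0.2')

$findings = New-Object System.Collections.Generic.List[string]

# Rule: only one enabled network connection
$up = @(Get-NetAdapter | Where-Object Status -eq 'Up')
if ($up.Count -eq 0) { throw 'No enabled network adapter found' }
if ($up.Count -ne 1) { $findings.Add("Expected 1 enabled adapter, found $($up.Count)") }
$idx = $up[0].ifIndex

# Rule: single static IPv4 address with a default gateway
$ipv4 = @(Get-NetIPAddress -AddressFamily IPv4 -InterfaceIndex $idx -ErrorAction SilentlyContinue)
if ($ipv4.Count -ne 1) { $findings.Add("Expected 1 IPv4 address, found $($ipv4.Count)") }
elseif ($ipv4[0].PrefixOrigin -ne 'Manual') { $findings.Add("IPv4 address is not static ($($ipv4[0].PrefixOrigin))") }
$gw = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
if (-not $gw) { $findings.Add('No IPv4 default gateway configured') }

# Rule: DNS 1 is this machine, DNS 2 is the partner DC
$dns = @((Get-DnsClientServerAddress -InterfaceIndex $idx -AddressFamily IPv4).ServerAddresses)
$self = if ($ipv4.Count -ge 1) { $ipv4[0].IPAddress } else { '<none>' }
if ($dns.Count -lt 2 -or $dns[0] -ne $self -or $dns[1] -ne $PeerDc) {
    $findings.Add("DNS servers are '$($dns -join ', ')'; expected '$self, $PeerDc'")
}

# Rule: IPv6 enabled on the adapter and obtained automatically (no manual address)
$v6 = Get-NetAdapterBinding -Name $up[0].Name -ComponentID 'ms_tcpip6'
if (-not $v6.Enabled) { $findings.Add('IPv6 is disabled on the adapter') }
$v6Manual = Get-NetIPAddress -AddressFamily IPv6 -InterfaceIndex $idx -PrefixOrigin Manual -ErrorAction SilentlyContinue
if ($v6Manual) { $findings.Add('IPv6 has a manually assigned address; expected automatic') }

# Rule: no DNS forwarders configured on the DNS server role
$fwd = (Get-DnsServerForwarder -ErrorAction SilentlyContinue).IPAddress
if ($fwd) { $findings.Add("DNS forwarders present: $($fwd -join ', ')") }

# Rule: Windows Firewall enabled for every profile (Domain, Private, Public)
Get-NetFirewallProfile | Where-Object Enabled -ne 'True' | ForEach-Object {
    $findings.Add("Firewall profile '$($_.Name)' is disabled")
}

if ($findings.Count -eq 0) { 'All networking and firewall rules pass.' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

Run it in an elevated session on each domain controller; any FAIL line is a rule from the list above that the machine currently violates.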
Active Directory and associated network security are the only things that should run on a domain controller. Running applications, hosting websites, and sharing files should be avoided on a domain controller. Microsoft also doesn’t support installation of Exchange (or SQL Server) on a domain controller.