
MSTD AD DS Implementation Document

Important notes: This document is prepared on the basis of the RFP requirements and the proposed solutions. Each point is divided into three areas: 1. Role or Service, 2. Current Scenario, 3. Solution Design.

Contents

Directory Services
1. Overview of Directory Services
2. Goals for the AD DS deployment
   a. Improving the Security of the MSTD AD Infrastructure
   b. Global Logon
   c. Sharing Active Directory Contact Objects across AD Forests
   d. Sharing AD-Dependent Applications across AD Forests
   e. Optimize Rapid Reconfiguration/Agility
   f. Optimize Affordability/Efficiency
3. AD DS Current Scenario of MSTD
4. Infrastructure for AD DS
5. AD DS Solution Design Architecture
   a) Implementation Decisions
6. AD Setup
7. Forest and Domain
8. Domain Name
9. Domain Controller at Site
10. Domain and Forest Functional Level
11. FSMO Roles (Flexible Single Master Operations)
12. AD Sites and Services
13. AD Global Catalog
14. AD Replication between Two Sites
15. AD DNS
    a) DNS Server features
16. AD Schema
17. Computer and User Policy Management in AD
18. AD DHCP
19. AD OU Structure
20. User and Computer creation in AD
21. AD Services Failover in Hyper-V Structure
22. AD Backup & Restoration

__________________________________________________________
Directory Services
1. Overview of Directory Services
A directory service provides the ability to store information about networked devices and services,
and the people who use them, in a central location within a distributed environment. A directory
service also implements the services that make this information available to users, computers, and
applications. Therefore, a directory service is both a directory (the store of this information) and a set
of services that provide the means to securely add, modify, delete, and locate data in the directory
store.
By deploying Windows Server 2012 Active Directory Domain Services (AD DS) in the MSTD environment, MSTD can take advantage of the centralized, delegated administrative model and the single sign-on (SSO) capability that AD DS provides, or use AD DS as the identity source for a third-party SSO solution.
MSTD can use AD DS in Windows Server 2012 to simplify user and resource management while creating a scalable, secure, and manageable infrastructure. AD DS can be used to manage the network infrastructure, including branch offices, Microsoft Exchange Server, and multiple-forest environments.

Figure 1 illustrates the benefits of AD DS and how it acts as the focal point of the Windows Server 2012 network, demonstrating how it can be used to manage identities and broker relationships between distributed resources. (The figure is not reproduced in this text.)

2. Goals for the AD DS deployment

MSTD organizes its future-state vision around the following goals:

a. Improving the Security of the MSTD AD Infrastructure: the ability to better defend the AD infrastructure from exploitation and to minimize the risk of information compromise, as documented.
b. Global Logon: the ability for any authorized MSTD user to log on to any local MSTD network (Active Directory forest) connected to the intranet, or to any Internet application that authenticates through MSTD's AD DS (e.g. SSO).
c. Sharing Active Directory Contact Objects across AD Forests: the ability for any authorized MSTD user to look up any other MSTD user natively within the desktop Outlook client, Outlook Web Access, or an authorized mobile device (e.g. a Microsoft mobile application).
d. Sharing AD-Dependent Applications across AD Forests: the ability for an authorized MSTD user in one AD forest to securely access applications or systems located in a different AD forest.
e. Optimize Rapid Reconfiguration/Agility: enhance the ability of Windows networks to respond to changing mission needs and to quickly reconstitute following a partial network loss or breach.
f. Optimize Affordability/Efficiency: reduce the overall complexity and cost of operating and defending MSTD networks through AD consolidation and rationalization.

3. AD DS Current Scenario of MSTD

a) Currently MSTD does not have any AD structure at any location.
b) The domain name MAHAVAT.GOV.IN is in use by the existing third-party solution.
c) No single- or multiple-forest structure exists.

4. Infrastructure for AD DS

a) Current Scenario: MSTD does not have any existing infrastructure.
b) Solution Design:
1) Hardware: the PDC (Primary Data Center) and the DRC (Disaster Recovery Center) will each have two physical HP BL660 Gen8 hosts, on which the domain controllers will be deployed as Hyper-V virtual machines.
2) Software: AD DS will be configured on a virtualised Windows Server 2012 Standard Edition operating system.

5. AD DS Solution Design Architecture

a) Implementation Decisions

The following decisions were made in regard to the design and implementation:
a) Single forest, single domain model.
b) Delegated DNS zones.
c) Single sign-on accounts will be in the root domain in the People OU, segregated by Managed By affiliation (including users and groups).
d) Local accounts used as service accounts will be located in the departmental OU.
e) Centralized DNS and WINS will be provided.
f) Physical access to domain controllers is limited to the data centers.
g) Enterprise administrators will make changes to departmental organizational units only in emergencies, after going through proper change control.

6. AD Setup

a) The AD services will be set up on virtual instances of Windows Server 2012 Standard Edition as a single forest, single domain model.

7. Forest and Domain

A) Current Scenario: MSTD does not have any forest structure.
B) Solution Design: A new domain named MAHAVAT.GOV.IN will be deployed as a single forest, single domain. In the deployment phase two AD DS servers will be deployed at each site (2 at PDC and 2 at DRC). Of the two domain controllers at the PDC (Primary Data Center), the first one promoted creates the forest and initially holds all the operations master (FSMO) roles; the second is an additional domain controller (ADC). The two at DRC are also additional domain controllers in the same domain. All writable domain controllers in AD DS are peers (multi-master replication); "primary" here refers only to the order of promotion and to the FSMO role placement described in section 11.

Architecture of the single forest spanning two sites (diagram in the original):

MSTD Forest
  PDC site: DC (first domain controller), ADC1
  DRC site: ADC2, ADC3

8. Domain Name

Active Directory domains are identified by a DNS name, which can be the same as the organization's public domain name, a sub-domain of it, or an alternate name (for example one ending in .local). While Group Policy can be applied to an entire domain, it is typical to apply policies to sub-groups of objects known as organizational units (OUs). Logon names (sAMAccountName and userPrincipalName) must be unique within the domain, and an object's relative distinguished name (its CN or OU) must be unique within its parent container.

A) Current Scenario: MSTD is currently using the domain name mahavat.gov.in with a public IP address provided by the ISP.
B) Solution Design: MSTD can use the same domain name for the new infrastructure, and this domain will also be used for the mail users. At the time of implementation the new public IP address must be updated in the registered (public) DNS, and MSTD should schedule a specific downtime for the change from the existing to the new IP address.
Because the internal AD-integrated DNS zone will then be authoritative for mahavat.gov.in inside the network, this is a split-brain DNS setup: every public record that internal users must reach (the web site, MX records, third-party services under this name) has to be duplicated in the internal zone, or internal clients will fail to resolve it. The list of such records should be captured before cut-over.

9. Domain Controller at Site

When you create the first domain controller in your organization, you are also creating the first domain, the first forest and the first site, and installing Active Directory. Domain controllers running Windows Server 2012 store directory data and manage user and domain interactions, including user logon, authentication and directory searches. Domain controllers are promoted through Server Manager (the AD DS Configuration Wizard) or the ADDSDeployment PowerShell module; the dcpromo wizard is deprecated in Windows Server 2012.
It is good practice to put at least one domain controller in each site to enhance performance and resilience. When users log on to the network, a domain controller must be contacted as part of the logon process; if clients must reach a domain controller in a different site, logon can take a long time and depends on the WAN link. The best performance is obtained when the domain controller at a site is also a global catalog, so that it can answer queries about objects in the entire forest. Enabling many domain controllers as global catalogs can increase replication traffic in a multi-domain forest; in the single-domain forest planned here there is no extra replication cost, because every domain controller already holds the only domain partition.

A) Current Scenario: MSTD does not have a domain controller at either site.
B) Solution Design: MSTD will deploy four domain controllers in total, two at each site. The PDC (Primary Data Center) will have two domain controllers, the first of which creates the domain and the second of which is an additional domain controller (ADC); the DRC site will have two domain controllers, both additional domain controllers.
Reason for two domain controllers at each site: if one DC fails, users at that site can still log on against the other without crossing the WAN, so a single DC failure causes no logon downtime. This only holds if clients are configured with both local domain controllers as their DNS servers.

10. Domain and Forest Functional Level

When you install Active Directory Domain Services (AD DS), a set of basic Active Directory features is enabled by default. In addition to the features available on individual domain controllers, new domain-wide and forest-wide features become available when all domain controllers in the domain or forest run a later version of Windows Server and the functional level is raised accordingly. Raising a functional level is effectively a one-way operation and prevents domain controllers running older versions from being added afterwards.
A) Current Scenario: MSTD does not have any domain.
B) Solution Design: The domain and forest functional level will be Windows Server 2008. Since all four domain controllers run Windows Server 2012, the level can be raised to Windows Server 2008 R2 or Windows Server 2012 once it is confirmed that no older domain controller will ever join; the Active Directory Recycle Bin, for example, requires the Windows Server 2008 R2 forest functional level.
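The promotion sequence of sections 7 and 9 and the functional level of section 10, as an added example using the ADDSDeployment and ActiveDirectory modules of Windows Server 2012. This is editor-supplied code, not part of the MSTD document. The domain name and the Windows Server 2008 level come from the design; the NetBIOS name MAHAVAT, the D: drive paths and the host order are assumptions.

```powershell
# Added example, not part of the MSTD document: promoting the first domain
# controller and the three additional DCs with the ADDSDeployment module that
# ships with Windows Server 2012, at the functional level chosen in section 10.
# Assumptions: NetBIOS name MAHAVAT, database/SYSVOL on D:, DC01 promoted first.

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# --- Step 1: on the first DC at the PDC site. Creates forest, domain, the first
#     site and the AD-integrated DNS zone. The DSRM password is the only way into
#     the DC for offline restores; vault it and do not reuse the admin password.
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'
Install-ADDSForest `
    -DomainName 'mahavat.gov.in' `
    -DomainNetbiosName 'MAHAVAT' `
    -ForestMode Win2008 -DomainMode Win2008 `
    -InstallDns `
    -DatabasePath 'D:\NTDS' -LogPath 'D:\NTDS' -SysvolPath 'D:\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -Force          # suppress the confirmation prompt; the server reboots when done

# --- Step 2: on ADC1, ADC2 and ADC3, after step 1 has completed and its DNS zone
#     is reachable. Each additional DC also runs DNS so no site depends on one resolver.
$cred = Get-Credential -Message 'MAHAVAT domain admin account'
Install-ADDSDomainController `
    -DomainName 'mahavat.gov.in' `
    -Credential $cred `
    -InstallDns `
    -DatabasePath 'D:\NTDS' -LogPath 'D:\NTDS' -SysvolPath 'D:\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -Force
# Sites and subnets (section 12) decide which site a new DC joins; a DC promoted
# before the DRC subnets exist can be moved later with Move-ADDirectoryServer.

# --- Step 3: verify from any DC once all four have rebooted
Import-Module ActiveDirectory
Get-ADForest | Format-List Name, ForestMode, SchemaMaster, DomainNamingMaster
Get-ADDomain | Format-List DNSRoot, NetBIOSName, DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADDomainController -Filter * | Format-Table Name, Site, IsGlobalCatalog, OperatingSystem

# --- Optional, once it is certain no older DC will ever join: raise the levels
#     (one-way) and enable the Recycle Bin, which needs the 2008 R2 forest level.
# Set-ADDomainMode -Identity mahavat.gov.in -DomainMode Windows2008R2Domain
# Set-ADForestMode -Identity mahavat.gov.in -ForestMode Windows2008R2Forest
# Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target mahavat.gov.in
```

Run step 1 on the first server only and wait for it to reboot and advertise before starting step 2; running Install-ADDSForest twice would create two separate forests. The same `$dsrm` is shown for all four DCs for brevity; each DC may (and for privilege separation should) have its own DSRM password.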

11. FSMO Roles (Flexible Single Master Operations)

During installation of Active Directory on Windows Server 2000/2003/2008/2012, all FSMO roles are automatically placed on the first domain controller. Best practice is to place the roles deliberately, which may mean moving some of the Flexible Single Master Operations (FSMO) roles to other domain controllers.

A) Current Scenario: MSTD does not have any domain.

B) Solution Design: MSTD will have two domain controllers in the PDC site. The two forest-wide roles (Schema Master and Domain Naming Master) will remain on the first domain controller, and the three domain-wide roles (PDC Emulator, RID Master and Infrastructure Master) will be placed on ADC1 in the same site.
Reason for placing the roles on different servers: keeping all five roles in the PDC site keeps role-dependent operations (password changes and lockout processing through the PDC Emulator, RID pool allocation, schema changes) local to the main site and spreads the load over two servers. The classic rule that the Infrastructure Master must not sit on a global catalog server applies only to multi-domain forests; in this single-domain forest every DC holds every object, so the Infrastructure Master may be hosted on a GC and the GC placement in section 13 is not constrained by it. If a role holder is permanently lost, the role is seized onto another DC and the old holder is never returned to service without being demoted and re-promoted.
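The role transfer described above, as an added example (editor-supplied, not code from the MSTD document). Host names DC01 and ADC1 are assumptions; the placement follows the design text.

```powershell
# Added example, not part of the MSTD document: placing the forest-wide roles on
# the first DC and the domain-wide roles on ADC1 in the PDC site, then verifying.
# Assumptions: the first DC is named DC01, the additional DC at the PDC site ADC1.
Import-Module ActiveDirectory
$firstDc = 'DC01'
$adc1    = 'ADC1'

# Forest-wide roles: remain on the first DC (they are created there with the forest)
Move-ADDirectoryServerOperationMasterRole -Identity $firstDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false

# Domain-wide roles: graceful transfer to ADC1 (both DCs must be online; no -Force)
Move-ADDirectoryServerOperationMasterRole -Identity $adc1 `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# Verify the placement from the directory, not from memory
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject][ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# The Infrastructure Master / global catalog conflict exists only when other
# domains' objects need phantom updates; confirm this is a single-domain forest
if ($forest.Domains.Count -eq 1) {
    'Single-domain forest: the Infrastructure Master may be hosted on a GC without side effects.'
}

# Seizure is for a permanently lost holder only (the old holder must never come back
# un-demoted). Same cmdlet, with -Force:
# Move-ADDirectoryServerOperationMasterRole -Identity $adc1 -OperationMasterRole PDCEmulator -Force
```

The PDC Emulator is also the domain's authoritative time source for Kerberos; after the transfer, configure the new holder (ADC1) to synchronise from an external NTP source with `w32tm /config /syncfromflags:manual /manualpeerlist:<ntp-server> /reliable:yes /update`, and leave the other DCs on the default domain hierarchy.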

12. AD Sites and Services

Active Directory Sites and Services is a Microsoft Management Console (MMC) snap-in that you can use to administer the replication of directory data among all sites in an Active Directory Domain Services (AD DS) forest. The snap-in also provides a view of the service-specific objects that are published in AD DS. Administrators responsible for forest-wide service administration use Active Directory Sites and Services to manage the intersite replication topology for the forest; administrators responsible for application services can be delegated responsibility for the service containers into which application-specific objects are published. The same objects can be managed with the AD replication cmdlets of the ActiveDirectory PowerShell module.

A) Current Scenario: MSTD does not have any forest or domain.

B) Solution Design: The AD administrator will configure sites and services per location, and each location will be added using the configuration steps below. For this activity MSTD must provide its site map, including the IP subnets in use at each location, because the subnet-to-site mapping is what makes clients and domain controllers choose the correct site.

The tasks for configuring a new site are:

Creating the site
Mapping the correct IP addresses to the site by creating subnets
Linking the site to one or more other sites by creating a site link and adding the new site to it

13. AD Global Catalog

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain of a multi-domain Active Directory Domain Services (AD DS) forest. It is stored on domain controllers designated as global catalog servers and is distributed through multi-master replication. Searches directed to the global catalog are faster because they do not involve referrals to other domain controllers.
The global catalog provides the ability to locate objects from any domain without knowing the domain name. A global catalog server is a domain controller that, in addition to its full, writable replica of its own domain directory partition, stores a partial, read-only replica of every other domain directory partition in the forest. These additional partitions are partial because only a limited set of attributes is included for each object; by including only the attributes most used for searching, every object in every domain of even the largest forest can be represented in the database of a single global catalog server.

Benefits of the GC service:

Faster user logon support
Universal group membership resolution at logon
User principal name (UPN) logon
Universal group membership caching (for sites without a GC)
Address book lookups: Exchange Server uses the global catalog to store mail recipient data that enables clients in a forest to send and receive e-mail messages

A) Current Scenario: MSTD does not have any GC server.
B) Solution Design: MSTD will configure the GC service on at least one domain controller at each site (PDC and DRC). A GC at each site is required because Exchange Server will be implemented at both sites and needs a local GC for address book lookups and recipient resolution. Because this is a single-domain forest, making all four domain controllers global catalogs adds no replication traffic (there are no other domain partitions to copy) and removes the GC as a single point of failure at each site; this is Microsoft's recommendation for single-domain forests.

14. AD Replication between Two Sites

The replication topology of Active Directory Domain Services provides the network of connections between domain controllers in a forest according to their location in Active Directory sites. A site is an Active Directory object that you create and configure to represent an area of good network connectivity, typically corresponding to a local area network (LAN). The site object is associated with one or more subnets, which are objects that identify a range of IP addresses. Each domain controller has an IP address that maps to a subnet, and that mapping in turn identifies the site of the domain controller. By recognizing domain controllers according to site location, the replication system ensures that each domain controller is updated with directory changes in the most efficient and timely manner possible, given network conditions and directory service configuration. The replication topology is generated automatically at regular intervals by the Knowledge Consistency Checker (KCC) to accommodate network and configuration changes, and is designed to ensure that all domain controllers are connected without redundancy and with minimum cost. Intra-site replication is triggered by change notification within seconds; inter-site replication over a site link runs on the link's schedule and interval (180 minutes by default) and is compressed.

A) Current Scenario: MSTD does not have any site currently, so no replication topology is present.
B) Solution Design: Replication between the two sites will follow the replication map (not reproduced in this text): a single site link between PDC and DRC, with the replication interval set according to the WAN capacity and the acceptable lag for password changes and account lockouts to reach the DRC.
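The site, subnet and site link tasks of section 12, the global catalog placement of section 13 and the replication check of section 14, together in one added example (editor-supplied, not code from the MSTD document). Site names follow the design; the subnets 10.10.0.0/16 and 10.20.0.0/16, the DC names DC01/ADC2/ADC3, the link cost and the 15-minute interval are assumptions for MSTD's site map to replace.

```powershell
# Added example, not part of the MSTD document: building the PDC/DRC site topology,
# enabling one global catalog per site and checking inter-site replication.
# Assumptions: subnets 10.10.0.0/16 (PDC) and 10.20.0.0/16 (DRC), DC names
# DC01/ADC2/ADC3, link cost 100, replication every 15 minutes.
Import-Module ActiveDirectory

# 1. Sites: rename the default site to PDC (the first DC is already in it), add DRC
Get-ADReplicationSite -Identity 'Default-First-Site-Name' | Rename-ADObject -NewName 'PDC'
New-ADReplicationSite -Name 'DRC'

# 2. Subnets: a DC or client whose address matches no subnet is placed arbitrarily,
#    so every network range in the site map must be listed
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'PDC'
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'DRC'

# 3. One site link between the two sites; the default link already contains PDC
Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' | Rename-ADObject -NewName 'PDC-DRC'
Set-ADReplicationSiteLink -Identity 'PDC-DRC' -SitesIncluded @{ Add = 'DRC' } `
    -Cost 100 -ReplicationFrequencyInMinutes 15

# 4. DCs promoted before the DRC subnet existed are moved to their proper site
foreach ($dc in 'ADC2', 'ADC3') { Move-ADDirectoryServer -Identity $dc -Site 'DRC' }

# 5. Global catalog: bit 0 of the 'options' attribute on the DC's NTDS Settings object
function Set-GlobalCatalog([string]$DcName, [bool]$Enabled) {
    $ntds = (Get-ADDomainController -Identity $DcName).NTDSSettingsObjectDN
    $opts = [int](Get-ADObject -Identity $ntds -Properties options).options
    $opts = if ($Enabled) { $opts -bor 1 } else { $opts -band (-bnot 1) }
    Set-ADObject -Identity $ntds -Replace @{ options = $opts }
}
# One GC per site as in the design. In a single-domain forest all four DCs could
# be GCs at no replication cost, removing the GC as a per-site single point of failure.
Set-GlobalCatalog 'DC01' $true
Set-GlobalCatalog 'ADC2' $true

# 6. Recompute the topology now and confirm every DC replicates with its partners
repadmin /kcc                       # run the Knowledge Consistency Checker immediately
repadmin /syncall /AdeP             # push all partitions to all DCs across sites
Get-ADDomainController -Filter * | Format-Table Name, Site, IsGlobalCatalog
Get-ADReplicationPartnerMetadata -Target 'mahavat.gov.in' -Scope Domain |
    Format-Table Server, Partner, LastReplicationSuccess, LastReplicationResult
Get-ADReplicationFailure -Target 'mahavat.gov.in' -Scope Domain   # no output = healthy
```

Ideally steps 1 to 3 run before the DRC domain controllers are promoted, so they land in the right site automatically; step 4 is the repair when they were promoted first. `LastReplicationResult` of 0 on every partner row and an empty `Get-ADReplicationFailure` are the conditions to check before declaring the second site operational.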

15. AD DNS

Domain Name System (DNS) is a system for naming computers and network services that is organized into a hierarchy of domains. DNS naming is used in TCP/IP networks, such as the Internet, to locate computers and services by user-friendly names. When a user enters a DNS name in an application, DNS can resolve the name to other information associated with it, such as an IP address.
For example, most users prefer a friendly name such as corp.contoso.com to locate a computer, such as a mail server or web server, on a network. A friendly name is easier to learn and remember, but computers communicate over a network using numeric addresses. Name systems such as DNS map the user-friendly name of a computer or service to its numeric address.
The DNS Server role in Windows Server 2012 combines support for standard DNS protocols with the benefits of integration with Active Directory Domain Services (AD DS) and other Windows networking and security features, including secure dynamic update of DNS resource records.

a) DNS Server features

An RFC-compliant DNS server
Interoperability with other DNS server implementations
Support for Active Directory Domain Services (AD DS)
Enhancements to DNS zone storage in AD DS
Conditional forwarders
Stub zones
Enhanced DNS security features
Integration with other Microsoft networking services

Current Scenario: MSTD does not have any domain.

Solution Design: The AD administrator will configure DNS on the domain controllers, starting with the first one, with the zone for mahavat.gov.in stored in AD DS. The zone will hold the A records, the SRV records that clients use to locate domain controllers and Kerberos KDCs, and CNAME records where required. AD DS depends on DNS: a client that cannot resolve the SRV records cannot log on. For that reason DNS should run on all four domain controllers (the AD-integrated zone replicates with the directory), every client should be configured with the two domain controllers of its own site as DNS servers, and dynamic updates on the zone should be restricted to secure updates only. Internet name resolution is provided by forwarders on the domain controllers pointing at the ISP's resolvers. The domain controllers are the clients' DNS servers, not their network gateway, and they must not be reachable as recursive resolvers from the Internet.
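The DNS configuration described above, as an added example (editor-supplied, not code from the MSTD document). It requires the DnsServer module that comes with the DNS role. The zone name is from the design; the forwarder addresses 203.0.113.1/2 and the web server address 198.51.100.10 are documentation-range placeholders for the ISP's resolvers and MSTD's public web host.

```powershell
# Added example, not part of the MSTD document: hardening and checking DNS on the
# domain controllers. Assumptions: ISP resolvers 203.0.113.1 and 203.0.113.2,
# public web host 198.51.100.10 (RFC 5737 documentation addresses).
Import-Module DnsServer
$zone = 'mahavat.gov.in'

# 1. The zone is AD-integrated (replicates with the directory to every DC running
#    DNS) and accepts secure dynamic updates only, so that only authenticated
#    domain members can register or overwrite records
Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure
Get-DnsServerZone -Name $zone | Format-List ZoneName, IsDsIntegrated, DynamicUpdate, ReplicationScope

# 2. Stale records: let dynamic records age out instead of accumulating
Set-DnsServerScavenging -ScavengingState $true -RefreshInterval 7.00:00:00 `
    -NoRefreshInterval 7.00:00:00 -ApplyOnAllZones

# 3. Internet names go out through forwarders, not root hints; the DCs serve only
#    the internal network and are never Internet-facing recursive resolvers
Set-DnsServerForwarder -IPAddress 203.0.113.1, 203.0.113.2 -UseRootHint $false

# 4. Split-brain consequence of reusing the public name: public hosts that internal
#    users must reach have to exist in the internal zone as well
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'www' -IPv4Address '198.51.100.10'

# 5. The records clients depend on to find a DC and a KDC; an empty answer means a
#    DC failed to register itself (check the Netlogon service, then 'nltest /dsregdns')
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$zone" -Type SRV | Format-Table NameTarget, Port, Priority
Resolve-DnsName -Name "_kerberos._tcp.$zone"       -Type SRV | Format-Table NameTarget, Port, Priority
```

Step 5 should list every domain controller; a DC missing from the SRV answers is invisible to clients even if the directory on it is healthy.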

16. AD Schema

Active Directory Schema is a Microsoft Management Console (MMC) snap-in that you can use to view and manage the Active Directory Domain Services (AD DS) schema. The schema defines every object class and attribute the directory can store; it is forest-wide, is changed only on the Schema Master, and extensions cannot be rolled back.
Current Scenario: MSTD does not have any domain.
Solution Design: The default schema is installed with Active Directory Domain Services. Because Exchange 2013 will be deployed in the MSTD infrastructure, the administration team must extend the schema. The schema will be extended at the time of the first Exchange installation with the following command, run with an account that is a member of Schema Admins and Enterprise Admins, from a server in the same site as the Schema Master, after a system state backup of the Schema Master:
Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
The first Exchange installation additionally requires Setup.exe /PrepareAD (with /OrganizationName for a new organization) and Setup.exe /PrepareDomain, and the schema change must have replicated to all domain controllers before Exchange setup proceeds.
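The checks a schema administrator runs around the command above, as an added example (editor-supplied, not code from the MSTD document). The Setup.exe switches are Microsoft's; the media path X:\, the organization name 'MSTD' and the backup target E: are assumptions.

```powershell
# Added example, not part of the MSTD document: pre- and post-checks around the
# Exchange 2013 schema extension. Assumptions: Exchange media mounted at X:,
# organization name 'MSTD', system state backup target E:.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. Rights and location: Schema Admins + Enterprise Admins, run from a server in
#    the same site as the Schema Master (Setup binds to it directly)
$groups = (Get-ADPrincipalGroupMembership -Identity $env:USERNAME).Name
foreach ($g in 'Schema Admins', 'Enterprise Admins') {
    if ($g -notin $groups) { throw "$env:USERNAME is not a member of '$g'" }
}
"Schema Master: $((Get-ADForest).SchemaMaster)"

function Get-ExchangeSchemaVersion([string]$Server = '') {
    # rangeUpper of ms-Exch-Schema-Version-Pt is the marker that Exchange setup raises
    $params = @{ SearchBase = $schemaNC; LDAPFilter = '(name=ms-Exch-Schema-Version-Pt)'; Properties = 'rangeUpper' }
    if ($Server) { $params.Server = $Server }
    $obj = Get-ADObject @params
    if ($obj) { $obj.rangeUpper } else { 'absent (schema not yet extended for Exchange)' }
}
"objectVersion before: $((Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion)"
"ms-Exch-Schema-Version-Pt before: $(Get-ExchangeSchemaVersion)"

# 2. Schema changes are irreversible: system state backup of the Schema Master first
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 3. Extend the schema, then prepare the forest (Exchange organization container
#    and groups) and the domain; PrepareAD/PrepareDomain run once per forest/domain
#    for the first Exchange 2013 installation
& 'X:\Setup.exe' /PrepareSchema /IAcceptExchangeServerLicenseTerms
& 'X:\Setup.exe' /PrepareAD /OrganizationName:MSTD /IAcceptExchangeServerLicenseTerms
& 'X:\Setup.exe' /PrepareDomain /IAcceptExchangeServerLicenseTerms

# 4. Push the change to all DCs and confirm each one reports the same new marker
#    before the first Exchange server is installed
repadmin /syncall /AdeP
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    "$dc : ms-Exch-Schema-Version-Pt = $(Get-ExchangeSchemaVersion -Server $dc)"
}
```

Step 4 is the one most often skipped: an Exchange server installed against a DC that has not yet received the extended schema fails part-way through setup.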

17. Computer and User Policy Management in AD

Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. You can manage both in an Active Directory Domain Services (AD DS) environment through the Group Policy Management Console (GPMC). By using Group Policy, you can significantly reduce the organization's total cost of ownership. Various factors, such as the large number of available policy settings, the interaction between multiple policies, and inheritance options, can make Group Policy design complex.
Current Scenario: MSTD does not have any group policy.
Solution Design: The AD administrator will configure all new Group Policy Objects through the GPMC after the basic installation of the AD services. MSTD management needs to discuss and finalize the changes that are to be enforced through Group Policy. Policies should be linked to the OUs holding the targeted users and computers rather than to the domain root, and each policy should be tested on a pilot OU before its scope is widened.
Below are some of the applications and services that can be controlled through Group Policy: account lockout policy, screen saver settings, logon script publishing, folder share (drive mapping) allotment, populating desktop icons, assigning printers, limiting Internet Explorer options through the managed Administrative Templates, disabling USB storage, and delegation rights.
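Three of the controls listed above (lockout policy, screen saver lock, USB storage block) as an added example using the GroupPolicy and ActiveDirectory modules (editor-supplied, not code from the MSTD document). The GPO name, the target OU path and the lockout and timeout values are assumptions to be replaced by the values MSTD finalizes.

```powershell
# Added example, not part of the MSTD document: implementing three of the listed
# Group Policy controls. Assumptions: GPO name 'MSTD-Workstation-Baseline', target
# OU below OU=MSTD, lockout/timeout values as placeholders.
Import-Module GroupPolicy, ActiveDirectory
$targetOU = 'OU=Workstations,OU=Mumbai-HQ,OU=Computers,OU=MSTD,DC=mahavat,DC=gov,DC=in'

# 1. Account lockout. Domain-wide values live in the Default Domain Policy (Computer
#    Configuration > Policies > Windows Settings > Security Settings > Account Policies).
#    With the domain at the Windows Server 2008 functional level, a fine-grained
#    password policy can tighten them for privileged accounts without touching the default.
New-ADFineGrainedPasswordPolicy -Name 'Admins-Strict' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 14 -MaxPasswordAge '60.00:00:00' `
    -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'
Add-ADFineGrainedPasswordPolicySubject -Identity 'Admins-Strict' -Subjects 'Domain Admins'

# 2. Screen saver lock (User Configuration > Policies > Administrative Templates >
#    Control Panel > Personalization) and removable storage block (Computer
#    Configuration > Policies > Administrative Templates > System > Removable Storage
#    Access), both registry-backed policy settings
$gpo  = New-GPO -Name 'MSTD-Workstation-Baseline' -Comment 'Screen lock + removable storage deny'
$desk = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $desk -ValueName 'ScreenSaveActive'    -Type String -Value '1'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $desk -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $desk -ValueName 'ScreenSaveTimeOut'   -Type String -Value '900'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $desk -ValueName 'SCRNSAVE.EXE'        -Type String -Value 'scrnsave.scr'
# "All Removable Storage classes: Deny all access"
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices' `
    -ValueName 'Deny_All' -Type DWord -Value 1

# 3. Link to the pilot OU (not enforced, so a lower OU can still block inheritance
#    during testing) and export the settings for review
New-GPLink -Name $gpo.DisplayName -Target $targetOU -LinkEnabled Yes -Enforced No
Get-GPOReport -Name $gpo.DisplayName -ReportType Html -Path "$env:TEMP\MSTD-Workstation-Baseline.html"
```

Because the screen saver settings are in the user half of the GPO while the link targets a computer OU, they take effect only if the GPO is also linked where the user accounts live, or if loopback processing is enabled on the workstation OU; the practitioner decides which fits the design.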

18. AD DHCP

Dynamic Host Configuration Protocol (DHCP) is a client-server technology that allows DHCP servers to assign, or lease, IP addresses to computers and other devices that are enabled as DHCP clients. When DHCP servers are deployed on the network, client computers and other TCP/IPv4- and IPv6-based network devices can automatically be provided with valid IP addresses.
Current Scenario: MSTD does not have DHCP configured in any AD.
Solution Design: In the new PDC and DRC infrastructure there is currently no requirement for DHCP services. If MSTD management later requires it, the AD administrator will enable the DHCP role at the PDC, authorize the server in AD DS (an unauthorized DHCP server in a domain does not lease addresses) and create scopes per network subnet.

19. AD OU Structure

After domain planning is complete, an OU structure can be designed. In the best-practice OU model, departments within the domain manage their internal operations, while the domain's IT staff manages the overall infrastructure. In other words, each department manages its objects in the directory, while the domain IT staff manages the configuration of the directory service itself.
Best practice for OU design introduces the role of "OU owner". An OU owner is a delegated administrator: someone who manages the users and resources within an OU (comparable to the administrator of a separate resource domain in older, pre-Active Directory designs) without holding domain-wide administrative rights. Delegation is done through the OU's access control list, for example with the Delegation of Control Wizard, so that departmental staff never need membership of Domain Admins.
Expect to make periodic changes to the OU structure to reflect changes in the administrative structure and to support policy-based administration; OUs are designed to be easily changed.
OUs are containers within domains that can contain other OUs, users, groups, computers and other objects. OUs and sub-OUs form a hierarchical structure within a domain and are used primarily to group objects for management purposes (delegation and Group Policy); they are not security principals and cannot be granted permissions on resources.

Current Scenario: MSTD does not have any OU structure. The original document shows, as an example, the office structure of one MSTD location (the CST office chart is not reproduced in this text).

Solution Design: Following the CST office structure above, the AD administrator will create OUs by type, location and department. For the OU structure configuration, MSTD needs to provide the complete location chart and department chart, which also determine the Group Policy links on the OUs. A sample OU architecture to be used in AD follows in the original document (diagram not reproduced here).

20. User and Computer creation in AD

Active Directory Users and Computers is used to manage user, group and computer accounts. It is an MMC snap-in that is a standard part of the Microsoft Windows Server operating systems. Note that Exchange 2013 does not extend this snap-in; Exchange recipient tasks are performed in the Exchange Admin Center or the Exchange Management Shell, which act on the same AD objects.
You can use Active Directory Users and Computers to create new user accounts or manage existing ones. Some of the tasks for which the snap-in is used:
a) Create a new user account
b) Reset a user password
c) Copy a user account
d) Move a user account
e) Set logon hours
f) Disable or enable a user account
g) Map a certificate to a user account
h) Change a user's primary group
i) Delete a user account
Current Scenario: MSTD does not have any AD structure.
Solution Design: The AD administrator will create the user and computer accounts as per MSTD's requirements. MSTD currently has a user and computer account setup (shown in the original document as a user creation sample, not reproduced here) which will be standardized to the new requirements during the operations phase. One naming convention should be fixed for sAMAccountName and for the userPrincipalName suffix (matching the mail domain), every account should be created directly in its target OU so it receives the intended Group Policy and delegation, and shared or generic accounts should be avoided because they remove accountability.
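The OU hierarchy of section 19 and the account creation of section 20 (with the People and departmental OU placement decided in section 5), as one added example (editor-supplied, not code from the MSTD document). The department and location names, the account names and the workstation name are assumptions standing in for MSTD's charts.

```powershell
# Added example, not part of the MSTD document: creating the type > location >
# department OU hierarchy and populating it with the account types of the design.
# Assumptions: departments Registration/Audit/IT, locations Mumbai-HQ/Pune,
# sample accounts apatil and svc-audit-report, workstation PUN-WS-0001.
Import-Module ActiveDirectory
$base = 'DC=mahavat,DC=gov,DC=in'

function New-OUPath([string]$Name, [string]$ParentDN) {
    # Idempotent: returns the DN, creating the OU only if it does not exist yet.
    # Accidental-deletion protection stops a mis-click from removing a whole branch.
    $dn = "OU=$Name,$ParentDN"
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $ParentDN -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

$depts     = 'Registration', 'Audit', 'IT'   # assumed department chart
$locations = 'Mumbai-HQ', 'Pune'             # assumed location chart

$root     = New-OUPath 'MSTD'        $base
$people   = New-OUPath 'People'      $root   # SSO user accounts (decision 5c)
$deptRoot = New-OUPath 'Departments' $root   # departmental service accounts and groups (5d)
$compRoot = New-OUPath 'Computers'   $root   # computers by location

foreach ($d in $depts) {
    New-OUPath $d $people | Out-Null
    $dOU = New-OUPath $d $deptRoot
    New-OUPath 'Service Accounts' $dOU | Out-Null
    New-OUPath 'Groups'           $dOU | Out-Null
}
foreach ($l in $locations) {
    $lOU = New-OUPath $l $compRoot
    New-OUPath 'Workstations' $lOU | Out-Null
    New-OUPath 'Servers'      $lOU | Out-Null
}

# Person: UPN matches the mail domain, password must be changed at first logon
$initial = Read-Host -AsSecureString 'Initial password for apatil'
New-ADUser -Name 'Asha Patil' -GivenName 'Asha' -Surname 'Patil' `
    -SamAccountName 'apatil' -UserPrincipalName 'apatil@mahavat.gov.in' `
    -Path "OU=Audit,$people" -Department 'Audit' `
    -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true

# Service account in its department's OU: long random password, no delegation,
# AES-only Kerberos, and never a member of an administrative group
Add-Type -AssemblyName System.Web
$svcPw = ConvertTo-SecureString ([System.Web.Security.Membership]::GeneratePassword(32, 8)) -AsPlainText -Force
New-ADUser -Name 'svc-audit-report' -SamAccountName 'svc-audit-report' `
    -UserPrincipalName 'svc-audit-report@mahavat.gov.in' `
    -Path "OU=Service Accounts,OU=Audit,$deptRoot" -Description 'Audit reporting service' `
    -AccountPassword $svcPw -Enabled $true -PasswordNeverExpires $true `
    -AccountNotDelegated $true -KerberosEncryptionType AES128, AES256

# Pre-staged workstation: the domain join lands in the OU that carries its GPOs
# instead of the default Computers container
New-ADComputer -Name 'PUN-WS-0001' -Path "OU=Workstations,OU=Pune,$compRoot" -Enabled $true

Get-ADOrganizationalUnit -SearchBase $root -Filter * | Sort-Object DistinguishedName |
    Format-Table Name, DistinguishedName -AutoSize
```

Where the application supports it, a Windows Server 2012 group Managed Service Account (`New-ADServiceAccount`) replaces the static never-expiring password of the service account shown here. Computers that are joined without pre-staging can be steered into a location OU with `redircmp`, which changes the default container for new computer objects.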

21. AD Services Failover in Hyper-V Structure

Windows Server 2012 Hyper-V introduces the VM-Generation ID (VMGenID). VMGenID provides a way for the hypervisor to tell the guest OS that a significant change has occurred; for example, the hypervisor can signal to a virtualized DC that a restore from a snapshot has occurred (Hyper-V snapshot restore, not a backup restore). AD DS in Windows Server 2012 is aware of VMGenID and uses it to detect such hypervisor operations: when the ID changes, the DC discards its RID pool, resets its invocation ID and performs a non-authoritative restore of SYSVOL, which prevents the USN rollback and duplicate SIDs that snapshot restores of earlier DCs caused.
Hyper-V failover.
When a Hyper-V Replica failover occurs (planned or unplanned), the Windows Server 2012 virtualized DC detects a VMGenID change, triggering the safety features above, after which Active Directory operations proceed as normal and the replica VM runs in place of the primary VM. An unplanned failover still rolls the DC back to the last replicated point, so changes it accepted after that point are lost; the safe-restore logic prevents corruption, it does not recover those changes.

Current Scenario: MSTD does not have any VM or Hyper-V setup.

Solution Design: The Hyper-V administrator will create a virtual Windows Server 2012 Standard instance on each HP BL660 Gen8 host (2 in PDC and 2 in DRC), and the Active Directory domain will be set up on these instances. Because AD DS is multi-master, failover between domain controllers needs no switch-over step: if a host or virtual instance fails, clients locate the other domain controller at the same site through DNS SRV records and continue to log on until the failed domain controller comes back. Only the FSMO roles are bound to a specific server, and they are seized onto another DC only if the holder is lost for good. Hyper-V checkpoints (snapshots) of domain controllers must not be used as a backup mechanism, and because administrators of the Hyper-V hosts can copy or control the DC virtual disks, host administration must be restricted as tightly as domain administration.
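What a DC outage and a VMGenID event look like from the AD side, as an added example (editor-supplied, not code from the MSTD document). The domain name is from the design; the site name PDC is an assumption.

```powershell
# Added example, not part of the MSTD document: verifying DC failover behaviour on
# the virtualized Windows Server 2012 DCs. Assumption: the PDC site is named 'PDC'.
Import-Module ActiveDirectory

# 1. There is no "primary" DC for clients: the DC locator returns any DC that
#    advertises the requested services, preferring the client's own site. Run this
#    while one DC is down and the answer simply moves to the surviving one.
Get-ADDomainController -Discover -DomainName 'mahavat.gov.in' -SiteName 'PDC' `
    -Service ADWS, GlobalCatalog -ForceDiscover |
    Format-List HostName, Site, IPv4Address
nltest /dsgetdc:mahavat.gov.in /force

# 2. Safe-restore only works if the hypervisor exposes a VM Generation ID; the DC
#    records it in msDS-GenerationId on its own computer object (absent = no protection)
Get-ADDomainController -Filter * | ForEach-Object {
    $obj = Get-ADObject -Identity $_.ComputerObjectDN -Properties 'msDS-GenerationId'
    [pscustomobject]@{ DC = $_.Name; HasVMGenerationId = [bool]$obj.'msDS-GenerationId' }
}

# 3. After an unplanned Hyper-V Replica failover the VMGenID changes; the DC discards
#    its RID pool, resets its invocation ID and re-syncs SYSVOL. Confirm it converged
#    and is advertising again before treating the site as recovered.
repadmin /showrepl
repadmin /replsummary
dcdiag /test:replications /test:sysvolcheck /test:advertising
```

If the failed DC was the PDC Emulator holder and stays down, time synchronisation and lockout processing degrade first; that is the point at which the role is seized, not before.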

22. AD Backup & Restoration

Current Scenario: MSTD does not have any AD, so no backup procedure exists.
Solution Design: The backup administrator will keep a daily backup history of AD. The backup will be taken daily, as per Microsoft best practice, with the Symantec backup utility. It must be a VSS-aware System State (or application-consistent virtual machine) backup of at least one domain controller per site, so that NTDS.dit and SYSVOL are captured consistently; file-level copies and Hyper-V checkpoints are not valid AD backups. A backup is restorable only while it is younger than the forest's tombstone lifetime, and restores (non-authoritative for a lost DC, authoritative through ntdsutil for deleted objects) should be rehearsed in an isolated lab.
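A System State backup with the in-box Windows Server Backup and the checks that make it restorable, as an added example (editor-supplied, not code from the MSTD document). The backup target E: is an assumption; the third-party backup product in the design must deliver the same VSS-aware System State capture.

```powershell
# Added example, not part of the MSTD document: System State backup of a DC and
# the two checks that decide whether a backup is usable. Assumption: backup target E:.
Import-Module ActiveDirectory
Install-WindowsFeature Windows-Server-Backup

# 1. Daily System State backup (NTDS.dit, SYSVOL, registry, boot files) through VSS
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 2. A backup older than the tombstone lifetime cannot be restored into the forest
#    (the restored DC would resurrect objects everyone else has already purged)
$config = (Get-ADRootDSE).configurationNamingContext
$ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$config" -Properties tombstoneLifetime
$tsl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }   # attribute unset = 60-day legacy default
"Tombstone lifetime: $tsl days; any backup older than this is unusable"

# 3. Date of the last backup as recorded per partition on this DC
repadmin /showbackup

# 4. Restore drill, in an isolated lab only:
#    - boot the DC into Directory Services Restore Mode (the DSRM password from promotion)
#    - wbadmin start systemstaterecovery -version:<id from 'wbadmin get versions'> -backupTarget:E:
#    - for deleted-object recovery, run ntdsutil 'authoritative restore' on just the
#      affected subtree before rebooting, so only that subtree overrides the other DCs
```

Forests created on Windows Server 2003 SP1 or later carry a 180-day tombstone lifetime; the value printed in step 2 is the real limit on how long a daily backup remains useful, and backup retention should be set well inside it.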
