Difference between revisions of "AD DS"

Revision as of 14:09, 18 February 2017

Active Directory Domain Service Design

• Single forest single domain is preferred, 2,150,000,000 objects per domain, FQDN less than 64 characters
• Implement multiple/backup domain controllers (all GCs), implement multiple sites as needed (site, subnet,site link(180 minutes default, 15 minutes minimum), bridge all site links(default))
• Enable Active Directory Recycle Bin
• Enable Protect object from accidental deletion (User, OU, etc)
• User account properties (City, Country, Phone, Job Title, Department, Manager...)
• Grant permission per group, not a single user
• Delegate IT helpdesk group unlock user account permission
• Delegate IT helpdesk group join computer into domain permission

FSMO (Flexible single master operation)

5 FSMO roles

• Schema master / Forest level
  • To make change Schema in forest (such as Exchange, Lync, SCCM)
• Domain naming master / Forest level
  • To add/remove domain in forest
• PDC / Domain level
  • Time root in forest
  • Group policy central management
  • Handle password change specially (the change will sync to PDC immediately)
  • Handle user account lock specially
• RID pool master / Domain level
  • Assign RIDs to DCs (500/time)
• Infrastucture master / Domain level
  • Objects reference in different domains

To check the FSMO servers

• netdom query fsmo

To transfer / seize to FSMO roles

• Ntdsutil
• Roles
• Connections
•  ?
• Connect to server BJDC01
• Quit
• Transfer schema master
• Transfer domain naming master
• Transfer PDC
• Transfer RID master
• Transfer infrastructure master