

The 12 Essential Tasks of Active Directory Domain Services Administration

Using the right tools and processes helps reduce administrative overhead and ensures directory service is always available

Abstract

Active Directory Domain Services (AD DS) administration and management includes 12 major tasks. These tasks cover a wide breadth of business needs and are not all performed solely by AD DS administrators. In fact, administrators can and should delegate several tasks to other members of their technical community: technicians, help desk personnel, even users such as team managers and administrative assistants. While delegation is a way to reduce the amount of work administrators have to do when managing AD DS infrastructures, it really only addresses one or two of the 12 tasks, for example, user and group administration as well as endpoint device administration. The other ten tasks (security, networked service administration, OU-specific management, Group Policy Object management and many more) can be staggering in nature and, because of this, can take up inordinate amounts of time. You can rely on Microsoft's built-in tools to reduce some of this workload, but are the native tools enough? Perhaps it's time to reduce AD DS administration overhead by automating most tasks and tightening internal security. Address this by first determining what the twelve essential labors of Active Directory are, and then seeing how you can reduce AD DS workloads through the implementation of proper management and administration tools.

Active Directory Domain Services Administration

"Active Directory Domain Services is an effective means to secure and manage a Windows network."

Any systems administrator will agree that Active Directory Domain Services (AD DS) offers comprehensive services for network administration. In fact, AD DS goes beyond the simple Lightweight Directory Access Protocol (LDAP) services most manufacturers publish. An LDAP service is designed to provide an organized set of records, often using a hierarchical structure. For example, a phone book is a simple directory.

Active Directory Domain Services is a directory service that provides a means of securing and managing a Windows network. It also supports links and integration features with other Windows-based services. Because of this, AD DS is the primary directory that is designed to rule and manage users, computers and servers in a distributed network hierarchy.

However, AD DS is first and foremost based on a database, a hierarchical database (see Figure 1). As such, the directory database contains a schema, a database structure. This schema applies to every instance of AD DS, but it can be extended, as when you integrate directory-aware applications such as Microsoft Exchange, Microsoft SharePoint and others into your network structure.

An AD DS instance is defined as an Active Directory forest. The forest is the largest single partition for any given database structure. Everyone who participates in the forest will share a given set of attributes and object types. Forests can be grouped together to share certain information. Windows Server 2003 introduced the concept of forest trusts, which allow forests to share portions of their Active Directory database with others and vice versa. This concept has since been improved in Windows Server 2008.

Figure 1: The Active Directory Domain Services database structure. (Diagram; labels recovered from the original: Domain Naming, Forest Trust, Global Catalog, Schema, Domain, W.NET, X.NET, Z.NET, Domain-specific Contents, Domain Controllers, Read-only DC, Site, Users, Computers, Account Policies, Printers, Etc., Multimaster Replication, GPO Objects, Universal, Global, Domain Local.)

By default, the AD DS database includes over 200 object types and over 1,000 attributes. When you extend the AD DS database, you add more object types or attributes. For example, Microsoft Exchange practically doubles the number of objects and attributes in the forest when it is installed in an AD DS environment.

Like any database, AD DS categorizes the objects it contains, but unlike relational databases, the AD DS database structure is hierarchical because it is based on the Domain Naming System (DNS) structure. In a forest, the root point (analogous to the home page in a DNS structure) is the root domain. Every AD DS forest must contain at least one domain. Domains act as discrete object containers within the forest. Domains can be regrouped into trees. Trees are segregated from each other through their DNS name.

Every forest will include at least one tree and one domain. The domain is both a security policy and administrative boundary within the forest. It is required to contain objects such as users, computers, servers, domain controllers (DCs), printers, file shares, applications, and much more. If you have more than one domain in the forest, it will automatically be linked to all others through a transitive two-way trust.

The domain is defined as a security boundary because it contains rules that apply to the objects it contains. These rules can be in the form of security policies or Group Policy Objects (GPOs). Security policies are global domain rules, but they can be refined through fine-grained password policies and applied to specific groups of objects within the domain. GPOs tend to be more discrete and must be applied to specific container objects. While domains are discrete security boundaries, the forest will always remain the ultimate security boundary within an AD DS structure. The domain is termed an administrative boundary because the policies that apply to its objects do not cross the domain boundary.

Domain contents can be further categorized through grouping object types such as organizational units (OUs) or groups. Organizational units provide groupings that can be used for administrative or delegation purposes. Groups are used mainly for the application of security rights or email distribution lists.

Forests, trees, domains, organizational units, groups, users, and computers are all objects stored within the AD DS database. As such, they can be manipulated globally or from a local Domain Controller. One major difference between Active Directory and a standard database is that in addition to being hierarchical, it is completely decentralized. Information resides in each domain controller, and all DCs except Read Only Domain Controllers (RODCs) can initiate changes, which will be replicated to others through the multi-master replication model.

As you can see, an AD DS environment can become quite complex and can be quite a burden to manage.

In addition, there are two clear contexts of administration within an AD DS database:

- Service administration ensures that the AD DS environment functions properly.
- Data administration provides the entities that rely on AD DS, such as users, applications, services and more, with the information they need to do their work properly.

AD DS administrators and technicians usually manage service administration. Data administration is often delegated to other members of the organization such as individual users, managers, and, in the case of data fed to applications or services, the application developers and administrators.

Twelve Categories of AD DS Administration

When you understand the complexities of AD DS database contents and interaction, you can see that there are several different types of operations required to ensure an AD DS environment operates efficiently and reliably. In fact, Active Directory Domain Services administration or management covers 12 major activities. These activities and their breadth of coverage are described in Table 1, which also outlines which tasks focus on data or content management and which are concentrated on service administration, or which can be delegated and which require high-level administration rights.

Depending on the size of your network, each of the activities included in Table 1 may be a full-time role in many organizations. Delegation of this work, both across organizational and geographical boundaries, helps to spread the work effort and develop skill sets in the resource pool. However, the primary tools supplied by Microsoft do not lend themselves well to this distributed model that is required in today's enterprises. Delegation, audit logging, reporting, and managed controls are all required for effective IT operations, and are primarily driven by audit controls mandated by the leadership of your company. All of the 12 primary AD DS management efforts must be auditable, reportable, controllable and manageable.

Managing the 12 Task Categories

Managing these tasks takes a lot of work. This is why it is so important to automate as many of the tasks as possible. Windows PowerShell is a great help and so is the Active Directory Administration Console (ADAC); however, this all depends on how your network is organized and how many users or computers you need to manage. Small networks can be managed by a single person. Medium networks begin to require more than one person and also require delegation. Large networks or worldwide networks require a strong division of tasks and responsibilities, maximum delegation and complete automation.

Yes, you can perform most of these tasks with the native tools and the native automation features of Windows Server, but you'll also have to take the time to become a PowerShell expert and fully understand the intricacies of your AD DS environment.

Relying on Third-Party Tools

While Microsoft has done a good job of bringing AD DS administration together under one roof with the new tools introduced in Windows Server 2008, there is still a lot left out. Making AD DS administration easier is the goal of third-party products such as Active Roles.

Your goal when looking to third-party tools should be to reduce administration overhead and ensure complete AD DS lockdown.
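The section above argues that delegation is required in medium and large networks and that the native tools make it laborious. As an added example written for this page (not code from the original whitepaper, from Microsoft, or from Active Roles), the following PowerShell script performs the most common data-administration delegation with native tools only: it grants a help desk group the "Reset Password" control access right and write access to lockoutTime (needed to unlock accounts) on user objects beneath one OU, and nothing else. The OU distinguished name "OU=Staff,DC=corp,DC=example" and the group name "HelpDesk-AccountOps" are assumptions; the schema and extended-right GUIDs are looked up from the forest instead of being hard-coded.

```powershell
Import-Module ActiveDirectory

# Assumed names (hypothetical): the OU holding ordinary user accounts and the help-desk delegate group.
$targetOU = "OU=Staff,DC=corp,DC=example"
$delegate = Get-ADGroup -Identity "HelpDesk-AccountOps"

# Resolve the GUIDs from this forest's schema and configuration partitions rather than hard-coding them.
$rootDse    = Get-ADRootDSE
$schemaGuid = @{}
foreach ($name in "user", "lockoutTime") {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    $schemaGuid[$name] = [Guid]$obj.schemaIDGUID
}
$resetRight = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(displayName=Reset Password)" -Properties rightsGuid
$resetGuid = [Guid]$resetRight.rightsGuid

$sid         = $delegate.SID
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# ACE 1: the "Reset Password" control access right, scoped to user objects below the OU (not the OU itself).
$resetRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
    $resetGuid, $descendants, $schemaGuid["user"])

# ACE 2: read and write lockoutTime on user objects, which is what unlocking an account requires.
$unlockRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    $allow, $schemaGuid["lockoutTime"], $descendants, $schemaGuid["user"])

# Apply both ACEs to the OU through the AD: PowerShell drive.
$acl = Get-Acl -Path "AD:\$targetOU"
$acl.AddAccessRule($resetRule)
$acl.AddAccessRule($unlockRule)
Set-Acl -Path "AD:\$targetOU" -AclObject $acl

# Verify: list only what the delegate group holds on this OU, so over-broad grants are visible at once.
(Get-Acl -Path "AD:\$targetOU").Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType, IsInherited
```

Scoping the ACEs with an inherited object type of "user" and inheritance of Descendents is the part that keeps the delegation narrow: the help desk can reset and unlock user accounts in that subtree but gains no rights on the OU object, on computers, or on groups. Running the verification query periodically across every OU is a cheap way to catch delegations that have drifted from what was intended.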

Table 1: The Twelve Tasks of AD DS Administration

1. User and group account management
This includes user password resets, user creation and deactivation, user group creation, and membership management. Password changes should be delegated to the help desk. Massive account changes and service account administration should be the responsibility of administrators. Global group memberships should be managed by user delegates.

2. Endpoint device administration
All computers in a Windows network environment must have a computer account. This is how they interact with the directory and how the directory interacts with them. Should be delegated to technicians.

3. Networked service administration
This includes publication of network file shares, printers, Distributed File System (DFS) shares, application directory partitions, possibly Exchange email, and so on. Should be delegated to the administrator of each service type.

4. Group Policy Object (GPO) management
GPOs provide the most powerful model for object management in Windows Server. Should be delegated to appropriate technicians.

5. DNS
DNS is closely tied to the directory, and the operation of the directory service is based on a properly functioning dynamic DNS infrastructure. Because DNS is integrated with the directory, directory DNS administration is the responsibility of the domain administrator.

6. Active Directory topology and replication management
Replication is at the very core of the directory service operation. It covers the configuration of subnets, sites, site links, site link bridges, and bridgehead servers. You should rely heavily on the Knowledge Consistency Checker (KCC), a service that automatically generates replication topologies based on the rules and guidelines you give it to control replication. This is the responsibility of the domain administrator.

7. Active Directory
Configuration administration involves forest, domain, and organizational unit (OU) design and implementation. It also involves Flexible Single Master Operations (FSMO) role, global catalog servers, and DC placement, including RODCs. One additional activity that is related to configuration management is time synchronization. AD DS relies on the PDC Emulator role to synchronize time in the network. These tasks are the responsibility of the forest and

8. Active Directory
AD DS is a database, albeit a distributed one. As such, it includes a database schema. Schema modifications are not done lightly because added objects cannot normally be removed, although they can be deactivated, renamed, and reused. This is the responsibility of the forest administrator.

9. Information management
This refers to the population of the directory with information about the objects it contains. User objects, shared folders, and computer objects can include owners; groups can include managers; printers and computers can include location tracking information. The Active Directory Schema Management console can be used to add or remove content from the global catalog and determine whether an object should be indexed. You can also assign NTDS quotas to make sure no one adds or extracts more information than permitted in the directory. Delegate as many of the information management tasks as possible to appropriate personnel within your organization.

10. Security administration
Security administration covers everything from setting Domain Account and fine-grained password policies, assigning user rights, managing trusts as well as access control list (ACL) and access control entry (ACE) administration. This is the responsibility of the domain administrator or designated operators to whom it has been delegated.

11. Database management
Database management involves Ntds.dit maintenance as well as AD DS object and GPO protection. Includes managing the LostAndFound and LostAndFoundConfig containers, which are designed to collect homeless objects in your directory. Also includes compacting the directory database on each DC. Although AD DS regularly compacts its own database automatically, it is good practice to compact it manually. This also includes object recovery from the AD DS Recycle Bin. This is the responsibility of the domain administrator.

12. AD reporting
Generate reports from your directory to know how it is structured, what it contains, and how it runs. There is no default centralized reporting tool, but you can export data at several levels of the directory. You can also generate GPO reports with the Group Policy Management console. This is the responsibility of the domain administrator and the
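Tasks 6, 7 and 12 in Table 1 (replication, FSMO placement and reporting) are service-administration work that the document says has no centralized native reporting tool. The following PowerShell function is an added example written for this page (not code from the original whitepaper, from Microsoft, or from Active Roles) that automates a first pass at all three with the ActiveDirectory and GroupPolicy modules: it records the FSMO role holders, collects replication failures and stale partner links from every DC, exports a GPO report and the recursive Domain Admins membership, and returns a summary object. The output folder "C:\ADReports" and the four-hour staleness threshold are assumptions.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-ADServiceHealthReport {
    param(
        [string]$OutputFolder = "C:\ADReports",   # assumed path; any writable folder works
        [int]$MaxReplicationAgeHours = 4          # assumed threshold for "stale" replication
    )
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
    $stamp = Get-Date -Format "yyyyMMdd-HHmm"

    # Task 7: record where the forest-wide and domain-wide FSMO roles currently live.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $fsmo = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    # Task 6: replication health from the point of view of every DC in the domain.
    $dcs = @(Get-ADDomainController -Filter *)
    $failures = foreach ($dc in $dcs) {
        Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue
    }
    $cutoff = (Get-Date).AddHours(-$MaxReplicationAgeHours)
    $stale = foreach ($dc in $dcs) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue |
            Where-Object { $_.LastReplicationSuccess -lt $cutoff } |
            Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult
    }

    # Task 12: export the findings, the full GPO report and the privileged-group membership.
    $failures | Export-Csv -Path (Join-Path $OutputFolder "replication-failures-$stamp.csv") -NoTypeInformation
    $stale    | Export-Csv -Path (Join-Path $OutputFolder "stale-partners-$stamp.csv") -NoTypeInformation
    Get-GPOReport -All -ReportType Html -Path (Join-Path $OutputFolder "gpo-report-$stamp.html")
    Get-ADGroupMember -Identity "Domain Admins" -Recursive |
        Select-Object Name, SamAccountName, objectClass |
        Export-Csv -Path (Join-Path $OutputFolder "domain-admins-$stamp.csv") -NoTypeInformation

    # Summary object: suitable for a scheduled task that alerts when the counts are non-zero.
    [pscustomobject]@{
        GeneratedAt         = Get-Date
        DomainControllers   = $dcs.Count
        ReplicationFailures = @($failures).Count
        StalePartnerLinks   = @($stale).Count
        FsmoRoles           = $fsmo
        ReportFolder        = $OutputFolder
    }
}

Get-ADServiceHealthReport
```

Running this from a scheduled task and keeping the dated CSV and HTML files gives a defensible audit trail of the directory's service state over time, which is the "auditable, reportable" requirement the document sets for every task category; diffing consecutive domain-admins exports is also the simplest way to notice an unexpected privileged-group change.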

This is why you need a product that will first, address each of the 12 task categories, and second, provide support for delegation as well as full system automation. Ideally, the tool will offer the majority of the following functions:

1. Automatic user and group provisioning, reducing group and object management overhead.
2. Automatic computer account provisioning.
3. Controlled delegation to ensure networked services and other tasks can be completely and confidently delegated to appropriate personnel in your organization.
4. Group Policy integration to reduce GPO administration overhead.
5. DNS management integration to simplify hierarchical database structure administration.
6. Topology and replication management tools to ensure the directory is always working at its best.
7. Configuration administration to help graft and prune the forest as needed as your organization changes.
8. Control over the schema modification process to ensure AD DS database stability.
9. User self-service and automation to support information management within the directory.
10. Complete security administration of the directory, creating a sort of firewall around the directory structure to protect it.
11. Database management capabilities to ensure the NTDS.DIT database runs at its best.
12. Full reporting, both online and offline, to ensure you are always up to date on the structure and operation of your directory service.

These twelve features focus on the 12 essential tasks of AD DS; however, there should also be additional features such as:

- Automation, integrating the management tool with Windows PowerShell to help generate new scripts automatically.
- Change control, ensuring that the proper authorities provide sign-off on major service changes and to guarantee that all changes are tracked.
- Extensibility to integrate automation and administration tasks to further simplify directory administration.

In the end, you'll see that using a single, integrated tool will greatly simplify the administration of large directory structures and provide an easy way to manage such a complex environment.

Conclusion

Managing large directory structures can be unwieldy, especially if you don't have the tools to properly delegate, manage and audit actions. Even so, when you try using the various built-in tools Microsoft makes available to perform the work, you end up having to become an expert in at least twelve different task categories and risk not being able to conform to other requirements such as auditing, reporting and management of distributed or external resources.

Given the need today to do more with less, and given the little free time most administrators have on their hands, the very best approach is to rely on one single tool set that can tackle all directory tasks in a standard interface. This is where tools such as Active Roles can greatly simplify AD DS management and administration tasks for you while keeping your directory completely secure. Better yet, Active Roles can help you automate the most routine tasks you must undertake to keep your directory service humming. Isn't it time you took a proactive step in reducing your workload? Download a free trial and find out more at quest.com/products/active-roles/.

About the Authors

Original content developed by Nelson Ruest and Danielle Ruest of Resolutions Enterprises Ltd. The Ruests are technology futurists focused on infrastructure design and optimization. The original content has been updated by the One Identity team, primary editor Todd Peterson.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of One Identity LLC.

The information in this document is provided in connection with One Identity products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of One Identity products.

... WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ONE IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. One Identity does not make any commitment to update the information contained in this document.

About One Identity

The One Identity family of identity and access management (IAM) solutions offers IAM for the real world, including business-centric, modular and integrated, and future-ready solutions for identity governance, access management, and privileged management.

If you have any questions regarding your potential use of this material, contact:

One Identity LLC
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656

Refer to our Web site ( for regional and international office information.