How can I implement an Active Directory?

[Kohlmann]

In large companies the implementation of Active Directory is a process that makes a specialized team, divided into groups that cover the three most important phases (Design, Planning and Implementation). This is different to what happens in small companies or even medium, where a single person or sometimes a small group, must assume the entire process. Even still without sufficient experience or knowledge of specific subject. I am here, because I just need some information on the implementation of Active Directory and the initial key considerations. I think that I have explained enough to make you understand. Please help me as soon as possible.

[Elijah2010]

We must always leave with the conviction that a single domain is sufficient. Having a bounded domain only costs significantly both hardware and software, easier to centralize the administration, it is easier to configure, and various reasons I shall not now to narrow the topic. Of course there are valid reasons to justify having more than one domain, but not many, often unrelated to what many think, for example, the number of users.

[Kalanidhi]

Here are some who can justify more than one domain:

• Different account policies for domains to Windows 2003R2. From Windows 2008 this issue is resolved, but if our domain is based on Windows 2003R2 or earlier, then all account policies, such as passwords and blocking are the same for the entire domain. If you need different account policies, it takes more of a domain.
• Unreliable WAN links or low bandwidth available, if the company has more than one physical location is important to consider the WAN links that connect them. Generally you want to ensure everything goes as if this link is not available, which involves placing domain controllers in each site, and that if not properly configured can make a lot of traffic on the link. But we must bear in mind that properly configuring sites, subnets and links we can not only shorten the traffic, but also makes use when configuring the WAN link.

[Osman84]

Consider this scenario: a central site and a branch. As the link has low bandwidth, we decided on two domains, one central and one in the branch. If someone goes to the central branch, to log need to contact a central Domain Controller, and therefore need the WAN link. How do we solve the problem if the link is not active? Sounds easy, put a central Domain Controller at the site of the branch. In this case unfortunately lost everything that they wanted to optimize, since the latter requires central Domain Controller replication of any changes. And it gives just as if we had made a single domain.

[Maadhav]

Sometimes the remote sites do not have the physical security required by a server. This implies that appropriate personnel have physical access to it. It might take him, or make an attack "offline" (Live CD) in which case could access security information throughout the domain. Until Windows 2003R2, avoiding the risk involved to create another domain. Since Windows 2008 it is practically mitigated with the use of Read Only Domain Controllers (RODCs) and that it also does not support changes or replicate information to other drivers, also has copies of user passwords, except that the administrator specifically permits. The RODC is an additional advantage because we can assign a "local administrator" for a person at the remote site can, for example, install software or updates, and need not be domain administrator.

[Acalapati]

This issue should be thought not only based on the current situation, we must also take into account developments that you would expect from the company. The fundamental conditions that we consider are:

• Stable: it does not change over time
• Significant: identifying the best company
• Easy to remember: not just for administrators, users also
• Containing many features: it is written many times
• And finally, one of the toughest matches the name "Internet presence?

The first thing to consider is that although both Internet names, the names of Active Directory (Active Directory) are resolved by the DNS service, each is a separate name space.

[Solitario]

You will be having several alternatives for the name of our Active Directory domain:
"Firm.com": As the Internet presence
A possible alternative if you take some precautions, since there are two DNS servers, one external and one internal. The content must meet only the names of the services that we publish on the Internet. The inmate must meet all names, both internal and the rest of the Internet.
In short you have two DNS, both with a zone firm.com and both authoritative about it, but with different content. Make no mistake
"Internal company.com" Subdomain of Internet presence
in a first time Microsoft recommended the use of such names. It has two possible drawbacks, the possible excessive length, and care not to delegate the subdomain in the external DNSs.
"Firm.local" internet presence name but with suffix "local"
It is an attractive alternative to currently used because it retains the name ("Company") but is not resolvable on the Internet (suffix "local"), giving a possible advantage in terms of safety.

[Warner]

I would like to tell you that, we can mitigate many risks should provide fault tolerance on the domain. For this it is essential to have at least two domain controllers per domain, to the failure or out of one of them all still work, although it can degrade the performance. The fact that all continue to work gives us more time and leisure to make the recovery work.

[Deabelos]

After reading the above post, I would like to add something. So that in case of fall of a domain controller, the other can supply it must meet certain conditions:

1. Have at least two domain controllers in each domain (Obvious)
2. That both are Domain Controllers Global Catalog
3. Both domain controllers are DNS service
4. That all clients are configured as DNS on both Domain Controllers

[DarenHawk]

Considerations for Domain Controllers
Lack of budget - One common problem in small companies. No budget for two servers, one is actually a server, the other may be a desktop machine "well armed." They divided the task properly.
Do not have more than one IP address (Multihomed). It is common to hear problems with this configuration. As the DNS service by default uses Round Robin, the customer can answer with an IP address is not accessible to him, among other problems documented. It should not be VPN server, much less Firewall (Firewall) externalDomain controllers contain the most valuable of the network: the user names and passwords that allow access and modify all network resources. An analogy: Are you hang all their savings in the front door of your house? The domain controller should be just that: Domain Controller. Although it is sometimes difficult in small business, a domain controller should not provide other services to the network. It could be lighter with services such as DHCP or WINS if implemented. But it is not at all recommended to be file server or print let alone applications that can consume many resources, such as SQL, Exchange or other commercial applications.