Develop and Implement an Up-To-date Active Directory Strategy
Transcript of Develop and Implement an Up-To-date Active Directory Strategy
-
7/28/2019 Develop and Implement an Up-To-date Active Directory Strategy
1/52
Practical IT Research that Drives Measurable Results
Info-Tech Research Group
Develop and Implement an Up-to-Date Active Directory Strategy
Active Directory Strategy and Migration
Active Directory (AD) is a network security solution included in Windows Server operating systems. AD provides user authentication, manages access to network resources, and can be used to deploy software. To facilitate security and administration, AD enables companies to organize users and systems on the network into a tree-like hierarchical structure.
Windows 2008 and 2008 R2 introduced significant AD security and administration enhancements. The migration to a 2008 platform will be inevitable as earlier OSs no longer meet IT requirements or reach end-of-life. The questions are: when to migrate, and what are the migration best practices?
Those who should read this:
Clients looking to improve their Active Directory structure
Clients evaluating Windows Server 2008 R2 Active Directory
Clients planning/executing a migration to Windows Server 2008 R2
At the end, you will have:
An optimal Active Directory structure for your environment.
An understanding of what's new in 2008 R2 Active Directory.
The criteria required to decide when, and if, to migrate to 2008 R2.
Migration best practices.
Executive Summary
Many organizations have sub-optimal AD structures that are focused more on
organizational hierarchy or political motivators, leading to unnecessary complexity and higher administration costs.
A single forest and single domain is best for most small or mid-sized companies.
Introduce multiple forests or domains only when there are justifiable legal, business,
or technical needs to isolate parts of the organization or grant autonomy.
A key decision facing organizations is when to migrate to Windows 2008 R2 AD.
Although the new security and administration features are significant, by
themselves they do not warrant a migration project.
Wait for opportunities to migrate as part of another project, such as a hardware
refresh or an overall mandate to standardize on Windows 2008 or 2008 R2.
Companies who take full advantage of online Microsoft resources have good success
with migration, and do not need third-party consultants or tools.
Active Directory Introduction, Planning, and Design
Planning and Design: About Active Directory; Best Practices for Design
What's New in 2008 R2: Feature Descriptions; Feature Rankings; Migration Decision
Migrating to 2008 R2: Preparing for Migration; Migration Workflow
Use Active Directory to organize your network, facilitate
administration, and in some cases isolate resources
Active Directory's primary purpose is authenticating users logging on to the network and granting access rights. AD uses the concept of containers to organize users and computers into a hierarchical framework to facilitate administration or isolate resources.
Container | Description
Forest | The top of the AD hierarchy; it provides a boundary between the organization's network and external networks. Multiple forests are required only if parts of the organization must be completely isolated from each other.
Domain | Domains provide administrative and network boundaries within a forest. A forest requires at least one domain and it may be divided into multiple domains. Each domain contains at least one Domain Controller (DC) server which holds the AD configuration settings and user credentials required for authentication. Access between domains can be accomplished where required through trust relationships.
Organizational Units (OUs) | OUs are optional. They are used to divide the domain into smaller units to facilitate or delegate administration.
Groups | Groups are not a subset of OUs, but are a way to organize users within a domain for the purpose of applying group policies and permissions. Software can also be deployed based on group membership. Group policies cannot cross domains, so they must be duplicated when there are multiple domains.
Optimize the replication topology to reduce the need for
regional domains or more expensive WAN links
The Domain Controller (DC) servers hold the AD configuration settings and user credentials. The DC databases are replicated to every other DC in the domain to allow authentication and administration to take place at any location. This generates significant network traffic.
Creating regional domains is one way to reduce cross-country replication traffic, but is often not necessary if you can optimize the replication topology:
Replication Topology: The network connections that enable DCs to be replicated to all other DCs.
Knowledge Consistency Checker (KCC): Creates the replication topology based on the best available connections between DCs.
Sites: Each location can be identified as a site to optimize network traffic between locations as follows:
Authentication and service requests are directed to the closest DC.
While the KCC will define the replication topology within a site, you define the links between sites to minimize WAN traffic. For example, funnel the replication through a central site to minimize east-west traffic, as shown in the diagram.
[Diagram: Single domain with three locations/sites. DC servers in each location allow for local authentication. Cross-country replication traffic is funneled through DCs in a central site.]
Understand the concepts of administration, isolation and autonomy
to further assess the need for multiple forests/domains
Concept | Description
Service Administrators | Manage the overall AD environment, including configuration settings and DC maintenance. Service administrators are, in effect, also data administrators since they have access to all systems.
Data Administrators | Manage a subset of the AD environment, e.g., manage data and member computers.
Isolation | Required when it's necessary to keep other administrators from viewing a subset of data or interfering with administration. For example, legal factors may require certain data or business units to be isolated. Isolation requires a separate forest since any other level (e.g., a domain) would fall under the supervision and control of a higher-level administrator.
Autonomy | Required when part of the AD environment needs to be managed independently. Since autonomy rather than isolation is required, this need can be met with separate domains or potentially OUs depending on the level of autonomy required.
Info-Tech Insight: Restricting administrator access is the primary reason for isolation and autonomy. Small and mid-sized organizations often have a single centralized administration team, so they have no requirement to create isolation or autonomy from other administrators.
Multiple forests and domains lead to greater complexity and
higher administration costs
Multiple forests and multiple autonomous domains require dedicated administration teams, increasing costs. The added complexity also requires more administration effort.
Examples of costs due to multiple forests and domains include:
To achieve true isolation, each forest requires its own administration team.
Similarly, multiple domains, when created to achieve autonomy, require their own administration teams.
Unless each forest or domain is completely independent (e.g., no shared resources and no users who require access to the other forest), multiple forests/domains typically require trust relationships to allow some access.
Group policy settings need to be duplicated in each domain.
"I don't want to create a separate domain and give the local IT guy the keys to the kingdom just because he wants to administer his own users."
Senior Systems Administrator, National Transportation Company
Avoid politically motivated Active Directory designs that lead to
unnecessary multiple forests or domains
Ensure your requirements for multiple forests or domains are real business or technical needs. Below are examples of potential needs:
Organizational Need | Design Requirement | Recommendations
For security or legal reasons, a data subset must be isolated | Isolation | This will require a separate forest to achieve isolation. Limit the number of forest administrators and members.
Account for anticipated divestiture | Isolation | If you are certain that a division will be sold, you can simplify eventually splitting off that AD environment by setting it up as a separate forest.
AD-related development projects | Isolation | Minimize the risk of developers inadvertently affecting the rest of the network by creating a separate forest for the development work.
Multiple namespaces are required | Autonomy | A separate domain must be created for each DNS namespace.
Administrative support for national or international locations | Autonomy or Administration Delegation | Regional domains can ease administrative burden due to time zone and language issues. However, if autonomy is not required, and network bandwidth is not an issue, instead use regional organizational units to delegate administration and maintain a single forest, single domain design.
Further improve administration by using Groups rather than OUs
to organize users for the purpose of applying group policies
The primary purpose of OUs is to delegate administration, not to administer group policies.
It's not necessary to create an OU for each department if it serves no administrative purpose.
When it comes to organizing users and resources for the purpose of administering policies, use groups rather than OUs:
OUs demand exclusive membership, meaning a system allocated to one OU can't be allocated to another. A user that belongs to the Sales OU but has tasks requiring R&D systems would require the creation of a dedicated Sales/R&D hybrid OU to ensure that appropriate permissions exist.
Groups are non-exclusive, so our example user could be enrolled in both the Sales and R&D groups with no additional administration requirements.
Info-Tech Insight: Software can also be deployed based on group membership. Using the scenario above, if deploying software to the R&D group, the Sales staff who also perform R&D are included.
Case Study: Use a single forest and single domain design to
streamline administration complexity and costs
Many organizations large and small have a single forest and domain, and
instead use organizational units to subdivide administration.
AD Design Explanation:
Single forest, single domain, so no domain trust relationships are required.
Each location has its own local administrator, so they are set up as separate OUs.
DC replication is funneled through the central location to minimize cross-country traffic.
A single set of Sales and Management group policies can be applied to users in all locations because they are all in the same domain.
Case Study: Create a separate forest to address isolation needs
The west coast facility has dealings with the military. To meet security requirements, the location must be isolated.
AD Design Explanation:
The west coast location is set up as a separate forest with its own domain.
A one-way trust enables the west coast facility to access east coast resources, but reverse access is not permitted.
Each location has its own local administrator, so they are set up as separate OUs.
Sales and Management groups and policies must be duplicated in each forest/domain.
Use this flowchart to determine Active Directory design
requirements
Follow the steps below to determine whether you need a dedicated (separate) forest, domain or organizational unit to address organizational needs.
1. Identify potential needs in your organization for isolation, autonomy, or delegating administration.
2. For each need, follow the flowchart to identify structure requirements.
3. Diagram the resulting structure and confirm that it meets your overall needs while avoiding unnecessary complexity.
For more information on AD design, see Appendix A: Active Directory Planning and Design Resources.
What's new in Windows 2008 R2 Active Directory
Windows 2008 (R1) added security enhancements such as
Fine-Grained Password Policies and Read-Only Domain Controllers
Feature | Description
Auditing | Enables you to specify which operations to audit and include in the security log.
Fine-Grained Password Policies | Supports multiple password policies per domain, enabling administrators to easily implement more restrictive policies where warranted.
Owner Rights | Enables administrators to specify Owner Rights to override default access rights.
Read-Only Domain Controllers | Does not contain account passwords and replication is one-way only, inbound to the RODC. So if the RODC is compromised, user credentials and the rest of the network are not at risk.
Restartable Active Directory Domain Services | Provides the ability to stop and start AD Domain Services to perform tasks such as security updates without having to restart the DC server.
Database Mounting Tool | In a recovery situation, enables you to compare AD backups or snapshots that were performed at different times to determine which backup is the best one to restore.
Windows 2008 R2 introduced the Administrative Center and more
security enhancements
Feature | Description
Administrative Center | Centralizes administration tools and objects in a task-oriented interface. Search function for locating and navigating to an object.
Authentication Mechanism Assurance | Recognizes the device used to log in, enabling administrators to impose greater restrictions on users logging in from personal devices.
Best Practices Analyzer | Scans your AD environment to check if the configuration is following best practices.
Managed Service Accounts | Simplifies the administration of isolated key shared applications such as Exchange Server and IIS.
Management Pack | Monitors computer and software states to assess availability and performance.
Module for Windows PowerShell | A scripting language that administrators can use to simplify and automate configuration, administration and diagnostic tasks.
Recycle Bin | Provides an undo capability without any downtime. Uses the Tombstone reanimation method which now saves the attributes.
Web Services | Provides a Web service interface to AD domains and AD LDS instances.
Windows 7 Features | BranchCache and DirectAccess provide seamless connectivity for remote Windows 7 users. Offline Domain Join enables pre-provisioning Windows 7 PCs so they automatically join the network at startup.
The new Administrative Center was voted as offering the most
benefit to organizations
Scores based on feature rankings in an Info-Tech survey. N=84
Security features such as Managed Service Accounts, Fine-Grained Password Policies, and Authentication Mechanism Assurance also scored high.
Administrative Center: Saves time with a task-oriented interface and features such as a welcome page that remembers your common tasks.
Managed Service Accounts: Automated password management and improved service principal names (SPN) management make it easier to isolate key shared applications.
Fine-Grained Password Policies: Allows for multiple password policies without having to create multiple domains.
Authentication Mechanism Assurance: Provides the means to apply greater restrictions when users log in from a personal device.
For more details on these features, including special considerations, see Appendix B: New Active Directory Features. In addition, there have been several group policy enhancements as described in the Microsoft article What's New in Group Policy for Windows 7 and Windows Server 2008 R2 (http://technet.microsoft.com/en-us/magazine/2009.10.gpwin7.aspx).
Although the new Active Directory features are significant, they do not justify a migration on their own for most companies
Many companies have deferred migrating to 2008 or 2008 R2 because their Windows 2003 DCs continue to meet their needs and are compatible with most Windows 2008-based applications and systems.
Over 80% of survey respondents indicated "Standardizing on Windows 2008" among their reasons to migrate their AD.
Although the new AD features also scored high, only 2% of respondents selected that as the only reason to migrate.
As more companies begin to plan a Windows 7 rollout, the Windows 7 functionality supported by AD is also becoming a motivating factor.
Similarly, a need to restructure the AD environment or refresh DCs provides a reason to migrate.
Source: Info-Tech survey. N=98
Wait for opportunities to migrate, such as a project that requires
2008 functionality or an infrastructure upgrade
Examples of Opportunities | Why Migrate?
Hardware Refresh | When a DC is due for a refresh, replace it with a Windows 2008 R2 server to put you in a position to later migrate your AD environment to 2008.
Standardize on Windows 2008 | Corporate Standard is the leading adoption driver for Windows 2008 (see Info-Tech's article Why Windows Server 2008? Users Speak Out: http://www.infotech.com/research/why-windows-server-2008-users-speak-out?nav_id=2639). Note that Windows 2003 continues to be compatible with most Windows 2008-based systems, including Exchange Server 2007 and 2010 (see Microsoft's Exchange Server Supportability Matrix: http://technet.microsoft.com/en-us/library/ff728623(EXCHG.141).aspx).
Windows 7 Rollout | Windows 7 remote connectivity features (BranchCache, DirectAccess) available with 2008 R2 AD make it worthwhile to consider migrating your AD environment to 2008 R2 as part of your overall Windows 7 project.
Active Directory Needs to be Restructured | If your AD structure is in need of an overhaul, consider migrating to 2008 R2 at the same time to leverage the new features such as the improved administration functionality.
"I like the compatibility with Windows 7, and the additional group policy settings."
IT Manager, Marketing Company
Use the Active Directory Migration Readiness Assessment Tool to determine when, how, and if you are ready to migrate
This tool will identify whether to migrate, based on your needs and opportunity, and recommend a migration method (in-place, transition, or restructure).
The tool will ask you to indicate the following:
1. Critical needs for the new AD features.
2. Projects underway that would require 2008/2008 R2 AD.
3. Your current OS.
4. If you plan to move to new servers.
5. If your current AD structure is in need of an overhaul.
Download the Active Directory Migration Readiness Assessment Tool: http://www.infotech.com/research/active-directory-migration-readiness-tool
Migrating to Windows 2008 R2 Active Directory
Once you have decided to migrate, choose the migration method
that fits your circumstances
Three migration methods are available, which depend partly on the source server:
In-Place Upgrade (stay on the existing server)
Transitioning (maintaining existing structure while migrating to a new server)
Restructuring (building a new AD environment on new servers)
2000 to 2008 R2 | In-Place Upgrade: The hardware must be compatible with Windows 2008 R2. If the 2008 R2 requirements are met, then ensure you are at 2000 SP4, upgrade to 2003 R2, and then to 2008 R2. Transition and Restructuring: Both are available options as long as the existing server is running at least Windows 2000 native.
2003 to 2008 R2 | In-Place Upgrade: Must be an x64-based Windows Server 2003 (R2). Transition and Restructuring: Available for x86- or x64-based Windows 2003 systems.
NT to 2008 R2 | You must perform an in-place upgrade to either Windows 2000 SP4 or 2003 R2. After that, follow the guidelines above for 2000 or 2003 to 2008 R2 accordingly.
The general workflows described in this section also apply to migration to Windows 2008 (R1), with the exception of system requirements specific to 2008 R2 (e.g., R1 can be 32- or 64-bit).
Make extensive use of Microsoft resources
to ensure a successful migration
An Info-Tech survey found that using third-party consultants had no impact on migration success. Use the available online resources to help you execute a successful migration.
Among respondents who have completed a migration to 2008 AD:
Over 70% reported no unexpected delays, user interruption, or network disruption.
Only 28% used third-party consultants. Those who used consultants had the same success rate as those who did not.
[Chart: Distribution of Success Scores by Third-Party Consultant Usage. X-axis: Migration Success Score (0% to 100%). Y-axis: Frequency (Low to High). Series: Did Not Use Third-Party Consultants; Used Third-Party Consultants. Source: Info-Tech survey. N=35]
In-Place Upgrade offers the cheapest, but also the riskiest and
least beneficial migration
What's Involved?
The OS on the existing DCs is upgraded to Windows 2008 R2.
Benefits
Current AD settings are retained (schema, group policies, etc.).
Least expensive option (no new hardware).
Disadvantages
Staying on old hardware, so typically lower performance than a new system, and shorter shelf life going forward than a new server.
Old data and workaround configurations are retained; not a clean system.
More downtime since the server cannot stay operational during the OS upgrade steps.
Additional Information
Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains: http://technet.microsoft.com/en-us/library/cc731188(WS.10).aspx
Info-Tech Insight: If a new Domain Controller or 2008 R2 license is not in your budget, defer migration if possible until you have the resources to migrate to a new server.
In-Place Upgrade: Preparation and upgrade steps
Microsoft provides several online resources to assist with this procedure. Below are the high-level steps.
1. Follow the steps outlined on slide 24, Before You Begin.
2. Perform pre-upgrade steps as outlined in the Microsoft Pre-Upgrade checklist (http://technet.microsoft.com/en-us/library/cc771954(WS.10).aspx).
3. Use Microsoft's Adprep tool to prepare your AD environment for the addition of a Windows 2008 R2 DC. Once the changes have been replicated to all DCs, you can continue with the next steps. For details, see Microsoft's document Prepare Your Infrastructure for Upgrade (http://technet.microsoft.com/en-us/library/cc771461(WS.10).aspx).
4. Upgrade the first DC OS to 2008 R2. Once that is successful, upgrade the remaining DCs.
5. After you have allowed a settling-in period (e.g., a week) and there are no replication errors or other issues, raise the domain functional level to 2008 R2.
Caution: Once you've raised the domain functional level, you cannot roll it back.
6. Raise the forest functional level.
Caution: Once you've raised the forest functional level, you cannot roll it back.
7. Enable AD optional features such as Recycle Bin if you wish to take advantage of them.
8. Run the Active Directory Best Practices Analyzer. Make any appropriate changes based on the analysis results.
Transitioning provides a safe migration path plus the benefits of
either new hardware or a move to virtualization
What's Involved?
The AD environment is transferred from existing DCs to Windows 2008 R2 servers. The existing DCs are decommissioned or repurposed.
Benefits
Current AD settings are retained (schema, group policies, etc.).
Can migrate to new hardware (longer shelf-life going forward and better performance) or to a virtualized server.
Less downtime because the existing DC can stay operational during most of the migration.
Disadvantages
More expensive, requiring either a new server or an additional virtual server license.
Additional Information
Active Directory Domain Services and DNS Server Migration Guide: http://technet.microsoft.com/en-us/library/dd379558(WS.10).aspx
Active Directory Certificate Services Migration Guide: http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx
Info-Tech Insight: Transitioning is the most common migration method, offers the least disruption to services, and provides the option of migrating from a physical server to a virtualized environment.
Transitioning: Preparation and migration steps
As with the In-Place Upgrade, Microsoft provides several online resources to assist with this procedure. Below are the high-level steps.
1. Follow the steps outlined on slide 24, Before You Begin.
2. Use Microsoft's Adprep tool to prepare your AD environment for the addition of a Windows 2008 R2 DC. Once the changes have been replicated to all DCs, you can continue with the next steps. For details, see Microsoft's document Prepare Your Infrastructure for Upgrade (http://technet.microsoft.com/en-us/library/cc771461(WS.10).aspx).
3. Add a Windows 2008 R2 server to your AD environment, and then promote the server to a DC (dcpromo command). Keep the domain functional level at 2003 until the end of the migration process. For details, see Microsoft's document Install Active Directory Domain Services on the Member Server That Runs Windows Server 2008 or Windows Server 2008 R2 (http://technet.microsoft.com/en-us/library/cc755103(WS.10).aspx).
4. Check the dcpromo.log and dcpromoui.log log files to ensure there are no issues.
5. Install additional 2008 R2 DCs if applicable.
6. Follow the steps in Microsoft's AD DS and DNS Server Migration: Preparing to Migrate (http://technet.microsoft.com/en-us/library/dd392263(WS.10).aspx) to get ready to migrate.
7. Transfer DNS settings and FSMOs to the new server, as outlined in Microsoft's AD DS and DNS Server Migration: Migrating the AD DS and DNS Server Roles (http://technet.microsoft.com/en-us/library/dd379526(WS.10).aspx).
Transitioning: Post-migration steps
To begin taking advantage of the new 2008 and 2008 R2 features, follow the steps below.
8. After you have allowed a settling-in period (e.g., a week) and there are no replication errors or other issues, demote the old DCs.
Caution: If a DC has Exchange Server or IIS installed on it, transfer those to a different server before demoting. Once you've done that, reduce your future admin headaches by demoting the old DCs.
9. Raise the domain functional level.
Caution: Once you've raised the domain functional level, you cannot roll it back.
10. Raise the forest functional level.
Caution: Once you've raised the forest functional level, you cannot roll it back.
11. Enable AD optional features such as Recycle Bin if you wish to take advantage of those features.
12. Run the Active Directory Best Practices Analyzer. Make any appropriate changes based on the analysis results.
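The functional-level steps in both the In-Place Upgrade and Transitioning procedures cannot be rolled back, so it helps to gate them on the conditions the steps name: no pre-2008 R2 DCs left and no replication errors. The PowerShell below is an added example, not part of the original deck or of Microsoft's guides; it assumes the ActiveDirectory module (a 2008 R2 DC or RSAT) and repadmin.exe are available, and the function name and its switches are hypothetical.

```powershell
# Added example: refuse to raise functional levels unless every DC runs
# Windows Server 2008 R2 or later and repadmin reports no replication failures.
# Invoke-FunctionalLevelRaise, -Apply and -EnableRecycleBin are hypothetical names.
Import-Module ActiveDirectory

function Invoke-FunctionalLevelRaise {
    [CmdletBinding()]
    param(
        [switch]$Apply,            # without -Apply the function only reports readiness
        [switch]$EnableRecycleBin  # optional feature; it cannot be disabled once enabled
    )

    $forest   = Get-ADForest
    $blockers = @()

    # Check 1: every DC in every domain of the forest is at NT 6.1 (2008 R2) or later.
    foreach ($name in $forest.Domains) {
        foreach ($dc in (Get-ADDomainController -Filter * -Server $name)) {
            if (-not $dc.OperatingSystemVersion) {
                $blockers += "$($dc.HostName): operating system version is not recorded"
                continue
            }
            # OperatingSystemVersion looks like "6.1 (7601)"; keep the part before the space.
            $ver = [version](($dc.OperatingSystemVersion -split ' ')[0])
            if ($ver -lt [version]'6.1') {
                $blockers += "$($dc.HostName) still runs $($dc.OperatingSystem)"
            }
        }
    }

    # Check 2: no replication failures. repadmin emits one CSV row per inbound
    # replication link; rows tagged showrepl_ERROR mean a DC could not be queried.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        if ($r.showrepl_COLUMNS -eq 'showrepl_ERROR') {
            $blockers += 'repadmin returned an error row: at least one DC could not be queried'
        }
        elseif ([int]$r.'Number of Failures' -gt 0) {
            $blockers += "$($r.'Source DSA') -> $($r.'Destination DSA') [$($r.'Naming Context')]: " +
                         "$($r.'Number of Failures') failure(s), last status $($r.'Last Failure Status')"
        }
    }

    if ($blockers.Count -gt 0) {
        $blockers | ForEach-Object { Write-Warning $_ }
        return $false
    }
    if (-not $Apply) {
        Write-Host 'No blockers found. Re-run with -Apply to raise the functional levels.'
        return $true
    }

    $targetDomain = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
    $targetForest = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest

    # Domains first, then the forest. Both changes are irreversible, so the
    # cmdlets' built-in confirmation prompts are deliberately left enabled.
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name -Server $name
        if ($d.DomainMode -lt $targetDomain) {
            Set-ADDomainMode -Identity $d.DNSRoot -Server $d.PDCEmulator -DomainMode $targetDomain
        }
    }
    if ($forest.ForestMode -lt $targetForest) {
        Set-ADForestMode -Identity $forest.Name -Server $forest.SchemaMaster -ForestMode $targetForest
    }
    if ($EnableRecycleBin) {
        Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
            -Scope ForestOrConfigurationSet -Target $forest.Name
    }
    return $true
}

# Usage (run as a domain/enterprise administrator):
#   Invoke-FunctionalLevelRaise                           # report only
#   Invoke-FunctionalLevelRaise -Apply -EnableRecycleBin  # raise levels, then enable Recycle Bin
```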
Use Restructuring when your current environment is sub-optimal
to the point where starting from scratch is the best recourse
Restructuring will add time to the migration; however, if a restructure is required, it's also an opportunity to start over in a clean environment.
What's Involved?
A new AD structure is built on new Windows 2008 R2 servers. The existing DCs are
decommissioned or repurposed.
Benefits
Less downtime because the existing DC can stay operational during most of the migration.
An opportunity to revamp your AD environment and put in place an optimal structure.
Disadvantages
More expensive, requiring either a new server or an additional virtual server license.
More time required to plan and create the new AD environment as well as plan the move
to 2008 R2.
Additional Information
Best Practice Active Directory Design for Managing Windows Networks
ADMT Guide: Migrating and Restructuring Active Directory Domains
http://technet.microsoft.com/en-us/library/bb727085.aspx
http://technet.microsoft.com/en-us/library/cc974332(WS.10).aspx
Restructuring: Preparation, migration, and post-migration steps
Microsoft provides an Active Directory Migration Tool (ADMT) to facilitate this process.
1 Follow the steps outlined on slide 24, Before You Begin. In addition, review Microsoft's Best Practices for Active Directory Migration.
2 Create the new AD environment on Windows 2008 R2 DCs. Review the slides earlier in this deck for AD design best practices and refer to Microsoft's TechNet for Windows 2008 R2 and AD installation instructions.
3 Add test users to the new environment. Monitor logs to ensure that the new environment is functioning properly.
4 Migrate resources to the new environment as outlined in Microsoft's guide on Interforest Active Directory Domain Restructure.
5 Transfer administration and user accounts to the new environment.
6 After you have allowed a settling-in period and there are no replication errors or other issues, demote the old DCs.
http://technet.microsoft.com/en-us/library/cc974412(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc974335(WS.10).aspx
If you are considering virtual DCs, use a combination of physical
and virtual DCs to meet performance demands
While virtualization enables hardware cost savings, it is not ideal for Domain Controllers.
Potential Performance Issues
DCs make intensive use of RAM. Since RAM is shared with all the other virtual servers hosted by the same hardware, the RAM may not be sufficient to support a busy DC.
MS recommends that you use physical DCs for the following roles:
Global Catalogs
FSMO roles
DNS server
Additional Information:
Microsoft KB article 888794
Deployment Considerations for Virtualized Domain Controllers
Potential Support Issues
As a general rule, MS does not test or support MS software running on non-MS virtualization technology (e.g., VMware).
Those with Premium level support do qualify for assistance but may need to reproduce the problem on a physical server or MS virtualization product.
Supported MS virtualization environments:
Windows 2008 and later with Hyper-V
Microsoft Hyper-V Server 2008 and later
Server Virtualization Validation Program
Additional Information:
Microsoft KB article 897615
Microsoft KB article 957006
http://support.microsoft.com/kb/888794
http://technet.microsoft.com/en-us/library/dd348449(WS.10).aspx
http://support.microsoft.com/kb/897615
http://support.microsoft.com/kb/957006/
Summary
When creating your AD environment, use a single forest and single domain design unless there are strong business or technical reasons for multiple forests or domains.
Use groups rather than OUs to organize users and facilitate applying group policies. Use OUs when you need to delegate administration.
The new 2008 R2 Administrative Center centralizes and streamlines administration. Key security enhancements include Managed Service Accounts, Fine-Grained Password Policies, and Authentication Mechanism Assurance.
Although the new features are significant, they do not warrant a migration project for most companies. Instead wait for opportunities to migrate as part of another project, such as a Windows 7 rollout or overall mandate to standardize on 2008/2008 R2.
Once the migration decision is made, use the available online resources to help you execute a successful migration. The use of third-party consultants does not improve the success rate.
Appendix A: Active Directory Planning and Design Resources
Info-Tech Resources on Planning and Design:
Efficient Active Directory Deployments Require Significant Planning
Active Directory Topology: Seeing the Trees in the Forest
Active Directory Topology: Cultivating Forests
Active Directory Topology: Dividing by Domains
Delegated Administration is the Role of Organizational Units
Additional Microsoft Resources on AD Design:
Best Practice Active Directory Design for Managing Windows Networks
Achieving Autonomy and Isolation with Forests, Domains, and Organizational Units
How Active Directory Replication Topology Works
What's New in Group Policy for Windows 7 and Windows Server 2008 R2
http://www.infotech.com/research/efficient-active-directory-deployments-require-significant-planning?nav_id=2639
http://www.infotech.com/research/active-directory-topology-seeing-the-trees-in-the-forest?nav_id=2639
http://www.infotech.com/research/active-directory-topology-cultivating-forests?nav_id=2639
http://www.infotech.com/research/active-directory-topology-dividing-by-domains?nav_id=2639
http://www.infotech.com/research/delegated-administration-is-the-role-of-ad-organizational-units?nav_id=2639
http://technet.microsoft.com/en-us/library/bb727085.aspx
http://technet.microsoft.com/en-us/library/bb727032.aspx
http://technet.microsoft.com/en-us/library/cc755994(WS.10).aspx
http://technet.microsoft.com/en-us/magazine/2009.10.gpwin7.aspx
Appendix B: New Active Directory Features
This section describes the following new 2008 and 2008 R2 features in the order that they
ranked in the Info-Tech Survey in terms of offering the most benefit to the organization:
1. Administrative Center
2. Managed Service Accounts
3. Fine-Grained Password Policies
4. Authentication Mechanism Assurance
5. Windows 7 Enhancements
6. Best Practices Analyzer
7. Read-Only Domain Controllers
8. Database Mounting Tool
9. Module for PowerShell
10. Recycle Bin
Also described in this appendix:
Auditing Enhancements
Owner Rights
Management Pack
Restartable Active Directory Domain Services
Web Services
Scores based on feature rankings in an Info-Tech survey.
N=84
New Administrative Center streamlines administration
Description and Benefits
Centralizes administration tools and objects in a task-oriented interface for easier
navigation.
The Welcome page remembers which tasks you perform most often, and provides quick
links to those tasks.
New search function expedites locating and navigating to an object.
Depending on access rights and trusts between domains, you can view and manage objects in all domains from a single Administrative Center instance.
Special Considerations
Can be installed on a Windows 7 PC as part of the Remote Server Administration Tools
(RSAT). See Remote Server Administration Tools for Windows 7 (Microsoft Source).
Additional Information
What's New in AD DS: Active Directory Administrative Center (Microsoft TechNet)
http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displayLang=en
http://technet.microsoft.com/en-us/library/dd378856(WS.10).aspx
Managed Service Accounts simplifies
locking down key shared applications
Description and Benefits
Isolating accounts for key shared applications such as Exchange Server and IIS is a
recommended security practice. This feature simplifies the administration of these
accounts with automated password management and improved service principal names
(SPN) management.
Managing these accounts was more complex and time-consuming in previous AD versions
(e.g., required manual password management).
Special Considerations
Managed service accounts can be used only for applications installed on Windows Server
2008 R2 or Windows 7.
Additional Information
Service Accounts Step-by-Step Guide (Microsoft TechNet)
http://technet.microsoft.com/en-us/library/dd548356(WS.10).aspx
Fine-Grained Password Policies feature enables multiple
password and lockout policies per domain
Description and Benefits
Previous AD versions permitted only a single password and account lockout policy per
domain. To have separate policies for different sets of users required a password filter or
multiple domains, adding to the administrative burden and complicating the AD
environment.
With the ability to have multiple password policies per domain, it's much easier to
implement more restrictive policies where warranted.
Special Considerations
Fine-grained password policies are assigned at the group level. If users are grouped only
into Organizational Units, then set up a shadow group for the OU.
Custom password filters are not affected and can still be used to apply additional
restrictions.
Additional Information
AD DS: Fine-Grained Password Policies (Microsoft TechNet)
http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
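The shadow-group approach from the Fine-Grained Password Policies slide, shown as an added PowerShell example (not part of the Info-Tech deck). The OU path, group name, policy name and policy values are placeholders chosen for illustration; it assumes the Active Directory module and a domain functional level of Windows Server 2008 or higher.

```powershell
# Added example. All names and policy values below are hypothetical.
Import-Module ActiveDirectory

$OuDn        = 'OU=Finance,DC=corp,DC=example,DC=com'
$ShadowGroup = 'FGPP-Finance-Shadow'
$PolicyName  = 'PSO-Finance'

# 1. Shadow group: a global security group that mirrors the OU's users,
#    because a password policy can target users and groups but not an OU.
if (-not (Get-ADGroup -Filter "Name -eq '$ShadowGroup'")) {
    New-ADGroup -Name $ShadowGroup -GroupScope Global `
        -GroupCategory Security -Path $OuDn
}

# 2. The stricter policy, linked to the shadow group on first creation.
#    Lower Precedence values win when several policies reach one user.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 `
        -MinPasswordLength 14 -PasswordHistoryCount 24 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' `
        -LockoutDuration '00:30:00'
    Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName `
        -Subjects $ShadowGroup
}

# 3. Sync: the group does not follow the OU by itself, so users moved in
#    or out of the OU must be added or removed. Schedule this part.
$ouUsers = @(Get-ADUser -Filter * -SearchBase $OuDn -SearchScope Subtree |
    ForEach-Object { $_.DistinguishedName })
$members = @(Get-ADGroupMember -Identity $ShadowGroup |
    ForEach-Object { $_.DistinguishedName })

$toAdd    = @($ouUsers | Where-Object { $members -notcontains $_ })
$toRemove = @($members | Where-Object { $ouUsers -notcontains $_ })

if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $ShadowGroup -Members $toAdd
}
if ($toRemove.Count -gt 0) {
    Remove-ADGroupMember -Identity $ShadowGroup -Members $toRemove -Confirm:$false
}

# 4. Verify: report OU users whose resultant policy is not the intended
#    one (no policy applies, or a higher-precedence policy wins).
foreach ($dn in $ouUsers) {
    $effective = Get-ADUserResultantPasswordPolicy -Identity $dn
    if ($effective -eq $null -or $effective.Name -ne $PolicyName) {
        $name = if ($effective) { $effective.Name } else { 'domain default' }
        "{0} -> {1}" -f $dn, $name
    }
}
```

An empty report from step 4 means every user in the OU is covered by the intended policy.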
Authentication Mechanism Assurance strengthens security
against personal devices
Description and Benefits
The new Authentication Mechanism Assurance feature recognizes who is logging in and
the device being used (e.g., company-assigned PC vs. a home computer or personal
mobile device).
Personal devices create a security risk since you cannot guarantee that they meet
corporate security standards. The extra level of identification enables administrators to
impose greater restrictions on users logging in from personal devices.
Special Considerations
This feature is disabled by default.
Requires a certificate-based authentication infrastructure (e.g., smart card or token-based authentication).
Additional Information
What's New in AD DS: Authentication Mechanism Assurance (Microsoft TechNet)
http://technet.microsoft.com/en-us/library/dd391847(WS.10).aspx
Remote Windows 7 users gain seamless connectivity and
improved file access speed
Description and Benefits
The following Windows 7 features are possible in a 2008 R2 Active Directory environment:
BranchCache: Stores commonly accessed files locally in branch offices for much faster file access.
DirectAccess: Automatically establishes a VPN link when connecting remotely, bypassing manual steps such as launching a VPN connection. If the connection drops, the VPN is automatically re-established when the network becomes available again.
Offline Domain Join: Enables pre-provisioning Windows 7 PCs so they automatically join the network when they first start up.
Special Considerations
BranchCache and DirectAccess are available only for Windows Server 2008 R2 and
Windows 7 computers. DirectAccess also requires IPv6 or transition technologies.
Offline Domain Join can also be used with earlier AD environments by using a /downlevel
parameter.
Additional Information
BranchCache and DirectAccess: Improving the Branch Office Experience (Microsoft
TechNet)
BranchCache for Windows Server 2008 R2 (Microsoft TechNet)
What's New in AD DS: Offline Domain Join (Microsoft TechNet)
http://technet.microsoft.com/en-us/magazine/ee835709.aspx
http://technet.microsoft.com/en-ca/library/dd996634(WS.10).aspx
http://technet.microsoft.com/en-us/library/dd391977(WS.10).aspx
Best Practices Analyzer identifies
Active Directory configuration issues
Description and Benefits
Checks if your AD configuration is following best practices.
To help you identify and resolve best practice violations, this feature provides:
A rules component which defines what is a best-practice configuration.
A PowerShell script to collect data on your configuration.
A guidance component to help you resolve identified issues.
Special Considerations
The feature can be run from the Best Practice Analyzer GUI in Server Manager or using
PowerShell cmdlets.
Additional Information
What's New in AD DS: Active Directory Best Practices Analyzer (Microsoft TechNet)
http://technet.microsoft.com/en-us/library/dd378893(WS.10).aspx
Read-Only Domain Controllers (RODCs) provide a security option
for less-secure locations
Description and Benefits
The RODC is designed for remote locations that have poor physical security.
The RODC does not contain account passwords and replication is one-way only:
inbound to the RODC. So if the RODC is compromised, user credentials are not at risk,
and any changes to the RODC cannot spread to the rest of the network.
Without an RODC, the alternative when security is a concern is to authenticate over a
WAN to a DC in another location, which can be slow depending on network bandwidth.
Special Considerations
The domain must include at least one Windows 2008 DC. Functional level can be
Windows 2003 or higher.
Domain admin accounts cannot be replicated to an RODC. As a result, you have to set up
a separate account on the RODC to administer it.
A separate group must be set up that identifies all the accounts that can be replicated to the RODC.
Additional Information
AD DS: Read-Only Domain Controllers (Microsoft TechNet)
Read-Only Domain Controllers and Account Lockouts (Microsoft TechNet)
http://technet.microsoft.com/en-us/library/cc732801(WS.10).aspx
http://blogs.technet.com/b/askds/archive/2008/02/15/read-only-domain-controllers-and-account-lockouts.aspx
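The group of accounts that may be replicated to an RODC decides how much is exposed if that RODC is lost, so it is worth auditing. The following PowerShell is an added example, not part of the Info-Tech deck; the RODC name is a placeholder, and it assumes the Active Directory module shipped with Windows Server 2008 R2.

```powershell
# Added example. The RODC name is a placeholder, not a value from the deck.
Import-Module ActiveDirectory
$RodcName = 'BRANCH-RODC01'

function Expand-Principal {
    # Resolve one replication-policy entry to the accounts it covers.
    param($Principal)
    if ($Principal.objectClass -eq 'group') {
        Get-ADGroupMember -Identity $Principal.DistinguishedName -Recursive
    } else {
        $Principal
    }
}

# Allowed and denied lists of the RODC's password replication policy.
$allowed = @(Get-ADDomainControllerPasswordReplicationPolicy `
        -Identity $RodcName -Allowed |
    ForEach-Object { Expand-Principal $_ })
$deniedDns = @(Get-ADDomainControllerPasswordReplicationPolicy `
        -Identity $RodcName -Denied |
    ForEach-Object { Expand-Principal $_ } |
    ForEach-Object { $_.DistinguishedName })

# Deny takes precedence, so the effective set is allowed minus denied.
$effective = @($allowed |
    Where-Object { $deniedDns -notcontains $_.DistinguishedName } |
    Sort-Object -Property DistinguishedName -Unique)
$effectiveDns = @($effective | ForEach-Object { $_.DistinguishedName })

# Finding 1: cacheable users flagged adminCount = 1, i.e. accounts that
# are or were members of a protected administrative group.
$privileged = @($effective |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties adminCount } |
    Where-Object { $_.adminCount -eq 1 })

# Finding 2: passwords already stored on the RODC for accounts that are
# no longer in the effective allowed set. The RODC's own computer account
# and its krbtgt_* account are always cached and are filtered out here.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage `
        -Identity $RodcName -RevealedAccounts)
$stale = @($revealed | Where-Object {
    $effectiveDns -notcontains $_.DistinguishedName -and
    $_.SamAccountName -notlike 'krbtgt_*' -and
    $_.SamAccountName -ne "$RodcName`$"
})

"Cacheable accounts            : $($effective.Count)"
"Privileged and cacheable      : $($privileged.Count)"
$privileged | ForEach-Object { "  $($_.SamAccountName)" }
"Cached but no longer allowed  : $($stale.Count)"
$stale | ForEach-Object { "  $($_.SamAccountName)" }
```

Accounts in the second finding stay cached on the RODC until their passwords are changed, so reset them after removing them from the allowed group.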
Database Mounting Tool expedites the recovery process
Description and Benefits
Also known as Snapshot Viewer or Snapshot Browser.
Enables you to compare AD backups or snapshots that were performed at different times
to determine which backup is the best one to restore. Previously the only option was to
restore each backup to determine which one to use.
Can also be used to review changes made to your AD environment.
Special Considerations
The snapshots could potentially be used to examine sensitive data, so they warrant the
same level of security provided to AD DS backups.
Additional Information
AD DS: Database Mounting Tool (Microsoft TechNet)
http://technet.microsoft.com/en-us/library/cc753246(WS.10).aspx
PowerShell saves administration time through task automation
Description and Benefits
PowerShell is a scripting language that administrators can use to simplify and automate
configuration, administration and diagnostic tasks.
Examples of tasks that can be performed include: disable/enable accounts, search for
accounts, add or remove accounts, and create, modify or remove objects.
Special Considerations
Can be installed on a Windows 7 PC as part of the Remote Server Administration Tools
(RSAT). See Remote Server Administration Tools for Windows 7 (Microsoft Source).
This module uses the ADWS service. TCP port 9389 must be open on the DC running the
ADWS service.
Additional Information
What's New in AD DS: Active Directory Module for Windows PowerShell (Microsoft
TechNet)
http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displayLang=en
http://technet.microsoft.com/en-us/library/dd378783(WS.10).aspx
Recycle Bin Undo simplifies recovery from accidental deletions
Description and Benefits
With 2003 DCs, deleted objects could be recovered from Windows Server backups, but
the DC had to be offline. The Tombstone reanimation method allowed recovery while
online, but attributes such as group memberships were lost.
With 2008 R2 DCs, the Tombstone process saves the attributes, making it a viable
recovery method; deleted objects can be retrieved without any downtime.
Special Considerations
This feature is disabled by default.
Once the feature is enabled, you cannot roll back to a lower functional level.
Additional Information
What's New in AD DS: Active Directory Recycle Bin (Microsoft TechNet)
http://technet.microsoft.com/en-us/library/dd391916(WS.10).aspx
Additional security and workflow features include Auditing and
Restartable Domain Services
Auditing Enhancements:
Enables you to specify which operations to audit and include in the security log.
For more details, see AD DS: Auditing (Microsoft TechNet).
Owner Rights:
Enables you to specify Owner Rights to override default access rights.
For more details, see AD DS: Owner Rights (Microsoft TechNet).
Management Pack:
Monitors computer and software states to assess availability and performance.
For more details, see Active Directory Federation Services Management Pack Readme (Microsoft TechNet).
Restartable Active Directory Domain Services:
Provides the ability to stop and start AD Domain Services to perform tasks such as security updates
without having to restart the DC server.
For more details, see AD DS: Restartable Active Directory Domain Services (Microsoft TechNet).
Web Services:
Provides a Web service interface to AD domains and AD LDS instances.
For more details, see What's New in AD DS: Active Directory Web Services (Microsoft TechNet).
http://technet.microsoft.com/en-us/library/cc731764(WS.10).aspx
http://technet.microsoft.com/en-us/library/dd125370(WS.10).aspx
http://technet.microsoft.com/en-us/library/dd279709.aspx
http://technet.microsoft.com/en-us/library/cc754718(WS.10).aspx
http://technet.microsoft.com/en-us/library/dd391908(WS.10).aspx
Appendix C: Research Demographics
Info-Tech conducted a survey to generate the data needed to create this research. The
following are graphs depicting the demographic information of those who participated in
the survey.