Let's face the truth, AD has been alive and running in a majority of all companies around the world for 15 years. During that time, there have been tons of upgrades and development, bringing more and better functionality to face the demands of time.
Microsoft have provided "simple" ways of keeping your AD environment updated, but sometimes the simplicity brings complexity under the "hood" of the user friendly interface.
A major task for all AD Engineers is to make sure everything is really running as expected not only from a visual perspective but also in reality, otherwise the benefits of being updated are lost or at least limited.
So, what should I be looking for? What have changed over the years? Below are some examples:
- Support for Universal groups, both security and distribution
- Group Nesting
- SID History
- Updates to Logon time stamp
- Selective Authentication
- Container redirection (Computers and Users)
- Constrained delegation
- Forest Trust
- Domain Rename
- LVR (Linked-Value Replication)
- Improved KCC (Knowledge Consistency Checker)
- RODC Deployment (Read-Only Domain Controllers)
- DFSR support for Sysvol Replication (running on Windows 2003 or later)
- Domain Based DFS with support for ABE and Scalability running in Windows 208 Native Mode
- AES 128 and 256 support for Kerberos
- Last Interactive Logon Information
- Fine-Grained Password Policies
Windows 2008 R2:
- AMA (Authentication Mechanism Assurance)
- Automatic SPN Management
- Active Directory Recycle Bin
- Added KDC support for Claims, Compound Authentication and Kerberos Armoring
Windows 2012 R2:
- DC-Side Protection for Protected Users
- Authentication Policies
- Authentication Policy Silos
For additional Information regarding added functionality refer to the following link:
Above functionality of course also requires moving the Domain and Forest to the appropriate level. Taking this into consideration from your own Active Directory perspective, you soon realize, there are most likely things to be done and reasons to make sure everything is running smoothly.
You could potentially compromise the security and functionality provided by AD by ignoring or not knowing about the added values.
Now it's time for the Golden Rule number 1: Before even thinking about doing any changes to you production environment, make sure you have a well-tested, well-documented and fully functional Disaster Recovery Plan. Also make sure you are able to at least use one level of Testing environment or Q&A (Quality Assurance) environment.
A backup is not a Disaster Recovery Plan, it's only a part of it. A Disaster Recovery Plan must consist of at least the following:
- A tested and verified backup strategy (running)
- A tested and verified recovery method, for all critical services provided and surrounding Active Directory (including the actual Operating system and Hardware as well)
- All possible recovery scenarios, documented in detail (from individual objects, Domain Controllers, Sites, Domains to the entire Forest itself)
- "Fire drills" on at least a yearly basis, performing the entire Disaster Recovery process,
- A well trained group of people able to perform the operations if necessary, always attending the fire drills for yearly training and knowledge update purposes.
- A dedicated person(s) responsible for maintaining and updating the documentation.
Do you need to be a rocket scientist to prepare all this? No, not really, you can always use specialized software to ease your burdens and of course combine them with the Active Directory Recycle Bin Feature.
Active Directory, Compliance and Identity: Part 1b, will take a road trip into the specialized software of my choice and also provide some tips and tricks surrounding it.
While you are waiting for the next part, please active the AD Recycle Bin:
Activating the AD Recycle Bin