Modern day Active Directory Best Practices

Active Directory as we know it is generally still the foundation stone of any medium business to large enterprise when it comes to providing access to things such as services, resources and a more importantly, security.

Although the technology is now over 14 years old, it has been greatly improved over the course of its lifespan and is now evolving into new areas as the way in which we manage our IT infrastructures today is rapidly changing.

However, for the most part Active Directory still remains to be used across world in thousands of businesses and likely will for some time yet.

I have worked in a number of different environments and had exposure to many Active Directory structures from the good right to the downright ugly.

As the design principles and practices that were in place when Active Directory shipped 14 years ago are now no longer relevant, many organisations may want re-think their strategies and design approach.

With this I’ve brought together a list of best practices that are now recommended for today’s Active Directory deployments as supported by Microsoft.

Obviously this would take up too much time to split each area out individually and go into detail, so for the purpose of this post I will narrow each down to three; Domain Controllers, Active Directory and lastly, Security considerations.

Domain Controllers:

  • Keep them “clean” e.g. do not install anything more than the exact required set of software and server roles
  • Reduce attack surface by deploying Server Core installations
  • Virtualise your Active Directory deployments if where possible
  • Deploy Read-Only Domain Controllers for small branch offices that lack higher levels of physical security
  • Deploy at least a minimum of two Domain Controllers per site within the organisation
  • Keep IPv6 enabled on network adapters and leave auto configured
  • Point the FSMO Role Holder at its own IP Address for a DNS server in the network adapter
  • Point each additional Domain Controller to anothers IP as the the first DNS server entry  in the network adapter
  • Add the Loopback address ( as the last DNS server on all network adapters
  • Configure the PDC Emulator to point to an reliable external time server
  • Use Active Directory Integrated DNS Zones
  • Use DNS Forwarders for external DNS resolution
  • Domain and Forest Functional Levels minimum of at least Windows Server 2008 or higher – a lot has changed since 2000 and 2003
  • Use Distributed File Service for SYSVOL Replication – File Replication Service now deprecated
  • Enable and use the Active Directory Recycle Bin – 2008 R2 Domain/Forest Functional Level
  • Use Notification based replication for Domain Controllers within other Active Directory Sites if possible – near instant replication of changes
  • Enable Strict Replication – prevent tombstone objects replicating
  • Set the Forest Tombstone lifetime to 180 days – only applicable if the forest was created on Windows 2000/2003 RTM or 2003 R2 RTM
  • Block Internet access to Domain Controllers

Active Directory:

  • Deploy single Domain Forests – no multi-domain forests or trust relationships
  • Use Federated identity & claims-based authentication with Active Directory Federated Services (ADFS)
  • Design for security first e.g. delegation/administration with access control
  • Administrative identities kept separated from standard users
  • Organise client computers by site – delegate/manage who can add computers to the Domain
  • Organise member servers by their role e.g. Exchange, SharePoint, SQLServer
  • Organise standard users by site/department and location e.g internal or external staff
  • Take advantage of the Manged Service Accounts Container for service based accounts that leverage AD for authentication e.g SQL Server
  • Make User Principal Name the sames as the users email address e.g. greig.mitchell

Security Considerations:

  • Set a strong complex password on the built-in Administrator account and disable it – 120 characters if need be!
  • Do not use the built-in Administrator account for day-to-day Administration tasks
  • Limit the number of members in Domain Admins/Enterprise Admins/Schema Admins – keep empty more or less and add only when required
  • Do not use Builtin Groups (Account/Server/Print/Backup Operators) leave empty
  • Deny Domain Admins/Enterprise Admins/Schema Admins logon rights to Workstations and Member Servers
  • Add Domain Admin/Enterprise Admins/Schema Admin and other workstation/server accounts to Protected Users Group (Server 2012 R2)
  • Restrict Service Accounts to the servers they are used on – Use Logon to option
  • Take advantage of Group Managed Service Accounts in Server 2012/2012 R2
  • Use Group Policy Restricted Groups to specify Administrators membership – use MemberOf setting cumulative
  • Change privileged accounts and service account passwords every 6 months or when an admin leaves the organisation
  • Change the Kerberos Service Account and DSRM account passwords every 6 months or when an admin leaves the organisation
  • Implement Two-Factor Authentication for privileged accounts
  • Enable Active Directory auditing for changes to membership of privileged groups and objects.

So there you have it, some up to date best practices you can use in current and future Active Directory deployments.

I think that more less covers a majority of aspects relating to the changes since Windows 2000, however I may break some of these areas down further in a future post so stay tuned! 🙂

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.