Here are some best practices for setting up and working with Active Directory:
- As a security best practice, it is recommended that you do not log on to your computer with administrative credentials. When you are logged on to your computer without administrative credentials, you can use ‘Run as’ to accomplish administrative tasks. For more information, see “Why You Should Not Run Your Computer as an Administrator” and “Using Run As” in the Windows Server 2003 on-screen Help and Support Center.
- To further secure Active Directory, you should implement the following security guidelines:
  - Rename or disable the Administrator account (and Guest account) in each domain to prevent attacks on your domains. For more information, see “User and Computer Accounts” in the on-screen Help and Support Center.
  - Physically secure all domain controllers in a locked room. For more information, see “Domain Controllers and Securing Active Directory” in the Windows Server 2003 on-screen Help and Support Center.
  - Manage the security relationship between two forests and simplify security administration and authentication across forests. For more information, see “Forest Trusts” in the Windows Server 2003 on-screen Help and Support Center.
  - To provide additional protection for the Active Directory schema, remove all users from the Schema Admins group and add a user to the group only when schema changes need to be made. Once the change has been made, remove the user from the group.
  - Use security groups to restrict user, group, and computer access to shared resources and to filter Group Policy settings. For more information, see “Security Groups” in the Windows Server 2003 on-screen Help and Support Center.
  - By default, all traffic on Active Directory administration tools is signed and encrypted while in transit on the network. Do not disable this feature. For more information, see “Managing Active Directory from MMC” in the Windows Server 2003 on-screen Help and Support Center.
  - Some default user rights assigned to specific default groups may allow members of those groups to gain additional rights in the domain, including administrative rights. Therefore, your organization must equally trust all personnel that are members of the Enterprise Admins, Domain Admins, Account Operators, Server Operators, Print Operators, and Backup Operators groups. For more information about these groups, see “Default Groups” in the on-screen Help and Support Center.
For general security information about Active Directory, see “Security Overview for Active Directory” and “Securing Active Directory” in the Windows Server 2003 on-screen Help and Support Center.
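The account and group guidance above is easy to state and easy to let drift. The following script is an added example (not part of the original article and not Microsoft's own tooling) that audits a domain against it: it checks whether the built-in Administrator account is still named “Administrator” and enabled, whether Guest is enabled, whether Schema Admins has any members between schema changes, and lists who currently holds membership in the groups the text says must be equally trusted. It assumes the ActiveDirectory PowerShell module from RSAT is installed and that the caller can read group membership in the current domain and in the forest root domain; it looks accounts and groups up by well-known RID so renaming them does not break the check.

```powershell
# Added example (not from the original article): read-only audit of the account
# and privileged-group guidance above. Assumes the ActiveDirectory module (RSAT)
# and read access to the current domain and the forest root domain.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$domain     = Get-ADDomain
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$domainSid  = $domain.DomainSID.Value
$rootSid    = $rootDomain.DomainSID.Value
$findings   = New-Object System.Collections.Generic.List[string]

# Well-known RIDs, so renaming does not hide the object from the check:
# 500 Administrator, 501 Guest, 512 Domain Admins,
# 518 Schema Admins and 519 Enterprise Admins (both live in the forest root domain).

# 1. Built-in Administrator should be renamed or disabled; Guest should be disabled.
$builtinAdmin = Get-ADUser -Identity "$domainSid-500" -Server $domain.PDCEmulator
if ($builtinAdmin.Enabled -and $builtinAdmin.SamAccountName -eq 'Administrator') {
    $findings.Add("Built-in Administrator (RID 500) is enabled and still named 'Administrator'")
}
$guest = Get-ADUser -Identity "$domainSid-501" -Server $domain.PDCEmulator
if ($guest.Enabled) {
    $findings.Add("Guest account (RID 501) is enabled")
}

# 2. Schema Admins should be empty except while a schema change is in progress.
$schemaAdmins = @(Get-ADGroupMember -Identity "$rootSid-518" -Recursive -Server $rootDomain.PDCEmulator)
if ($schemaAdmins.Count -gt 0) {
    $names = ($schemaAdmins | ForEach-Object SamAccountName) -join ', '
    $findings.Add("Schema Admins is not empty: $names")
}

# 3. Membership report for the groups whose members the organization must equally trust.
$privileged = @(
    @{ Name = 'Enterprise Admins'; Identity = "$rootSid-519";      Server = $rootDomain.PDCEmulator }
    @{ Name = 'Domain Admins';     Identity = "$domainSid-512";    Server = $domain.PDCEmulator }
    @{ Name = 'Account Operators'; Identity = 'Account Operators'; Server = $domain.PDCEmulator }
    @{ Name = 'Server Operators';  Identity = 'Server Operators';  Server = $domain.PDCEmulator }
    @{ Name = 'Print Operators';   Identity = 'Print Operators';   Server = $domain.PDCEmulator }
    @{ Name = 'Backup Operators';  Identity = 'Backup Operators';  Server = $domain.PDCEmulator }
)
$report = foreach ($g in $privileged) {
    $members = @(Get-ADGroupMember -Identity $g.Identity -Recursive -Server $g.Server)
    [pscustomobject]@{
        Group       = $g.Name
        MemberCount = $members.Count
        Members     = ($members | ForEach-Object SamAccountName) -join ', '
    }
}

$report | Format-Table -AutoSize
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it periodically (for example as a scheduled task on an administrative workstation) and diff the membership report against the last run; a new name in Domain Admins or a non-empty Schema Admins outside a planned schema change is what you want to notice. Note that `Get-ADGroupMember -Recursive` can fail on groups that contain foreign security principals from trusted forests; in that case enumerate the `member` attribute with `Get-ADGroup -Properties member` instead.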
- Establish as a site every geographic area that requires fast access to the latest directory information. Establishing areas that require immediate access to up-to-date Active Directory information as separate sites will provide the resources required to meet your needs. For more information, see “To Create a Site” in the Windows Server 2003 on-screen Help and Support Center.
- Place at least one domain controller in every site, and make at least one domain controller in each site a global catalog. Sites that do not have their own domain controllers and at least one global catalog are dependent on other sites for directory information and are less efficient. For more information, see “To Enable or Disable a Global Catalog” in the Windows Server 2003 on-screen Help and Support Center.
- Leave all site links bridged and leave site link connection schedules unrestricted. Bridging all site links maximizes replication links between sites and prevents the need to create site link bridges manually. Leaving site link connection schedules unrestricted eliminates connection-scheduling conflicts that might prevent replication. By default, all site links are bridged, and site link connection schedules are unrestricted. For more information, see “To Enable or Disable Site Link Bridges” and “To Configure Site Link Connection Availability” in the Windows Server 2003 on-screen Help and Support Center.
- Establish a preferred bridgehead server if you are using a firewall or if you want to dedicate a computer to intersite replication. A bridgehead server serves as a proxy for communications with other sites outside of a firewall. All sites must be associated with at least one subnet and in at least one site link, or they will not be usable. For more information, see “To Associate a Subnet with a Site” and “To Add a Site to a Site Link” in the Windows Server 2003 on-screen Help and Support Center.
- Perform regular backups of domain controllers in order to preserve all trust relationships within that domain. For more information, see “Domain Controllers” in the Windows Server 2003 on-screen Help and Support Center.
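The site rules above (a domain controller and a global catalog in every site, every site in a subnet and a site link, links bridged, schedules unrestricted) can all be verified from the Configuration partition. The script below is an added example, not part of the original article or of any Microsoft tool, that produces a per-site table and a list of findings for the whole forest. It assumes the ActiveDirectory PowerShell module from RSAT and read access to the Configuration partition; it also assumes that a site link with no `schedule` attribute is one whose availability is unrestricted, and it reads the forest-wide “Bridge all site links” setting from the `options` attribute of the IP inter-site transport object, where bit 0x2 set means automatic bridging is turned off.

```powershell
# Added example (not from the original article): read-only check of the site guidance
# above across the forest. Assumes the ActiveDirectory module (RSAT) and read access
# to the Configuration partition.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$configNC = (Get-ADRootDSE).configurationNamingContext
$findings = New-Object System.Collections.Generic.List[string]

# Domain controllers from every domain in the forest; each carries its Site and IsGlobalCatalog.
$dcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }

$sites   = Get-ADReplicationSite -Filter *
$subnets = Get-ADReplicationSubnet -Filter *          # .Site is the site's distinguished name
$links   = Get-ADReplicationSiteLink -Filter * -Properties ReplicationSchedule

# One row per site: DC count, GC count, subnets mapped to it, site links that include it.
$siteReport = foreach ($site in $sites) {
    $siteDcs = @($dcs | Where-Object Site -eq $site.Name)
    [pscustomobject]@{
        Site              = $site.Name
        DomainControllers = $siteDcs.Count
        GlobalCatalogs    = @($siteDcs | Where-Object IsGlobalCatalog).Count
        Subnets           = @($subnets | Where-Object Site -eq $site.DistinguishedName).Count
        SiteLinks         = @($links | Where-Object SitesIncluded -contains $site.DistinguishedName).Count
    }
}

foreach ($r in $siteReport) {
    if ($r.DomainControllers -eq 0) { $findings.Add("Site '$($r.Site)' has no domain controller") }
    if ($r.GlobalCatalogs -eq 0)    { $findings.Add("Site '$($r.Site)' has no global catalog") }
    if ($r.Subnets -eq 0)           { $findings.Add("Site '$($r.Site)' has no subnet associated with it") }
    if ($r.SiteLinks -eq 0)         { $findings.Add("Site '$($r.Site)' is not in any site link") }
}

# Assumption: a site link with no schedule attribute is unrestricted (always available).
foreach ($l in $links) {
    if ($l.ReplicationSchedule) { $findings.Add("Site link '$($l.Name)' has a restricted replication schedule") }
}

# Forest-wide "Bridge all site links" is stored on the IP transport object:
# options bit 0x2 (bridges required) set means automatic bridging is disabled.
$ipTransport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options
if (([int]$ipTransport.options -band 0x2) -ne 0) {
    $findings.Add("'Bridge all site links' is disabled on the IP transport; site link bridges must be maintained manually")
}

$siteReport | Format-Table -AutoSize
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

A site that shows zero domain controllers or zero global catalogs is the case the text warns about: its clients and applications depend on another site for logon and directory lookups, and replication problems on the link between them become user-visible outages. The per-site table is also a useful baseline to keep alongside the list of preferred bridgehead servers, so that a firewall change or a decommissioned server is noticed before replication stops.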
Summary
The Windows Server 2003 family of operating systems provides significant enhancements over the Windows NT Server 4.0 family of operating systems. Windows Server 2003 was designed to make upgrading from Windows 2000 or Windows NT Server 4.0 easy, so that organizations can readily take advantage of the new features and benefits of Windows.
A first decision point in preparation for upgrading is choosing which Microsoft Windows Server 2003 to use:
- Windows Server 2003, Standard Edition. Designed for small organizations and departmental use, Standard Edition delivers intelligent file and printer sharing, secure Internet connectivity, centralized desktop application deployment, and Web solutions that connect employees, partners, and customers. Standard Edition provides high levels of dependability, scalability, and security.
- Windows Server 2003, Enterprise Edition. Designed for medium to large businesses, Enterprise Edition is the recommended operating system for servers running applications such as networking, messaging, inventory, and customer service systems, databases, and e-commerce Web sites. Enterprise Edition delivers high reliability, performance, and superior business value. It will be available in both 32-bit and 64-bit versions.
- Windows Server 2003, Datacenter Edition. Designed for businesses that demand the highest levels of scalability, availability, and reliability, Datacenter Edition lets you deliver mission-critical solutions for databases, enterprise resource planning software, high-volume real-time transaction processing, and server consolidation. Datacenter Edition will be available in both 32-bit and 64-bit versions.
- Windows Server 2003, Web Edition. Designed for building and hosting Web applications, Web pages, and XML Web services, Web Edition delivers a single-purpose solution for Internet service providers, application developers, and others wishing only to use or deploy specific Web functionality. Web Edition takes advantage of improvements in Internet Information Services (IIS) 6.0, Microsoft ASP.NET, and the Microsoft .NET Framework.
A second decision point is whether to upgrade--copying the new system onto the existing system--or to perform a new installation or migration.
Active Directory becomes an even more powerful administrative resource with Windows Server 2003, and can be deployed in either homogenous Windows Server 2003 environments or heterogeneous environments including Windows 2000 and Windows NT Server 4.0 domains. The Active Directory Installation Wizard simplifies deployments.
Microsoft has worked to make upgrading as easy as possible, so organizations can more readily enjoy the benefits of the Windows Server 2003 family of operating systems.
Related Links
See the following resources for further information:
- Using the Application Compatibility Toolkit at http://www.microsoft.com/windowsserver2003/compatible/appcompat/.
- Top 10 Features for Organizations Upgrading from Windows NT Server 4.0 at http://www.microsoft.com/windowsserver2003/evaluation/whyupgrade/top10nt/.
- Top 10 Features for Organizations Upgrading from Windows 2000 Server at http://www.microsoft.com/windowsserver2003/evaluation/whyupgrade/top10w2k/.
- Product Documentation for Windows Server 2003 at http://www.microsoft.com/windowsserver2003/proddoc/.
For the latest information about Windows Server 2003, see the Windows Server 2003 Web site at http://www.microsoft.com/windowsserver2003/.