Etkin Active Directory Dizaynında 10 ipucu

1: Keep it simple-Basit tutun

The first bit of advice is to keep things as simple as you can.
Active Directory is designed to be flexible, and if offers numerous
types of objects and components. But just because you can use something
doesn’t mean you should. Keeping your Active Directory as simple as
possible will help improve overall efficiency, and it will make the
troubleshooting process easier whenever problems arise.

2: Use the appropriate site topology-En uygun site topolojiyi kullanın

Although there is definitely something to be said for simplicity, you
shouldn’t shy away from creating more complex structures when it is
appropriate. Larger networks will almost always require multiple Active
Directory sites. The site topology should mirror your network topology.
Portions of the network that are highly connected should fall within a
single site. Site links should mirror WAN connections, with each
physical facility that is separated by a WAN link encompassing a
separate Active Directory site.

3: Use dedicated domain controllers-Domain controllarınız sadece bu işi yapsın

I have seen a lot of smaller organizations try to save a few bucks by
configuring their domain controllers to pull double duty. For example,
an organization might have a domain controller that also acts as a file
server or as a mail server. Whenever possible, your domain controllers
should run on dedicated servers (physical or virtual). Adding additional
roles to a domain controller can affect the server’s performance,
reduce security, and complicate the process of backing up or restoring
the server.

4: Have at least two DNS servers- En az 2 adet DNS serverınız olsun

Another way that smaller organizations sometimes try to economize is
by having only a single DNS server. The problem with this is that Active
Directory is totally dependent upon the DNS services. If you have a
single DNS server, and that DNS server fails, Active Directory will
cease to function.

5: Avoid putting all your eggs in one basket (virtualization)-Serverlarınızı (DC) Sanalda da olsa farklı makinalara kurun

One of the main reasons organizations use multiple domain controllers
is to provide a degree of fault tolerance in case one of the domain
controllers fails. However, this redundancy is often circumvented by
server virtualization. I often see organizations place all their
virtualized domain controllers onto a single virtualization host server.
So if that host server fails, all the domain controllers will go down
with it. There is nothing wrong with virtualizing your domain
controllers, but you should scatter the domain controllers across
multiple host servers.

6: Don’t neglect the FSMO roles (backups)-FSMO rollerini ihmal etmeyin

Although Windows 2000 and every subsequent version of Windows Server
have supported the multimaster domain controller model, some domain
controllers are more important than others. Domain controllers that are
hosting Flexible Single Master Operations (FSMO) roles are critical to
Active Directory health. Active Directory is designed so that if a
domain controller that is hosting FSMO roles fails, AD can continue to
function — for a while. Eventually though, a FSMO domain controller
failure can be very disruptive.

I have heard some IT pros say that you don’t have to back up every
domain controller on the network because of the way Active Directory
information is replicated between domain controllers. While there is
some degree of truth in that statement, backing up FSMO role holders is
critical.

I once had to assist with the recovery effort for an organization in
which a domain controller had failed. Unfortunately, this domain
controller held all of the FSMO roles and acted as the organization’s
only global catalog server and as the only DNS server. To make matters
worse, there was no backup of the domain controller. We ended up having
to rebuild Active Directory from scratch. This is an extreme example,
but it shows how important domain controller backups can be.

7: Plan your domain structure and stick to it-Domain yapınızı planlayın ve plana bağlı kalın

Most organizations start out with a carefully orchestrated Active
Directory architecture. As time goes on, however, Active Directory can
evolve in a rather haphazard manner. To avoid this, I recommend planning
in advance for eventual Active Directory growth. You may not be able to
predict exactly how Active Directory will grow, but you can at least
put some governance in place to dictate the structure that will be used
when it does.

8: Have a management plan in place before you start setting up servers-Serverları kurmadan önce nasıl yöneteceğinize karar verin

Just as you need to plan your Active Directory structure up front,
you also need to have a good management plan in place. Who will
administrator Active Directory? Will one person or team take care of the
entire thing or will management responsibilities be divided according
to domain or organizational unit? These types of management decisions
must be made before you actually begin setting up domain controllers.

9: Try to avoid making major logistical changes-AD yapısında fazla büyük değişiklikler yapmamaya özen gösterin

Active Directory is designed to be extremely flexible, and it is
possible to perform a major restructuring of it without downtime or data
loss. Even so, I would recommend that you avoid restructuring your
Active Directory if possible. I have seen more than one situation in
which the restructuring process resulted in some Active Directory
objects being corrupted, especially when moving objects between domain
controllers running differing versions of Windows Server.

10: Place at least one global catalog server in each site-Her site'a en az bir global catalog server kurun.

Finally, if you are operating an Active Directory consisting of
multiple sites, make sure that each one has its own global catalog
server. Otherwise, Active Directory clients will have to traverse WAN
links to look up information from a global catalog.