Active Directory Design, Optimization, and Automation

In Security, Servers, Windows by Glenn Thomas

Active directory design considerations

Part 1 of our Network Remodeling / Redesigning / Restructuring Services series

Active Directory is the central repository for nearly all networks today. Some of the most important roles it is responsible for are end-user authentication, security, and the ability to automagically control how servers, client computers, and end-users are provisioned once they are added to your network. My goal for this article is to give an informative, non-technical overview that answers the question: Why would you want to invest in a good Active Directory design?

A brief history of what I run into when stepping into a new network environment for the first time: chances are, if your company has been solely reliant on computer systems for several years, you have probably gone through several IT vendors or internal systems administrators managing your network, including the Active Directory database that manages your entire network and its security. This is a very common scenario after interviewing with our clients for the first time.

Answer these few questions:

  • Do computer performance or resource organizational issues haunt your end-users on a daily basis making them less productive?
  • How long should it take to add one user (or a thousand, for that matter) to your network, make sure they can access the resources they need, cannot access resources they aren’t supposed to see, and, most importantly, don’t have to ask any questions?
  • Do you have an updated report of “who” can access “what” on your network?
  • Do you lack confidence knowing an employee is locked out after they have left your company?

Active Directory design – step by step.

The best network topology starts with a solid plan, and Active Directory plays a central role behind the scenes. Here are some tips to help you during your decision process:

  1. Active Directory should be well thought-out and designed (or re-designed) to fit your needs.
    In an ideal setup, Active Directory should start out as an organizational hierarchy for your business. Yes, there are commonalities and frameworks that can be used across multiple industries, but each setup becomes more unique to its business as time passes. That said, the structure of Active Directory should fit the scope of your organization: small-scale for small businesses, large-scale for large businesses and educational institutions, and shaped by how your business operates. Going back several years, there have probably been several individuals responsible for managing this resource, at several different levels of expertise. Active Directory is probably doing its job, but are you really getting the most out of it, and is it working for you – not against you?
  2. Security groups should match your network resources.
    I can’t stress this enough. The last call I want to get is “Why can Billy Bob get into the Accounting folder?” or “Why can Jane’s account still access VPN services and get into the network?” Not only will we put the best design in place, we can set up an automated report showing you what the permissions are so YOU can review them at any time and have the reassurance that you’re not just taking my word for it. This includes who has what access to file shares, who has access to remotely VPN into the network, and so on and so forth.
  3. Setup of most servers, client computers, and end-users should be automated, following frameworks.
    I won’t go into detail on servers for now, but client computers take top seat here. I know them inside and out – it’s a love-hate relationship with me. I do like knowing I can actually make an impact on how to get them to perform better for clients and to get the “attaboy” pat on the back on occasion. But realistically, I’d rather not have to deal with the endless headaches they bring to the table. I’d rather spend my time setting up Active Directory and fine-tuning it, and offload the minimal amount of client management to myself or someone else in your company for that matter. Once the right system is in place, adding users and computers, access to network shares/network drives, printers, and software becomes a breeze. Again, this all starts with the best plan upfront, and delegates within your business can easily be trained “if required” to support minor changes moving forward.
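
One way to produce the "who can access what" report described in tip 2, shown here as an added example and not the author's own script. It assumes the RSAT ActiveDirectory module and read access to the domain; the OU path, output file name and 90-day stale threshold are placeholders.

```powershell
# Added example: security-group membership report with stale-access flags.
Import-Module ActiveDirectory

# Assumptions (placeholders): the OU holding resource groups, the report path,
# and how long without a logon counts as stale.
$GroupSearchBase = 'OU=Resource Groups,DC=example,DC=local'
$ReportPath      = '.\group-access-report.csv'
$StaleAfter      = (Get-Date).AddDays(-90)

$groups = Get-ADGroup -Filter 'GroupCategory -eq "Security"' -SearchBase $GroupSearchBase

$report = foreach ($group in $groups) {
    # -Recursive expands nested groups, so indirect access shows up as well.
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($member in $members) {
        # LastLogonDate is derived from lastLogonTimestamp, which replicates
        # with a delay of several days; treat it as approximate.
        $user = Get-ADUser -Identity $member.distinguishedName -Properties LastLogonDate

        $flag = ''
        if (-not $user.Enabled) {
            # Disabled account that still holds membership: remove it from the group.
            $flag = 'DISABLED-STILL-MEMBER'
        }
        elseif (-not $user.LastLogonDate -or $user.LastLogonDate -lt $StaleAfter) {
            # Enabled but no recent logon: confirm the person still needs access.
            $flag = 'STALE-LOGON'
        }

        [pscustomobject]@{
            Group         = $group.Name
            User          = $user.SamAccountName
            Enabled       = $user.Enabled
            LastLogonDate = $user.LastLogonDate
            Flag          = $flag
        }
    }
}

# Full report for review, plus the flagged rows on screen.
$report | Sort-Object Group, User | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Where-Object Flag | Format-Table Group, User, Enabled, LastLogonDate, Flag
```

Run as a scheduled task, the CSV gives a standing answer to the questions above about who holds access and whether departed employees still appear in any group.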

Active Directory technology has been around for a while and it’s no secret ingredient when it comes to networks, but it’s the planning and design that make it a useful IT tool for all companies. I would love to dig into some of the nitty gritty details, but there are just too many things you can do with it.

In the next article in this series – Part 2 – Network Resource Availability, Security, and Data Integrity – I will be shedding light on some of the safety measures we put in place to secure your data and to ensure it’s backed up.

Related Articles:
Overview: Network Remodeling/Redesigning/Restructuring Services
Part 2: Network Resource Availability and Data Integrity
Part 3: Client OS Deployments & Management

About the Author
Glenn Thomas

Glenn is a Network Engineer at Source One Technology and has been providing IT consultancy services to schools, nonprofits and SMBs in Waukesha, Milwaukee and SE Wisconsin for over 15 years.