SKV PROPOSAL
TO CLT FOR ACTIVE DIRECTORY AND DNS
IMPLEMENTATION
Introduction:
SKV Consulting is a premier consulting firm providing enterprise solutions for designing Microsoft technologies. SKV follows Microsoft standard frameworks and proven methodologies in designing and implementing infrastructure solutions.
SKV has successfully performed enterprise infrastructure transformations, including both desktop and server transformations. SKV has a proven track record of quality and delivery methodologies and provides value to its customers by reducing operating costs and increasing revenue.
SKV Solution for CLT
Solution Description:
CLT will host its infrastructure on the Microsoft Hyper-V virtualization stack. The virtual infrastructure servers will host Microsoft Exchange Server, Microsoft Active Directory, Microsoft System Center Orchestrator, File Server, CLT application servers, Microsoft SQL Servers and others. CLT has 3 production VLANs and 1 client VLAN configured on Cisco hardware; each VLAN is configured on Cisco 3750 series switches, and a dedicated patch panel separates the management switches from the client and server switches. A Fabric Interconnect provides the management interface, layered between the Layer 3 switch and the Cisco UCS blade servers.
Each VLAN has a mix of Unix and Microsoft servers. Most Microsoft servers are virtualized and staged on Microsoft Hyper-V, with appropriate VLAN tags configured for communication between the servers and the storage arrays.
CLT Existing Data Center:
The existing CLT data center is hosted in Sydney and managed by in-house staff. CLT has 2 offices (Sydney and Melbourne); each site is hosted in its own data center, and the sites are connected by high-speed networks.
The CLT DNS infrastructure should be configured to establish communication between Active Directory domains, applications and users. The infrastructure should be designed on a local namespace, while the public namespace is managed by the ISP. Both offices are connected by IP VPN to the Sydney data center. The tables below show the existing servers and network infrastructure for both data centers.
CLT Network Infrastructure      | Description
Cisco Router 3750x              | Routing internet traffic
Cisco 3750 Switch x 2           | VLAN enabled and configured
Cisco 3750 Switch x 2           | Stack-cabled
Cisco Fabric Interconnect x 2   | Management interface
Cisco UCS Blade x 2             | Server virtualization
Server VLANs                    | 3 Server VLANs, 1 Client VLAN

Microsoft Infrastructure Components            | VLAN    | Description
Primary Domain Controller                      | VLAN 1  | Forest Root Domain
Additional Domain Controller                   | VLAN 1  | Secondary Domain Controller with DNS
Microsoft Hyper-V                              | VLAN 1  | Virtualization stack
Microsoft Exchange Server                      | VLAN 1  | Exchange 2010
Child Domain Controller                        | VLAN 2  | Child domain with DNS
Microsoft SharePoint Server 2010               | VLAN 2  | SharePoint services
Microsoft System Center Operations Manager     | VLAN 2  | Enterprise server monitoring solution
Microsoft System Center Configuration Manager  | VLAN 2  | Patch management and software distribution
Child Domain Controller                        | VLAN 3  | Child domain with DNS configured
File Servers                                   | VLAN 3  |
Certificate Server                             | Virtual | Virtual
DNS Namespace | Description        | Domain Controllers
Local         | CLT.LOCAL          | FRD1.CLT.LOCAL, FRD2.CLT.LOCAL
Local         | GPR.CLT.LOCAL      | Sec1.GPR.CLT.LOCAL, Sec2.GPR.CLT.LOCAL
Local         | FINANCE.CLT.LOCAL  | TH1.FINANCE.CLT.LOCAL, TH2.FINANCE.CLT.LOCAL
Global        | CLT.com            | Hosted by ISP
Technical Diagram:
[Diagram not reproduced in this extract. It shows the production environment on two UCS blades with Fabric Extenders behind Fabric Interconnect 1 and Fabric Interconnect 2, the two 3750 switches (Switch 1 and Switch 2) carrying VLAN1-Prod, VLAN2-Prod and VLAN3-Prod, the 3750x router, the Hyper-V hosts, and the name-resolution path between the DNS Server (FRD), the DC/DNS Server (Secondary / Domain 2), an Application Server and a User.]
Data Communication:
The following is the proposed DNS name resolution design for the CLT infrastructure. Active Directory domains will be staged by SKV consultants, and the relevant DNS routing will be established between the 3 domains. Any specific requirements with respect to name resolution will be managed by SKV consultants.
Intranet DNS name resolution is performed by the DNS servers across the Active Directory forest; any primary DNS zone configured without Active Directory integration should be managed independently through its zone file. Public namespace resolution is performed by the DNS server configured in the VLAN1 network.
Although it is not advisable for a production DNS server to communicate with the public ISP, as a temporary design the Domain 1 DNS server forwards requests for the ISP namespace. Once CLT creates a dedicated DMZ zone, a DMZ DNS server will be configured to resolve public namespaces.
Requirement Understanding:
The following requirements were gathered after infrastructure analysis and discussion with the Architecture group.
CLT Tasks:
1. Data center hosting is performed by CLT employees.
2. Configuration of Cisco switches and VLANs is performed by CLT.
3. Internet Protocol addresses are provided to SKV consultants by CLT.
4. Firewall exception rules are configured by CLT.
5. Server maintenance, including server patch management, is performed by CLT.
6. Storage provisioning, including provision of LUNs and configuration of iSCSI on Windows Servers, is performed by CLT.
7. Communication between VLANs is provisioned by CLT.
8. DR procedures are managed by a third-party vendor.
9. The private namespace is hosted by CLT.
10. Privileges to log on to DNS servers and Domain Controllers are provisioned by CLT, which includes Group Policy creation and service account provisioning.
SKV Tasks:
a) Installation and configuration of the Windows Server operating system for the Domain Controllers is performed by SKV.
b) Windows Updates on all the servers are performed by SKV.
d) DNS infrastructure design is performed by SKV.
e) DNS implementation is performed by SKV.
f) DNS impact analysis is performed by SKV.
g) DNS tests are performed by SKV.
h) The public namespace is managed by the ISP.
i) Domain Controller replication is configured by SKV.
j) Active Directory sites and subnets are configured by SKV.
DNS Design Considerations:
SKV proposes the following design for configuring the DNS infrastructure for CLT.
a) DNS server IPs will be configured with private Internet Protocol (IPv4) addresses.
b) DNS servers will be staged in different domains on 3 different VLANs.
c) Clients (which includes client OS and server OS) will point to the domain-specific DNS server, and any request for the public namespace will be handled by the DNS server hosted in VLAN1.
d) Inbound and outbound firewall ports for DNS requests should be managed by CLT.
e) Root hints will be deleted on the Domain 2 and Domain 3 DNS servers.
f) Caching will be disabled on the VLAN1 DNS servers, which prevents possible DNS cache poisoning.
g) Secondary zones will be configured for the 3 local namespaces.
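The resolution design above (public names forwarded only by the VLAN1 servers, root hints removed on the Domain 2 and Domain 3 servers, cache hardening on VLAN1, and secondary zones for the three local namespaces) can be expressed with the DnsServer PowerShell module. The script below is an added example, not SKV's or CLT's configuration. It assumes a Windows Server 2012 or later management host with the DnsServer module (the Windows Server 2008 R2 build in this proposal would apply the same settings with dnscmd.exe); the ISP resolver address and all zone master addresses are placeholders, and the server names come from the namespace table above.

```powershell
# Added example, not SKV's or CLT's configuration. Assumes the DnsServer module
# (Windows Server 2012 or later); every IP address below is a placeholder.
$IspResolver = '203.0.113.53'                                       # placeholder: ISP resolver
$Vlan1Dns    = @('FRD1.CLT.LOCAL', 'FRD2.CLT.LOCAL')                 # Domain 1 DNS servers, VLAN1
$Vlan1Ips    = @('10.1.0.10', '10.1.0.11')                           # placeholder: their addresses
$ChildDns    = @('Sec1.GPR.CLT.LOCAL', 'Sec2.GPR.CLT.LOCAL',
                 'TH1.FINANCE.CLT.LOCAL', 'TH2.FINANCE.CLT.LOCAL')   # Domain 2 / Domain 3 DNS servers
$ZoneMasters = @{                                                    # authoritative master per namespace
    'CLT.LOCAL'         = '10.1.0.10'
    'GPR.CLT.LOCAL'     = '10.2.0.10'
    'FINANCE.CLT.LOCAL' = '10.3.0.10'
}

# Item (c) and the interim design in "Data Communication": only the VLAN1 servers
# talk to the ISP. Timeout 6 is installation step 9; UseRootHint $false stops
# them falling back to the Internet root servers when the ISP does not answer.
foreach ($srv in $Vlan1Dns) {
    Set-DnsServerForwarder -ComputerName $srv -IPAddress $IspResolver -Timeout 6 -UseRootHint $false

    # Item (f): Windows DNS cannot switch its cache off outright. The controls that
    # blunt cache poisoning are cache locking (a cached record cannot be overwritten
    # before its TTL expires) and pollution protection (records outside the queried
    # name's tree are discarded from responses).
    Set-DnsServerCache -ComputerName $srv -LockingPercent 100 -PollutionProtection $true
}

# Item (e) and step 30: the Domain 2 and Domain 3 servers lose their root hints,
# so their only route to a public name is the forward to VLAN1.
foreach ($srv in $ChildDns) {
    Get-DnsServerRootHint -ComputerName $srv | Remove-DnsServerRootHint -ComputerName $srv -Force
    Set-DnsServerForwarder -ComputerName $srv -IPAddress $Vlan1Ips -Timeout 6 -UseRootHint $false
}

# Item (g): each server carries a secondary copy of every local namespace it is
# not authoritative for, so cross-domain lookups work without forest-wide zone
# replication. The master is told to allow a transfer to that secondary first
# (-SecondaryServers replaces the list, so accumulate it when adding several).
# Step 24's alternative, a conditional forwarder, is available as a switch.
function Add-LocalNamespaceSecondaries {
    param([string]$Server, [switch]$UseConditionalForwarder)
    foreach ($zone in $ZoneMasters.Keys) {
        if (Get-DnsServerZone -ComputerName $Server -Name $zone -ErrorAction SilentlyContinue) { continue }
        $master = $ZoneMasters[$zone]
        if ($UseConditionalForwarder) {
            Add-DnsServerConditionalForwarderZone -ComputerName $Server -Name $zone -MasterServers $master
        } else {
            $secondaryIp = (Resolve-DnsName -Name $Server -Type A).IPAddress | Select-Object -First 1
            Set-DnsServerPrimaryZone -ComputerName $master -Name $zone `
                -SecureSecondaries TransferToSecureServers -SecondaryServers $secondaryIp
            Add-DnsServerSecondaryZone -ComputerName $Server -Name $zone -ZoneFile "$zone.dns" -MasterServers $master
        }
    }
}
foreach ($srv in ($Vlan1Dns + $ChildDns)) { Add-LocalNamespaceSecondaries -Server $srv }
```

The firewall rules in item (d) are the precondition for every remote call here: TCP/UDP 53 between the VLANs for the zone transfers and forwards, and the management ports from the host running the script to each DNS server.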
Active Directory Design Considerations:
SKV proposes the following design for configuring the AD infrastructure for CLT.
a) The forest design is created by SKV and must be approved by CLT.
b) The domain design is submitted by SKV to CLT, and changes will be made if required.
c) There should be a minimum of 2 Domain Controllers for each domain in the CLT environment.
d) Place the Infrastructure Master role on a non-Global Catalog server, as the SKV proposed solution is not to make all DCs Global Catalogs.
e) Organizational Unit design is performed by SKV.
f) Active Directory site topology is designed by SKV.
Installation Pre-requisites:
SKV assumes that the following are provisioned by CLT respectively:
a) Provision of virtual servers, including hardware, network and memory, is configured by CLT professionals.
b) Installation and configuration of the Windows Server 2008 R2 (Full edition) operating system in all 3 VLANs is performed by SKV consultants.
c) Network devices and ports are configured by CLT engineers, who ensure the firewall ports are opened for DNS server communication between VLANs.
d) Remote monitoring for the servers is provisioned, and the required firewall ports are enabled for SKV consultants to access the servers in the different farms.
e) Ensure patching of the servers complies with CLT standards and is performed by the CLT Operations team.
f) Ensure auditing of the servers is performed prior to installing the Domain Controllers.
g) Ensure all relevant applications (e.g. anti-virus) are installed and configured on each server that will be configured as a DNS server.
Assumptions:
- This document will not provide detailed step-by-step visual information about the configuration of the DNS server in the VLAN domains.
- This document will not cover step-by-step information about installing and configuring Domain Controllers.
- This document will provide best practices to design and plan the DNS and AD infrastructure on the specific network.
Installation Steps:
The following are the installation steps for installing and configuring the Active Directory and DNS infrastructure in the CLT data center.
1) Ensure static IP addresses are configured on the servers that are being promoted to Domain Controllers, and validate the subnet mask and default gateway configured on each server. Strictly no multi-homed networks.
Protocol and Port     | AD and AD DS Usage                                                              | Type of traffic
TCP and UDP 389       | Directory, Replication, User and Computer Authentication, Group Policy, Trusts  | LDAP
TCP 636               | Directory, Replication, User and Computer Authentication, Group Policy, Trusts  | LDAP SSL
TCP 3268              | Directory, Replication, User and Computer Authentication, Group Policy, Trusts  | LDAP GC
TCP 3269              | Directory, Replication, User and Computer Authentication, Group Policy, Trusts  | LDAP GC SSL
TCP and UDP 88        | User and Computer Authentication, Forest Level Trusts                           | Kerberos
TCP and UDP 53        | User and Computer Authentication, Name Resolution, Trusts                       | DNS
TCP and UDP 445       | Replication, User and Computer Authentication, Group Policy, Trusts             | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 25                | Replication                                                                     | SMTP
TCP 135               | Replication                                                                     | RPC, EPM
TCP Dynamic           | Replication, User and Computer Authentication, Group Policy, Trusts             | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
TCP 5722              | File Replication                                                                | RPC, DFSR (SYSVOL)
UDP 123               | Windows Time, Trusts                                                            | Windows Time
TCP and UDP 464       | Replication, User and Computer Authentication, Trusts                           | Kerberos change/set password
UDP Dynamic           | Group Policy                                                                    | DCOM, RPC, EPM
UDP 138               | DFS, Group Policy                                                               | DFSN, NetLogon, NetBIOS Datagram Service
UDP 67 and UDP 2535   | DHCP (Note: DHCP is not a core AD DS service but it is often present in many AD DS deployments.) | DHCP, MADCAP
UDP 137               | User and Computer Authentication                                                | NetLogon, NetBIOS Name Resolution
TCP 139               | User and Computer Authentication, Replication                                   | DFSN, NetBIOS Session Service, NetLogon
3) Ensure the account provisioned to promote the server has the permissions required to install the Domain Controller and to launch Server Manager on every operating system instance that will be promoted to a Domain Controller.
4) Verify that the disk partition is formatted with NTFS.
5) Install Active Directory on FRD1.CLT.LOCAL, which runs Windows Server 2008 R2 and acts as the Forest Root Domain controller. During the installation, accept the prompt to install the DNS service and complete the configuration.
6) Verify that the DNS zone CLT.LOCAL and its corresponding folders (_msdcs, _tcp, _udp, _sites) are created and populated with:
a) Kerberos SRV records pointing to the Domain Controller
b) LDAP SRV records pointing to the Domain Controller
c) _kpasswd SRV record pointing to the Domain Controller
7) Ensure dynamic updates are configured on the DNS zone.
8) Enable aging and scavenging on the DNS server.
9) Ensure the forwarding timeout is set to 6 seconds.
10) Ensure the Active Directory DNS zones are replicated across the forest; this ensures that clients can find resource records in any of the domains.
11) Configure DNS reverse lookup zones for the specific IP subnets.
12) Ensure the hosts file on the DNS server is empty.
14) Test name resolution from a client operating system and from any applications requesting the external namespace (CLT.com or Microsoft.com).
15) Use Wireshark or Netmon sniffer utilities to analyze response times. This includes a thorough understanding of the client NIC adapter, MTU size and RSS response times.
16) Apply the required server hardening and the Group Policies that manage the DNS infrastructure, which includes configuring the client DNS suffix list with CLT.LOCAL, GPR.CLT.LOCAL and FINANCE.CLT.LOCAL.
17) On the Forest Root Domain, point the Domain Controller's primary DNS server to itself using its static IPv4 address (remove 127.0.0.1 / the loopback address).
18) The Schema Master, Domain Naming Master, PDC Emulator and RID Master roles are installed on the CLT.LOCAL Domain Controller, which is also a Global Catalog.
19) On the server that will be promoted as the Additional Domain Controller (FRD2.CLT.LOCAL), ensure the primary DNS server IP address points to the "FRD1.CLT.LOCAL" server.
20) To install the Additional Domain Controller, perform the above tasks (1 to 4) and, during installation, select Additional Domain Controller and finish the configuration.
21) The Infrastructure Master role is configured on the Secondary Domain Controller (FRD2.CLT.LOCAL), which is not a Global Catalog server.
22) Follow the above steps to configure the Domain Controllers on VLAN 2 and create the GPR.CLT.LOCAL namespace. This includes both the Child Domain Controller and the Secondary Child Domain Controller. The Secondary Child Domain Controller will not be promoted to Global Catalog server.
23) Configure the primary DNS server IP address to point to the Child Domain Controller.
24) Ensure the Active Directory DNS zones are replicated across the forest; this ensures that clients can find resource records in any of the domains. If you do not want to replicate the zones across the forest, you will have to rely on conditional forwarders.
25) The Infrastructure Master role should be configured on a Domain Controller that is not a Global Catalog server.
27) Configure the NTP service on the Domain Controller that holds the PDC Emulator role.
28) Create Active Directory sites to reflect the physical sites and associate them with the subnets.
29) Create server objects under the sites and ensure replication between CLT.LOCAL and GPR.CLT.LOCAL is working.
30) Remove the root hints on the Sec1.GPR.CLT.LOCAL DNS server.
31) To install the Domain Controller and DNS server in VLAN 3, perform the above steps, which include DNS configuration, Domain Controller installation and configuration, DNS IP address mapping, and configuration of AD Sites and Services.
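The build steps above (pre-checks, forest root and additional DC promotion, child domains, zone settings, FSMO and Global Catalog placement, time source, sites and subnets) are gathered into one script below as an added example; it is not SKV's or CLT's build script. It assumes the ADDSDeployment, ActiveDirectory, NetTCPIP and DnsServer modules of Windows Server 2012 or later (the Windows Server 2008 R2 build in this proposal would use dcpromo.exe and dnscmd.exe for the same steps). The subnet ranges, site names and NTP peer are placeholders; server and domain names are those of the proposal.

```powershell
# Added example, not SKV's or CLT's build script. Assumes the ADDSDeployment,
# ActiveDirectory, NetTCPIP and DnsServer modules of Windows Server 2012 or later;
# addresses, site names and the NTP peer are placeholders.
$Dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# Steps 1, 4 and 17: exactly one addressed adapter with a static IPv4 address and a
# gateway (no multi-homing), primary DNS not on loopback, system volume on NTFS.
function Assert-DcNetworkReady {
    $ifaces = @(Get-NetIPConfiguration | Where-Object { $_.IPv4Address })
    if ($ifaces.Count -ne 1) { throw "Expected one addressed interface, found $($ifaces.Count): multi-homed" }
    $ip = $ifaces[0].IPv4Address | Select-Object -First 1
    if ($ip.PrefixOrigin -ne 'Manual')      { throw "Address $($ip.IPAddress) is not static" }
    if (-not $ifaces[0].IPv4DefaultGateway) { throw 'No default gateway configured' }
    if ($ifaces[0].DNSServer.ServerAddresses -contains '127.0.0.1') { throw 'Primary DNS points at loopback' }
    if ((Get-Volume -DriveLetter $env:SystemDrive[0]).FileSystem -ne 'NTFS') { throw 'System volume is not NTFS' }
}

# Step 5: forest root on FRD1 (run on that server). DNS is installed with the forest.
function Install-ForestRoot {
    Assert-DcNetworkReady
    Install-ADDSForest -DomainName 'CLT.LOCAL' -DomainNetbiosName 'CLT' -InstallDns `
        -DomainMode Win2008R2 -ForestMode Win2008R2 -SafeModeAdministratorPassword $Dsrm -Force
}

# Steps 19 to 21: FRD2 points its primary DNS at FRD1 before joining, and is not a
# Global Catalog so it can hold the Infrastructure Master role.
function Install-AdditionalDc {
    param([string]$PrimaryDnsIp, [pscredential]$Cred)   # $PrimaryDnsIp: placeholder for FRD1's address
    Assert-DcNetworkReady
    $nic = (Get-NetIPConfiguration | Where-Object { $_.IPv4Address })[0].InterfaceAlias
    Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses $PrimaryDnsIp
    Install-ADDSDomainController -DomainName 'CLT.LOCAL' -InstallDns -NoGlobalCatalog `
        -Credential $Cred -SafeModeAdministratorPassword $Dsrm -Force
}

# Steps 22 and 31: first DC of a child domain (GPR on VLAN 2, FINANCE on VLAN 3),
# created with a forest-level credential.
function Install-ChildDomainDc {
    param([string]$Child, [pscredential]$Cred)
    Assert-DcNetworkReady
    Install-ADDSDomain -NewDomainName $Child -ParentDomainName 'CLT.LOCAL' -DomainType ChildDomain `
        -InstallDns -Credential $Cred -SafeModeAdministratorPassword $Dsrm -Force
}

# Steps 7, 8, 10 and 11 on the DNS server hosting a domain zone: secure dynamic
# updates only, aging and scavenging, forest-wide replication of the AD-integrated
# zone, and a reverse lookup zone per subnet.
function Set-ZoneHygiene {
    param([string]$Zone, [string[]]$Subnets)
    Set-DnsServerPrimaryZone -Name $Zone -ReplicationScope Forest
    Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate Secure
    Set-DnsServerZoneAging -Name $Zone -Aging $true -RefreshInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00
    Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00
    foreach ($net in $Subnets) {
        Add-DnsServerPrimaryZone -NetworkId $net -ReplicationScope Forest -DynamicUpdate Secure
    }
}

# Steps 18, 21, 25 and 27: the four remaining roles stay on the GC FRD1, the
# Infrastructure Master goes to the non-GC FRD2, and the PDC Emulator syncs time
# from an external NTP peer.
function Set-FsmoPlacement {
    param([string]$NtpPeer = 'ntp.example.net')        # placeholder
    Move-ADDirectoryServerOperationMasterRole -Identity 'FRD1' -Confirm:$false `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster
    Move-ADDirectoryServerOperationMasterRole -Identity 'FRD2' -OperationMasterRole InfrastructureMaster -Confirm:$false
    Invoke-Command -ComputerName 'FRD1' -ScriptBlock {
        w32tm /config /manualpeerlist:"$using:NtpPeer" /syncfromflags:manual /reliable:yes /update | Out-Null
        Restart-Service w32time
    }
}

# Steps 28 and 29: one site per physical location, each owning its subnets, and
# every DC moved into the site of the VLAN it lives on.
function Set-SiteTopology {
    param([hashtable]$SubnetsBySite, [hashtable]$DcSites)
    foreach ($site in $SubnetsBySite.Keys) {
        if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) { New-ADReplicationSite -Name $site }
        foreach ($net in $SubnetsBySite[$site]) { New-ADReplicationSubnet -Name $net -Site $site }
    }
    foreach ($dc in $DcSites.Keys) { Move-ADDirectoryServer -Identity $dc -Site $DcSites[$dc] }
}

# Placeholder topology for CLT (subnets invented for the example):
# Set-SiteTopology -SubnetsBySite @{ Sydney = @('10.1.0.0/24','10.2.0.0/24','10.3.0.0/24'); Melbourne = @('10.9.0.0/24') } `
#                  -DcSites @{ FRD1 = 'Sydney'; FRD2 = 'Sydney'; Sec1 = 'Sydney'; Sec2 = 'Sydney' }
```

Each function is run on the server it names, in the order of the steps: the forest root first, then FRD2, then the child domains, with Set-ZoneHygiene and Set-FsmoPlacement after the relevant DCs are up and Set-SiteTopology last, before replication is tested.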
After installation of Active Directory, SKV consultants will perform thorough tests of Active Directory replication using the AD replication tool, follow the Microsoft Operations Framework (Active Directory) to configure the performance benchmarks, and hand over the documents to CLT engineers.
SKV will design the AD delegation model based on the requirements from CLT, and the Group Policy design with AGPM in place.
Conclusion: This document sets out the steps and best practices to install and configure Active Directory Domain Controllers and DNS infrastructure, and provides a thorough checklist for performing DNS or Active Directory configuration.
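The post-installation testing described above, together with the verification steps in the installation list (SRV records in step 6, the empty hosts file in step 12, external resolution in step 14, and the port table), is shown below as an added example of the checks a reviewer would run against a freshly promoted DC. It is not SKV's test procedure. It assumes the DnsClient and ActiveDirectory modules and Test-NetConnection (Windows Server 2012 R2 or later), and $Dc and $DnsServer are placeholders for the server under test.

```powershell
# Added example, not SKV's test procedure. Assumes the DnsClient and ActiveDirectory
# modules and Test-NetConnection (Windows Server 2012 R2 or later).
$Dc        = 'FRD1.CLT.LOCAL'
$DnsServer = '10.1.0.10'        # placeholder: address of the DNS server being queried
$Zone      = 'CLT.LOCAL'

# Step 6: the SRV records every domain member depends on must exist and name a
# host inside the zone. Returns the list of missing or misdirected records.
function Test-DomainSrvRecords {
    param([string]$Zone, [string]$Server)
    $names = "_ldap._tcp.dc._msdcs.$Zone", "_kerberos._tcp.dc._msdcs.$Zone", "_kpasswd._tcp.$Zone"
    $missing = foreach ($n in $names) {
        $rec = Resolve-DnsName -Name $n -Type SRV -Server $Server -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not $rec -or -not ($rec.NameTarget -like "*.$Zone")) { $n }
    }
    return @($missing)           # empty means all records are present
}

# Port table: TCP reachability of the AD/DNS ports from a client VLAN. The UDP
# ports (53, 88, 123, 137, 138, 464) cannot be probed this way and need a
# protocol-level test such as the DNS and replication checks below.
function Test-DcTcpPorts {
    param([string]$Target)
    $ports = 53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 5722
    foreach ($p in $ports) {
        $ok = (Test-NetConnection -ComputerName $Target -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ Port = $p; Open = $ok }
    }
}

# Step 12: the local hosts file carries no active entries that could shadow DNS.
function Test-HostsFileEmpty {
    $path  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $lines = @(Get-Content $path | Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') })
    return ($lines.Count -eq 0)
}

# Step 14: a public name resolves through the VLAN1 forwarder path.
function Test-ExternalResolution {
    param([string]$Server, [string]$Name = 'CLT.com')
    $r = Resolve-DnsName -Name $Name -Type A -Server $Server -ErrorAction SilentlyContinue
    return [bool]$r
}

# Post-installation replication test: every inbound partner reports a zero last
# result and a successful sync within the last hour; repadmin gives the full
# matrix for the hand-over document.
function Test-ReplicationHealthy {
    param([string]$Target)
    $meta = Get-ADReplicationPartnerMetadata -Target $Target -Scope Server
    $bad  = @($meta | Where-Object { $_.LastReplicationResult -ne 0 -or $_.LastReplicationSuccess -lt (Get-Date).AddHours(-1) })
    repadmin /replsummary | Out-Null
    return ($bad.Count -eq 0)
}

# Example run against the placeholders above
$missing = Test-DomainSrvRecords -Zone $Zone -Server $DnsServer
Test-DcTcpPorts -Target $Dc | Format-Table -AutoSize
"SRV records missing: $($missing -join ', ')"
"Hosts file empty: $(Test-HostsFileEmpty)"
"External resolution OK: $(Test-ExternalResolution -Server $DnsServer)"
"Replication healthy: $(Test-ReplicationHealthy -Target $Dc)"
```

Run the script from a client VLAN as well as from the DC itself: the SRV and port checks from a client exercise the firewall rules CLT owns, while the replication check only has meaning on a DC with the ActiveDirectory module installed.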