Active Directory Planning Worksheets

Taken with permission from Active Directory Planning and Design by Harry Brelsford

 

Table 1: Business Needs Analysis (Q and A)

Table 2: Business Requirements Analysis

Table 3: Project Plan

Table 4: Active Directory Design and Planning Team

Table 5: Technical Requirements Analysis

Table 6: Security Requirements Planning

Table 7: Windows 2000 Server Network Infrastructure Planning

Table 8: Active Directory Design and Planning

Table 9: Windows NT 4.0 to Windows 2000 Migration Planning

 

Table 1: Business Needs Analysis (Q and A)

Question

Answer

Have you clearly defined the nature of the organization’s business?

 

Has the organization developed a clear sense of direction or mission?

 

Does the organization have a clear philosophy for conducting its business affairs?

 

Are the organization’s business goals attainable?

 

Are the organization’s objectives logically related in a hierarchy that will lead to goal achievement?

 

Does the organization periodically reevaluate its objectives to be sure they have not grown obsolete?

 

Has the organization developed a logical and planned approach for collecting data on its internal and external environment?

 

Are data stored or filed in ways that allow easy retrieval of useful information?

 

Are reports produced that are seldom or never used?

 

Does the organization periodically review its information system to make certain it is useful and up-to-date?

 

List four or five key strengths of the organization.

 

What are key weaknesses in the organization?

 

In developing the organization’s final strategy, did it consider three or four possible alternatives?

 

Are employees involved in making planning decisions?

 

Did management take time to communicate the final strategic plan to employees and deal with their concerns?

 

Is the timetable for implementation of the strategic plan realistic?

 

Have definite checkpoints been scheduled for assessing progress toward goals?

 

Has the organization developed effective ways of measuring progress?

 

 


 

Table 2: Business Requirements Analysis

Analysis Item

Sub-Analysis Item

Completed

Analyze the existing and planned business models

 

 

 

Analyze the company model and the geographical scope. Models include regional, national, international, subsidiary, and branch offices.

 

 

Analyze company processes. Processes include information flow, communication flow, service and product life cycles, and decision-making.

 

Analyze the existing and planned organizational structures. Considerations include management model; company organization; vendor, partner, and customer relationships; and acquisition plans.

 

 

Analyze factors that influence company strategies.

 

 

 

Identify company priorities.

 

 

Identify the projected growth and growth strategy.

 

 

Identify relevant laws and regulations.

 

 

Identify the company’s tolerance for risk.

 

 

Identify the total cost of operations

 

Analyze the structure of IT management. Considerations include type of administration, such as centralized or decentralized; funding model; outsourcing; decision-making process; and change-management process.

 

 

Analyze business and security requirements for the end user.

 

 

Analyze the current physical model and information security model.

 

 

 

Analyze internal and external security risks.

 

Other

 

 

Other

 

 

Other

 

 

 


 

Table 3: Project Plan

Phase

Tasks

Duration / Assigned Resources / Comments

A. AD Design Creation

 

 

 

A.1. Namespace (DNS) Selection

 

 

A.2. Namespace Design

 

 

A.3. Domain Tree/Forest Architectural Development

 

 

A.4. AD Domain Naming Conventions

 

 

A.5. DNS Design

 

 

A.6. DNS Interoperability Issues

 

 

A.7. DNS Zones and Administrative Model Development

 

 

A.8. OU Development and Design

 

 

A.9. Group and User Design

 

 

A.10. Security Design and Development

 

 

A.11. Delegation of Authority Design

 

 

A.12. AD/Windows 2000 Capacity Planning

 

 

A.13. Design of Group Policies

 

B. Test Lab (Proof of Concept)

 

 

 

B.1. Testing Server Functionality

 

 

B.2. Core Service Testing (DNS, DHCP, WINS)

 

 

B.3. Server Interoperability and Coexistence Testing

 

 

B.4. Server Migration Testing

 

 

B.5. Desktop Testing (Operating System, Applications)

 

 

B.6. Network Infrastructure

 

 

B.7. Hardware Infrastructure

 

C. Production Pilot

 

 

 

C.1. Launch Pilot Phase

 

 

C.2. Pilot Planning Tasks

 

 

C.3. Pilot Feedback

 

D. Rollout

 

 

 

D.1. Develop Implementation Plan

 

 

D.2. Perform Work

 

 

D.3. Troubleshooting

 

 

D.4. Feedback

 

Other

 

 

Other

 

 

Other

 

 

 


 

Table 4: Active Directory Design and Planning Team

Team Member

Role

Comments

 

Enterprise or AD Architect

 

 

Corporate Standards Implementation Lead

 

 

Deployment Site Lead

 

 

Deployment Team Lead

 

 

Help Desk Lead

 

 

Networking Lead

 

 

Services/Product/Technology Lead

 

 

Developer Lead

 

 

End User Lead

 

 

Senior Management/Executive Representative

 

 

Line Manager(s)

 

 

Other

 

 

Other

 

 

Other

 

 


 

Table 5: Technical Requirements Analysis

Analysis Item

Sub-Analysis Item

Completed

Evaluate the company’s existing and planned technical environment and goals

 

 

 

Analyze company size and user and resource distribution

 

 

Assess the available connectivity between the geographic location of worksites and remote sites

 

 

Assess the net available bandwidth and latency issues

 

 

Analyze performance, availability, and scalability requirements of services

 

 

Analyze the method of accessing data and systems

 

 

Analyze network roles and responsibilities. Roles include administrative, user, service, resource ownership, and application.

 

 

Analyze security considerations

 

Analyze the impact of Active Directory on the existing and planned technical environment

 

 

 

Assess existing systems and applications

 

 

Identify existing and planned upgrades and rollouts

 

 

Analyze technical support structure

 

 

Analyze existing and planned network and system management

 

Analyze the business requirements for client computer desktop management

 

 

 

Analyze end-user work needs

 

 

Identify technical support needs for end-users

 

Establish the required client computer environment standards

 

 

Analyze the existing disaster recovery strategy for client computers, servers, and the network

 

 

Analyze the impact of infrastructure design on the existing and planned technical environment

 

 

 

Assess current applications

 

 

Analyze network infrastructure, protocols, and hosts

 

 

Evaluate network services

 

 

Analyze TCP/IP infrastructure

 

 

Assess current hardware

 

 

Identify existing and planned upgrades and rollouts

 

 

Analyze technical support structure

 

 

Analyze existing and planned network and systems management

 

Other

 

 

Other

 

 

Other

 

 

 


 

Table 6: Security Requirements Planning

Analysis Item

Sub-Analysis Item

Completed

Design a security baseline for a Windows 2000 network that includes domain controller, operations masters, application servers, file and print servers, RAS servers, desktop computers, portable computers, and kiosks

 

 

Identify the required level of security for each resource. Resources include printers, files, shares, Internet access, and dial-in access

 

 

Design an audit policy

 

 

Design a delegation of authority policy

 

 

Design the placement and inheritance of security policies for sites, domains, and organizational units

 

 

Design an Encrypting File System strategy

 

 

Design an authentication strategy

 

 

 

Select authentication methods. Methods include certificate-based authentication, Kerberos authentication, clear-text passwords, digest authentication, smart cards, NTLM, RADIUS, and SSL.

 

 

Design an authentication strategy for integration with other systems

 

Design a security group strategy

 

 

Design a Public Key Infrastructure

 

 

 

Design Certificate Authority (CA) hierarchies

 

 

Identify certificate server roles

 

 

Certificate management plan

 

 

Integrate with third-party CAs

 

 

Map certificates

 

Design Windows 2000 network services security

 

 

 

Design Windows 2000 DNS security

 

 

Design Windows 2000 Remote Installation Services (RIS) security

 

 

Design Windows 2000 SNMP security

 

 

Design Windows 2000 Terminal Services security

 

Provide secure access to public networks from a private network

 

 

Provide external users with secure access to private network resources

 

 

Provide secure access between private networks

 

 

 

Provide secure access within a LAN

 

 

Provide secure access within a WAN

 

 

Provide secure access across a public network

 

Design Windows 2000 security for remote access users

 

 

Design a Server Message Block (SMB) signing solution

 

 

Design an IPSec solution

 

 

 

Design an IPSec encryption scheme

 

 

Design an IPSec management strategy

 

 

Design negotiation policies

 

 

Design security policies

 

 

Design IP filters

 

 

Design security levels

 

Other

 

 

Other

 

 

Other

 

 

 


 

Table 7: Windows 2000 Server Network Infrastructure Planning

Analysis Item

Sub-Analysis Item

Completed

Modify and design a network topology

 

 

Design network services that support application architecture

 

 

Design a resource strategy

 

 

 

Plan for the placement and management of resources

 

 

Plan for growth

 

 

Plan for decentralized or centralized resources

 

Design a TCP/IP networking strategy

 

 

 

Analyze IP subnet requirements

 

 

Design a TCP/IP addressing and implementation plan

 

 

Measure and optimize a TCP/IP infrastructure design

 

 

Integrate software routing into existing networks

 

 

Integrate TCP/IP with existing WAN requirements

 

Design a plan for the interaction of Windows 2000 network services such as WINS, DHCP, and DNS

 

 

Design a DHCP strategy

 

 

 

Integrate DHCP into a routed environment

 

 

Integrate DHCP with Windows 2000

 

 

Design a DHCP service for remote locations

 

 

Measure and optimize a DHCP infrastructure design

 

Design name resolution services

 

 

 

Create an integrated DNS design

 

 

Create a secure DNS design

 

 

Create a highly available DNS design

 

 

Measure and optimize a DNS infrastructure design

 

 

Design a DNS deployment strategy

 

 

Create a WINS design

 

 

Create a secure WINS design

 

 

Measure and optimize a WINS infrastructure design

 

 

Design a WINS deployment strategy

 

Design a multi-protocol strategy. Protocols include IPX/SPX and SNA

 

 

Design a Distributed file system (Dfs) strategy

 

 

 

Design the placement of a Dfs root

 

 

Design a Dfs root replica strategy

 

Designing for Internet Connectivity

 

 

 

Design an Internet and extranet access solution. Components of the solution could include proxy server, firewall, routing and remote access, Network Address Translation (NAT), connection sharing, Web server, or mail server

 

 

Design a load-balancing strategy

 

Design an implementation strategy for dial-up remote access

 

 

 

Design a remote access solution that uses Routing and Remote Access

 

 

Integrate authentication with Remote Authentication Dial-In User Service (RADIUS)

 

Design a virtual private network (VPN) strategy

 

 

Design a Routing and Remote Access routing solution to connect locations

 

 

 

Design a demand-dial routing strategy

 

Other

 

 

Other

 

 

Other

 

 

 


 

Table 8: Active Directory Design and Planning

Analysis Item

Sub-Analysis Item

Completed

Design an Active Directory forest and domain structure

 

 

 

Design a forest and schema structure

 

 

Design a domain structure

 

 

Analyze and optimize trust relationships

 

Design an Active Directory naming strategy

 

 

 

Establish the scope of the Active Directory

 

 

Design the namespace

 

 

Plan DNS strategy

 

Design and plan the structure of organizational units (OU). Considerations include administration control, existing resource domains, administrative policy, and geographic and company structure.

 

 

 

Develop an OU delegation plan

 

 

Plan Group Policy Object management

 

 

Plan policy management for client computers

 

Plan for the coexistence of Active Directory and other directory services

 

 

Design an Active Directory site topology

 

 

 

Design a replication strategy

 

 

Define site boundaries

 

Design a schema modification policy

 

 

Design an Active Directory implementation plan

 

 

Design the placement of operations masters

 

 

 

Considerations include performance, fault tolerance, functionality, and manageability

 

Design the placement of Global Catalog Servers

 

 

 

Considerations include performance, fault tolerance, functionality, and manageability

 

Design the placement of domain controllers

 

 

 

Considerations include performance, fault tolerance, functionality, and manageability

 

Design the placement of DNS servers

 

 

 

Considerations include performance, fault tolerance, functionality, and manageability

 

 

Plan for interoperability with the existing DNS

 

Other

 

 

Other

 

 

Other

 

 

 


 

Table 9: Windows NT 4.0 to Windows 2000 Migration Planning

Analysis Item

Sub-Analysis Item

Completed

Choose the type of migration. Types include upgrade, restructure Windows NT to Windows 2000, restructure Windows 2000 to Windows 2000, upgrade and restructure, inter-forest restructure, and intra-forest restructure

 

 

Plan the domain restructure

 

 

 

Select the domain to be restructured and decide on the proper order for restructuring them. Decide when incremental migrations are appropriate

 

 

Implement organizational units (OUs)

 

Select the appropriate tools for implementing the migration from Windows NT to Windows 2000. Tools include Active Directory Migration Tool (ADMT); ClonePrincipal and NETDOM (for inter-forest type), and Move Tree and NETDOM (for intra-forest type)

 

 

Perform pre-migration tasks

 

 

 

Develop a testing strategy for upgrading and implementing a pilot migration

 

 

Prepare the environment for upgrade. Considerations include readiness remediation

 

Plan to install or upgrade DNS

 

 

Plan the upgrade for hardware, software, and infrastructure

 

 

 

Assess current hardware

 

 

Assess and evaluate security implications. Considerations include physical security, delegating control to groups, and evaluating post-migration security risks

 

 

Assess and evaluate application compatibility. Considerations include Web Server, Microsoft Exchange, and line of business (LOB) applications.

 

 

Assess the implications of an upgrade for network services. Considerations include RAS, networking protocols, DHCP, LAN Manager Replication, WINS, NetBIOS, and third-party DNS.

 

 

Assess security implications. Considerations include physical security, certificate services, SID history, and evaluating post-migration security risks

 

Identify upgrade paths. Considerations include O/S version and service packs

 

 

Develop a recovery plan. Considerations include Security Account Manager, WINS, DHCP, and DNS

 

 

Upgrade the PDC, the BDCs, the application servers, and the RAS servers

 

 

Implement system policies as Group Policies

 

 

Implement replication bridges as necessary

 

 

Decide when to switch to native mode

 

 

If necessary, develop a procedure for restructuring. Create a Windows 2000 target domain, if necessary

 

 

 

Create trusts as necessary

 

 

Create OUs

 

 

Create sites

 

 

Reapply account policies and user rights in the Windows 2000 Group Policy

 

Plan for migration

 

 

 

Migrate groups and users

 

 

Migrate local groups and computer accounts

 

Verify the functionality of Exchange. Considerations include service accounts and mailboxes

 

 

 

Map mailboxes

 

Test the deployment

 

 

Implement disaster recovery plans

 

 

 

Have a plan to restore to a pre-migration environment

 

Perform post-migration tasks

 

 

 

Redefine DACLs

 

 

Back up source domains

 

 

Decommission source domains and redeploy domain controllers

 

Other

 

 

Other

 

 

Other