SKV PROPOSAL TO CLT FOR ACTIVE DIRECTORY AND DNS IMPLEMENTATION



Date: April 22, 2013
Prepared by: Sainath K.E.V, Microsoft Most Valuable Professional

Introduction:

SKV Consulting is a Premier Consulting firm providing enterprise solutions for designing Microsoft technologies. SKV follows Microsoft standard frameworks and proven methodologies in designing and implementing infrastructure solutions. SKV has successfully performed enterprise infrastructure transformations, covering both desktop and server transformations, and has a proven track record of quality and delivery methodologies, providing value to its customers by reducing operating costs and increasing revenue.

SKV Solution for CLT

Solution Description:

CLT will be hosting its infrastructure on the Microsoft Hyper-V virtualization stack. The virtual infrastructure servers will host Microsoft Exchange Server, Microsoft Active Directory, Microsoft System Center Orchestrator, File Server, CLT application servers, Microsoft SQL Servers, etc. CLT has 3 production VLANs and 1 client VLAN configured on Cisco hardware; each VLAN is configured on Cisco 3750 series switches, and a dedicated patch panel separates the management switches from the clients and servers. A Fabric Interconnect provides the management interface, layered between the Layer 3 switch and the Cisco UCS blade servers. Each VLAN has a mix of Unix and Microsoft servers. Most Microsoft servers are virtualized and staged on Microsoft Hyper-V, with appropriate VLAN tags configured for communication between servers and storage arrays.

CLT is engaging SKV, a Microsoft Premier Consulting firm, to perform DNS design and configuration, which involves configuring DNS servers in three Active Directory domains and establishing communication across the DNS servers.

CLT Existing Data Center:

The existing CLT data center is hosted in Sydney and managed by in-house staff. CLT has 2 offices (Sydney and Melbourne); each site is hosted in its own data center, and the sites are connected with high-speed networks. The CLT DNS infrastructure should be configured to establish communications between Active Directory domains, applications and users. The infrastructure should be designed on the local namespace; the public namespace is managed by the ISP. Both branches are connected with IP VPN to the Sydney data center. The tables below show the existing servers and network infrastructure for both data centers.

CLT Network Infrastructure

  Component                     | Description
  Cisco Router 3750x            | Routing internet traffic
  Cisco 3750 Switch x 2         | VLAN enabled and configured
  Cisco 3750 Switch x 2         | Stack-cabled
  Cisco Fabric Interconnect x 2 | Management interface
  Cisco UCS Blade x 2           | Server virtualization
  Server VLAN                   | 3 server VLANs, 1 client VLAN

Microsoft Infrastructure

  Components                                    | VLAN    | Description
  Primary Domain Controller                     | VLAN 1  | Forest Root Domain
  Additional Domain Controller                  | VLAN 1  | Secondary Domain Controller with DNS
  Microsoft Hyper-V                             | VLAN 1  | Virtualization stack
  Microsoft Exchange Server                     | VLAN 1  | Exchange 2010
  Child Domain Controller                       | VLAN 2  | Child domain with DNS
  Microsoft SharePoint Server 2010              | VLAN 2  | SharePoint Services
  Microsoft System Center Operations Manager    | VLAN 2  | Server monitoring enterprise solution
  Microsoft System Center Configuration Manager | VLAN 2  | Patch management and software distribution
  Child Domain Controller                       | VLAN 3  | Child domain with DNS configured
  File Servers                                  | VLAN 3  |
  SCCM Distribution Point                       | VLAN 3  | DP for data access
  Certificate Server                            | Virtual | Virtual

DNS Namespace

  Namespace | Description       | Domain Controllers
  Local     | CLT.LOCAL         | FRD1.CLT.LOCAL, FRD2.CLT.LOCAL
  Local     | GPR.CLT.LOCAL     | Sec1.GPR.CLT.LOCAL, Sec2.GPR.CLT.LOCAL
  Local     | FINANCE.CLT.LOCAL | TH1.FINANCE.CLT.LOCAL, TH2.FINANCE.CLT.LOCAL
  Global    | CLT.com           | Hosted by ISP

Solution Diagram:

(Network diagram of the Sydney Data Center: Router 3750x; 3750 Switch 1 and 3750 Switch 2 carrying VLAN1-Prod, VLAN2-Prod and VLAN3-Prod; a second pair of 3750 switches; Fabric Interconnect 1 and Fabric Interconnect 2; Fabric Extenders; Hyper-V hosts on the UCS blade production environment.)

Technical Diagram:

(DNS resolution flow diagram: DNS requests for the 3 domains from the User and the Application Server; the DC/DNS Server (Secondary / Domain 2) and the DNS Server (Secondary / Domain 3); the DNS Server (FRD) acting as forwarder and returning the forwarder response.)

Data Communication:

The following is the proposed DNS name resolution design for the CLT infrastructure. Active Directory domains will be staged by SKV consultants, and the relevant DNS routing will be established between the 3 domains. Any specific requirements with respect to name resolution will be managed by SKV consultants. Intranet DNS name resolution is performed by the DNS servers across the Active Directory forest; any primary DNS zone configured without Active Directory integration should be managed independently through its zone file. Public namespace resolution is performed by the DNS server configured in the VLAN1 network. Though it is not advisable to have a production DNS server communicate with the public ISP, it is a temporary design to have the Domain 1 DNS forward requests to the ISP namespace. Once CLT creates a dedicated DMZ zone, a DMZ DNS server will be configured to resolve public namespaces.

Requirement Understanding:

The following are the requirements gathered after infrastructure analysis and discussion with the architectural group.

CLT Tasks:
1. Data center hosting is performed by CLT employees.
2. Configuration of Cisco switches and VLANs is performed by CLT.
3. Internet Protocol addresses are provided to SKV consultants by CLT.
4. Firewall exception rules are performed by CLT.
5. Server maintenance, including server patch management, is performed by CLT.
6. Storage provisioning, including provision of LUNs and configuration of iSCSI on Windows Servers, is performed by CLT.
7. Communication between VLANs is provisioned by CLT.
8. DR procedures are managed by a 3rd-party vendor.
9. The private namespace is hosted by CLT.
10. Privileges to log on to DNS servers / domain controllers are provisioned by CLT, which includes Group Policy creation and service account provisioning.

SKV Tasks:
a) Installation and configuration of the Windows Server operating systems for the domain controllers is performed by SKV.
b) Windows Updates on all the servers are performed by SKV.
c) Firewall exception rules are provided by SKV to CLT, including the Domain Controller, DNS, RPC and UDP exception rules.

d) DNS infrastructure design is performed by SKV.
e) DNS implementation is performed by SKV.
f) DNS impact analysis is performed by SKV.
g) DNS tests are performed by SKV.
h) The public namespace is managed by the ISP.
i) Domain controller replication is configured by SKV.
j) Active Directory sites and subnets are configured by SKV.

DNS Design Considerations:

SKV has the following design for configuring the DNS infrastructure for CLT.
a) DNS server IPs will be configured with private Internet Protocol addresses (IPv4).
b) DNS servers will be staged in different domains on 3 different VLANs.
c) Clients (which includes client OS / server OS) will point to the domain-specific DNS server, and any request for the public namespace will be managed by the DNS server hosted in VLAN1.
d) Inbound and outbound firewall ports should be managed by CLT for DNS requests.
e) Root hints will be deleted on the Domain 2 and Domain 3 DNS servers.
f) Disable caching on the VLAN1 DNS servers, which prevents possible DNS cache poisoning.
g) Configure secondary zones for the 3 local namespaces.

Active Directory Design Considerations:

SKV has the following design for configuring the AD infrastructure for CLT.
a) Creating a forest design is performed by SKV, and CLT has to approve the forest design.
b) The domain design is submitted by SKV to CLT, and changes will be performed if required.
c) There should be a minimum of 2 domain controllers for each domain in the CLT environment.
d) Place the Infrastructure Master role on a non-Global Catalog server, as SKV's proposed solution is not to make all DCs GCs.
e) Organizational Unit design is performed by SKV.
f) Active Directory site topology is designed by SKV.
g) Domain controller capacity planning is determined by SKV.
h) Active Directory functional level design is performed by SKV.
i) Active Directory delegation model design is performed by SKV.

Installation Pre-requisites:

SKV assumes that the following are provisioned by CLT respectively.
a) Provision of virtual servers, which includes hardware, network and memory, is configured by CLT professionals.
b) Installation and configuration of the Windows Server 2008 R2 (Full edition) operating system in all the 3 VLANs is performed by SKV consultants.
c) Network devices and ports are configured by CLT engineers, who ensure the firewall ports are opened for DNS server communications between VLANs.
d) Remote monitoring for the servers is provisioned, and the desired firewall ports are enabled for SKV consultants to access the servers on the different farms.
e) Ensure the patching of the servers is compliant with the CLT standards and performed by the CLT operations team.
f) Ensure auditing of the servers is performed prior to installing the domain controllers.
g) Ensure all the relevant applications (e.g. anti-virus) are installed and configured on the server which will be configured as DNS server.

Assumptions:
- This document will not provide detailed step-by-step visual information about the configuration of the DNS server in the VLAN domains.
- This document will not cover step-by-step information about installing and configuring domain controllers.
- This document will provide best practices to design and plan the DNS and AD infrastructure on the specific network.

Installation Steps:

The following are the installation steps for installing and configuring the Active Directory and DNS infrastructure in the CLT data center.
1) Ensure static IP addresses are configured on the servers which are getting promoted to domain controllers, and validate the subnet mask and default gateway configured on the server. Strictly no multi-homed networks.
2) Ensure the network ports are opened for the various Active Directory and DNS communications:

  Protocol and Port   | AD and AD DS Usage                                                                              | Type of traffic
  TCP and UDP 389     | Directory, Replication, User and Computer Authentication, Group Policy, Trusts                   | LDAP
  TCP 636             | Directory, Replication, User and Computer Authentication, Group Policy, Trusts                   | LDAP SSL
  TCP 3268            | Directory, Replication, User and Computer Authentication, Group Policy, Trusts                   | LDAP GC
  TCP 3269            | Directory, Replication, User and Computer Authentication, Group Policy, Trusts                   | LDAP GC SSL
  TCP and UDP 88      | User and Computer Authentication, Forest Level Trusts                                            | Kerberos
  TCP and UDP 53      | User and Computer Authentication, Name Resolution, Trusts                                        | DNS
  TCP and UDP 445     | Replication, User and Computer Authentication, Group Policy, Trusts                              | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
  TCP 25              | Replication                                                                                     | SMTP
  TCP 135             | Replication                                                                                     | RPC, EPM
  TCP Dynamic         | Replication, User and Computer Authentication, Group Policy, Trusts                              | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
  TCP 5722            | File Replication                                                                                | RPC, DFSR (SYSVOL)
  UDP 123             | Windows Time, Trusts                                                                            | Windows Time
  TCP and UDP 464     | Replication, User and Computer Authentication, Trusts                                            | Kerberos change/set password
  UDP Dynamic         | Group Policy                                                                                    | DCOM, RPC, EPM
  UDP 138             | DFS, Group Policy                                                                               | DFSN, NetLogon, NetBIOS Datagram Service
  TCP 9389            | AD DS Web Services                                                                              | SOAP
  UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service but it is often present in many AD DS deployments.) | DHCP, MADCAP
  UDP 137             | User and Computer Authentication                                                                | NetLogon, NetBIOS Name Resolution
  TCP 139             | User and Computer Authentication, Replication                                                    | DFSN, NetBIOS Session Service, NetLogon

3) Ensure the account provisioned to promote the server has the required permissions to install the domain controller and launch Server Manager on all the operating systems which are promoted to domain controllers.
4) Verify that the disk partition is formatted with NTFS.
5) Install Active Directory on FRD1.CLT.LOCAL, which is configured with Windows Server 2008 R2 and acts as the Forest Root Domain. During the installation, it will prompt for installing the DNS service; accept and complete the configuration.
6) Verify the DNS zone CLT.LOCAL and the corresponding folders (_msdcs, _tcp, _udp, _sites) are created and populated with:
   a) Kerberos SRV records pointing to the domain controller
   b) LDAP record pointing to the domain controller
   c) _kpasswd SRV record pointing to the domain controller
7) Ensure dynamic updates are configured on the DNS zone.
8) Enable aging and scavenging on the DNS server.
9) Ensure the forwarding timeout is set to 6 seconds.
10) Ensure the Active Directory DNS zones are replicated across the forest; this ensures that clients can find resource records in either of the domains.
11) Configure the DNS reverse lookup zones for the specific IP subnets.
12) Ensure the DNS hosts file on the DNS server is empty.
13) Ensure the recursion timeout is greater than the forwarding timeout.

14) Test the name resolution from a client operating system and from any applications which are requesting the external namespace (CLT.com or Microsoft.com).
15) Use Wireshark / Netmon sniffer utilities to analyze the response time. This includes a thorough understanding of the client NIC adapter, MTU size and RSS response times.
16) Apply the required server hardening and the Group Policies to manage the DNS infrastructure, which includes configuring the client DNS suffix list with CLT.LOCAL, GPR.CLT.LOCAL and FINANCE.CLT.LOCAL.
17) On the Forest Root Domain, point the domain controller's primary DNS server to itself (remove 127.0.0.1 / loopback address) and configure it with the static IPv4 address.
18) The Schema Master, Domain Naming Master, PDC Emulator and RID Master roles are installed on the CLT.LOCAL domain controller, which is also a Global Catalog.
19) On the server which is going to be promoted as Additional Domain Controller (FRD2.CLT.LOCAL), ensure the primary DNS server IP address points to the FRD1.CLT.LOCAL server.
20) To install the Additional Domain Controller, perform the above tasks (1 to 4) and, during installation, select Additional Domain Controller and finish the configuration.
21) The Infrastructure Master role is configured on the secondary domain controller (FRD2.CLT.LOCAL), which is not a Global Catalog server.
22) Follow the above steps to configure domain controllers on VLAN 2 and create the GPR.CLT.LOCAL namespace. This includes both the Child Domain Controller and the Secondary Child Domain Controller. The Secondary Child Domain Controller will not be promoted to Global Catalog server.
23) Configure the primary DNS server IP address to point to the Child Domain Controller.
24) Ensure the Active Directory DNS zones are replicated across the forest; this ensures that clients can find resource records in either of the domains. If you do not want to replicate the zones across the forest, you may have to rely on conditional forwarders.
25) The Infrastructure Master role should be configured on a domain controller that is not a Global Catalog server.
26) The PDC Emulator and RID Master are configured on the Global Catalog server (Sec1.GPR.CLT.LOCAL).

27) Configure the NTP service on the domain controller which holds the PDC Emulator role.
28) Create Active Directory sites to reflect the physical sites and associate them with the subnets.
29) Create server objects under the sites and ensure the replication between CLT.LOCAL and GPR.CLT.LOCAL is working.
30) Remove the root hints on the Sec1.GPR.CLT.LOCAL DNS server.
31) To install the domain controller and DNS server in VLAN 3, perform the above steps, which include DNS configuration, domain controller installation and configuration, DNS IP address mapping, and configuration of AD Sites and Services.

Post installation of Active Directory, SKV consultants will perform thorough tests on Active Directory replication using the AD replication tool, follow the Microsoft Operations Framework (Active Directory) to configure the performance benchmarks, and hand over the documents to CLT engineers. SKV will design the AD delegation model based on the requirements from CLT, and the Group Policy design with AGPM in place.

Conclusion:

This document provides the steps to install and configure Active Directory domain controllers and the DNS infrastructure, along with best practices, and provides a thorough checklist for performing DNS or Active Directory configuration.
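The port table under installation step 2 is the list CLT's firewall exceptions must allow between the VLANs. The following is an added PowerShell example, not part of the SKV proposal: it probes the fixed TCP ports from that table against the proposal's domain controllers, using System.Net.Sockets.TcpClient so that it also runs on Windows Server 2008 R2 / PowerShell 2.0 where Test-NetConnection is not available. Server names are taken from the DNS namespace table; the UDP-only and dynamic-range entries of the table cannot be verified with a TCP connect and are left to the firewall review.

```powershell
# Added example (not part of the SKV proposal): TCP reachability check for the
# fixed AD DS ports in the proposal's port table, run from a member server or
# client in one VLAN against the domain controllers in the other VLANs.
$DomainControllers = 'FRD1.CLT.LOCAL', 'Sec1.GPR.CLT.LOCAL', 'TH1.FINANCE.CLT.LOCAL'

# Fixed TCP ports from the proposal's table (UDP-only services and the dynamic
# RPC range are not testable with a TCP connect and are omitted).
$AdPorts = @(
    @{ Port = 389;  Name = 'LDAP' }
    @{ Port = 636;  Name = 'LDAP SSL' }
    @{ Port = 3268; Name = 'LDAP GC' }
    @{ Port = 3269; Name = 'LDAP GC SSL' }
    @{ Port = 88;   Name = 'Kerberos' }
    @{ Port = 53;   Name = 'DNS' }
    @{ Port = 445;  Name = 'SMB / CIFS' }
    @{ Port = 135;  Name = 'RPC Endpoint Mapper' }
    @{ Port = 5722; Name = 'DFSR (SYSVOL)' }
    @{ Port = 464;  Name = 'Kerberos change/set password' }
    @{ Port = 9389; Name = 'AD DS Web Services' }
    @{ Port = 139;  Name = 'NetBIOS Session Service' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # TcpClient is available on PowerShell 2.0 / Windows Server 2008 R2, unlike
    # Test-NetConnection, which needs Windows 8.1 / Server 2012 R2 or later.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No SYN-ACK within the timeout: filtered by a firewall or host down.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($dc in $DomainControllers) {
    foreach ($entry in $AdPorts) {
        New-Object PSObject -Property @{
            DomainController = $dc
            Port             = $entry.Port
            Service          = $entry.Name
            Open             = Test-TcpPort -ComputerName $dc -Port $entry.Port
        }
    }
}

# A closed port here is either a missing CLT firewall exception (SKV task c)
# or a DC that is not listening; either breaks replication or authentication.
$results | Sort-Object DomainController, Port |
    Format-Table DomainController, Port, Service, Open -AutoSize
$results | Where-Object { -not $_.Open } | ForEach-Object {
    Write-Warning ("{0}: TCP {1} ({2}) is not reachable" -f $_.DomainController, $_.Port, $_.Service)
}
```

Run it once from a host in each of the three VLANs and once from the client VLAN, since the required exceptions differ per source network.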
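The DNS and AD design considerations and installation steps 6 to 13, 17, 18, 21, 25, 26 and 30 together form a checklist that can be verified after promotion rather than inspected by hand. The following added PowerShell example (not part of the SKV proposal) performs that verification; it assumes the DnsServer and ActiveDirectory modules (Windows Server 2012 or RSAT) with remote access to the DNS servers, administrative rights for reading the remote hosts file over the admin$ share, and uses the proposal's own zone and server names.

```powershell
# Added example (not part of the SKV proposal): verify a domain's DNS server and
# FSMO placement against the proposal's design items and installation steps.
# Assumes the DnsServer and ActiveDirectory modules and admin rights on the targets.
Import-Module DnsServer, ActiveDirectory

function Test-CltDnsServer {
    param(
        [string]$Server,                  # e.g. Sec1.GPR.CLT.LOCAL
        [string]$Zone,                    # e.g. GPR.CLT.LOCAL
        [bool]$ExpectRootHints = $false,  # only the VLAN1 (forest root) DNS keeps root hints
        [int]$ExpectedForwardTimeout = 6  # step 9
    )
    $findings = @()

    # Step 6: the SRV records clients use to locate a DC must exist for this zone.
    foreach ($svc in '_ldap._tcp.dc._msdcs', '_kerberos._tcp.dc._msdcs', '_kpasswd._tcp') {
        $srv = Resolve-DnsName -Name "$svc.$Zone" -Type SRV -Server $Server -ErrorAction SilentlyContinue
        if (-not $srv) { $findings += "missing SRV record $svc.$Zone" }
    }

    # Steps 7, 8 and 10/24: dynamic updates, aging/scavenging, forest-wide replication.
    # Secure is the AD-integrated default; NonsecureAndSecure lets any host overwrite records.
    $zoneInfo = Get-DnsServerZone -Name $Zone -ComputerName $Server
    if ($zoneInfo.DynamicUpdate -ne 'Secure') { $findings += "dynamic update is $($zoneInfo.DynamicUpdate), expected Secure" }
    if (-not (Get-DnsServerZoneAging -Name $Zone -ComputerName $Server).AgingEnabled) { $findings += 'aging disabled on zone' }
    if (-not (Get-DnsServerScavenging -ComputerName $Server).ScavengingState) { $findings += 'scavenging disabled on server' }
    if (-not $zoneInfo.IsDsIntegrated -or $zoneInfo.ReplicationScope -ne 'Forest') {
        $findings += "zone replication scope is $($zoneInfo.ReplicationScope), expected Forest"
    }

    # Steps 9 and 13: forwarding timeout of 6 s, recursion timeout greater than it.
    $fwd = Get-DnsServerForwarder -ComputerName $Server
    $rec = Get-DnsServerRecursion -ComputerName $Server
    if ($fwd.Timeout -ne $ExpectedForwardTimeout) { $findings += "forwarder timeout is $($fwd.Timeout)s, expected $ExpectedForwardTimeout" }
    if ($rec.Timeout -le $fwd.Timeout) { $findings += "recursion timeout $($rec.Timeout)s is not greater than forwarder timeout $($fwd.Timeout)s" }

    # Design item e / step 30: root hints removed on the Domain 2 and Domain 3 DNS servers.
    $hints = @(Get-DnsServerRootHint -ComputerName $Server -ErrorAction SilentlyContinue)
    if (-not $ExpectRootHints -and $hints.Count -gt 0) { $findings += "$($hints.Count) root hints still present" }

    # Step 12: the hosts file must hold no active entries (comments and blanks are fine).
    $hosts = Get-Content "\\$Server\admin$\System32\drivers\etc\hosts" |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
    if ($hosts) { $findings += "hosts file has $(@($hosts).Count) active entries" }

    New-Object PSObject -Property @{ Server = $Server; Zone = $Zone; Findings = $findings }
}

function Test-CltFsmoPlacement {
    # Design item d, steps 21 and 25: the Infrastructure Master must not be a GC
    # while some DCs in the forest are not GCs.
    param([string]$Domain)
    $d  = Get-ADDomain -Identity $Domain
    $im = Get-ADDomainController -Identity $d.InfrastructureMaster
    if ($im.IsGlobalCatalog) { "Infrastructure Master $($im.HostName) is a Global Catalog" }
    else { "Infrastructure Master $($im.HostName) is not a GC: OK" }
}

Test-CltDnsServer -Server 'FRD1.CLT.LOCAL' -Zone 'CLT.LOCAL' -ExpectRootHints $true
Test-CltDnsServer -Server 'Sec1.GPR.CLT.LOCAL' -Zone 'GPR.CLT.LOCAL'
Test-CltFsmoPlacement -Domain 'GPR.CLT.LOCAL'
```

An empty Findings list for each server is the expected hand-over state; any finding maps directly to the numbered step that needs to be revisited.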