Best Practices for Active Directory


The following is a set of best practices to use when setting up and working with Active Directory:

  • As a security best practice, it's recommended that you do not log on to your computer with administrative credentials. When you are logged on to your computer without administrative credentials, you can use Run As to accomplish administrative tasks.

    More Information

    For more information, see "Why You Should Not Run Your Computer as an Administrator" and "Using Run As" in the Windows Server 2003 Help and Support Center.


  • To further secure Active Directory, you should implement the following security guidelines:

    • Rename or disable the Administrator account (and the Guest account) in each domain to prevent attacks on your domains. For more information, see "User and Computer Accounts" in the Help and Support Center.

    • Physically secure all domain controllers in a locked room.

    • Manage the security relationship between two forests, and simplify security administration and authentication across forests.

    • To provide additional protection for the Active Directory schema, remove all users from the Schema Admins group, and add a user to the group only when schema changes need to be made. Once the changes have been made, remove the user from the group.

    • Restrict user, group, and computer access to shared resources; filter Group Policy settings.

    • By default, all traffic on Active Directory administration tools is signed and encrypted while in transit on the network. Do not disable this feature.

    • Some default user rights assigned to specific default groups might allow members of those groups to gain additional rights in the domain, including administrative rights. Therefore, your organization must equally trust all personnel that are members of the Enterprise Admins, Domain Admins, Account Operators, Server Operators, Print Operators, and Backup Operators groups.

    • Establish as a site every geographic area that requires fast access to the latest directory information.

    More Information

    For general security information about Active Directory, see "Security Overview for Active Directory" and "Securing Active Directory" in the Windows .NET Server Help and Support Center.
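    The two guidelines above about Schema Admins and the highly trusted built-in groups are easy to audit. The following script is an added example (not from the book) that lists the recursive membership of those groups and flags any standing member of Schema Admins; it assumes the RSAT ActiveDirectory module, read access to the domain, and the default English group names.

```powershell
# Added example (not part of the original text): audit membership of the
# privileged groups named in the guidelines above. Schema Admins should be
# empty between schema changes, so any member there is reported as a finding.
# Assumes: ActiveDirectory module (RSAT), read access, default group names.
Import-Module ActiveDirectory

# Groups whose members the text says must all be equally trusted.
$PrivilegedGroups = @(
    'Enterprise Admins', 'Domain Admins', 'Account Operators',
    'Server Operators', 'Print Operators', 'Backup Operators'
)

function Get-PrivilegedGroupReport {
    $report = foreach ($group in ($PrivilegedGroups + 'Schema Admins')) {
        # Enterprise Admins and Schema Admins exist only in the forest root
        # domain; skip groups not present in the domain we are bound to.
        $adGroup = Get-ADGroup -Filter "Name -eq '$group'" -ErrorAction SilentlyContinue
        if (-not $adGroup) { continue }

        # -Recursive expands nested groups so indirect members are not missed.
        $members = Get-ADGroupMember -Identity $adGroup -Recursive
        foreach ($m in $members) {
            # Standing membership in Schema Admins contradicts the guideline.
            $finding = if ($group -eq 'Schema Admins') { 'Should be empty' } else { '' }
            [pscustomobject]@{
                Group       = $group
                Member      = $m.SamAccountName
                ObjectClass = $m.objectClass
                Finding     = $finding
            }
        }
    }
    return $report
}

Get-PrivilegedGroupReport | Sort-Object Group, Member | Format-Table -AutoSize
```

Run it from a management workstation bound to the forest root domain so the forest-wide groups are included in the report.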


    Establishing each area that requires immediate access to up-to-date Active Directory information as a separate site provides that area with the directory resources it requires.

    Place at least one domain controller at every site, and make at least one domain controller at each site a global catalog. Sites that do not have their own domain controllers and at least one global catalog are dependent on other sites for directory information and are less efficient than sites that have those resources.

    Leave all site links bridged, and leave site link connection schedules unrestricted. Bridging all site links maximizes replication links between sites and prevents the need to create site link bridges manually. Leaving site link connection schedules unrestricted eliminates connection-scheduling conflicts that might prevent replication. By default, all site links are bridged and site link connection schedules are unrestricted.

    Establish a preferred bridgehead server if you are using a firewall or if you want to dedicate a computer to intersite replication. A bridgehead server serves as a proxy for communication with other sites outside a firewall. All sites must be associated with at least one subnet and in at least one site link, or they will not be usable.

    Perform regular backups of domain controllers to preserve all trust relationships within that domain.


Introducing Microsoft Windows Server(TM) 2003
ISBN: 0735615705
Year: 2005
Pages: 153

flylib.com © 2008-2017.