
SKV PROPOSAL TO CLT FOR ACTIVE DIRECTORY AND DNS IMPLEMENTATION

Date: April 22, 2013

Prepared by: Sainath K.E.V, Microsoft Most Valuable Professional


Introduction:
SKV Consulting is a premier consulting firm providing enterprise solutions for designing Microsoft technologies. SKV follows Microsoft standard frameworks and proven methodologies in designing and implementing infrastructure solutions.
SKV has successfully performed enterprise infrastructure transformations, including both desktop and server transformations. SKV has a proven track record of quality and delivery methodologies and provides value to its customers by reducing operations costs and increasing revenue.

1 SKV Solution for CLT


Solution Description:
CLT will host its infrastructure on the Microsoft Hyper-V virtualization stack. The virtual infrastructure servers will host Microsoft Exchange Server, Microsoft Active Directory, Microsoft System Center Orchestrator, file servers, CLT application servers, Microsoft SQL Servers, etc.
CLT has 3 production VLANs and 1 client VLAN configured on Cisco hardware. Each VLAN is configured on Cisco 3750 series switches, and a dedicated patch panel separates the management switches from the client and server switches. A fabric interconnect provides the management interface and is layered between the Layer 3 switch and the Cisco UCS blade servers.
Each VLAN has a mix of Unix and Microsoft servers. Most Microsoft servers are virtualized and staged on Microsoft Hyper-V, with the appropriate VLAN tags configured for communication between servers and storage arrays.
CLT is engaging SKV, a Microsoft Premier Consulting firm, to perform DNS design and configuration, which involves configuring DNS servers in three Active Directory domains and establishing communication across those DNS servers.
CLT Existing Data Center:
The existing CLT data center is hosted in Sydney and managed by in-house staff. CLT has 2 offices (Sydney and Melbourne); each site is hosted in its own data center, and the sites are connected with high-speed networks.
The CLT DNS infrastructure should be configured to establish communication between Active Directory domains, applications and users. The infrastructure should be designed around the local namespace; the public namespace is managed by the ISP. Both branches are connected by IP VPN to the Sydney data center. The table below shows the existing server and network infrastructure for both data centers.

CLT Network Infrastructure       Description
Cisco Router 3750x               Routing internet traffic
Cisco 3750 Switch x 2            VLAN enabled and configured
Cisco 3750 Switch x 2            Stack-cabled
Cisco Fabric Interconnect x 2    Management interface
Cisco UCS Blade x 2              Server virtualization
Server VLAN                      3 Server VLANs, 1 Client VLAN

Microsoft Infrastructure VLAN Description

Components                                       VLAN       Description
Primary Domain Controller                        VLAN 1     Forest Root Domain
Additional Domain Controller                     VLAN 1     Secondary Domain Controller with DNS
Microsoft Hyper-V                                VLAN 1     Virtualization stack
Microsoft Exchange Server                        VLAN 1     Exchange 2010
Child Domain Controller                          VLAN 2     Child domain with DNS
Microsoft SharePoint Server 2010                 VLAN 2     SharePoint Services
Microsoft System Center Operations Manager       VLAN 2     Enterprise server monitoring solution
Microsoft System Center Configuration Manager    VLAN 2     Patch management and software distribution
Child Domain Controller                          VLAN 3     Child domain with DNS configured
File Servers                                     VLAN 3
SCCM Distribution Point                          VLAN 3     DP for data access
Certificate Server                               Virtual    Virtual

DNS Namespace    Description          Domain Controllers
Local            CLT.LOCAL            FRD1.CLT.LOCAL, FRD2.CLT.LOCAL
Local            GPR.CLT.LOCAL        Sec1.GPR.CLT.LOCAL, Sec2.GPR.CLT.LOCAL
Local            FINANCE.CLT.LOCAL    TH1.FINANCE.CLT.LOCAL, TH2.FINANCE.CLT.LOCAL
Global           CLT.com              Hosted by ISP

Solution Diagram (figure not reproduced; elements recovered from the drawing): Router 3750x; 3750 Switch 1 and 3750 Switch 2; VLAN1-Prod, VLAN2-Prod and VLAN3-Prod; Fabric Interconnect 1 and Fabric Interconnect 2; Fabric Extender ports; Hyper-V Production Environment / UCS Blade (two hosts); Sydney Data Center.


Technical Diagram (figure not reproduced; elements recovered from the drawing): DC/DNS Server (FRD) receiving the DNS requests for the 3 domains from the Application Server and the User, with the forwarder response returning to it; DNS Server (Secondary / Domain 2); DNS Server (Secondary / Domain 3).
Data Communication:
Following is the proposed DNS name resolution design for the CLT infrastructure. The Active Directory domains will be staged by SKV consultants, and the relevant DNS routing will be established between the 3 domains. Any specific requirements with respect to name resolution will be managed by SKV consultants.

Intranet DNS name resolution is performed by the DNS servers across the Active Directory forest; any primary DNS zone configured without Active Directory integration should be managed independently through its zone file. Public namespace resolution is performed by the DNS server configured in the VLAN1 network.

Though it is not advisable to have a production DNS server communicate with the public ISP, it is a temporary design to have the Domain 1 DNS server forward requests to the ISP namespace. Once CLT creates a dedicated DMZ zone, a DMZ DNS server will be configured to resolve public namespaces.

Requirement Understanding:
Following are the requirements gathered after infrastructure analysis and discussion with the architectural group.

CLT Tasks:

1. Data center hosting is performed by CLT employees
2. Configuration of Cisco switches, including VLAN configuration, is performed by CLT
3. Internet Protocol addresses are provided to SKV consultants by CLT
4. Firewall exception rules are implemented by CLT
5. Server maintenance is performed by CLT, which includes server patch management
6. Storage provisioning is performed by CLT, which includes provision of LUNs and configuration of iSCSI on Windows servers
7. Communication between VLANs is provisioned by CLT
8. DR procedures are managed by a 3rd-party vendor
9. The private namespace is hosted by CLT
10. Privileges to log on to DNS servers / domain controllers are provisioned by CLT, which includes Group Policy creation and service account provisioning

SKV Tasks:

a) Installation and configuration of the Windows Server operating systems for the domain controllers is performed by SKV
b) Windows Updates on all the servers are performed by SKV
c) Firewall exception rules are provided by SKV to CLT, which include the domain controller, DNS, RPC and UDP exception rules
d) DNS infrastructure design is performed by SKV
e) DNS implementation is performed by SKV
f) DNS impact analysis is performed by SKV
g) DNS tests are performed by SKV
h) The public namespace is managed by the ISP
i) Domain controller replication is configured by SKV
j) Active Directory sites and subnets are configured by SKV

DNS Design Considerations:

SKV has the following design for configuring the DNS infrastructure for CLT.
a) DNS server IPs will be configured with private Internet Protocol addresses (IPv4)
b) DNS servers will be staged in different domains on 3 different VLANs
c) Clients (which includes client OS and server OS) will point to the domain-specific DNS server, and any request for the public namespace will be handled by the DNS server hosted in VLAN1
d) Inbound and outbound firewall ports for DNS requests should be managed by CLT
e) Root hints will be deleted on the Domain 2 and Domain 3 DNS servers
f) Disable caching on the VLAN1 DNS servers, which prevents possible DNS cache poisoning
g) Configure a secondary zone for each of the 3 local namespaces
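The following PowerShell script is an added example and is not part of the SKV proposal or SKV's own tooling; it shows how design items c), e), f) and g), together with the ISP forwarding described under Data Communication, can be applied to one Windows DNS server. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT), which is newer than the Windows Server 2008 R2 the proposal targets. Zone and host names are those in the proposal; the Role parameter, the ISP forwarder list and every IP address are constructed placeholders.

```powershell
# Added example (not the SKV proposal's own code). Applies DNS design items
# c), e), f) and g) to one Windows DNS server using the DnsServer module
# (Windows Server 2012 or later / RSAT), which is newer than the Windows
# Server 2008 R2 named in the proposal. Zone and host names come from the
# proposal; every IP address below is a constructed placeholder.
#Requires -Modules DnsServer
param(
    # 'Vlan1' = forest root server that resolves the public namespace;
    # 'Child' = Domain 2 / Domain 3 server that never talks to the Internet.
    [ValidateSet('Vlan1', 'Child')] [string] $Role = 'Vlan1',
    [string[]] $IspForwaders   = @('203.0.113.10', '203.0.113.11'),  # placeholder ISP resolvers
    [string[]] $Vlan1DnsServers = @('10.1.1.10', '10.1.1.11'),       # placeholder FRD1 / FRD2
    [int]      $ForwardingTimeoutSec = 6                              # step 9 of the installation
)
$ErrorActionPreference = 'Stop'

# Design item g): the three local namespaces and the DCs that own each zone.
$localNamespaces = @{
    'CLT.LOCAL'         = @('10.1.1.10', '10.1.1.11')   # FRD1 / FRD2 (placeholder IPs)
    'GPR.CLT.LOCAL'     = @('10.2.1.10', '10.2.1.11')   # Sec1 / Sec2
    'FINANCE.CLT.LOCAL' = @('10.3.1.10', '10.3.1.11')   # TH1 / TH2
}
$allDesignServers = $localNamespaces.Values | ForEach-Object { $_ }

# Zones this server already holds (AD-integrated primaries) need no secondary copy,
# but their transfers are restricted to the other DNS servers in the design.
$existing = (Get-DnsServerZone).ZoneName
foreach ($zone in $localNamespaces.Keys) {
    if ($existing -contains $zone) {
        Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToSecureServers `
            -SecondaryServers ($allDesignServers | Where-Object { $_ -notin $localNamespaces[$zone] })
        continue
    }
    # Secondary zone: a read-only copy pulled from the owning domain's DCs, so
    # cross-domain names resolve locally without forwarding.
    Add-DnsServerSecondaryZone -Name $zone -ZoneFile "$zone.dns" -MasterServers $localNamespaces[$zone]
}

switch ($Role) {
    'Vlan1' {
        # Design item c) and the Data Communication section: the VLAN1 server
        # forwards public-namespace queries to the ISP (temporary, until a DMZ
        # DNS exists). Root hints are not used as a fallback.
        Set-DnsServerForwarder -IPAddress $IspForwaders -Timeout $ForwardingTimeoutSec -UseRootHint $false
        # Step 13: the recursion timeout must exceed the forwarding timeout.
        Set-DnsServerRecursion -Timeout ($ForwardingTimeoutSec + 2)
        # Design item f) names cache poisoning as the risk. This enables the
        # server's "secure cache against pollution" check, which drops records
        # outside the queried name's subtree; disabling caching outright, as
        # the item literally states, is left to the operator.
        Set-DnsServerCache -PollutionProtection $true
    }
    'Child' {
        # Design item e): remove the root hints so Domain 2 / Domain 3 servers
        # can never iterate to the Internet roots themselves.
        foreach ($hint in Get-DnsServerRootHint) {
            Remove-DnsServerRootHint -NameServer $hint.NameServer.RecordData.NameServer -Force
        }
        # Anything outside the local zones goes to the VLAN1 servers, which own
        # public-namespace resolution in this design (assumed mechanism).
        Set-DnsServerForwarder -IPAddress $Vlan1DnsServers -Timeout $ForwardingTimeoutSec -UseRootHint $false
        Set-DnsServerRecursion -Timeout ($ForwardingTimeoutSec + 2)
    }
}

# Show the resulting state for the change record handed to CLT.
Get-DnsServerForwarder | Format-List IPAddress, Timeout, UseRootHint
Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Secondary' } | Format-Table ZoneName, MasterServers
```

Run it once per DNS server with the matching -Role; the master side of each secondary zone must list the pulling server in its transfer allow-list, which the Set-DnsServerPrimaryZone call does when the script runs on the zone owner. Where the zones are instead AD-integrated with forest-wide replication (step 10 of the installation), the secondary-zone branch is skipped because the zone already exists locally.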

Active Directory Design Considerations:

SKV has the following design for configuring the AD infrastructure for CLT.
a) Creating the forest design is performed by SKV, and CLT has to approve the forest design
b) The domain design is submitted by SKV to CLT, and changes will be made if required
c) There should be a minimum of 2 domain controllers for each domain in the CLT environment
d) Place the Infrastructure Master role on a non-Global Catalog server, as the SKV proposed solution is not to make all DCs GCs
e) Organizational Unit design is performed by SKV
f) Active Directory site topology is designed by SKV
g) Domain controller capacity planning is determined by SKV
h) Active Directory functional level design is performed by SKV
i) Active Directory delegation model design is performed by SKV
Installation Pre-requisites:
SKV assumes that the following are provisioned by CLT respectively:
a) Provision of virtual servers, which includes hardware, network and memory, is configured by CLT professionals
b) Installation and configuration of the Windows Server 2008 R2 (Full edition) operating system in all 3 VLANs is performed by SKV consultants
c) Network devices and ports are configured by CLT engineers, who ensure the firewall ports are opened for DNS server communication between VLANs
d) Remote monitoring for the servers is provisioned, and the required firewall ports are enabled for SKV consultants to access the servers on the different farms
e) Ensure patching of the servers is compliant with CLT standards and performed by the CLT operations team
f) Ensure auditing of the servers is performed prior to installing the domain controllers
g) Ensure all the relevant applications (e.g. anti-virus) are installed and configured on each server which will be configured as a DNS server

Assumptions:
- This document will not provide detailed step-by-step visual information about the configuration of DNS servers in the VLAN domains.
- This document will not cover step-by-step information about installing and configuring domain controllers.
- This document will provide best practices to design and plan the DNS and AD infrastructure on the specific network.

Installation Steps:
Following are the installation steps for installing and configuring the Active Directory and DNS infrastructure in the CLT data center.

1) Ensure static IP addresses are configured on the servers which are being promoted to domain controllers, and validate the subnet mask and default gateway configured on each server. Strictly no multi-homed networks.

2) Ensure the network ports are open for the various Active Directory and DNS communications listed below.

Protocol and Port   AD and AD DS Usage                                             Type of traffic
TCP and UDP 389     Directory, Replication, User and Computer Authentication,      LDAP
                    Group Policy, Trusts
TCP 636             Directory, Replication, User and Computer Authentication,      LDAP SSL
                    Group Policy, Trusts
TCP 3268            Directory, Replication, User and Computer Authentication,      LDAP GC
                    Group Policy, Trusts
TCP 3269            Directory, Replication, User and Computer Authentication,      LDAP GC SSL
                    Group Policy, Trusts
TCP and UDP 88      User and Computer Authentication, Forest Level Trusts          Kerberos
TCP and UDP 53      User and Computer Authentication, Name Resolution, Trusts      DNS
TCP and UDP 445     Replication, User and Computer Authentication,                 SMB, CIFS, SMB2, DFSN, LSARPC,
                    Group Policy, Trusts                                           NbtSS, NetLogonR, SamR, SrvSvc
TCP 25              Replication                                                    SMTP
TCP 135             Replication                                                    RPC, EPM
TCP Dynamic         Replication, User and Computer Authentication,                 RPC, DCOM, EPM, DRSUAPI,
                    Group Policy, Trusts                                           NetLogonR, SamR, FRS
TCP 5722            File Replication                                               RPC, DFSR (SYSVOL)
UDP 123             Windows Time, Trusts                                           Windows Time
TCP and UDP 464     Replication, User and Computer Authentication, Trusts          Kerberos change/set password
UDP Dynamic         Group Policy                                                   DCOM, RPC, EPM
UDP 138             DFS, Group Policy                                              DFSN, NetLogon, NetBIOS
                                                                                   Datagram Service
TCP 9389            AD DS Web Services                                             SOAP
UDP 67 and          DHCP (Note: DHCP is not a core AD DS service, but it is        DHCP, MADCAP
UDP 2535            often present in many AD DS deployments.)
UDP 137             User and Computer Authentication                               NetLogon, NetBIOS Name Resolution
TCP 139             User and Computer Authentication, Replication                  DFSN, NetBIOS Session Service,
                                                                                   NetLogon

3) Ensure the account provisioned to promote the server has the required permissions to install the domain controller and launch Server Manager on all the operating systems which are being promoted to domain controllers

4) Verify that the disk partition is formatted with NTFS

5) Install Active Directory on FRD1.CLT.LOCAL, which is configured with Windows Server 2008 R2 and acts as the forest root domain. During the installation it will prompt to install the DNS service; accept and complete the configuration.

6) Verify the DNS zone CLT.LOCAL and the corresponding folders (_msdcs, _tcp, _udp, _sites) are created and populated with
a) Kerberos SRV records pointing to the domain controller
b) LDAP records pointing to the domain controller
c) _kpasswd SRV records pointing to the domain controller

7) Ensure dynamic updates are configured on the DNS zone

8) Enable aging and scavenging on the DNS server

9) Ensure the forwarding timeout is set to 6 seconds

10) Ensure the Active Directory DNS zones are replicated across the forest; this ensures that clients can find resource records in either of the domains.

11) Configure DNS reverse lookup zones for the specific IP subnets.

12) Ensure the hosts file on the DNS server is empty

13) Ensure the recursion timeout is greater than the forwarding timeout

14) Test name resolution from a client operating system and from any applications which request the external namespace (CLT.com or Microsoft.com)

15) Use Wireshark / Netmon sniffer utilities to analyze the response time. This includes a thorough understanding of the client NIC adapter, MTU size and RSS response times.

16) Apply the required server hardening and the Group Policies to manage the DNS infrastructure, which includes configuring the client DNS suffix list with CLT.LOCAL, GPR.CLT.LOCAL and FINANCE.CLT.LOCAL.

17) On the forest root domain, point the domain controller's primary DNS server to itself using its static IPv4 address (remove 127.0.0.1 / the loopback address)

18) The Schema Master, Domain Naming Master, PDC Emulator and RID Master roles are installed on the CLT.LOCAL domain controller, which is also a Global Catalog

19) On the server which is going to be promoted as the additional domain controller (FRD2.CLT.LOCAL), ensure the primary DNS server IP address points to the FRD1.CLT.LOCAL server.

20) To install the additional domain controller, perform the above tasks (1 to 4), and during installation select Additional Domain Controller and finish the configuration.

21) The Infrastructure Master role is configured on the secondary domain controller (FRD2.CLT.LOCAL), which is not a Global Catalog server.

22) Follow the above steps to configure the domain controllers on VLAN 2 and create the GPR.CLT.LOCAL namespace. This includes both the child domain controller and the secondary child domain controller. The secondary child domain controller will not be promoted to a Global Catalog server.

23) Configure the primary DNS server IP address to point to the child domain controller.

24) Ensure the Active Directory DNS zones are replicated across the forest; this ensures that clients can find resource records in either of the domains.

If you do not want to replicate the zone across the forest, you may have to rely on conditional forwarders.

25) The Infrastructure Master role should be configured on a domain controller that is not a Global Catalog server

26) The PDC Emulator and RID Master roles are configured on the Global Catalog server (Sec1.GPR.CLT.LOCAL)

27) Configure the NTP service on the domain controller which holds the PDC Emulator role.

28) Create Active Directory sites to reflect the physical sites and associate them with the subnets.

29) Create server objects under the sites and ensure replication between CLT.LOCAL and GPR.CLT.LOCAL is working.

30) Remove the root hints on the Sec1.GPR.CLT.LOCAL DNS server.

31) To install the domain controller and DNS server in VLAN 3, perform the above steps, which include DNS configuration, domain controller installation and configuration, DNS IP address mapping and configuration of AD Sites and Services.
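As an added example (not part of the proposal, and not SKV's own tooling), the PowerShell script below turns the steps above into a post-installation checklist that can be run on a newly promoted domain controller: static addressing and the DNS client setting (steps 1, 17, 19), TCP reachability of the partner DC on the ports from the table in step 2, SRV registration, dynamic updates, replication scope, aging and scavenging, the two timeouts and the hosts file (steps 6 to 13), FSMO placement (steps 18, 21, 25, 26), the PDC Emulator time source (step 27), sites and subnets (step 28) and replication failures (step 29). It assumes the DnsServer, ActiveDirectory and NetTCPIP modules (Windows Server 2012 or later, or RSAT); host and zone names are from the proposal, while the partner DC default, the site names Sydney and Melbourne and the Add-Check helper are assumptions of the example. UDP ports cannot be probed this way and are left to a firewall log review.

```powershell
# Added example, not part of the SKV proposal. Run on the newly promoted DC.
# Host and zone names are the proposal's; Partner, the expected site names and
# the helper function are assumptions of this example.
#Requires -Modules DnsServer, ActiveDirectory, NetTCPIP
param(
    [string]   $Zone          = 'CLT.LOCAL',
    [string]   $Partner       = 'FRD2.CLT.LOCAL',        # DC whose ports are probed
    [string[]] $ExpectedSites = @('Sydney', 'Melbourne')  # assumed AD site names
)
$ErrorActionPreference = 'Continue'
$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string] $Name, [bool] $Pass, [string] $Detail = '') {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Step 1: one manually assigned IPv4 address on one interface (no multi-homing).
$static = @(Get-NetIPAddress -AddressFamily IPv4 | Where-Object PrefixOrigin -eq 'Manual')
Add-Check 'Static IPv4 address present' ($static.Count -ge 1) ($static.IPAddress -join ', ')
Add-Check 'DC is not multi-homed' (@($static.InterfaceIndex | Select-Object -Unique).Count -eq 1)

# Steps 17 / 19: the primary DNS client entry is a real DC address, never the loopback.
$resolvers = @((Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses)
Add-Check 'Primary DNS is not 127.0.0.1' ($resolvers.Count -ge 1 -and $resolvers[0] -ne '127.0.0.1') ($resolvers -join ', ')

# Step 2: TCP ports from the table that this DC must reach on its partner.
# UDP (53, 88, 123, 137, 138, 389, 445, 464) cannot be probed this way.
$tcpPorts = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC EPM'; 139 = 'NetBIOS session'; 389 = 'LDAP';
               445 = 'SMB'; 464 = 'Kerberos kpasswd'; 636 = 'LDAP SSL'; 3268 = 'LDAP GC';
               3269 = 'LDAP GC SSL'; 5722 = 'DFSR (SYSVOL)'; 9389 = 'AD DS Web Services' }
foreach ($port in ($tcpPorts.Keys | Sort-Object)) {
    $tnc = Test-NetConnection -ComputerName $Partner -Port $port -WarningAction SilentlyContinue
    Add-Check "TCP $port ($($tcpPorts[$port])) open on $Partner" $tnc.TcpTestSucceeded
}

# Step 6: the locator SRV records for this zone exist and name at least one DC.
foreach ($srv in "_kerberos._tcp.$Zone", "_ldap._tcp.$Zone", "_kpasswd._tcp.$Zone", "_ldap._tcp.dc._msdcs.$Zone") {
    $rr = @(Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue | Where-Object NameTarget)
    Add-Check "SRV $srv registered" ($rr.Count -ge 1) ($rr.NameTarget -join ', ')
}

# Steps 7, 8, 10: secure dynamic updates, aging/scavenging, forest-wide replication.
$z     = Get-DnsServerZone -Name $Zone
$aging = Get-DnsServerZoneAging -Name $Zone
$scav  = Get-DnsServerScavenging
Add-Check 'Zone accepts secure dynamic updates only' ($z.DynamicUpdate -eq 'Secure') "$($z.DynamicUpdate)"
Add-Check 'Zone is AD-integrated with forest-wide replication' ($z.IsDsIntegrated -and $z.ReplicationScope -eq 'Forest') "$($z.ReplicationScope)"
Add-Check 'Zone aging enabled' $aging.AgingEnabled
Add-Check 'Server scavenging enabled' $scav.ScavengingState "interval $($scav.ScavengingInterval)"

# Steps 9, 12, 13: forwarding timeout 6 s, recursion timeout above it, empty hosts file.
$fwd = Get-DnsServerForwarder
$rec = Get-DnsServerRecursion
Add-Check 'Forwarding timeout is 6 seconds' ($fwd.Timeout -eq 6) "$($fwd.Timeout)"
Add-Check 'Recursion timeout exceeds forwarding timeout' ($rec.Timeout -gt $fwd.Timeout) "$($rec.Timeout) vs $($fwd.Timeout)"
$hostsLines = @(Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" | Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' })
Add-Check 'hosts file contains no active entries' ($hostsLines.Count -eq 0) ($hostsLines -join '; ')

# Steps 18, 21, 25, 26: FSMO placement. The Infrastructure Master must not be a GC
# here because not every DC is a GC in this design.
$domain = Get-ADDomain -Identity $Zone
$im  = Get-ADDomainController -Identity $domain.InfrastructureMaster
$pdc = Get-ADDomainController -Identity $domain.PDCEmulator
Add-Check 'Infrastructure Master is not a Global Catalog' (-not $im.IsGlobalCatalog) $im.HostName
Add-Check 'PDC Emulator is a Global Catalog' ([bool]$pdc.IsGlobalCatalog) $pdc.HostName
Add-Check 'Domain has at least 2 DCs' (@(Get-ADDomainController -Filter * -Server $domain.PDCEmulator).Count -ge 2)

# Step 27: on the PDC Emulator the time source must be an NTP peer, not the local clock.
$src = (w32tm /query /source 2>&1 | Out-String).Trim()
Add-Check 'Time source is not the local CMOS clock' ($src -notmatch 'Local CMOS Clock') $src

# Steps 28, 29: a site per physical location, every subnet mapped, no replication failures.
$sites   = @(Get-ADReplicationSite -Filter *)
$subnets = @(Get-ADReplicationSubnet -Filter *)
Add-Check 'Expected sites exist' (-not ($ExpectedSites | Where-Object { $sites.Name -notcontains $_ })) ($sites.Name -join ', ')
Add-Check 'Every subnet is mapped to a site' (-not ($subnets | Where-Object { -not $_.Site })) ($subnets.Name -join ', ')
Add-Check 'No replication failures reported' (@(Get-ADReplicationFailure -Target $env:COMPUTERNAME).Count -eq 0)

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }   # non-zero exit when any check failed
```

Run it once per domain controller (adjusting -Zone and -Partner for the GPR.CLT.LOCAL and FINANCE.CLT.LOCAL servers); the table it prints is the kind of evidence that belongs in the hand-over documents mentioned below, and the non-zero exit lets it be wired into a scheduled job so that drift from the agreed design (for example a forwarder pointing somewhere other than VLAN1, or scavenging switched off) is noticed after hand-over rather than during an incident.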

After installation of Active Directory, SKV consultants will perform thorough tests on Active Directory replication using the AD replication tool, follow the Microsoft Operations Framework (Active Directory) to configure the performance benchmarks, and hand over the documents to CLT engineers.

SKV will design the AD delegation model based on the requirements from CLT, together with the Group Policy design with AGPM in place.

Conclusion: This document provides the steps to install and configure Active Directory domain controllers and the DNS infrastructure, along with best practices, and provides a thorough checklist for performing DNS or Active Directory configuration.
