
SKV PROPOSAL TO TLC FOR ACTIVE DIRECTORY SITE IMPLEMENTATION

Date: Jan 27, 2014
Prepared by: Sainath K.E.V, Microsoft Most Valuable Professional

Introduction:
SKV Consulting is a premier consultancy providing enterprise solutions for the design of Microsoft
technologies. SKV follows Microsoft's standard frameworks and proven methodologies in designing
and implementing infrastructure solutions.
SKV has successfully performed enterprise infrastructure transformations covering both desktop
and server estates. SKV has a proven track record of quality and delivery, and provides value to its
customers by reducing operating costs and increasing revenue.

Summary

TLC is built on a Cisco and Microsoft stack of network devices and servers. There are two physical
sites, separated by Cisco routers, with a hybrid infrastructure for the server and virtualization stack.
Our proposal to TLC covers the following services:
1) Network Infrastructure validation
SKV Consulting will perform Layer 2 and Layer 3 network analysis. SKV Consulting will follow industry
operations frameworks and proven monitoring tools and baselines to provide a detailed report to TLC Corp.
SKV will validate VLAN trunks, port aggregation, bandwidth management and routing protocol design.
2) Active Directory Site validation
SKV Consulting will validate the Active Directory Site infrastructure and run the relevant Microsoft tools to
examine Active Directory replication health. SKV Consulting will validate the site design and report the findings
to TLC Corp.
3) Remote Access
SKV Consulting's staff are spread across Australia and require remote access to the data center servers.
Consultants will need RDP access and individual (non-shared) user accounts with the least privilege required to run
the validation tools and collect the reports.

Solution Overview

Introduction:
The existing TLC data center is hosted in Sydney and managed by in-house staff. TLC has two offices
(Sydney and Melbourne); each site is hosted in its own data center and the sites are connected by
high-speed links.
TLC users access a financial application hosted on mission-critical servers connected by high-speed
networks. Users access resources across sites, including shared folders, backup and print services.
The front-end application connects to a back-end database and requires a fast network to support
real-time reads and writes.
In this proposal, SKV Consulting will perform an initial assessment of both the network and the
Microsoft Active Directory infrastructure, and SKV technology consultants will run health tools and
baseline metrics to validate the environment.
TLC uses a local ISP for internet connectivity over a 4 Mbps link. The TLC sites are connected with a site-to-site VPN. Each data center is a replica of the other and has the infrastructure listed below.

TLC Network Infrastructure

Component                      | Description
-------------------------------|------------------------------------
Cisco Catalyst 3560 x 2        | Network resiliency and security
Cisco 7600 Router x 2          | Network routing
Cisco Fabric Interconnect x 2  | Management interface
Cisco UCS Blade x 2            | Server virtualization

Physical Servers         | VLAN                   | Description
-------------------------|------------------------|------------------------------------------
Microsoft SQL Server     | VLAN 1                 | SQL Server installed on an HP Pro server
FICO Server              | VLAN 1                 | Financial application running on the server
UNIX Server              | VLAN 1                 | Hosted on an HP Pro server
Hyper-V Server           | Hosts virtual networks | Virtualization tier
Symantec Backup Server   | VLAN 1                 | Backup server

Microsoft Infrastructure

Component                                       | VLAN         | Description
------------------------------------------------|--------------|------------------------------------------
Primary Domain Controller                       | VLAN 1       | Forest root domain
Additional Domain Controller                    | VLAN 1       | Secondary Domain Controller with DNS
Microsoft Exchange Server                       | VLAN 1       | Microsoft Exchange Server 2010
Microsoft SharePoint Server 2010                | VLAN 2       | Microsoft SharePoint Services
Microsoft System Center Operations Manager      | VLAN 2       | Server monitoring enterprise solution
Microsoft System Center Configuration Manager   | (not listed) | Patch management and software distribution

DNS Namespace

Scope  | Description
-------|------------
Local  | TLC.LOCAL
Global | TLC.com

Solution Diagram:

[Diagram: Sydney Data Center and Melbourne Data Center, mirrored. Each site shows an ISP uplink, a pair of routers labelled 3750x, a pair of Catalyst 3560 switches carrying VLAN1-Prod and VLAN2-Prod, Fabric Interconnect 1 and 2 with Fabric Extenders feeding the UCS blades, Hyper-V production environments hosting SharePoint/SCOM/SCCM and DC/ADC/Exchange, the physical SQL Server, Hyper-V, UNIX and Symantec servers, a Hybrid Cloud segment, and SAN storage replication between the two sites. The sites are joined by a 10 Mbps WAN connection. The Domain Controllers FRD1.TLC.LOCAL and FRD2.TLC.LOCAL are drawn on VLAN2, with an annotation "Hosted by ISP".]

Note: the diagram labels the routers as 3750x whereas the component table lists Cisco 7600 routers, and it places the Domain Controllers on VLAN 2 whereas the table lists them on VLAN 1. TLC should confirm which is current before the assessment starts.

Each data center consists of 5 physical HP Pro servers. TLC Corp uses Microsoft Hyper-V as its
virtualization stack, hosted on Windows Server 2008 R2 Enterprise. Two VLANs are configured to host
the different application servers, with a DMZ network protected by Microsoft Forefront and Blue Coat
servers respectively. The second data center acts as the high-availability and DR site, with an exact
replica of the servers.

Users are located in Sydney, and TLC Corp will be expanding its infrastructure to Tokyo this year.
The primary Sydney site hosts the FSMO roles, Microsoft Exchange 2010 and Microsoft System Center
Operations Manager (listed as 2008 R2; Operations Manager itself shipped as 2007 R2, so TLC should
confirm the deployed version), which supports the entire infrastructure for critical alerts and monitoring.

The Microsoft Hyper-V servers host virtual servers that communicate with VLAN 1, VLAN 2 and the
client network; the client network is out of scope for SKV Consulting to monitor. In addition, the
customer has proposed a physical-to-virtual migration with a view to virtualizing the entire data
center by the end of this year.

Scope of Work
The following requirements were gathered after infrastructure analysis and discussion with the
architecture group.

SKV Tasks:

Detailed network analysis, covering both Layer 2 and Layer 3, will be performed by SKV
consultants.
Automated solutions will be proposed based on the assessment.
Execute the validation tools and document the analysis.
Suggest architectural changes to the network and to the Microsoft Active Directory Sites.

Phase 1 Start of the Project

SKV project managers will hold discussions with TLC Corp to identify the activities and
timeframes. A detailed project plan will be submitted to TLC.

Phase 2 Network Assessment

SKV consultants will perform a detailed analysis of the Layer 2 and Layer 3 networks, following
detailed discussions with TLC network staff to understand the existing infrastructure.

Phase 3 Active Directory Assessment

SKV consultants will perform a detailed analysis of the existing Active Directory Site structure and
execute Microsoft tools to record infrastructure details. Discussions will be held with TLC Active
Directory staff.

Assumptions:
1. Data center hosting is performed by TLC employees.
2. Configuration of Cisco switches and VLANs is performed by TLC.
3. IP addresses for SKV consultants are provided by TLC.
4. Firewall exception rules are implemented by TLC.
5. Server maintenance, including server patch management, is performed by TLC.
6. Storage provisioning, including provisioning of LUNs and configuration of iSCSI on Windows
Servers, is performed by TLC.
7. Communication between VLANs is provisioned by TLC.
8. DR procedures are managed by a third-party vendor.
9. The private namespace is hosted by TLC.
10. Privileges to log on to DNS servers and Domain Controllers are provisioned by TLC, including
Group Policy creation and service account provisioning.
11. The network diagram is provided by TLC Corp.
12. Access to network devices (Layer 2 and Layer 3) is provisioned by TLC.
13. Access to execute commands on network devices is provisioned by TLC.
14. Access to all required subnets is provisioned by TLC.
15. Access to the second data center is provisioned by TLC.
16. The Active Directory infrastructure diagram is provided by TLC.
17. Access to execute commands on Domain Controllers is provided by TLC.
18. Access to Active Directory Sites and Subnets is provisioned by TLC.
19. Access to DNS is provisioned by TLC.

20. This document will not provide detailed step-by-step visual information about the configuration of
DNS servers or Domain Controllers for TLC.
21. This document will not cover step-by-step information about installing and configuring Domain
Controllers.
22. This document will provide best practices for validating the existing network infrastructure and
the Active Directory Site implementation.

Network Assessment:
SKV will perform the following network assessment on TLC Corp.

Network Monitoring Overview

Monitor the Access layer for network connectivity, including voice convergence and wireless
connectivity, and review the switch logs. Review and validate default-gateway redundancy using
dual uplinks from the access switches.

Validate convergence and verify that only the required access is provisioned for wireless
devices. Validate that DHCP snooping is enabled (with only the uplinks towards the legitimate
DHCP servers marked as trusted) so that rogue DHCP servers are blocked, and that Dynamic ARP
Inspection, which relies on the DHCP snooping binding table, is enabled on the same VLANs.

Test the First Hop Redundancy Protocol in use (HSRP on the Cisco devices, or VRRP) for successful
failover: fail the active gateway and confirm the standby takes over the virtual IP and MAC
address. HSRP election is the key item to validate; performing a Hyper-V live migration of a VM
between blades while the gateway fails over confirms that guests keep their default gateway
throughout. Report on any Layer 2 extensions between the data centers (VPLS, FabricPath, TRILL).

Validation of the Layer 3 switching environment includes checking for packet manipulation
(checksum errors on the interfaces) and validating Gigabit port density and LAN/WAN
convergence.

Validate the trunk configuration: ensure 802.1Q encapsulation is used and that trunks are
configured statically (switchport mode trunk together with switchport nonegotiate) rather than
left in DTP dynamic desirable or dynamic auto mode, which would allow a connected host to
negotiate a trunk for itself.

Disable trunking on host ports (switchport mode access with switchport nonegotiate) and set the
native VLAN on every trunk to an unused VLAN rather than VLAN 1.

Review the DTP state of every port: flag ports in dynamic desirable or dynamic auto mode, confirm
permanent trunk mode on genuine trunks, and report any ISL encapsulation on a trunk link as legacy
configuration to be migrated to 802.1Q.

The above tests cover the three major layers (access, distribution and core). Further
monitoring activities will be performed on client request.
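As an added example (not code from the SKV proposal), the PowerShell script below audits a captured Cisco IOS running-config for the trunk, DTP, native-VLAN, DHCP snooping and Dynamic ARP Inspection points listed above. The configuration text embedded in it is constructed for illustration; in practice the consultant feeds it the output of "show running-config" from each 3560 or 3750.

```powershell
# Added example (not from the SKV proposal): audit a Cisco IOS running-config
# for the trunk, DTP, native-VLAN, DHCP snooping and DAI points listed above.
# The config text is constructed for illustration; feed it the captured output
# of "show running-config" from each 3560/3750 in practice.
$runningConfig = @'
ip dhcp snooping
ip dhcp snooping vlan 1,2
!
interface GigabitEthernet0/1
 description Uplink to router
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description Legacy uplink
 switchport trunk encapsulation isl
 switchport mode dynamic desirable
!
interface GigabitEthernet0/3
 description Hyper-V host
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/4
 description FICO server
 switchport access vlan 2
 switchport mode access
 switchport nonegotiate
!
'@

function Get-IosInterfaceBlocks {
    param([string]$Config)
    # Map each "interface X" stanza to its trimmed lines, up to the next "!"
    $blocks = New-Object System.Collections.Specialized.OrderedDictionary
    $current = $null
    foreach ($line in ($Config -split "`r?`n")) {
        if ($line -match '^interface\s+(\S+)') {
            $current = $matches[1]
            $blocks[$current] = @()
        } elseif ($line -match '^!') {
            $current = $null
        } elseif ($current) {
            $blocks[$current] += $line.Trim()
        }
    }
    return $blocks
}

function Test-IosSwitchConfig {
    param([string]$Config)
    $findings = @()
    $allLines = $Config -split "`r?`n"

    # Global checks: DHCP snooping blocks rogue DHCP servers and builds the
    # binding table that Dynamic ARP Inspection (DAI) then enforces
    if (-not ($allLines -match '^ip dhcp snooping$')) {
        $findings += 'GLOBAL: ip dhcp snooping is not enabled'
    }
    if (-not ($allLines -match '^ip arp inspection vlan')) {
        $findings += 'GLOBAL: ip arp inspection is not enabled on any VLAN'
    }

    $blocks = Get-IosInterfaceBlocks -Config $Config
    foreach ($name in $blocks.Keys) {
        $lines = @($blocks[$name])
        $isTrunk = $lines -contains 'switchport mode trunk'
        $isAccess = $lines -contains 'switchport mode access'
        $noNegotiate = $lines -contains 'switchport nonegotiate'

        # DTP left dynamic lets any connected host negotiate itself a trunk
        if ($lines -match '^switchport mode dynamic') {
            $findings += "${name}: DTP dynamic mode; set 'switchport mode trunk' or 'access' explicitly"
        }
        if ($lines -match '^switchport trunk encapsulation isl') {
            $findings += "${name}: ISL encapsulation; standardise on 802.1Q (dot1q)"
        }
        if ($isTrunk) {
            if (-not $noNegotiate) {
                $findings += "${name}: trunk still sends DTP; add 'switchport nonegotiate'"
            }
            $nativeVlan = 1   # IOS default when no native VLAN is configured
            foreach ($l in $lines) {
                if ($l -match '^switchport trunk native vlan (\d+)') { $nativeVlan = [int]$matches[1] }
            }
            if ($nativeVlan -eq 1) {
                $findings += "${name}: native VLAN is 1; move it to an unused VLAN"
            }
        }
        if ($isAccess -and -not $noNegotiate) {
            $findings += "${name}: host port should carry 'switchport nonegotiate'"
        }
    }
    return $findings
}

Test-IosSwitchConfig -Config $runningConfig
```

Against the constructed config this reports the missing DAI configuration, the dynamic-desirable ISL uplink and the Hyper-V host port that still negotiates DTP; the dot1q uplink with native VLAN 999 and nonegotiate passes.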

Active Directory Validation

SKV will perform the tasks below to validate the Active Directory Site infrastructure for TLC.
a) Validate Site objects and report errors to TLC
b) Validate Subnet objects and report errors to TLC
c) Validate Site and Subnet associations and report inconsistencies to TLC
d) Validate and verify the DNS site information (the site-specific SRV records under _sites) and report misconfigurations to TLC
e) Validate that logon requests are serviced by Domain Controllers in the correct Active Directory Site
f) Validate Site replication and report back to TLC
g) Verify the clients' DNS server IP address associations
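The following PowerShell script is an added example (not code from the SKV proposal) of how checks a) to g) can be scripted through System.DirectoryServices, so it needs no RSAT module on the consultant's workstation. It assumes a domain-joined machine whose account can read the Configuration partition; no site, subnet or DC names are assumed, they are read from the forest.

```powershell
# Added example (not from the SKV proposal): enumerate sites, subnets and DCs
# through System.DirectoryServices and report the inconsistencies behind
# checks a) to g). Assumes a domain-joined machine whose account can read the
# Configuration partition; no site or DC names are assumed.
function Test-IPv4InSubnet {
    param([string]$Address, [string]$Cidr)
    # Byte-wise prefix comparison, e.g. 10.1.2.3 against 10.1.0.0/16
    $parts = $Cidr -split '/'
    if ($parts.Count -ne 2) { return $false }
    $ip = [System.Net.IPAddress]::Parse($Address)
    $net = [System.Net.IPAddress]::Parse($parts[0])
    if ($ip.AddressFamily -ne 'InterNetwork' -or $net.AddressFamily -ne 'InterNetwork') { return $false }
    $ipBytes = $ip.GetAddressBytes(); $netBytes = $net.GetAddressBytes()
    $bits = [int]$parts[1]
    for ($i = 0; $i -lt 4; $i++) {
        $remaining = $bits - (8 * $i)
        if ($remaining -le 0) { break }
        $maskByte = if ($remaining -ge 8) { 255 } else { [int](256 - [math]::Pow(2, 8 - $remaining)) }
        if (($ipBytes[$i] -band $maskByte) -ne ($netBytes[$i] -band $maskByte)) { return $false }
    }
    return $true
}

function Get-AdSiteReport {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $findings = @()
    foreach ($site in $forest.Sites) {
        # a) and c): a site with no subnets never matches a client's IP address,
        # so its clients fall back to any DC in the forest
        if ($site.Subnets.Count -eq 0) { $findings += "Site '$($site.Name)' has no subnets" }
        if ($site.Servers.Count -eq 0) { $findings += "Site '$($site.Name)' has no domain controllers" }
        foreach ($dc in $site.Servers) {
            # A DC whose own IP falls outside its site's subnets is a frequent
            # cause of clients being referred to the wrong site (checks d and e)
            $inSite = $false
            foreach ($subnet in $site.Subnets) {
                if (Test-IPv4InSubnet -Address $dc.IPAddress -Cidr $subnet.Name) { $inSite = $true }
            }
            if (-not $inSite) {
                $findings += "DC '$($dc.Name)' ($($dc.IPAddress)) is outside every subnet of its site '$($site.Name)'"
            }
        }
    }
    # b): subnets with no siteObject are orphaned and never used for site lookup
    $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $root = [ADSI]"LDAP://CN=Subnets,CN=Sites,$cfg"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=subnet)')
    foreach ($r in $searcher.FindAll()) {
        if ($r.Properties['siteobject'].Count -eq 0) {
            $findings += "Subnet '$($r.Properties['cn'][0])' is not assigned to any site"
        }
    }
    return $findings
}

function Get-ClientSiteInfo {
    # e) and g): the site this client resolved to (nltest) and its DNS servers
    $site = @(& nltest /dsgetsite 2>$null)[0]
    $dns = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object { $_.DNSServerSearchOrder }
    New-Object PSObject -Property @{ ClientSite = $site; DnsServers = ($dns -join ', ') }
}

Get-AdSiteReport
Get-ClientSiteInfo
```

Run it once from a client in each office: Get-ClientSiteInfo should name that office's site, and Get-AdSiteReport should return nothing when the site and subnet objects are consistent.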

Active Directory Monitoring

1) Ensure static IP addresses are configured on the Domain Controllers, and validate the subnet
mask and default gateway configured on each server. Domain Controllers must not be
multi-homed.
2) Ensure the network ports below are open for Active Directory and DNS communication:

Protocol and Port   | AD and AD DS Usage                                                           | Type of traffic
--------------------|------------------------------------------------------------------------------|------------------------------------------------------------
TCP and UDP 389     | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
TCP 636             | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
TCP 3268            | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
TCP 3269            | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
TCP and UDP 88      | User and Computer Authentication, Forest Level Trusts                         | Kerberos
TCP and UDP 53      | User and Computer Authentication, Name Resolution, Trusts                     | DNS
TCP and UDP 445     | Replication, User and Computer Authentication, Group Policy, Trusts           | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 25              | Replication                                                                  | SMTP
TCP 135             | Replication                                                                  | RPC, EPM
TCP Dynamic         | Replication, User and Computer Authentication, Group Policy, Trusts           | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
TCP 5722            | File Replication                                                             | RPC, DFSR (SYSVOL)
UDP 123             | Windows Time, Trusts                                                         | Windows Time
TCP and UDP 464     | Replication, User and Computer Authentication, Trusts                        | Kerberos change/set password
UDP Dynamic         | Group Policy                                                                 | DCOM, RPC, EPM
UDP 138             | DFS, Group Policy                                                            | DFSN, NetLogon, NetBIOS Datagram Service
TCP 9389            | AD DS Web Services                                                           | SOAP
UDP 67 and UDP 2535 | DHCP (not a core AD DS service, but often present in AD DS deployments)       | DHCP, MADCAP
UDP 137             | User and Computer Authentication                                             | NetLogon, NetBIOS Name Resolution
TCP 139             | User and Computer Authentication, Replication                                | DFSN, NetBIOS Session Service, NetLogon

Notes on the table: on Windows Server 2008 and later the dynamic RPC range is TCP/UDP 49152-65535 (it was 1025-5000 on Windows Server 2003), so firewall rules between the sites must allow that range or a fixed RPC port configured on the DCs. TCP 5722 is the static DFSR port used by Domain Controllers on Windows Server 2008 and 2008 R2, which matches TLC's platform; later versions use the dynamic range instead.
3) Verify that the disk partition holding the AD database, logs and SYSVOL is formatted with NTFS.

4) Verify the DNS zone TLC.LOCAL and the corresponding sub-domains (_msdcs, _tcp, _udp, _sites) are
created and populated with:
a) Kerberos SRV records (_kerberos._tcp) pointing to the Domain Controllers
b) LDAP SRV records (_ldap._tcp and _ldap._tcp.dc._msdcs) pointing to the Domain Controllers
c) _kpasswd SRV records pointing to the Domain Controllers
5) Ensure dynamic updates are configured on the DNS zone (secure updates only, for Active
Directory-integrated zones).
6) Enable aging and scavenging on the DNS server.
7) Ensure the forwarding timeout is set to 6 seconds.

8) Ensure the Active Directory-integrated DNS zones are replicated forest-wide (the _msdcs zone in
particular), so that clients can locate resource records from either domain.
9) Configure DNS reverse lookup zones for the specific IP subnets.
10) Ensure the hosts file on the DNS server contains no entries.
11) Ensure the recursion timeout is greater than the forwarding timeout.
12) Ensure replication between sites uses RPC over IP (not SMTP).
13) Understand whether the network is fully routed or hub-and-spoke. If the configuration is
hub-and-spoke, careful understanding of the WAN sites is required. Site link bridges are only
required for sites that host Domain Controllers. Equal care is required before proposing the
installation of a Domain Controller in a physical site. Site links join sites, not domains, so
adjacent sites belonging to different domains do not need a separate site link per domain.
14) Validate Bridge All Site Links (BASL) against the network. BASL should be enabled if the network
is fully routed (every Domain Controller can reach every other). If the Domain Controllers log
Event ID 1311, ensure that all WAN sites and site links are routable, validate the site link bridges
and remove any unrouted WAN links from Active Directory Sites and Services.
15) For any Active Directory Site with Global Catalogs, all the GCs in the site should be available
for replication rather than replication being pinned to a single one.
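The PowerShell script below is an added example (not code from the SKV proposal) that runs the per-DC checks from items 1, 2, 4 and 10 against one Domain Controller. The DC and domain names are the proposal's FRD1.TLC.LOCAL and TLC.LOCAL; the port list is the table above, restricted to TCP because UDP-only services such as NTP on 123 cannot be verified with a connect test. It assumes PowerShell 2.0 or later, WMI access to the DC and local administrator rights on it for the admin$ share.

```powershell
# Added example (not from the SKV proposal): per-DC checks for items 1, 2, 4 and
# 10 above. DC and domain names are the proposal's FRD1.TLC.LOCAL / TLC.LOCAL;
# the port list is the table above (TCP only). Assumes PowerShell 2.0+, WMI
# access to the DC and admin rights for the admin$ share.
$AdTcpPorts = @{ 53='DNS'; 88='Kerberos'; 135='RPC EPM'; 139='NetBIOS session'; 389='LDAP'
                 445='SMB'; 464='Kerberos kpasswd'; 636='LDAP SSL'; 3268='GC'; 3269='GC SSL'
                 5722='DFSR SYSVOL (2008/2008 R2)'; 9389='AD Web Services' }

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # Async connect with a timeout so a silently dropped port fails fast
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-DcPorts {
    param([string]$ComputerName)
    foreach ($port in ($AdTcpPorts.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Port = $port; Service = $AdTcpPorts[$port]
            Open = (Test-TcpPort -ComputerName $ComputerName -Port $port) }
    }
}

function Get-DcSrvRecords {
    param([string]$Domain)
    # nslookup rather than Resolve-DnsName so this runs on 2008 R2 era tooling;
    # the _msdcs record is the one the DC locator consults first
    $names = @("_ldap._tcp.dc._msdcs.$Domain", "_ldap._tcp.$Domain",
               "_kerberos._tcp.$Domain", "_kpasswd._tcp.$Domain")
    foreach ($name in $names) {
        $targets = @()
        foreach ($line in @(& nslookup -type=SRV $name 2>$null)) {
            if ($line -match 'svr hostname\s*=\s*(\S+)') { $targets += $matches[1] }
        }
        New-Object PSObject -Property @{ Record = $name; Found = ($targets.Count -gt 0); Targets = ($targets -join ', ') }
    }
}

function Test-HostsFileEmpty {
    param([string]$ComputerName)
    # Item 10: nothing but comments or blank lines in the DC's hosts file
    $path = "\\$ComputerName\admin$\System32\drivers\etc\hosts"
    $entries = @(Get-Content $path | Where-Object { $_ -match '^\s*[^#\s]' })
    return ($entries.Count -eq 0)
}

function Get-DcAddressing {
    param([string]$ComputerName)
    # Item 1: static addressing, mask and gateway on every IP-enabled adapter;
    # more than one such adapter means a multi-homed DC
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $ComputerName -Filter 'IPEnabled=TRUE')
    if ($nics.Count -gt 1) { Write-Warning "$ComputerName is multi-homed ($($nics.Count) IP-enabled adapters)" }
    foreach ($nic in $nics) {
        New-Object PSObject -Property @{
            Adapter = $nic.Description; DhcpEnabled = $nic.DHCPEnabled
            IPAddress = ($nic.IPAddress -join ','); Mask = ($nic.IPSubnet -join ',')
            Gateway = ($nic.DefaultIPGateway -join ',') }
    }
}

$dc = 'FRD1.TLC.LOCAL'; $domain = 'TLC.LOCAL'
Test-DcPorts -ComputerName $dc | Format-Table Port, Service, Open -AutoSize
Get-DcSrvRecords -Domain $domain | Format-Table Record, Found, Targets -AutoSize
Get-DcAddressing -ComputerName $dc | Format-Table Adapter, DhcpEnabled, IPAddress, Mask, Gateway -AutoSize
"Hosts file on $dc is empty: $(Test-HostsFileEmpty -ComputerName $dc)"
```

Run it from the Melbourne side against the Sydney DC (and vice versa) so the port results reflect the inter-site firewall path rather than the local VLAN; any DhcpEnabled = True row or a second IP-enabled adapter is a finding under item 1.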

Validation Tools and Analysis:

Microsoft Active Directory Sites map the physical infrastructure onto the logical infrastructure and
direct logon traffic and replication among Domain Controllers located across multiple regions.
Replication is key to managing data and object consistency across the domains within a site and
between sites (inter-site). Note that intra-site replication is triggered by change notification and
is uncompressed, so it is always faster than inter-site replication, which runs on the schedule of
the site link objects and is compressed for the WAN.

Knowledge Consistency Checker (KCC) Monitoring:

The KCC runs on every Domain Controller and creates the inbound connection objects that together
form the replication topology. Between sites, one KCC per site acts as the Inter-Site Topology
Generator (ISTG), builds the inter-site topology from the site link objects and nominates the
bridgehead server for its site. Initial nomination of a bridgehead server can take up to 2 hours,
and re-nomination (when the customer designates a preferred bridgehead server) also takes 2 hours
or more. The KCC locates its partners through the DSA GUID CNAME records under _msdcs and, from
the inbound and outbound Domain Controllers it determines, creates the inbound connections.

The intra-site topology is built automatically by the KCC as a ring. Replication between sites is
configured through site link objects. When the KCC polls a Domain Controller it expects an
immediate response: for a critical link (intra-site, or to a bridgehead) no failures are tolerated
and the partner is excluded from the topology once it has been unreachable for 2 hours; for an
ordinary inter-site link the default is likewise 2 hours after more than one failure.

KCC run after Domain Controller startup (initial replication with intra-site partners): 5 minutes,
then every 15 minutes.

Note: ensure all dependent services (DNS, and DHCP where hosted on the DC) have started before the
KCC's first run.
Test Case 1:
SKV consultants will perform a negative test: shut down the preferred bridgehead server and verify
that the KCC automatically elects a new bridgehead server and rebuilds the topology.

Test Case 2:
Disable inter-site topology generation for a given site and re-enable it after a defined period
(see http://support.microsoft.com/kb/242780 for the procedure). This freezes the existing connection
objects so the KCC stops recalculating them; replication itself continues over those connections on
the site link schedule, so to move replication load into off-peak hours and reduce WAN traffic the
site link schedule and cost must be adjusted as well.

Test Case 3:
Disable inter-site topology generation and manage the connections manually. This requires
administrators to understand the corporate network topology and to designate the site link
connections by hand, including redundant manual connections so that replication can continue if a
specific Domain Controller goes down.

Tools: repadmin (with dcdiag for the surrounding DC health checks)
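As an added example (not code from the SKV proposal), the PowerShell below wraps repadmin to collect the replication and bridgehead evidence the three test cases rely on, and reads or toggles the inter-site topology flag used in Test Case 2. The repadmin switches are standard; the DC name is the proposal's FRD1.TLC.LOCAL, while the site name 'Sydney' is an assumption, since the proposal names the offices but not the AD site objects.

```powershell
# Added example (not from the SKV proposal): repadmin wrappers for the KCC test
# cases above. Run as an account with replication-monitoring rights; the site
# name 'Sydney' is assumed, the DC name is the proposal's.
function Get-ReplicationFailures {
    # /showrepl * /csv emits one row per inbound partner for every DC in the forest
    $rows = & repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status', 'Last Failure Time'
}

function Get-BridgeheadSummary {
    # Which DCs the ISTG has nominated (or an admin preferred) as bridgeheads;
    # capture before and after Test Case 1 to prove re-election happened
    & repadmin /bridgeheads
}

function Get-SiteTopologyOptions {
    param([string]$Site)
    # Read the NTDS Site Settings "options" bits directly:
    # 0x1 = intra-site auto topology disabled, 0x10 = inter-site auto topology disabled
    $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $settings = [ADSI]"LDAP://CN=NTDS Site Settings,CN=$Site,CN=Sites,$cfg"
    $options = [int]($settings.options | Select-Object -First 1)   # 0 when never set
    New-Object PSObject -Property @{
        Site = $Site
        Options = $options
        IntraSiteAutoTopologyDisabled = (($options -band 0x1) -ne 0)
        InterSiteAutoTopologyDisabled = (($options -band 0x10) -ne 0)
    }
}

function Set-InterSiteAutoTopology {
    param([string]$DomainController, [string]$Site, [bool]$Enabled)
    # Same flag KB 242780 describes; '+' sets the disable bit, '-' clears it
    $flag = if ($Enabled) { '-IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED' } else { '+IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED' }
    & repadmin /siteoptions $DomainController "/site:$Site" $flag
}

function Invoke-KccCheck {
    param([string]$DomainController)
    & repadmin /kcc $DomainController          # force a topology recalculation now
    & repadmin /replsummary $DomainController  # aggregated failure and delta view
}

Get-SiteTopologyOptions -Site 'Sydney'
Get-ReplicationFailures | Format-Table -AutoSize
Get-BridgeheadSummary
# Test Case 2 window: freeze inter-site topology generation, later restore it
# Set-InterSiteAutoTopology -DomainController 'FRD1.TLC.LOCAL' -Site 'Sydney' -Enabled $false
# Set-InterSiteAutoTopology -DomainController 'FRD1.TLC.LOCAL' -Site 'Sydney' -Enabled $true
# Invoke-KccCheck -DomainController 'FRD1.TLC.LOCAL'
```

Keep the Test Case 2 calls commented out until the change window is agreed with TLC, and record Get-SiteTopologyOptions output before and after so the flag is provably cleared at the end of the test.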

Conclusion: This document sets out monitoring guidelines for the network and for the Active Directory
site structure. It describes monitoring measures for Layer 2, Layer 3 and general networking on the
Cisco devices, and the monitoring metrics for the Active Directory site implementation.
