Introduction
Crete LLC is a successful company that is rapidly expanding its production and
distribution of solar panels in Los Angeles, Dallas, and Houston. However, with the advent and
promotion of clean energy around the country, there is a great likelihood that other solar
companies such as Solar City and Astrum Solar will compete for Crete's clientele. It is
imperative that Crete remain competitive and secure its market not only by offering a
good product to its customers, but also by offering an efficient and safe way to deliver that
product. One of the most important recommendations toward this goal is that Crete update
its network technology so that it achieves and maintains the speed it needs in marketing, in
handling client requests, and in distributing its products. As Crete expands its business to
other states, it is also very important that the updated system be versatile enough to accommodate
these client requirements and a growing number of employees using the network.
This technology proposal takes all of those needs into account while planning for better
technical security and improved remote access to technology between the current Crete locations
Active Directory
Domains
Active Directory is essentially "a distributed database that stores and manages
applications" ("Domains," 2014). It organizes the system's components, such as "users,
computers, and devices," in an orderly fashion within "logical containers" ("Domains," 2014).
The forest is the top-level logical container; it holds one or more domains, and each domain is
subdivided into "organizational units" ("Domains," 2014).
For organizations striving to expand their services and locations, the recommendation is
to implement a forest with more than one domain, because there needs to be an organized model of
how all the domains are interconnected with one another to assure optimal service. For this
scenario, a regional domain model would work best. According to Microsoft, regional domain
models are recommended where a large number of users in several geographical locations will
generate network traffic ("Reviewing," 2012). Crete plans to conduct its enterprise mainly
throughout three locations: Los Angeles, Dallas, and Houston, with the main staff in Dallas and
Houston. Since these locations are dispersed across the country, the standard single domain
model would not be well suited, as replication of the enterprise's entire directory to every
domain controller would consume too much WAN bandwidth ("Reviewing," 2012). I recommend
partitioning the directory into several domains across the three locations to limit the amount
of replication traffic needed to
Another important aspect of this plan is to create a unique domain name that is not in
use by any other company or entity. "Choosing a domain name is similar to choosing a company
name," because it will represent the company's "identity on the web" ("10 Tips," 2015). Experts
suggest that the domain name be short, so that it is easy to remember and find, while also
defining the brand and promoting the company's product ("10 Tips," 2015). Whichever name is
chosen for the forest root, Crete should also hold the public registration for it (or use a
subdomain of a name it already owns), so that the internal namespace cannot later collide with
another party's public domain. For Crete, a
Following the regional domain model, a forest root domain must be created along with
one or more regional domains. The forest root domain holds the forest-wide schema and
configuration partitions, which replicate to every domain controller in the forest, and it hosts
the forest-wide operations master roles; the users, computers, and other objects of each regional
domain stay in that domain, and only the global catalog's partial attribute set crosses domain
boundaries. At Crete, the Los Angeles, Dallas, and Houston locations are all interconnected over
a WAN. In this setting, a regional domain should be placed at each location, with the forest
root domain implemented at either Dallas or Houston, where the main staff is located. Because
administrators of the forest root can affect every domain in the forest, the root domain should
be kept small and dedicated, with its domain controllers physically secured and its
administrative group memberships tightly limited. This setting would be the best solution for
reducing replication traffic and stabilizing the environment while efficiently distributing the
resources the enterprise's users need ("Reviewing," 2012).
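The following PowerShell is added here as a worked example of the regional model described above; it is not taken from the proposal or from Microsoft's documentation. It builds the dedicated forest root in Dallas, defines the three sites so that replication follows the WAN links rather than treating every domain controller as local, and adds one regional child domain. The names (crete.example, dallas.crete.example, the 10.x/16 subnets, the link costs and intervals) are assumptions chosen for illustration.

```powershell
# Added example for the Crete proposal (not from the original): build the forest
# root in Dallas, define the three AD sites, and add one regional child domain.
# Assumptions: forest root crete.example, child domain dallas.crete.example,
# subnets 10.1/16 (Dallas), 10.2/16 (Houston), 10.3/16 (Los Angeles).

# --- 1. First server in Dallas becomes the dedicated forest root DC -----------
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$dsrm = Read-Host -AsSecureString 'DSRM password for this DC'
Install-ADDSForest `
    -DomainName 'crete.example' `
    -DomainNetbiosName 'CRETE' `
    -ForestMode 'Win2012' -DomainMode 'Win2012' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force          # the server reboots when promotion finishes

# --- 2. Site topology (run once on the root DC after it is back up) -----------
Import-Module ActiveDirectory
# The root DC landed in Default-First-Site-Name; make that site Dallas.
Get-ADReplicationSite -Identity 'Default-First-Site-Name' | Rename-ADObject -NewName 'Dallas'
New-ADReplicationSubnet -Name '10.1.0.0/16' -Site 'Dallas'
$branchSites = @{ 'Houston' = '10.2.0.0/16'; 'Los-Angeles' = '10.3.0.0/16' }
foreach ($site in $branchSites.GetEnumerator()) {
    New-ADReplicationSite   -Name $site.Key
    New-ADReplicationSubnet -Name $site.Value -Site $site.Key
}
# Hub-and-spoke links with Dallas as the hub. Cost and interval are what the KCC
# uses to decide which path inter-site replication takes and how often it runs.
New-ADReplicationSiteLink -Name 'DAL-HOU' -SitesIncluded 'Dallas','Houston' `
    -Cost 100 -ReplicationFrequencyInMinutes 30 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'DAL-LA'  -SitesIncluded 'Dallas','Los-Angeles' `
    -Cost 200 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP
# The auto-created DEFAULTIPSITELINK still contains Dallas; remove it so the KCC
# cannot fall back to it.
Remove-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Confirm:$false

# --- 3. Second server in Dallas becomes the first DC of the regional domain ---
# (run on that server; needs Enterprise Admins credentials from the root domain)
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomain `
    -NewDomainName 'dallas' -ParentDomainName 'crete.example' -DomainType ChildDomain `
    -NewDomainNetbiosName 'DALLAS' `
    -SiteName 'Dallas' `
    -InstallDns -CreateDnsDelegation `
    -Credential (Get-Credential 'CRETE\Administrator') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password for this DC') `
    -Force
# Houston repeats step 3 with -NewDomainName 'houston' -SiteName 'Houston'.

# --- 4. Verify ---------------------------------------------------------------
Get-ADForest | Select-Object RootDomain, Domains, Sites
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, SitesIncluded, Cost, ReplicationFrequencyInMinutes
repadmin /replsummary
```

The site links are what actually limit WAN replication traffic: without subnets and links, every domain controller is treated as being in one site and replicates with its partners continuously. The root domain gets no users or workstations of its own; only the regional domains do.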
RODC
I recommend that Crete's system include read-only domain controllers (RODCs). The RODC is
designed specifically for branch offices, which typically have few users, poor physical
security, limited WAN bandwidth, and limited IT resources (see Fig. 1) ("RODC," 2009).
Figure 1. Illustration of how an RODC is used in a branch office deployment ("RODC," 2009).
unidirectional replication, a separate krbtgt account per RODC that "helps to restrict malicious
updates from affecting the rest of the forest," a password replication policy (PRP) that controls
which accounts' passwords may be "cached on the RODC" (by default, none), and the RODC filtered
attribute set (FAS) that disallows the
RODC to the Los Angeles satellite office would benefit the company by maintaining the
integrity of the original operational settings at this smaller office, while allowing more
flexibility in network management, such as delegating server and application administration at the
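The PowerShell below is an added example, not part of the proposal, showing the Los Angeles RODC deployed the way the features above are meant to be used: the account is pre-staged from Dallas so the person installing the box in LA needs no domain-admin rights, and the password replication policy is then restricted to LA accounts so that a stolen RODC exposes only those secrets. The domain dallas.crete.example (assumed to be the regional domain LA reports to), the site name Los-Angeles, the host LA-RODC01, the groups LA-Users and LA-Workstations, and the delegated account DALLAS\LA-Technician are all assumptions.

```powershell
# Added example (not part of the proposal): stage the Los Angeles RODC from Dallas,
# let a local technician finish the install, and scope what the RODC may cache.
# Assumptions: LA is a branch of dallas.crete.example, site 'Los-Angeles',
# RODC LA-RODC01, groups LA-Users / LA-Workstations, delegated installer
# DALLAS\LA-Technician (no domain admin rights).
Import-Module ActiveDirectory

# --- 1. Pre-create the RODC account (run by a domain admin in Dallas) ---------
# ADDSDeployment module; present on any server with the AD DS role installed.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'LA-RODC01' `
    -DomainName 'dallas.crete.example' `
    -SiteName 'Los-Angeles' `
    -DelegatedAdministratorAccountName 'DALLAS\LA-Technician' `
    -InstallDns

# --- 2. Finish the install on the LA server (run there by LA-Technician) ------
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController `
    -DomainName 'dallas.crete.example' `
    -UseExistingAccount `
    -Credential (Get-Credential 'DALLAS\LA-Technician') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# --- 3. Password Replication Policy (back in Dallas) --------------------------
# Allowed list: only LA users and LA workstations. The built-in Denied list
# already holds the privileged groups; adding them again makes the intent explicit.
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'LA-RODC01' `
    -AllowedList 'LA-Users','LA-Workstations'
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'LA-RODC01' `
    -DeniedList 'Domain Admins','Account Operators','Server Operators','Backup Operators'

function Get-RodcCacheReport {
    # What the RODC is permitted to cache versus what it has actually cached.
    param([string]$Rodc = 'LA-RODC01')
    [pscustomobject]@{
        Allowed  = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed).Name
        Denied   = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied).Name
        Revealed = (Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts).Name
    }
}
Get-RodcCacheReport | Format-List

# --- 4. If the LA box is lost or stolen: invalidate everything it ever cached -
function New-RandomPassword {
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'LA-RODC01' -RevealedAccounts |
    Where-Object ObjectClass -eq 'user' |
    ForEach-Object { Set-ADAccountPassword -Identity $_ -Reset -NewPassword (New-RandomPassword) }
# Then delete the LA-RODC01 computer object (the Active Directory Users and
# Computers dialog offers to reset cached computer accounts too) and re-stage.
```

Step 4 is the payoff of a tight allowed list: the set of accounts that must be reset after a theft is exactly the revealed list, which a narrow PRP keeps to the LA office rather than the whole domain.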
Setting the Flexible Single-Master Operations (FSMO) roles is another area that must
be considered for this project, since certain directory operations must be "performed on a single
domain controller" (FSMO, 2014). Microsoft recommends this arrangement to "define a well-known
target for critical operations and to prevent the introduction of conflicts or latency that could be
The five FSMO roles are assigned automatically when the forest and its domains are created: the
first domain controller in the forest holds all five, and the first domain controller in each
additional domain holds that domain's three. Two roles are forest-wide and exist once per forest.
The Schema Master allows manual or programmatic schema updates, such as "updates that are added
by Windows ADPREP /FORESTPREP, by Microsoft Exchange, and by other applications that use Active
Directory Domain Services (AD DS)" (FSMO, 2014), and the Domain Naming Master adds or removes
"domains and applications to and from the forest" (FSMO, 2014). Both should be placed on one
writable domain controller in the forest root domain. The remaining three roles exist once in
every domain, so each regional domain at Crete will hold its own: the PDC emulator, which is the
default target for Group Policy updates, receives urgent password updates, and "performs writable
operations"; the RID Master, which allocates RID pools to the domain's other domain controllers;
and the Infrastructure Master, which "updates cross-domain references and phantoms from the
global catalog" (FSMO, 2014). The PDC emulator and RID Master should sit together on a
well-connected domain controller in each regional domain, and the Infrastructure Master should
not sit on a global catalog server unless every domain controller in that domain is also a global
catalog. An RODC can never hold any of these roles. Please note that for the applicable FSMO,
"the owner must be online, discoverable, and available on the
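As an added example (not from the proposal), the following PowerShell inventories every role holder in the Crete forest, transfers the roles to the placement recommended above, and checks the infrastructure master rule; it also shows the seize form, which is for a holder that is permanently gone. The host names DAL-ROOTDC01, DAL-DC01 and DAL-DC02 and the domain dallas.crete.example are assumptions.

```powershell
# Added example (not from the proposal): list, transfer and sanity-check FSMO
# roles in the Crete forest. DAL-ROOTDC01 / DAL-DC01 / DAL-DC02 are assumed names.
Import-Module ActiveDirectory

function Get-CreteFsmoHolders {
    # Forest-wide roles hang off the forest object; the three domain roles off each domain.
    $forest = Get-ADForest
    $rows = @(
        [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    )
    foreach ($d in $forest.Domains) {
        $dom = Get-ADDomain -Identity $d
        foreach ($role in 'PDCEmulator','RIDMaster','InfrastructureMaster') {
            $rows += [pscustomobject]@{ Scope = $d; Role = $role; Holder = $dom.$role }
        }
    }
    $rows
}
Get-CreteFsmoHolders | Format-Table -AutoSize

# Forest-wide roles together on one writable DC in the root domain.
# (Transferring the schema master requires Schema Admins membership.)
Move-ADDirectoryServerOperationMasterRole -Identity 'DAL-ROOTDC01' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false

# Per-domain roles: PDC emulator and RID master on the same well-connected DC.
Move-ADDirectoryServerOperationMasterRole -Identity 'DAL-DC01' `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false

# Infrastructure master must not be a GC unless every DC in the domain is one.
$dom   = Get-ADDomain -Identity 'dallas.crete.example'
$im    = Get-ADDomainController -Identity $dom.InfrastructureMaster
$nonGc = Get-ADDomainController -Filter * -Server $dom.DNSRoot | Where-Object { -not $_.IsGlobalCatalog }
if ($im.IsGlobalCatalog -and $nonGc) {
    Write-Warning "$($im.HostName) is a global catalog but $($nonGc.Count) DC(s) in $($dom.DNSRoot) are not; move the infrastructure master."
}

# Seizing (-Force) is only for a holder that will never come back; the old
# holder must not be reconnected to the network afterwards.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DAL-DC02' -OperationMasterRole PDCEmulator -Force
```

Run the inventory function again after each transfer; the change is not confirmed until the new holder is listed, because the transfer is itself a replicated directory write.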
In the case of natural disasters such as tsunamis or tornadoes, or other events such as
power outages, hacker attacks, or even riot destruction, an AD backup and recovery plan is
highly recommended. It is important that Crete create a backup and recovery plan for all of the
objects in its domains' Active Directory, especially since Crete's data will be spread across
three scattered locations around the country. For this scenario, a system state backup should be
made of at least one domain controller in each regional domain using the wbadmin start
systemstatebackup command. All backups should be kept on a dedicated internal or external hard
drive ("Best," 2008). Because a system state backup contains the directory database (NTDS.dit),
and therefore every password hash in the domain, that drive must be protected like a domain
controller itself: access limited to administrators and backup operators, and any off-site copy
encrypted. I also recommend periodic backups using Windows Server Backup. Scheduled backups
should be performed during late hours, when traffic is usually light and the level of operations
low ("Best," 2008). By Microsoft's default, the backup time is 5:00 PM, which still falls within
the business day. The recommendation is to perform at least two trusted backups of each domain
by scheduling daily backups; this measure is important for fault tolerance ("Best," 2008). The
Task Scheduler can be used to accomplish this: the task runs Wbadmin.exe at the appropriate time
("Scenario," 2008). Note that a backup older than the forest's tombstone lifetime cannot be
restored, so the schedule must also be checked to confirm it is actually running. In cases where
data is lost or corrupted, an Active Directory recovery plan must be in place to ensure the loss
does not significantly affect the business. The recommendations for Crete are as follows:
In general, use the wbadmin start systemstaterecovery command to recover any lost
When the AD needs to return to the state of the latest backup, a nonauthoritative
restore will likely suffice. The affected domain controller must first be restarted in
Directory Services Restore Mode (DSRM), where wbadmin may then start the
For recovering specific objects and containers that have been deleted from the AD, an
authoritative restore will likely solve the issue. The domain controller must be in DSRM
before the backup is selected, which is usually the most recent backup of that domain. Using
Ntdsutil.exe, the desired objects, containers, or partitions must be marked as authoritative.
After restarting the domain controller in normal mode, the changes should take
Group Policy
When considering domain maintenance, one of the greatest advantages Windows Server 2012
provides is Group Policy. "Group Policy is a system within Active Directory that gives the
network administrators the ability to define user, security, and organization-wide policies
throughout the network" (Jacoberger, n.d.). Basically, Group Policy specifies who or what may
use the computer and software operations within the company's system, and how, "including
registry-based policy settings, security settings, software installation, scripts (computer
startup and shutdown, and log on and log off), and folder redirection" ("Step," n.d.). The
benefits of implementing Group Policy include "ease of management, security, cost and
It is highly recommended that Crete establish Group Policy practices for its personnel.
"The policy information is stored in Group Policy objects (GPOs), which are linked to selected
Active Directory containers: sites, domains, and organizational units (OUs)" ("Step," n.d.). The
settings have to take the company's Active Directory structure into account, since a GPO's place
in that hierarchy determines which users and computers it applies to and in what order of
precedence. Fig. 2 provides a general scheme that could be applied to Crete:
Figure 2. Modified “Group Policy and the Active Directory.” This figure shows the
Group Policy offers numerous options for the management and control of users; some of the
Remote Group Policy update: As changes are made to Group Policy settings, it is
important that all domains and computers are updated accordingly. Crete's IT
personnel may create scheduled tasks to refresh the changes made to the Group
Policy settings, thus replicating the settings to the computers associated with that
Group Policy Results: A Group Policy Results report may be created by the main IT
administrative staff to verify whether all group policy settings have been applied
to the desired clients/computers ("What's New," 2014). This is important, as it gives
Crete's administration assurance that all group policy configurations have been applied
as intended.
Fast Startup: For standard client users, improved startup times may be implemented
for a smoother, overall better experience. For example, a hibernate state can be used
instead of a full shutdown to allow startup and shutdown times to become
Group Policy Preferences for Internet Explorer 10: Considering the Crete
administrative staff's goals, limits on how Internet Explorer 10 may be used can disallow
specific sites that should not be permitted, such as viewing YouTube videos or accessing
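The PowerShell below is an added example, not part of the proposal, that ties the four items above together: one workstation GPO carrying the fast-startup setting and an Internet Explorer site restriction, a remote Group Policy update pushed to every computer in the OU, and a Group Policy Results report to confirm the settings landed. The OU path, the client DAL-WS01, the user DALLAS\jdoe and the report folder are assumptions; the registry locations used are the ones the "Site to Zone Assignment List" and fast-startup settings write.

```powershell
# Added example (not from the proposal): workstation baseline GPO for Crete,
# remote refresh, and a results report. Assumed names: the Workstations OU,
# client DAL-WS01, user DALLAS\jdoe, report folder C:\GPReports.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou  = 'OU=Workstations,OU=Dallas,DC=dallas,DC=crete,DC=example'
$gpo = New-GPO -Name 'Crete-Workstation-Baseline' -Comment 'Fast startup; IE site restrictions'
New-GPLink -Name $gpo.DisplayName -Target $ou -LinkEnabled Yes | Out-Null

# Fast Startup: Windows hibernates the kernel session at shutdown instead of
# discarding it, so the next boot resumes rather than cold-starts.
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power' `
    -ValueName 'HiberbootEnabled' -Type DWord -Value 1 | Out-Null

# Internet Explorer: place blocked sites in the Restricted sites zone (zone 4)
# via the keys that the "Site to Zone Assignment List" policy writes.
$ieKey = 'HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $gpo.DisplayName -Key "$ieKey\ZoneMap" `
    -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key "$ieKey\ZoneMapKey" `
    -ValueName 'youtube.com' -Type String -Value '4' | Out-Null

# Remote Group Policy update: refresh every computer in the OU now instead of
# waiting for the background cycle. Needs the "Group Policy remote update"
# firewall rules enabled on the clients.
Get-ADComputer -SearchBase $ou -Filter * | ForEach-Object {
    Invoke-GPUpdate -Computer $_.DNSHostName -Force -RandomDelayInMinutes 0
}

# Group Policy Results: prove the settings applied to a given client and user.
New-Item -ItemType Directory -Path 'C:\GPReports' -Force | Out-Null
Get-GPResultantSetOfPolicy -Computer 'DAL-WS01' -User 'DALLAS\jdoe' `
    -ReportType Html -Path 'C:\GPReports\DAL-WS01-jdoe.html'
```

The results report is the check that matters: a GPO that is linked but blocked by inheritance, filtered out by a security group, or overridden by a higher-precedence GPO shows up there as not applied, which a successful New-GPLink alone never reveals.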
operations. The Distributed File System provides the ability to logically organize shared folders
located on multiple servers into one logical folder called the namespace. This operation
allows multiple users across the domain to access the shared files (TestOut, "Distributed,"
namespace would not be applicable to this company since it will be using Active Directory
Domain Services. A domain-based namespace should be implemented, as it keeps the
namespace available when it is hosted on multiple namespace servers ("Choose," 2017).
Considering that more than one DNS server will be deployed for Crete, DNS zones must
be planned so that zone transfers and replication stay consistent. A combination of
primary, secondary, and stub zones would effectively benefit Crete's business. The primary zones
deployed within Crete's network hold the writable copy of each zone and answer name resolution
requests for it, while the secondary zones take over this role in the case of "excessive traffic"
or when the "primary server fails" ("Configuring," n.d.). Because the primary zones will live on
domain controllers, they should be stored in Active Directory (AD-integrated) so that they
replicate with the directory and accept only secure dynamic updates; classic zone transfers are
then needed only for stand-alone secondaries, and those transfers should be limited to explicitly
listed servers rather than allowed to any host that asks. Stub zones contain only the records
needed to locate a zone's authoritative servers (SOA, NS and glue records), so they are useful
wherever zone transfer and replication traffic must be reduced ("Configuring," n.d.).
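Added here as an example, and not taken from the proposal, the following PowerShell creates each of the three zone types in the roles described above and restricts zone transfers on the primary; the last function audits every primary zone on a server for transfers left open to any host. The addresses (Dallas DC 10.1.0.10, Houston DC 10.2.0.10, a stand-alone DMZ resolver at 10.1.50.5) and the zone names are assumptions.

```powershell
# Added example (not from the proposal): primary, stub and secondary zones for
# Crete plus transfer restrictions. Assumed: Dallas DC 10.1.0.10, Houston DC
# 10.2.0.10, stand-alone DMZ resolver 10.1.50.5, zones crete.example and
# dallas.crete.example.
Import-Module DnsServer

# --- On the Dallas DC: AD-integrated primary for the regional domain ----------
# Stored in the directory, replicated to every DC in the domain, and only
# authenticated hosts may register or change their own records.
Add-DnsServerPrimaryZone -Name 'dallas.crete.example' -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# --- On the Houston DC: stub zone pointing at Dallas -------------------------
# Carries only SOA, NS and glue, so Houston can find Dallas's name servers
# without replicating Dallas's whole zone across the WAN.
Add-DnsServerStubZone -Name 'dallas.crete.example' -MasterServers 10.1.0.10 -ReplicationScope 'Domain'

# --- On the stand-alone DMZ resolver: file-backed secondary of the root zone -
Add-DnsServerSecondaryZone -Name 'crete.example' -ZoneFile 'crete.example.dns' -MasterServers 10.1.0.10

# --- Back on the Dallas DC: transfers only to the listed secondary -----------
# A full zone transfer is a map of the internal network; never leave it open.
Set-DnsServerPrimaryZone -Name 'crete.example' `
    -SecureSecondaries 'TransferToSecureServers' -SecondaryServers 10.1.50.5 `
    -Notify 'NotifyServers' -NotifyServers 10.1.50.5

function Test-CreteZoneTransferPolicy {
    # Flag every primary zone on this server that still allows AXFR to any host.
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $z = Get-DnsServerPrimaryZone -Name $_.ZoneName
            [pscustomobject]@{
                Zone     = $z.ZoneName
                Transfer = $z.SecureSecondaries
                Servers  = ($z.SecondaryServers -join ',')
                Risky    = ($z.SecureSecondaries -eq 'TransferAnyServer')
            }
        }
}
Test-CreteZoneTransferPolicy | Format-Table -AutoSize
```

The stub zone and the AD-integrated zone both replicate through the directory, so no AXFR traffic crosses the Dallas-Houston link at all; only the DMZ resolver, which is not a domain member, still depends on a classic zone transfer, and that is the one that must be pinned to a named server.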
File Services
The File Server Resource Manager (FSRM) should also be configured. This suite of tools
gives Crete's IT administrators the ability to control the kind and quantity of data stored on
Crete's servers. Using FSRM, hard quotas may be created to limit the amount of data a
particular folder may hold (TestOut, "File," 2017). This is a much better solution for keeping
storage management in check. Soft quotas may also be created to record how much disk space is
used for certain files without blocking writes (TestOut, "File," 2017). With a combination of
hard and soft quotas, storage can easily be managed.
To secure file sharing throughout Crete, I recommend implementing the Distributed File
System (DFS) (please also refer to the discussion of DFS above). DFS increases data availability
by letting a folder have targets on more than one server; confidentiality of the data still
depends on the NTFS and share permissions applied to each target (TestOut, "Distributed," 2017).
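The PowerShell below is an added example, not part of the proposal, serving both the DFS discussion above and the FSRM section: a domain-based namespace with two namespace servers, a folder target with its NTFS permissions set explicitly, and a hard and a soft quota on the shares. The file servers DAL-FS01 and HOU-FS01, the share root D:\Shares and the group DALLAS\Engineering are assumptions.

```powershell
# Added example (not from the proposal): domain-based DFS namespace with two
# namespace servers, one folder target, NTFS ACL on the target, FSRM quotas.
# Assumed: file servers DAL-FS01 / HOU-FS01, share root D:\Shares,
# group DALLAS\Engineering.
Import-Module Dfsn
Import-Module FileServerResourceManager

# --- Namespace -----------------------------------------------------------------
# Domain-based (V2) root lives in AD; a second namespace server keeps
# \\crete.example\Shares resolvable if DAL-FS01 is down.
New-DfsnRoot -Path '\\crete.example\Shares' -TargetPath '\\DAL-FS01\Shares' `
    -Type DomainV2 -EnableAccessBasedEnumeration $true
New-DfsnRootTarget -Path '\\crete.example\Shares' -TargetPath '\\HOU-FS01\Shares'

# One logical folder, one physical target. Users only ever see the namespace
# path, so the server behind it can be moved without touching clients.
New-DfsnFolder -Path '\\crete.example\Shares\Engineering' -TargetPath '\\DAL-FS01\Engineering'

# DFS sets no permissions of its own; confidentiality is the NTFS ACL on the target.
icacls 'D:\Shares\Engineering' /inheritance:r `
    /grant:r 'DALLAS\Engineering:(OI)(CI)M' 'BUILTIN\Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F'

# --- FSRM quotas -----------------------------------------------------------------
# Hard quota: writes fail once the folder reaches 200 GB.
New-FsrmQuota -Path 'D:\Shares\Engineering' -Size 200GB -Description 'Engineering hard cap'

# Soft quota: never blocks, but logs an event at 85 % so growth is visible.
# [Server], [Quota Used Percent] and [Quota Limit MB] are FSRM message variables.
$warn = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Scratch share on [Server] is at [Quota Used Percent]% of its [Quota Limit MB] MB soft quota.'
New-FsrmQuota -Path 'D:\Shares\Scratch' -Size 50GB -SoftLimit `
    -Threshold (New-FsrmQuotaThreshold -Percentage 85 -Action $warn) `
    -Description 'Scratch soft quota (monitoring only)'

function Get-CreteQuotaReport {
    # Every quota on this server with its current fill level.
    Get-FsrmQuota | Select-Object Path, SoftLimit,
        @{ n = 'LimitGB'; e = { [math]::Round($_.Size / 1GB, 1) } },
        @{ n = 'UsedGB';  e = { [math]::Round($_.Usage / 1GB, 1) } },
        @{ n = 'Pct';     e = { [int](100 * $_.Usage / $_.Size) } }
}
Get-CreteQuotaReport | Format-Table -AutoSize
```

Access-based enumeration on the root hides folders a user cannot open, which reduces what a compromised account can learn about the share layout, but it is not an access control; the icacls line is.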
Remote Services
Several technologies are available for the Remote Access role, which provides "centralized
access services with the Routing and Remote Access Service (RRAS)" ("Remote," 2012). For
Crete, I recommend the DirectAccess service as the best and most secure remote
access for users. DirectAccess allows authorized remote users "to securely access shared
resources, Web sites, and applications [within Crete's] network on an internal network without
connecting to a virtual private network (VPN)" ("Remote," 2014). This service should be
implemented from the Remote Access server role and "deployed on the same Edge server and
managed by using Windows PowerShell commands and the Remote Access Microsoft
Within any organization, remote access should be used with caution because it may
interfere with users' daily operations (Keeley, 2014). Since a remote access deployment can
end up reachable by every user by default unless access is deliberately scoped, it is highly
recommended that only appropriate users be granted remote access, on a case-by-case basis. I
recommend implementing a local security policy to draw a clear line around who should receive
remote access. A local security policy at Crete should delineate in detail the groups of users
who are trusted with this privilege and in what situations (Keeley, 2014). These groups should
be restricted mainly to IT and server administrators; regular employees and
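As an added example (not from the proposal), the following PowerShell deploys DirectAccess on the edge server and then applies the scoping recommended above: the wizard's default client group is replaced by a security group that is populated only by explicit approval, the policy is limited to mobile computers, and a function lists every member of every DirectAccess client group for periodic review. The edge server CRETE-DA01 with interfaces named Internal and External, the public name da.crete.example, the OU path and the group DALLAS\DA-Laptops are assumptions.

```powershell
# Added example (not from the proposal): DirectAccess on the Crete edge server,
# scoped to an explicitly populated computer group, plus an access audit.
# Assumed: edge server NICs 'Internal'/'External', public name da.crete.example,
# group DALLAS\DA-Laptops in OU=Groups,OU=Dallas.
Import-Module ActiveDirectory
Install-WindowsFeature RemoteAccess -IncludeManagementTools
Import-Module RemoteAccess

# The gating group. Membership is the control: nobody lands in it by accident.
New-ADGroup -Name 'DA-Laptops' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,OU=Dallas,DC=dallas,DC=crete,DC=example' `
    -Description 'Computers permitted to use DirectAccess (case-by-case approval)'

# Full DirectAccess deployment; client and server settings are delivered as
# domain GPOs rather than configured machine by machine.
Install-RemoteAccess -DAInstallType FullInstall `
    -ConnectToAddress 'da.crete.example' `
    -InternalInterface 'Internal' -InternetInterface 'External' `
    -ClientGpoName 'dallas.crete.example\DirectAccess Client Settings' `
    -ServerGpoName 'dallas.crete.example\DirectAccess Server Settings' `
    -Force

# Replace whatever client group the deployment defaulted to with the gating
# group, and restrict the client policy to mobile computers so office desktops
# never receive it.
Get-DAClient | Select-Object -ExpandProperty SecurityGroupNameList |
    ForEach-Object { Remove-DAClient -SecurityGroupNameList $_ -Force }
Add-DAClient -SecurityGroupNameList 'DALLAS\DA-Laptops'
Set-DAClient -OnlyRemoteComputers Enabled

function Get-DaAccessAudit {
    # Everyone who can currently get in: recursive membership of each DA client
    # group, for the periodic case-by-case review the policy calls for.
    foreach ($g in (Get-DAClient).SecurityGroupNameList) {
        $name = $g.Split('\')[-1]
        Get-ADGroupMember -Identity $name -Recursive |
            Select-Object @{ n = 'Group'; e = { $g } }, Name, ObjectClass, DistinguishedName
    }
}
Get-DaAccessAudit | Format-Table -AutoSize
```

The audit is recursive on purpose: nesting a broad group such as Domain Computers inside DA-Laptops would silently widen access, and only a recursive listing shows that.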
Within Crete's network, all servers and clients should be kept up to date with the latest
Microsoft updates and patches. By default, clients contact the Microsoft Update website for
updates through Automatic Updates. However, network bandwidth and speed can be drastically
affected by this operation. A solution to this problem is to implement a Windows Server
Update Services (WSUS) server. Because WSUS servers are built to communicate with the
Microsoft Update website, they make a much better, locally accessible referral point for the latest
updates and patches (TestOut, "Windows Software," 2017). Any client or server configured to use
the WSUS server then gets its patches from the list of updates the WSUS server has approved
(TestOut, "Windows Software," 2017). Two practical points follow: an update is offered only
after an administrator approves it, so someone must own that task, and clients should reach the
WSUS server over HTTPS so that an attacker on the network cannot impersonate it and hand
clients malicious "updates."
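The following PowerShell is an added example, not part of the proposal, that stands up the WSUS server, limits synchronization to the products and classifications Crete runs, enables TLS, and redirects clients to it with a GPO. The host wsus.crete.example, the content path D:\WSUS, the product names and the OU are assumptions, and a server certificate is assumed to already be bound to port 8531 in IIS.

```powershell
# Added example (not from the proposal): WSUS in Dallas, nightly sync of a small
# product set, TLS for clients, and the client-side GPO.
# Assumed: wsus.crete.example, content on D:\WSUS, a certificate already bound
# to 8531 in IIS, clients in OU=Dallas of dallas.crete.example.
Install-WindowsFeature UpdateServices -IncludeManagementTools
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=D:\WSUS

# Upstream is Microsoft Update; sync only what Crete actually runs.
Set-WsusServerSynchronization -SyncFromMU
Get-WsusProduct |
    Where-Object { $_.Product.Title -in 'Windows Server 2012','Windows 8' } | Set-WsusProduct
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in 'Critical Updates','Security Updates','Definition Updates' } |
    Set-WsusClassification

# Nightly synchronization; an administrator still approves before anything is offered.
$wsus = Get-WsusServer
$sub  = $wsus.GetSubscription()
$sub.SynchronizeAutomatically          = $true
$sub.SynchronizeAutomaticallyTimeOfDay = [TimeSpan]::Parse('22:00')
$sub.Save()
$sub.StartSynchronization()

# TLS between clients and WSUS. Over plain HTTP anyone on the path can rewrite
# the update metadata and have clients fetch and run their own binaries.
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" configuressl wsus.crete.example

# Client side: one GPO that points Automatic Updates at the HTTPS endpoint.
Import-Module GroupPolicy
$gpo = New-GPO -Name 'Crete-WSUS-Clients'
$wu  = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
$url = 'https://wsus.crete.example:8531'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $wu -ValueName 'WUServer'       -Type String -Value $url | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key $wu -ValueName 'WUStatusServer' -Type String -Value $url | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key "$wu\AU" -ValueName 'UseWUServer'          -Type DWord -Value 1  | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key "$wu\AU" -ValueName 'NoAutoUpdate'         -Type DWord -Value 0  | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key "$wu\AU" -ValueName 'AUOptions'            -Type DWord -Value 4  | Out-Null  # download and install on schedule
Set-GPRegistryValue -Name $gpo.DisplayName -Key "$wu\AU" -ValueName 'ScheduledInstallDay'  -Type DWord -Value 0  | Out-Null  # every day
Set-GPRegistryValue -Name $gpo.DisplayName -Key "$wu\AU" -ValueName 'ScheduledInstallTime' -Type DWord -Value 23 | Out-Null
New-GPLink -Name $gpo.DisplayName -Target 'OU=Dallas,DC=dallas,DC=crete,DC=example' | Out-Null

function Get-CreteWsusStaleClients {
    # Machines that have not reported in for over a day: either not receiving the
    # policy or unable to reach port 8531.
    param([int]$MaxAgeDays = 1)
    (Get-WsusServer).GetComputerTargets() |
        Where-Object { $_.LastReportedStatusTime -lt (Get-Date).AddDays(-$MaxAgeDays) } |
        Select-Object FullDomainName, IPAddress, LastReportedStatusTime
}
Get-CreteWsusStaleClients | Format-Table -AutoSize
```

The stale-client check closes the loop on the bandwidth argument: a machine that cannot reach WSUS does not quietly fall back to Microsoft Update while UseWUServer is set, it simply stops patching, so the list above is also the list of unpatched hosts.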
New servers without an operating system may easily be deployed within Crete's network
by using the Windows Deployment Services (WDS) server role. With the use of boot and install
images, WDS is contacted whenever a new server boots from the network (TestOut,
"Windows Development," 2017). The new server contacts WDS for the needed OS components
and downloads the operating system image it needs to run ("Windows Development," 2017).
Because any machine that can PXE-boot on the network can request an image, WDS should be
set to answer only known (pre-staged) clients, or at least to require administrator approval
before responding to unknown ones.
Conclusion
The options delineated in this proposal aim to maintain or even increase Crete
LLC's competitive edge in manufacturing and distributing solar panels across the country by
increasing its network security and the availability of its services. These recommendations
take into consideration that Crete's operations have to provide reliable, safe, and efficient
service to a growing clientele, while allowing for the company's physical and network
expansion.
References
10 tips for choosing the perfect domain name. (2015). GoDaddy. Retrieved from
https://www.godaddy.com/garage/smallbusiness/launch/10-tips-for-choosing-the-perfect-
domain-name/
Advantages that a RODC can provide to an existing deployment. (2012). Microsoft: Tech Net:
us/library/cc770320(v=ws.10).aspx
Best Practices for AD DS Backup and Recovery. (2008). Microsoft: Tech Net: Windows Server.
Choose a Namespace Type. (2013). Microsoft: Developer Network. Retrieved from
https://msdn.microsoft.com/en-us/library/cc770287(v=ws.11).aspx
Configuring DNS Zones in Windows Server 2012. (n.d.). MC MCSE Certification Resources.
FSMO placement and optimization on Active Directory domain controllers. (2014). Microsoft.
optimization-on-active-directory-domain-controllers
Jacoberger, T. (n.d.). The Benefits of Group Policy. TCI Technologies. Retrieved from
http://blog.tcitechs.com/blog/benefits-group-policy/
Keeley, J. (2014). How to use remote access efficiently, safely & securely. Make Use Of.
https://technet.microsoft.com/en-us/library/dn636119(v=ws.11).aspx
Reviewing the domain models. (2012). Microsoft: Tech Net: Windows Server. Retrieved from
https://technet.microsoft.com/en-us/library/cc731718(v=ws.10).aspx
Scenario overviews for backing up and recovering AD DS. (2008). Microsoft: Tech Net:
us/library/cc732238(v=ws.10).aspx
Step-by-step guide to understanding the Group Policy feature set. (n.d.). Microsoft: MSDN
Test Out Server Pro: Management and Administration. (2017). Distributed File System (DFS):
Windows Software Update Services (WSUS): WSUS Facts. TestOut. Chapter 6.1.2.
What is an RODC? (2009). Microsoft: Tech Net: Windows Server. Retrieved from
https://technet.microsoft.com/en-us/library/cc755058(v=ws.10).aspx
What are domains and forests? (2014). Microsoft: Tech Net. Retrieved from
https://technet.microsoft.com/en-us/library/cc759073(v=ws.10).aspx
What's New in Group Policy in Windows Server? (2014). Microsoft: Tech Net: Windows Server.