
Windows Network Proposal for Crete LLC

Introduction

Crete LLC is a successful company that is rapidly expanding its production and distribution of solar panels in Los Angeles, Dallas, and Houston. With the promotion of clean energy around the country, however, other solar companies such as Solar City and Astrum Solar are likely to compete for Crete's clientele. It is imperative that Crete remain competitive, not only by offering a good product to its customers, but also by offering an efficient and safe way to deliver that product. One of the most important recommendations toward this goal is that Crete update its network technology so that it achieves and maintains the speed needed for marketing, handling client requests, and distributing its products. As Crete expands into other states, the updated system must also be versatile enough to accommodate this expected growth, which entails more clients, a greater influx of client requirements, and heavier use of the network by employees. This technology proposal takes all of those needs into account while planning for better technical security and improved remote access between the current Crete locations and those to come.

Active Directory

Domains

Active Directory Domain Services (AD DS) is essentially "a distributed database that stores and manages information about network resources, as well as application-specific data from directory-enabled applications" ("Domains," 2014). Active Directory organizes the system's components, such as "users, computers, and devices," in "logical containers" ("Domains," 2014). The forest is the top-level logical container; it holds one or more domains, and each domain is subdivided into organizational units (OUs) ("Domains," 2014). The forest is also the security boundary: every domain in a forest trusts every other domain, so whoever controls one domain, or the Enterprise Admins and Schema Admins groups of the root domain, can affect the whole forest.

For an organization that is expanding its services and locations, the recommendation is to implement a forest with a planned domain model, so that there is an organized picture of how the domains relate to one another and an optimal service can be assured. For this scenario, a regional domain model would work best. According to Microsoft, regional domain models are recommended where a large number of users will use the network from several geographical locations ("Reviewing," 2012). Crete plans to conduct its business mainly from three locations, Los Angeles, Dallas, and Houston, with the main staff in Dallas and Houston. Because these locations are dispersed across the country, the simplest single domain model is less well suited: every object in a single domain is replicated to every domain controller, and that replication traffic would cross the WAN links ("Reviewing," 2012). I therefore recommend partitioning the directory into regional domains aligned with the three locations, so that only the smaller forest-wide data (the schema, the configuration partition, and the global catalog's partial attribute set) has to replicate everywhere. One check belongs before committing to this design: replication traffic is controlled first by Active Directory sites and site links, which compress and schedule inter-site replication even within a single domain, and every additional domain brings its own domain controllers, operations master roles, and administrative boundary that must be run and secured. The regional model should be adopted only if the projected user and object counts make a single domain with three sites genuinely too heavy for the WAN.

Another important aspect of this plan is to register a unique domain name that is not used by any other company or entity. "Choosing a domain name is similar to choosing a company name," because it will represent the company's "identity on the web" ("10 Tips," 2015). Experts suggest a domain name that is short, so it is easy to remember and find, and that defines the brand to promote the company's product ("10 Tips," 2015). For Crete, a registered name such as cretesolar.com would be a sufficient option; www.cretesolar.com is the host name of its public web site, not the domain itself. It is memorable, brandable, and independent of its competitors' names. The Active Directory forest root should then be named with a subdomain of that registered name, for example corp.cretesolar.com, rather than with an unregistered or single-label name, so that the internal DNS namespace can never collide with a name someone else owns on the Internet.

Following the regional domain model, a forest root domain must be created along with one or more regional domains. The root domain does not hold or replicate the regional domains' object data; its job is to anchor the forest. It holds the schema and configuration partitions that every domain controller replicates, the two forest-wide operations master roles (Schema Master and Domain Naming Master), and the Enterprise Admins and Schema Admins groups. For that reason it should stay small and tightly controlled, with very few user accounts in it. At Crete, the Los Angeles, Dallas, and Houston locations are interconnected over a WAN. In this setting, a regional domain should be placed at each location, each location should be defined as an Active Directory site with its own subnets, and the forest root domain's controllers should be placed at Dallas or Houston, where the main staff is located. Together these measures reduce replication traffic and stabilize the environment while still distributing the resources that the enterprise's users need ("Reviewing," 2012).
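The site topology that actually throttles WAN replication, whether Crete ends up with one domain or four, is defined with the ActiveDirectory module. The following is an added example, not part of the original proposal; the site names, subnets, link costs, replication intervals and the domain controller name DC-LA01 are assumptions chosen for illustration.

```powershell
# Added example: define AD sites, subnets and site links for Crete's three locations so that
# inter-site replication is compressed and scheduled over the WAN. Names, subnets, costs and
# intervals are assumptions; adjust to the real address plan.
Import-Module ActiveDirectory

$cfg = (Get-ADRootDSE).configurationNamingContext

# The first site always exists as Default-First-Site-Name: rename it to the hub rather than
# creating a second site and leaving DCs behind in the default one.
Rename-ADObject -Identity "CN=Default-First-Site-Name,CN=Sites,$cfg" -NewName 'Dallas' -ErrorAction SilentlyContinue

$sites = @{
    'Dallas'     = '10.10.0.0/16'   # hub: forest root DCs + Dallas regional DCs
    'Houston'    = '10.20.0.0/16'   # second main office
    'LosAngeles' = '10.30.0.0/16'   # satellite office (RODC)
}

foreach ($site in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($sites[$site])'")) {
        # A DC or client is mapped to a site by the subnet it sits in; without subnets every
        # machine lands in the default site and replicates as if it were local.
        New-ADReplicationSubnet -Name $sites[$site] -Site $site
    }
}

# Hub-and-spoke links from Dallas. Lower cost = preferred path; the interval is how often the
# bridgehead DCs exchange changes, so the satellite link replicates less often than the hub pair.
New-ADReplicationSiteLink -Name 'Dallas-Houston' -SitesIncluded Dallas, Houston `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'Dallas-LosAngeles' -SitesIncluded Dallas, LosAngeles `
    -Cost 200 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP

# A DC promoted before its subnet existed must be moved into the right site by hand.
Move-ADDirectoryServer -Identity 'DC-LA01' -Site 'LosAngeles'

# Verify: every DC should now sit in the site matching its address, and only the LA box is read-only.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address, Domain, IsReadOnly, IsGlobalCatalog |
    Format-Table -AutoSize
```

The subnet-to-site mapping is also what makes clients authenticate against the nearest domain controller, so a missing subnet shows up as Los Angeles logons crossing the WAN to Dallas long before it shows up as a replication problem.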

RODC

I recommend that Crete deploy a read-only domain controller (RODC) at its satellite office. RODCs are designed for branch offices, which typically have few users, weak physical security, slow WAN links, and limited IT resources (see Fig. 1) ("RODC," 2009). According to Microsoft, an RODC provides several security advantages ("Advantages," 2012):

Figure 1. Illustration of how an RODC is used in a branch office deployment. ("RODC," 2009).

 Unidirectional replication: changes are never replicated from the RODC back to the writable domain controllers, so a compromised RODC cannot push malicious updates into the rest of the forest.
 A separate krbtgt account for each RODC, which "helps to restrict malicious updates from affecting the rest of the forest": tickets signed with a stolen RODC's key are not trusted by the other domain controllers.
 A password replication policy (PRP) that controls which accounts' credentials may be "cached on the RODC"; by default no user passwords are cached, and privileged groups such as Domain Admins are always denied.
 The RODC filtered attribute set (FAS), which prevents sensitive attributes (for example, secrets that applications store in the directory) from replicating to the RODC at all.

Implementing an RODC at the Los Angeles satellite office therefore limits what an attacker with physical access to that office's server can learn or change, while the two main locations in Dallas and Houston keep the writable domain controllers and the server and application administration. Two caveats apply. The RODC still needs BitLocker or an equivalent disk-encryption control, because the credentials it is allowed to cache are worth stealing. And if the RODC is lost, every account on its "revealed" list must have its password reset and the RODC's computer account must be deleted from the domain, which also retires its krbtgt account.
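How the PRP is actually set and audited is where the security benefit is won or lost, so the following added example (not from the original proposal) promotes the Los Angeles RODC and then scopes its cached credentials to that office. The domain corp.cretesolar.com, the host names LA-RODC01 and DAL-DC01, and the groups LA-Users, LA-Workstations and LA-RODC-Admins are assumptions; the promotion step reboots the server, so the remaining steps run afterwards from an administrator's workstation.

```powershell
# Added example: RODC promotion and Password Replication Policy for the Los Angeles office.
# Domain, server and group names are assumptions.
Import-Module ActiveDirectory, ADDSDeployment

$domain   = 'corp.cretesolar.com'
$rodc     = 'LA-RODC01'
$hubDc    = 'DAL-DC01'
$laUsers  = 'LA-Users'          # security group: Los Angeles staff
$laComps  = 'LA-Workstations'   # security group: Los Angeles computers
$laAdmins = 'LA-RODC-Admins'    # delegated local admins of the RODC host only

# 1) On the LA server: promote it as a read-only replica in the LosAngeles site. The delegated
#    administrator group can patch and reboot the box without being Domain Admins. Reboots.
Install-ADDSDomainController -DomainName $domain -ReadOnlyReplica -SiteName 'LosAngeles' `
    -InstallDns -DelegatedAdministratorAccountName "CORP\$laAdmins" `
    -Credential (Get-Credential 'CORP\DomainAdmin') `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) -Force

# 2) From an admin workstation: PRP. Only LA principals may be cached. Denied always wins over
#    Allowed, and the built-in Denied list already covers Domain Admins and similar groups;
#    listing them again makes the intent explicit in the policy export.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $laUsers, $laComps
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# 3) Pre-populate LA users' credentials so the first WAN outage does not lock the office out.
Get-ADGroupMember -Identity $laUsers | ForEach-Object {
    Sync-ADObject -Object $_.DistinguishedName -Source $hubDc -Destination $rodc -PasswordOnly
}

# 4) Review what is really cached. If the RODC is ever stolen, this list is exactly the set of
#    accounts whose passwords must be reset.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass | Sort-Object ObjectClass, Name
```

The revealed-accounts report should be reviewed periodically: an entry for an account outside the LA groups means the Allowed list, or a nested group membership, is broader than intended.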

FSMO Roles placement

Placement of the Flexible Single Master Operations (FSMO) roles is another area that must be considered for this project. Active Directory is multi-master for ordinary updates, but a few operations are performed "on a single domain controller" (FSMO, 2014). Microsoft defines these roles to "define a well-known target for critical operations and to prevent the introduction of conflicts or latency that could be created by multi-master updates" (FSMO, 2014). When Active Directory is installed, five FSMO roles are created: two forest-wide roles that exist once per forest and three domain-wide roles that exist once in every domain.

The forest-wide roles are the Schema Master, which allows manual or programmatic schema updates such as the "updates that are added by Windows ADPREP /FORESTPREP, by Microsoft Exchange, and by other applications that use Active Directory Domain Services (AD DS)," and the Domain Naming Master, which adds or removes "domains and applications to and from the forest" (FSMO, 2014). Both must be held by a domain controller in the forest root domain, and for Crete they should be placed together on a root domain controller at the Dallas or Houston hub.

The domain-wide roles are the PDC Emulator, the RID Master, and the Infrastructure Master. The PDC Emulator is the default target for Group Policy edits, receives urgent password changes, and is the authoritative time source for its domain; the forest root's PDC Emulator should itself be synchronized to an external time source, because Kerberos rejects tickets when clocks drift by more than five minutes. The RID Master allocates "RID pools to replica" domain controllers, and the Infrastructure Master "updates cross-domain references and phantoms from the global catalog" (FSMO, 2014). Each of Crete's regional domains, and the root domain, has its own set of these three roles. The PDC Emulator and RID Master should share the best-connected writable domain controller in each domain. The Infrastructure Master must not run on a global catalog server unless every domain controller in that domain is a global catalog, otherwise cross-domain references stop being updated. No role can be held by the Los Angeles RODC. Please note that for the applicable FSMO operation to succeed, "the owner must be online, discoverable, and available on the network" (FSMO, 2014); if a role holder is lost permanently, the role is seized onto another domain controller and the old holder must never be returned to the network.
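The placement rules above can be checked rather than trusted. The following added example (not from the original proposal) lists the current role holders, tests the three rules the text relies on, and transfers the forest-wide roles; the hub domain controller name DAL-DC01 is an assumption.

```powershell
# Added example: report FSMO role holders, validate placement, transfer the forest-wide roles.
# DAL-DC01 is an assumed host name.
Import-Module ActiveDirectory

$forest = Get-ADForest
$forest | Select-Object RootDomain, SchemaMaster, DomainNamingMaster
foreach ($d in $forest.Domains) {
    Get-ADDomain -Identity $d | Select-Object DNSRoot, PDCEmulator, RIDMaster, InfrastructureMaster
}

# Rule 1: the two forest-wide roles must be held by a DC in the forest root domain.
foreach ($holder in @($forest.SchemaMaster, $forest.DomainNamingMaster)) {
    $dc = Get-ADDomainController -Identity $holder
    if ($dc.Domain -ne $forest.RootDomain) {
        Write-Warning "$holder holds a forest-wide role but is in $($dc.Domain), not the root domain"
    }
}

# Rule 2: an RODC can never hold a role; check anyway after restores, seizures or metadata cleanup.
Get-ADDomainController -Filter * | Where-Object IsReadOnly | ForEach-Object {
    if ($_.OperationMasterRoles) {
        Write-Warning "$($_.Name) is read-only yet reports roles: $($_.OperationMasterRoles -join ', ')"
    }
}

# Rule 3: in a multi-domain forest the Infrastructure Master must not be a Global Catalog unless
# every DC in its domain is one; otherwise cross-domain references are never refreshed.
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    $im  = Get-ADDomainController -Identity $dom.InfrastructureMaster
    $nonGc = Get-ADDomainController -Filter * -Server $d | Where-Object { -not $_.IsGlobalCatalog }
    if ($im.IsGlobalCatalog -and $nonGc) {
        Write-Warning "$($im.Name) is Infrastructure Master and GC in $d while $($nonGc.Count) DC(s) are not GCs"
    }
}

# Graceful transfer of the forest-wide roles to the root-domain hub DC. Add -Force only to seize
# from a holder that is gone for good, and then never bring that holder back online.
Move-ADDirectoryServerOperationMasterRole -Identity 'DAL-DC01' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false
```

Run the report part after every domain controller promotion, demotion or restore; a role that has quietly ended up on the wrong server is invisible until a schema update, a new domain or a RID pool exhaustion fails.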

Plan for AD backup and recovery

In the case of a natural disaster, such as a tsunami or tornado, or of other events such as power outages, hacker attacks, or riot damage, a plan for AD backup and recovery is essential. Crete should back up every object in its Active Directory, especially since its data will be spread across three locations around the country. For this scenario, a system state backup should be made on domain controllers in each regional domain using the wbadmin start systemstatebackup command. Backups should be kept on a dedicated internal or external hard drive ("Best," 2008). I also recommend periodic backups using Windows Server Backup. Scheduled backups should run late in the day, when traffic is low and the level of operations is not high ("Best," 2008); according to the cited guidance the default backup time is 5:00 PM, which should be changed. Back up at least two domain controllers in each domain (writable ones, not the RODC) on a daily basis; this is what provides fault tolerance ("Best," 2008). The Task Scheduler can be used to run Wbadmin.exe at the chosen time ("Scenario," 2008). Because a system state backup contains the entire NTDS.dit credential database, the backup media must be protected like a domain controller: encrypted, access-restricted, and with at least one copy kept offline and off-site, so that an attacker who reaches the domain controllers cannot also destroy the backups. The Directory Services Restore Mode (DSRM) password of each domain controller must be recorded somewhere that survives the same disaster.

In cases where data is lost or corrupted, a plan for Active Directory recovery must be in place so that the loss does not significantly affect the business. The recommendations for Crete are as follows:

 In general, use the wbadmin start systemstaterecovery command to recover lost data ("Scenario," 2008).

 When AD objects are lost or corrupted, either a nonauthoritative or an authoritative restore must be performed ("Scenario," 2008).

 When a domain controller simply needs to return to the state of its latest backup, a nonauthoritative restore will suffice. The affected domain controller is first rebooted into Directory Services Restore Mode (DSRM), and then wbadmin start systemstaterecovery is run; after the reboot, normal replication brings the domain controller up to date from its partners ("Scenario," 2008).

 To recover specific objects or containers that have been deleted from AD, an authoritative restore is required. The domain controller is booted into DSRM, the most recent backup taken before the deletion is restored, and Ntdsutil.exe is used to mark the desired objects, containers, or partitions as authoritative. After the domain controller is restarted in normal mode, the restored objects replicate to the other domain controllers with a higher version number and are thereby reinstated ("Scenario," 2008). The backup used must be younger than the forest's tombstone lifetime, or the restored objects are treated as lingering and rejected.
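The whole procedure, from scheduling the nightly backup to the authoritative restore of one OU, is below as an added example that is not part of the original proposal. The backup drive E:, the 23:00 schedule, the OU OU=Sales,DC=corp,DC=cretesolar,DC=com and the task name are assumptions; the restore commands are shown as comments because they are run one at a time, in DSRM, on a single domain controller.

```powershell
# Added example: nightly system state backup on a writable DC, tombstone-lifetime check, and the
# authoritative restore sequence. Drive letter, schedule, OU and task name are assumptions.
Import-Module ActiveDirectory

$target = 'E:'   # dedicated backup disk, as the cited guidance recommends; never the system volume

# 1) Nightly system state backup via Task Scheduler, running as SYSTEM at 23:00 local time.
schtasks /Create /SC DAILY /ST 23:00 /RU SYSTEM /TN 'AD-SystemState-Backup' `
    /TR "wbadmin start systemstatebackup -backupTarget:$target -quiet" /F

# 2) Take one immediately so the schedule is never the only copy.
wbadmin start systemstatebackup -backupTarget:$target -quiet

# 3) A backup older than the tombstone lifetime cannot be restored into the forest: objects
#    deleted since then would come back as lingering objects and be rejected by replication.
$cfg = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
$tsl = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }   # unset = legacy 60-day default

$newest = wbadmin get versions -backupTarget:$target |
    Select-String 'Backup time:' |
    ForEach-Object { [datetime](($_.Line -split 'Backup time:')[1].Trim()) } |
    Sort-Object | Select-Object -Last 1
if (-not $newest) {
    Write-Warning "No backups found on $target"
} elseif (((Get-Date) - $newest) -gt [timespan]::FromDays($tsl)) {
    Write-Warning "Newest backup ($newest) is older than the tombstone lifetime ($tsl days): unusable for restore"
}

# 4) Authoritative restore of one deleted OU. Run on ONE domain controller only:
#    a) reboot into DSRM, b) restore the system state, c) mark the subtree authoritative,
#    d) reboot normally. The restored objects then win replication with their raised version numbers.
#
#    bcdedit /set safeboot dsrepair ; Restart-Computer
#    wbadmin get versions -backupTarget:E:
#    wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM from the list above> -quiet
#    ntdsutil "activate instance ntds" "authoritative restore" `
#        "restore subtree OU=Sales,DC=corp,DC=cretesolar,DC=com" quit quit
#    bcdedit /deletevalue safeboot ; Restart-Computer
```

Step 3 is the check practitioners most often skip: a backup job that has silently failed for months still looks like a backup plan on paper, and the warning here is what turns that into a ticket before a restore is needed.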

Group Policy

When considering domain maintenance, one of the greatest advantages Windows Server 2012 provides is Group Policy. "Group Policy is a system within Active Directory that gives the network administrators the ability to define user, security, and organization-wide policies throughout the network" (Jacoberger, n.d.). In practice, Group Policy specifies which users and computers may do what within the company's systems, "including registry-based policy settings, security settings, software installation, scripts (computer startup and shutdown, and log on and log off), and folder redirection" ("Step," n.d.). The benefits of implementing Group Policy include "ease of management, security, cost and time, and roaming profiles" (Jacoberger, n.d.).

It is highly recommended that Crete establish Group Policy practices for its personnel. "The policy information is stored in Group Policy objects (GPOs), which are linked to selected Active Directory containers: sites, domains, and organizational units (OUs)" ("Step," n.d.). The Group Policy hierarchy therefore has to follow the company's Active Directory structure. GPOs are processed in the order local, site, domain, OU, so a setting linked to an OU overrides the same setting linked higher up unless the higher link is enforced. Fig. 2 provides a general scheme that could be applied to Crete:

Figure 2. Modified "Group Policy and the Active Directory." This figure shows the hierarchical scheme that could be applied to Crete, LLC. ("Step," n.d.).

Group Policy offers numerous options for managing and controlling users; some specific features I recommend for Crete are:

 Remote Group Policy update: As changes are made to Group Policy settings, all domains and computers must pick them up. Crete's IT staff can trigger a refresh on every computer in an organizational unit (OU) from the Group Policy Management Console, which schedules a gpupdate task on each targeted computer instead of waiting for the background refresh interval ("What's New," 2014).

 Group Policy Results: A Group Policy Results report may be produced by the main IT administrative staff to verify whether all Group Policy settings have been applied to the intended clients ("What's New," 2014). This gives Crete's administrators assurance that the configuration is actually in effect, and the report also shows which GPOs were denied or filtered and why.

 Fast Startup: For standard client users, startup times can be improved. Windows 8 Fast Startup hibernates the kernel session instead of performing a full shutdown, so shutdown and startup become significantly faster, which matters for overall user satisfaction. The caveat is that a Fast Startup boot is not a real restart: computer startup scripts and settings that apply only at boot do not take effect until the machine is actually restarted (or gpupdate /force is run), so administrators should test computer-side policy changes with a restart rather than a shutdown.

 Group Policy Preferences for Internet Explorer 10: In line with the Crete administration's goals, Internet Explorer 10 can be configured to disallow specific sites that should not be used at work, such as YouTube videos or Facebook. Note that Preferences are applied but not enforced, so a user with local administrator rights can change them; a web proxy or content filter remains the reliable control, with Preferences used to push the proxy and security zone settings.
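The first two items are the ones that close the loop between "we changed a GPO" and "the machines got it". The following added example, which is not from the original proposal, pushes a refresh to every computer in one OU and then reads each machine's Resultant Set of Policy to confirm a baseline GPO is among those applied; the OU path, the GPO name Crete-Workstation-Baseline, the report folder and the RSoP XML element path are assumptions.

```powershell
# Added example: remote Group Policy refresh for an OU, then RSoP verification per computer.
# OU, GPO name, report path and the RSoP XML layout used here are assumptions.
Import-Module GroupPolicy, ActiveDirectory

$ou      = 'OU=Workstations,OU=Dallas,DC=corp,DC=cretesolar,DC=com'
$gpoName = 'Crete-Workstation-Baseline'
$report  = 'C:\Reports\rsop'
New-Item -ItemType Directory -Path $report -Force | Out-Null

$computers = Get-ADComputer -SearchBase $ou -Filter 'Enabled -eq $true'

# 1) Remote refresh. Invoke-GPUpdate creates a one-off scheduled task on each client (Server
#    2012 GPMC feature); it needs the same WMI/Task Scheduler firewall rules GPMC opens.
foreach ($c in $computers) {
    try {
        Invoke-GPUpdate -Computer $c.DNSHostName -Force -RandomDelayInMinutes 0 -ErrorAction Stop
    } catch {
        Write-Warning "$($c.Name): refresh not triggered ($($_.Exception.Message))"
    }
}

# 2) Verify. Pull each computer's RSoP as XML and list the GPOs recorded in ComputerResults.
$ns = @{ r = 'http://www.microsoft.com/GroupPolicy/Rsop' }
$results = foreach ($c in $computers) {
    $xmlPath = Join-Path $report "$($c.Name).xml"
    try {
        Get-GPResultantSetOfPolicy -Computer $c.DNSHostName -ReportType Xml -Path $xmlPath -ErrorAction Stop | Out-Null
        [xml]$doc = Get-Content -Path $xmlPath
        $applied = Select-Xml -Xml $doc -Namespace $ns -XPath '//r:ComputerResults/r:GPO/r:Name' |
            ForEach-Object { $_.Node.InnerText }
        [pscustomobject]@{
            Computer        = $c.Name
            BaselineApplied = ($applied -contains $gpoName)
            GPOs            = ($applied -join '; ')
        }
    } catch {
        [pscustomobject]@{ Computer = $c.Name; BaselineApplied = $false; GPOs = "unreachable: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize
# Machines missing the baseline are the ones to chase: offline, in the wrong OU, or filtered out.
$results | Where-Object { -not $_.BaselineApplied } |
    Export-Csv -Path (Join-Path $report 'missing-baseline.csv') -NoTypeInformation
```

The exported list is the useful artefact: a machine that never reports the baseline GPO is either not in the OU the administrator thinks it is, is blocked by a security or WMI filter, or is unreachable, and each of those is a different fix.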

Domain Name System (DNS)

Two different namespaces must be considered for Crete's network operations. The first is the Distributed File System (DFS) namespace, which logically organizes shared folders located on multiple servers into a single logical folder, the namespace, so that users across the domain reach shared files through one path (TestOut, "Distributed," 2017). For Crete, I recommend a domain-based namespace. A stand-alone namespace is not appropriate for a company that will be using Active Directory Domain Services, and a domain-based namespace can be hosted on multiple namespace servers, which keeps the namespace available if one server fails ("Choose," 2017). The second is the DNS namespace itself: Crete's internal zone (for example corp.cretesolar.com) should be hosted on its domain controllers as Active Directory-integrated zones, which is what the zone design below assumes.

Because more than one DNS server will be deployed for Crete, the DNS zones must be designed so that zone transfers and replication keep every server consistent. A combination of primary, secondary, and stub zones would benefit Crete's business. The primary zones deployed within Crete's network are responsible for answering name resolution requests for the DNS namespace; when they are Active Directory-integrated, every domain controller running DNS holds a writable copy and the zone data replicates with the directory rather than through zone transfers. Secondary zones take over "excessive traffic" or serve when the "primary server fails" ("Configuring," n.d.); they remain the right choice for DNS servers that are not domain controllers, such as one in a perimeter network. Stub zones contain only the SOA, NS, and glue address records of another zone, so they are useful wherever a reduction in zone-transfer and replication traffic is needed while Crete's servers still learn which name servers are authoritative for that zone ("Configuring," n.d.). Two settings matter for security in any of these zones: allow zone transfers only to the specific secondary servers, never to any requester, because a full transfer hands out the complete internal host list; and allow only secure dynamic updates, so that a client can overwrite only the records it registered itself.
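The three zone types and the two security settings, configured with the DnsServer module, as an added example that is not part of the original proposal. The zone names, the secondary host DMZ-DNS01, the partner zone partner.example and all IP addresses are assumptions.

```powershell
# Added example: AD-integrated primary zone with secure updates and restricted transfers, a
# secondary zone on a non-DC host, a stub zone for a partner, and a transfer-policy audit.
# Zone names, host names and addresses are assumptions.
Import-Module DnsServer

$zone      = 'corp.cretesolar.com'
$secondary = '10.30.0.53'               # non-DC DNS server in a perimeter network
$dcDns     = '10.10.0.53', '10.20.0.53' # Dallas and Houston domain controllers

# 1) Primary zone stored in AD and replicated to every DNS server in the forest. Secure dynamic
#    updates only: a client may overwrite just the records it created itself.
Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Forest -DynamicUpdate Secure

# 2) Zone transfers only to the listed secondary, and notify it when the zone changes.
#    'TransferAnyServer' would answer an AXFR from any client with the whole internal host list.
Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $secondary -Notify NotifyServers -NotifyServers $secondary

# 3) Secondary copy on the perimeter DNS host, pulled from two DCs for resilience.
Add-DnsServerSecondaryZone -Name $zone -ZoneFile "$zone.dns" -MasterServers $dcDns -ComputerName 'DMZ-DNS01'

# 4) Stub zone: only SOA/NS/glue of the partner zone are held, so Crete's servers know the
#    authoritative servers for it without replicating the partner's records.
Add-DnsServerStubZone -Name 'partner.example' -MasterServers 203.0.113.53 -ReplicationScope Forest

# 5) Audit: any authoritative zone that still allows transfers to anyone, or non-secure updates.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate, SecureSecondaries |
    Where-Object { $_.SecureSecondaries -eq 'TransferAnyServer' -or $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
    Format-Table -AutoSize
```

Step 5 prints nothing on a correctly configured server; any row it does print is a zone whose contents can be enumerated or rewritten by any host on the network.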

File Services

The File Server Resource Manager (FSRM) should also be configured. This suite of tools gives Crete's IT administrators the ability to control the kind and quantity of data stored on Crete's servers. Using FSRM, hard quotas can be created to limit the amount of data a particular folder may hold (TestOut, "File," 2017), which keeps storage management in check. Soft quotas can also be created to record how much disk space certain folders use without blocking writes (TestOut, "File," 2017). With a combination of hard and soft quotas, storage can be managed easily; FSRM file screens add the "kind of data" control by blocking, for example, executable files from being saved to user shares.

To provide file sharing throughout Crete, I recommend the Distributed File System (DFS) (see also the discussion of the DFS namespace under DNS above). With a domain-based namespace, the shares can be served by multiple namespace servers, which increases availability (TestOut, "Distributed," 2017). DFS itself does not provide confidentiality: access to the underlying folders is still governed by NTFS and share permissions, and access-based enumeration on the namespace only hides folders that a user cannot open.
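FSRM quotas and screens together with the domain-based DFS namespace, as an added example that is not part of the original proposal. The share paths, the file servers DAL-FS01 and HOU-FS01, the namespace \\corp.cretesolar.com\Shares and the quota sizes are assumptions.

```powershell
# Added example: hard and soft FSRM quotas, a file screen, and a domain-based DFS namespace with
# access-based enumeration. Paths, server names and sizes are assumptions.
Import-Module FileServerResourceManager, DFSN

$sales   = 'D:\Shares\Sales'
$archive = 'D:\Shares\Archive'

# Warn the admin and the folder owner at 85 %. FSRM substitutes the [..] macros at send time;
# the SMTP server is set once with Set-FsrmSetting -SmtpServer.
$warn = New-FsrmQuotaThreshold -Percentage 85 -Action (
    New-FsrmAction -Type Email -MailTo '[Admin Email];[Source File Owner Email]' `
        -Subject 'Quota warning on [Quota Path]' `
        -Body '[Quota Path] is at [Quota Used Percent]% of its [Quota Limit] limit.')

# 1) Hard quota: writes to Sales fail once 50 GB is reached.
New-FsrmQuota -Path $sales -Size 50GB -Threshold $warn -Description 'Sales hard limit'

# 2) Soft quota on Archive: tracks and alerts, never blocks.
New-FsrmQuota -Path $archive -Size 200GB -SoftLimit -Threshold $warn -Description 'Archive usage tracking'

# 3) File screen: the built-in "Executable Files" group is blocked on the Sales share. An active
#    screen rejects the write; a passive one (no -Active) would only log it.
New-FsrmFileScreen -Path $sales -IncludeGroup 'Executable Files' -Active -Description 'No executables on Sales'

# 4) Domain-based (Windows Server 2008 mode) namespace with two root targets so the namespace
#    survives one server. ABE hides folders the user cannot open; NTFS and share ACLs on the
#    targets still do the real enforcement.
New-DfsnRoot -Path '\\corp.cretesolar.com\Shares' -TargetPath '\\DAL-FS01\Shares' -Type DomainV2 `
    -EnableAccessBasedEnumeration $true
New-DfsnRootTarget -Path '\\corp.cretesolar.com\Shares' -TargetPath '\\HOU-FS01\Shares'
New-DfsnFolder -Path '\\corp.cretesolar.com\Shares\Sales' -TargetPath '\\DAL-FS01\Sales'

# 5) Review quota usage across the server.
Get-FsrmQuota | Select-Object Path, @{n='SizeGB';e={[math]::Round($_.Size/1GB,1)}}, SoftLimit,
    @{n='UsedGB';e={[math]::Round($_.Usage/1GB,1)}}, @{n='PeakGB';e={[math]::Round($_.PeakUsage/1GB,1)}} |
    Format-Table -AutoSize
```

The file screen is the piece worth keeping even if quotas are never enforced: a share that accepts .exe and .ps1 files from any user is a convenient staging point for whatever lands on one workstation.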

Remote Services

The Remote Access role provides "centralized administration, configuration, and monitoring of both DirectAccess and VPN-based remote access services with the Routing and Remote Access Service (RRAS)" ("Remote," 2012). For Crete, I recommend DirectAccess as the best and most secure remote access for users. DirectAccess allows authorized remote users "to securely access shared resources, Web sites, and applications [within Crete's] network on an internal network without connecting to a virtual private network (VPN)" ("Remote," 2014). The service is implemented from the Remote Access server role and can be "deployed on the same Edge server and managed by using Windows PowerShell commands and the Remote Access Microsoft Management Console (MMC)" ("Remote," 2014). DirectAccess requires domain-joined client computers running an Enterprise edition of Windows and authenticates the computer, with a certificate or Kerberos, before the user ever logs on; access is granted to computers through a security group, and the connection is always on whenever the machine is away from the corporate network. Because a stolen laptop is therefore on the corporate network until its computer account is disabled, full-disk encryption on those laptops and a procedure for removing them from the DirectAccess group are part of the design.

Within any organization, remote access should be used with caution because it may interfere with users' daily operations (Keeley, 2014). Since remote access can otherwise end up available to any domain user, it is highly recommended that only appropriate users be granted remote access, on a case-by-case basis. For VPN connections this is enforced with Network Policy Server network policies keyed to security groups rather than by enabling dial-in on individual accounts; for DirectAccess, by membership of the client computer group. A written security policy at Crete should delineate in detail which groups of users are trusted with this privilege and in what situations (Keeley, 2014). Those groups should be restricted mainly to IT and server administrators; regular employees and anonymous everyday users should not have those permissions.
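Scoping DirectAccess to an explicit computer group and auditing who is connected, as an added example that is not part of the original proposal. The group DirectAccess-Laptops and the domain prefix CORP are assumptions; the commands run on the Remote Access server.

```powershell
# Added example: restrict DirectAccess to a dedicated computer group, keep it for mobile
# machines only, force all traffic through the corporate network, and audit sessions.
# Group and domain names are assumptions.
Import-Module RemoteAccess, ActiveDirectory

$daGroup = 'DirectAccess-Laptops'   # a COMPUTER group: DirectAccess authenticates the machine first

# 1) What the role is doing right now.
Get-RemoteAccess | Select-Object ComputerName, DAStatus, VpnStatus

# 2) Add the dedicated group first, then drop any broader scope (e.g. Domain Computers) that a
#    quick wizard run may have left behind, so the client GPO never applies to every machine.
Add-DAClient -SecurityGroupNameList "CORP\$daGroup"
$broad = (Get-DAClient).SecurityGroupNameList | Where-Object { $_ -notlike "*\$daGroup" }
if ($broad) { Remove-DAClient -SecurityGroupNameList $broad }

# 3) Only mobile computers receive the client settings (WMI filter on laptops), and a connected
#    client's Internet traffic also goes through Crete's network instead of split-tunnelling.
Set-DAClient -OnlyRemoteComputers Enabled -ForceTunnel Enabled

# 4) Audit: who is connected, from where, for how long; and review that every group member is a laptop.
Get-RemoteAccessConnectionStatistics |
    Select-Object UserName, ClientIPAddress, ConnectionType, ConnectionDuration |
    Format-Table -AutoSize
Get-ADGroupMember -Identity $daGroup | Select-Object Name, ObjectClass
```

The membership review in step 4 is the "case-by-case" control the text asks for: removing a computer from the group, or disabling its account, is what actually cuts a lost laptop off.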

Windows Server Update Services (WSUS)

Within Crete's network, all servers and clients should be up to date with the latest Microsoft updates and patches. By default, clients contact the Microsoft Update web site for updates through Automatic Updates; with many clients, this can severely affect network bandwidth and speed. The solution is a Windows Server Update Services (WSUS) server. Because WSUS servers are built to communicate with the Microsoft Update web site, they make a much better, local referral point for the latest updates and patches (TestOut, "Windows Software," 2017). Any client or server configured through Group Policy to use the WSUS server then obtains the patches that Crete's administrators have approved from its list of Microsoft updates (TestOut, "Windows Software," 2017). WSUS should itself be configured with SSL, because clients trust the update metadata it serves; Microsoft's deployment guidance is to use HTTPS so that a device on the path between a client and the WSUS server cannot alter that metadata.
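Pointing the clients at WSUS is a registry-based Group Policy setting, and approving updates is done on the server; both sides are below as an added example that is not part of the original proposal. The server name wsus.corp.cretesolar.com, the GPO name Crete-WSUS-Clients and the target group Pilot are assumptions; 8531 is the WSUS SSL port.

```powershell
# Added example: client-side WSUS policy via GPO, server-side sync and approval, and a report of
# machines that have stopped checking in. Names and target groups are assumptions.
Import-Module GroupPolicy, UpdateServices

$wsusUrl = 'https://wsus.corp.cretesolar.com:8531'
$gpoName = 'Crete-WSUS-Clients'
$key     = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# 1) Client side: the registry values behind "Specify intranet Microsoft update service location"
#    and "Configure Automatic Updates" (option 4 = download and schedule the install).
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }
Set-GPRegistryValue -Name $gpoName -Key $key      -ValueName 'WUServer'       -Type String -Value $wsusUrl | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key      -ValueName 'WUStatusServer' -Type String -Value $wsusUrl | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$key\AU" -ValueName 'UseWUServer'    -Type DWord  -Value 1        | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$key\AU" -ValueName 'NoAutoUpdate'   -Type DWord  -Value 0        | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$key\AU" -ValueName 'AUOptions'      -Type DWord  -Value 4        | Out-Null
New-GPLink -Name $gpoName -Target 'DC=corp,DC=cretesolar,DC=com' -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 2) Server side: synchronise from Microsoft Update, then approve outstanding security updates
#    that at least one client still needs, to the pilot group first.
$server = Get-WsusServer -Name 'wsus.corp.cretesolar.com' -PortNumber 8531 -UseSsl
$server.GetSubscription().StartSynchronization()

$pending = Get-WsusUpdate -UpdateServer $server -Classification Security -Approval Unapproved -Status FailedOrNeeded
$pending | Approve-WsusUpdate -Action Install -TargetGroupName 'Pilot'
$pending | Select-Object -ExpandProperty Update |
    Select-Object Title, MsrcSeverity, ArrivalDate | Format-Table -AutoSize

# 3) Machines that have not reported for a week are not getting patches, whatever was approved.
Get-WsusComputer -UpdateServer $server -ToLastReportedStatusTime (Get-Date).AddDays(-7) |
    Select-Object FullDomainName, LastReportedStatusTime | Format-Table -AutoSize
```

Approving to a pilot group and promoting to the rest after a few days is what turns WSUS from a bandwidth saver into change control; step 3 catches the machines that would otherwise be reported as "patched" by omission.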
New servers without an operating system can be deployed within Crete's network using the Windows Deployment Services (WDS) server role. WDS holds boot and install images; when a new server boots from the network (PXE), it contacts WDS (TestOut, "Windows Deployment," 2017). The new server downloads the boot image and then the operating system image it needs to run (TestOut, "Windows Deployment," 2017). Because anything that can PXE boot on the LAN can request those images, WDS should be set to answer only known (pre-staged) computers, or to queue unknown computers for administrator approval, rather than responding to all clients.
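The WDS setup with that PXE restriction in place, as an added example that is not part of the original proposal. The RemoteInstall path, the media path, the image group, the computer name DAL-APP02 and its SMBIOS GUID are assumptions.

```powershell
# Added example: initialise WDS, answer only pre-staged computers, load images, pre-stage a server.
# Paths, names and the GUID are assumptions. wdsutil ships with the WDS role.

# Initialise the server with a RemoteInstall folder on a data volume, not the system drive.
wdsutil /Initialize-Server /RemInst:"D:\RemoteInstall"

# Respond only to computers that already have an AD computer object (pre-staged by GUID or MAC).
# The alternative for a lab is /AnswerClients:All with /AutoAddPolicy /Policy:AdminApproval, which
# parks unknown clients in a pending queue instead of serving them an image.
wdsutil /Set-Server /AnswerClients:Known

# Boot image from the installation media, then the install image into a named group.
wdsutil /Add-Image /ImageFile:"D:\Media\sources\boot.wim" /ImageType:Boot
wdsutil /Add-Image /ImageFile:"D:\Media\sources\install.wim" /ImageType:Install /ImageGroup:"Servers"

# Pre-stage the new server by its SMBIOS GUID so it counts as "known" when it PXE boots, and
# land its computer object in the right OU so the server GPOs apply on first logon.
wdsutil /Add-Device /Device:"DAL-APP02" /ID:"{11111111-2222-3333-4444-555555555555}" `
    /OU:"OU=Servers,DC=corp,DC=cretesolar,DC=com"

# Confirm the answer policy and image catalogue.
wdsutil /Get-Server /Show:Config
wdsutil /Get-AllImages
```

Pre-staging is a small amount of work per server, and it is what prevents a laptop plugged into a spare port from netbooting Crete's server image.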

Conclusion

The options delineated in this proposal aim to maintain or even increase Crete LLC's competitive edge in manufacturing and distributing solar panels across the country by increasing its network security and the availability of its services. These recommendations take into consideration that Crete's operations have to provide reliable, safe, and efficient service to a growing clientele, while allowing for the company's physical and network expansion.

References

10 tips for choosing the perfect domain name. (2015). GoDaddy. Retrieved from https://www.godaddy.com/garage/smallbusiness/launch/10-tips-for-choosing-the-perfect-domain-name/

Advantages that a RODC can provide to an existing deployment. (2012). Microsoft TechNet: Windows Server. Retrieved from https://technet.microsoft.com/en-us/library/cc770320(v=ws.10).aspx

Best practices for AD DS backup and recovery. (2008). Microsoft TechNet: Windows Server. Retrieved from https://technet.microsoft.com/en-us/library/cc753294(v=ws.10).aspx

Choose a namespace type. (2013). Microsoft Developer Network. Retrieved from https://msdn.microsoft.com/en-us/library/cc770287(v=ws.11).aspx

Configuring DNS zones in Windows Server 2012. (n.d.). MC MCSE Certification Resources. Retrieved from http://www.mcmcse.com/microsoft/guides/70-411/dns_zones.shtml

FSMO placement and optimization on Active Directory domain controllers. (2014). Microsoft. Retrieved from https://support.microsoft.com/en-us/help/223346/fsmo-placement-and-optimization-on-active-directory-domain-controllers

Jacoberger, T. (n.d.). The benefits of Group Policy. TCI Technologies. Retrieved from http://blog.tcitechs.com/blog/benefits-group-policy/

Keeley, J. (2014). How to use remote access efficiently, safely & securely. MakeUseOf. Retrieved from http://www.makeuseof.com/tag/can-remote-access-helpful-secure/

Remote Access overview. (2014). Microsoft TechNet. Retrieved from https://technet.microsoft.com/en-us/library/dn636119(v=ws.11).aspx

Reviewing the domain models. (2012). Microsoft TechNet: Windows Server. Retrieved from https://technet.microsoft.com/en-us/library/cc731718(v=ws.10).aspx

Scenario overviews for backing up and recovering AD DS. (2008). Microsoft TechNet: Windows Server. Retrieved from https://technet.microsoft.com/en-us/library/cc732238(v=ws.10).aspx

Step-by-step guide to understanding the Group Policy feature set. (n.d.). Microsoft MSDN Library. Retrieved from https://msdn.microsoft.com/en-us/library/bb742376.aspx

TestOut. (2017). Server Pro: Management and Administration. Distributed File System (DFS): DFS Facts, chapter 3.2.3; File Server Resource Manager: FSRM Facts, chapter 3.1.9; Windows Deployment Services (WDS): WDS Facts, chapter 6.2.3; Windows Software Update Services (WSUS): WSUS Facts, chapter 6.1.2.

What is an RODC? (2009). Microsoft TechNet: Windows Server. Retrieved from https://technet.microsoft.com/en-us/library/cc755058(v=ws.10).aspx

What are domains and forests? (2014). Microsoft TechNet. Retrieved from https://technet.microsoft.com/en-us/library/cc759073(v=ws.10).aspx

What's new in Group Policy in Windows Server? (2014). Microsoft TechNet: Windows Server. Retrieved from https://technet.microsoft.com/en-us/library/dn265973(v=ws.11).aspx
