Freigeben über


Windows 7 deployment: Getting your head around Active Directory

 

Thinking about deploying Window 7 but not sure what to consider regarding Active Directory? Let me share the main Active Directory elements that are essential for a Windows 7 deployment.

Active Directory is a requirement for any large image deployment. It’s primary use, a part from authenticating and authorizing accounts, is to store the Group Policies Objects that target Windows 7 users and computers in order to configure the numerous settings (3300+ with the default administrative templates – see Group Policy Settings Reference for Windows 7).

Active Directory is also a key infrastructure element for Configuration Manager 2007 (the recommended deployment solution when deploying Windows 7 at a large scale). For example Windows clients can query Active Directory to locate the Configuration Manager Management servers or their Configuration Manager site information (additional info here).

Active Directory is also used by Windows Deployment Services for various functions. The Pre-Boot Execution Environment (PXE) provider creates machine accounts and service control points (SCPs) in Active Directory. An SCP is a child object under a Windows Deployment Services server account object, and it is used to store configuration data for the server. For example, an SCP can mark the server as a Windows Deployment Services server so that other Windows Deployment Services servers can find it.

While there are no important Active Directory remediation actions required to deploy Windows 7, we strongly recommend the following:

- Create a dedicated Organizational Unit structure for Windows 7 laptops, Windows 7 desktops, and Windows 7 users. You will then be able to apply specific Group Policies Objects to them, as separating your previous users and machines ‘s accounts from Windows 7 accounts will mainly reduce the possible conflicts you could have by applying the same Group Policy Objects to them, and will make it easier for you to troubleshoot any possible issues.

- Create a central store folder within the System Volume folder of the Domain Controllers for the .admx Group Policy Objects administrative templates. This will help to optimize the size of your Sysvol folder and help you manage your Group Policy Objects centrally. Additional info here : How to create a Central Store for Group Policy Administrative Templates and Editing Domain-Based GPOs Using ADMX Files

For companies that want to enjoy advanced Windows 7 features, it is worth considering the following Active Directory infrastructure actions:

- Back-up recovery information for BitLocker-protected drives to Active Directory. Active Directory can provide a centralized location for storing BitLocker Drive Encryption recovery information so that your helpdesk department can easily assist users if they are forced into recovery. If your Active Directory is at the Windows Server 2008 or later functional level, no specific Active Directory action is needed. However, if your Active Directory is at a functional level of Windows Server 2003 or earlier, you will need to update the schema to support BitLocker. For additional info. See Backing Up BitLocker and TPM Recovery Information to AD DS

- Wireless network policies can be controlled with Group Policy Object settings. This is available by default when your domain controllers are running Windows Server 2008 R2 or Windows Server 2008. However, to support these enhancements for an Active Directory environment consisting of domain controllers running Windows Server 2003 or Windows Server 2003 R2, the Active Directory schema must be extended. See Active Directory Schema Extensions for Windows Wireless and Wired Group Policy Enhancements

Hope this helps,

Laurent Bouchery – Senior Infrastructure Consultant – Microsoft Ireland Services

laurent.bouchery@microsoft.com