

Active Directory Domain Deployment Checklist

During an AD DS greenfield installation, system engineers always need a checklist to keep track of what they should be doing to stand up a new domain. This checklist is a working checklist, created here for peer review and peer additions. It should try to take into account all the high-level items one needs to look for and do during an AD DS deployment. It is not meant to be a step-by-step guide but a high-level overview to keep track of what needs to be covered.

For a checklist on Active Directory Domain Discovery check out:
https://social.technet.microsoft.com/wiki/contents/articles/38512.active-directory-domain-discovery-checklist.aspx

  • Plan and Design (High-Level Information listed only)
    • Number of Forests
    • Number of Domains
    • Namespace
      • FQDN
      • NetBIOS name
    • DNS
    • FSMO Roles
    • Sites and Services
  • Stand up new domain
    • Assign Domain Name
    • Build DCs
      • DC Name
      • DC IP addressing
      • Install AD DS role
      • Configure AD DS role
      • Complete AD DS configuration
      • Restart DCs
    • Update DCs
    • FSMO placement
      • Move FSMO roles
        • Schema Master on PDCe of the forest root domain
        • Domain Naming Master on PDCe of the forest root domain
        • Place RID Master on PDCe in the same domain
        • Infrastructure Master on a non-global catalog
        • Or
        • Infrastructure Master on a global catalog when all DCs are GCs
    • Health Checks
      • Run diagnostics to ensure health
      • Check event logs
    • Time sync
      • Set PDCe to synchronize with a reliable internal or external time source
      • GPO with a WMI filter targeting the PDCe to configure time synchronization
      • or
      • Set time settings manually on PDCe
    • Backup system state
      • As built documentation draft
    • Configure security
      • DC Security
        • Configuration
          • BitLocker
          • Security Baseline
          • AppLocker
          • Windows Defender
          • Credential Guard
          • Windows Firewall
          • Block outbound internet
            • Black hole proxy (proxy set to 127.0.0.1, allow internally)
          • Redirect
            • Computers Container
            • Users Container
          • Set OU Permissions
            • Register Schema DLL
                • Remove two groups (in the schema)
                • Account Operators
                • Print Operators
          • Adjust Add Workstation to domain
            • Remove "Authenticated Users" from being able to add computers to domain
            • Create group to add workstations to domain
              • Drop Server Team group into "Add Workstations to Domain" group
              • Drop Desktop Team(s) group into "Add Workstations to Domain" group
              • Create and drop service accounts into "Add Workstations to Domain" group
      • Administrative workstations (PAWs)
        • Configuration
          • BitLocker
          • Security Baseline
          • AppLocker
          • Windows Defender
          • Credential Guard
          • Windows Firewall
      • Install LAPS
      • Install ATA
      • Enable DS auditing
      • Set appropriate SACLs
      • Develop and implement a least-privileged access delegation model
      • Verify and audit all delegations and privileged access
      • Identify and minimize the number of users who possess privileged access in AD
      • Ensure only Domain Controllers have sufficient effective permissions to replicate secrets in the domain
      • If AdminSDHolder was modified, audit its effective permissions to make sure you know what access it actually grants
    • Create Sites
      • Site Mirroring of old/trusted domain (migration)
    • DNS Configuration
      • Forklift name space(s) (migration)
        • Conditional Forwarders
        • Secondary Zone
      • Enable Scavenging
        • On server
        • On zone
    • Install Central Store
    • Install AD Recycle Bin
    • Create base OU structure
    • Create Trust (if needed)
    • Extend Schema
      • Exchange
        • Gather requirements
        • Implement change
      • SCCM
        • Gather requirements
        • Implement change
      • Other
        • Gather requirements
        • Implement change
    • Baseline
      • Take a baseline snapshot of the new environment
        • Packet capture baseline traffic
        • Monitor incoming and outgoing TCP/IP traffic patterns
        • Monitor current CPU and RAM utilization levels
        • ATA learning burn-in
    • Complete "As Built" documentation
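The FSMO placement rules under "Move FSMO roles" can be verified after the roles are moved. The following PowerShell script is an added example, not part of the original wiki checklist; it assumes the ActiveDirectory RSAT module is installed and the caller has read access to the forest, and it is read-only (it moves nothing).

```powershell
# Added example: report FSMO placements that deviate from this checklist.
# Assumes the ActiveDirectory module (RSAT) is available; read-only.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    [CmdletBinding()]
    param()

    $forest     = Get-ADForest
    $rootDomain = Get-ADDomain -Identity $forest.RootDomain
    $rootPdce   = $rootDomain.PDCEmulator
    $findings   = @()

    # Schema Master and Domain Naming Master belong on the forest root PDCe
    if ($forest.SchemaMaster -ne $rootPdce) {
        $findings += "Schema Master is on $($forest.SchemaMaster); expected forest root PDCe $rootPdce"
    }
    if ($forest.DomainNamingMaster -ne $rootPdce) {
        $findings += "Domain Naming Master is on $($forest.DomainNamingMaster); expected forest root PDCe $rootPdce"
    }

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

        # RID Master on the PDCe of its own domain
        if ($domain.RIDMaster -ne $domain.PDCEmulator) {
            $findings += "${domainName}: RID Master is on $($domain.RIDMaster); expected PDCe $($domain.PDCEmulator)"
        }

        # Infrastructure Master on a non-GC, unless every DC in the domain is a GC
        $imDc = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        if ($imDc -and $imDc.IsGlobalCatalog -and -not $allGc) {
            $findings += "${domainName}: Infrastructure Master $($domain.InfrastructureMaster) is a GC but not all DCs are GCs"
        }
    }

    if ($findings.Count -eq 0) {
        Write-Output "FSMO placement matches the checklist"
    } else {
        $findings | ForEach-Object { Write-Warning $_ }
    }
    return $findings
}

Test-FsmoPlacement
```

An empty result means every role sits where the checklist expects it; each warning names the role, its current holder, and the DC the checklist would place it on.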
