9

Later this year I will be handing over support of my church’s active directory servers to someone else and would like to know what kind of information is important to document and share. Are there any good example documents that I could use?

Chad Snow

5 Answers

12

First, be careful not to document Active Directory itself. Microsoft has already done that. It is not your responsibility, and it will reduce the time you have to document the configurations, policies, and procedures specific to your installation.

Here is a list of things that you should document.

  • Explain your computer, user, domain, and OU naming conventions.
  • Describe your OU hierarchy and the reasoning behind it.
  • Briefly describe the main functions of your Group Policy Objects and why you organized them as you did.
  • Describe your network numbering conventions and DHCP configuration, if applicable.
  • Describe your DNS configuration.
  • Describe your Windows Firewall exceptions.
  • List the Windows Server roles and third-party software installed on each server.
  • Note the locations of Active Directory's FSMO roles.
  • Describe the organization's policy for when to add new user accounts or revoke existing user accounts.
  • Describe the organization's policies for user restrictions (related to GPO details above).
  • If you are responsible for the network as well, provide a building wiring diagram.
Jay Michaud
2

Might be OTT for a smaller church, but the Microsoft Active Directory Topology Diagrammer is pretty funky. It automatically generates a diagram of your Active Directory topology in Visio.

Diagrams can be made of servers, domains, sites, routing groups, admin groups and connectors. It shouldn't take long to produce some nice illustrations that you can use to supplement your written handover notes.

Screenshot here (on a Sun blog!)

user9517
Adam
1
  • Standard tasks:
    • Create/delete users
    • Grant/revoke permissions
  • Things that separate your installation from out-of-the-box AD:
    • Changes in group policies
    • Schema extensions
Commander Keen
  • 1
    * Which server has the FSMO roles, and why * Chronic issues you have/had * Thoughts you had on ways to improve reliability – James Cape May 19 '09 at 12:30
1

A great tool to document your servers is http://sydiproject.com/.

Tubs
0

This is a bit of an old post but, just in case anyone else finds it on Google and wants to know more, I thought I'd share my thoughts.

I would suggest including the following in your Active Directory documentation:

  • General Information
    • Domain name
    • NetBIOS name
    • Domain SID
    • Domain Functional Level
    • Forest Functional Level
    • Forest Name
    • Root Domain SID
  • Operations Masters
    • Server Names
  • Groups
    • Name
    • SAM Account Name
    • Canonical Name
    • Description
    • Group scope
    • Group Type
    • GUID
    • SID
    • Members
  • Schema Configuration
    • Distinguished Name
    • Schema Version
    • Schema Master
    • Schema Classes (Name, Type, Status, Description)
  • Group Policy Objects
    • Name
    • Status
    • Linked Locations
    • Security
    • Permissions
  • Trusts
    • Name
    • Type
    • Domain Functional Level
    • Transitive
    • Target Domain Mode
    • Target NetBIOS Name
  • Inter-Site Transports
    • Name
    • Description
    • Site Links
    • Replication Schedule
  • Subnets
    • Name
    • Site
    • Location
    • Description
  • Sites
    • Name
    • Location
    • Description
    • Subnets
    • Inter-Site Topology Generator
    • Inter-Site Topology Generator Site
    • Universal Group Membership Caching
    • Replication Schedule
    • Permissions
  • Domain Controllers
    • Name
    • Description
    • Domain
    • Bridgehead
    • Bridgehead server transports
    • Global Catalog
    • Server Type
    • DNS Hostname
    • Query Policy
    • Read-Only Domain Controller (RODC) Settings
    • Password Replication Policy
    • Host Information
    • Directory Service Installation Paths
    • Replicate From
    • Replicate To
    • Replication Connections
    • Connection Details
    • Schedule

We've created an Active Directory documentation tool which automates the process of documenting your servers. Hopefully it's ok to share a link to it here. There is a free version for small networks.

  • 1
    [*"If the only reason you're here is to sell something or drive traffic to your site, then please avoid posting answers."*](http://serverfault.com/help/promotion) You may consider your purpose in contributing to this site. If you're only here to promote your tool, contact SE for their advertising rates. – jscott May 11 '16 at 09:35
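
Several of the items the answers above list (domain and forest details, FSMO role holders, domain controllers, the OU hierarchy, sites, subnets, trusts, GPOs and groups) can be exported straight from the directory. The script below is an added example, not part of any answer on this page; it assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules are installed, and the `$OutDir` folder and the `Save-Csv` helper are hypothetical names.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example: export an Active Directory handover inventory to CSV files.
# $OutDir is a hypothetical output folder; run with an account that can read the directory.
param([string]$OutDir = '.\ad-handover')

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
function Save-Csv($Name) { $input | Export-Csv (Join-Path $OutDir "$Name.csv") -NoTypeInformation }

$domain = Get-ADDomain
$forest = Get-ADForest
$schema = Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion

# General information and the five FSMO (operations master) role holders
[pscustomobject]@{
    DomainName            = $domain.DNSRoot
    NetBIOSName           = $domain.NetBIOSName
    DomainSID             = $domain.DomainSID.Value
    DomainFunctionalLevel = $domain.DomainMode
    ForestName            = $forest.Name
    ForestFunctionalLevel = $forest.ForestMode
    SchemaVersion         = $schema.objectVersion
    SchemaMaster          = $forest.SchemaMaster
    DomainNamingMaster    = $forest.DomainNamingMaster
    PDCEmulator           = $domain.PDCEmulator
    RIDMaster             = $domain.RIDMaster
    InfrastructureMaster  = $domain.InfrastructureMaster
} | Save-Csv general

# Domain controllers: site placement, global catalog and read-only (RODC) status
Get-ADDomainController -Filter * |
    Select-Object Name, HostName, Site, IPv4Address, IsGlobalCatalog, IsReadOnly, OperatingSystem | Save-Csv domain-controllers

# OU hierarchy; sorting by CanonicalName lists parent OUs before their children
Get-ADOrganizationalUnit -Filter * -Properties CanonicalName, Description |
    Sort-Object CanonicalName | Select-Object CanonicalName, DistinguishedName, Description | Save-Csv ous

# Sites and subnets
Get-ADReplicationSite -Filter * -Properties Description, Location | Select-Object Name, Location, Description | Save-Csv sites
Get-ADReplicationSubnet -Filter * -Properties Description | Select-Object Name, Site, Location, Description | Save-Csv subnets

# Trusts and Group Policy Objects
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest | Save-Csv trusts
Get-GPO -All | Select-Object DisplayName, Id, GpoStatus, CreationTime, ModificationTime | Save-Csv gpos

# Groups with scope, type and member distinguished names
Get-ADGroup -Filter * -Properties Description, Members |
    Select-Object Name, SamAccountName, GroupScope, GroupCategory, SID, ObjectGUID, Description, @{n='Members';e={$_.Members -join '; '}} | Save-Csv groups
```

The export records what exists, not why: naming conventions, the reasoning behind the OU and GPO layout, and account policies still have to be written by hand.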