
Locating the server vault for Active Directory security

Find some specifics for designing a server vault, with details on how it applies to Active Directory.

An Active Directory network is worthless and useless without reliable communications between network members and the domain controllers. So, make it a priority to provide physical protection for your domain controllers. Remember, without secured domain controllers, you cannot have a secure network. Think often about your environment from the perspective of a major crisis that threatens or interferes with your AD network's ability to support productive work. Then design the AD structure and the physical layout to accommodate as many protection mechanisms as possible.

You need to have a server vault. A server vault is a protected room where mission critical and other valuable systems reside. The server vault is not accessible to anyone but a few specific administrators. The door to the server vault remains locked at all times and entry into the server vault is monitored and logged. Place your Active Directory domain controllers, your DNS servers, and any other mission critical or important systems in the server vault.

You may even want to go so far as to have two or more server vaults. This would enable you to place backup, secondary, and tertiary systems in different protected rooms across your facility. Since the deployment of AD always demands a minimum of 2 or 3 domain controllers per domain, place each domain controller in a different server vault within your facility. Keep in mind that AD domains are logical constructions, not physical. This allows for physical overlap of cabling (such as from one side of the building to another), without forcing you to overlap the logical layout of the domains. As long as you don't use cables beyond their maximum length rating (e.g. 100 meters for twisted pair) without employing repeaters, concentrators, or amplifiers, the physical placement of DCs will not affect your AD domain's functionality, capabilities, or performance.

Server vaults can be designed to use gas-based fire-suppression systems, such as CO2 or the EPA-approved Halon-replacement gas known as FM-200. These gas-based fire-suppression systems remove the oxygen from the air and in some cases interfere with the chemical reaction of burning. However, use of these systems can be hazardous to people, so they should be used only in areas that people do not frequent. Those people who do enter those areas should be trained on how to escape quickly and use portable breathing devices. Selecting a fire-suppression medium that will cause the least amount of damage to your computer systems is important. Keep in mind that the hardware you deploy to support your AD domain controllers, as well as the other mission critical systems, is usually very expensive. Protecting your hardware investment from fire damage will mean little if you damage the equipment with water or another inappropriate suppression medium.

Server vaults can manage the local environment to be more appropriate for computer hardware. This means the room can be kept at a lower temperature than the rest of the facility (usually 64-70 F), with humidity kept between 45-60% to prevent static electricity and condensation. Once again, make the effort to provide your AD controllers with the best environment possible for them to operate in. In addition to temperature and humidity, don't forget to protect your domain controllers from dust, smoke, airborne debris, strong magnetic fields, cleaning chemicals (such as ammonia, which damages the platters of hard drives), vibrations, and power fluctuations (power conditioning is always a must for servers of any type, but especially AD controllers).

If your AD domain controllers are as valuable to you as they should be, you should endeavor to provide them as many layers of physical protection as possible. Server vaults should be located as much as possible in the center of the building. This provides the most layers of physical protection from the outside world. Whenever possible, you should also avoid the ground floor, the top floor, and the basement. The ground floor is most easily accessible to intruders. The top floor is vulnerable to roof leaks due to rain and snow. The basement is vulnerable to floods from weather and pipe breaks.

With some additional planning and effort, it is possible to establish solid and reliable physical protection for your valuable servers, such as your Active Directory domain controllers. Such protection may prove itself invaluable when an incident or crisis occurs.

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
