Integrating Active Directory With Sharepoint 2010: Best Practices

Setting Up the Environment

The foundation for integrating Active Directory (AD) with SharePoint 2010 is establishing the proper hardware, software, networking and authentication protocols. Ensure hardware meets minimum system requirements for both Windows Server running AD and SharePoint. Use Windows Server 2008 R2 or higher to take full advantage of tight AD and SharePoint integration. Configure DNS with proper A records, CNAMEs and service (SRV) records. Create subnets, VLANs and firewall rules to enable communication between SharePoint servers, domain controllers and clients.

Follow best practices for AD schema, forest/domain structure, OU hierarchy, sites and replication. Install AD fully across all domain controllers before beginning SharePoint installation. Use dedicated service accounts for the SharePoint farm and web applications that have appropriate AD permissions to query user/group attributes, set permissions on sites/lists and enable SSO.

Connecting SharePoint to Active Directory

Integrating SharePoint with AD provides centralized authentication, authorization and auditing using AD accounts, group memberships and security policies. Users log in with AD credentials via NTLM or Kerberos. SharePoint inherits permissions from AD security groups. Admins manage accounts and access controls through the Active Directory Users and Computers snap-in.

Use SharePoint Central Admin to configure identity providers and map trusted domains for the farm. Service applications can be associated with a specific domain identity. Enable forms-based authentication with AD for intranet claims authentication. Federated authentication via ADFS extends SSO to extranet users. PowerShell provides automation for assigning permissions and syncing AD changes to SharePoint.

For service applications, configure identity delegation to allow SharePoint servers to directly access AD domains on behalf of users. Grant SharePoint service accounts the rights to query AD for user attributes and group membership. Service accounts should have minimum required privileges in AD domains.

Managing Users and Permissions

SharePoint 2010 provides both automatic and on-demand synchronization with AD accounts and groups for simplified user provisioning. Importing user profiles automatically with Active Directory import synchronizes password changes and updates to user attributes. You can specify import scheduling and filters to select specific OUs.

To align permission inheritance from AD, first create SharePoint groups that match your existing security groups or OUs, then assign the SharePoint group permissions within sites. As users are added/removed from AD groups, their SharePoint permissions stay in sync. Custom permission levels can combine AD group memberships with SharePoint roles.
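The pattern above, as an added example that is not part of the original article: an AD security group becomes the only member of a matching SharePoint group, the permission level is bound to that group, and any user granted directly on the web (bypassing AD group management) is flagged for review. Site URL, group names, the owner account and the permission level are placeholders; the web must have unique (non-inherited) permissions.

```powershell
# Added example (not from the original article): mirror an AD security group into a
# SharePoint group and flag individual users granted access outside that group.
# Assumes the SharePoint 2010 snap-in and the ActiveDirectory module are available;
# all names below are placeholders, and the web must not inherit permissions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$siteUrl  = "https://portal.DOMAIN/sites/finance"   # placeholder
$adGroup  = "SG-Finance-Contributors"                # placeholder AD security group
$spGroup  = "Finance Contributors"                   # SharePoint group that mirrors it
$roleName = "Contribute"                             # permission level to bind

$web = Get-SPWeb $siteUrl
try {
    # Create the SharePoint group once; its membership is the AD group, not individuals
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $spGroup }
    if ($group -eq $null) {
        $owner = $web.EnsureUser("DOMAIN\spfarm")       # placeholder owner account
        $web.SiteGroups.Add($spGroup, $owner, $owner, "Mirrors AD group $adGroup")
        $group = $web.SiteGroups | Where-Object { $_.Name -eq $spGroup }
    }
    # Add the AD group as a member so AD membership changes flow through automatically
    $principal = $web.EnsureUser("DOMAIN\$adGroup")
    $group.AddUser($principal)

    # Bind the permission level to the SharePoint group
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$roleName])
    $web.RoleAssignments.Add($assignment)

    # Least-privilege check: users granted directly on the web bypass AD group
    # management and should be reviewed or moved into the AD group
    $direct = $web.RoleAssignments | Where-Object {
        $_.Member -is [Microsoft.SharePoint.SPUser] -and -not $_.Member.IsDomainGroup
    }
    foreach ($ra in $direct) {
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ","
        Write-Warning "Direct grant bypasses AD group: $($ra.Member.LoginName) [$levels]"
    }

    # Report current AD membership so site owners can confirm who actually has access
    Get-ADGroupMember -Identity $adGroup -Recursive |
        Select-Object SamAccountName, Name |
        Format-Table -AutoSize
}
finally {
    $web.Dispose()
}
```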

Use PowerShell scripts to automate new user provisioning by creating the site, assigning permissions based on AD group membership, and sending a new account welcome email. For example:

# Look up the user in AD, requesting the mail attribute used below
$newUser = Get-ADUser jsmith -Properties mail
# New-SPSite requires an owner; the site collection is created under the user's name
New-SPSite -Url "https://portal.DOMAIN/sites/jsmith" -OwnerAlias "DOMAIN\jsmith"
# Add-SPUser needs the target web as well as the group, which must already exist on that site
Add-SPUser -UserAlias "DOMAIN\jsmith" -Web "https://portal.DOMAIN/sites/jsmith" -Group "Portal Users"
# The AD property retrieved above is 'mail', not 'email'; Send-MailMessage also needs -From, -Subject and -SmtpServer
Send-MailMessage -To $newUser.mail -From "portal@DOMAIN" -Subject "Welcome to the portal" -Body "Welcome to the portal!" -SmtpServer "smtp.DOMAIN"

This automates provisioning sites, setting permissions and notifications.

Enabling Single Sign-On

Active Directory Federation Services (ADFS) provides seamless SSO to SharePoint sites and services using federated identity. Users authenticate once with AD credentials and then securely access resources without being re-prompted for passwords.

Configuring ADFS for SharePoint SSO involves installing the ADFS role on your Windows Server, then creating a Claims Provider trust relationship within ADFS mapped to SharePoint web applications or service identities. ADFS uses LDAP connectivity to authenticate users directly against Active Directory and then issues security tokens that grant access to SharePoint.

On the SharePoint side, configure identity providers and associate web apps with an issuer ID from ADFS. Turn on forms-based authentication for Windows-claimed identities using federated trusts. Test SSO by browsing SharePoint sites, which should automatically log you in with AD credentials without showing a login prompt. Monitor ADFS logs for any access-denied errors during SSO redirects.
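The SharePoint side of the two steps above, as an added example that is not part of the original article: the ADFS token-signing certificate is registered as a trusted root authority, e-mail and role claims are mapped, the trusted identity token issuer is created, and the provider is attached to a web application alongside Windows authentication. The certificate path, ADFS host, realm and web application URL are placeholders.

```powershell
# Added example (not from the original article): register ADFS as a trusted identity
# provider on the SharePoint 2010 farm. Placeholders: certificate path, ADFS host name,
# realm (must equal the relying party identifier configured in ADFS) and web app URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath  = "C:\certs\adfs-token-signing.cer"     # exported ADFS token-signing cert (public key only)
$adfsHost  = "adfs.DOMAIN"                          # placeholder
$realm     = "urn:sharepoint:portal"                # placeholder relying party identifier
$signInUrl = "https://$adfsHost/adfs/ls/"
$webAppUrl = "https://portal.DOMAIN"                # placeholder web application

# SharePoint validates token signatures against this certificate, so it must be the
# public ADFS signing certificate; the private key never belongs on the SharePoint farm
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($cert.HasPrivateKey) { throw "Import the public certificate only; do not place the ADFS signing key on SharePoint" }
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert

# Map the claims ADFS issues: e-mail identifies the user, role carries AD group names
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "Corporate ADFS" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap -SignInUrl $signInUrl `
    -IdentifierClaim $emailMap.InputClaimType

# Attach the provider to the web application's Default zone; keep Windows (NTLM/Kerberos)
# so intranet users and the farm's own service connections continue to work
$windows  = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$federated = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity $webAppUrl -Zone Default -AuthenticationProvider $windows, $federated

# Confirm the farm lists the provider and the certificate it will validate tokens with
Get-SPTrustedIdentityTokenIssuer -Identity "ADFS" |
    Select-Object Name, IdentifierClaim, @{n="Thumbprint"; e={ $_.SigningCertificate.Thumbprint }}
```

When the ADFS token-signing certificate rolls over, the trusted root authority and the issuer's ImportTrustCertificate must be updated or every federated sign-in fails signature validation.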

Auditing Site Activity

SharePoint provides rich usage auditing capabilities especially when integrated with AD for detailed tracking tied to user accounts. Enable audit log trimming and site collection audit settings to specify what events should be captured. Configure information management policies to retain audit history.

Create audit reports that leverage user profile attributes from Active Directory to track activity by department, cost center, region or other metadata attached to users. Build PowerPivot workbooks to uncover trends and areas needing review. Implement alerts that trigger on specific audit events such as unauthorized access attempts, file downloads or permission changes.

Use PowerShell to export audit logs into a SQL Server database for long-term analysis with full user attributes. Pipe to ConvertTo-HTML to email visually appealing reports to site owners showing recent activity. AD integration enhances auditing with easy correlation to user details.
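The audit correlation described in the two paragraphs above, as an added example that is not part of the original article: security-relevant audit flags are enabled on a site collection, the last seven days of entries are read, each entry's SharePoint user is resolved to an AD account and its department, the joined rows are exported to CSV, and permission changes are summarized per user. The site URL and output path are placeholders.

```powershell
# Added example (not from the original article): enable security-relevant audit events on a
# site collection, pull the last 7 days of entries, resolve each entry's user to its AD
# account and department, export the joined rows, and summarize permission changes.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$siteUrl = "https://portal.DOMAIN/sites/finance"   # placeholder
$outCsv  = "C:\audit\finance-audit.csv"             # placeholder

$site = Get-SPSite $siteUrl
try {
    # Capture permission changes, deletes and views; Update() persists the mask
    $site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange -bor `
                             [Microsoft.SharePoint.SPAuditMaskType]::Delete -bor `
                             [Microsoft.SharePoint.SPAuditMaskType]::View
    $site.Audit.Update()

    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.SetRangeStart((Get-Date).AddDays(-7))
    $query.SetRangeEnd((Get-Date))
    $entries = $site.Audit.GetEntries($query)

    # Cache AD lookups: the same user appears in many entries; -Filter returns nothing
    # (instead of throwing) for system or group principals that are not AD users
    $adCache = @{}
    $rows = foreach ($e in $entries) {
        $user  = $site.RootWeb.SiteUsers | Where-Object { $_.ID -eq $e.UserId }
        $login = $(if ($user) { $user.LoginName } else { "(removed user id $($e.UserId))" })
        $sam   = ($login -replace '^.*\|', '') -replace '^.*\\', ''   # strip claims prefix and domain
        if (-not $adCache.ContainsKey($sam)) {
            $adCache[$sam] = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties department
        }
        New-Object PSObject -Property @{
            Occurred   = $e.Occurred
            Event      = $e.Event
            Login      = $login
            Department = $(if ($adCache[$sam]) { $adCache[$sam].department } else { "(not in AD)" })
            Location   = $e.DocLocation
        }
    }
    $rows | Export-Csv -Path $outCsv -NoTypeInformation

    # Permission changes are the events most worth a second look
    $rows | Where-Object { $_.Event -eq "SecurityChange" } |
        Group-Object Login | Sort-Object Count -Descending |
        Select-Object Name, Count | Format-Table -AutoSize
}
finally {
    $site.Dispose()
}
```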

Best Practices for Administration

Properly administering an Active Directory integrated SharePoint 2010 farm requires automation and redundancy to ensure high availability. Script key processes such as adding or removing web servers, creating site collections and managing solution packages.

Monitor performance with tools like SharePoint Health Analyzer that provide DNS, domain controller, and authentication connectivity status alerts. Tune page load times, search performance and other metrics for both intranet and federated users.

Use SQL Server log shipping to enable disaster recovery to a standby farm with read-only data access. Schedule regular backups of service applications and secure backup account permissions in Active Directory. Follow Microsoft’s security hardening guides to properly integrate SharePoint with your AD infrastructure.
