As a though exercise and to improve my mental model of AD security & resilience, I tasked myself to plan a re-design of our AD environment (think international company, complex multi-forest, multi domain, cloud-connected ecosystem).

I have the following items on my game plan:

[Design]

• Forest model (numbers, function)

• Domain model

• Trusts

• Network (Zones, Connections, Routes)

• Security Boundaries (Between Forests, Networks, Users, Servers)

• Failover & Redundancy

• Break-Glass & Emergency Access

• Cloud connection

[Architecture]

• Forest and Domain Hierarchy

• FSMO Roles

• Replication & Sites

• TIER Architecture

• AD Object Hierarchy and Containment (OUs, Groups, Users, …)

• Network segregation & Firewall Rules

• Device Management

[Migration]

• ?

(a few more minor items, but I’d rather have room for ideas, so let’s leave it at this)
I’m interested in feedback: What else would you have on your list, what else would you consider, what other design/architecture/migration/test-phases would you set up.