Quick Deployment Guide
This guide provides a streamlined workflow for deploying and auditing the Tier Model in production environments.
Prerequisites
Before deploying the Tier Model, ensure the following requirements are met:
Environment Requirements
- PowerShell 7.0 or later (PowerShell 5.1 is not supported)
- Domain Admin membership for deployment operations
- Network access to your preferred Domain Controller
Required PowerShell Modules
ActiveDirectory(version 1.0.1.0 or later)GroupPolicy(version 1.0 or later)Pester(version 5.7.1 or later) - Must be obtained from public sources (PowerShell Gallery)
Installation
Install Pester from the PowerShell Gallery:
Install-Module -Name Pester -MinimumVersion 5.7.1 -Force -SkipPublisherCheck
Obtain TierModel
Download the latest TierModel release from GitHub
Unblock the downloaded zip file
Unblock-File -Path "$env:USERPROFILE\Downloads\TierModel.zip"
# Extract to C:\ Expand-Archive -Path "$env:USERPROFILE\Downloads\TierModel.zip" -DestinationPath "C:\" -Force
Navigate to the TierModel directory
cd C:\TierModel
**Note:** The deployment and audit scripts automatically import the TierModel module and validate prerequisites.
## Deployment Workflow
### Step 1: Plan the Deployment (Dry-Run)
Run the deploy script in **planning mode** (default behavior) to preview all changes without applying them:
```powershell
.\Deploy-TierModel.ps1 -FullDeployment -PreferredDc DC01.contoso.com
This will: - Validate prerequisites - Generate a deployment plan showing all proposed changes - Display adds, updates, and potential issues - NOT apply any changes to Active Directory
Review the output carefully to ensure the planned changes are correct.
Step 2: Execute the Deployment
After reviewing the plan, apply the changes using the -ConfirmApply parameter:
.\Deploy-TierModel.ps1 -FullDeployment -PreferredDc DC01.contoso.com -ConfirmApply
This will deploy all Tier Model components in the correct dependency order: 1. Organizational Units (OUs) 2. Security Groups 3. User Accounts 4. OU ACL Delegations 5. Group Policy Objects (GPOs) 6. ADMX Administrative Templates
Step 3: Audit the Deployment
After deployment completes, run a full audit to verify compliance and detect any drift:
.\Audit-TierModel.ps1 -FullDeployment -PreferredDc DC01.contoso.com
This will: - Check all deployed components against the configuration - Identify any drift from the desired state - Generate a compliance report - Highlight any manual intervention required
Expected Results
Successful Deployment
- All components created or updated as specified
- Zero errors in the deployment log
- Audit shows full compliance with no drift detected
First Audit After Deployment
The audit should report: - All components compliant with the Tier Model configuration - No drift findings (or minimal informational findings) - Zero high-severity issues
If the audit identifies drift immediately after deployment, review the deployment logs and investigate the discrepancies.
Optional: Enable Logging
For troubleshooting or audit trails, enable detailed logging:
# Deployment with logging
.\Deploy-TierModel.ps1 -FullDeployment -PreferredDc DC01.contoso.com -ConfirmApply -Logging
# Audit with logging
.\Audit-TierModel.ps1 -FullDeployment -PreferredDc DC01.contoso.com -Logging
Logs are saved to the current directory or the path specified by -LogPath.
Troubleshooting
Prerequisites Failed
If Test-TierModelPrerequisites reports errors:
- Install PowerShell 7+ from https://github.com/PowerShell/PowerShell/releases
- Verify Domain Admin group membership
- Ensure required AD and GP modules are installed (use RSAT on Windows)
Deployment Errors
- Review error messages in deployment output
- Check logs if
-Loggingwas enabled - Verify JSON configuration syntax and schema compliance
- Ensure the preferred DC is reachable and responsive
Audit Drift Detected
- Compare audit findings against recent changes
- Review manual interventions that may have occurred outside automation
- Re-run deployment to converge environment back to desired state
Next Steps
After successful deployment: - Schedule regular audits to detect configuration drift - Document any manual changes made outside the automation - Update the configuration JSON for future deployments - Review audit reports periodically for compliance monitoring
For detailed documentation, see: - Detailed Deployment Guide - Deployment Methodology - Drift Detection Details - GPO Management Strategy