Computerworld - How did I get overlooked? I just found out my company's IT department has been working on a plan to reorganize our Windows Active Directory architecture and settings. Naturally, when I heard about this, I figured I needed to get involved. After all, Active Directory is all about security. It is at its core a tool to manage user access and permissions. Therefore, I need to be a part of the design team, if not running the whole show. I have some important considerations I'd like included in the new design. This is a perfect opportunity to optimize our security techniques and make improvements to our Active Directory infrastructure.
So imagine my surprise when I found out that our IT department's Windows gurus have already completed the new design. Not only that, but they also spent a lot of hours with Microsoft professional services in design sessions. This was paid for as part of our premier support plan, and it's already used up. When I asked for an opportunity to sit down with the Microsoft engineers to review the design and add my feedback and input, I was told the engagement has already ended. Somehow, I completely missed the boat, and I never even knew there was a boat until it was too late.
How did this come to pass? We are all working a lot harder these days, due to the economy and its associated cuts, staffing reductions and budget limitations. Everybody's wearing multiple hats and working on many things, so there's not always time to step back and look at the big picture. Also, in this case, I think they were in a rush to get the design done and then move on to other things, and involving me might have been perceived as adding additional complexity that would slow things down. I admit that's probably true, but sometimes it's good to slow down a little bit in order to do things right.
In any case, now that I've been left behind, I'm trying to run to catch up. The design is already done, but I'm hoping I will have a chance to make a few tweaks. In designing an Active Directory architecture, there are a lot of choices that fit different business and security needs. We can go with a single domain, or multiple domains, or hybrid approach with child domains, all of which have their own merits and drawbacks. The way our business is structured, I think a multiple domain approach within a single Active Directory forest makes sense, but the design calls for a single domain. We can also distribute domain controllers regionally, and even break up the Active Directory server roles. Our current design relies on centralized domain controllers, which I think will cause problems with some of our remote sites.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
