Making Active Directory Easier

Windows 2000 Active Directory deployments can take much longer than expected. Just ask Eric Kornau, CIO at Cincinnati State Technical and Community College. "We have to teach Windows 2000 in our operating systems classes, so we need to have it on our network," he explains.

Kornau started planning the switch to Microsoft Corp.'s Windows 2000 and Active Directory (AD) last November and migrated 6,000 student accounts during spring break. But the migration for about 2,000 staff accounts was interrupted by a million-dollar donation for storage equipment. Cincinnati State is configuring the new storage before consolidating the entire school, including all student and staff accounts, into a single AD in the fall. In the meantime, the school has a native Windows 2000 domain for the students, and the school administration has Windows 2000 application servers running under Windows NT 4.0 domain controllers.

Such time frames aren't unusual. "AD migrations take a lot longer than most organizations anticipate," with many taking 12 to 24 months to complete, says Laura DiDio, an analyst at Giga Information Group Inc. in Cambridge, Mass.


Should You Wait?

The release of Windows.Net Server, the successor to Windows 2000 Server, is expected in the first half of next year and will include a beefed-up version of AD. Major changes include the following:

• Removal of the size limitation of 5,000 objects per group

• Elimination of the need for a global catalog at each site

• The ability to load directory content from tapes, CDs or DVDs

• Support for the inetOrgPerson class (a popular means of identifying users)

• Better address-replication conflict resolution for multivalued attributes when replicating between domain controllers

As with the migration from Windows NT to Windows 2000, there's a catch: All Windows 2000 domain controllers must be upgraded to Windows.Net before the new features will be available. That's not to say you can't install Windows.Net when it becomes available. But a Windows.Net Server running AD will automatically detect Windows 2000 domain controllers on the network and won't support the new AD features.

So are the improvements worth waiting for? "While these are all good changes for the most part, they will have a relatively minor impact on an enterprise," says John Enck, an analyst at Stamford, Conn.-based Gartner Inc. "Really, it is a timing issue. I don't see any feature or set of features that would cause enterprises to delay." But if you're planning on deploying AD late this year or early next year, he says, you may want to wait a few months and deploy the new version rather than having to go back to upgrade all the domain controllers later.

—Drew Robb

But until all domain controllers are upgraded to Windows 2000, enterprises are in a state of directory limbo known as mixed mode, in which directory features from Windows NT domain controllers remain enabled while new AD features, such as the ability to create universal and nested groups, are unavailable.

New security problems arise with administrative privileges for NT domain controllers operating in mixed mode. AD dial-in options such as verifying Caller ID and applying static routes won't work. In addition, network administrators must support multiple operating systems, multiple directories and, in some cases, multiple versions of applications.

Because of the complexity of managing mixed-mode domains, experienced IT managers say it's best to make the switch as quickly as possible. The right tools and methodologies can make the transition to native mode easier and help manage a mixed-mode domain.

Faster Migrations

Managers can reduce the time spent in mixed mode by thorough planning and testing and by using domain migration tools. "You should always test everything out in the lab before making the switch," says Bryan Brunetti, an information systems engineer at pharmacy retailer CVS Corp.

Prior to migrating 5,000 workstations and 120 servers at CVS headquarters in Woonsocket, R.I., last year, Brunetti set up a lab to test the migration. He chose Powell, Ohio-based Aelita Software Corp.'s Controlled Migration Suite to model the migration before it began. The result: a smooth domain-controller transition to Windows 2000 and AD over two weekends, followed by an in-place upgrade of other NT servers to Windows 2000 Server.

During the domain-controller migration, however, Brunetti discovered a security problem. The Account Operators group had been given rights to the Windows 2000 administrative tools so its members could change passwords, and Brunetti says he realized that those users were also able to create Dynamic Host Configuration Protocol (DHCP) scopes and Windows Internet Name Service (WINS) entries on NT 4 servers. The company immediately upgraded the servers to Windows 2000 to eliminate the problem.

Kornau followed advice from consultants at Quest Software Inc. in Irvine, Calif., about how to model the migration. He set up backup domain controllers, replicated the domain structure on those machines, upgraded them to primary domain-controller status and created a duplicate domain.

"We used the duplicate domain to model different scenarios," says Kornau. "By the end of the week, we had written a comprehensive domain migration plan."

But even the best-laid plans can go awry. "Despite extensive planning and design, nothing turned out exactly as we envisioned," says Mark Vernon, a senior network engineer at Pioneer Hi-Bred International Inc., a biotechnology firm in Des Moines, Iowa. He set up a test lab to review migration tools but wasn't able to fully model his network's 18 domains and more than 4,000 groups and test all the procedures prior to the implementation. Vernon says that "until you start into the actual process, you don't really know how things will pan out."

His company is still in the midst of an AD migration that encompasses 5,000 users at hundreds of locations. Currently, Pioneer is running in what's called parallel mode: It has one NT domain that covers one group of sites and another Windows 2000 domain running AD in native mode for another. However, this has sowed confusion by creating two structures for controlling shared resources. Security administrators have trouble determining which structure governs a given user or group and which structure controls access rights to a given object.

Although Vernon is using San Jose-based NetIQ Corp.'s Domain Migration Administrator to manage the changeover, many third-party migration tools are available, as well as the Active Directory Migration Tool (ADMT) utility that comes with Windows 2000 Server.

But both Vernon and Kornau found ADMT too basic for their needs and don't recommend it for large or complex networks. ADMT lacks such features as user password migration, migration modeling, exclusion of disabled or expired accounts and the ability to clean up the security identifier (SID) history. Also, it supports only native-mode AD servers. That's why DiDio declares AD domain migration and policy-based management tools as must-haves. But they don't come cheap: She cautions that these tools add 25% to 30% to overall upgrade costs.
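As an added illustration of two of the checks the article says ADMT does not perform, the following script (written for this page, not from the article, ADMT or any vendor tool) pre-filters a constructed LDAP-style account export: it excludes disabled and expired accounts and flags accounts that already carry sIDHistory so they can be scheduled for cleanup after cutover. The attribute names userAccountControl, accountExpires and sIDHistory are standard Active Directory attributes; the account names, SIDs and dates are made up.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002                    # userAccountControl bit: account disabled
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}    # accountExpires values meaning "never"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here to build the sample export."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def classify(account, now):
    """Return 'migrate', 'skip-disabled' or 'skip-expired' for one account."""
    if account["userAccountControl"] & ACCOUNTDISABLE:
        return "skip-disabled"
    expires = account["accountExpires"]
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        return "skip-expired"
    return "migrate"

def plan_migration(accounts, now):
    """Bucket accounts for migration and list those that already carry
    sIDHistory, which need a separate cleanup step after cutover."""
    plan = {"migrate": [], "skip-disabled": [], "skip-expired": [], "sidhistory": []}
    for acct in accounts:
        plan[classify(acct, now)].append(acct["sAMAccountName"])
        if acct.get("sIDHistory"):
            plan["sidhistory"].append(acct["sAMAccountName"])
    return plan

# Constructed sample export (hypothetical accounts, SIDs and dates).
NOW = datetime(2001, 9, 1, tzinfo=timezone.utc)
SAMPLE_EXPORT = [
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200,
     "accountExpires": 0, "sIDHistory": []},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200,
     "accountExpires": 0x7FFFFFFFFFFFFFFF,
     "sIDHistory": ["S-1-5-21-1111111111-2222222222-3333333333-1105"]},
    {"sAMAccountName": "old_contractor", "userAccountControl": 0x200,
     "accountExpires": datetime_to_filetime(datetime(2000, 12, 31, tzinfo=timezone.utc)),
     "sIDHistory": []},
    {"sAMAccountName": "left_employee", "userAccountControl": 0x202,
     "accountExpires": 0, "sIDHistory": []},
]
```

Calling plan_migration(SAMPLE_EXPORT, NOW) returns the four buckets; the 0x7FFFFFFFFFFFFFFF sentinel is deliberately never converted to a date because it would overflow a datetime.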

Surviving in Mixed Mode

For all but the smallest networks, administrators operating in mixed mode can benefit from good management tools. For example, Kornau uses Quest's FastLane for AD migration, along with Brampton, Ontario-based Nortel Networks Corp.'s Optivity and Hewlett-Packard Corp.'s OpenView to manage routers and switches. He also uses Microsoft's Systems Management Server (SMS) for inventory and reporting, though he may abandon it. "What we're finding is, if you have a native AD domain, you don't need it," says Kornau.

Brunetti uses a similar range of tools to run in mixed mode: OpenView operates as his top-level management and network monitoring tool; Mountain View, Calif.-based Veritas Software Corp.'s Manage Exec monitors services running on servers; SMS manages clients; and Windows Terminal Server supports remote management of Windows 2000 Servers.

Although AD may represent a serious hurdle, the tools exist to survive in mixed-mode limbo. Used wisely, they can help companies not only live to tell the tale, but also to eventually make the transition to native mode.

Robb is a freelance writer in Tujunga, Calif. Contact him at


Managing AD in a hybrid network

While administering a network in mixed mode can be tough, hybrid networks add further complications.

Take the case of Mike Yoder, director of distributed systems at Mount Sinai NYU Health (MSNYU), a health care organization comprised of six hospitals in New York. He manages a network that includes Active Directory (AD) for Exchange 2000, Windows 2000 workstations accessing mainframe applications through IBM's SNA and servers running Novell Inc.'s NetWare, as well as a few storage-area networks and some virtual private networks. The MSNYU network contains 6,000 workstations, 300 to 400 servers and 12,000 users spread out among the hospitals. The whole system is tied together with Novell Directory Services (NDS) eDirectory.

Because its main applications are mainframe, rather than client/server, and most of its servers run NetWare, MSNYU doesn't intend to make the switch to native mode. The health service organization uses Novell's DirXML synchronization tool to coordinate the user identifications in AD and NDS so that users can enjoy single sign-on. "As we get additional products that use AD, we'll use DirXML to keep it in sync," says Yoder.

MSNYU also uses Houston-based BindView Corp.'s bv-Admin to provide a single view of the entire network, which operates on different directories. With it, says Yoder, "you can manage both NDS and AD trees from a single [graphical user interface]." BindView can also provide a single management interface for both the Windows NT and 2000 portions of networks undergoing Windows 2000 migrations, he says.

Active Directory migration and administration tools

  • Aelita Software Corp.
    Powell, Ohio
    Controlled Migration Suite
    Includes wizards for domain and Exchange migration, administration and modeling tools.
    $11 per user

  • BindView Corp.
    Houston
    bv-Control, bv-Admin
    Cross-platform security and administration products.
    $9.95 per user

  • Microsoft Corp.
    Active Directory (AD) Migration Tool
    A limited version of the NetIQ Domain Migration Administrator included with Windows 2000 Server.

  • NetIQ Corp.
    San Jose
    Domain Migration Administrator, Exchange Migrator
    Tools for setting and enforcing policies for user accounts, groups, resources, services, events, files and folders.
    $9 per user

  • Quest Software Inc.
    Irvine, Calif.
    FastLane
    Includes modules for AD and Exchange migration, security and administration.
    $8 per user

Active Directory's modus operandi

Mixed mode:

A limited implementation of Active Directory (AD) that supports both Windows 2000 and NT domain controllers.

Pros: Administrators don't need to migrate all domain controllers to Windows 2000 at once. If necessary, they can roll domain controllers back to Windows NT. This could be useful when some servers, such as application servers, can't be immediately upgraded to Windows 2000.

Cons: Lacks advanced AD features such as universal groups, interdomain group membership and group nesting features.

Native mode:

Full deployment of AD with all domain controllers running Windows 2000.

Pros: All AD features are available.

Cons: Requires upgrade of all domain controllers. Once you flip the switch, fallback to mixed-mode operation or support for Windows NT domain controllers isn't possible.

Parallel mode:

Administrators create separate domains for different groups of servers.

Pros: They can operate the Windows 2000 domain in AD native mode without migrating all enterprise domain controllers to Windows 2000.

Cons: Managing dual domains can cause confusion. Separate domains are difficult to administer and support.

Copyright © 2001 IDG Communications, Inc.