Users who have been down the road with Active Directory (AD) say they've learned some tricks for saving time and money on AD design projects. Here are their recommendations:
- Domain controllers need to be free. Management has to realize that the domain controllers need to function only as domain controllers -- no doubling up with file and print services or other applications, says John Hann, senior systems engineer at BancorpSouth Inc. in Tupelo, Miss. "It's a performance issue," he says.
- Have an object-naming convention. Naming standards are also important when creating objects because AD's built-in tools can't see more than 10,000 objects at a time, says Todd Wright, engineering manager at Wells Fargo & Co. in San Francisco. Prefacing group names with common descriptors such as "DRV" for drive mapping groups and "SEC" for security groups has made Lightweight Directory Access Protocol searches easier. "Naming standards are very important. That's a big consideration," he says.
- Don't overdo the OUs. The ability to create group policies across organizational units (OUs) and delegate administration is powerful, but keep it simple, advises Ken Pate, migration and interoperability manager at General Motors Corp. "We got really granular, then we realized that we don't need this kind of granular structure to delegate," he says. "At one point, we anticipated creating an OU for every location where people would reside. We have hundreds of locations in North America alone. Then we realized that it made more sense to collapse those locations."
- Lay it all out before placing objects. "The sites have to be there before you populate them," warns Hann. "Otherwise, your domain controllers won't know where to go."
- Include service providers in the administrative design. "It's important for companies that have multiple service providers or that have administrative organizations managing resources to look at that when they design the Active Directory," says Pate. The reason: Trying to differentiate administration within a domain can be very difficult. In GM's case, it had both IBM and Electronic Data Systems Corp. managing within a single domain.
The key is to set up some rules. "We made one organization the king of the kingdom and created a delegation model that allows the other service providers to access and manage their own resources without necessarily violating the administrative integrity of the domain," says Pate.
- Backward-compatibility is critical. Users expect to have continuous, transparent access to all resources during the migration. Failing to sustain that will result in a loss of critical IT support, users and analysts warn. During GM's migration, it needed to maintain shared access to NetWare and Windows NT server resources and keep that transparent to users. "There needs to be a lot of thought to how you're going to maintain that," says Pate. "We decided to move those resources onto Windows 2000 servers. [Novell Directory Services] and NT 4 users access them without realizing that they don't exist on that platform. That sounds like something that was easy to do, but it was a challenge."
- Replication requires tuning. "Replication in a large organization like GM needs to be well thought out," says Pate. "Your wide-area network connectivity needs to be understood. We're still tweaking that. It's naive to think that you're going to top-down design a replication topology and not go back and improve it or modify it."
And be sure to test replication over slow WAN links, adds Hann. Bandwidth isn't the only issue. "Although [replication] didn't appear to be affecting network bandwidth, it was affecting domain controller performance," he says. "They were either busy or incapable of talking," so users requesting log-ins would end up being authenticated against domain controllers in another state. With initial latency times approaching 10 hours, Hann changed replication schedule times to help with slow links. "Now it's less than two," he says. It would be less than an hour, he adds, but one region had more than 50 bank branches, "and I had to split the load across a number of servers to go to all of them."
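The two points above (sites and subnets defined before domain controllers are placed, and replication over slow WAN links tuned rather than left at defaults) can be expressed as one PowerShell script against the ActiveDirectory module's replication cmdlets. This is an added example, not code from the article or from any of the organizations quoted; the site names, subnets, link cost, interval and schedule window are constructed placeholders.

```powershell
# Added example: lay out the site topology first, then tune the site link that
# crosses a slow WAN. Requires the ActiveDirectory module and rights to modify
# the Configuration partition. Every name and subnet below is a placeholder.
Import-Module ActiveDirectory

# 1. Sites and subnets before any DC is promoted, so a new DC's address maps
#    to the right site and clients are not authenticated across the WAN.
$sites = @{
    'HQ'       = @('10.10.0.0/16')                   # constructed subnet
    'Branch-A' = @('10.20.0.0/24', '10.21.0.0/24')   # constructed subnets
}
foreach ($site in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    foreach ($cidr in $sites[$site]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $site
        }
    }
}

# 2. Site link for the slow WAN: cost above the default 100 so the KCC prefers
#    any alternative path, and replication every 60 minutes (default is 180)
#    inside the window set in step 3.
$linkName = 'HQ-BranchA'
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName -SitesIncluded 'HQ', 'Branch-A' `
        -Cost 200 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP
}

# 3. Restrict the link to an off-hours window (01:00-05:00 here, constructed)
#    so replication does not compete with daytime logons on the branch DC.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::One,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Five,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero)
Set-ADReplicationSiteLink -Identity $linkName -ReplicationSchedule $schedule

# 4. Read back the link settings; measure real latency afterwards with
#    repadmin /replsummary and adjust the interval or window as needed.
Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'" `
    -Properties Cost, ReplicationFrequencyInMinutes
```

Run it once per forest after the WAN bandwidth and DC load on each link are understood; as Pate notes above, the topology will still need revisiting after measurement.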