Windows tech: 10 steps to creating an Active Directory

Windows 2000 has been available for more than a year, but many people are still struggling with how to implement the most promising and most complex part of Microsoft Corp.'s new operating system: Active Directory. Windows 2000, Microsoft's first enterprise-ready operating system, uses Active Directory to provide scalable, secure and Lightweight Directory Access Protocol (LDAP) standards-based directory services. Many tools are available to assist administrators and planners in this process, but administrators may wonder where to start.

Designing an Active Directory requires a methodology with a strong focus on your political, business and security requirements. You also need to take into consideration how the big picture evolves as you integrate new applications with a Windows 2000 infrastructure over time. This becomes even more important as the Microsoft software is evolving into the .Net world. We focus here on the 10 most critical steps you'll need to consider during the design of your corporate Active Directory.

Build the project teams

To properly start a Windows 2000 project, it's critical to first understand the reasons for implementing the new infrastructure. One may be to consolidate servers and domains to reduce ownership, administration, maintenance and troubleshooting costs. Another might be to provide an infrastructure for mission-critical applications, such as Microsoft Exchange 2000 Server. You must also understand your current IT environment and administrative model before creating a project plan and project team.

The number and size of each team varies from project to project but groups are generally created for the directory, networking, operations and management, security, migration, client platforms, application deployment and development and system sizing.

Designing Active Directory also requires strong cooperation between different teams in your organization -- teams that had little in common in the past. An Active Directory can't be effectively implemented without good communication between the directory, networking and security groups in your organization.

In an Active Directory design, roles may be inverted, creating further tensions. In the past, for example, the Windows NT people owned the data and the Exchange group owned the directory. Now, with the Web store in Exchange 2000, the messaging group will own the data and the NT people will own the directory. Furthermore, the NT group must now provide the necessary services for e-business in terms of security, interoperability and availability.

Design the Active Directory schema

The Active Directory schema defines which object classes (such as users, groups and servers) and attributes can be created in the directory. The schema design is easy if the default schema satisfies the needs of your organization. Your organization may, however, need to store special objects or attributes in Active Directory. That means adding new classes or attributes, each identified by a unique object identifier (OID) that you must obtain from an OID arc registered to your organization rather than inventing one. The schema design also defines which attributes are indexed and which are published in the Global Catalog (GC), a domain controller that holds a partial replica of every object in the forest so that clients can search forest-wide. Schema changes are forest-wide and effectively permanent (a class or attribute can be disabled but never deleted), so they deserve the same change control as a production database schema.

Your Active Directory schema design should also extend beyond your Windows 2000 environment to integrate with other directory services or metadirectories. Such requirements may bring up synchronization and integration challenges, so you should detect them as early as possible in the Active Directory design.
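The following is an added example, not code from the article or its authors, of the kind of schema change the section describes: one new indexed, GC-published string attribute, attached to the user class with ldifde. It assumes you run it as a member of Schema Admins against the schema master, with the RSAT ActiveDirectory module available for the lookup and verification steps. The OID arc 1.3.6.1.4.1.99999 and the attribute name corpBadgeId are placeholders; replace the arc with one registered to your organization before touching a real forest.

```powershell
# Added example: extend the schema with one indexed, GC-published attribute.
# Assumptions: Schema Admins rights on the schema master; RSAT AD module present;
# 1.3.6.1.4.1.99999.* and corpBadgeId are placeholders, not a registered OID arc.
Import-Module ActiveDirectory

$schemaNc = (Get-ADRootDSE).schemaNamingContext   # CN=Schema,CN=Configuration,DC=...

# attributeSyntax 2.5.5.12 + oMSyntax 64 = Unicode string.
# searchFlags 1 = build an index; isMemberOfPartialAttributeSet = replicate to every GC.
# The schemaUpdateNow record in the middle reloads the schema cache so that the
# following modification of the User class can see the new attribute.
$ldif = @"
dn: CN=corpBadgeId,$schemaNc
changetype: add
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.99999.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
lDAPDisplayName: corpBadgeId
adminDisplayName: corpBadgeId
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,$schemaNc
changetype: modify
add: mayContain
mayContain: corpBadgeId
-
"@

Set-Content -Path .\corpBadgeId.ldf -Value $ldif -Encoding ASCII

# Import on the schema master; -j writes ldif.log to the current directory.
ldifde -i -f .\corpBadgeId.ldf -j .

# Verify that the attribute exists with the intended index and GC settings.
Get-ADObject -Identity "CN=corpBadgeId,$schemaNc" `
    -Properties attributeID, searchFlags, isMemberOfPartialAttributeSet, isSingleValued |
    Format-List lDAPDisplayName, attributeID, searchFlags, isMemberOfPartialAttributeSet
```

Test the LDIF in a lab forest first: an attribute added with a wrong OID or syntax cannot be removed, only disabled, and adding an attribute to the GC partial attribute set triggers extra replication to every GC in the forest.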

Design the DNS model

The planning and design of the Windows 2000 Domain Name System (DNS), which translates user friendly domain names to actual Internet Protocol addresses, can be split into two design subtasks: the DNS namespace design, which describes each domain, and the DNS server infrastructure design.

Because of the tight integration of DNS and the Active Directory infrastructure, the namespace design goes hand-in-hand with the Active Directory design. Both DNS and Active Directory infrastructure design are iterative processes that will influence each other continually.

During the namespace design, it's important to first examine your business needs. Next, you need to decide whether you plan to integrate Windows 2000 DNS with a legacy DNS infrastructure and whether you need to consider the impact of an Internet presence for your corporate DNS name space design.

During the DNS design, remember that this is a critical service for Active Directory and Windows 2000. The DNS server infrastructure must be fault-tolerant, highly available, easily accessible and must provide minimal latency for the replication of DNS database changes.
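As an added example (not part of the original article), the following script performs the checks a practitioner runs to confirm that the DNS infrastructure can actually support domain controller location for one domain. It assumes the Resolve-DnsName cmdlet and the RSAT ActiveDirectory and DnsServer modules (Windows Server 2012 or later); corp.example.com and dc1 are placeholders.

```powershell
# Added example: verify the DNS records that Active Directory clients depend on.
# Assumptions: Windows Server 2012+ cmdlets; corp.example.com and dc1 are placeholders.
$domain = "corp.example.com"

# DC locator SRV records. If these are missing, logons and replication fail even
# when ordinary A records for the domain controllers resolve correctly.
$records = @(
    "_ldap._tcp.dc._msdcs.$domain",       # any DC for the domain
    "_kerberos._tcp.dc._msdcs.$domain",   # KDCs
    "_ldap._tcp.gc._msdcs.$domain",       # global catalogs (forest root domain name)
    "_ldap._tcp.pdc._msdcs.$domain"       # PDC emulator
)
foreach ($name in $records) {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        "{0,-45} -> {1}" -f $name, (($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', ')
    } catch {
        Write-Warning "$name is not resolvable: $($_.Exception.Message)"
    }
}

# Every DC must register itself: compare the directory's list of DCs with DNS.
$fromAd  = Get-ADDomainController -Filter * -Server $domain | Select-Object -ExpandProperty HostName
$fromDns = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
           Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
$diff = Compare-Object -ReferenceObject $fromAd -DifferenceObject $fromDns
if ($diff) { Write-Warning "DC list in AD and in DNS differ:"; $diff } else { "All DCs are registered in DNS." }

# Zone design check: the _msdcs records should live in an AD-integrated zone that
# replicates to every DC in the forest, so no single DNS server is a point of failure.
$zone = Get-DnsServerZone -ComputerName "dc1.$domain" -Name "_msdcs.$domain" -ErrorAction SilentlyContinue
if ($zone) {
    $zone | Select-Object ZoneName, IsDsIntegrated, ReplicationScope
} else {
    "No separate _msdcs zone; the records are held under the $domain zone (Windows 2000 layout)."
}
```

For a fuller report run `dcdiag /test:dns /v` on a domain controller; it checks forwarders, delegation and dynamic registration in one pass.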

Design the domain model

As in Windows NT, a domain in Windows 2000 is an administrative boundary, and it's also an Active Directory partition, the unit of replication. Unlike an NT domain, however, it isn't a hard security boundary: every domain in a forest shares the schema and configuration partitions, and an administrator of any domain can affect the whole forest, so the forest is the real security boundary. As the name space within the Active Directory is hierarchical, the domain structure in Windows 2000 is made up of a series of parent/child relationships between the different domains. These domain structures are called trees and forests.

Trees are hierarchies of domains linked by trust relationships. Each tree shares a contiguous name space. A forest is a set of trees linked together via trust relationships. The trees that are joined together at the top level of the forest don't necessarily have to share the same name space.

During your domain model design, you'll have to decide upon this domain structure, how many domains you want, how they'll fit together in trust relationships and how they'll be linked to your namespace design.

Design the organizational units

Within a domain, you build the Active Directory from a collection of organizational units (OUs), which form the base of the hierarchical representation of objects within that domain. When designing your OU hierarchy, you'll probably want to start off by examining your organization's administrative support hierarchy.

An OU is a general object container. It can contain any object in the domain, including other OUs. OU design is tightly linked to the Group Policy Object design. You use Group Policy Objects to centralize control over user environments. You can also use OUs to delegate administrative control to a particular group of users without allowing them to have administrative permissions for other objects in the domain.

The challenge is that designers are looking at this structure from a delegation of administration perspective as well as from a policy inheritance and object organization view. The best way to design an OU structure is to look at how objects are managed within the company today. This should form the basis for the delegation and therefore the tree of organizational units. An OU structure shouldn't necessarily look like an organizational chart.
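Delegation is what makes the OU design a security design. The script below is an added example, not code from the article or its authors: it grants a help-desk group the right to reset passwords on user objects under one OU and nothing else in the domain, which is the scenario the paragraphs above describe. It assumes the RSAT ActiveDirectory module (which provides the AD: drive); the OU name OU=Sales,DC=corp,DC=example,DC=com and the group HelpDesk-Sales are placeholders. The two GUIDs are the well-known schema identifiers of the Reset Password control-access right and the user object class.

```powershell
# Added example: delegate "reset password" on user objects in one OU to one group.
# Assumptions: RSAT ActiveDirectory module; OU and group names are placeholders.
Import-Module ActiveDirectory

$ouDn  = "OU=Sales,DC=corp,DC=example,DC=com"
$group = Get-ADGroup -Identity "HelpDesk-Sales"
$sid   = [System.Security.Principal.SecurityIdentifier] $group.SID

# Well-known GUIDs: the Reset Password control-access right (User-Force-Change-Password)
# and the schemaIDGUID of the user class. Scoping the ACE to the user class keeps the
# group from touching computers, groups or nested OUs.
$resetPasswordRight = [Guid] "00299570-246d-11d0-a768-00aa006e0529"
$userClass          = [Guid] "bf967aba-0de6-11d0-a285-00aa003049e2"

# Resetting a password also writes pwdLastSet, so look up that attribute's GUID.
$pwdLastSetGuid = [Guid] (Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -LDAPFilter "(lDAPDisplayName=pwdLastSet)" -Properties schemaIDGUID).schemaIDGUID

$acl = Get-Acl -Path "AD:\$ouDn"

# ACE 1: the extended right, inherited by descendant user objects only.
$resetRule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

# ACE 2: read/write of the single pwdLastSet property on the same objects.
$pwdRule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$acl.AddAccessRule($resetRule)
$acl.AddAccessRule($pwdRule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: exactly these two ACEs should appear for the group, both object-scoped.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\HelpDesk-Sales" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Two caveats a practitioner should know: accounts protected by AdminSDHolder (members of Domain Admins and similar groups) don't inherit OU permissions, so this delegation can't be used to reset administrator passwords, which is exactly the intended outcome; and a delegation applied to an OU that later gets reorganized moves with the OU, not with the people, which is why the OU tree should follow administrative responsibility rather than the org chart.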

Design security

Windows 2000 provides easier security management and stronger security features, but they also add complexity to your overall Active Directory design. You'll have to decide how you'll harden your domain controllers; how you'll set up access control on your Active Directory, file system and registry objects; how you'll set up auditing; and whether you'll need any third-party tools to provide additional security features such as centralized auditing, advanced alerting, intrusion detection, integrity protection and hard disk-level encryption.

Windows 2000 also comes with remarkable public-key infrastructure (PKI) capabilities. The Windows 2000 PKI can be tightly integrated with Active Directory and thus leverage the effort and cost you put in your Active Directory design.
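Auditing on a directory needs two things that are easy to get half right: the audit policy on the domain controllers and a SACL on the objects you care about; either one alone produces no events. The script below is an added example, not from the article or its authors, that enables directory-service auditing and audits writes and deletions of user objects under one OU. It assumes Windows Server 2008 or later (auditpol subcategories, event IDs 5136/5141) and the RSAT ActiveDirectory module; the OU name is a placeholder. Run the auditpol part on each domain controller, or set the equivalent Advanced Audit Policy in the Default Domain Controllers GPO.

```powershell
# Added example: enable DS auditing and audit changes to user objects in one OU.
# Assumptions: Windows Server 2008+ and RSAT AD module; the OU name is a placeholder.

# 1. Audit policy on the DC: success and failure for directory access and changes.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Access"  /success:enable /failure:enable
auditpol /get /category:"DS Access"

# 2. SACL on the OU: without an audit ACE, a change produces no 5136 event.
Import-Module ActiveDirectory
$ouDn      = "OU=Sales,DC=corp,DC=example,DC=com"
$everyone  = [System.Security.Principal.SecurityIdentifier] "S-1-1-0"
$userClass = [Guid] "bf967aba-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of class user

$acl = Get-Acl -Path "AD:\$ouDn" -Audit
$auditRule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $everyone,
    ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
     [System.DirectoryServices.ActiveDirectoryRights]::Delete),
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAuditRule($auditRule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 3. Read back what is now logged: 5136 = attribute modified, 5141 = object deleted.
# The first line of the message is enough to see who changed which object.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5141 } -MaxEvents 50 |
    Where-Object { $_.Message -match [regex]::Escape($ouDn) } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Forward the Security log from every domain controller to a central collector; the events are written only on the DC that processed the change, so a local log alone is not a usable audit trail.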

Design the site topology

The Windows 2000 site topology is a logical model, layered on top of the physical network that must accurately reflect the underlying network topology. In Windows 2000, the site topology sits above the physical network layer and below the domain structure layer.

It's important to make a distinction between domain structure design and site topology design. Sites reflect the physical location of user communities and the network links between them, whereas domains contain objects. A domain is mapped to a site by placing a domain controller for that domain within the site. A site never holds a portion of a domain: each domain controller in the site holds a full replica of its domain. If a GC is placed in a site, a partial replica of every object in the forest becomes available locally. Conversely, if a site contains no domain controller or GC, it's essentially useless: no objects are available within the site, and its users authenticate across the WAN.
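As an added example (not code from the article or its authors), the following script models two locations as sites, maps their subnets, links them and then checks the property the paragraph above insists on: that every site actually holds a domain controller, and a GC where users must log on while the WAN is down. It assumes the RSAT ActiveDirectory module replication cmdlets (Windows Server 2012 or later); the site names, subnets and DC names are placeholders.

```powershell
# Added example: define a two-site topology and check that each site is usable.
# Assumptions: RSAT AD module (Server 2012+); Brussels/Paris, subnets, DC1/DC2 are placeholders.
Import-Module ActiveDirectory

New-ADReplicationSite -Name "Brussels"
New-ADReplicationSite -Name "Paris"

# Subnet objects are what map a client (or DC) to a site. A client whose address
# matches no subnet is "siteless" and may pick a DC on the far side of the WAN.
New-ADReplicationSubnet -Name "10.10.0.0/16" -Site "Brussels"
New-ADReplicationSubnet -Name "10.20.0.0/16" -Site "Paris"

# One site link; cost and interval are what the KCC uses to schedule inter-site replication.
New-ADReplicationSiteLink -Name "Brussels-Paris" -SitesIncluded "Brussels", "Paris" `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# Domain controllers are created in Default-First-Site-Name; move them to their real sites.
Move-ADDirectoryServer -Identity "DC1" -Site "Brussels"
Move-ADDirectoryServer -Identity "DC2" -Site "Paris"

# Check: a site with no DC serves nobody; a site with no GC can't complete logons
# (universal group membership) when the WAN link is down.
Get-ADReplicationSite -Filter * | ForEach-Object {
    $site = $_.Name
    $dcs  = @(Get-ADDomainController -Filter { Site -eq $site })
    $nets = @(Get-ADReplicationSubnet -Filter * | Where-Object { $_.Site -like "CN=$site,*" })
    [pscustomobject]@{
        Site    = $site
        DCs     = ($dcs.HostName -join ', ')
        HasGC   = [bool]($dcs | Where-Object { $_.IsGlobalCatalog })
        Subnets = ($nets.Name -join ', ')
        Warning = if ($dcs.Count -eq 0) { 'no DC in site' } elseif ($nets.Count -eq 0) { 'no subnet mapped' } else { '' }
    }
} | Format-Table -AutoSize
```

After the KCC has run (or after `repadmin /kcc`), `repadmin /replsummary` shows whether replication between the two sites is actually succeeding within the configured interval.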

Plan for Active Directory capacity

One major benefit of migrating to Windows 2000 is the ability to consolidate servers, including the total number of domains and domain controllers, to reduce the cost of hardware, troubleshooting and management.

Planning for consolidation involves sizing domain controllers and GCs. During this process, you'll want to pay particular attention to the choice of server and storage hardware. The trend in scalable designs is to separate the server sizing and storage design. This greatly simplifies the approach. You should address CPU and memory considerations in the server design and I/O subsystem and I/O performance in the storage design.

Design backup and restore strategy

A side effect of server consolidation is that unavailability of your Active Directory infrastructure becomes more expensive. The Active Directory's multimaster architecture supports replication between domain controllers, so as long as one Active Directory domain controller is available, you're likely to be safe. Nonetheless, you'll need to design a backup and restoration strategy. You can't rely on replication when replication is unacceptably slow (and much slower than a restore), when a link to a remote site is unpredictable or when a site contains a very large subset of your Active Directory population.
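The following is an added example, not code from the article or its authors, of the two checks that decide whether a directory backup is worth anything: that a recent system-state backup exists, and that it is younger than the forest's tombstone lifetime, because a backup older than that can't be restored without reintroducing deleted objects. It assumes Windows Server Backup (wbadmin and the WindowsServerBackup module) and the RSAT ActiveDirectory module; E: is a placeholder backup target.

```powershell
# Added example: back up a DC's system state and check the backup against the tombstone lifetime.
# Assumptions: Windows Server Backup installed; RSAT AD module; E: is a placeholder target.
Import-Module ActiveDirectory
Import-Module WindowsServerBackup

# System state = ntds.dit, SYSVOL, registry, certificate store: everything a DC needs.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# Tombstone lifetime: how long deleted objects are remembered. Restoring a backup
# older than this would resurrect objects that every other DC has already forgotten.
$configNc = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                -Properties tombstoneLifetime
$tsl = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 60 }  # unset = 60 days
"Tombstone lifetime: $tsl days"

# Age of the newest successful backup on this DC.
$last = (Get-WBSummary).LastSuccessfulBackupTime
if (-not $last) {
    Write-Warning "No successful backup recorded on this domain controller."
} else {
    $ageDays = [int]((Get-Date) - $last).TotalDays
    "Last successful backup: $last ($ageDays days ago)"
    if ($ageDays -ge $tsl) {
        Write-Warning "Backup is older than the tombstone lifetime and is no longer restorable."
    } elseif ($ageDays -ge ($tsl / 2)) {
        Write-Warning "Backup is more than half the tombstone lifetime old; schedule a new one."
    }
}

# Per-partition view of the last backup, as recorded in the directory itself.
repadmin /showbackup
```

Replication will not bring back an object that an administrator deleted; it will faithfully replicate the deletion. Recovering a deleted OU means restoring a backup in Directory Services Restore Mode and marking the subtree authoritative with ntdsutil, so rehearse that procedure on a lab DC as part of the design, not after the first accident.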

Plan the migration

Migrating to Windows 2000 involves several preparation steps and a thorough understanding of migration techniques and their implications. Before attempting the migration, you must have in place a full design of your Windows 2000 infrastructure. The design phase defines what the future infrastructure will look like. The migration phase defines the steps involved in getting there.

The migration phase should provide a strategy for migrating the current infrastructure to Windows 2000 without interrupting daily business. This is a challenging aspect of the migration. Global corporations may have a large existing infrastructure composed of many Windows NT 4.0 domains.

Windows 2000 is more than a major upgrade -- it's a whole new operating system that was designed with the enterprise in mind. Before attempting to design an Active Directory infrastructure you should carefully understand the replication topology required for effectively disseminating data throughout the enterprise at a reasonable cost. Understanding how the schema must evolve, what objects should be published in Active Directory, how Active Directory will integrate with the DNS name space and who needs to have access to what Active Directory objects are prerequisites for a successful Active Directory design.

Jan De Clercq and Micky Balladelli are the authors of Mission-Critical Active Directory (Digital Press, 2001).

Jan De Clercq is a senior consultant in Compaq Computer Corp.'s Technology Leadership Group. He is based in Belgium and focuses on Windows 2000, Exchange 2000 and .Net security. He can be reached at jan.declercq@compaq.com. Micky Balladelli is a fellow at Avanade Inc. in France focusing on Windows 2000 services. He is a speaker at various Microsoft and Windows 2000 related conferences and has worked with multiple companies on the design of their Windows 2000 infrastructures. He can be reached at mickyb@avanade.com.

Copyright © 2001 IDG Communications, Inc.