Managing Active Directory Forests in the Business Wilderness - Page 2
Collecting data, including "interoperability influences"
Planning should also include collection of "physical, political, and emotional" data. "What are our locations? How centralized are we? Who has authority? Who trusts whom?" asks Marks. "Maybe Chicago is its own domain. Who will give things up? Who will say, 'You need a new server? No problem!'"
In addition, team members should "identify interoperability influences" on AD. "Unix, Linux, Win9x, Win3x, WinXP, WinME — will they all have to interoperate?"
Even beyond OS issues, administrators should look at whether Windows 2000/2003 features such as IPsec, IntelliMirror, and ZAW will come into play. Other pieces of the interoperability picture include services such as e-mail, databases, Kerberos security, and certificate servers.
Parting the Forests
"How many trees will there be? How many forests? How many domains in the forests?" he continues. One of the toughest areas for AD administrators is figuring out how to set up forests, according to Marks.
Forests, trees, and domains all revolve around the W2K ownership concept. "In Windows NT Domains, a single 'person' owned everything. AD allows us to separate into two different roles."
"Service owners" oversee service availability, while "data owners," in contrast, are responsible for data maintenance and day-to-day administration.
"Forest owners" are "service owners," too, since they are "ultimately responsible for the delivery of directory services in the forest." Forest owners establish policies for the forest, as well as processes for making changes to the shared configuration.
Moreover, forest owners are also "gatekeepers for new domains." It is the forest owner who assigns domain owners – and these domain owners are, themselves, service owners.
Three Forest Models
The trainer recommends the following best practices for using each of the three forest models.
Forest Model #1: Strong Central Control
Under this model, all business units share a centralized Directory Services (DS) infrastructure.
Forest Model #2: Hybrid/Subscription
Here, business units can decide to either opt-in or opt-out of the centralized infrastructure.
Forest Model #3: Distributed Infrastructure
In this case, each business unit maintains a separate DS infrastructure.
In assigning forests, organizations should weigh "administrative autonomy" versus "collaboration." Model #2 looks like a good choice "if nobody likes each other – but they have to deal with each other," quips Marks. Model #3 can work out better if "nobody likes each other – and they aren't talking to each other, either."
Teams should also create a list of candidate forest owners, starting with IT groups that are chartered to deliver directory services. These might include owners of previously deployed forests, as well as owners of Windows NT Master User Domains (MUDs).
AD trees, by the way, "do not really exist," according to Marks. "A tree is just a set of domains with a shared DNS root."
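To turn the "How many trees, how many domains, who trusts whom?" questions into a written inventory, the following PowerShell is an added example (not from the article or the trainer) that walks every domain in the current forest up to its tree root, groups the domains into trees, and lists the trust objects visible from the current domain. It assumes the RSAT ActiveDirectory module and an ordinary domain-joined account with read access.

```powershell
# Added example (not from the article): inventory a forest's domains, group them
# into trees by walking each domain's ParentDomain up to a tree root, and list
# trusts. Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

# Group domains into trees from a map of DNSRoot -> ParentDomain.
# A domain with no parent is a tree root; every other domain hangs off one.
function Group-DomainsIntoTrees {
    param([hashtable]$ParentOf)   # DNSRoot -> ParentDomain ($null for a tree root)
    $trees = @{}
    foreach ($domain in $ParentOf.Keys) {
        $root = $domain
        while ($ParentOf[$root]) { $root = $ParentOf[$root] }   # climb to the root
        if (-not $trees.ContainsKey($root)) { $trees[$root] = @() }
        $trees[$root] += $domain
    }
    return $trees
}

$forest   = Get-ADForest
$parentOf = @{}
foreach ($d in $forest.Domains) {
    $info = Get-ADDomain -Identity $d
    $parentOf[$info.DNSRoot] = $info.ParentDomain   # $null when $d is a tree root
}

"Forest: $($forest.RootDomain)  (mode: $($forest.ForestMode))"
$trees = Group-DomainsIntoTrees -ParentOf $parentOf
"Trees: $($trees.Count)   Domains: $($parentOf.Count)"
foreach ($root in $trees.Keys) {
    "  Tree rooted at $root"
    foreach ($d in ($trees[$root] | Sort-Object)) { "    $d" }
}

# "Who trusts whom?" - each trust object visible from this domain, with its direction.
"Trusts:"
Get-ADTrust -Filter * | ForEach-Object {
    "  $($_.Source) -> $($_.Target): $($_.Direction), forest-transitive = $($_.ForestTransitive)"
}
```

Run it once per forest when collecting the planning data; a forest with more than one tree root, or a trust whose direction nobody can explain, is exactly the kind of finding the "who trusts whom" question is meant to surface.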