Managing Active Directory Forests in the Business Wilderness
A successful migration to Microsoft's Windows Active Directory (AD) calls for a team effort between business and technical managers. In setting up AD, it can sometimes be tough to tell the "forests" from the "trees," which is why pre-deployment planning is so important. Administrators should be careful to choose forest models that fit the business needs of their organizations.
Analyst firms have long recognized the need for sound planning in W2K AD deployments. "Aberdeen research indicates that several early adopters are now paying a high price for not including administration and management planning in the directory design process," wrote analysts at the Aberdeen Group, in a report issued back in the year 2000.
Active Directory planning should ideally be performed by a team of at least three people, advised Howard Marks, chief scientist at Networks Are Our Lives, Inc., in a "best practices" session at the recent PC Expo/TechNYXpo in New York City. "You need a 'champion' to get approval from above and run interference with politics," says Marks. Other roles include a "technical architect," for defining business goals and overseeing technical decision-making, and a project manager, for keeping track of progress on the design timetable.
Marks told the story of a large consulting firm that was hired to help out an internal project team in an implementation at a manufacturing plant. The week after the consultants arrived, however, top brass at the manufacturing plant decided to close down the plant. Evidently, communications could have been a lot clearer between the internal project team and business managers.
What does the company want to do?
According to Marks, before assembling an implementation team, administrators should conduct a careful analysis of what the company wants to do.
- First, identify the underlying business need. "This is the most difficult part," notes Marks.
- Establish goals, constraints, and resource requirements. "I want 3,000 servers to be running overnight, with no downtime, and no use of consultants," he illustrates.
- Agree on a project charter, approach, and timetable.
Collecting data, including "interoperability influences"
Planning should also include collection of "physical, political, and emotional" data. "What are our locations? How centralized are we? Who has authority? Who trusts whom?" asks Marks. "Maybe Chicago is its own domain. Who will give things up? Who will say, 'You need a new server? No problem!'"
In addition, team members should "identify interoperability influences" on AD. "Unix, Linux, Win9x, Win3x, WinXP, WinME — will they all have to interoperate?"
Even beyond OS issues, administrators should look at whether Windows 2000/2003 features such as IPsec, IntelliMirror, and ZAW will come into play. Other pieces of the interoperability picture include services such as e-mail, databases, Kerberos security, and certificate servers.
Parting the Forests
"How many trees will there be? How many forests? How many domains in the forests?" he continues. One of the toughest areas for AD administrators is figuring out how to set up forests, according to Marks.
Forests, trees, and domains all revolve around the W2K ownership concept. "In Windows NT Domains, a single 'person' owned everything. AD allows us to separate into two different roles."
"Service owners" oversee service availability, while "data owners," in contrast, are responsible for data maintenance and day-to-day administration.
"Forest owners" are "service owners," too, since they are "ultimately responsible for the delivery of directory services in the forest." Forest owners establish policies for the forest, as well as processes for making changes to the shared configuration.
Moreover, forest owners are also "gatekeepers for new domains." It is the forest owner who assigns domain owners – and these domain owners are, themselves, service owners.
Three Forest Models
The trainer recommends the following best practices for using each of three forest models.
Forest Model #1: Strong Central Control
Under this model, all business units share a centralized Directory Services (DS) infrastructure.
Forest Model #2: Hybrid/Subscription
Here, business units can decide to either opt-in or opt-out of the centralized infrastructure.
Forest Model #3: Distributed Infrastructure
In this case, each business unit maintains a separate DS infrastructure.
In assigning forests, organizations should weigh "administrative autonomy" versus "collaboration." Model #2 looks like a good choice "if nobody likes each other – but they have to deal with each other," quips Marks. Model #3 can work out better if "nobody likes each other – and they aren't talking to each other, either."
Teams should also create a list of candidate forest owners, starting with IT groups that are chartered to deliver directory services. These might include owners of previously deployed forests, as well as owners of Windows NT Master User Domains (MUDs).
AD trees, by the way, "do not really exist," according to Marks. "A tree is just a set of domains with a shared DNS root."
More than 1500 users? How about a dedicated root domain?
If your network has more than 1500 users, you should probably use a dedicated root domain, says Marks. The dedicated root domain establishes clear separation between forest owners and other administrators. It also allows for easy transfer of forest ownership.
"By definition, a dedicated root domain has at least one level of child domains," he notes. Generally speaking, it's better practice to use geographic domains than organization domains. Geographic domains typically map well to both IT organizational structures and wide area network (WAN) layouts. Geography is also "relatively unchanging."
Organization domains, on the other hand, should only be used under certain circumstances. "If the company restructures frequently – or if it is subject to merger or acquisition – you might want to use organization domains."
Most often, though, if an organization within an enterprise wants to remain autonomous, it makes more sense to create a separate forest. AD is set up so that "forest owners must trust their domain owners, and domain owners within a forest must trust each other," he says.
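The forest-versus-domain decision described above can be checked against a running deployment. The following PowerShell script is an added example, not code from the article or from Marks; it uses only read-only cmdlets from the ActiveDirectory module (Get-ADForest, Get-ADDomain, Get-ADUser, Get-ADTrust) to report whether the root domain looks dedicated, how child domains nest under it, and which trusts cross the forest boundary. The user-count cutoff used to call a root "dedicated" is an assumed value chosen for this example; the article gives no number.

```powershell
# Added example (not from the article): audit the forest layout discussed above.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined account with read access.
Import-Module ActiveDirectory

function Get-ForestLayoutReport {
    param(
        # Hypothetical cutoff: a root domain holding more user objects than this is
        # treated as a working domain rather than a dedicated (empty) root.
        [int]$MaxRootUsers = 10
    )

    $forest = Get-ADForest
    $root   = Get-ADDomain -Identity $forest.RootDomain

    # Count user objects in the root domain, querying a DC of that domain explicitly.
    $rootUsers   = @(Get-ADUser -Filter * -Server $root.PDCEmulator)
    $isDedicated = ($root.ChildDomains.Count -gt 0) -and ($rootUsers.Count -le $MaxRootUsers)

    # One row per domain: where it sits in the tree and which DC holds the PDC emulator role.
    $domains = foreach ($d in $forest.Domains) {
        $info = Get-ADDomain -Identity $d
        [pscustomobject]@{
            Domain      = $info.DNSRoot
            Parent      = $info.ParentDomain
            IsRoot      = ($info.DNSRoot -eq $forest.RootDomain)
            Children    = ($info.ChildDomains -join ', ')
            PDCEmulator = $info.PDCEmulator
        }
    }

    # Trusts show where the forest boundary is crossed (other forests, external domains).
    # Domains inside one forest trust each other implicitly, which is the point the
    # article makes about forest owners and domain owners having to trust one another.
    $trusts = Get-ADTrust -Filter * |
        Select-Object Name, Direction, TrustType, ForestTransitive

    [pscustomobject]@{
        Forest        = $forest.Name
        ForestMode    = $forest.ForestMode
        RootDomain    = $forest.RootDomain
        RootUserCount = $rootUsers.Count
        DedicatedRoot = $isDedicated
        Domains       = $domains
        Trusts        = $trusts
    }
}

$report = Get-ForestLayoutReport
$report | Select-Object Forest, ForestMode, RootDomain, RootUserCount, DedicatedRoot | Format-List
$report.Domains | Format-Table -AutoSize
$report.Trusts  | Format-Table -AutoSize
```

A root domain with no child domains, or one carrying ordinary user accounts, fails the "dedicated" check and means forest ownership is not cleanly separated from day-to-day administration. Any entry in the trust table marks a place where a separate forest or external domain has been joined to this one and deserves the same scrutiny as a new domain owner.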
More than 100,000 users? Go directly to Windows 2003
For networks of more than 100,000 users, Windows Server 2003 Active Directory is a better choice, in Marks' opinion. Early users of Windows 2003 AD include, for instance, Enterasys Networks; Det Norske Veritas (DNV), a Norway-based risk management services provider; and JR East Japan Information Systems Company, a subsidiary of East Japan Railroad Company.
Windows 2003 AD brings a number of improvements in management, deployment, security, performance, and dependability, according to Microsoft officials. Examples include cross-forest authentication; cross-forest authorization; Microsoft Group Policy Management Console (MGPMC), for managing all Group Policy-related tasks; and Active Directory/Application Mode (AD/AM), a feature addressing application-related deployment scenarios.
Active Directory deployment is no trivial matter, on either the technical or business side. The setup of AD forests and domains needs to dovetail with business needs. Sound and thorough planning is absolutely essential.