Examining the Current Infrastructure


At this point, we have been going on and on about the theory of what is necessary to document and discover about the current network. Before we end the chapter, we will run through a quick summary of the data you should be collecting. We will concentrate on two main scenarios: Windows NT 4 infrastructure and Windows 2000 Active Directory infrastructure.

Current Directory Service

Depending on the directory service that is in place, you will have to document certain information. Active Directory has the potential to hold detailed information about the resources within the network environment, whereas NT 4 does not have that ability from the native utilities. Make sure you are as detailed as possible when gathering and documenting the following information.

Windows NT 4

The Windows NT 4 directory service was very limited in the amount of information it provided. However, if Exchange 5.5 exists within the network, additional information is available. The Exchange 5.5 directory service is the precursor to Active Directory: it is an X.500-based, Lightweight Directory Access Protocol (LDAP)-compliant directory that can hold information about accounts that the default NT 4 account database cannot.

Starting at the highest level, the first thing to document is the layout of the domain structure. If you are working with a simple single-domain design, this will not entail very much documentation. Do take note of the domain name, because it will more than likely remain the NetBIOS domain name within Active Directory. If there are several domains within the existing structure, document all of the domains and the domain names for each. Along with this information, you should also note the reason for each domain's existence. Many organizations use domains as a method of organizing resources. Account domains hold user and group accounts and the computer accounts for the domain, usually just the domain controllers. Resource domains house the resources that the users and groups need access to. This usually encompasses the member servers that are responsible for making printers, shared folders, applications, and other resources available.

Trust relationships should also be documented at this level so that the relationship between the domains is understood. Windows NT 4 trusts are one-way and nontransitive. A trust defines only which domain is trusted, so that accounts from the trusted domain can be granted access to resources in the trusting domain. It does not let users reach resources in any domain that has not explicitly created a trust with their account domain.

In Figure 2.4, the trust relationship in which Domain A trusts Domain B will not allow users from Domain C to access resources in Domain A, even though Domain B trusts Domain C. For users from Domain C to reach resources in Domain A, a separate trust would have to be created in which Domain A trusts Domain C.


Figure 2.4: Nontransitive trust relationships

For each of the domain controllers, record the type of domain controller: Primary Domain Controller (PDC) or Backup Domain Controller (BDC). Because the PDC holds the only writable copy of the domain's account database, it will usually be located close to where the administrative staff is located. The BDCs hold read-only copies and will be located close to the client population to allow efficient authentication for the accounts. As changes are made to accounts within the domain, the PDC replicates those changes to the BDCs. Investigate the replication schedule to determine when replication to the BDCs is allowed.

Figure 2.5 shows a diagram of the domain structure for a Windows NT 4 directory service and the information that you need when you are designing the upgrade of the directory service to Active Directory.

Figure 2.5: Windows NT 4 domain structure

Next, you need to document the administrative control over the resources on the network. This includes the domains themselves. Later you will want to review this information to determine whether the current administrators still need to have control of those domains and resources. You will also be able to determine who needs to have administrative control over organizational units if the domain structure is collapsed. An example of the resource administrative design is shown in Figure 2.6.

Figure 2.6: Administrative delegation

Windows 2000 Active Directory

The reason most organizations move from a Windows 2000-based Active Directory design to Windows Server 2003 Active Directory is to take advantage of the new and updated tools and utilities. Usually, the domain structure remains the same when moving to Windows Server 2003, but you are still able to rework it if you want. In fact, Windows Server 2003 adds forest trusts for better integration between forests, and tools that allow you to rename domains and domain controllers.

Just as in the Windows NT 4 environment, you want to document the domain structure and interrelationships. This includes the administrative control for all of the domains and any trusts that have been created between forests, as well as shortcut trusts between domains. If any Windows NT 4 domains are still within the infrastructure, make sure to note them along with the trust path.
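The nontransitive rule illustrated by Figure 2.4 and the trust paths you are asked to record for a Windows 2000 forest can both be checked mechanically once the trusts are written down. The following Python model is an added example, not code from the study guide; the domain names A, B and C, the corp.example forest and the NT 4 domain LEGACY are constructed sample data, and the model covers one-way/two-way and transitive/nontransitive trusts only (forest trusts, SID filtering and selective authentication are not modelled).

```python
"""Model documented trust relationships and answer the design question:
can accounts from domain X be granted access to resources in domain Y,
and through which domains does the trust path run?

Added example, not from the study guide.  Domain names are constructed.
"""
from collections import deque
from typing import Dict, List, Optional, Tuple


class TrustGraph:
    def __init__(self) -> None:
        # trusts[trusting] -> list of (trusted, transitive)
        self.trusts: Dict[str, List[Tuple[str, bool]]] = {}

    def add_trust(self, trusting: str, trusted: str, *, transitive: bool,
                  two_way: bool = False) -> None:
        """`trusting` trusts `trusted`: accounts from the trusted domain can
        be granted access to resources in the trusting domain."""
        self.trusts.setdefault(trusting, []).append((trusted, transitive))
        self.trusts.setdefault(trusted, [])
        if two_way:
            self.trusts[trusted].append((trusting, transitive))

    def trust_path(self, resource_domain: str,
                   account_domain: str) -> Optional[List[str]]:
        """Domains traversed, resource domain first, to reach the account
        domain, or None if no usable trust exists.  A nontransitive trust
        is usable only as a direct, single-hop relationship; any longer
        path must consist entirely of transitive trusts."""
        if resource_domain == account_domain:
            return [resource_domain]
        for trusted, _ in self.trusts.get(resource_domain, []):
            if trusted == account_domain:
                return [resource_domain, trusted]
        queue = deque([[resource_domain]])      # breadth-first: shortest path
        seen = {resource_domain}
        while queue:
            path = queue.popleft()
            for trusted, transitive in self.trusts.get(path[-1], []):
                if not transitive or trusted in seen:
                    continue
                seen.add(trusted)
                if trusted == account_domain:
                    return path + [trusted]
                queue.append(path + [trusted])
        return None

    def access_matrix(self) -> Dict[str, List[str]]:
        """For each resource domain, the account domains whose users could
        be granted access: the table to record in the design document."""
        domains = sorted(self.trusts)
        return {res: [acct for acct in domains
                      if acct != res and self.trust_path(res, acct) is not None]
                for res in domains}


def nt4_example() -> TrustGraph:
    """Figure 2.4: A trusts B and B trusts C, both one-way and nontransitive."""
    g = TrustGraph()
    g.add_trust("A", "B", transitive=False)
    g.add_trust("B", "C", transitive=False)
    return g


def forest_example() -> TrustGraph:
    """Constructed Windows 2000 forest: parent-child trusts are two-way and
    transitive; the external trust to NT 4 domain LEGACY is one-way and
    nontransitive."""
    g = TrustGraph()
    g.add_trust("na.corp.example", "corp.example", transitive=True, two_way=True)
    g.add_trust("eu.corp.example", "corp.example", transitive=True, two_way=True)
    g.add_trust("west.na.corp.example", "na.corp.example", transitive=True, two_way=True)
    g.add_trust("na.corp.example", "LEGACY", transitive=False)
    return g


if __name__ == "__main__":
    nt4 = nt4_example()
    print("C -> A:", nt4.trust_path("A", "C"))          # None until A trusts C
    forest = forest_example()
    print("eu accounts on west resources:",
          forest.trust_path("west.na.corp.example", "eu.corp.example"))
    forest.add_trust("west.na.corp.example", "eu.corp.example",
                     transitive=True, two_way=True)     # shortcut trust
    print("with shortcut trust:",
          forest.trust_path("west.na.corp.example", "eu.corp.example"))
    print(forest.access_matrix())
```

trust_path answers the Figure 2.4 question (users from C cannot reach A until A trusts C directly, and the external trust to LEGACY does not extend to the child domain west.na.corp.example) and shows why a shortcut trust shortens the referral chain between west.na.corp.example and eu.corp.example from four domains to two; access_matrix produces the resource-domain/account-domain table worth recording alongside the trust diagram.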

When documenting the administrative control that has been delegated, you want to identify not only the domain administration but also the OUs and the delegation of authority that has been granted to other users or groups. This may seem like more information to document than under the NT 4 model, but although there are more OUs, there are usually fewer domains, and the OUs follow a more logical administrative design. Figure 2.7 shows an example listing of the domain and OU administrative design mapped out.

Figure 2.7: Windows 2000 Active Directory administration document

Along with the administrative layout, network services should be identified and documented. These services include domain controllers, DNS and WINS servers, file and print servers, application servers, replication bridgehead servers, and others that may be within your environment. The documentation should include a listing of the sites within the organization and the resources within those sites.

For those sites where WAN links exist, you should document the current capacity of those links along with the current amount of data throughput. Without this information, you will not be able to identify the WAN links that need to be upgraded or where additional links should be added to augment the capacity. Active Directory replication needs to travel across these links. By determining how the links are currently used, you will understand the traffic patterns and have a basis for planning the replication timing for the new design.

Using a tool such as Performance Logs And Alerts, you can monitor the traffic to identify the current traffic patterns. This aids in determining when the links are used and the peak usage times. With Network Monitor, you can capture network traffic to determine what type of traffic is traveling on the WAN and then use that information to optimize the traffic.
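The link capacity and throughput figures described above only become useful once they are reduced to three answers per link: is it saturated, when is it quiet, and does a replication batch fit in the quiet window. The following Python script is an added example, not from the study guide. The link names TOL-HQ and DET-HQ, their capacities and the hourly averages are constructed values standing in for counters exported from Performance Logs And Alerts; the 70% busy and 30% quiet thresholds, the "three busy hours means upgrade candidate" rule and the decimal unit conventions are assumptions you would adjust to your own environment.

```python
"""Reduce WAN-link throughput samples to the figures the design needs:
utilization, saturated hours, and the longest off-peak window available for
Active Directory replication.

Added example, not from the study guide.  All link data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class LinkBaseline:
    name: str
    capacity_kbps: int
    hourly_kbps: List[int]   # 24 hourly average loads; index 0 is 00:00-01:00

    def utilization(self) -> List[float]:
        """Fraction of link capacity used in each hour."""
        return [load / self.capacity_kbps for load in self.hourly_kbps]

    def busy_hours(self, threshold: float = 0.7) -> List[int]:
        """Hours at or above `threshold` utilization."""
        return [h for h, u in enumerate(self.utilization()) if u >= threshold]

    def quiet_window(self, threshold: float = 0.3) -> Tuple[int, int]:
        """Longest run of consecutive hours below `threshold` utilization,
        as (start_hour, length).  The day is treated as circular so a window
        spanning midnight (the usual case) is found."""
        util = self.utilization()
        n = len(util)
        if all(u < threshold for u in util):
            return (0, n)
        best_start, best_len = 0, 0
        run_start, run_len = None, 0
        for i in range(2 * n):              # second pass catches the wrap-around
            h = i % n
            if util[h] < threshold:
                if run_start is None:
                    run_start = h
                run_len += 1
                if run_len > best_len:
                    best_start, best_len = run_start, run_len
            else:
                run_start, run_len = None, 0
        return (best_start, best_len)

    def replication_plan(self, megabytes: float, threshold: float = 0.3) -> dict:
        """Estimate whether `megabytes` of replication traffic fits in the
        quiet window using only the headroom left by the observed load.
        Assumes decimal units: 1 MB = 8,000,000 bits, 1 kbps = 1,000 bit/s."""
        start, length = self.quiet_window(threshold)
        if length == 0:
            return {"window_start": None, "window_hours": 0, "fits": False}
        window = [(start + i) % len(self.hourly_kbps) for i in range(length)]
        spare_kbps = min(self.capacity_kbps - self.hourly_kbps[h] for h in window)
        hours_needed = megabytes * 8_000_000 / (spare_kbps * 1000) / 3600
        return {"window_start": start, "window_hours": length,
                "spare_kbps": spare_kbps, "hours_needed": round(hours_needed, 2),
                "fits": hours_needed <= length}


def summarize(links: List[LinkBaseline], replication_mb: float) -> Dict[str, dict]:
    """One row per link: the values to record in the design document."""
    report = {}
    for link in links:
        busy = link.busy_hours()
        plan = link.replication_plan(replication_mb)
        report[link.name] = {
            "peak_utilization": round(max(link.utilization()), 2),
            "busy_hours": busy,
            "upgrade_candidate": len(busy) >= 3,      # assumed rule of thumb
            "quiet_window": (plan["window_start"], plan["window_hours"]),
            "hours_needed": plan.get("hours_needed"),
            "replication_fits": plan["fits"],
        }
    return report


# Constructed sample: a 256 kbps fractional T1 from Toledo to HQ that is
# saturated during the business day, and a lightly loaded T1 from Detroit.
SAMPLE_LINKS = [
    LinkBaseline("TOL-HQ", 256, [20, 15, 15, 18, 25, 40, 90, 150, 210, 230, 225, 215,
                                 170, 220, 228, 222, 200, 140, 80, 50, 35, 30, 25, 20]),
    LinkBaseline("DET-HQ", 1544, [60, 50, 50, 55, 60, 120, 200, 320, 400, 420, 410, 400,
                                  350, 410, 420, 400, 380, 300, 200, 150, 100, 80, 70, 60]),
]

if __name__ == "__main__":
    for name, row in summarize(SAMPLE_LINKS, replication_mb=300).items():
        print(name, row)
```

For the constructed Toledo link the report flags eight business hours above 70% (an upgrade candidate), finds an eleven-hour quiet window starting at 19:00, and shows that a 300 MB replication batch needs about 3.24 hours of the 206 kbps headroom, so scheduling replication inside that window is viable; the Detroit T1 is never busy and could replicate at any time. Feeding real hourly averages in place of the sample lists gives the same three answers for each link in the site topology.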

Software Requirements

It does not matter what operating system the software runs on; at this point, you need only identify what software is in place. Create a list of the servers and the applications and services running on those servers. A simple table should be sufficient to document this information. Table 2.3 shows an example that lists the servers, the applications and services running on them, and the reason each application is in place. You could also add further columns, such as who is responsible for the application or service. Administrative responsibilities have been left out of this table because they may duplicate information recorded elsewhere. You should gather and document as much as you deem necessary. The more comprehensive you are, the more information you will have when making decisions.

Table 2.3: Server/Software Table

Server Name   Service/Application                                            Reason for Implementation
-----------   ------------------------------------------------------------   ------------------------------------------------------------------------
FLEX1         Exchange Server 2000                                           Primary e-mail support for Toledo office
              Internet Information Server (IIS) 5                            Required for Exchange Server 2000
              Simple Mail Transfer Protocol (SMTP) service                   Required for Exchange Server 2000
              Post Office Protocol 3 (POP3) service                          Required for Exchange Server 2000
              Internet Message Access Protocol, version 4 (IMAP4) service    Required for Exchange Server 2000
              Network News Transfer Protocol (NNTP) service                  Required for Exchange Server 2000
              Key Management Server                                          Required for Exchange Server 2000
FLNRSRV       Domain Name Service (DNS)                                      Needed for name resolution for Toledo clients; required for Active Directory (AD)
              Windows Internet Name Service (WINS)                           Toledo client name resolution for NT 4 workstations
              Dynamic Host Configuration Protocol (DHCP)                     IP addressing for Toledo clients
FLDC1         AD Domain Controller                                           Toledo Domain Controller (DC) and Global Catalog (GC)
FLPROJ        Project 2002 Server                                            Toledo management Project repository

Network Requirements

The one thing to remember when documenting the network requirements for the existing system is that the documentation is for the existing system. Do not jump the gun and start thinking about what may need to be put into place; you are gathering this information so that you have enough data to understand how the current network performs. You will use this data to determine where improvements need to be made, or where consolidation can occur.

Keeping that in mind, make sure you baseline the current servers to determine their current usage and capacity. Remember to sample these servers at different times of the day so that you have a representative picture of how they are utilized. You can create logs to review, or you can store the data within a database so that each server and service can be analyzed with ease. Again, the more thorough you are with your data collection, the better the representation of each server's performance will be.

Make a complete inventory of the network devices: hubs, switches, routers, firewalls, and any other device, whether it is a dedicated hardware device or a server performing the function. Take note of the capacities of each of these devices. The current connection types should be inventoried as well so that you know what is in place for WAN connectivity.




MCSE: Windows Server 2003 Active Directory and Network Infrastructure Design Study Guide (70-297)
ISBN: 0782143210
Year: 2004
Pages: 159
Author: Brad Price
Publisher: Sybex
