Lesson 4: Analyzing an Active Directory Design

In this lesson, you'll learn how to analyze and plan an Active Directory design to determine its suitability with respect to the structure of OUs, administration, and security. You'll then investigate several Active Directory designs to determine the issues and advantages to be considered in each.

After this lesson, you will be able to

  • Analyze an Active Directory design to determine its suitability for the upgrade.
  • Identify any conflicts between the design and the migration goals.
  • Maintain administration and security during the upgrade.

Estimated lesson time: 20 minutes

Active Directory and Planning

The goals you set for the migration will determine the final design of Active Directory. Remember that, as with all mapping of goals to their implementation, you'll need to prioritize and compromise. One overriding principle is to keep the design as simple as possible. If your design includes many forests and explicit trusts, you're probably heading in the wrong direction.

Use a move to Active Directory as an opportunity to reduce the number of domains in use. The Windows NT SAM database size limitation and the replication issues raised by large Windows NT domains don't apply to Windows 2000 Active Directory. You can also use OUs to delegate control with a greater granularity than Windows NT was able to provide.

You can organize Active Directory on the basis of the following:

  • Business function. In this design, each OU groups elements of the organization that perform a similar task. For example, sales, marketing, and administration are the more common business functions. In an OU subtree beneath a sales OU, you could have software, hardware, and service OUs to represent the different areas of sales.
  • Geography. In this design, each OU groups elements of the organization along geographical lines throughout the country or world. For example, United States, Asia, and Europe would reflect a geographical OU structure, probably with subtrees of countries or regions below them.
  • Objects. This design creates OUs that group resources in the way you want to protect and access them. An example of an object OU design is shown in Figure 5.7.
  • Hybrid. You might find that whatever OU structure you decide to implement, it can't fully support your design needs because of other conflicting considerations. For example, cultural problems might arise when planning a business OU structure, which might necessitate incorporating a geographical design element in what was originally planned to be a business function OU design.


Figure 5.7 Sample OU hierarchy

There are many ways to arrange your OU structure, such as by project. A project OU design might be appropriate for organizations such as construction companies where several buildings might be under construction at the same time. You might come up with your own unique designs. The important point is that when selecting the optimal arrangement, you should look for the OU model that's least likely to change over time while offering the best potential for expansion.


To design their OU structure and then evolve it, many companies start with the names of resource domains and then see which resources the system policies and mandatory profiles are applied to. For example, if you have a resource domain called SALES and mandatory profiles for SERVICES SALES and PRODUCT SALES, a potential starting OU structure would be a first-level OU named Sales containing two second-level OUs called Services and Products, respectively.
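The mapping just described (resource domain to first-level OU, mandatory profile to second-level OU) can be drafted mechanically from an inventory. The following is an added example, not part of the training kit: it takes constructed domain/profile pairs, strips the domain's name from each profile name to propose a sub-OU, and emits distinguished names under a hypothetical forest root, escaping RDN values per RFC 4514 so that a name containing a comma cannot alter the DN structure. Final OU names (for example "Products" rather than "Product") remain a planning decision taken afterwards.

```python
"""Derive a starting OU hierarchy from Windows NT resource domains and the
mandatory profiles applied within them (constructed planning data)."""
from collections import defaultdict
from typing import Optional

# Constructed sample: (resource domain, mandatory profile) pairs such as an
# inventory of an NT 4.0 environment might produce.
PROFILE_ASSIGNMENTS = [
    ("SALES", "SERVICES SALES"),
    ("SALES", "PRODUCT SALES"),
    ("ENGINEERING", "ENGINEERING FIRMWARE"),
    ("ENGINEERING", "ENGINEERING TEST"),
    ("FINANCE", "FINANCE"),  # profile covers the whole domain: no sub-OU
]

# Hypothetical forest root used for the distinguished names (assumption).
FOREST_ROOT_DN = "DC=example,DC=com"

# Characters RFC 4514 requires to be escaped inside an RDN attribute value.
_DN_SPECIAL = ',+"\\<>;='


def escape_rdn_value(value: str) -> str:
    """Escape an RDN value so an inventory name cannot inject extra RDNs."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, last)
        out.append("\\" + ch if ch in _DN_SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)


def second_level_name(domain: str, profile: str) -> Optional[str]:
    """Remove the domain's name from the profile name; the rest names the sub-OU."""
    tokens = [t for t in profile.upper().split() if t != domain.upper()]
    return " ".join(tokens).title() if tokens else None


def derive_ou_hierarchy(assignments, root_dn=FOREST_ROOT_DN):
    """Return {first-level OU DN: [second-level OU DNs]} for the planned structure."""
    tree = defaultdict(list)
    for domain, profile in assignments:
        top_dn = f"OU={escape_rdn_value(domain.title())},{root_dn}"
        sub = second_level_name(domain, profile)
        if sub is None:
            tree[top_dn]  # register the first-level OU with no children
            continue
        sub_dn = f"OU={escape_rdn_value(sub)},{top_dn}"
        if sub_dn not in tree[top_dn]:
            tree[top_dn].append(sub_dn)
    return dict(tree)
```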

The Active Directory Design as a Goal

Part of your migration objective will be creating the ultimate Active Directory design for your corporation. You must examine this goal in light of any network restrictions; for example, you might need additional hardware to support both a Windows NT and an Active Directory environment during the upgrade process. You need to address these three areas:

  • Forest, tree, and domain arrangement. Determine whether the arrangement of OUs, domains, trees, and forests meets the requirements of the organization, and ensure that the proposed design is practical.
  • Sites design. Examine the sites design to determine any limitations that might affect the upgrade process or restrict the final system; for example, greater network traffic caused by running two parallel systems could affect business continuity during migration. Refer back to the "Site Design" section of the previous lesson for further details.
  • Administration and security. Consider the administration and security plans to ensure that security isn't compromised during the upgrade and that users aren't denied access to resources because of changes to environments. For example, users might encounter RRAS problems in signing on to the mixed environment during migration. Chapter 4, "Assessing Your Network Infrastructure," and Chapter 6, "Performing an Upgrade," discuss RRAS problems and possible solutions.

Forest and Domain Arrangement

In Windows 2000, domains can be grouped together into trees, with a single domain at the root of the tree and others beneath it. As we have seen, all trees within a forest are automatically linked at their root domains via two-way transitive trusts. When analyzing an Active Directory design, you should first consider whether you need more than one forest.

Single Tree or Single Forest

A single-tree design is the easiest to create and manage. The first domain that you upgrade becomes the root of the tree and the forest, and further domains are placed beneath it. As you add each domain, trust relationships are created automatically. The global catalog provides users with a unified view of all resources in the tree.


You might want to create a placeholder Windows 2000 root domain prior to migration. Otherwise, the first Windows NT domain you migrate will become the forest root. If you don't create a placeholder, remember to migrate the desired root domain first, because you can't change the forest root later without completely reinstalling all systems.

A single tree defines the namespace for all the objects within it. If you need a disjoint namespace (in Figure 5.6, microsoft.com and msn.com are roots of separate namespaces), you must form separate trees for each namespace.

Multiple Forests

You might require a multiple-forest environment based on the following needs:

  • Isolate administration. If the microsoft.com and msn.com domains shown in Figure 5.6 want to completely isolate the administration of their networks from one another, separate forests allow each set of administrators to design their own Active Directory schema and maintain their own global catalog.
  • Restrict resource access. In a single forest, the two-way transitive nature of the trusts ensures that resources in any domain can be assigned to users from any other domain. If the resources and users are in separate forests, there are no automatic transitive trusts between them; therefore, only resources explicitly made visible through manually applied trust relationships can be accessed.

However, implementing a multiple-forest Active Directory design is much more complex because you must manually configure all resource access across forests. In addition, the users will be unable to obtain a single, consistent view of available resources. In general, multiple forests are only recommended in cases where you have different subsidiaries that require different schemas, perhaps due to political, cultural, or language biases. Multiple forests can also be useful if you are planning an inter-forest restructure at a later stage of a migration.

Administration and Security During a Migration

You should examine the Active Directory design to decide when to implement its new features and to ensure that they minimize any disruption to the production environment. You must validate all new features in the test environment before deploying them. To properly design an Active Directory solution, you will need to analyze how your administration and security function.

The Administrative Plan

When you examine your existing IT administrative regime in light of the new facilities that Windows 2000 offers, you might decide that the IT culture in the organization will need to be substantially revised to take advantage of such new features as OUs. The migration plan will have to include the rollout of the new procedures, which must be synchronized with the other parts of the migration strategy.

The administrative plan should provide details of the rollout of the new features and also consider the enterprise's current organizational structure to best map it to an Active Directory design. The administrative plan should be produced after widespread consultation with all stakeholders in the migration.


Ensure that the proposed administrative plan is rigorously tested during the testing and pilot programs. The final Active Directory plan, the OU hierarchy, and the group policies to be used must be verified in their target environment with the applications that will be used.

Remember that during the upgrade, you could be supporting two operating systems and three administrative regimes: the old regime, the interim regime, and the final regime. The administrative plan should consider the following:

  • Provision of user applications
  • Provision of system and user backup facilities
  • Provision of printing facilities
  • Provision of remote access facilities
  • Provision of user management facilities
  • Replication of information between the Windows NT and Active Directory servers

The Security Plan

During the upgrade, the level of protection for resources might change because of the nature of trust relationships between domains in Active Directory trees. You might also decide to use new Active Directory security features to better manage users and resources. In order to do this, you should create a security plan, which documents both the current security environment and the structure of the migrated one as outlined in Chapter 3, Lesson 3, "Security Assessment."


As with the administrative plan, you should rigorously test the security plan before deployment. You should also review the intermediate phases of the migration relative to their possible security implications.

If your Active Directory design contains new Windows 2000 security features, your security plan should reflect these changes and identify the features that are to be deployed. In addition, your security plan should describe how security is to be maintained during the upgrade process. Issues to be considered in the security plan include these:

  • Authentication of users
  • Access to resources
  • Auditing of access
  • Proper application of policies
  • Availability of profiles during the migration and afterwards
  • Application and impact of additional security features offered by Windows 2000 such as certificate services and data encryption on the local systems and across the network


For a good description of the process of Active Directory design, review the Windows 2000 Resource Kit Deployment Lab Scenarios at http://www.microsoft.com/windows2000/library/resources/reskit/deploymentscenarios/.

Lesson Summary

In this lesson, you learned the fundamentals of Active Directory analysis. You saw that you should consider Active Directory with respect to the overall domain arrangement, site design, network administration, and network security. You also saw how important it is to consider all the design aspects in light of the migration goals.

MCSE Training Kit (Exam 70-222): Migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000 (MCSE Training Kits)
ISBN: 0735612390
Year: 2001
Pages: 126
