In this lesson, you'll learn how to analyze and plan an Active Directory design to determine its suitability with respect to the structure of OUs, administration, and security. You'll then investigate several Active Directory designs to determine the issues and advantages to be considered in each.
After this lesson, you will be able to
Estimated lesson time: 20 minutes
The goals you set for the migration will determine the final design of Active Directory. Remember that, as with all mapping of goals to their implementation, you'll need to prioritize and compromise. One overriding principle is to keep the design as simple as possible. If your design includes many forests and explicit trusts, you're probably heading in the wrong direction.
Use a move to Active Directory as an opportunity to reduce the number of domains in use. The Windows NT SAM database size limitation and the replication issues raised by large Windows NT domains don't apply to Windows 2000 Active Directory. You can also use OUs to delegate control with a greater granularity than Windows NT was able to provide.
You can organize Active Directory on the basis of the following:
Figure 5.7 Sample OU hierarchy
There are many ways to arrange your OU structure, such as by project. A project OU design might be appropriate for organizations such as construction companies where several buildings might be under construction at the same time. You might come up with your own unique designs. The important point is that when selecting the optimal arrangement, you should look for the OU model that's least likely to change over time while offering the best potential for expansion.
TIP
To design their OU structure and then evolve it, many companies start with the names of resource domains and then see which resources the system policies and mandatory profiles are applied to. For example, if you have a resource domain called SALES and mandatory profiles for SERVICES SALES and PRODUCT SALES, a potential starting OU structure would be a first-level OU named Sales containing two second-level OUs called Services and Products, respectively.
Part of your migration objective will be creating the ultimate Active Directory design for your corporation. You must examine this goal in light of any network restrictions; for example, you might need additional hardware to support both a Windows NT and an Active Directory environment during the upgrade process. You need to address these three areas:
In Windows 2000, domains can be grouped together into trees, with a single domain at the root of the tree and others beneath it. As we have seen, all trees within a forest are automatically linked at their root domains via two-way transitive trusts. When analyzing an Active Directory design, you should first consider whether you need more than one forest.
A single-tree design is the easiest to create and manage. The first domain that you upgrade becomes the root of both the tree and the forest, and further domains are placed beneath it. As you add each domain, trust relationships are created automatically. The global catalog provides users with a unified view of all resources in the tree.
TIP
You might want to create a placeholder Windows 2000 root domain prior to migration. Otherwise, the first Windows NT domain you migrate will become the forest root. If you don't want to do this, remember to migrate the desired root domain first because you can't change it later, apart from completely reinstalling all systems.
A single tree defines the namespace for all the objects within it. If you need a disjoint namespace (in Figure 5.6, microsoft.com and msn.com are roots of separate namespaces), you must form separate trees for each namespace.
You might require a multiple-forest environment based on the following needs:
However, implementing a multiple-forest Active Directory design is much more complex because you must manually configure all resource access across forests. In addition, the users will be unable to obtain a single, consistent view of available resources. In general, multiple forests are only recommended in cases where you have different subsidiaries that require different schemas, perhaps due to political, cultural, or language biases. Multiple forests can also be useful if you are planning an inter-forest restructure at a later stage of a migration.
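To make the contrast between the single-tree design and a multiple-forest design concrete, here is an added Python model (written for this lesson, not code from the training kit) of the trust rules just described: trusts inside a forest are created automatically and are two-way and transitive, while trusts between forests must be configured by hand, one domain pair at a time, and are not transitive. Domain names used with it are constructed.

```python
from itertools import combinations

class Forest:
    def __init__(self, root):
        self.root = root            # the first domain upgraded becomes the forest root
        self.parent = {root: None}  # child -> parent; None marks a tree root

    def add_domain(self, name, parent=None):
        """Add a child domain, or a new tree (parent=None) linked to the forest root."""
        if parent is not None and parent not in self.parent:
            raise ValueError(f"unknown parent domain {parent}")
        self.parent[name] = parent
        return self

    def automatic_trusts(self):
        """Trust links Active Directory creates on its own, with no admin work."""
        links = set()
        for child, parent in self.parent.items():
            if parent is not None:
                links.add(frozenset((child, parent)))     # parent <-> child
            elif child != self.root:
                links.add(frozenset((child, self.root)))  # tree root <-> forest root
        return links

class Enterprise:
    def __init__(self, *forests):
        self.forests = forests
        self.external = set()       # frozenset({domain_a, domain_b}) per explicit trust

    def forest_of(self, domain):
        return next(f for f in self.forests if domain in f.parent)

    def add_external_trust(self, a, b):
        if self.forest_of(a) is self.forest_of(b):
            raise ValueError("same forest: already trusted transitively")
        self.external.add(frozenset((a, b)))

    def accessible_from(self, domain):
        """Whole home forest (transitive) plus only the direct partner of each external trust."""
        reach = set(self.forest_of(domain).parent)
        reach |= {d for link in self.external if domain in link for d in link}
        return reach

    def trusts_still_needed(self):
        """Cross-forest domain pairs lacking an explicit trust: the manual work that
        grows with every extra forest and domain."""
        return {frozenset((a, b)) for fa, fb in combinations(self.forests, 2)
                for a in fa.parent for b in fb.parent
                if frozenset((a, b)) not in self.external}
```

Building two small forests and calling `trusts_still_needed()` before and after `add_external_trust()` shows how the manual configuration burden scales, and `accessible_from()` shows that a child domain in one forest gains nothing from an external trust created at its forest root.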
You should examine the Active Directory design to decide when to implement its new features and to ensure that they minimize any disruption to the production environment. You must validate all new features in the test environment before deploying them. To properly design an Active Directory solution, you will need to analyze how your administration and security function.
When you examine your existing IT administrative regime in light of the new facilities that Windows 2000 offers, you might decide that the IT culture in the organization will need to be substantially revised to take advantage of such new features as OUs. The migration plan will have to include the rollout of the new procedures, which must be synchronized with the other parts of the migration strategy.
The administrative plan should provide details of the rollout of the new features and also consider the enterprise's current organizational structure to best map it to an Active Directory design. The administrative plan should be produced after widespread consultation with all stakeholders in the migration.
NOTE
Ensure that the proposed administrative plan is rigorously tested during the testing and pilot programs. The final Active Directory plan, the OU hierarchy, and the group policies to be used must be verified in their target environment with the applications that will be used.
Remember that during the upgrade, you could be supporting two operating systems and three administrative regimes: the old regime, the interim regime, and the final regime. The administrative plan should consider the following:
During the upgrade, the level of protection for resources might change because of the nature of trust relationships between domains in Active Directory trees. You might also decide to use new Active Directory security features to better manage users and resources. In order to do this, you should create a security plan, which documents both the current security environment and the structure of the migrated one as outlined in Chapter 3, Lesson 3, "Security Assessment."
NOTE
As with the administrative plan, you should rigorously test the security plan before deployment. You should also review the intermediate phases of the migration relative to their possible security implications.
If your Active Directory design contains new Windows 2000 security features, your security plan should reflect these changes and identify the features that are to be deployed. In addition, your security plan should describe how security is to be maintained during the upgrade process. Issues to be considered in the security plan include these:
TIP
For a good description of the process of Active Directory design, review the Windows 2000 Resource Kit Deployment Lab Scenarios at http://www.microsoft.com/windows2000/library/resources/reskit/deploymentscenarios/.
In this lesson, you learned the fundamentals of Active Directory analysis. You saw that you should consider Active Directory with respect to the overall domain arrangement, site design, network administration, and network security. You also saw how important it is to consider all the design aspects in light of the migration goals.