Even though Windows 2000 Active Directory can make it easier for systems administrators to manage enterprise resources, there's not a big rush to implement this Microsoft technology. Don't blame Bill Gates or anti-monopolist sentiment for slow AD adoption. Instead, blame the "fear factor." Savvy IT professionals know that deploying AD is a "monumentally complex" task, said Olivier Thierry, vice president of strategic marketing for NetIQ Corp., a San Jose, CA-based e-business infrastructure management and intelligence solutions provider. Make a wrong move in AD design, and your organization will feel a lot of pain. In this interview with searchWindowsManageability, Thierry explains why organizations need to treat AD deployment with great respect and offers some advice about how to do the right thing with AD.
searchWindowsManageability: What are the benefits of migrating to Active Directory?
Think of Active Directory as a kind of corporate database, the one place where you store everything. If you do deploy AD correctly, it acts like a shared global database and that has tremendous value. With Active Directory in place, you have one set of data for the whole organization. Also, Active Directory understands how the users of Windows 2000 are going to interact with the system. It makes it much easier for me to manage my resources in the enterprise, because they're all stored in the directory and they're all commonly defined. Active Directory is the intersection between a physical network and the users of that physical network and their resources.
searchWindowsManageability: What are some of the most common problems that people face in Active Directory migration?
Active Directory is structured as a hierarchy and it's made up of an Organizational Unit hierarchy. In migration, you have to decide how the AD data structure is going to be mapped out to your entire organization. In the past with NT 4.0, you really only cared about the physical network architecture. In other words, you've got servers here, in New York, in Houston, and in London. With Active Directory, you will have a lot more information available about the servers, the applications, and so on. You actually have to define a database, which is not usually what systems administrators do unless they happen to be DBAs.
So, the issue is how do I define the structure that makes sense? How do I define it right so that when I deploy it I don't say: "Uh oh! No, no, that's not the structure I needed. I need to undo it." Undoing it is hugely painful. You really cannot afford to deploy Active Directory incorrectly. You have to move all your existing stuff into Active Directory in the best possible way to start with.
searchWindowsManageability: Would you say, then, that migrating to Active Directory is not for the faint of heart?
Migration to Active Directory is a huge project. It is not a weekend deal. For some organizations, this is almost a multi-year project. Overall, Active Directory is much more complex in definitional structure than anything that most IT people have encountered. That is the one key thing that I think is holding AD back. Active Directory's adoption is slower than Microsoft had anticipated, largely because migrating to AD requires a lot of planning, discipline, and compromise. Most organizations don't have the right methodology in place. That's why some organizations are deciding to just mirror what they have right now in NT 4.0 and not exploit all the benefits of AD.
searchWindowsManageability: Are a lot of people trying it and getting it wrong?
Most are just admitting that they don't know how to do this and asking for help beforehand. I remember speaking to an early AD adopter, who said to me: "Well, we're on our ninth iteration of our OU hierarchy, and I think we're about ready to pick the least worst of the nine." In AD migration, you often have to make a series of compromises. It's not easy to take a three-dimensional organization and define it in terms of a two-dimensional hierarchy. Doing that is fraught with politics.
searchWindowsManageability: Are there basic do's and don'ts for Active Directory migration?
Yes. First of all, do determine why you want to use AD. Figure out what you're going to use it for. For example, if you're going to migrate to Exchange 2000, then you need Active Directory. If that's the case, then do think about every aspect of the migration. Are you really using it only for Exchange 2000? Is this going to be used as a central hub for information on your employees? Is it only there to serve as the backbone of information for your NT or Windows 2000 network? Know what goal you are trying to achieve. Don't go into it just because Microsoft said you need to do it.
Do take a step-by-step approach. Your design has to be complete enough for everything that you want to do, but your implementation needs to be done in stages and very selectively. Think about and plan for the entire directory structure and then deploy incrementally and measure against that template.
Do put your best, most skilled people on the job. Don't give it to your summer student to go figure out. This is tricky stuff.
Do put people from all parts of your organization on the project team. You're going to need to have multiple parties agreeing on the definition of the structure of the directory because multiple parties will be using the directory. It's no longer just the purview of IT. Active Directory is going to be used by the business unit users. People are stunned by the politics of the definition of the Active Directory structure. Your project team needs top-down political buy-in.
Finally, do expect a long project.