As SearchWin2000.com began to receive nominees for this year's Windows Manageability Innovator Award, it became apparent we had a long review process ahead of us. The stories this year ranged from migration milestones to upgrade gratifications and hardware "hallelujahs."
There were many to choose from, and all were worthy of a shot at the award. We finally picked Todd Myrick and his project team at the National Institutes of Health (NIH) because of the enormous scale of their undertaking and the significant results they achieved. By improving the manageability of a large decentralized network through a combination of new technology upgrades and third-party software applications, the NIH was able to reduce hardware costs and security risks while increasing available e-mail storage.
The NIH, part of the Department of Health and Human Services, is the government's primary clearinghouse for health-related
The NIH's Center for Information Technology (CIT) operates the Institutes' main data center, but the 28 smaller agencies' data centers have varying levels of technology and staffing. CIT's marching orders were to develop a framework for deploying Windows Server 2000 and Active Directory at the far-flung agencies, roll it out without breaking anything and make the whole process invisible to the system's 30,000 end users.
Myrick knew that the challenge of standardizing a myriad of platforms and IT processes across disparate organizations into "one central NIH" infrastructure would be daunting. But the rewards -- better application integration, server consolidation, enhanced security, improved manageability, opportunities to move to next-generation collaboration platforms and Web-based applications -- would be substantial.
As a research organization, the NIH prides itself on its freedom and ability to "think outside the box." But by 1999, the organization had begun to realize that it needed a centralized infrastructure.
The NIH's agencies were running various non-standard Windows NT deployments. Two groups -- Health and Human Services (HHS) and the Office of the Secretary -- were on a Banyan Vines network and wanted to move to Windows. According to Myrick, all the users were using Exchange 5.5, so other possibilities, like switching to Linux, weren't options.
The project team's first task was to deploy Windows Server 2000 and Active Directory, which would enable them eventually to upgrade all the users to Exchange 2000. Specific goals of the project were to:
- Design an AD forest structure so that one or more autonomous divisions with their own AD forest could later connect with the main CIT forest.
- Build operational consistency across the Active Directory for various processes, such as how domains would be established.
- Select third-party tools for migration, security, tactical reporting and so forth.
- Implement a disaster recovery plan.
- Standardize troubleshooting processes.
The first milestone was reached with the creation of a placeholder domain, which other departments could join over time, as they began to see the benefits of a centralized structure that was fully scalable and could be easily managed. The placeholder domain would allow divisions within each agency's own Active Directory forest to connect with the main CIT forest and still have an autonomous namespace and operation.
"If you build it, they will come," Myrick remembers joking to colleagues. Today, he reports they are showing up in droves. Since efforts got underway, the CIT has consolidated 300 domains into 28.
By reducing the number of domains, the CIT saved the NIH roughly $500 million in server costs. And, with fewer Exchange sites, there is less of a need for antivirus protection, and the NIH enjoys quadruple the available e-mail storage. By combining multiple directories with AD, NIH also was able to standardize applications, increase collaboration and better coordinate messaging. But, says Myrick, "ease of maintenance after the introduction of Active Directory is where you see the real ROI."
Politics as usual
Myrick attributes the success of the project to the support of NIH top brass. While past experience had shown him that, in the private sector, technological advances could be implemented very quickly, he knew from the start of his time at NIH that he was dealing with a very different animal. "Your political environment will depend on how quickly change is adopted and accepted," Myrick said. The project team knew that, in an organization as far-flung and culturally diverse as the NIH, executive-level sponsors and buy-in would be crucial.
Another critical decision was to use third-party tools rather than the less-intuitive, more mistake-prone native tools. The third-party tools and corresponding vendor support helped with tasks such as migration, security and tactical reporting and directory management. CIT deployed Quest's ActiveRoles for domain migration and identity access management on some of the smaller delegations, ePresence technology for the Banyan Vines migration and NetPro's Directory Troubleshooter and Directory Analyzer. Also used were tools from Hyena and BindView Corp., as well as Aelita Software Corp.'s Enterprise Directory Manager (EDM).
Although planning started way back in 1999, the project's "golden spike" was driven on Jan. 6, 2001, with the success of the first in-place upgrade of the placeholder accounts domain. It took nearly another year to develop final architectural standards, such as establishing "authorities" to make decisions about changes that would affect the overall configuration and schema of the Active Directory. The majority of 2002 was spent joining NIH and HHS NT account domains to the Active Directory as child domains under NIH or HHS domains.
The project may never truly cross a perceivable finish line. There will be constant restructuring as departmental initiatives change and evolve. Still on the drawing board are initiatives to link user identity to network operating system credentials via Active Directory management software, to standardize on a single messaging and collaboration platform and to integrate Windows Server 2003. Myrick is also looking forward to having digital signatures across the agency and a closer integration with enterprise authentication.