Microsoft's Active Directory, regarded as a breakthrough technology, has also been known to mangle networks. AD is touchy and can make life miserable for IT pros who don't treat it with care and approach it with humility.
In this article, our experts share AD horror stories that might scare IT pros into a more caring and humble attitude. In a related story, our experts shared
For our first stroll down nightmare alley, AD expert Paul Hinsberg recounts two incidents where poor planning doomed AD migrations.
Consider the case of the unquestioning consultant. Hired to handle an AD migration, he moved ahead without making proper inquiries. He didn't ask why the company was moving to AD, about company business procedures, or to see network diagrams -- all information necessary for a successful migration.
During the migration, the dynamic DNS failed because the consultant didn't know the Unix systems were the DNS default. Consequently the virtual private network failed because the remove access service server was NT 4.0, and authentication stopped working.
"WINS [Windows Internet Naming Service] and DHCP [Dynamic Host Configuration Protocol] were not configured properly," Hinsberg said. "My company was then hired to clean up the mess and re-start the migration from scratch."
The second misadventure happened at a company with a complex network involving international offices, multiple domains and Unix systems. DNS name resolution, which is a key AD function, wasn't set up properly.
DNS name resolution refers to AD Services that are registered by Windows 2000 Domain Controller (DC). "When name resolution is not set up properly, clients often cannot reach the DCs or access the AD," said Hinsberg. "However, clients on the same subnet may still reach the server, and this results in some clients working and others not."
AD and Exchange interaction were crippled, and any attempt to migrate from Exchange 5.5 was impossible. "The company worked around the problem by manually creating DNS entries and static WINS entries to keep the system afloat," Hinsberg said.
Unfortunately, some damage had already been done. The AD problems had slowed workers and delayed product shipping.
This mistake illustrates just one reason why AD migrations must be carefully planned. A migration team that's not detail-oriented will be as busy creating obstacles as leaping them.
Communication is the key to success in AD migrations, according to AD expert Keith Millar. In fact, poor communication caused the biggest migration mistake he's ever seen. Here's how that nightmare unfolded:
A large company was moving from a multi-forest AD design to a single-forest design for its worldwide operations. This unifying move was undermined, however, by the failure of IT shops on two continents to get on the same page.
"North America upgraded to one forest and Europe upgraded to another," said Millar, a Microsoft Solutions product management director for Irvine, CA-based Quest Software. "The company was stuck with two forests instead of one."
This resulted in increased management and support costs.
Expert Douglas Paddock watched a large company rush full steam ahead into a migration horror story. The company's IT staff was expected to complete a migration over one weekend. In short, haste made a waste of the company's Windows 2000 infrastructure.
IT pros at the company in question did not test all its equipment before the migration. No test lab was set up, because the IT department felt it was unnecessary, said Paddock, Paddock. an IT instructor at Louisville Technical Institute in Louisville, Ky. and a TechTarget advisor.
"For example, the CAD systems had some unique boards in them, but a CAD-type system was not tested prior to the migration," Paddock said. "The existing boards were expensive and, of course, not compatible with Windows 2000."
It gets worse.
Some of the hardware was compatible but required new drivers. The company didn't know which drivers to use, and vendor support wasn't available until the following Monday. Domain names were not thought through and resulted in names unsuitable for future growth.
"The personnel doing the migration had no clear vision of where they wanted to be when they were finished, both in structure and security," Paddock said. "With no clear plan and goals in view and no backup plan in case of failure, everything went wrong."
A rushed migration may work for very small companies, but "it can be a nightmare for larger ones," said Paddock.
There are few parts of an organization not touched by moving to Active Directory, our experts concluded. In particular, it requires clearly defining business processes and network structure. Migration teams that don't plan and communicate well can throw their organizations into chaos. They can also become the subjects of an AD migration horror story.
This was first published in January 2003