Some tout Active Directory as the best thing for networking since twisted-pair cable. But not everything in the world of an Active Directory domain-based network is fine and dandy. In fact, Active Directory has several shortcomings that you should be aware of before deploying a Windows 2000 Server- or Windows Server 2003-based Active Directory domain in your organization.
Before we get to the bad news, let me level the playing field by stating the benefits of Active Directory. First and foremost, Active Directory is generally considered a significant improvement over Windows NT Server 4.0 domains, let alone standalone server networks. Active Directory provides a centralized administration mechanism for the entire network. It also provides redundancy and fault tolerance when two or more domain controllers are deployed within a domain, and it automatically manages replication between those domain controllers so that the directory stays available and consistent. Users can reach every resource on the network they are authorized to use through a single sign-on. Every access to a resource is mediated by the domain's security mechanism: the user's identity is verified (by Kerberos in a native Active Directory domain) and the resource's access control list is checked on each request. Even with Active Directory's improved security and control over the network, most of its features are invisible to end users, so migrating users to an Active Directory network requires little retraining. Active Directory offers a simple means of promoting member servers to domain controllers and demoting them again. Systems can be managed and secured through group policies. Active Directory is a flexible hierarchical organizational model that allows for easy management and fine-grained delegation of administrative responsibilities, and it is capable of managing millions of objects within a single domain.
However, you should fully understand the downside of Active Directory. Active Directory is difficult to integrate into pre-existing network systems. There is little interoperability between Windows 2000/2003 Active Directory and NetWare or Unix systems. Active Directory offers no means of managing non-Windows clients (such as Macintosh or Unix) or servers, and it supports very little management control over pre-Windows 2000 systems (such as Windows 98 and Windows NT), since those clients cannot process group policy. Active Directory was designed around a single forest per organization. Companies that need more than one schema or more than one global catalog must implement multiple forests. Multiple forests re-introduce the same problems that occurred with multiple Windows NT domains, along with the related increase in administrative overhead: access to resources across forest boundaries requires explicitly created trusts, each of which must be configured, maintained and audited separately. Separate domains and forests cannot easily be merged. Instead, you need an arduous migration process to move the important entities from one domain or forest into the other.
Active Directory relies on DNS to function: clients and domain controllers locate each other through SRV resource records (RFC 2782) that each domain controller registers in the zone for its domain, and Microsoft recommends that the zone accept dynamic updates (RFC 2136) so those records stay current without manual editing. Not every DNS server supports these features, so existing DNS systems may need to be upgraded or replaced before they can support Active Directory. If the required SRV records are missing, domain joins, logons and replication fail even though the domain controllers themselves are healthy.
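The following script is an added example, not part of the original article, that checks whether a DNS server publishes the SRV records an Active Directory domain needs. It uses the built-in Resolve-DnsName cmdlet (available on Windows 8 / Windows Server 2012 and later, so it is a modern-day check rather than a Windows 2000-era tool). The domain name and DNS server address are placeholders you must replace with your own; the list of record names is the standard set a domain controller registers through the Netlogon service.

```powershell
# Added example (not from the original article): verify that a DNS zone
# publishes the SRV records Active Directory clients and domain controllers
# use to find each other. Requires the DnsClient module (Windows 8 / 2012+).
# $Domain and $DnsServer are placeholders; substitute your own values.
param(
    [string]$Domain    = 'corp.example.com',   # hypothetical domain name
    [string]$DnsServer = ''                     # empty = use the client's configured resolver
)

# SRV names every domain controller registers at startup. The _msdcs entry is
# forest-wide; the others are per-domain. _gc._tcp is only registered by
# domain controllers that also host a global catalog.
$required = @(
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_kerberos._udp.$Domain",
    "_kpasswd._tcp.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_gc._tcp.$Domain"
)

function Test-AdSrvRecord {
    param([string]$Name)

    # Query the SRV record directly, bypassing the local resolver cache.
    $query = @{ Name = $Name; Type = 'SRV'; ErrorAction = 'Stop'; DnsOnly = $true }
    if ($DnsServer) { $query.Server = $DnsServer }
    try {
        $answers = Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' }
    } catch {
        return [pscustomobject]@{ Record = $Name; Status = 'MISSING'; Targets = $_.Exception.Message }
    }
    if (-not $answers) {
        return [pscustomobject]@{ Record = $Name; Status = 'MISSING'; Targets = '' }
    }

    # Each SRV answer names a host; confirm that host also has an A record,
    # otherwise clients learn the DC's name but cannot reach it.
    $targets = foreach ($a in $answers) {
        $hostQuery = @{ Name = $a.NameTarget; Type = 'A'; ErrorAction = 'SilentlyContinue'; DnsOnly = $true }
        if ($DnsServer) { $hostQuery.Server = $DnsServer }
        $ip = Resolve-DnsName @hostQuery | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        if ($ip) { "$($a.NameTarget):$($a.Port) -> $($ip.IPAddress)" }
        else     { "$($a.NameTarget):$($a.Port) -> NO A RECORD" }
    }
    [pscustomobject]@{ Record = $Name; Status = 'OK'; Targets = ($targets -join '; ') }
}

$results = $required | ForEach-Object { Test-AdSrvRecord -Name $_ }
$results | Format-Table -AutoSize

if ($results.Status -contains 'MISSING') {
    Write-Warning 'One or more AD SRV records are absent: the DNS server may not support SRV records or dynamic update, or the domain controllers have not registered.'
    exit 1
}
```

Run it against the DNS server you intend to point domain members at (for example `.\Test-AdDns.ps1 -Domain corp.example.com -DnsServer 10.0.0.53`). A missing `_ldap._tcp.dc._msdcs` record on a server that otherwise answers is the classic sign of a DNS server that does not support SRV records or refuses dynamic registration; an SRV answer whose target lacks an A record points to a registration that is stale or split between two zones.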
Finally, Active Directory introduces a new way of performing activities on the network for both end users and administrators. That is good in itself, but the transition from one set of processes to another often causes a significant drop in productivity until the new system is mastered.
James Michael Stewart is a partner and researcher for Itinfopros, a technology-focused writing and training organization.