News Stay informed about the latest enterprise technology news and product updates.

When's it best to move to Active Directory?

The short answer is you are probably a good candidate if you are planning to run Exchange 2000, have outgrown your NT domains and possess good data on users. But there is really no magic formula when it comes to making the move to Active Directory. The process is long, complicated and requires special technical skills. It's also fraught with organizational challenges that go beyond mere technology.

Microsoft Corp.'s Active Directory serves as a master "telephone directory" of users, computers and other network resources, promising to dramatically cut the costs of administering user access, distributing software and managing network components.

But moving to AD can be long and complicated, filled with technical challenges about domain design and turf wars over who controls access rights and security policies. Then there's training and third-party migration and administration tools, which analysts estimate can make up as much as 25 percent of the overall cost of moving to AD.

When do the benefits outweigh the cost? There's no one simple answer, according to consultants and current AD customers, but there are some clear guidelines.

Migration/Project Management:
  • Active Directory Migration Tool from Microsoft.
  • DM/Manager from FastLane Technologies Inc. (now Quest Software Inc.)
  • Domain Migration Administrator from NetIQ Corp.
  • Controlled Migration Suite from Aelita Software Corp.

    Change and configuration management:

  • Synchronicity from NetVision Inc.
  • DirectoryInsight from NetPro Computing Inc.

    Cross-directory synchronization:

  • DirXML from Novell, Inc.
  • Microsoft Directory Synchronization Services.

    Source: Robert Scheier

  • First, if you're running or planning to run Microsoft's Exchange 2000 messaging platform you need AD because Exchange 2000 requires it. You're also a good candidate for AD if you're an all-or mostly-Microsoft shop that is outgrowing its NT 4.0 Domain Structure, since AD makes it easier to administer very large groups of users and network resources.

    The better you understand your corporate organizational structure, as well as which managers control functions such as assigning access rights to employees, the easier a move to AD will be. You're also a stronger candidate for AD if you have standards in areas such as naming conventions, so when consolidating user data in AD you won't have to figure out if "rscheier" and "bobs" are two users or the same user logging into two different applications.

    AD may be less attractive for companies running a wide mix of UNIX along with Windows operating systems, as well as those running IBM's Notes/Domino messaging platform rather than Exchange. Customers who are comfortably managing their environments with other directory products, or even with authentication and management tools shipping with individual applications, may not find it worth the trouble and expense to move to AD.

    Giga Information Group surveys indicate that 60 percent of companies moving from Windows NT to Windows 2000 are "clinging to the safety net of their legacy NT 4 domains" rather than moving to AD, says analyst Laura DiDio at the Cambridge, Mass-based consulting firm. The surveys also shows 25-35 percent of those polled plan to use other directory tools, such as NDS (Novell Directory Services), rather than move to AD, she says.

    Some customers are using AD with other directory services such as NDS and authentication technology such as Kerberos, although such coordination requires the use of metadirectory or other synchronization tools.

    Domains and standards

    AD is a database of users and network resources that IT managers can use to manage security and other functions in a networked computing environment. Users and network resources are domains, which may be divided into organizational units or combined with other domains to create "trees" and "forests."

    Improvements in AD's domain over the NT domain structure are a key factor in deciding whether to migrate. In NT 4.0, each domain was relatively independent of other domains and could hold, according to Gartner Inc., a maximum of about 15,000 objects. This forced large customers to build multiple domains, and manually manage the "trust" relationships among them. In Windows 2000, by contrast, domains can hold upwards of one million objects and can automatically share changes such as the hiring or termination of employees.

    "If you had NT 4.0 and were really struggling with the domain model...then AD solves those problems," says Gartner Analyst Neil MacDonald.

    Another key in deciding if you should move to AD is whether you have standards in areas such as naming conventions, which define how a user's name is presented when logging into an application.

    "The biggest thing you could do to prepare yourself is to normalize your data," says John Reynolds, a senior advisor at Anthem Blue Cross and Blue Shield, headquartered in Indianapolis, Ind., who is in the process of moving to AD from a mix of NT 4.0 domains, NDS and Sun MicroSystems Inc.'s NIS (Network Information System) network administration tool. That means not only common naming conventions, he says, but common procedures for administration chores such as creating or deleting users.

    A customer's skill set also determines their readiness for AD. MacArthur says it's easier to find staff skilled in NDS than in AD, and that while many IT professionals are skilled in Windows NT they may not be familiar with the major changes in Windows 2000, Active Directory or in implementing enterprise-wide directories."

    Mix and Match

    In many cases, customers won't move completely to AD but will use it in conjunction with existing directories.

    For example, "if you're a Novell shop, then you don't need Active Directory for managing your file and print services because, very likely, you're using (NDS) for that," says MacDonald. But that customer might also want AD to manage some parts of their infrastructure, and use their existing NDS skills and expertise to manage AD through NDS, he says. Tools such as Novell's DirXML allow customers to synchronize not only NDS and AD, but user accounts on applications such as Lotus Notes, says MacDonald.

    In some cases such cooperation is necessary for both technical and political reasons.

    Al Williams is academic computing director for a large East Coast university, which like many decentralized organizations allows departments to choose their computing platforms. While many department-hosted applications run on UNIX, most students use Windows on their personal PCs, and Williams needs Active Directory to ease chores such as software updates on their machines.

    For the systems he supports, he has essentially made AD a "slave" to the Kerberos system, allowing Windows users to log on through Windows but maintaining control and administration of the passwords with Kerberos. This allows the two directories to co-exist without having to go through the cumbersome task of adding more than 100,000 users (and their passwords) now authenticated through Kerberos into AD's database of users.

    Such complexities are why there's no simple answer to the question: Should I move to Active Directory? The first and most important questions, says MacDonald, are instead: Why are you migrating and what's the business value in rolling out Active Directory? If the business value is high enough, you can justify what it takes to be ready.

    Robert L. Scheier is a former technology editor at Computerworld, analyst with the Hurwitz Group, and is now a freelance writer and editorial consultant in Boylston, Mass. He can be reached at

    Dig Deeper on Windows client management

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.