Don't deploy too many GPOs. Keep your OUs simple, and definitely don't keep the KCC running. That's some of the advice Active Directory expert Doug Davis recently gave searchWindowsManageability. Confused yet?Bottom line: Active Directory management is complicated. But, it doesn't take a degree in rocket science to run it, either. So, Davis, director of Microsoft Solutions product management for Irvine, Calif.-based Quest Software, outlined some tips and tricks for successful Active Directory management. Quest's FastLane ActiveRoles is a role-based Active Directory administration product.
Do use Native delegation to ensure that you have the maximum flexibility for security and access, said Davis. "AD is not NT. You can be as granular as your business requires."
Don't use groups such as Enterprise Administrators to delegate access. "Use business-specific groups and assign rights as befits the roles these folks are using," he said. "Built-in groups with AD should be approached in much the same way as the built-in groups in NT."
Do keep your AD design as simple as possible, Davis said. "Start with a 1-1-1 configuration: one forest, one domain, and one organizational unit (OU)." Only add OUs and domains where it makes sense. The hardware costs of adding another domain can be quite high.
Don't replicate your geographic or business structure as your OU structure. "It rarely leads to a simple OU structure and does not add any value to your administrative processes." It's hard to manage an account when you can't find the right information in a complex OU structure, said Davis. Searches can help, but most users start off in Users and Computers and only revert to the AD search tools when they become frustrated. Ensure that you make it easy for them to find objects.
Do be aware of your replication schedule, status and connections. "Use tools like Replmon and RepAdmin, both found in the Windows 2000 resource kit, to make sure that replication is working." Dealing with replication problems after they occur is time consuming, so check replication often, Davis said.
Don't keep the Knowledge Consistency Checker (KCC) running within sites. The KCC is a process that runs on all domain controllers and checks that replication is working. "Leaving it running within sites can lead to extra intra-site connections going up," Davis said. Turn this off, and set up the connections and schedules that make sense for you.
Do create a Microsoft Management Console (MMC) snap-in console with all your required snap-ins. Make sure the configuration of the snap-ins is set to what you need, too, Davis said.
Don't deploy complex group policy objects (GPOs) as part of your initial deployment. Deploy GPOs gradually, as your understanding of how they work and how they get applied to objects increases. "GPOs are a powerful ally to keep your network humming, but need to have a cautious roll-out so they don't lock up the network," Davis concluded.
FOR MORE INFORMATION
What are your fears, concerns, and problems with Active Directory management? E-mail us at Editor@searchWindowsManageability.com