More often than not, corporate politics govern how well, or how horribly a company's Active Directory installation...
Customers and consultants with experience installing Microsoft Corp.'s Active Directory (AD) agree that power struggles among upper management contribute heavily to the outcome of many IT decisions, and that the outcome rarely reflects a business need.
"I'd say politics plays a role about 90% of the time," said Peter Norkawich, president of WFR Associates Inc., a West Haven, Conn., integrator.
"Putting a technical solution to ego is not cost effective. There's always somebody who wants to be bigger than somebody else."
Howard Marks, founder and chief scientist at Networks Are Our Lives Inc., a Hoboken, N.J., consulting firm, has experience with about nine Active Directory installations. He is not joking when he suggests that corporate politics should sit as the eighth layer atop the familiar 7-layer OSI stack, which defines how applications on network-aware devices communicate with each other.
For purposes of assisting AD implementations, Marks also adds a layer 9 for geophysical issues, meaning any WAN constraint that can shape a network design, and a layer 10 for geopolitical issues. "The final layer might be of concern to users who want to encrypt data and send it to France, but they need to realize that encrypted data in France is a felony," Marks said.
An IT administrator's first job should be to work out the business goals together with the IT staff. What else is critical? Marks said that during the planning and rollout phase, make sure there is one person in charge of running interference with corporate executives. On the technical side, settle the question of how many forests, trees, domains, sites and organizational units are needed.
A directory is valuable because it lets users look up resources across all of a company's domains. But simplicity and politics often butt heads, and sometimes creativity is required to make everything work out.
Call it a trust issue or an ego issue, but Marks said if there is more than one CIO in a company, it's best to make sure the directory structure has one forest per CIO. This is a good idea in a situation where the company is a conglomerate with completely independent business units that only communicate occasionally.
Marks defines a forest as a group of domains joined in a common directory. Forests are the largest unit in Active Directory: every domain in a forest shares one schema, one configuration and one global catalog, and because administrators in any domain can affect the others, the forest rather than the domain is the real security boundary. In most cases a company would want a single forest with many trees, because it is easier to administer. A tree is a set of domains that share a contiguous DNS namespace (a common suffix). If there are too many forests, the company may need a separate system to synchronize directory data between them.
IT administrators are advised to keep as few domains as possible and to keep Active Directory out of the public DNS namespace. Domains are an administrative and replication boundary. As an example, Marks said General Motors' GM domain on the Internet should point to a set of public servers: the DNS zone for the public namespace should contain only the servers that make up the company's public face. "You don't want Active Directory information available for the outside," Marks said.
The public DNS servers for GM can be maintained by hand, he said, while the internal DNS servers, which carry the Active Directory records, should be reachable only from private networks.
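The split-DNS point above, that the public zone should carry only the company's public face, is one you can check mechanically. The following Python script is an added example, not part of the article or of any Microsoft tooling. It parses a BIND-style zone file and flags the records Active Directory publishes (the _ldap, _kerberos, _kpasswd and _gc SRV records, anything under _msdcs or _sites, and the DomainDnsZones/ForestDnsZones application partitions) as well as A records that point at RFC 1918 addresses, which is what typically leaks when an internal zone is copied into the public one. The zone snippets and the example.com names are constructed for the demonstration.

```python
"""Flag Active Directory locator records and private addresses in a public DNS zone.

Added example, not from the article. The zone text below is constructed.
"""
import ipaddress
import re

# SRV services that AD DS registers under the domain's DNS name (first owner label).
AD_SRV_SERVICES = ("_ldap", "_kerberos", "_kpasswd", "_gc")
# Subdomains that exist only because of AD DS (compared case-insensitively).
AD_SUBZONES = ("_msdcs", "_sites", "domaindnszones", "forestdnszones")
# Private address space that has no business in a public zone.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# owner [ttl] [IN] TYPE rdata  -- enough of the zone-file grammar for a sanity check
_RR_RE = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>[A-Z]+)\s+(?P<rdata>.*)$")


def parse_zone(text):
    """Return (owner, type, rdata) for each one-line resource record.

    Comments, blank lines, $ directives and SOA continuation lines are skipped.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        m = _RR_RE.match(line)
        if m:
            records.append((m.group("owner").lower(), m.group("type"), m.group("rdata").strip()))
    return records


def is_rfc1918(addr):
    """True if addr is a valid IPv4 address inside 10/8, 172.16/12 or 192.168/16."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def ad_leaks(zone_text):
    """Return (owner, type, rdata, reason) for every record that should not be public."""
    leaks = []
    for owner, rtype, rdata in parse_zone(zone_text):
        labels = owner.rstrip(".").split(".")
        if rtype == "SRV" and labels[0] in AD_SRV_SERVICES:
            leaks.append((owner, rtype, rdata, "ad-srv"))
        elif any(label in AD_SUBZONES for label in labels):
            leaks.append((owner, rtype, rdata, "ad-subzone"))
        elif rtype == "A" and is_rfc1918(rdata):
            leaks.append((owner, rtype, rdata, "rfc1918-address"))
    return leaks


# Constructed sample: a clean public zone with only the public-facing hosts.
PUBLIC_ZONE_OK = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2000010101 ; serial
                3600 600 604800 86400 )
@       IN NS   ns1.example.com.
@       IN MX   10 mail.example.com.
ns1     IN A    198.51.100.53
www     IN A    198.51.100.80
mail    IN A    198.51.100.25
"""

# Constructed sample: the same zone after the internal AD zone was merged into it.
PUBLIC_ZONE_LEAKY = PUBLIC_ZONE_OK + """\
; records that belong only on the internal DNS servers
dc1                       IN A   10.1.1.5
gc._msdcs                 IN A   10.1.1.5
_ldap._tcp.dc._msdcs      IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp            IN SRV 0 100 88  dc1.example.com.
_gc._tcp                  IN SRV 0 100 3268 dc1.example.com.
"""

if __name__ == "__main__":
    for name, zone in (("clean", PUBLIC_ZONE_OK), ("leaky", PUBLIC_ZONE_LEAKY)):
        found = ad_leaks(zone)
        print(f"{name}: {len(found)} record(s) that should not be public")
        for owner, rtype, rdata, reason in found:
            print(f"  {reason:16} {owner} {rtype} {rdata}")
```

Run it against an export of the zone your public name servers actually serve (for BIND, the zone file itself; for a Windows DNS server, a zone transfer or a `dnscmd /zoneexport` of the public zone). Any hit means the internal and external namespaces have been blended and the public servers are advertising domain controllers.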
When it comes to organizing domains, IT administrators must keep network traffic and reliability in mind. Domain controllers in a domain replicate changes to each other continually within a site and on a schedule between sites, so every WAN link a domain spans carries replication traffic and must be reliable. All users in one domain share that domain's settings, including its password policy, its security policy and its politics.
Keeping the structure simple makes administration easy and keeps the corporation flexible. One IT executive for a global electronics firm said that his company makes frequent acquisitions, so they take the idea of simplicity to the extreme. The electronics company, which has its headquarters in Europe, delegates administration of its network to more than 200 different IT organizations worldwide.
"We do everything in a single domain under an empty root placeholder domain to allow for grafting in new companies that we may acquire," said the executive, who declined to be identified.
Many people assume that the Active Directory administration model has to mirror the organizational model. "There is no reason that should be the case," he said.