Migrating a network to Microsoft's Windows 2000 Active Directory can be an intimidating project. AD, though not a new technology on the Windows scene, still throws off IT pros. Patience and humility, always good qualities, are a must when it comes to AD, which is notoriously unforgiving, our experts say. In this story, they provide AD tips that are bound to save IT pros time and aspirin. They also shared some AD horror stories.
One expert stressed a general tip: a decent grasp on AD takes training, time and mistakes.
"Many people pick up a one-week class and go for it," said Doug Paddock, a computer science instructor at Louisville Technical Institute in Louisville, Ky., and a TechTarget advisor. "One week ain't enough. You need to roll around in it, blow it up a few times."
1. Plan, plan, plan
Our experts are adamant that comprehensive, deliberate planning is the best way to a smooth AD migration.
"The most common error is a lack of planning," said SearchWin2000.com's Ask the Expert (ATE) AD advisor Paul Hinsberg. "Folks horribly underestimate the impact … an AD migration may have on their environment. They don't research the environment thoroughly, nor do they properly develop migration plans."
Planning is especially important if the migration involves maintaining Windows 2000 controllers concurrently with NT 4.0 BDCs, said Laura Hunter, a SearchWindowsManageability.com ATE advisor and senior IT specialist at the University of Pennsylvania.
There are some security settings within Windows 2000 that, though useful in a homogeneous Windows 2000 environment, will render Windows NT 4.0 BDCs incapable of authenticating logons or replicating properly, she said. Hunter offered this setting as an example: HKLM\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel.
"The casual adjustment of a single registry entry without adequate testing can bring your network availability crashing down around your ears," Hunter said.
To develop an in-depth network design, companies should spend time evaluating their current structures and needs and adjust them for future growth, Paddock said. This can prevent headaches and save time down the road.
At the end of a thorough evaluation, IT pros "will know their AD requirements for structure, security, bandwidth, hardware and timeline," he said. "AD is not forgiving, so it's easier to get it right the first time than try to clean up afterward."
A side note to the planning tip: testing. Some companies tend to think testing wastes time, Paddock said, but a successful AD migration depends on it. "Theory is great," he said. "But it won't catch errors that a simple test might find."
2. Ask for help
Going it alone is a sure-fire way to blow it, said AD expert Keith Millar, a Microsoft Solutions product management director for Irvine, Calif.-based Quest Software.
Typically, a company will assign a team to tackle the AD architecture and rollout and, because of either pride or ignorance, the group will try to reinvent the wheel, he said. They'll ignore the deep experience of integrators, Microsoft Consulting Services and others.
Not asking for help before starting the project is asking for trouble and results in the same mistakes experts have seen – and solved – many times.
"Ask for help, and make sure you have educated, humble people on the team," Millar said.
3. Ensure redundancy
A lack of server redundancy can be the costliest of AD blunders, Hunter said. Except for single-server environments, a minimum of two domain controllers should be installed for load-balancing and failover, she said.
"IT pros should ensure that the five FSMO [flexible single master operations] roles are distributed among all existing DCs, because by default they will all remain on the first DC that is brought online in a given environment," Hunter said.
She added, "Remember that the Infrastructure Master needs to exist on a server that is not a Global Catalog server."
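The two checks above (the LMCompatibilityLevel registry value from tip 1, and FSMO role placement plus the Infrastructure Master/Global Catalog conflict from tip 3) can be audited read-only before anything is changed. The following PowerShell is an added example and is not code from the article or from any of the experts quoted; it assumes the ActiveDirectory module (RSAT, available from Windows Server 2008 R2 onward, so it is run from a current admin workstation against the domain rather than on a Windows 2000 box) and an account with ordinary read access. The function names and the report layout are this example's own.

```powershell
# Added example (not from the article): read-only pre-migration checks.
Import-Module ActiveDirectory

function Get-LmCompatibilityReport {
    # Documented meaning of each LMCompatibilityLevel value.
    $meaning = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 only, refuse LM'
        5 = 'Send NTLMv2 only, refuse LM & NTLM'
    }
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $key -Name LMCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the operating system default applies.
        return [pscustomobject]@{ Level = $null; Meaning = 'Not set (OS default applies)'; RefusesLegacyAuth = $false }
    }
    $level = [int]$item.LMCompatibilityLevel
    [pscustomobject]@{
        Level             = $level
        Meaning           = $meaning[$level]
        # Levels 4 and 5 refuse LM (and 5 also NTLM); this is the kind of
        # change the article says must be lab-tested while NT 4.0 BDCs remain.
        RefusesLegacyAuth = ($level -ge 4)
    }
}

function Get-FsmoPlacementReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # The five FSMO roles: two forest-wide, three per domain.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $holders   = @($roles.Values | Sort-Object -Unique)
    $infraDc   = Get-ADDomainController -Identity $domain.InfrastructureMaster
    $domainDcs = @(Get-ADDomainController -Filter *)
    $nonGcDcs  = @($domainDcs | Where-Object { -not $_.IsGlobalCatalog })
    [pscustomobject]@{
        Roles                    = $roles
        # Default state after the first DC is promoted: every role on one box.
        AllRolesOnOneDc          = ($holders.Count -eq 1)
        DomainControllerCount    = $domainDcs.Count
        InfrastructureMasterIsGC = $infraDc.IsGlobalCatalog
        # The IM-on-GC problem only matters when some DC in the domain is not a GC
        # (if every DC is a GC there is nothing for the IM to update).
        InfrastructureMasterConflict = ($infraDc.IsGlobalCatalog -and $nonGcDcs.Count -gt 0)
    }
}

# Run the checks and surface the findings the article warns about.
$lm = Get-LmCompatibilityReport
"LMCompatibilityLevel on this host: $($lm.Level) ($($lm.Meaning))"
if ($lm.RefusesLegacyAuth) {
    Write-Warning 'This level refuses LM/NTLM; confirm NT 4.0 BDC logon and replication in a lab before rollout.'
}

$fsmo = Get-FsmoPlacementReport
$fsmo.Roles.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }
if ($fsmo.DomainControllerCount -lt 2) {
    Write-Warning 'Only one domain controller found; a second DC is needed for load-balancing and failover.'
}
if ($fsmo.AllRolesOnOneDc -and $fsmo.DomainControllerCount -gt 1) {
    Write-Warning 'All five FSMO roles sit on a single DC; distribute them across the existing DCs.'
}
if ($fsmo.InfrastructureMasterConflict) {
    Write-Warning 'Infrastructure Master is on a Global Catalog server while non-GC DCs exist; move it to a non-GC DC.'
}
```

The script changes nothing; it only reports, which fits the article's advice to test before touching a registry value or moving a role. The registry check reads the local machine, so run it on each domain controller (or wrap it in Invoke-Command) rather than assuming one DC's value speaks for the rest.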
4. Enlist executive support
Millar suggested IT pros recruit an executive who can run "air cover" during the project to avoid stalls and politically charged meetings. This will avoid what Millar calls the "no-high-level-executive mistake."
AD deployment usually requires a redesign from the current NT 4.0 domain structure to a single hierarchy, he said. The project can become political, and someone may object to a new hierarchy and stall the project.
5. Seek advanced management tools before migration
Reading up on advanced management tools beforehand will result in a smoother AD migration, Millar said. Make that part of your well-hashed plan, and test the tools in a lab so the IT staff can more easily manage what will be a new network system.
Some AD deployment teams look for advanced management tools for AD after the implementation is started.
"This means the user base is running into problems while AD is in production," Millar said.