Problem solve Get help with specific problems with your technologies, process and projects.

Putting Active Directory in place: Dos & don'ts

You've sweated your way through a migration to Windows 2000 and Active Directory. Now what do you do with this new and different directory?

You've sweated your way through a migration to Windows 2000 and Active Directory. Now what do you do with this new and different directory?

"Because Active Directory (AD) brings a unified structure together, there's a whole sanity now with your IT infrastructure," according to AD expert Keith Millar. That organizational sanity was not present in NT. To get the benefits of AD, however, IT managers must take an organized approach to deployment and management, said Millar, Microsoft Solutions product management director for Irvine, CA-based Quest Software.

To help IT managers make the most of AD and Group Policy functionality, Millar offered this list of dos and don'ts tips.

Don't assume you can understand AD because you mastered NT 4, said Millar. "Just because you walked on water in NT 4, don't even assume you're ready to start doing anything on AD," he said.

Do make simplicity your underlying principle, said Millar. Some organizations' AD design committees mistakenly ask each department how many organizational units (OUs) they will want. Subsequently, "everybody submits their laundry list," Millar said. "You end up with these crazy AD designs with 250 OUs."

"Don't shoot for utopia," said Millar. The more complexity you put in AD, the more management dollars it will cost. Go with the most basic structure you can get away with. Millar recommended: domain, OU, and site.

Do use Group Policy as soon as you deploy AD. Group Policy is one function of AD that doesn't get used to its potential because people don't understand it, said Millar. Yet, one of the biggest value adds of Windows 2000 is Group Policy. "It's this whole Catch-22. It's one the best pieces of AD yet no one understands it." It's very different from NT 4, he said, but "it's not scary, it just has some complexity to it."

Don't leave Group Policy object (GPO) deployment until after users and computers are in operation. "It's much easier to never give end users features than to take them away," Millar said.

Do adopt the same attitude with access controls and security management. "Don't try to set up your help desk after all the users are calling," Millar said. This might sound silly, but sometimes people get sidetracked and focus on the migration too much. They don't think about setting up the help desk, said Millar.

Do make sure you understand Domain Name Service (DNS), and do make sure your DNS is set up properly. If you don't understand DNS, you can have a lot of problems with Windows 2000.

Do take advantage of the native delegation model in AD. NT 4 lacked a delegation model, Millar said. "There was no 'you manage this person or that person.' You either owned the whole domain or not," said Millar. Using the native delegation model in AD, you can give help desk workers the right to reset passwords and change group memberships, for example.

Do formulate an AD deployment team that will educate end users. This team should teach them how to do searches and publish shares and printers in the directory, said Millar. "If that requires you to have a hit squad that goes across the world to educate, that's a good thing."

Do educate end users on the intertwined relationship between AD and the desktop and the benefits of an underlying directory. "Get people to realize how ingrained AD is in Windows 2000," said Millar. For example, end users can go into the network neighborhood, look at the directory, find a user, right mouse-click and send an e-mail to them. Self-service is another good built-in tool, he said. Users can find their names in the directory and change their addresses, phone numbers and last names. "It's all baked in," said Millar. If you educate end users, "you'll get a power and momentum behind your deployment.

Do make sure some administrators understand Lightweight Directory Access Protocol (LDAP). "It's the lingua-franca for directories," said Millar. "When you understand LDAP, AD opens up." Querying becomes possible, he said, and LDAP can also help you interact with other directories.

Dig Deeper on Windows systems and network management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.