Computer Performance

Active Directory

Best Practice Active Directory Litmus Test

Professionals: Install the Active Directory feature of Windows 2003

Amateurs: Windows 2003 only as member servers in an NT 4.0 Domain


Implementing Active Directory

While the uptake of Windows Server 2003 has been brisk, only a minority of administrators are confident of installing the Active Directory feature. Amateurs install Windows Server 2003 only as a member server for their SQL database and mail servers.

It is a great shame that amateurs carry on using NT 4.0 domain controllers. Professionals, on the other hand, install Windows 2003 domain controllers and unleash the full benefit of Active Directory services.

Best practice for installing Active Directory

When you move to Active Directory, there are crucial decisions to make. Analysing the following factors will make the best practice clear.

1) How will you begin your migration? Either reformat the machines and build from scratch, a strategy I have heard called 'Wipe and Roll', or go for an 'In Place' upgrade to the new system. The in-place upgrade is simple, but has no rollback, and is therefore impractical for big organisations.

2) Understand DNS and choose the best naming system for your new root domain.  DNS with its new SRV records is vital for Active Directory.  So do not even think about promoting a member server to a domain controller until you are an expert on DNS.

3) Plan how many domains you really need, and how they will be linked.

4) Take advantage of Organizational Units and delegation to manage your users and computers.

5) Develop a vision of your desktops, then create that lockdown through Group Policy.

6) Calculate the best distribution of physical sites.  Consider upgrading network connections.

7) Take the time to understand the Windows 2000 Schema as it defines all the objects in Active Directory.

8) Upgrade the desktops first.  The reasons for this tactic are practical rather than logical - users need the benefits of XP Professional quickly.

 

See much more about Active Directory here.

FSMO Roles

For most operations, Windows 2003 uses the multiple master model. For example, if you have three domain controllers, you can physically create a new user in the NTDS.dit database on any of the three. Five minutes later, the new user object will be replicated to the other domain controllers.

Unlike NT 4.0, there are no primary and backup domain controllers in Windows 2003.  However, a few operations are so critical that only one domain controller can carry out that operation.  These operations are called Flexible Single Master Operations (FSMO); creating a new child domain would be one example of a single master operation.

I have to confess a hidden agenda with FSMO.  If I want to instantly know how well someone knows Active Directory, I introduce FSMO into the conversation and watch their reaction.  Professionals will know what FSMO means and its significance, amateurs just frown.

The five FSMO roles are:

  1. PDC Emulator - For NT 4.0 BDCs, but also for synchronizing time and creating group policies.
  2. RID Master - Each object must have a globally unique number. The RID master makes sure each domain controller issues unique numbers when you create objects like users.
  3. Infrastructure Master - Responsible for checking Universal group membership in multiple-domain forests.
  4. Domain Naming Master - Ensures that each child domain has a unique name.
  5. Schema Master - Operations that involve expanding user properties, e.g. Exchange 2000 adds the mailbox property to users.
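
One way to see which domain controller currently holds each of the five roles, and whether it is reachable, added here as an example and not part of the original article. It assumes a domain-joined host with the RSAT ActiveDirectory and DnsClient PowerShell modules (both newer than Windows 2003); `Get-FsmoRoleReport` is a hypothetical name.

```powershell
# Added example. Requires the ActiveDirectory and DnsClient modules and
# Test-NetConnection, none of which ship with Windows Server 2003.
Import-Module ActiveDirectory

function Get-FsmoRoleReport {
    param(
        # Defaults to the domain of the machine running the script.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $d = Get-ADDomain -Identity $Domain
    $f = Get-ADForest -Identity $d.Forest

    # Three roles are per-domain, two are per-forest.
    $roles = [ordered]@{
        'PDC Emulator'          = $d.PDCEmulator
        'RID Master'            = $d.RIDMaster
        'Infrastructure Master' = $d.InfrastructureMaster
        'Domain Naming Master'  = $f.DomainNamingMaster
        'Schema Master'         = $f.SchemaMaster
    }

    # The PDC emulator registers its own SRV record in DNS, so DNS and the
    # directory can be cross-checked for this role.
    $srvName = "_ldap._tcp.pdc._msdcs.$($d.DNSRoot)"
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.NameTarget }   # keep SRV answers, drop glue A records

    foreach ($role in $roles.GetEnumerator()) {
        # A role holder that cannot be reached on LDAP cannot do its job.
        $ldapOk = Test-NetConnection -ComputerName $role.Value -Port 389 `
            -InformationLevel Quiet -WarningAction SilentlyContinue

        [pscustomobject]@{
            Role          = $role.Key
            Holder        = $role.Value
            LdapReachable = $ldapOk
            # Only meaningful for the PDC emulator; $null for the other roles.
            PdcSrvMatches = if ($role.Key -eq 'PDC Emulator') {
                $srv.NameTarget -contains $role.Value
            } else { $null }
        }
    }
}

Get-FsmoRoleReport | Format-Table -AutoSize
```

A holder that shows `LdapReachable` as False, or a PDC emulator whose SRV record points elsewhere, is worth investigating before any schema extension or new child domain is attempted.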

Copyright © 1999-2008 Computer Performance LTD. All rights reserved.
