This page is designed to help you understand Microsoft’s Active Directory. Just as you might admire a diamond by looking at its different facets, so you can build up a picture of Active Directory by examining its many sides.
The seven sides of Active Directory
Active Directory will be the backbone and nerve centre of Microsoft’s operating systems for the foreseeable future. The best way to understand Active Directory (AD) is to answer these questions.
Plan to have as few domains as possible. Learn from the mistakes of NT, where there were far too many domains. Technically a domain can contain 1 million objects.
Remember that whenever you install Windows 2000 Server it begins life as a member server. To install AD on a server, go to the Start Menu, then Run, and type DCPROMO. That part is easy. The difficult part is planning the names of your domains, trees and OUs. To do this you must understand DNS and be proficient in LDAP.
Try out Visio, a powerful program for modelling your AD structure.
Migration from NT 4.0 is a separate topic from a pure installation. In brief, there are two main strategies: upgrade the PDC in an existing domain, or start with a new domain and import the users from NT 4.0 using a bulk import program such as CSVDE.
Now that you are building up an understanding of AD, I would like to stress the importance of naming. It is vital to understand all the ramifications of your namespace, e.g. domain name, e-mail names and DNS names. Learn from the mistakes of others. It is claimed that all those who were at the leading edge of the migration to Windows 2000 Active Directory have by now ripped out their first installation and started again. Why? Because somewhere along the line they got their naming wrong.
Two of the extra benefits of Active Directory are OUs (Organisational Units) and delegation. The idea is to manage users through OUs. Typically this can be done to reflect your organisation tree, or by creating an OU for each geographic site. You could get help from a network architect, or plan it yourself with Visio.
Use Group Policies and software deployment to control the desktop. Group Policies started life as System Policies in NT 4.0. In Windows 2000 Group Policies are an essential part of your battle to win control of the desktop and to reduce expensive support calls from users who ‘break’ their systems. What is more, the idea of controlling the desktop has extended to almost all areas, e.g. RAS dial-up control and Exchange 2000 mailbox limits. Every network administrator likes being ‘Mr Nasty’ and screwing down the desktop, but there is now a new role: ‘Mr Nice’. ‘Mr Nice’ uses Group Policies to deploy the software that users need to do their job. Group Policies are a topic in their own right; be sure to give yourself plenty of time for testing.
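The naming and OU points above, and the CSVDE bulk-import strategy mentioned earlier, come together in the distinguished names you have to write for every object. The following script is an added example, not code from the original article: it builds DNs for a per-site OU layout, escapes the characters that would otherwise let a comma or plus sign in a user's name change the DN structure, and emits a CSVDE import file. The domain `corp.example.com`, the OU layout and the user records are constructed sample data.

```python
# Added example, not from the original article: builds LDAP distinguished
# names for a site-based OU layout and writes a CSVDE import file for the
# bulk-import strategy the article mentions.  The domain, OU layout and
# user records are constructed sample data.
import csv
import io

# Characters that RFC 4514 requires escaping inside a DN attribute value.
_DN_SPECIAL = set('\\,+"<>;')


def escape_dn_value(value: str) -> str:
    """Escape one RDN attribute value so text taken from an NT 4.0 export
    cannot alter the DN structure (a comma in "Smith, Jane" would otherwise
    start a new RDN)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' must be escaped
            out.append("\\#")
        elif ch == " " and i in (0, last):   # leading/trailing spaces too
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def domain_dn(dns_name: str) -> str:
    """corp.example.com -> DC=corp,DC=example,DC=com"""
    return ",".join("DC=" + escape_dn_value(label) for label in dns_name.split("."))


def build_user_dn(cn: str, ou_path: list, dns_name: str) -> str:
    """ou_path runs from the top of the tree downwards, e.g. ["London", "Users"]
    gives CN=...,OU=Users,OU=London,DC=... (innermost RDN first)."""
    rdns = ["CN=" + escape_dn_value(cn)]
    rdns += ["OU=" + escape_dn_value(ou) for ou in reversed(ou_path)]
    rdns.append(domain_dn(dns_name))
    return ",".join(rdns)


# Column order for the CSVDE import file: DN must come first.
CSVDE_HEADER = ["DN", "objectClass", "sAMAccountName", "userPrincipalName", "displayName"]


def to_csvde(users, dns_name: str) -> str:
    """Return CSVDE import text. Each user is (display name, sAMAccountName, OU path)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(CSVDE_HEADER)
    for display_name, sam, ou_path in users:
        writer.writerow([
            build_user_dn(display_name, ou_path, dns_name),
            "user",
            sam,
            f"{sam}@{dns_name}",
            display_name,
        ])
    return buf.getvalue()


# Constructed sample records, as they might come out of an NT 4.0 export.
SAMPLE_USERS = [
    ("Jane Smith", "jsmith", ["London", "Users"]),
    ("O'Brien, Pat", "pobrien", ["Paris", "Users"]),
]

if __name__ == "__main__":
    # Write the file and import it with:  csvde -i -f users.csv
    print(to_csvde(SAMPLE_USERS, "corp.example.com"))
```

Two practical notes: CSVDE cannot import passwords, so the accounts it creates are disabled until you set a password and enable them, and the escaping function is exactly the piece people skip when they hand-write import files, which is why names containing commas or ampersands end up as malformed DNs.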
SEARCH (Replaces FIND)
So far we have described the object-based nature of AD, but it also provides a Search mechanism for you to find users or printers on your network. Microsoft do not change names without good reason; you will notice in Windows 2000 that on the Start menu, Find has been replaced with Search.
Do thoroughly test your Active Directory network. My point is that many companies have a defined product or service and would not dream of releasing a new product without thorough testing, so make sure your technical department has the same testing facilities for the network that you would have for a new product. Another use of the test network is to act as a backup: in an emergency you can quickly replace a faulty server with one from the test network.
The physical structure of Active Directory is much like sites in Exchange. Firstly, sites are completely independent of the Domain and Tree logical structure. Secondly, sites are defined by the subnets that the servers are on. Thirdly, you need to create and configure a site connector to join and synchronise Active Directory between different sites.
Windows 2000 uses a change notification system to keep all the domain controllers synchronised. When you have more than one domain controller, there will be a delay of 5 minutes before changes reach the other partners at the same site.
The reasons for creating a second site would include slow network links and the desire to control directory replication. The site connectors allow you to control the intervals between replication; the default is 3 hours. Do remember to create subnet objects and to associate them with the appropriate sites. While Windows 2000 clients automatically work out which subnet they are in, you have to manually assign the server the correct IP address and use the Active Directory Sites and Subnets snap-in to configure the server object.
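To make the subnet-to-site mapping concrete, here is an added example that is not part of the original article. It models how a client address is matched against subnet objects (the most specific matching subnet wins, which is the behaviour this code assumes) and, more usefully, audits a list of observed client addresses for ones that no subnet object covers; those are the clients that will authenticate against a domain controller in whatever site they happen to find, often across the slow link you created the second site to protect. The site names, subnets and client addresses are constructed.

```python
# Added example, not from the original article: models how a client is
# matched to an AD site through subnet objects (most specific matching
# subnet wins) and audits addresses that fall outside every defined
# subnet.  Site names, subnets and client addresses are constructed.
import ipaddress

# Constructed subnet-object table: subnet -> site it is associated with.
SUBNET_TO_SITE = {
    "10.1.0.0/16": "London",
    "10.1.250.0/24": "London-ServerRoom",  # more specific, inside 10.1.0.0/16
    "10.2.0.0/16": "Paris",
}


def build_subnet_table(mapping):
    """Parse the subnet strings once and sort longest prefix first, so the
    first hit during lookup is the most specific subnet."""
    table = [(ipaddress.ip_network(cidr, strict=True), site)
             for cidr, site in mapping.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def find_site(ip, table):
    """Return the site for ip, or None if no subnet object covers it."""
    addr = ipaddress.ip_address(ip)
    for net, site in table:
        if addr in net:
            return site
    return None


def audit_clients(ips, table):
    """Group observed client addresses by site. The key None collects the
    addresses that need a subnet object creating and associating."""
    result = {}
    for ip in ips:
        result.setdefault(find_site(ip, table), []).append(ip)
    return result


# Constructed addresses, e.g. taken from DHCP leases or logon records.
SAMPLE_CLIENTS = ["10.1.4.20", "10.1.250.7", "10.2.9.1", "192.168.50.3"]

if __name__ == "__main__":
    table = build_subnet_table(SUBNET_TO_SITE)
    for site, members in audit_clients(SAMPLE_CLIENTS, table).items():
        print(site or "NO SITE (create a subnet object)", members)
```

Run the audit after every network change: a new VLAN that nobody registered as a subnet object shows up under the None key, and a misplaced server address shows up in the wrong site.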
The concept behind Group Policies is that administrators configure settings once, and they then apply continuously to the users. Furthermore, Group Policy can be applied to computers, so you can control the settings no matter who logs on. The way that Group Policy works is to alter settings in the registry.
The old saying "Prevention is better than cure" certainly applies to Group Policies. A good Group Policy will give greater productivity for the users and save you time on routine administration. Think of all the damage and time wasting a user could cause trying out different control panel settings. The worst case that I have seen was a user who set the refresh rate too fast on a monitor; his screen literally went up in smoke!
Just wading through the hundreds of policies is a Herculean task. My suggestion is to commission two opposite approaches. Get a ‘techie’ who understands Windows 2000 to go through the policies and select those settings that he thinks appropriate. Then ask a manager to produce a vision or wish list of what the desktop should look like. Finally, bring the two disparate mindsets together and weld them into your Group Policy.
- Active Directory Replication Monitor – Support tools from the CD
- ADSI – Support tools from the CD
- Schema Snap-in. Run regsvr32 schmmgmt.dll; the Active Directory Schema snap-in will then be available in the MMC or Administrative programs
Checklist for further investigation
- Active Directory Sites and Services. (Administrative Tools)
- Global Catalog servers
- Locations especially with printers
- Active Directory Connections
- Kerberos Security
- Switching from Mixed to Native Mode