Understanding Windows Active Directory
A properly designed directory represents a model of the organization it serves, including not only information about computers, users and resources, but also establishing and enforcing security policies, access controls, data flows and much more. That’s why Active Directory sits at the heart of any modern Windows network, and it’s what makes understanding Active Directory techniques so important. This is a subject that anyone could spend years studying, and a decade to master completely. Here, we’ll explain what’s involved in working with Active Directory throughout information system lifecycles.
Understanding Comes First
Before you try to do anything with Active Directory, it’s essential to understand what it is and what it does. By analogy, Active Directory does for a collection of Windows servers (called domain controllers), together with the computers, users and other resources under their control, what the Windows registry does for an individual Windows machine. By definition, Active Directory (AD) is Microsoft’s proprietary directory service; it provides an information storage and control system that is both centralized (there is only one logical database behind any given directory tree) and distributed (multiple copies may exist, and the system keeps them synchronized and coordinated).
The intent of AD is to capture information about and to automate management of user data, security and access controls, and distributed resources of all kinds. AD uses standard directory protocols and services (such as the IP-based LDAP protocol) so that it can work with other directory services, such as Novell Directory Services (NDS) or Sun Directory services (though this is always easier in theory than in actual practice). Active Directory is organized into individual containers called directory trees, which may be further aggregated into directory forests. It’s a complex environment with many tools and utilities involved in its design, maintenance, troubleshooting and so forth.
Key AD features include the following:
- Support for the ISO X.500 standard for global directories.
- Support for secure, Web-based network operations.
- Hierarchical organization with delegation of authority to enable local management of local resources and centralized management of global resources and controls (to a restricted class of domain/directory administrators).
- Object-oriented data representation and storage, for easy searching of and access to directory data.
- Designed to work with older Windows domain models (such as NT 4.0 domain controllers) and to interoperate with newer implementations (so that AD for Windows 2000 works well with AD for Windows Server 2003, albeit through a restricted logical view).
Before anyone goes to work on AD, some learning and study are highly recommended. Microsoft offers lots of tutorials and educational material through TechNet and the applicable product documentation. The company has also published numerous books on AD under the Microsoft Press imprint, and it offers numerous training courses on AD for both Windows 2000 and Windows Server 2003. A plethora of third-party books, courses and other information about AD is also available.
Two Paths to Active Directory Implementation
The best techniques and practices that apply to AD vary according to whether an organization has already implemented AD or whether it seeks to implement (or migrate to) Active Directory for the first time. For those on the migration or first-time-implementation path, some initial design and planning is absolutely essential. For those working in environments where AD is already up and running, assessment and analysis will indicate whether additional design and planning are needed or not. In the sections that follow, we’ll step through a complete collection of categories under which Active Directory techniques and best practices can be organized; these may not apply in all situations, so use your best judgment as you decide on their applicability to your circumstances.
Planning for Active Directory
For many organizations, moving to AD also means migrating to newer versions of Windows—namely, Windows 2000 Server (the first platform to support AD) or Windows Server 2003 (the most current AD implementation available). During this phase of activity, planning falls into multiple categories:
- Examining processor, memory, storage and other system requirements for the chosen Windows version, and deciding if existing equipment is suitable or if new equipment must be acquired.
- Identifying and piloting migration from earlier Windows environments (typically, Windows NT 4.0) to understand and learn the process before moving into full-scale production. Please note that Microsoft offers numerous migration tools to help administrators preserve and transport whatever information about systems, users, resources, access controls and so forth makes sense to carry over during such a move. (Search Microsoft.com or TechNet for “Active Directory migration tools” to see what’s available.)
- Establishing relationships with IT and other executives to educate them about AD and to explain how building directory services can have political ramifications. (This gets increasingly important as more sites or autonomous operating units fall under a single organizational umbrella.)
Numerous consulting companies specialize in Active Directory-related services and are available to help with all phases of AD activity. Use them if you can’t grow sufficient expertise in your own organization to do things entirely on your own.
Designing an Active Directory
This phase requires that you inventory system and information assets, review (or formulate) security policy and understand the kinds of users, user communities, communications links and access controls your organization requires. This is roughly the same as the assessment phase mentioned later in this story, except it’s always more work to do this for the first time than it is to inspect an existing directory services environment and decide how well it continues to fit current needs and circumstances.
Once the inventory and assessment phases are completed, you’ll need to create a model of your organization that includes information about users, how users fit into various organizational operating units or job roles, how desktops and servers fit into information processing and delivery needs and how other resources fit into the overall picture. This brief description can’t really tally the amount of work that needs to be done, nor the levels of approval and management buy-in that are necessary, but this phase often takes three months or longer to complete and usually involves a team of professionals. This is also the point at which security policy is mapped into AD Group Policy Objects and where controls for local and remote network access must be formulated.
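As an added example (not part of the original article), the following PowerShell script gathers the kind of inventory the assessment and design phases call for from an existing domain: every OU, the GPOs linked to it, and the explicit access-control entries that record delegated authority. It assumes the RSAT ActiveDirectory and GroupPolicy modules and an account with read access to the directory; the output file name is a placeholder.

```powershell
# Added example, not the article's own code: read-only inventory of an
# existing AD domain's OU tree, linked GPOs and hand-set (delegated) ACEs.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName

# Every OU in the domain, sorted so parents precede children in the report.
$ous = Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn |
       Sort-Object DistinguishedName

$report = foreach ($ou in $ous) {
    # GPOs linked directly to this OU; the same call reports whether the OU
    # blocks policy inheritance from its parent containers.
    $inh   = Get-GPInheritance -Target $ou.DistinguishedName
    $links = $inh.GpoLinks | ForEach-Object {
        "{0}{1}" -f $_.DisplayName, $(if ($_.Enforced) { ' (enforced)' } else { '' })
    }

    # Explicit (non-inherited) Allow entries on the OU: these are the
    # delegations someone set by hand and are the ones to review against the
    # security policy. Inherited entries come from the parent and are skipped.
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    $delegated = $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { "{0}: {1}" -f $_.IdentityReference, $_.ActiveDirectoryRights }

    [pscustomobject]@{
        OU                = $ou.DistinguishedName
        BlocksInheritance = $inh.GpoInheritanceBlocked
        LinkedGPOs        = ($links -join '; ')
        ExplicitACEs      = ($delegated -join '; ')
    }
}

# Review on screen, then export for the design team (placeholder file name).
$report | Format-Table -AutoSize -Wrap
$report | Export-Csv -Path .\ad-ou-inventory.csv -NoTypeInformation
```

An OU that blocks inheritance, or an explicit ACE granting GenericAll or WriteDacl to a non-administrative group, is exactly the kind of finding that should be reconciled with the security policy before the model is signed off.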
Implementing Active Directory
If a pilot migration has succeeded, a real migration will get underway, followed by adding all the data that AD requires that Windows NT domains never dreamed existed. Many organizations choose to implement AD piecemeal and create organizational units, each with its own directory context, so that entire multi-site networks don’t have to make the switch all in one go. Experience teaches that the more complex and far-flung the organization, the more sense incremental directory implementation makes. This is particularly true when not all sites or organizations have trained, directory-savvy IT staff on site and must rely on headquarters staff or experts housed in other locations. This is also the final step in the first-time process, so that IT professionals working in existing AD environments may not need to tackle them any time soon (but