The votes are in, and it's clear that deploying Microsoft's Active Directory is a task like none other ever attempted by seasoned Windows NT administrators.
The complexity of the directory -- from planning, to corporate politics, to the actual technology -- is stretching some deployment projects well past their original timetables.
Nearly half of IT executives planning to roll out Windows 2000 in the next year are deferring a full Active Directory deployment indefinitely, according to a recent survey by Giga Information Group. And of the 30% of NT users that have deployed or are deploying the directory, only about half are doing a full-scale rollout.
Despite the conservative plans, users say they want to run Active Directory to ease user and resource management.
What is needed to get over the hump?
Planning, of course, is key. But from a technology perspective, experts say IT executives must budget for third-party tools to help with the migration as well as ongoing management.
"About 80% of Active Directory deployments will require third-party tools because what Microsoft gives you out-of-the-box is not very adequate," says Neil MacDonald, an analyst for Gartner Group.
Microsoft, for its part, says its Active Directory Migration Tool (ADMT) will be adequate for 80% of organizations with a simple NT environment or tight deployment plan. Microsoft is adding password migration in future versions, according to Perry Anton, product manager for Active Directory.
But even Microsoft used third-party tools for its migration to Active Directory.
Paying the price
Most enterprise users will pay between $35 and $55 per user for a decent suite of tools. IT executives can expect costs to range from nominal to a noticeable percentage of the overall project, depending on which tools are used.
There is, however, some budgetary relief available. FastLane Technologies is providing its DM/Manager, a domain consolidation and user migration tool, free for 12 months to those who register by June. NetIQ's tools are free to those who contract with Microsoft Consulting Services. NetPro is publishing an online book on migration, chapter by chapter.
Other vendors, such as Aelita and BindView, also provide tools.
The range of features is dizzying and includes tools for assessing the readiness of current network environments, migrating users and accounts from NT or other platforms, and modeling directory architectures. The tools also provide rollback mechanisms to correct errors, management of group policy and delegation rights, mapping of security identifier (SID) history, monitoring of directory replication and other functions, and management products for post-deployment use.
"It's cut and dried for our environment -- we require third-party tools for a rollout to be a success in an enterprise our size," says Greg Speer, project manager for the NT domain architecture team at a large semiconductor manufacturer. Speer, who has 20,000 globally dispersed users, says Microsoft's ADMT won't cut it.
For example, ADMT's project management features are weak, and project management is a must-have for Speer. "The third-party tools facilitate that process and allow us to manage multiple parts of the project at once," says Speer, who is testing FastLane's DM/Manager.
Speer says such tools handle heavy-duty jobs such as resetting access control lists and modifying source and target accounts.
While experts say every organization with more than 1,000 employees will need tools, even smaller firms are being swayed.
"We don't know which specific tools we'll be using, but we've already built them into our budget," says Brook Smith, network administrator for Forum Financial Services. Smith has 300 users he will migrate to Windows 2000 by year-end.
"We realize from a risk perspective we need a tool so we can roll back to a known stable environment if we have trouble," he says. "We don't have a tolerance for risk."
Reduced risk is one benefit, but the vendors' message also stresses easier server consolidation and user migration.
Competition between the tool vendors heated up last year when BindView gobbled up Entevo, NetIQ consumed Mission Critical, and FastLane was acquired by Quest Software. The result now is that each vendor offers a suite of tools that IT executives can use from start to finish and beyond when rolling out Active Directory.
Aelita, BindView, FastLane and NetIQ all provide tools for migrating users from NT to Windows 2000.
The tools, which also support migrations from Novell's NetWare, let users clean up and consolidate domains before moving users to Active Directory.
Project management is a key feature for FastLane's DM/Manager, NetIQ's Domain Migration Administrator, BindView's bv-Admin for Windows 2000 and Aelita's Controlled Migration Suite.
"Directory technology is complex, but that is the least of the issues," says David Waugh, vice president of marketing for FastLane. "Project management is the largest."
One key issue is carrying NT SID history into Active Directory's access controls. SID history lets migrated users keep access to NT resources whose access control lists still reference their old NT SIDs, which matters while Active Directory runs alongside a mix of NT and Win 2000 servers.
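As an added illustration (not code from the article or from any vendor's product), the following model shows why SID history matters in a mixed NT/Windows 2000 environment and how re-ACLing resources removes the dependence on it. The domain SIDs, account and ACL are constructed placeholders, and the ACL evaluation is simplified to "any matching deny wins".

```python
"""Model of how SID history preserves access during an NT-to-Active Directory
migration. Constructed example; SIDs are placeholder strings, not real domains."""
from dataclasses import dataclass, field

# Constructed sample domain SIDs (placeholders).
OLD_NT_DOMAIN = "S-1-5-21-1111-2222-3333"
NEW_AD_DOMAIN = "S-1-5-21-4444-5555-6666"


@dataclass
class Account:
    name: str
    sid: str                                           # primary SID in the new AD domain
    sid_history: list = field(default_factory=list)    # old NT SIDs carried over
    groups: list = field(default_factory=list)         # group SIDs in the new domain


def token_sids(acct):
    """SIDs placed in the user's access token: primary SID, group SIDs and,
    when present, every SID history entry."""
    return {acct.sid, *acct.groups, *acct.sid_history}


def has_access(acct, acl):
    """acl: list of (sid, 'allow' | 'deny') entries. Simplified NT-style
    evaluation: a matching deny entry overrides any matching allow."""
    sids = token_sids(acct)
    matched = [(s, kind) for s, kind in acl if s in sids]
    if any(kind == "deny" for _, kind in matched):
        return False
    return any(kind == "allow" for _, kind in matched)


def re_acl(acl, sid_map):
    """Translate old NT SIDs in an ACL to the new AD SIDs: the 'resetting
    access control lists' step that lets SID history be retired later."""
    return [(sid_map.get(s, s), kind) for s, kind in acl]


def demo():
    old_sid = OLD_NT_DOMAIN + "-1105"
    new_sid = NEW_AD_DOMAIN + "-2001"
    share_acl = [(old_sid, "allow")]            # NT share still ACL'd with the old SID
    without_history = Account("jdoe", new_sid)
    with_history = Account("jdoe", new_sid, sid_history=[old_sid])
    results = {
        "no_sid_history": has_access(without_history, share_acl),
        "with_sid_history": has_access(with_history, share_acl),
    }
    fixed_acl = re_acl(share_acl, {old_sid: new_sid})   # after re-ACLing the resource
    results["after_re_acl_no_history"] = has_access(without_history, fixed_acl)
    return results


if __name__ == "__main__":
    print(demo())
```

Once every resource has been re-ACLed, the SID history entries can be removed, which shrinks the set of SIDs each migrated token carries.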
Project management also helps IT executives create a history of what they've done, what succeeded and what failed.
"The software allows you to set up multiple projects and define what you are doing and then report on the results," says Greg Todd, director of product and migration tools for NetIQ.
Modeling is another key feature of the tool suites. This lets users create a model of their planned directory architecture and test how it will function.
On top of that, companies such as NetPro with its Directory Analyzer and BMC Software with Patrol offer tools that monitor and report on functions such as replication, domain controllers and global catalogs.
"We are seeing the sobering of thought in IT as it finally starts to believe in the complexities of Active Directory," says John Dandeneau, manager of the Microsoft practice at integrator ePresence, which runs a seminar series on migrating to the directory. "There is no one [right] way to do migrations, but there are lots of wrong ways. You don't want to do this without some sort of tool."
This story, "Fill that toolbox before tackling Active Directory" was originally published by Network World.