April 18, 2001, 10:12 AM — Windows 2000 has been available for more than a year, but many people are still struggling with how to implement the most promising and most complex part of Microsoft Corp.'s new operating system: Active Directory. Windows 2000, Microsoft's first enterprise-ready operating system, uses Active Directory to provide scalable, secure and Lightweight Directory Access Protocol (LDAP) standards-based directory services. Many tools are available to assist administrators and planners in this process, but administrators may wonder where to start.
Designing an Active Directory requires a methodology with a strong focus on your political, business and security requirements. You also need to take into consideration how the big picture evolves as you integrate new applications with a Windows 2000 infrastructure over time. This becomes even more important as the Microsoft software is evolving into the .Net world. We focus here on the 10 most critical steps you'll need to consider during the design of your corporate Active Directory.
Build the project teams
To properly start a Windows 2000 project, it's critical to first understand the reasons for implementing the new infrastructure. One may be to consolidate servers and domains to reduce ownership, administration, maintenance and troubleshooting costs. Another might be to provide an infrastructure for mission-critical applications, such as Microsoft Exchange 2000 Server. You must also understand your current IT environment and administrative model before creating a project plan and project team.
The number and size of each team varies from project to project, but groups are generally created for the directory, networking, operations and management, security, migration, client platforms, application deployment and development, and system sizing.
Designing Active Directory also requires strong cooperation between different teams in your organization -- teams that had little in common in the past. An Active Directory can't be effectively implemented without good communication between the directory, networking and security groups in your organization.
In an Active Directory design, roles may be inverted creating further tensions. In the past, for example, the Windows NT people owned the data and the Exchange group owned the directory. Now with the Web store in Exchange 2000, the messaging group will own the data and the NT people will own the directory. Furthermore, the NT group now must provide the necessary services for e-business in terms of security, interoperability and availability.
Design the Active Directory schema
The Active Directory schema design defines what Active Directory objects (such as users, groups and servers) will be created. Setting up the schema design is easy if the default Active Directory schema will satisfy the needs of your organization. Your organization may, however, require the storage of special objects or attributes in the Active Directory. This may require the generation of new object identifiers, which define object classes and their attributes. The Active Directory schema design also defines which objects and attributes will be indexed and what will be published in the Active Directory's Global Catalog (GC), the domain controller that acts as a master directory of all domain objects.
Your Active Directory schema design should also extend beyond your Windows 2000 environment to integrate with other directory services or metadirectories. Such requirements may bring up synchronization and integration challenges, so you should detect them as early as possible in the Active Directory design.
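The following PowerShell function is an added example, not part of the original article. It reports the attributes that are published in the Global Catalog, shows their object identifiers and whether they are indexed, and can be limited to attributes outside Microsoft's own OID arc (1.2.840.113556), which is a quick way to spot third-party or custom schema extensions during a design review. It assumes a domain-joined host with the RSAT ActiveDirectory module and read access to the schema partition; the function name is hypothetical.

```powershell
# Added example (not the article's code). Assumes the RSAT ActiveDirectory
# module is installed and the caller can read the schema naming context.
Import-Module ActiveDirectory

function Get-GcPublishedAttribute {
    <#
      Lists every attributeSchema object replicated to the Global Catalog
      (isMemberOfPartialAttributeSet = TRUE), with its OID (attributeID)
      and whether it is indexed (searchFlags bit 0x1).
    #>
    param(
        # Schema naming context, discovered from the rootDSE by default
        [string] $SchemaNC = (Get-ADRootDSE).schemaNamingContext,
        # Show only attributes whose OID is outside Microsoft's arc
        [switch] $CustomOnly
    )

    Get-ADObject -SearchBase $SchemaNC -LDAPFilter '(objectClass=attributeSchema)' `
                 -Properties lDAPDisplayName, attributeID, searchFlags, isMemberOfPartialAttributeSet |
        Where-Object { $_.isMemberOfPartialAttributeSet -eq $true } |
        Where-Object { -not $CustomOnly -or $_.attributeID -notlike '1.2.840.113556.*' } |
        ForEach-Object {
            [pscustomobject]@{
                Attribute = $_.lDAPDisplayName
                OID       = $_.attributeID
                Indexed   = (([int]$_.searchFlags) -band 0x1) -ne 0
            }
        } | Sort-Object Attribute
}

# The GC copy of an attribute is readable from every domain in the forest,
# so review this list against the schema design before publishing more.
Get-GcPublishedAttribute -CustomOnly | Format-Table -AutoSize
```

Run without -CustomOnly to see the full partial attribute set; the Indexed column tells you which of those attributes can be searched efficiently, which is the other decision the schema design has to record.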
Design the DNS model
The planning and design of the Windows 2000 Domain Name System (DNS), which translates user-friendly domain names to actual Internet Protocol addresses, can be split into two design subtasks: the DNS namespace design, which describes each domain, and the DNS server infrastructure design.
Because of the tight integration of DNS and the Active Directory infrastructure, the namespace design goes hand-in-hand with the Active Directory design. Both DNS and Active Directory infrastructure design are iterative processes that will influence each other continually.
During the namespace design, it's important to first examine your business needs. Next, you need to decide whether you plan to integrate Windows 2000 DNS with a legacy DNS infrastructure and whether you need to consider the impact of an Internet presence for your corporate DNS namespace design.
During the DNS design, remember that this is a critical service for Active Directory and Windows 2000. The DNS server infrastructure must be fault-tolerant, highly available, easily accessible and must provide minimal latency for the replication of DNS database changes.
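The check below is an added example and not part of the article. Windows 2000 domain controllers register the SRV record _ldap._tcp.dc._msdcs.<domain>, and clients query it to locate a domain controller, so a DNS server that cannot answer it, answers it slowly, or answers it differently from its peers undermines the availability requirement described above. The function queries that record against each DNS server you list, records the response time, and warns when servers fail or disagree. It assumes the Resolve-DnsName cmdlet (DnsClient module, Windows 8/Server 2012 and later); the function name, domain name and server addresses are placeholders.

```powershell
# Added example (not the article's code). Assumes the DnsClient module's
# Resolve-DnsName cmdlet is available on the host running the check.
function Test-DcLocatorRecords {
    param(
        [Parameter(Mandatory)] [string]   $DnsDomain,
        [Parameter(Mandatory)] [string[]] $DnsServer
    )
    # Every domain controller registers this name; every DNS server that
    # clients can reach must return the same set of targets for it.
    $srvName = "_ldap._tcp.dc._msdcs.$DnsDomain"

    $results = foreach ($server in $DnsServer) {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            $sw.Stop()
            [pscustomobject]@{
                DnsServer = $server
                Answered  = $true
                Targets   = (@($srv | ForEach-Object { $_.NameTarget.ToLower() }) | Sort-Object) -join ' '
                Millis    = $sw.ElapsedMilliseconds
                Error     = ''
            }
        } catch {
            $sw.Stop()
            [pscustomobject]@{
                DnsServer = $server
                Answered  = $false
                Targets   = ''
                Millis    = $sw.ElapsedMilliseconds
                Error     = $_.Exception.Message
            }
        }
    }

    $results | Format-Table -AutoSize

    # Fault tolerance: every listed server must answer.
    if (@($results | Where-Object { -not $_.Answered }).Count -gt 0) {
        Write-Warning "At least one DNS server failed to answer $srvName"
    }
    # Replication health: answering servers must agree on the DC list.
    $distinct = @($results | Where-Object Answered | Select-Object -ExpandProperty Targets -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "DNS servers disagree on the DC list for $srvName (replication lag or stale records)"
    }
}

# Placeholder domain and DNS server addresses; replace with your own.
Test-DcLocatorRecords -DnsDomain 'corp.example.com' -DnsServer '10.0.0.10', '10.0.0.11'
```

Running this from each site after a zone change shows both the replication latency the article warns about (servers that still return the old target set) and any server that clients would fail over to without getting an answer.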
Design the domain model