Active Directory: Leap Forward or Long March?

As the countdown to Microsoft’s Windows 2000 release continues, it’s time to begin your Active Directory migration planning.

With features enabling single sign-on, improved roaming and remote administration, delegated administration, standards support and richer APIs, Active Directory represents a great leap forward from NT. But despite extensive beta testing, much remains unknown. How big can domains get? What reliability and performance levels will users see? Where will the cross-platform interoperability “gotchas” lie?

Active Directory can offer real business value and some long-term savings. If your existing NT environment is disorganized and unstable, return on investment (ROI) may come soon. But if your network is widely distributed with weak WAN links and old gear on the desktop, Active Directory will be more expensive to deploy.

In all cases, it’s important to set Windows 2000 guidelines soon. Otherwise, you may fall victim to bottom-up deployment as internal users begin deploying Windows 2000 without you, creating incongruous namespaces and inconsistent security practices that will be hard to change later.

To estimate ROI and provide guidance, you’ll need an Active Directory architecture that includes namespace and schema design, domain controller topology, security policies and administration conventions. Develop these in concert with overall enterprise network, desktop, server, Domain Name System, directory, security and other co-dependent enterprise architecture threads.

Then put together a migration plan. There are two basic methodologies: in-place migration and domain restructuring migration. In-place migration moves NT domains “as is” into Windows 2000. Domain restructuring lets you clean up the mess first, consolidating and throwing out unnecessary NT domains. However, domain restructuring requires massive changes to NT security IDs and access control lists during the move, so it’s riskier and requires sophisticated tools. Pay now or pay later, the choice is yours.

Microsoft will provide a Domain Migration snap-in for Web download concurrent with the Windows 2000 release; that may be enough for your domain restructuring needs. But if you need extensive pre-migration housecleaning, highly customized procedures or complex post-migration coexistence, consider third-party offerings from vendors such as Entevo and FastLane Technologies.

Many questions surround the migration effort: what the pitfalls are, when you should start, how you will get there and whom you should partner with. Build in plenty of time, budget for planning and get up to speed as soon as possible. Arm yourself with plenty of information as the long march to Windows 2000 begins.

Blum is senior vice president and principal consultant with The Burton Group, an IT advisory service.