Here’s what to keep in mind when implementing Windows 2000 Server
Architecture, site design and Active Directory structure are all important issues
If you’re in the business of helping companies plan and implement Windows 2000 Server, you have your work cut out for you.
A couple of months ago, I was instructing a class called “Designing a Windows 2000 Directory Services Infrastructure” to a group of network administrators and enterprise architects. At the end of the class, the general consensus was that companies planning to implement Windows 2000 Server will need to be aware of more issues and will require far more planning time than in the past.
Companies planning to upgrade or migrate will have to consider issues such as domain design structure, site design, Active Directory structure, naming conventions in Windows 2000, enterprise security and Internet issues, DNS design and working in a mixed environment.
In Windows 2000, the architectural design is completely different than Windows NT 4.0. NT has two kinds of controllers – Primary Domain Controller (PDC) and Backup Domain Controller (BDC). The PDC is the only controller that holds a read/write copy of the directory database (SAM). The BDC holds a read only copy of the directory database. All changes have to be submitted to PDC, which then gets updated with the BDC.
DOMAIN DESIGN changes
In Windows 2000 Server, the PDC disappears. All domain controllers are equal and hold a writable copy of the Active Directory database.
The simplest design you can have in Windows 2000 would be to implement a single domain (which can have several domain controllers holding a replica copy of the Active Directory database) in a single tree in a forest.
As more domains (child domains) may be added to the tree for valid reasons within the same forest, the Active Directory database will grow, requiring more resources, more controllers and more sites based on the physical locations of the controllers.
Once you’ve worked through the Domain design structure, the next consideration is the site topology.
A simple site design consists of a single site. This means that replication takes place automatically between the domain controllers. However, if you have multiple sites you’ll have to consider several issues such as connectivity, network bandwidth, performance and cost for replication to take place between the sites. When setting up replication, factors such as when to replicate and how often will have to be considered carefully.
Next, what is the logical design structure of the Active Directory going to look like?
There are two main types of administration models to consider when designing an Active Directory structure – centralized and decentralized, with also the possibility of combining the two, depending on the organization’s business structure.
The Active Directory structure design will also reflect how the network administrator will manage the user accounts, the network security and the network resources for the entire organization. In a centralized administration model, all the network administration and operation functions are managed at a central point for the company. On the other hand, a decentralized model allows each business unit to manage its own structure, therefore all divisions, for instance, manage their own accounts, security, configuration of replication and server operations.
Windows 2000 Server uses the same naming convention as the DNS (Domain Name System). Each object is identified by a LDAP (Light Directory Access Protocol) Distinguished Name such as CN=Tazmin Velji, CN=Users, DC=CDI, DC=Com.
The LDAP distinguished naming convention references the LDAP server in the DNS resource records, which resolves Active Directory queries such as searching for printers, user names and network resources. NETBIOS names are used only for reverse compatibility with previous versions of NT.
Since the naming convention of Windows 2000 is the same as DNS, it is critical that the DNS naming strategy reflect how Active Directory queries will be handled. The other factor to consider when designing the naming convention is whether your company currently has or plans to use the Internet. If your company’s registered Domain name is used as the root domain name for the Active Directory database, careful considerations will need to be made between the internal and external DNS servers in terms of security.
Upgrading or migrating to Windows 2000 Server clearly requires vigorous planning. The accompanying chart provides a checklist of issues to consider.
Velji is a senior technical instructor/consultant with CDI Corporate Education Services in Toronto. She is at Tazmin.Velji@cdi.ca.
Consider the following…
REVIEW YOUR ENVIRONMENT
– network design
– administration model
– locations of all controllers
– network topology and network bandwidth
– current domain design and trust relationships
– user habits
– application environment
– network resources
– current DNS design
– current hardware
– Active Directory structure, based on Internet presence
– Plan a Domain design to reflect your current structure or plan a new one.
– Design a site based on controllers location, including issues such as network bandwidth, cost, performance, etc.
– Outline a replication strategy based on number of sites, grouping fast-link and slow-link sites together.
– Plan an Active Directory naming convention to reflect company DNS
– Create a good DNS strategy
– Draft the Active Directory structure based on a centralized, decentralized or combined administration model.
– Plan to maintain a mixed environment until Windows 2000 has been completely deployed to Windows 2000 controllers.
– Create a solid recovery plan in case of problems with the deployment of controllers.
– Decide where Global Catalog servers will be located and how many.