Windows 2000’s Active Directory (AD) may offer big improvements over Windows NT 4’s flat domain model. But early adopters say that although the results have been good, the transition has been slow and sometimes painful. Along the way, these IT professionals have gained experience that could benefit other organizations planning to migrate to AD.
Many early deployments have gone more slowly than anticipated, users and consultants say. Large deployments can take several years, so IT managers should set their expectations accordingly.
For example, General Motors Corp. launched its AD initiative in August 1999 but is still migrating its 115,000 users from Windows NT and Novell Inc.’s NetWare. “We’re aggressively working to have [all users migrated] by the end of 2002,” says Kent Pate, a migration and interoperability engineer at GM.
Why will it take so long? “When you’re looking to image [desktop PCs] over the network, bandwidth becomes a limitation,” Pate says. Plans to upgrade workstations to Windows 2000 have also led to long deployment times.
Wells Fargo & Co. began a workstation deployment in March last year, says Tom Egan, a vice-president for the wholesale group at the San Francisco-based bank. He hopes to have 10,000 workstations migrated by February, he says. After that, other groups will still need to migrate about 100,000 machines.
“I wish we could have made the rollout without touching every workstation,” he says. “We’ve gone as far as we can to automate the process, but we’ve still got at least a 40-minute upgrade at each machine.”
Only a handful of other large-scale AD implementations with more than 50,000 objects have been undertaken, and few have been completed, says John Enck, an analyst at Stamford, Conn.-based Gartner Inc. While Enck says initial benchmarks look promising, he cautions that scalability has yet to be fully proved in the field.
Deployment may take up most of the time, but getting the initial design right is the most critical step and the one where outside consultants can have the biggest impact, practitioners say. BancorpSouth Inc. in Tupelo, Miss., needed a design that would accommodate the $10 billion bank’s 280 locations and more than 3,500 clients in six states. The IT team went to training on Windows 2000.
“We went through a design on our own and then trashed that,” says senior systems engineer John Hann. He then brought in consultants from Unisys Corp. to help. “I said, ‘I can do this, but I think I need validation,’ ” says Hann, who faced a deployment deadline of five months.
A one-week course is no substitute for experience when it comes to design issues. “To do Windows 2000 properly, you need help. It’s stuff you need to have done and seen. It’s not something you learn in a book,” says Micky Balladelli, a fellow at Seattle-based consulting firm Avanade Inc.
“I would strongly recommend bringing in [outside consulting] experience on the overall organizational unit design,” agrees Todd Wright, engineering manager at Wells Fargo. “But everything else designing the desktop and even the physical domain controller and global catalogue could be done by someone [in-house] who knows the NT world.”
Consultants can help, but the final design decisions are yours to make, cautions Enck. “The biggest issue I’ve seen is that Microsoft-trained consultants push clients really hard to a single domain model and push for AD to be the DNS [Domain Name System] server of choice in the enterprise,” he says. Unfortunately, “there are too many business cases where you can’t do a single domain,” he adds.
BancorpSouth decided to implement a two-domain design: an empty root domain, and a child domain that contains the bank’s directory information. Within that, Hann created organizational units (OU) based on the bank departments common to each branch. With this design, “if something happened [in the child domain], the other domain would have the information to be able to [recover],” he says.
It would also accommodate acquisitions. “If we acquire someone else that already has [an AD domain] design, we can bring them in with ease,” he says. Microsoft Corp.’s planned support for cross-forest trusts will make it easier for users to deploy AD on the upcoming Windows .Net Server, scheduled for release in mid-2002.
In contrast, GM’s global operations dictated a design based on geographic region. “It had a lot to do with how AD was going to be administered,” says Bob Cole, GM’s manager of global desktops. For example, some countries have regulations requiring that user account information be housed within that country.
Although Wells Fargo and GM already had Novell Directory Services domain hierarchies, both firms chose to create a new design rather than pursue an in-place upgrade. “We wanted to start clean,” says Cole.
Wells Fargo created 10 regional domain controllers but organized its OUs along business lines. “It allows us to logically group together businesses and distribute software better,” Wright says. But if you have slow links between sites, he cautions, the preferred method would be geographical.
OU design is critical for administration and performance. “If you let yourself get thrown into one flat OU structure without giving any thought to how policies might be applied, it’s going to be very hard for you,” Wright says.
Wells Fargo created a sophisticated OU hierarchy that includes global group policies that propagate down to the OUs of individual business units. From there, “if they want to lock something down further, they can create their own group policies and links that would apply after the [global] policy gets applied,” Wright says.
But, he cautions, “until there is a good tool for determining which group policies are applied and where they’re coming from, you have to be really organized about only defining them in once place.”
Active Directory’s OU structure allows the creation of group policies at a very granular level, says Wright. “As long as you don’t apply too many group policies in each OU, you don’t seem to suffer much of a performance problem,” he says.
Even the best AD design can’t work without a solid DNS. “DNS is now the core component of Windows 2000 from a name-resolution standpoint and is what drives everything else,” says Aric Bernard, a senior technical consultant at Compaq Global Services, part of Compaq Computer Corp.
Many companies already have an enterprise DNS in place, although the DNS and Windows server administrators may be in different IT groups. Both must be involved in the new design, according to users and analysts.
“You have to put a lot of thought into your legacy DNS and whether those are going to be autonomous or if you’re going to migrate,” says Pate.
The DNS administrators are likely to resist migrating to a Windows 2000 enterprise DNS, and they may have a good point. Although Microsoft encourages the use of Windows 2000 as the default namespace, doing so “is just not practical for a lot of companies,” says Enck.
Fortunately, you don’t have to set up a Windows 2000-based DNS to support your entire infrastructure. Third-party DNS packages and Berkeley Internet Name Domain 8.2.8 are fully interoperable with Windows 2000 DNS, Bernard says.
Users report that the AD migration effort, while time-consuming, has been worthwhile. They cite benefits in the areas of server consolidation, scalability to support more objects and easier administration.
So, what are the keys to success?
“It’s the design upfront. That’s the most important thing,” says Wright. “I can’t emphasize enough the need for naming standards, for organization of group policies and for OU design with regard to how policies are applied.”
And make sure you have plenty of resources for the migration, which can take longer than expected. Spend the time needed to create your DNS, and give yourself plenty of time between the design and implementation phases, advises Hann, who says he wishes he had known more about Visual Basic scripts when creating his own policies at BancorpSouth. “It would have made my job so much easier,” he says.
Get plenty of outside assistance, advises Cole. In addition to bringing in consultants, talking with peers at other companies can help smooth the process.
“We used to have conference calls with other companies sharing experiences,” he says. “We could talk about struggles we were encountering. It was definitely beneficial.”
Active Directory Potholes
You can learn some things about AD from the school of hard knocks, say consultants and users. Here are some AD weaknesses identified by deployment pioneers: