The project leader for an enterprise Active Directory migration has to be one part technologist, one part diplomat, and one part prognosticator. "To take an NT 4.0 domain structure, which is usually pretty fragmented, and bring it into a unified Active Directory hierarchy involves careful handling of political, integration, and connectivity issues," said Keith Millar, director of Microsoft Solutions product management for Irvine, CA-based Quest Software, an applications management software vendor. Failing to take a team approach to each of these issues, and to make a long-term plan for each, can cause project delays.
To help present and future project teams avoid common Active Directory migration problems, Millar offered these deployment tips.
Don't ignore the value of native Microsoft tools for accessing objects, changing passwords, changing attributes, editing attributes, and so on. Such tools as the native Active Directory Delegation Model and Microsoft Management Console applications are specifically designed to help teams deploy Active Directory successfully.
Do check out the reference guides from Microsoft's Active Directory product group. "They help you do benchmarking around what size of connection pipes and types of servers you need for the type of Active Directory deployment you're doing," Millar explained.
Don't rely on third-party products that promise to simulate Active Directory before you roll it out. "We've never seen that work," Millar said. In his experience, the businesses that have been able to test replication before deployment have actually taken Active Directory into a lab and simulated help desk loads. "They've choked down some of the connectors between those domain controllers using routers that allow you to configure to simulate loading," he said. "You need to use Active Directory to see what Active Directory is going to do in a production environment."
Do get a high-level executive on board to help spearhead your project. This will avoid unplanned political delays and will build awareness for your Active Directory migration team.
Do have a clear plan for meeting your service level agreements on Active Directory.
Do set up the administrative tools that will be used every day with Active Directory. Test them and have them in place before you start migrating the masses into Active Directory. "If you don't have an administrative structure, you're going to have complete mayhem when users start logging in," Millar warned. "You won't have a good way to pick up and manage help desk calls effectively. Indeed, you may encourage some security holes by not having your security set properly."
Do lock down Active Directory permissions appropriately before migration. "The help desk doesn't suddenly go on vacation during migration," Millar said. As users move over to Active Directory, the help desk has to continue to do routine jobs -- resetting passwords, creating new accounts, adding people to and removing people from groups -- and to maintain the service level agreements that have been signed. So, make sure the help desk is given the appropriate permissions within Active Directory to handle routine tasks.
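One way to grant the help desk only the routine tasks listed above, shown as an added example that is not from the article or from Quest: the `dsacls` utility from the Windows support tools, run from an administrative PowerShell prompt. The OU paths and the group name are constructed placeholders.

```powershell
# Constructed placeholders: substitute your own OUs and help desk group.
$UserOu   = 'OU=Staff,DC=corp,DC=example'
$GroupOu  = 'OU=Groups,DC=corp,DC=example'
$HelpDesk = 'CORP\HelpDesk-Tier1'

# Keep administrator and service accounts OUT of $UserOu: the right to reset
# a password is the right to log on as that account.

# 1. Reset passwords on user objects beneath the OU.
#    /I:S = inherit to sub-objects only, CA = control access (extended right).
dsacls $UserOu /I:S /G "${HelpDesk}:CA;Reset Password;user"

# 2. Allow "user must change password at next logon" and account unlock.
#    WP = write a single named property, nothing else on the object.
dsacls $UserOu /I:S /G "${HelpDesk}:WP;pwdLastSet;user"
dsacls $UserOu /I:S /G "${HelpDesk}:WP;lockoutTime;user"

# 3. Create new user accounts in this OU and its child OUs.
#    /I:T = this object and sub-objects, CC = create child of type "user".
dsacls $UserOu /I:T /G "${HelpDesk}:CC;user"

# 4. Add and remove members on groups beneath the groups OU only.
dsacls $GroupOu /I:S /G "${HelpDesk}:WP;member;group"

# 5. Review the resulting ACLs before migrating users into these OUs.
dsacls $UserOu
dsacls $GroupOu
```

Granting to a group rather than to named individuals keeps the ACLs stable as help desk staff change, and scoping each grant to one OU and one object type avoids handing out rights over the whole domain.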
Finally, don't expect your initial Active Directory plan to win approval from everyone in the organization. It takes quite a bit of time for an organization to come to an agreement on what the Active Directory hierarchy will look like.
This was first published in November 2001