Organisations are starting to feel the gravitational pull of Active
Directory as it begins to gain strength in the market after two
years in limbo. But, like entering a black hole, there can be no
turning back once you go in. Danny Bradbury looks at its strengths,
weaknesses and quirks.
Active Directory, the Windows directory service, has arguably been
Microsoft's most criticised product in recent years. Customer
adoption of the technology, which was introduced in February 2000
as part of the Windows 2000 operating system, has been shaky. And
one of the biggest reasons has been the planning requirements that
it placed on organisations that chose to implement it.
The introduction of Active Directory needs very careful planning,
because once you have created your directory structure using the
Domain Name Service (DNS) mechanism, it is non-reversible. And once
you have rolled out your directory you could get into trouble if,
for example, you found that another business unit had been using a
different naming scheme and that the two were not compatible.
The upshot is that while many companies have implemented Windows
2000, few have chosen to switch on Active Directory. Richard
Berends, chief technical officer at Microsoft reseller Lankind,
says that only now are a significant number of companies beginning
to use the technology.
For its own part, Microsoft will be eager to persuade customers of
the potential business benefits of moving to a directory service.
Five benefits often discussed are:
- Creating, modifying, and removing end-users and system
resources in one place and managing their access rights to multiple
systems can save IT departments much time and energy, not to
mention cost
- Helping end-users find the information and resources relevant
to them. Being able to search for a printer with particular
properties that is located nearby can increase a user's
productivity, for example
- The directory can theoretically become an authoritative record
of information about any particular user or resource
- Integrating with other applications, such as Exchange, enables
those applications to use the information in the directory
- Employee life-cycle management. When an employee joins an
organisation, the directory is used as a central point of
administration and reference to create accounts for that individual
in all necessary areas of the business. As the employee moves
through the organisation, gaining access rights to different
systems, all changes can be administered from a single point. When
the employee leaves the organisation, all accounts can be shut down
from the directory, leaving no security loopholes, such as unused
accounts and old passwords.
All this sounds attractive, but as with many discussions of
business benefit, there is a deep chasm between what Microsoft is
proposing and what customers are experiencing. Adrian Polley,
technical director of IT consultancy Plan-Net, explains that
applications have not been integrated with Active Directory because
too many suppliers are pulling in different directions. "Microsoft
provides the building blocks, but it's the other people providing
end-user systems that need to adopt it as a central point of
control," he explains. "There needs to be a much greater impetus
for change."
So, customers using a variety of applications would need to
transition user information from the native data store into Active
Directory, or at least to use an interface between the two products
to propagate information. Unfortunately, supplier support for
Active Directory seems scant, undoubtedly because of the low
customer take-up. And attempting to write custom interfaces between
legacy applications and Active Directory is likely to fall fairly
low on any user's list.
Another significant problem for implementers has been the quality
of Microsoft's management tools. IT departments implementing Active
Directory manage it through the Microsoft management console - the
central resource in Windows 2000 into which "snap-ins" are added
for the management of particular resources.
"The stuff that Microsoft provides is like a lot of systems
management stuff - it's OK as a first pass, but if you want more,
you need to look at third-party software," says Polley.
Microsoft provides the basic operations framework for tasks such as
creating users and other resources to be stored in the directory,
for example, but implementers cannot assume that things will always
run smoothly. "If you get errors, you have to find them and go fix
them, and we're at a point where there is very little scope for
repairing those things," warns Polley.
Berends explains that, for example, he would like to see a better
facility for the direct editing of objects within Active Directory.
Ewan Dalton, an architectural systems engineer at Microsoft,
doesn't encourage that, arguing that the administrators could do
serious damage by manipulating the raw data within Active
Directory. It is possible to make changes at the Lightweight
Directory Access Protocol (LDap) level using ADSIEdit, Microsoft's
low-level directory editing tool built on the Active Directory
Service Interfaces (ADSI), but it is not exactly intuitive. "There are certainly plenty
of third-party tools that would make management of the Active
Directory easier or more powerful from a scripting point of view,"
says Dalton.
Ratmir Timashev, president and chief executive of just such a
third-party tools supplier, Aelita, which produces a range of
migration suites and wizards for Microsoft Exchange and Windows
2000, particularly criticises Microsoft's lack of migration tools,
not only for moving from pre-Active Directory products, but also
from Active Directory to Active Directory. "You rarely do Active
Directory perfectly the first time," says Timashev.
His other bugbear is the lack of application integration facilities
within the product. There is no rules engine that can be configured
to create work flow-level integration with external applications,
for example, leaving manual updates in the hands of technical
staff. "If I hire someone, they come to the HR department, and I do
their paperwork. That gets sent to an administrator, but the
directory administrators are overwhelmed. It could take a month for
that information to be entered," Timashev says.
At present, customers wanting to integrate Active Directory with
other directory systems and with applications must do so at a lower
level by manipulating LDap and ADSI, or use the Microsoft
Metadirectory System. This product is currently being updated, and
a new version will be released at the same time as .net Server
2003, which is being made available to enterprise server and
datacentre server customers.
Just as with management and maintenance tools, the alternative for
users who do not want to use Microsoft's facilities is to speak to
one of the many third-party tools suppliers that have built their
businesses on the lack of such facilities in Active Directory. A
list of them can be found at
www.microsoft.com/windows2000/partners/categories/deployed.asp, and
includes Quest Software (formerly FastLane) and NetPro.
Third-party tools also become particularly important when
discussing data recovery in an Active Directory environment.
Microsoft boffins explain that an Active Directory could corrupt
for two reasons. First, the right information could be entered in
an invalid format, caused by a disc controller failure, for
example. Second, the wrong information could be entered in a valid
format, perhaps due to user error or a badly configured
application. In the first scenario, the data will not propagate,
say Microsoft experts. In the second one, it will. In that case,
you can either reapply the original value using low-level editing
tools such as ADSIEdit - something which Dalton previously
discouraged - or you can restore a previous back-up of the
directory, propagating the restored values to the rest of the
directory infrastructure.
That is all very well, says Timashev, but it makes the granular
recovery of a particular object or user account far more difficult.
"Secondly, you have to take the particular domain controller offline,
and it takes at least three or four hours to go through the
recovery process," he argues, adding that such recoveries also
create extensive replication traffic which slows down the network.
Such a situation is far from ideal, and strengthens the case for
third-party tools, which any potential Active Directory
implementers should factor into their planning.
The world is set to change with the release of .net Server,
Microsoft's next major server operating system release, which is
due before the end of this year. This will include a version of
Active Directory with a range of new features. One of the most
important features will be the ability to rename domains, making it
easier for companies to reverse their initial decisions on domain
structure, although this will still require the domain controller
to be rebooted. Other new features include the ability to
deactivate attributes and class definitions in the Active Directory
schema, so that mistakes made in the initial definition of the
schema can be rectified. Replicas can also be installed from media,
meaning that if a large database has to be replicated,
administrators can send a tape to the location, drastically
reducing network traffic. And dependability features will enable
systems administrators to verify replications between domain
controllers.
Active Directory still has a long way to go before it can be said
to be a successful product in terms of customer adoption.
Nevertheless, Microsoft's commoditisation of the product by
bundling it with the operating system, in conjunction with the
management enhancements in the next version, will go some way
towards opening up the market for its directory service. It has a
long way to go before it reaches the level of market maturity that
some of its rivals have, but it is coming along in leaps and bounds
- as Microsoft always seems to do.
Guest editor's comment
Microsoft's .net code release is due in December; with it comes
greater flexibility within Active Directory.
This undoubtedly will make deployment in large enterprises much
more of a reality than it was with Windows 2000. The question in my
mind is what will this really mean? Active Directory will
potentially become the cornerstone in many businesses. Eventually
it will be integrated with many other systems, specifically human
resource applications, and will provide the employee gateway to the
whole enterprise network.
Does this make it business-critical? And if so, is Microsoft - and
our own IT organisations - geared up to support the environment
should it fail or corrupt?
Businesses considering implementation should review their directory
services and enterprise architecture strategies carefully and
holistically. They should then plan deployment and integration in
minute detail to avoid inadvertently being sucked into a massive
black hole.
A step-by-step guide to an AD roll-out
Planning an Active Directory structure is a complex task, but
Microsoft advises the following basic steps in creating a domain
structure:
- Create a forest plan
  - Determine the number of forests
  - Create a change control policy for each forest
- Create a domain plan for each forest
  - Determine the number of domains
  - Choose a forest root domain
  - Assign a DNS name to each domain
  - Plan DNS server deployment
  - Optimise authentication with shortcut trusts
- Create an organisational unit (OU) plan for each domain
  - Create OUs to delegate administration
  - Create OUs to hide objects
  - Create OUs for group policy
- Create a site topology plan for each forest
  - Define sites and site links
  - Place servers into sites.
Alternatives to rolling out Active Directory
Active Directory gets a lot of press, mostly because it is
distributed free with the operating system. But there are other
alternatives.
The two most common ones are iPlanet's directory, and Novell's,
which is the industry veteran. Deployments of Active Directory are
much lower than those of the other directory products according to
industry commentators. Calendra, a directory content management
system supplier, for example, says that 70% of the directory
deployments it has seen have focused on the iPlanet Directory
Server (now the Sun One Directory server).
Technical explanations and glossary
ADSI - Active Directory Service Interfaces. A set of interfaces
that enable developers to query and manipulate directory service
objects
Domain - a unit defined by its security boundary
Domain Controller - a Windows server responsible for
controlling a local domain
Forests - domains in Active Directory can be structured into
hierarchies called trees. A forest is a collection of domain trees
LDap - the Lightweight Directory Access Protocol. A
lightweight replacement for the old X.500 mechanism that enables
applications to access a directory service.
Case study: House of Fraser learns as it progresses
James Park, network systems manager for the House of Fraser, is in
the middle of his Active Directory project.
With 2,000 client machines distributed across 60 sites, a large IT
centre and an equally large head office, he has his work cut out.
He chose to go with Windows 2000 and Active Directory after
throwing in his lot with Microsoft and signing an enterprise
agreement as part of the supplier's much-maligned Software
Assurance-based licensing scheme. House of Fraser is currently
finishing the design of the Active Directory network, which has
proven to be a substantial task. "It was completely new to us and a
bit scary," says Park, who worked with IT consultancy Plan-Net on
this system. "We aren't replicating what was in the NT environment,
because that got messy over the years. Now we have the chance to
wipe the slate clean."
The company developed a team of people working under two managers,
one of whom was in charge of the IT centre and the retail network,
and the other who was responsible for the head office. The
implementation team has planned the domain structure based on roles
within the company, including buyers and store managers. It was
able to use an existing organisational chart to work out the roles
as it went along. Starting with the IT centre and head office and
subsequently moving down through the retail network, the team is
planning the design on an incremental basis, so that it is able to
learn from its mistakes as it progresses.
Park explains that the team was not keen on Microsoft's native
management tools, choosing instead third-party software company
Quest for its ActiveRoles Active Directory management tools. This
provides it with better visibility of permissions and properties
for particular objects than the Microsoft MMC snap-in, says Park.
Having planned its Active Directory domain structure, the team now
plans to gradually switch over its existing NT 4 domain controller
architecture to the new domain controllers. On a site-by-site
basis, it will run the NT 4 domain controllers in tandem with the
new ones, gradually copying over the less-used files from one
machine to the other. At the critical transition point, the team
will copy over the final 10% of files that are more frequently used
on the old machine, during a short period of planned
downtime.
Park offers the following tips to organisations planning the
transition to Active Directory:
- Plan your directory structure from the top down and design it
incrementally, tackling different parts of the organisation in
succession so that you can learn from your mistakes as you go
- Don't necessarily replicate your previous organisational
structure. If appropriate, use the implementation of Active
Directory to re-engineer previous systems' infrastructures that may
have become unwieldy.
Case study: Basingstoke Council finds help with internal
reorganisation
It doesn't normally take Terry Finch, IT manager at Basingstoke
Council, three months to plan an IT project.
Active Directory was different, however, because of the potential
effect on his user base should the project go wrong. "It would
affect every single user," explains Finch. "The complete business
would have ground to a halt." Consequently, although he started
planning in March this year, he did not begin migration until
May.
His Active Directory project, led primarily by the need to move to
Exchange 2000 and to deploy Microsoft's Sharepoint Portal server,
is particularly complex because of the company's existing use of
the Novell directory server. "It's very hit and miss, and it took a
lot of research," says Finch. "Novell publishes instructions on how
to do it, but it's very patch-oriented - you have to have specific
versions of things."
The company did a trial migration from NT 4 to Active Directory and
from NDS 8.5 to 8.6. Doing them individually was easy, but Finch
says doing them together in an integrated environment is a
nightmare. The biggest problem is that putting future patches onto
a domain controller is like walking on eggshells, because patches
have to be tested to ensure that they don't affect the existing
Active Directory and NDS integration. That wouldn't be so bad if
Microsoft didn't have such a propensity for issuing security
patches. "It has made the administrative overhead very high," Finch
complains.
Implementing Active Directory helped the council from an
organisational perspective because it is currently reorganising
internally. By moving to Active Directory and Exchange 2000, the
council managed to flatten its company structure, enabling it to
move users wherever they were needed in the directory structure.
Finch likes the native Active Directory management tools provided
by Microsoft, although he prefers command line administration. When
training first line support staff who haven't been brought up with
Dos, he finds they don't handle non-graphical user interface (GUI)
activity very well. Consequently, Microsoft's GUI-oriented approach
was a boon for him.
Finch's advice to organisations migrating to Active Directory
is:
- Test your patches before rolling them out
- Use fault-tolerant domain controller configurations where
possible
- Create a project board with business managers included, so that
senior managers are aware of what you are doing.
When good directories go bad
What to do when Active Directory corrupts
In the event of corruption, you can recover Active Directory in two
ways: either re-install Windows 2000 and repopulate your directory
through normal replication, or restore Active Directory from a
back-up.
Recovery by re-installation and replication
- Use the sites and services snap-in on an existing domain
controller to remove references to the damaged controller
- Re-install Windows 2000 Server on the damaged system
- Install Active Directory, which will make the installed server
a domain controller in the process
- Wait for that implementation of Active Directory to be brought
up to date via replication from a healthy controller.
Recovery by restoration from back-up
This requires that you restore in non-authoritative mode, meaning
that the restored back-up will subsequently be updated through
replication via another domain controller
- Take Active Directory offline by putting the server into
Directory Services Restore Mode
- Restore your system using either the Restore Wizard, or
manually via the graphical user interface
- Perform advanced verification of the system using the
appropriate utility (Ntdsutil) before restarting the domain
controller in normal mode
- If appropriate, perform an authoritative restore after the
above steps have been completed. This lets you set an object or
subtree to take precedence over those in other domain controllers.
It is generally used where data corruption has occurred across the
Active Directory infrastructure and a restored back-up needs to be
propagated across the network.
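As an added illustration of the verification and authoritative-restore steps above, and of the earlier distinction between corruption that does and does not propagate, the following batch file (not part of the original article, and not a Microsoft-supplied script) strings together the Ntdsutil commands an administrator types in Directory Services Restore Mode once NTBackup has restored the System State. The distinguished name OU=Stores,DC=corp,DC=example and the use of the word authoritative as the script's first argument are placeholders invented for this example.

```batch
@echo off
REM Added example, not from the article or from Microsoft: the Ntdsutil
REM steps run on a domain controller that is still in Directory Services
REM Restore Mode, after NTBackup has restored the System State.
REM Placeholder values (assumptions for this example):
REM   OU=Stores,DC=corp,DC=example  - the subtree to mark authoritative
REM   first argument "authoritative" - convention used only by this script
setlocal
set SUBTREE=OU=Stores,DC=corp,DC=example

echo Step 1: offline integrity check of the directory database (ntds.dit)
ntdsutil "files" "integrity" "quit" "quit"
echo Review the output above. Continue only if the integrity check passed.
pause

echo Step 2: semantic analysis of the database contents
ntdsutil "semantic database analysis" "go" "quit" "quit"
echo Review the output above. Continue only if no errors were reported.
pause

REM Step 3 applies only to the second kind of corruption described in the
REM article: wrong data in a valid format that has already replicated to
REM other domain controllers. Marking the subtree authoritative raises the
REM version numbers of its objects so the restored copy wins on
REM replication. For a plain non-authoritative restore, omit the argument.
if /i "%1"=="authoritative" (
    echo Step 3: authoritative restore of %SUBTREE%
    ntdsutil "authoritative restore" "restore subtree %SUBTREE%" "quit" "quit"
) else (
    echo Step 3 skipped: non-authoritative restore, replication from a
    echo healthy domain controller will bring this copy up to date.
)

echo Restart the domain controller in normal mode once all steps have
echo completed cleanly.
endlocal
```

Run it as `restore-check.cmd` for the non-authoritative case or `restore-check.cmd authoritative` when the restored subtree must override the other domain controllers.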