Many Windows NT Administrators are reluctant to upgrade to Windows 2000. What additional functionality does Windows 2000 offer over Windows NT? The answer to this can be summed up in two words: Active Directory.
Active Directory (AD) is a directory service structure that is as configurable as any available. A directory service, in this respect, is very much what the name implies. A directory service stores information about network resources and makes these resources available to users and software who have the proper permissions or rights. With AD you can control security, delegate responsibility of objects and resources, roll out and maintain software and, of course, maintain user and group rights assignments.
AD is comprised of many parts with the most basic being the domain. A domain is a security boundary in AD. Depending on management structure (hierarchy) and certain security policies, a corporation may need more than one domain. For instance, the most common of these would be the need for different logon password policies between departments. If the password length, password complexity, and/or life of the password are different between groups or departments, separate domains will be required. This is not to say that all administrative tasks will require separate domains (and thus a higher total cost of ownership – TCO), but that some will.
Not all group policy differences will necessitate separate domains; however, through two-way transitive trust, separate domains are not the administrative headache that they can be with Windows NT. What two-way transitive trust is, is a trust relationship between parent and child domains that does not have to be explicitly defined. Two-way transitive trusts are not restricted to only parent/child domain relationships, either. As long as the domains involved are in “Native Mode” (which is a domain comprised of only Windows 2000 domain controllers), as opposed to “Mixed Mode” (which is a domain that may have one or more Windows NT domain controllers), any two domains in the same forest will have two-way trust relationships by default.
A quick note on Native Mode and Mixed Mode. By default, Windows 2000 installs in Mixed Mode. There are many advantages to switching to Native Mode and this is very easy to change, but, be careful. Once you have switched a domain controller from Mixed Mode to Native Mode, you can not change it back. In other words, if you do this, you will have effectively ostracized your Windows NT domain controllers and, although all of the account information on them is not lost, it is difficult (or, I should say, more difficult) to recover.
In other words, suppose that you have a parent domain, domain.com. Now, suppose that you create two child domains of domain.com and they will be named child1.domain.com and child2.domain.com, respectively. With Windows NT, trust would have to be explictly stated between not only the parent and the child domains, but between the two child domains as well. With Windows 2000 all of these trusts are already established by default. In other words, not only do child1.domain.com and child2.domain.com trust domain.com, but child1.domain.com trusts child2.domain.com.
Many common administrative tasks in AD can be handled through the use of Organizational Units in conjunction with Group Policy, Users, Groups, and Resources. An Organizational Unit (OU) is simply a container that stores objects in a domain or domains. An object is simply any user, group, resource or even another OU that will need access to resources on the network. Group Policy can be applied at the OU level as well as the domain level.
With AD, you can delegate responsibilities of an OU to a single person (or more than one person, if that is what your business model requires) without compromising resources outside of that OU.
An example of the use of an OU might be in the situation where you have several locations for your business, but you would like the IT department at each location to handle administrative tasks for that location. You would not want to give administrators at that particular location administrative privileges throughout the entire domain. In this instance you could create an OU for each location and then grant administrative control of these OUs to certain individuals. These individuals, in turn, could add, remove, and modify objects in their own OU. OUs are not necessarily limited to locations, either. An OU could represent departments of a company. In this case, you could control resources by departments, perhaps.
Another interesting feature of AD is what is known as a “Site”. Sites are physical locations of network resources and are used as a replication tool. Domains can traverse sites; sites are independent of logical domain structure. For instance, suppose you have a domain, domain.com. Because of a more stringent password policy for the accounting department, you are required to make a separate domain for accounting, accounting.domain.com. Now, let us suppose that your corporation has several locations. Each location has enough users to justify their own domain controllers for logon traffic.
Does this mean that you need to make separate sites for each domain at each location? No. Sites are independent of this. All of the replication traffic can now be scheduled according to site, regardless of how many domains there are, as long as they are in the same forest of domains, so that they will have access to the AD database. In fact, several “metrics” of replication paths can be configured so that if one connection were down, another connection could be utilized. In other words, suppose that normally you would replicate through normal channels such as DSL, ISDN, or T1 etc… Now let’s suppose that that connection is down, but changes have still been occurring to the AD database and will need to be replicated. Now suppose you have a not-so-reliable dial-up connection to home office. Replication can take place by SMTP (being that dial-up is unrealiable) over this dial-up until the normal connection is restored.
My point is simply this: if you are taking care of several domains, or even a single domain spread across several locations, and you require a more granular control of the network and its resources, then Windows 2000 and Active Directory are for you. If you are taking care of a domain that does not have that degree of administrative overhead, I would say that you probably do not need Windows 2000 just yet, although with the new licensing schemes that Microsoft has come up with, you may have no choice in the matter. Simply put, Active Directory can allow you to run your network as broadly or as granularly as you like, it depends entirely on how much research and planning thatyou put into your Active Directory infrastructure. For larger networks, AD and proper planning can reduce administrative overhead dramatically by handling trust issues for you, rolling out software according to group policy, replicating without constant supervision or third party software, allowing you to delegate administrative control of objects, and the list goes on.
I hope that you have enjoyed this article. Questions, comments, etc..are always welcome.
Jay Fougere is the IT manager for the Murdok network. He also writes occasional articles. If you have any IT questions, please direct them to Jay@https://www.murdok.org.