Ten Things to Know Before Deploying Active Directory
hosteddocs.ittoolbox.com/DS031904.pdf

written by Dmitry Sotnikov

White Paper


AELITA SOFTWARE CORPORATION

Phone: 614-336-9223, 1-800-263-0036

Fax: 614-761-9620

Email: [email protected]

Web: www.aelita.com

6500 Emerald Parkway, Suite 400, Columbus, Ohio 43016

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. However, because of the possibility of human or mechanical errors, Aelita Software does not guarantee the accuracy, adequacy, or completeness of any information in this publication, and is not responsible for any errors or omissions or the results obtained from use of such information.

Unless otherwise noted, the example companies, organizations, products, people, and events depicted herein are fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred.

Aelita Software does not endorse or accept any responsibility for the content or usage of links and references to non-Aelita Web sites or technical documentation.

No part of this document may be reproduced, stored or transmitted in any form, by any means, or for any purpose, without the express written permission of Aelita Software Corporation.

Aelita, Aelita Software, the Aelita Software Corporation logo, and all Aelita product names and slogans are either registered trademarks or trademarks of Aelita Software Corporation. Other product or company names mentioned herein may be trademarks of their respective owners. Copyright © 1997-2004, Aelita Software Corporation. All rights reserved. Last revised March 18, 2003

Abstract

Active Directory migration raises many questions about the design of your new directory. As you attempt to wade through data and details, remember that planning is the key to a successful migration. This guide addresses ten questions you should ask before deploying Active Directory.

CONTENTS

TEN THINGS TO KNOW BEFORE DEPLOYING ACTIVE DIRECTORY
1. What’s in My Current Directory?
2. How Will My Groups Change?
3. Are Permissions Correctly Assigned?
4. What Sites Should I Create?
5. Where Are Services Running?
6. Do I Need to Do any Renaming?
7. Do I Have Unnecessary User Accounts or Groups?
8. Are Software and Hardware Upgrades Needed?
9. What About Exchange?
10. How Will I Monitor My Network Configuration During Migration?

CONCLUSION
ABOUT AELITA SOFTWARE CORPORATION

Ten Things to Know Before Deploying Active Directory 3


TEN THINGS TO KNOW BEFORE DEPLOYING ACTIVE DIRECTORY

Planning is the key to migrating successfully from Windows NT to Active Directory, whether you’re deploying Windows 2000 or Windows Server 2003. Planning is also necessary if you are doing any major restructuring of your existing Active Directory design. Successful planning allows you to identify all the tasks you need to perform as part of the migration and create the Active Directory design that best meets your needs. Planning also helps ensure that you avoid the many potential pitfalls often associated with Active Directory deployment.

But it’s often difficult to do what we know is right. Despite all the reasons to the contrary, the planning stage is often rushed, incomplete or poorly done. Many factors contribute to poor planning, including:

• Inability to collect adequate and accurate data

• Limited experience or lack of information about the issues involved in a migration

• Project deadlines that do not allow for proper planning

For a successful migration, you need to thoroughly inventory the domains, groups, users and permission structures in your current environment. The result of this inventory can help ensure that you do not migrate unnecessary data or unknowingly grant users permissions they should not have. Since the relationships among the objects in your environment can be complex, knowing details about your existing structure will save time and resources as you plan and execute your migration to Active Directory.

To take full advantage of Active Directory’s features, you might need to upgrade certain hardware and software in your current environment. Before the migration, you need to identify any computers, application software or devices that need to be upgraded. Again, identifying these resources as you plan the migration will save time and money and prevent future problems.

This guide examines ten things you should know about your environment before beginning your migration to Active Directory. The guide includes sample reports from Aelita Enterprise Directory Reporter™ that illustrate the kind of information you need to ensure a smooth project and a successful deployment.


1. What’s in My Current Directory?

Migration provides an opportunity to examine your current environment and identify design improvements that better meet the needs of your organization. Do you have groups of users with special administrative needs? Do policies require that certain groups or departments have restricted access to resources? In Active Directory, you do not need to maintain a directory structure based solely on physical geographic boundaries. Instead, you can create a logical directory structure that represents the operational structure of your organization.

As you plan your new directory structure, consider how you will take advantage of Active Directory scalability features, delegation of administration and Group Policies. For example, Group Policies can have a significant influence on how you structure your domains and organizational units. Such changes to your directory structure might require you to split or merge domains, determine new administrative boundaries and create forests. For your new directory structure, consider the following design issues:

• Forests

Although domains provide for security isolation, total security and administrative isolation is possible only in a multi-forest deployment. (For more information, see: Protecting Active Directory from “Domain Trust” Vulnerability at www.aelita.com/ADSecurity.)

All the domains in a forest must share the same schema. If certain domains need different schemas, you must place them in different forests.

• Domains

Active Directory domains are far more scalable than Windows NT domains, so you will likely merge some domains during Active Directory deployment. However, Active Directory domains still have size limitations, so you must analyze domain statistics before you decide to merge domains.

Users who need different security or administrative policies (such as username and password restrictions) must reside in different domains.

Since your new domain structure might not be based on geography, this might affect how you assign administrative privileges.


• Organizational Units

Active Directory does not require separate resource and account domains. You might want to merge resource and account domains and use organizational units to create separate containers for common objects within a domain.

Since domains in Active Directory can hold many more objects than in Windows NT, you might be able to merge domains and use organizational units to delegate administration.

Analyzing Your Current Domains

Before you can begin planning your new directory structure, you need to analyze your current environment. Knowing your existing domain structure can help you determine your Active Directory design as well as define your migration strategy. In your current environment, you need to identify all your existing domains and gather information about each domain such as:

• The type of each domain (resource or account)

• All users, groups, domain controllers and resource servers associated with each domain

• The trust relationships between domains

Once you have a complete understanding of your current domain structure, you can begin to make decisions about the forests, trees, domains and organizational units you need to create in Active Directory and which objects from your current directory (the “source domains”) to move to these containers.


A thorough analysis of your current domains is an essential first step in designing your new Active Directory and planning your migration.

2. How Will My Groups Change?

Groups allow you to efficiently manage users and resources in your environment and are an important part of your directory design. Active Directory introduces a new kind of group (the universal group), as well as changes to the way groups work. For example, domain local groups can be used in Active Directory to set permissions on resources throughout the domain. As a result, you might want to migrate server local groups to domain local groups when you deploy Active Directory. Also, if you had set up file/print servers as domain controllers in NT to facilitate permissioning, you might want to demote these file/print servers to member servers in Active Directory and merge their domain local groups into the domain local group of the corresponding target domain in Active Directory.


To effectively plan your new Active Directory group configuration, you need to understand how groups differ in Windows NT and Active Directory.

In Windows NT:

• Groups are only used for security purposes, to grant permissions on NT resources such as files, shares and printers. Instead of using groups, Exchange 5.5 uses distribution lists for mail distribution.

• Group scope is limited to global and local groups.

• Domain local groups can only be used to set permissions on domain controllers.

In Active Directory:

• A group can be used for both security and distribution, which simplifies group administration.

• In addition to global and local groups, there are universal groups that can include members from multiple domains of a forest.

• Domain local groups can be used to set permissions on resources throughout the domain.

Identifying Your Groups

Since groups are different in Active Directory, you need to examine your existing groups and determine if any changes are needed. Understanding your groups is critical to maintaining users’ resource access and mail distribution during and after a migration. Group nesting can become complex, and you need to know your complete group structure to fully understand how permissions were assigned and to determine any changes you need to make. You can then begin to make decisions about your new group structure, such as group membership and groups to be combined or deleted.

In your current environment, you need to identify all your existing groups and gather information about each group such as:

• The type of each group

• All users assigned to each group

• All references to each group

• Group nesting, such as users in global groups that are nested in local groups

• Exchange 5.5 distribution lists


To ensure users maintain appropriate access to resources, you must fully understand your existing group structure, including nesting.

Identify all mail distribution list members to plan universal groups in Active Directory.


Analyze your existing server local groups to decide whether to migrate them or merge them with domain local groups in Active Directory.


3. Are Permissions Correctly Assigned?

Migration can provide a good opportunity to review the permissions granted in your current environment and perform any necessary cleanup. Before migration, you need to determine if any users were assigned permissions they should not have and change any incorrect assignments to prevent them from being propagated to Active Directory. To reduce the impact of the migration on users, you need to ensure that permissions are reassigned correctly on network resources such as files, folders and printers. In addition, you should consider deleting groups that have no permissions assigned or merging groups that grant the same permissions.

Identifying Permission Assignments

To ensure that you maintain users’ access to resources during and after the migration, you need to analyze your current permissions structure. In your current environment, you need to identify:

• File, folder, share and printer permissions granted to users and groups throughout the directory

• Resources from one domain that users from another domain can access

• Users with administrative rights


Evaluate the permissions assigned to users and groups before your migration.


4. What Sites Should I Create?

While you create forests and domains to represent the logical structure of your network in Active Directory, you create sites to represent the physical structure of your network. The logical structure of a Windows NT 3.x–4.0 network almost always mirrors its physical structure. In Active Directory, however, the logical and physical structure of your network do not have to match. The trees and forests forming your organization’s domain namespace represent your network’s logical structure. To define the physical structure of your network, you must configure one or more site objects in Active Directory.

Site objects are used to define areas of good network connectivity. To configure a site object in Active Directory, you associate a site with one or more TCP/IP subnets. Each TCP/IP subnet that you define for a site should share a high-bandwidth link (512Kbps or greater). In general, you will create a site object for each area of your network that is separated by low bandwidth.

Sites determine how replication traffic is routed across your network. In Active Directory, all data is replicated between all domain controllers in a domain, but only certain data is replicated between domains. You can use sites to maximize the efficiency of replication in your network.


Identifying IP Subnets

To plan your site structure, you need to know about the IP subnets in your current network. Most of the existing IP subnets are likely to become site objects in Active Directory.

Identify IP subnets in your current network to plan your Active Directory sites.
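As an added illustration (not part of the white paper or of Aelita's tools), the following Python groups a constructed subnet inventory into candidate site objects using the 512 Kbps rule above: subnets reachable from each other over links at or above the threshold are merged into one site, and the slower links are reported as the site boundaries. The subnets, link table and bandwidths are all constructed sample values.

```python
"""Group IP subnets into candidate Active Directory sites.

Constructed example (not from the white paper): a subnet inventory and the
links between subnets with their bandwidth. Subnets joined by links of
512 kbps or better are grouped into one site; anything separated only by
slower links becomes its own site.
"""
from ipaddress import ip_network

HIGH_BANDWIDTH_KBPS = 512  # threshold quoted in the white paper

# Constructed inventory: subnet -> location label (hypothetical values)
SUBNETS = {
    "10.1.0.0/24": "Columbus HQ floor 1",
    "10.1.1.0/24": "Columbus HQ floor 2",
    "10.2.0.0/24": "Cleveland office",
    "10.3.0.0/24": "Dublin branch",
    "10.3.1.0/24": "Dublin branch lab",
}

# Constructed link table: (subnet A, subnet B, bandwidth in kbps)
LINKS = [
    ("10.1.0.0/24", "10.1.1.0/24", 100_000),   # LAN backbone
    ("10.1.1.0/24", "10.2.0.0/24", 1_544),     # T1 to Cleveland
    ("10.2.0.0/24", "10.3.0.0/24", 128),       # slow WAN link
    ("10.3.0.0/24", "10.3.1.0/24", 10_000),    # LAN
]


class _DisjointSet:
    """Minimal union-find used to merge subnets joined by fast links."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def propose_sites(subnets, links, threshold_kbps=HIGH_BANDWIDTH_KBPS):
    """Return a list of sites, each a sorted list of subnet strings.

    Two subnets land in the same site when they are connected (directly or
    through other subnets) by links of at least threshold_kbps.
    """
    # Validate the inventory up front; a typo in a subnet would otherwise
    # silently produce a bogus site.
    for s in subnets:
        ip_network(s, strict=True)
    ds = _DisjointSet(subnets)
    for a, b, kbps in links:
        if a not in subnets or b not in subnets:
            raise ValueError(f"link references unknown subnet: {a!r}-{b!r}")
        if kbps >= threshold_kbps:
            ds.union(a, b)
    groups = {}
    for s in subnets:
        groups.setdefault(ds.find(s), []).append(s)
    # Sort each site by network address and the sites by their first subnet
    sites = [sorted(g, key=lambda n: ip_network(n)) for g in groups.values()]
    return sorted(sites, key=lambda g: ip_network(g[0]))


def slow_links(links, threshold_kbps=HIGH_BANDWIDTH_KBPS):
    """Links below the threshold: these are the site boundaries to document."""
    return [(a, b, kbps) for a, b, kbps in links if kbps < threshold_kbps]


if __name__ == "__main__":
    for i, site in enumerate(propose_sites(SUBNETS, LINKS), start=1):
        print(f"Site{i}: {', '.join(site)}")
    for a, b, kbps in slow_links(LINKS):
        print(f"site boundary: {a} <-> {b} ({kbps} kbps)")
```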


5. Where Are Services Running?

As you plan your Active Directory structure, you need to be aware of the services currently running on your network servers. Changes to your network structure as well as upgrades to your operating system can affect these services. For example, if you are changing your DHCP and WINS configuration, you need to know what servers are running those services.

Information on services is important for several reasons:

• Services such as DNS, DHCP and WINS are mission-critical and require special care during migration. For example, you might want to disable DHCP before migrating a server running this service.

• Services running under user accounts need to be updated as these accounts are disabled. If a user account is being used by a service, you do not want to disable that account without reassigning the service to the corresponding account in the target domain.

• Some services might be incompatible with Active Directory. You need to make sure that any services running in the new environment support Active Directory.


Identifying Services

Knowing the services running in your network can help prevent unexpected problems during your migration. In your current environment, you need to identify information about services such as:

• Each service name

• The account used to run each service

• The computer running the service

Know each service running on your servers to prevent network problems.
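The check below is an added example, not the paper's or Aelita's code: it cross-references a constructed service inventory (computer, service name, run-as account) against the accounts scheduled to be disabled, skips the built-in service accounts, and lists the mission-critical services named above (DNS, DHCP, WINS) first. All computer, service and account names are constructed.

```python
"""Cross-check a service inventory against accounts that will be disabled.

Constructed example (not from the white paper). Each service record is
(computer, service name, account it runs under). Before an NT account is
disabled during migration, any service still running under it must be
reassigned; this script lists those services and marks the mission-critical
ones (DNS/DHCP/WINS) so they are handled first.
"""

# Built-in Windows service accounts that are not user accounts and are
# unaffected by disabling migrated users.
BUILTIN_ACCOUNTS = {"localsystem", "nt authority\\localservice",
                    "nt authority\\networkservice"}

# Windows service names of the services the white paper singles out
CRITICAL_SERVICES = {"dns", "dhcpserver", "wins"}

# Constructed inventory: (computer, service name, run-as account)
SERVICES = [
    ("SRV-DC1",   "DNS",        "LocalSystem"),
    ("SRV-DHCP1", "DHCPServer", "SALES\\svc_dhcp"),
    ("SRV-APP1",  "BackupSvc",  "SALES\\jsmith"),
    ("SRV-APP1",  "Spooler",    "LocalSystem"),
    ("SRV-FS1",   "AVScanner",  "CORP\\svc_av"),
]


def normalize(account):
    """Account names are compared case-insensitively, as Windows does."""
    return account.strip().lower()


def services_blocking_disable(services, accounts_to_disable):
    """Return services that run under an account slated for disabling.

    Each hit is a dict with the computer, service, account and whether the
    service is one of the mission-critical ones. Built-in accounts are skipped.
    """
    targets = {normalize(a) for a in accounts_to_disable}
    hits = []
    for computer, name, account in services:
        acct = normalize(account)
        if acct in BUILTIN_ACCOUNTS:
            continue
        if acct in targets:
            hits.append({"computer": computer, "service": name,
                         "account": account,
                         "critical": name.lower() in CRITICAL_SERVICES})
    # Critical services first, then by computer/service for a stable report
    return sorted(hits, key=lambda h: (not h["critical"], h["computer"], h["service"]))


def accounts_in_use(services):
    """Map each non-builtin run-as account to the services that depend on it.

    Useful the other way round: before disabling any account, look it up here.
    """
    usage = {}
    for computer, name, account in services:
        if normalize(account) in BUILTIN_ACCOUNTS:
            continue
        usage.setdefault(normalize(account), []).append((computer, name))
    return usage


if __name__ == "__main__":
    to_disable = ["SALES\\jsmith", "sales\\SVC_DHCP"]   # constructed list
    for hit in services_blocking_disable(SERVICES, to_disable):
        flag = "CRITICAL " if hit["critical"] else ""
        print(f"{flag}{hit['computer']}\\{hit['service']} runs as {hit['account']}")
```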


6. Do I Need to Do any Renaming?

There are several situations where you might need to change the names of user accounts, groups or computers in your new Active Directory. You need to be aware of these situations to prevent problems in Active Directory:

• Active Directory and Windows NT have different naming standards for computers, groups and user accounts. Some NT names might be prohibited in Active Directory, and these names need to be changed.

• Naming issues can arise when domains that contain objects with the same name are merged. This situation can be resolved in one of the following ways:

If the objects incidentally used the same name, you can rename one of the objects during the migration.

If the objects represent the same person (such as a person having an account in several domains) or group (two domains having groups for the same purposes, such as Sales), you can merge these user objects or groups during the migration.

If the objects represent the same person, but one of the accounts is not required for some reason (such as multiple administrator accounts), you can delete one of the objects before migration or skip the object during migration.

Analyzing Names

To avoid naming conflicts in Active Directory, you must know the names of your existing directory objects. You can use this information to determine if there are objects you need to rename, merge or delete/skip. In your current environment, you need to identify:

• User accounts with the same name

• Groups with the same name

• All computers, groups or users whose names are not allowed in Active Directory
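An added example, not from the paper: the script flags duplicate names across a constructed set of source domains (compared case-insensitively) and names that break Active Directory naming rules. The paper does not list those rules; the ones encoded here are an assumption taken from Microsoft's documentation: a sAMAccountName cannot contain `" / \ [ ] : ; | = , + * ? < >` and is limited to 20 characters for users, and a computer's NetBIOS name is limited to 15 characters and cannot contain `\ / : * ? " < > |`.

```python
"""Find directory object names that will collide or are not allowed in AD.

Constructed example (not from the white paper). The NT object inventory is a
list of (domain, object type, name). Two checks are made:
  * duplicates: the same name in more than one source domain, compared
    case-insensitively, because these must be merged, renamed or skipped;
  * illegal names: names that break the Active Directory rules assumed here
    (sAMAccountName: none of  " / \ [ ] : ; | = , + * ? < >  and at most 20
    characters for users; computer NetBIOS name: at most 15 characters and
    none of  \ / : * ? " < > | ).
"""
import re
from collections import defaultdict

SAM_ILLEGAL = re.compile(r'["/\\\[\]:;|=,+*?<>]')
NETBIOS_ILLEGAL = re.compile(r'[\\/:*?"<>|]')
SAM_USER_MAX = 20
NETBIOS_MAX = 15

# Constructed inventory: (source domain, type, name)
OBJECTS = [
    ("SALES", "user", "jsmith"),
    ("CORP",  "user", "JSmith"),          # same person, two domains
    ("CORP",  "user", "svc:backup"),      # colon is not allowed
    ("SALES", "group", "Sales"),
    ("EMEA",  "group", "sales"),          # duplicate group name
    ("CORP",  "computer", "FILE-SERVER-COLUMBUS-01"),  # too long
    ("CORP",  "user", "a" * 21),          # too long
]


def name_problems(obj_type, name):
    """Return a list of reasons the name is not allowed, empty when it is fine."""
    problems = []
    if obj_type == "computer":
        if len(name) > NETBIOS_MAX:
            problems.append(f"longer than {NETBIOS_MAX} characters")
        if NETBIOS_ILLEGAL.search(name):
            problems.append("contains a character not allowed in a computer name")
    else:
        if obj_type == "user" and len(name) > SAM_USER_MAX:
            problems.append(f"longer than {SAM_USER_MAX} characters")
        if SAM_ILLEGAL.search(name):
            problems.append("contains a character not allowed in a sAMAccountName")
    return problems


def find_duplicates(objects):
    """Names that occur in more than one domain for the same object type."""
    seen = defaultdict(set)
    for domain, obj_type, name in objects:
        seen[(obj_type, name.lower())].add(domain)
    return {key: sorted(domains) for key, domains in seen.items() if len(domains) > 1}


def find_illegal(objects):
    """(domain, type, name, reasons) for every object whose name must change."""
    illegal = []
    for domain, obj_type, name in objects:
        why = name_problems(obj_type, name)
        if why:
            illegal.append((domain, obj_type, name, why))
    return illegal


if __name__ == "__main__":
    for (obj_type, name), domains in sorted(find_duplicates(OBJECTS).items()):
        print(f"duplicate {obj_type} {name!r} in {', '.join(domains)}")
    for domain, obj_type, name, why in find_illegal(OBJECTS):
        print(f"{domain}\\{name} ({obj_type}): {'; '.join(why)}")
```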


Identify duplicate user accounts and groups to merge, rename or delete/skip.

Identify directory objects whose names are not allowed in Active Directory.


7. Do I Have Unnecessary User Accounts or Groups?

Over time, your environment can become polluted with unused and disabled user accounts or empty groups. These accounts clutter your environment and confuse your inventory. More importantly, unused accounts are a security threat because rogue administrators can use them to carry out attacks without revealing their own identity.

Migration to Active Directory is an opportunity to rid your network of such outdated data and security vulnerabilities. By deleting these user accounts and groups, you can also reduce the length and work load of the migration project.

Identifying Unnecessary Groups

Before migration, you also need to identify empty or unused groups that should not be migrated.

Identify any empty or unused groups to be deleted or skipped.

Identifying Unnecessary Accounts

Before migration, you need to identify accounts that should not be migrated. In your current environment, you need to identify unnecessary accounts such as:

• Unused accounts

• Disabled accounts

• Expired accounts
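An added example (not the paper's): given a constructed account export in the raw attribute forms (userAccountControl bits, FILETIME timestamps), it classifies each account as unused, disabled or expired. One caveat the paper does not mention: lastLogon is kept per domain controller and is not replicated, so the export must carry the newest value seen on any controller.

```python
"""Classify accounts as unused, disabled or expired before migration.

Constructed example (not from the white paper). Each account record carries
the raw attribute forms an export would contain: userAccountControl as an
integer (bit 0x2 = ACCOUNTDISABLE), and lastLogon / accountExpires as
Windows FILETIME values (100-nanosecond ticks since 1601-01-01 UTC, with 0
and 0x7FFFFFFFFFFFFFFF meaning "never" for accountExpires, and 0 meaning
"never logged on" for lastLogon).
"""
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # integer division keeps full precision (float would lose microseconds)
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


# Reference "now" so the example is reproducible; constructed value.
NOW = datetime(2003, 3, 18, tzinfo=timezone.utc)


def days_ago(n):
    return datetime_to_filetime(NOW - timedelta(days=n))


# Constructed export: one dict per account
ACCOUNTS = [
    {"sam": "jsmith",   "uac": NORMAL_ACCOUNT,                  "lastLogon": days_ago(3),   "accountExpires": 0},
    {"sam": "oldtemp",  "uac": NORMAL_ACCOUNT,                  "lastLogon": days_ago(400), "accountExpires": 0},
    {"sam": "never",    "uac": NORMAL_ACCOUNT,                  "lastLogon": 0,             "accountExpires": 0x7FFFFFFFFFFFFFFF},
    {"sam": "contract", "uac": NORMAL_ACCOUNT,                  "lastLogon": days_ago(10),  "accountExpires": days_ago(30)},
    {"sam": "left",     "uac": NORMAL_ACCOUNT | ACCOUNTDISABLE, "lastLogon": days_ago(200), "accountExpires": 0},
]


def classify(account, now=NOW, unused_after_days=90):
    """Return the set of reasons an account should not be migrated.

    An account may match several reasons (e.g. disabled *and* unused).
    """
    reasons = set()
    if account["uac"] & ACCOUNTDISABLE:
        reasons.add("disabled")
    exp = account["accountExpires"]
    if exp not in NEVER_EXPIRES and filetime_to_datetime(exp) < now:
        reasons.add("expired")
    last = account["lastLogon"]
    if last == 0 or filetime_to_datetime(last) < now - timedelta(days=unused_after_days):
        reasons.add("unused")
    return reasons


def unnecessary_accounts(accounts, **kwargs):
    """sAMAccountName -> sorted reasons, for accounts with at least one reason."""
    report = {}
    for a in accounts:
        reasons = classify(a, **kwargs)
        if reasons:
            report[a["sam"]] = sorted(reasons)
    return report


if __name__ == "__main__":
    for sam, why in unnecessary_accounts(ACCOUNTS).items():
        print(f"{sam:<10} {', '.join(why)}")
```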


Identify any unused, disabled or expired accounts to be deleted.


8. Are Software and Hardware Upgrades Needed?

To take full advantage of all the features of Active Directory, you might need to upgrade software and hardware in your network. As you plan your migration, you do not want to forget the extra time, effort and cost required by these upgrades. Be prepared by considering the effect of these upgrades on your existing network.

• If you plan to reuse the hardware for domain controllers during the migration, you need to evaluate whether the existing hardware satisfies the requirements for Windows 2000/2003 domain controllers.

• Windows 9x and Windows NT prior to NT4 Service Pack 4 (SP4) do not fully support Active Directory features unless the Active Directory client software is installed on them. You need to locate such computers and decide whether to upgrade the operating system or to install the Active Directory client.

• If you decide to upgrade a computer’s operating system, you also need to check hardware compatibility for those computers. Some hardware devices such as printers, video cards and modems might not be compatible with the new operating system. To help identify incompatible devices, Microsoft provides the Hardware Compatibility List (HCL).

• Older versions of software applications might not be compatible with the new operating system.

• Hardware and software upgrades affect the cost and timeframe for your migration project. As part of your migration plan, you need to estimate upgrade costs.


Identifying Computers’ Operating Systems

For computers running older operating systems, you need to decide whether to upgrade the operating system or install the Active Directory client. In your current environment, you need to identify computers running Windows 9x or Windows NT prior to NT4 SP4.

Identify computers running older operating systems.


Identifying Installed Hardware

Upgrades to a computer’s operating system can affect hardware devices located on that computer. Before you upgrade, you need to ensure that computer devices such as printers, video cards and modems will function with the new operating system. In your current environment, you need to identify information such as:

• Computers to be upgraded

• Type of devices located on each computer

• Name of the device

• Manufacturer of the device

Evaluate hardware devices on computers whose operating systems will be upgraded.


Identifying Installed Software

You might also need to upgrade application software running on workstations and servers. Older versions of software might not be compatible with newer operating systems. In your current environment, you need to identify existing versions of application software and determine if this software is compatible with the operating system you will be running.

Evaluate installed software to determine if upgrades are needed.


Identifying Upgrade Costs

To meet the requirements or recommendations for the operating system you are deploying, you might need to upgrade the processor, memory or hard disk on certain computers. Once you identify which computers do not meet the minimum requirements for the new operating system, you can determine your upgrade costs. In your current environment, you need to gather information such as:

• Computers to be upgraded

• Amount of memory on each computer

• Processor on each computer

• Amount of disk space (total, free) on each computer

Determine the minimum requirements you want servers and workstations to meet and identify computers that don’t meet those requirements. Combine this information with upgrade costs to estimate costs by computer, by domain and for your overall project.

9. What About Exchange?

Your plan for a new Active Directory might also affect your Exchange messaging system. As part of your migration to Active Directory, you might choose to remain in Exchange 5.5, or you might migrate to Exchange 2000/2003.


Remain in Exchange 5.5

Though you can continue to use Exchange 5.5 after you migrate to Active Directory, you must make sure that all the permissions set in the Exchange 5.5 directory for source NT accounts are granted to the new Active Directory accounts. You must consider the following:

• Users with multiple mailboxes

• Mailboxes with multiple permissions

• Mailboxes with alias names different from the primary account

• Permissions on public folders

Identify Exchange 5.5 permissions for mailboxes, public folders and distribution lists.


Migrate to Exchange 2000/2003

Unlike Exchange 5.5, Exchange 2000/2003 uses Active Directory instead of the Exchange Directory Service. Since Exchange 2000/2003 is tightly integrated with Active Directory, your decision to migrate to Exchange 2000/2003 could affect your Active Directory design. Migration to Exchange 2000/2003 is a complex process, but detailed planning can help ensure a successful migration. For example, your design can include only one Exchange 2000/2003 organization per Active Directory forest.

Identify existing Exchange organizations to plan your Exchange 2000/2003 design.

10. How Will I Monitor My Network Configuration During Migration?

After migration has begun, you should regularly review Active Directory permission assignments, including the use of groups and Group Policy, to help promote network security. During a migration, the movement of users and groups at different times and by different administrators can cause unintentional rights assignments. You need to identify any migrated users who received inappropriate rights. After the migration is complete, you need to continue to analyze Active Directory permissions and confirm compliance with applicable legal regulations and your organization’s security policies.


Monitoring Administrative Rights in Active Directory

In Active Directory, you need to monitor the membership of the Administrators group, including accounts that obtain membership indirectly through nested groups. You can use membership lists to ensure that only the users who need the permissions granted to a group are members of that group. In addition, you need to make sure you understand which users have been given administrative rights.

To help ensure the security of your network, monitor who has administrative rights in Active Directory.


Monitoring Group Memberships in Active Directory

Group memberships can be difficult to track, which can result in inappropriate permission assignments. With a detailed list of groups, you can analyze the purpose of each group and refine access permission assignments in domains. After a migration, similar groups might be consolidated. With information about group membership, you can determine if any users or groups should have their membership revoked.

Keep track of your groups and group memberships in Active Directory.
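The two preceding sections ask for a list of who holds administrative rights, including accounts that are members only through nested groups. The following script is an added example, not part of the white paper, that walks the built-in privileged groups recursively and reports each member together with the chain of groups that grants the right. It assumes the RSAT ActiveDirectory module; the group names are the Windows defaults and can be adjusted.

```powershell
# Added example (not from the white paper): enumerate privileged groups and
# report every account that obtains membership directly or via nested groups,
# together with the chain of groups that grants it.
Import-Module ActiveDirectory

# Default privileged groups; extend with any custom admin groups you know of
$PrivilegedGroups = @('Administrators', 'Domain Admins', 'Enterprise Admins',
                      'Schema Admins', 'Account Operators')

function Get-NestedMembership {
    param(
        [Parameter(Mandatory)] [string]$GroupDN,
        [string[]]$Path = @(),
        [System.Collections.Generic.HashSet[string]]$Visited =
            (New-Object 'System.Collections.Generic.HashSet[string]')
    )
    # Guard against circular nesting (group A contains B, B contains A)
    if (-not $Visited.Add($GroupDN)) { return }

    $group = Get-ADGroup -Identity $GroupDN -Properties member
    $chain = $Path + $group.Name

    foreach ($memberDN in $group.member) {
        # Resolve by DN so foreign security principals (members from trusted
        # domains) do not abort the run; unresolvable members are skipped
        $obj = Get-ADObject -Identity $memberDN -Properties objectClass, sAMAccountName -ErrorAction SilentlyContinue
        if (-not $obj) { continue }

        if ($obj.objectClass -eq 'group') {
            Get-NestedMembership -GroupDN $memberDN -Path $chain -Visited $Visited
        } else {
            [pscustomobject]@{
                PrivilegedGroup = $chain[0]
                Member          = $obj.sAMAccountName
                ObjectClass     = $obj.objectClass
                GrantedVia      = ($chain -join ' -> ')
                Direct          = ($chain.Count -eq 1)
            }
        }
    }
}

$report = foreach ($name in $PrivilegedGroups) {
    $g = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if ($g) { Get-NestedMembership -GroupDN $g.DistinguishedName }
}

# Indirect members are the ones most often missed in a manual review, so list them first
$report | Sort-Object Direct, PrivilegedGroup, Member | Format-Table -AutoSize
$report | Export-Csv -Path .\PrivilegedMembership.csv -NoTypeInformation
```

Re-running the script after each migration batch and diffing the CSV against the previous run shows exactly which accounts gained administrative rights during that batch.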


Monitoring Group Policy in Active Directory

Group Policy makes it easy to control settings on Active Directory objects, including user accounts. However, setting up policies can be complex and difficult, and the results are sometimes not what was planned. To analyze and improve the security of your systems, you need to determine which policy settings are in effect and which policies are applied to users and groups.

Monitor Group Policies to protect your network.
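To answer "which policies are actually in effect here, and who can change them", the following added example (not from the white paper) lists, for the domain and every OU, the GPO links in effect including those inherited from parent containers, flags blocked inheritance and enforced links, and shows which trustees hold edit rights on each applied GPO. It assumes the RSAT ActiveDirectory and GroupPolicy modules.

```powershell
# Added example (not from the white paper): report the GPOs in effect on each
# container, the link settings that commonly cause unplanned results, and the
# identities that can edit those GPOs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain  = (Get-ADDomain).DistinguishedName
$targets = @($domain) + (Get-ADOrganizationalUnit -Filter * |
                         Select-Object -ExpandProperty DistinguishedName)

$appliedPolicies = foreach ($target in $targets) {
    $inh = Get-GPInheritance -Target $target
    # InheritedGpoLinks holds the links in effect at this container, in order
    # of precedence (Order 1 wins when settings conflict)
    foreach ($link in $inh.InheritedGpoLinks) {
        [pscustomobject]@{
            Container          = $target
            InheritanceBlocked = $inh.GpoInheritanceBlocked
            Precedence         = $link.Order
            GPO                = $link.DisplayName
            GpoId              = $link.GpoId
            LinkEnabled        = $link.Enabled
            Enforced           = $link.Enforced
            LinkedAt           = $link.Target
        }
    }
}

# Edit rights on a GPO that applies to users or domain controllers are as
# sensitive as membership in an administrative group, so report the editors
$editors = foreach ($gpoId in ($appliedPolicies.GpoId | Sort-Object -Unique)) {
    $gpoName = (Get-GPO -Guid $gpoId).DisplayName
    Get-GPPermission -Guid $gpoId -All |
        Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
        ForEach-Object {
            [pscustomobject]@{
                GPO     = $gpoName
                Trustee = $_.Trustee.Name
                Rights  = $_.Permission
            }
        }
}

# Blocked inheritance and enforced links are the usual source of "why does this
# setting apply here?" surprises; review those rows first
$appliedPolicies | Where-Object { $_.InheritanceBlocked -or $_.Enforced } |
    Format-Table Container, GPO, Precedence, InheritanceBlocked, Enforced -AutoSize
$editors | Sort-Object GPO, Trustee | Format-Table -AutoSize
$appliedPolicies | Export-Csv -Path .\AppliedGpoLinks.csv -NoTypeInformation
```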

Monitoring Administration Delegation in Active Directory

In Active Directory, most administration delegation is accomplished at the organizational unit level. After migration to Active Directory, especially after merging domains, you need to verify the administration delegation structure in your post-migration environment.

Evaluate your delegation of administrative privileges in Active Directory.
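Because delegation in Active Directory is expressed as access control entries on organizational units, verifying the post-migration delegation structure means reading those ACLs. The following added example (not from the white paper) dumps the explicit, non-inherited Allow entries on every OU that grant write-type rights, filtering out the built-in administrative identities so that only delegated rights remain for comparison with the intended design. It assumes the RSAT ActiveDirectory module, which provides the AD: drive used by Get-Acl.

```powershell
# Added example (not from the white paper): list delegated write rights on
# every OU so they can be checked against the intended delegation model.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$nb     = $domain.NetBIOSName
# Identities whose rights on OUs are expected by default; anything else is a
# delegation that has to be justified (extend the list for your environment)
$expected = @("NT AUTHORITY\SYSTEM", "NT AUTHORITY\SELF", "BUILTIN\Administrators",
              "BUILTIN\Pre-Windows 2000 Compatible Access",
              "$nb\Domain Admins", "$nb\Enterprise Admins")

# Rights that let the holder change objects, create or delete them, or change
# the permissions themselves; read-only rights are not reported
$writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|CreateChild|DeleteChild|DeleteTree|ExtendedRight|Self'

$delegations = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        # Inherited entries are reported once, on the OU where they are defined
        if ($ace.IsInherited) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        if ($ace.ActiveDirectoryRights.ToString() -notmatch $writeRights) { continue }
        [pscustomobject]@{
            OU           = $ou.DistinguishedName
            Trustee      = $ace.IdentityReference.Value
            Rights       = $ace.ActiveDirectoryRights
            # Empty GUID means the right covers all attributes / all object classes
            ObjectType   = if ($ace.ObjectType -eq [guid]::Empty) { 'All' } else { $ace.ObjectType }
            InheritedObj = if ($ace.InheritedObjectType -eq [guid]::Empty) { 'All' } else { $ace.InheritedObjectType }
            Inheritance  = $ace.InheritanceType
        }
    }
}

$delegations | Sort-Object OU, Trustee | Format-Table -AutoSize
$delegations | Export-Csv -Path .\OuDelegations.csv -NoTypeInformation
```

Rows whose ObjectType is a GUID rather than 'All' are property- or class-specific delegations (for example, the right to reset passwords); resolve the GUID against the schema and extended-rights containers to name them.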


CONCLUSION

By performing an inventory of your current directory, both before and after migration, you gain valuable information for planning your migration and designing your new Active Directory, while avoiding major problems that can occur. Your planning efforts can be greatly improved with tools that collect and report on configuration data and software and hardware inventory, such as Aelita Enterprise Directory Reporter (EDR). EDR automates data and inventory collection, which allows you to collect more complete and accurate data. As shown throughout this guide, EDR’s predefined reports represent best practices and expert knowledge of migration and security. Using a tool such as EDR can help ensure a successful deployment of Active Directory in your Windows 2000 or Windows Server 2003 environment.

For more information on EDR, visit the Aelita website at www.aelita.com/edr. Or request a free consultation by contacting Aelita at [email protected] for personalized assistance from the experts in Active Directory management, migration and recovery.


ABOUT AELITA SOFTWARE CORPORATION

Aelita Software provides systems management solutions to organizations that rely on Microsoft Windows technologies. Aelita’s proven expertise with Active Directory and Exchange helps customers improve productivity, system availability and security. IT professionals choose Aelita solutions to administer, migrate, recover and audit these critical systems. The company’s customers and partners include Bristol-Myers Squibb, HMS Host (formerly known as Host Marriott Services), Kmart Corporation, Pitney Bowes, Textron, Inc., Hewlett-Packard and Microsoft. Aelita is a global organization with headquarters in Columbus, Ohio. Contact Aelita at 800.263.0036 or visit www.aelita.com.

Contacting Aelita Software Corporation:

Web: www.aelita.com
Technical Support: [email protected]
Sales: [email protected]
General Inquiries: [email protected]

Phone: 614-336-9223 / 1-800-263-0036
Fax: 614-761-9620

Aelita Software Corporation

6500 Emerald Parkway Suite 400 Columbus, Ohio 43016 USA
