General questions about Active Directory

  

Have there been successful Active Directory deployments on Windows 2000?

In general, the answer is yes. Gartner has talked to companies whose Active Directory implementations range from hundreds to 175,000 in a single domain. Gartner has also confirmed that one user runs Active Directory as an extranet Lightweight Directory Access Protocol (LDAP) directory serving 3,500,000 users. Taken as a whole, the long-term outlook for Active Directory deployments is very good.

What are the common pitfalls when deploying Active Directory?

The following are the most common problems Gartner has found in companies:


  • Underestimating the administrative aspects of directory design and deployment. Debates about organizational unit (OU) and domain boundaries, domain and forest boundaries, and integration with non-Windows Domain Name System (DNS) solutions are still hot topics. These arguments can delay design and implementation.
  • Failing to analyze Active Directory replication requirements thoroughly in terms of 1) the amount of network bandwidth available and 2) the hardware configuration of the domain controllers (especially hub domain controllers). If Active Directory cannot complete replication reliably, it cannot function fully.
  • Nesting OUs or groups too deeply, which results in extremely complex group policies or poor performance during group policy processing. Gartner has spoken with several companies that designed very complex group policies, and they say the policies had to be made less complex because the complexity greatly reduced performance or had unpredictable consequences. We recommend that you do not exceed five levels of nested OUs when deploying in your enterprise.
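
The five-level guideline above can be checked against a list of distinguished names exported from the directory. The following is an added example, not part of the original article: the sample DNs are constructed, the function names are hypothetical, and the splitter honours backslash-escaped commas so an OU whose name contains a comma is not counted twice.

```python
# Added example: flag objects whose DN nests OUs deeper than the guideline.
MAX_OU_DEPTH = 5  # the "no more than five levels" recommendation above


def split_rdns(dn):
    """Split a DN on unescaped commas (backslash escaping as in RFC 4514)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def ou_depth(dn):
    """Number of OU components in the DN, i.e. the OU nesting level."""
    return sum(1 for rdn in split_rdns(dn) if rdn.upper().startswith("OU="))


def too_deep(dns, limit=MAX_OU_DEPTH):
    """Return (depth, dn) pairs exceeding the limit, deepest first."""
    hits = [(ou_depth(dn), dn) for dn in dns if ou_depth(dn) > limit]
    return sorted(hits, reverse=True)


SAMPLE_DNS = [  # constructed sample data, not from a real directory
    "OU=Sales,DC=example,DC=com",
    "OU=Kiosks,OU=Floor 2,OU=Building A,OU=Berlin,OU=DE,OU=EMEA,DC=example,DC=com",
    "OU=Smith\\, OU=fake,OU=Staff,DC=example,DC=com",  # escaped comma in a name
    "CN=Users,DC=example,DC=com",
]

if __name__ == "__main__":
    for depth, dn in too_deep(SAMPLE_DNS):
        print(f"{depth} levels: {dn}")
```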

    Configuration, Deployment
    If an enterprise has not yet deployed Active Directory, should it wait for the Windows Server 2003 version of Active Directory?

    Base this decision on your timing requirements and on the Active Directory features you need.

  • In terms of timing, Windows Server 2003 Active Directory will be released in 2003 (probability 90%). We believe that Active Directory is suitable for small deployments (up to 5,000 users) in Type B enterprises (mainstream adopters of technology). However, we recommend that Type B enterprises wait 60 days before deploying Windows Server 2003 Active Directory domain controllers and joining them with Windows 2000 domain controllers. We also recommend that Type B enterprises wait 60 days before performing mid-size deployments (up to 25,000 users) and 90 days before deploying large (more than 25,000 users) Windows Server 2003 Active Directory environments.

    Finally, we recommend that Type C enterprises (those that are conservative about technology adoption) wait six months before performing any type of deployment. For most enterprises, this means planning large-scale Windows Server 2003 Active Directory deployments in 2003.

  • In terms of features, Windows Server 2003 includes bug fixes and improvements to Active Directory. Enterprises should evaluate the new features of Windows Server 2003 Active Directory before deciding whether those features add value to their Active Directory deployment. If there is no real value, enterprises should consider deploying Windows 2000 Active Directory and upgrading to Windows Server 2003 Active Directory later (for example, in 2004). Note that a mixed deployment of Windows 2000 and Windows Server 2003 Active Directory domain controllers is of limited value, and enterprises should plan to move to a stable version.

    What kind of organization should I use to manage changing requirements?

    Given the major differences in administrative structure across enterprises and the public sector, there is no universally applicable rule. However, Gartner has found three effective methods for establishing change control for Active Directory:

  • Let the directory team or directory architect manage change requests. This method works best when the directory team or architect is part of the global IS department.
  • For multi-domain environments, set up a board of domain administrators, all of whom must have no objection to any change. Obviously, this method works well only with a limited number of domains.
  • Create a department that brings together professionals from areas such as security, networking, Windows system management, and desktop and application development. Although this idea is perfect, it has not been formally approved.

    Do I need third-party tools to effectively manage Active Directory?

    Many companies can manage their Active Directory environment with the tools and resources provided by Microsoft. However, third-party tools provide additional value in some areas:

  • Security reporting and auditing
  • Managing multiple domains, or multi-forest management and deployment
  • Group Policy
  • Monitoring the health of Active Directory
  • Implementing a task-based management model (as opposed to the Active Directory hierarchical model)

    Vendors providing such tools include Aelita Software, BindView, FullArmor, NetIQ, NetPro, and Quest Software.

    Can I standardize on Active Directory as my only directory?

    In most cases, the answer is no. Operating systems and applications are usually tied to a specific directory. For example, NetWare requires eDirectory, Oracle applications require Oracle Internet Directory, Lotus Notes requires a Notes directory, and so on. Gartner strongly recommends that companies take the directory integration path.

    Should I use Active Directory as my LDAP directory?

    This depends on the applications that will access the directory. There are two points to consider:

  • Although Active Directory conforms to LDAP 3, there are a large number of extensions to the LDAP specification. Programmers may rely on extensions that Active Directory does not support. In the current market this problem is not unique to Active Directory; the enterprise must test each application's compatibility with the target directory.
  • Even when an application works with Active Directory, its vendor may not support that combination. In practice, a vendor supports only a limited number of directories, and its products are not compatible with just any LDAP directory. Gartner believes that for most enterprises, the risk of deploying a directory that the software vendor does not support is quite high.

    It is also worth mentioning that LDAP support in Active Directory will continue to improve. The release of Windows Server 2003 includes some new LDAP features, and Gartner predicts that in 2003 Microsoft will release an improved version called Active Directory in Application Mode (AD/AM) that supports LDAP on its own.
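
One way to start the compatibility test described above is to compare the LDAP controls and extended operations an application depends on with what the target directory advertises in its rootDSE (`supportedControl`, `supportedExtension`, `supportedLDAPVersion`). This is an added example, not part of the original article: the rootDSE text is a constructed LDIF sample, and the requirement list and function names are hypothetical.

```python
# Added example: diff an application's LDAP requirements against a rootDSE.

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lower: [values]}, unfolding
    continuation lines. Base64 ("attr::") values are not decoded; the
    capability attributes checked here are plain ASCII."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line: append to previous
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


REQUIRED = {  # hypothetical requirements of the application under test
    "supportedldapversion": {"3": "LDAPv3"},
    "supportedcontrol": {"1.2.840.113556.1.4.319": "paged results (RFC 2696)"},
    "supportedextension": {
        "1.3.6.1.4.1.1466.20037": "StartTLS (RFC 4511)",
        "1.3.6.1.4.1.4203.1.11.1": "Password Modify (RFC 3062)",
    },
}


def missing_features(rootdse, required=REQUIRED):
    """Return (attribute, oid, label) for each requirement not advertised."""
    missing = []
    for attr, wanted in required.items():
        offered = set(rootdse.get(attr, []))
        missing += [(attr, oid, label) for oid, label in wanted.items()
                    if oid not in offered]
    return missing


SAMPLE_ROOTDSE = "\n".join([  # constructed sample, not a real server's output
    "dn:",
    "supportedLDAPVersion: 2",
    "supportedLDAPVersion: 3",
    "supportedControl: 1.2.840.113556.1.4.319",
    "supportedControl: 1.2.840.113556.1.4.473",
    "supportedExtension: 1.3.6.1.4.1.1466",
    " .20037",                              # folded continuation line
])

if __name__ == "__main__":
    for attr, oid, label in missing_features(parse_ldif_entry(SAMPLE_ROOTDSE)):
        print(f"not advertised: {label} ({attr} {oid})")
```

An advertised OID only shows that the server claims the feature; the application still has to be exercised against the directory, and the vendor's support statement checked separately.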

    Bottom Line
    The outlook for Active Directory is very good. Once the new products are released, organizations must carefully match their deployment requirements to Windows Server 2003 Active Directory and Active Directory in Application Mode. Enterprises should also pay attention to successful deployments of Active Directory (or other directory products), to application compatibility, and to the enterprise's administrative structure.


