FRAMINGHAM (03/09/2000) - One clear message is emanating from early adopters of Active Directory - don't underestimate this baby. IT executives not heeding that advice are likely to tie themselves and their organizations into knots that will not easily be undone.
The upside, however, is that those who have done extensive design planning and testing of the technology that is at the heart of Microsoft Corp.'s Windows 2000 are reporting efficiencies for managing users, network resources and applications that they didn't have with NT 4.0.
But those results have only come after careful planning of naming conventions, network topology and user migration, and testing of directory designs.
And while advice to plan and test is nothing new to most IT executives, early adopters say the big difference is that everyone from the chief information officer to the smallest IT group in the company must be involved.
"If you don't plan well, you will be in a world of hurt," says Eric Craig, network architect for Continental Airlines. "Don't underestimate the amount of resources needed." Continental spent months developing its directory design and testing it in its labs.
"We spent six months on designing and testing our namespace and getting buy-in from the business units and our IT groups," says Ian Saggers, director of engineering for Credit Suisse First Boston, a leading global investment bank with more than 60 offices in 30 countries. The Active Directory namespace is modeled after the Domain Name System (DNS) that is the foundation of the Internet. Users will have to set up their DNS namespace before they can roll out even a single domain.
Saggers says Active Directory wouldn't have been a success without initially getting everyone to agree, because the design had to account not only for the namespace structure but also for the applications in each business unit and how they could benefit from the directory. The plan also had to consider a coming rollout of Exchange 2000, Microsoft's new messaging server.
A major goal for Credit Suisse was to reduce the amount of domain replication traffic the firm had with NT 4.0. That NT 4.0 domain traffic taxed Credit Suisse's WAN links.
Saggers says the design work paid off, and the bank has seen a dramatic drop in replication traffic. Now six months into its production release, Saggers says, "the decrease was enough that we'll probably avoid upgrading some of our WAN links and that will save us some money."
Active Directory is arguably the most complex technology ever produced by Microsoft. It promises to give IT executives fits because its hierarchical directory structure is so different from the flat domain structure they are accustomed to in NT 4.0.
Gartner Group, a consulting agency in Stamford, Conn., predicts that inexperience with directory services and the nuances of Active Directory will cause 60% of Active Directory installations to be redesigned within 18 months of deployment. The prediction is significant because a successful deployment of Active Directory is vital to the success of Windows 2000 on corporate networks.
"I remember when NetWare 4.0 and Novell Directory Service came out, and what a huge change it was and that it took a lot of time and energy to get it right," says Jack Williams, a vice president at Computerjobs.com, a Microsoft development partner. "I can't imagine six years later it will be any different with Active Directory."
Success with Active Directory involves more than planning, early adopters say.
User migration and testing are key.
"To migrate users and resources, you have to have an understanding of what's on your network," says a systems engineer with a Fortune 500 multinational corporation who requested anonymity. "We have to understand what we are migrating, or we will move junk."
The task might not be so easy for NT 4.0 shops that have seen their domain structure grow from the bottom up without a lot of top-down control.
The migration issue is critical for the systems engineer at the Fortune 500 company because his NT 4.0 network has 11 master domains, which contain some 30,000 users in nearly 800 groups, and 500 resource domains that contain computers and resources such as printers.
Realistically, he hopes to have a single Active Directory "tree" that is made up of 10 to 20 domains. "We will cut over users in stages to minimize the risk and impact on our existing network," the engineer says.
Tim Matthews, associate director of technology at the University of Texas College of Business, has already been through the migration phase and agrees that cleaning up NT 4.0 domains was key for a trouble-free move to Active Directory.
The college now has 5,000 users running through the directory with more to come, and Matthews says designing and testing are really paying off.
"We tested everything in the lab because once you go live with Active Directory, it is a real headache to back out," Matthews says. But now that the directory is running, Matthews says, "From an administrative perspective, I like seeing everything in one place. I don't have to open half a dozen programs to do my different administrative tasks like creating users or accessing services or groups."
And design work is paying off for others.
Credit Suisse is using the directory to locate users and route approvals for a workflow application. Computerjobs.com plans to store Web-server configurations in the directory that can be loaded automatically onto new servers, thereby reducing set-up time from hours to minutes. Continental Airlines has collapsed its human resources system into the directory.
Early adopters say their experience has taught them that Active Directory is not just another operating system upgrade, and those who treat it as such may be left longing for Active Directory's promised land as they unravel the problems caused in their haste to install the new operating system.