Get Active On Active Directories

In my October column, I discussed Windows 2000's Active Directory (AD) features and contrasted them with the current domain model. This month, I'll discuss some things to make your move to AD simpler.

AD uses a structure Microsoft describes as forests and trees. The tree derives from the hierarchical structure of the namespace. That is, individual hosts reside in tree structures that can grow to accommodate diverse branches. For instance, the tree can be divided into, or. The tree can be further branched with, or.

This tree can closely model the network on the organization's actual structure. In fact, Microsoft describes these sections of the AD as organizational units.


Large firms may manage multiple organizations, and it may not be appropriate for these groups to share a namespace. For instance, large aerospace firms have separate and distinct divisions to support commercial, military and aerospace manufacturing. It makes sense to treat these groups separately with tree structures such as, and.

Multiple trees comprise a forest; these three separate namespaces can reside in a single forest. The key to maintaining these apparently separate entities in a single forest is the global catalog (GC).

The GC contains directory information from all source domains in the tree. All objects in the AD have entries in the GC. The GC is maintained in part to provide a single source for locating objects no matter where they are in the directory tree.

An abbreviated catalog is maintained with the objects and their attributes. This abbreviated catalog is a partial replication of individual directories within the trees, eliminating the need to go into the tree directories for every lookup.
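The tree-versus-forest distinction above comes down to DNS naming: a child domain's name is one label prepended to its parent's, so a tree is a contiguous namespace, and domains whose names are not contiguous with any other are separate trees that can still share one forest. The following script, added here as an illustration and not part of the column or of any Microsoft tool, groups a list of domain names into trees using that rule; every domain name in it is constructed for the example.

```python
"""Group Active Directory domains into trees by DNS namespace.

Added example, not from the column. In AD a tree is a contiguous DNS
namespace: a child domain is named by prepending one label to its parent's
name. A domain whose immediate DNS parent is not itself a domain in the
forest starts a new tree. All domain names below are constructed.
"""
from typing import Dict, Iterable, List, Optional, Set


def normalize(name: str) -> str:
    """Lower-case the name and drop a trailing dot so comparisons are exact."""
    return name.strip().rstrip(".").lower()


def parent_of(name: str) -> Optional[str]:
    """Immediate DNS parent: 'sales.corp.example' -> 'corp.example'.

    A single-label name has no parent.
    """
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def tree_root(name: str, present: Set[str]) -> str:
    """Walk up the namespace while the immediate parent is also a forest domain.

    The first domain without a present parent is the root of the tree.
    """
    current = name
    while True:
        parent = parent_of(current)
        if parent is None or parent not in present:
            return current
        current = parent


def forest_trees(domains: Iterable[str]) -> Dict[str, List[str]]:
    """Map each tree root to the sorted list of domains in that tree."""
    present = {normalize(d) for d in domains}
    trees: Dict[str, List[str]] = {}
    for domain in sorted(present):
        trees.setdefault(tree_root(domain, present), []).append(domain)
    return trees


# Constructed forest: one deep commercial tree, a separate military tree,
# an aerospace tree, and a domain whose parent 'ops.aero.example' does not
# exist, so it is not contiguous with anything and forms a tree of its own.
SAMPLE_FOREST = [
    "corp.example",
    "sales.corp.example",
    "eu.sales.corp.example",
    "mil.example",
    "aero.example",
    "labs.aero.example",
    "plant.ops.aero.example",
]

if __name__ == "__main__":
    for root, members in forest_trees(SAMPLE_FOREST).items():
        print(f"tree rooted at {root}:")
        for member in members:
            print(f"  {member}")
```

The point the grouping makes is that `plant.ops.aero.example` is not part of the `aero.example` tree even though its name ends in it, because the intermediate `ops.aero.example` domain does not exist; contiguity is checked one label at a time, not by suffix.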

2000 AD

AD will be quite different from NT's domain model. If you're planning a move to Win 2000, consider what you can do now to ease the transition. Take into account what the AD is designed to do: provide a single, unified directory service to replace the difficult-to-configure and -manage multiple domain structures.

If you have a single domain in your organization, you shouldn't need to do anything to prepare for AD. However, if you have multiple domains, consider consolidating them. Sometimes multi-domain schemes arise over time as an organization's various groups adopt NT. Shortcuts such as trust relationships make all the domains work together and soon become difficult to manage. To prepare for AD, simplify and consolidate these multi-domain structures into fewer domains.

Unfortunately, this is not always simple because of security identifiers, or SIDs. SIDs are unique numeric identifiers applied to objects such as domains, user groups and user accounts, generated when the account is created. The user name is for the human's benefit and is used by NT only for display purposes.

The SID is really the basis of NT security, as it is used to track a user's rights, group memberships and file ownership. It is generated by the primary domain controller and is unique to the object it identifies. Even if you exactly duplicate an account from one domain to another, it won't have the same SID and won't have access to the same resources.


A tool called Phoenix from Fastlane Technologies (Lawrence, Kan.; addresses SIDs. It identifies users, global groups, local groups, access control lists, user rights and computers (all the items affected by SIDs) in order to copy them from one domain to another.

This makes consolidating domains simpler than manually identifying and changing all these objects. After copying the SIDs from one domain to another, Phoenix tracks any changes in a log file and leaves the original domain intact and usable.

Windows 2000 AD will allow you greater choice in network design. By abandoning the domain model, an enterprise can organize its network virtually any way it wishes, making Windows 2000 ready to support an enterprise.