At some point before final implementation you must make a series of interrelated decisions. Each of these choices will affect how you will plan your approach to the overall project, so it is important to be aware of the consequences.
Page 4: Staff and Organizational Concerns
- Which DNS to use? Those using UNIX DNS servers will have to make sure they support SRV (service) records, which means BIND 4.9.7 or later. Dynamic updates are recommended but not required; you are encouraged to use BIND 8.2.2 or later if you want that capability. If necessary for your infrastructure, Active Directory can work with versions earlier than BIND 4.9.7.
DNS is used to store software service locations and define the organizational structure used by Active Directory entries. SRV records are used by Netlogon to find the PDCs and BDCs in an Active Directory environment. Those using Microsoft DNS can take advantage of integrated administrative tools within the Windows operating system.
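To make the SRV dependency concrete, here is an added example (not from the original article) that parses a small, constructed BIND zone fragment containing the `_ldap._tcp.dc._msdcs` records Netlogon looks up, flags any SRV target that has no A record in the zone (a domain controller clients could never reach), and applies the RFC 2782 priority/weight selection a resolver performs. The zone contents, host names and addresses are constructed sample data.

```python
import random
import re

# Constructed sample BIND zone fragment (not from the original page).
# Netlogon locates domain controllers through SRV records like these.
ZONE = """\
$ORIGIN corp.example.
_ldap._tcp.dc._msdcs  600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.dc._msdcs  600 IN SRV 0  50 389 dc2.corp.example.
_ldap._tcp.dc._msdcs  600 IN SRV 10 100 389 dc3.corp.example.
dc1                   600 IN A   192.0.2.10
dc2                   600 IN A   192.0.2.11
"""

SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
A_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)$")

def parse_zone(text):
    """Return (srv_records, a_record_names) from a simple $ORIGIN-style zone fragment."""
    origin, srv, a_names = "", [], set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]          # e.g. "corp.example."
            continue
        m = SRV_RE.match(line)
        if m:
            srv.append({"name": (m.group(1) + "." + origin).rstrip("."),
                        "priority": int(m.group(2)), "weight": int(m.group(3)),
                        "port": int(m.group(4)), "target": m.group(5).rstrip(".")})
            continue
        m = A_RE.match(line)
        if m:
            a_names.add((m.group(1) + "." + origin).rstrip("."))
    return srv, a_names

def dangling_srv_targets(srv, a_names):
    """SRV targets with no A record in this zone: a DC that clients cannot reach."""
    return sorted(r["target"] for r in srv if r["target"] not in a_names)

def pick_dc(srv, rng=random):
    """RFC 2782 selection: lowest priority wins; weighted random choice within it."""
    lowest = min(r["priority"] for r in srv)
    pool = [r for r in srv if r["priority"] == lowest]
    roll = rng.uniform(0, sum(r["weight"] for r in pool))
    for r in pool:
        roll -= r["weight"]
        if roll <= 0:
            return r["target"]
    return pool[-1]["target"]
```

Running `dangling_srv_targets` against a real zone export is a quick sanity check before cutting clients over to a BIND server that has just had the Active Directory records added.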
- Co-existence or complete turnover? Windows Server 2003 provides two major options. The first is moving your domain controllers and clients completely over to Windows Server 2003. If you choose this option, you can take advantage of the new operating system features.
The second option is to live in a mixed mode environment, ideally with a Windows Server 2003 in NT PDC/BDC emulation mode (or with some NT PDCs/BDCs) and your clients running various Windows operating systems. A secondary question is how long do you plan to stay in mixed mode? The answer should be “as short a period as the company can operationally and organizationally stand.”
- In-place installs or upgrades? Microsoft allows you to upgrade your current NT PDCs/BDCs to Windows Server 2003 (if compliant) or replace them with new hardware. The advantage of an in-place install is that no new hardware is needed; your user information, third-party software, ACLs, and existing directory structure are all maintained and converted to the new system. The disadvantage is that if anything goes wrong during the conversion, you might find yourself dead in the water with a major outage.
- What will you monitor? Monitoring can help you avoid problems and also provides invaluable information when problems do occur. Those who want to stay with an all-Microsoft solution can use the Microsoft Operations Manager (MOM) with the Active Directory Management Pack. With over 40 reports and 400 pre-set monitoring rules available to help you evaluate your environment’s viability, MOM can:
- Monitor the health of all Active Directory components and their services
- Save performance information
- Evaluate replication health
- Report on query response and service level agreement compliance
- Allow anonymous LDAP operations? Performing LDAP operations such as queries using an anonymous ID is turned off by default. This is because of the possibility that a user might retrieve sensitive information about your servers and users.
Because you cannot tell who is behind an anonymous LDAP operation, you are potentially left with a big security hole. On the other hand, allowing anonymous logins means that users will not have to authenticate to perform LDAP queries and other operations, thereby simplifying your operations and administration.
- Extend the schema? Those in vertical industries or using third-party applications may want to extend the Active Directory schema to better suit their specific needs. This is not a novice task, though, and should only be approached with a good deal of planning and understanding of the risks involved.