Ten Things to Know Before Deploying Active Directory. Written by Dmitry Sotnikov. White Paper


Abstract

Active Directory migration raises many questions about the design of your new directory. As you attempt to wade through data and details, remember that planning is the key to a successful migration. This guide addresses ten questions you should ask before deploying Active Directory.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. However, because of the possibility of human or mechanical errors, Aelita Software does not guarantee the accuracy, adequacy, or completeness of any information in this publication, and is not responsible for any errors or omissions or the results obtained from use of such information. Unless otherwise noted, the example companies, organizations, products, people, and events depicted herein are fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred. Aelita Software does not endorse or accept any responsibility for the content or usage of links and references to non-Aelita Web sites or technical documentation. No part of this document may be reproduced, stored or transmitted in any form, by any means, or for any purpose, without the express written permission of Aelita Software Corporation. Aelita, Aelita Software, the Aelita Software Corporation logo, and all Aelita product names and slogans are either registered trademarks or trademarks of Aelita Software Corporation. Other product or company names mentioned herein may be trademarks of their respective owners.

Copyright 1997-2004, Aelita Software Corporation. All rights reserved. Last revised March 18, 2003.

AELITA SOFTWARE CORPORATION, 6500 Emerald Parkway, Suite 400, Columbus, Ohio 43016. Phone: 614-336-9223, 1-800-263-0036. Fax: 614-761-9620. Email: info@aelita.com. URL: www.aelita.com

CONTENTS

TEN THINGS TO KNOW BEFORE DEPLOYING ACTIVE DIRECTORY
1. What's in My Current Directory?
2. How Will My Groups Change?
3. Are Permissions Correctly Assigned?
4. What Sites Should I Create?
5. Where Are Services Running?
6. Do I Need to Do Any Renaming?
7. Do I Have Unnecessary User Accounts or Groups?
8. Are Software and Hardware Upgrades Needed?
9. What About Exchange?
10. How Will I Monitor My Network Configuration During Migration?
CONCLUSION
ABOUT AELITA SOFTWARE CORPORATION

TEN THINGS TO KNOW BEFORE DEPLOYING ACTIVE DIRECTORY

Planning is the key to migrating successfully from Windows NT to Active Directory, whether you're deploying Windows 2000 or Windows Server 2003. Planning is also necessary if you are doing any major restructuring of your existing Active Directory design. Successful planning allows you to identify all the tasks you need to perform as part of the migration and create the Active Directory design that best meets your needs. Planning also helps ensure that you avoid the many potential pitfalls often associated with Active Directory deployment.

But it's often difficult to do what we know is right. Despite all the reasons to the contrary, the planning stage is often rushed, incomplete or poorly done. Many factors contribute to poor planning, including:

- Inability to collect adequate and accurate data
- Limited experience or lack of information about the issues involved in a migration
- Project deadlines that do not allow for proper planning

For a successful migration, you need to thoroughly inventory the domains, groups, users and permission structures in your current environment. The result of this inventory can help ensure that you do not migrate unnecessary data or unknowingly grant users permissions they should not have. Since the relationships among the objects in your environment can be complex, knowing details about your existing structure will save time and resources as you plan and execute your migration to Active Directory.

To take full advantage of Active Directory's features, you might need to upgrade certain hardware and software in your current environment. Before the migration, you need to identify any computers, application software or devices that need to be upgraded. Again, identifying these resources as you plan the migration will save time and money and prevent future problems.

This guide examines ten things you should know about your environment before beginning your migration to Active Directory. The guide includes sample reports from Aelita Enterprise Directory Reporter that illustrate the kind of information you need to ensure a smooth project and a successful deployment.

1. What's in My Current Directory?

Migration provides an opportunity to examine your current environment and identify design improvements that better meet the needs of your organization. Do you have groups of users with special administrative needs? Do policies require that certain groups or departments have restricted access to resources? In Active Directory, you do not need to maintain a directory structure based solely on physical geographic boundaries. Instead, you can create a logical directory structure that represents the operational structure of your organization.

As you plan your new directory structure, consider how you will take advantage of Active Directory scalability features, delegation of administration and Group Policies. For example, Group Policies can have a significant influence on how you structure your domains and organizational units. Such changes to your directory structure might require you to split or merge domains, determine new administrative boundaries and create forests.

For your new directory structure, consider the following design issues:

Forests
Although domains provide for security isolation, total security and administrative isolation is possible only in a multi-forest deployment. (For more information, see "Protecting Active Directory from Domain Trust Vulnerability" at www.aelita.com/adsecurity.) All the domains in a forest must share the same schema. If certain domains need different schemas, you must place them in different forests.

Domains
Active Directory domains are far more scalable than Windows NT domains, so you will likely merge some domains during Active Directory deployment. However, Active Directory domains still have size limitations, so you must analyze domain statistics before you decide to merge domains. Users who need different security or administrative policies (such as username and password restrictions) must reside in different domains. Since your new domain structure might not be based on geography, this might affect how you assign administrative privileges.

Organizational Units
Active Directory does not require separate resource and account domains. You might want to merge resource and account domains and use organizational units to create separate containers for common objects within a domain. Since domains in Active Directory can hold many more objects than in Windows NT, you might be able to merge domains and use organizational units to delegate administration.

Analyzing Your Current Domains

Before you can begin planning your new directory structure, you need to analyze your current environment. Knowing your existing domain structure can help you determine your Active Directory design as well as define your migration strategy. In your current environment, you need to identify all your existing domains and gather information about each domain such as:

- The type of each domain (resource or account)
- All users, groups, domain controllers and resource servers associated with each domain
- The trust relationships between domains

Once you have a complete understanding of your current domain structure, you can begin to make decisions about the forests, trees, domains and organizational units you need to create in Active Directory and which objects from your current directory (the "source domains") to move to these containers.

A thorough analysis of your current domains is an essential first step in designing your new Active Directory and planning your migration.

2. How Will My Groups Change?

Groups allow you to efficiently manage users and resources in your environment and are an important part of your directory design. Active Directory introduces a new kind of group (the universal group), as well as changes to the way groups work. For example, domain local groups can be used in Active Directory to set permissions on resources throughout the domain. As a result, you might want to migrate server local groups to domain local groups when you deploy Active Directory. Also, if you had set up file/print servers as domain controllers in NT to facilitate permissioning, you might want to demote these file/print servers to member servers in Active Directory and merge their domain local groups into the domain local group of the corresponding target domain in Active Directory.

To effectively plan your new Active Directory group configuration, you need to understand how groups differ in Windows NT and Active Directory.

In Windows NT:
- Groups are only used for security purposes, to grant permissions on NT resources such as files, shares and printers. Instead of using groups, Exchange 5.5 uses distribution lists for mail distribution.
- Group scope is limited to global and local groups.
- Domain local groups can only be used to set permissions on domain controllers.

In Active Directory:
- A group can be used for both security and distribution, which simplifies group administration.
- In addition to global and local groups, there are universal groups that can include members from multiple domains of a forest.
- Domain local groups can be used to set permissions on resources throughout the domain.

Identifying Your Groups

Since groups are different in Active Directory, you need to examine your existing groups and determine if any changes are needed. Understanding your groups is critical to maintaining users' resource access and mail distribution during and after a migration. Group nesting can become complex, and you need to know your complete group structure to fully understand how permissions were assigned and to determine any changes you need to make. You can then begin to make decisions about your new group structure, such as group membership and groups to be combined or deleted. In your current environment, you need to identify all your existing groups and gather information about each group such as:

- The type of each group
- All users assigned to each group
- All references to each group
- Group nesting, such as users in global groups that are nested in local groups
- Exchange 5.5 distribution lists

To ensure users maintain appropriate access to resources, you must fully understand your existing group structure, including nesting.

Identify all mail distribution list members to plan universal groups in Active Directory.

Analyze your existing server local groups to decide whether to migrate them or merge them with domain local groups in Active Directory.
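As an added example (not part of the white paper and not code from Enterprise Directory Reporter), the following Python script resolves nested membership from a constructed group export, so that a local group's effective users and the nesting chain behind each one can be listed; the group and account names are made up, and a member that is not itself a group is assumed to be a user.

```python
from collections import deque

# Constructed sample group inventory (not from the paper): group -> direct
# members. A member that is itself a key of this dict is a nested group;
# anything else is treated as a user account. Loop-A/Loop-B model a nesting
# cycle of the kind that can exist in an Active Directory being restructured.
GROUP_MEMBERS = {
    "FS1\\Finance-Local": ["CORP\\Finance-Global", "CORP\\Audit-Global"],
    "CORP\\Finance-Global": ["CORP\\alice", "CORP\\bob"],
    "CORP\\Audit-Global": ["CORP\\carol", "CORP\\Finance-Global"],
    "CORP\\Empty-Global": [],
    "CORP\\Loop-A": ["CORP\\Loop-B"],
    "CORP\\Loop-B": ["CORP\\Loop-A", "CORP\\dave"],
}


def effective_members(group, members=GROUP_MEMBERS):
    """Return {user: chain} for every user who is a member of `group` directly
    or through nesting. `chain` is the shortest tuple of groups that leads
    from `group` to the user. The seen-set stops a nesting cycle
    (Loop-A -> Loop-B -> Loop-A) from being walked forever."""
    users = {}
    seen = set()
    queue = deque([(group, (group,))])
    while queue:
        current, chain = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        for member in members.get(current, []):
            if member in members:  # nested group: keep walking
                queue.append((member, chain + (member,)))
            else:  # user: record the first (shortest) chain that reached it
                users.setdefault(member, chain)
    return users


def nesting_depth(group, members=GROUP_MEMBERS):
    """Deepest nesting level through which any user reaches `group`
    (0 = direct members only, 1 = through one nested group, ...)."""
    chains = effective_members(group, members).values()
    return max((len(chain) - 1 for chain in chains), default=0)


def empty_groups(members=GROUP_MEMBERS):
    """Groups that resolve to no user even after nesting: candidates for
    deletion, or for skipping during the migration."""
    return sorted(g for g in members if not effective_members(g, members))


if __name__ == "__main__":
    for user, chain in sorted(effective_members("FS1\\Finance-Local").items()):
        print(user, "via", " -> ".join(chain))
    print("empty groups:", empty_groups())
```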

3. Are Permissions Correctly Assigned?

Migration can provide a good opportunity to review the permissions granted in your current environment and perform any necessary cleanup. Before migration, you need to determine if any users were assigned permissions they should not have and change any incorrect assignments to prevent them from being propagated to Active Directory. To reduce the impact of the migration on users, you need to ensure that permissions are reassigned correctly on network resources such as files, folders and printers. In addition, you should consider deleting groups that have no permissions assigned or merging groups that grant the same permissions.

Identifying Permission Assignments

To ensure that you maintain users' access to resources during and after the migration, you need to analyze your current permissions structure. In your current environment, you need to identify:

- File, folder, share and printer permissions granted to users and groups throughout the directory
- Resources from one domain that users from another domain can access
- Users with administrative rights

Evaluate the permissions assigned to users and groups before your migration.
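As an added example (not from the white paper or from any Aelita product), this Python script runs the review described above over a constructed permission export: it lists cross-domain grants, rights assigned to individual accounts rather than groups, groups that no permission references, and groups that grant identical rights and could be merged. Resource paths, domains and group names are made up.

```python
# Constructed permission inventory (not from the paper). Each ACE is
# (resource, resource_domain, trustee, rights); trustee is "DOMAIN\\name".
ACES = [
    ("\\\\FS1\\Finance", "CORP", "CORP\\Finance-Global", "Modify"),
    ("\\\\FS1\\Finance", "CORP", "CORP\\Finance-RO", "Read"),
    ("\\\\FS1\\Finance", "CORP", "CORP\\Audit-Global", "Read"),
    ("\\\\FS2\\Public", "CORP", "CORP\\Domain Users", "Read"),
    ("\\\\PRN1\\HPLaser", "CORP", "RESDOM\\Print-Ops", "Manage Printer"),
    ("\\\\FS1\\Finance", "CORP", "SALES\\jdoe", "Full Control"),
]

# Groups known in the source directory, including one that no ACE references.
GROUPS = {
    "CORP\\Finance-Global", "CORP\\Finance-RO", "CORP\\Audit-Global",
    "CORP\\Domain Users", "RESDOM\\Print-Ops", "CORP\\Old-Project",
}


def trustee_domain(trustee):
    """'CORP\\alice' -> 'CORP'."""
    return trustee.split("\\", 1)[0]


def cross_domain_access(aces=ACES):
    """ACEs that give a trustee from one domain access to a resource in
    another. They depend on a trust relationship and must be re-created
    deliberately when domains are merged or trusts are dropped."""
    return [(res, who, rights) for res, dom, who, rights in aces
            if trustee_domain(who) != dom]


def direct_user_grants(aces=ACES, groups=GROUPS):
    """ACEs granted to individual accounts instead of groups: the usual place
    to find rights a user should not have, so review them before migrating."""
    return [(res, who, rights) for res, _, who, rights in aces
            if who not in groups]


def groups_without_permissions(aces=ACES, groups=GROUPS):
    """Groups referenced by no ACE: candidates for deletion."""
    referenced = {who for _, _, who, _ in aces}
    return sorted(groups - referenced)


def groups_with_identical_permissions(aces=ACES):
    """Sets of groups that grant exactly the same rights on the same
    resources: candidates for merging into one group."""
    grants = {}
    for res, _, who, rights in aces:
        grants.setdefault(who, set()).add((res, rights))
    by_grant = {}
    for who, granted in grants.items():
        by_grant.setdefault(frozenset(granted), []).append(who)
    return sorted(sorted(names) for names in by_grant.values() if len(names) > 1)


if __name__ == "__main__":
    print("cross-domain:", cross_domain_access())
    print("direct user grants:", direct_user_grants())
    print("unused groups:", groups_without_permissions())
    print("merge candidates:", groups_with_identical_permissions())
```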

4. What Sites Should I Create?

While you create forests and domains to represent the logical structure of your network in Active Directory, you create sites to represent the physical structure of your network. The logical structure of a Windows NT 3.x/4.0 network almost always mirrors its physical structure. In Active Directory, however, the logical and physical structure of your network do not have to match. The trees and forests forming your organization's domain namespace represent your network's logical structure.

To define the physical structure of your network, you must configure one or more site objects in Active Directory. Site objects are used to define areas of good network connectivity. To configure a site object in Active Directory, you associate a site with one or more TCP/IP subnets. Each TCP/IP subnet that you define for a site should share a high-bandwidth link (512 Kbps or greater). In general, you will create a site object for each area of your network that is separated by low bandwidth.

Sites determine how replication traffic is routed across your network. In Active Directory, all data is replicated between all domain controllers in a domain, but only certain data is replicated between domains. You can use sites to maximize the efficiency of replication in your network.

Identifying IP Subnets

To plan your site structure, you need to know about the IP subnets in your current network. Most of the existing IP subnets are likely to become site objects in Active Directory.

Identify IP subnets in your current network to plan your Active Directory sites.
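As an added example (not part of the white paper), this Python script checks a constructed site plan against a constructed computer inventory: it maps each computer to the site whose most specific subnet contains its address, lists computers that no planned subnet covers, and flags a subnet listed under two sites. Site names, subnets and addresses are made up.

```python
import ipaddress

# Constructed site plan (not from the paper): site -> subnets that share a
# high-bandwidth link. A more specific subnet (Columbus-Lab) inside a wider
# one (Columbus-HQ) is fine; the longest prefix wins. The same subnet listed
# under two sites is a planning error and is reported below.
SITE_SUBNETS = {
    "Columbus-HQ": ["10.1.0.0/16", "192.168.5.0/24"],
    "Columbus-Lab": ["10.1.200.0/24"],
    "Boston": ["10.20.0.0/16", "192.168.5.0/24"],
}

# Constructed computer inventory: (name, IP address).
COMPUTERS = [
    ("FS1", "10.1.3.10"),
    ("LAB-DC", "10.1.200.5"),
    ("BOS-WS1", "10.20.4.77"),
    ("REMOTE-PC", "172.16.9.3"),
]


def subnet_table(site_subnets=SITE_SUBNETS):
    """Flatten the plan into [(network, site)], longest prefix first."""
    rows = [(ipaddress.ip_network(s), site)
            for site, subnets in site_subnets.items() for s in subnets]
    return sorted(rows, key=lambda row: row[0].prefixlen, reverse=True)


def site_for(ip, site_subnets=SITE_SUBNETS):
    """Site whose most specific subnet contains `ip`, or None when no planned
    subnet covers the address. A computer with no matching subnet cannot be
    placed in a site and may end up using a domain controller across a slow link."""
    addr = ipaddress.ip_address(ip)
    for net, site in subnet_table(site_subnets):
        if addr in net:
            return site
    return None


def assign_sites(computers=COMPUTERS, site_subnets=SITE_SUBNETS):
    """{computer: site or None} for the whole inventory."""
    return {name: site_for(ip, site_subnets) for name, ip in computers}


def uncovered_computers(computers=COMPUTERS, site_subnets=SITE_SUBNETS):
    """Computers whose address matches none of the planned subnets."""
    assigned = assign_sites(computers, site_subnets)
    return sorted(name for name, site in assigned.items() if site is None)


def duplicate_subnets(site_subnets=SITE_SUBNETS):
    """Subnets listed under more than one site; each subnet object can belong
    to exactly one site, so these must be resolved in the plan."""
    owners = {}
    for site, subnets in site_subnets.items():
        for s in subnets:
            owners.setdefault(str(ipaddress.ip_network(s)), []).append(site)
    return {s: sorted(sites) for s, sites in owners.items() if len(sites) > 1}


if __name__ == "__main__":
    print(assign_sites())
    print("uncovered:", uncovered_computers())
    print("duplicates:", duplicate_subnets())
```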

5. Where Are Services Running?

As you plan your Active Directory structure, you need to be aware of the services currently running on your network servers. Changes to your network structure as well as upgrades to your operating system can affect these services. For example, if you are changing your DHCP and WINS configuration, you need to know what servers are running those services.

Information on services is important for several reasons:

- Services such as DNS, DHCP and WINS are mission-critical and require special care during migration. For example, you might want to disable DHCP before migrating a server running this service.
- Services running under user accounts need to be updated as these accounts are disabled. If a user account is being used by a service, you do not want to disable that account without reassigning the service to the corresponding account in the target domain.
- Some services might be incompatible with Active Directory. You need to make sure that any services running in the new environment support Active Directory.

Identifying Services

Knowing the services running in your network can help prevent unexpected problems during your migration. In your current environment, you need to identify information about services such as:

- Each service name
- The account used to run each service
- The computer running the service

Know each service running on your servers to prevent network problems.

6. Do I Need to Do Any Renaming?

There are several situations where you might need to change the names of user accounts, groups or computers in your new Active Directory. You need to be aware of these situations to prevent problems in Active Directory:

- Active Directory and Windows NT have different naming standards for computers, groups and user accounts. Some NT names might be prohibited in Active Directory, and these names need to be changed.
- Naming issues can arise when domains that contain objects with the same name are merged. This situation can be resolved in one of the following ways:
  - If the objects incidentally used the same name, you can rename one of the objects during the migration.
  - If the objects represent the same person (such as a person having an account in several domains) or group (two domains having groups for the same purposes, such as Sales), you can merge these user objects or groups during the migration.
  - If the objects represent the same person, but one of the accounts is not required for some reason (such as multiple administrator accounts), you can delete one of the objects before migration or skip the object during migration.

Analyzing Names

To avoid naming conflicts in Active Directory, you must know the names of your existing directory objects. You can use this information to determine if there are objects you need to rename, merge or delete/skip. In your current environment, you need to identify:

- User accounts with the same name
- Groups with the same name
- All computers, groups or users whose names are not allowed in Active Directory

Identify duplicate user accounts and groups to merge, rename or delete/skip.

Identify directory objects whose names are not allowed in Active Directory.
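As an added example (not part of the white paper), this Python script applies the two checks above to a constructed export of two NT domains that are to be merged: names that break the Active Directory naming rules assumed here (a user sAMAccountName of at most 20 characters with none of the characters " / \ [ ] : ; | = , + * ? < >, and a computer name of at most 15 characters that is also a valid DNS host name), and names that occur in more than one source domain. Domain, account and computer names are made up.

```python
import re

# Naming rules assumed for this example. A user's sAMAccountName is limited
# to 20 characters; user and group names may not contain these characters.
SAM_MAX_LEN = 20
SAM_BAD_CHARS = set('"/\\[]:;|=,+*?<>')
# Computer names: a NetBIOS name of at most 15 characters, and the DNS host
# name an Active Directory member registers may use only letters, digits
# and hyphens (not underscores, which NT tolerated).
NETBIOS_MAX_LEN = 15
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# Constructed source directory (not from the paper): (domain, kind, name)
# for objects in two NT domains that will be merged into one AD domain.
OBJECTS = [
    ("NTDOM1", "user", "jsmith"),
    ("NTDOM2", "user", "jsmith"),
    ("NTDOM1", "user", "administrator"),
    ("NTDOM2", "user", "administrator"),
    ("NTDOM1", "group", "Sales"),
    ("NTDOM2", "group", "Sales"),
    ("NTDOM1", "user", "a.very.long.username.here"),
    ("NTDOM2", "user", "bad:name"),
    ("NTDOM1", "computer", "FILE_SERVER_01"),
    ("NTDOM2", "computer", "THISNAMEISTOOLONG16"),
]


def name_problems(kind, name):
    """Reasons `name` would be rejected or need changing in Active Directory."""
    problems = []
    if kind in ("user", "group"):
        if kind == "user" and len(name) > SAM_MAX_LEN:
            problems.append("longer than %d characters" % SAM_MAX_LEN)
        bad = sorted(set(name) & SAM_BAD_CHARS)
        if bad:
            problems.append("contains " + " ".join(bad))
    elif kind == "computer":
        if len(name) > NETBIOS_MAX_LEN:
            problems.append("longer than %d characters" % NETBIOS_MAX_LEN)
        if not HOSTNAME_RE.match(name):
            problems.append("not a valid DNS host name")
    return problems


def invalid_names(objects=OBJECTS):
    """Objects to rename before migration, each with its reasons."""
    return [(dom, kind, name, name_problems(kind, name))
            for dom, kind, name in objects if name_problems(kind, name)]


def duplicate_names(objects=OBJECTS):
    """Same name and object kind in more than one source domain. Comparison
    is case-insensitive because sAMAccountName uniqueness is. Each hit must
    be renamed, merged or skipped before the domains are combined."""
    seen = {}
    for dom, kind, name in objects:
        seen.setdefault((kind, name.lower()), []).append(dom)
    return {key: sorted(doms) for key, doms in seen.items() if len(doms) > 1}


if __name__ == "__main__":
    for dom, kind, name, why in invalid_names():
        print("rename %s %s\\%s: %s" % (kind, dom, name, "; ".join(why)))
    for (kind, name), doms in duplicate_names().items():
        print("duplicate %s %r in %s" % (kind, name, ", ".join(doms)))
```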

7. Do I Have Unnecessary User Accounts or Groups?

Over time, your environment can become polluted with unused and disabled user accounts or empty groups. These accounts clutter your environment and confuse your inventory. More importantly, unused accounts are a security threat because rogue administrators can use them to carry out attacks without revealing their own identity. Migration to Active Directory is an opportunity to rid your network of such outdated data and security vulnerabilities. By deleting these user accounts and groups, you can also reduce the length and work load of the migration project.

Identifying Unnecessary Groups

Before migration, you also need to identify empty or unused groups that should not be migrated.

Identify any empty or unused groups to be deleted or skipped.

Identifying Unnecessary Accounts

Before migration, you need to identify accounts that should not be migrated. In your current environment, you need to identify unnecessary accounts such as:

- Unused accounts
- Disabled accounts
- Expired accounts

Identify any unused, disabled or expired accounts to be deleted.
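As an added example (not part of the white paper), this Python script classifies a constructed account export into unused, disabled and expired accounts and then cross-checks the removal list against a constructed service inventory, the check section 5 calls for before an account is disabled. The 90-day inactivity threshold, the "as of" date and all account, computer and service names are assumptions.

```python
from datetime import date, timedelta

# Constructed account export (not from the paper). `last_logon` is None for
# an account that has never logged on; `expires` is None if it never expires.
ACCOUNTS = [
    {"name": "CORP\\alice", "enabled": True, "last_logon": date(2003, 3, 10), "expires": None},
    {"name": "CORP\\bob", "enabled": False, "last_logon": date(2002, 1, 5), "expires": None},
    {"name": "CORP\\temp01", "enabled": True, "last_logon": date(2002, 12, 1), "expires": date(2002, 12, 31)},
    {"name": "CORP\\oldsvc", "enabled": True, "last_logon": None, "expires": None},
    {"name": "CORP\\svc_backup", "enabled": True, "last_logon": date(2003, 3, 1), "expires": None},
    {"name": "CORP\\carol", "enabled": True, "last_logon": date(2002, 11, 1), "expires": None},
]

# Constructed service inventory: (computer, service, account the service runs as).
SERVICES = [
    ("SRV1", "Backup Agent", "CORP\\svc_backup"),
    ("SRV2", "SQL Server", "CORP\\oldsvc"),
    ("SRV1", "Spooler", "LocalSystem"),
]

AS_OF = date(2003, 3, 18)  # constructed "today" so the results are reproducible


def classify(account, as_of=AS_OF, inactive_days=90):
    """Return 'disabled', 'expired', 'unused' or 'active'. Disabled takes
    precedence over expired, which takes precedence over unused; an account
    that has never logged on counts as unused."""
    if not account["enabled"]:
        return "disabled"
    if account["expires"] is not None and account["expires"] < as_of:
        return "expired"
    last = account["last_logon"]
    if last is None or as_of - last > timedelta(days=inactive_days):
        return "unused"
    return "active"


def removal_candidates(accounts=ACCOUNTS, as_of=AS_OF, inactive_days=90):
    """{account: reason} for every account that should not be migrated."""
    result = {}
    for account in accounts:
        reason = classify(account, as_of, inactive_days)
        if reason != "active":
            result[account["name"]] = reason
    return result


def blocked_by_services(candidates, services=SERVICES):
    """Removal candidates that still run a service somewhere. Deleting or
    disabling such an account stops the service, so reassign the service to
    the corresponding target-domain account first."""
    return sorted((who, computer, svc) for computer, svc, who in services
                  if who in candidates)


if __name__ == "__main__":
    candidates = removal_candidates()
    for name, reason in candidates.items():
        print("%-18s %s" % (name, reason))
    print("reassign before removing:", blocked_by_services(candidates))
```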

8. Are Software and Hardware Upgrades Needed?

To take full advantage of all the features of Active Directory, you might need to upgrade software and hardware in your network. As you plan your migration, you do not want to forget the extra time, effort and cost required by these upgrades. Be prepared by considering the effect of these upgrades on your existing network.

- If you plan to reuse the hardware for domain controllers during the migration, you need to evaluate whether the existing hardware satisfies the requirements for Windows 2000/2003 domain controllers.
- Windows 9x and Windows NT prior to NT4 Service Pack 4 (SP4) do not fully support Active Directory features unless the Active Directory client software is installed on them. You need to locate such computers and decide whether to upgrade the operating system or to install the Active Directory client.
- If you decide to upgrade a computer's operating system, you also need to check hardware compatibility for those computers. Some hardware devices such as printers, video cards and modems might not be compatible with the new operating system. To help identify incompatible devices, Microsoft provides the Hardware Compatibility List (HCL).
- Older versions of software applications might not be compatible with the new operating system.

Hardware and software upgrades affect the cost and timeframe for your migration project. As part of your migration plan, you need to estimate upgrade costs.

Identifying Computers' Operating Systems

For computers running older operating systems, you need to decide whether to upgrade the operating system or install the Active Directory client. In your current environment, you need to identify computers running Windows 9x or Windows NT prior to NT4 SP4.

Identify computers running older operating systems.

Identifying Installed Hardware

Upgrades to a computer's operating system can affect hardware devices located on that computer. Before you upgrade, you need to ensure that computer devices such as printers, video cards and modems will function with the new operating system. In your current environment, you need to identify information such as:

- Computers to be upgraded
- Type of devices located on each computer
- Name of the device
- Manufacturer of the device

Evaluate hardware devices on computers whose operating systems will be upgraded.

Identifying Installed Software

You might also need to upgrade application software running on workstations and servers. Older versions of software might not be compatible with newer operating systems. In your current environment, you need to identify existing versions of application software and determine if this software is compatible with the operating system you will be running.

Evaluate installed software to determine if upgrades are needed.

Identifying Upgrade Costs

To meet the requirements or recommendations for the operating system you are deploying, you might need to upgrade the processor, memory or hard disk on certain computers. Once you identify which computers do not meet the minimum requirements for the new operating system, you can determine your upgrade costs. In your current environment, you need to gather information such as:

- Computers to be upgraded
- Amount of memory on each computer
- Processor on each computer
- Amount of disk space (total, free) on each computer

Determine the minimum requirements you want servers and workstations to meet and identify computers that don't meet those requirements. Combine this information with upgrade costs to estimate costs by computer, by domain and for your overall project.

9. What About Exchange?

Your plan for a new Active Directory might also affect your Exchange messaging system. As part of your migration to Active Directory, you might choose to remain in Exchange 5.5, or you might migrate to Exchange 2000/2003.

Remain in Exchange 5.5

Though you can continue to use Exchange 5.5 after you migrate to Active Directory, you must make sure that all the permissions set in the Exchange 5.5 directory for source NT accounts are granted to the new Active Directory accounts. Consideration must be made for the following:

- Users with multiple mailboxes
- Mailboxes with multiple permissions
- Mailboxes with alias names different than the primary account
- Permissions on public folders

Identify Exchange 5.5 permissions for mailboxes, public folders and distribution lists.

Migrate to Exchange 2000/2003

Unlike Exchange 5.5, Exchange 2000/2003 uses Active Directory instead of the Exchange Directory Service. Since Exchange 2000/2003 is tightly integrated with Active Directory, your decision to migrate to Exchange 2000/2003 could affect your Active Directory design. Migration to Exchange 2000/2003 is a complex process, but detailed planning can help ensure a successful migration. For example, your design can include only one Exchange 2000/2003 organization per Active Directory forest.

Identify existing Exchange organizations to plan your Exchange 2000/2003 design.

10. How Will I Monitor My Network Configuration During Migration?

After migration has begun, you should regularly review Active Directory permission assignments, including the use of groups and Group Policy, to help promote network security. During a migration, the movement of users and groups at different times and by different administrators can cause unintentional rights assignments. You need to identify any migrated users who received inappropriate rights. After the migration is complete, you need to continue to analyze Active Directory permissions and confirm compliance with applicable legal regulations and your organization's security policies.
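As an added example (not part of the white paper), this Python script compares a constructed before-migration export of effective rights in the NT source domain with a constructed after-migration export from the target domain, using a source-to-target account map, and reports rights a migrated account gained that none of its source accounts held as well as rights a user lost. Both exports are assumed to already have group membership resolved; domains, accounts and resource paths are made up.

```python
# Constructed effective-rights exports (not from the paper): one taken from
# the NT source domain before migration, one from the target AD domain after
# it. Each maps an account to the set of (resource, rights) it holds once
# group membership has been resolved.
SOURCE_RIGHTS = {
    "NTDOM\\alice": {("\\\\FS1\\Finance", "Modify")},
    "NTDOM\\bob": {("\\\\FS1\\Finance", "Read"), ("\\\\FS2\\Public", "Read")},
    "NTDOM\\carol": {("\\\\FS2\\Public", "Read")},
}

# Which target account each source account was migrated to.
ACCOUNT_MAP = {
    "NTDOM\\alice": "CORP\\alice",
    "NTDOM\\bob": "CORP\\bob",
    "NTDOM\\carol": "CORP\\carol",
}

# After migration: bob lost a right, carol gained Full Control she never had,
# and dave exists in the target with no source account behind him.
TARGET_RIGHTS = {
    "CORP\\alice": {("\\\\FS1\\Finance", "Modify")},
    "CORP\\bob": {("\\\\FS1\\Finance", "Read")},
    "CORP\\carol": {("\\\\FS2\\Public", "Read"), ("\\\\FS1\\Finance", "Full Control")},
    "CORP\\dave": {("\\\\FS1\\Finance", "Read")},
}


def expected_rights(source=SOURCE_RIGHTS, account_map=ACCOUNT_MAP):
    """Rights each target account should hold: the union of the rights of
    every source account that was mapped onto it (several source accounts
    can be merged into one target account)."""
    expected = {}
    for src, rights in source.items():
        target = account_map.get(src)
        if target is not None:
            expected.setdefault(target, set()).update(rights)
    return expected


def gained_rights(target=TARGET_RIGHTS, source=SOURCE_RIGHTS, account_map=ACCOUNT_MAP):
    """Rights a target account holds that no source account behind it held:
    the unintentional assignments to investigate. An account with no source
    mapping is reported with all of its rights."""
    expected = expected_rights(source, account_map)
    gained = {}
    for acct, rights in target.items():
        extra = rights - expected.get(acct, set())
        if extra:
            gained[acct] = extra
    return gained


def lost_rights(target=TARGET_RIGHTS, source=SOURCE_RIGHTS, account_map=ACCOUNT_MAP):
    """Rights a source account held that its target account did not receive:
    users who will lose access at cut-over."""
    expected = expected_rights(source, account_map)
    lost = {}
    for acct, rights in expected.items():
        missing = rights - target.get(acct, set())
        if missing:
            lost[acct] = missing
    return lost


if __name__ == "__main__":
    print("gained:", gained_rights())
    print("lost:", lost_rights())
```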

Monitoring Administrative Rights in Active Directory

In Active Directory, you need to monitor the membership of the Administrators group, including accounts obtaining membership in the group via other groups. You can use membership lists to ensure that only the users who need the permissions granted to a group are members of the group. In addition, you need to make sure you understand what users have been given administrative rights.

To help ensure the security of your network, monitor who has administrative rights in Active Directory.

Monitoring Group Memberships in Active Directory

Group memberships can be difficult to track, which can result in inappropriate permission assignments. With a detailed list of groups, you can analyze the purpose of each group and refine access permission assignments in domains. After a migration, similar groups might be consolidated. With information about group membership, you can determine if any users or groups should have their membership revoked.

Keep track of your groups and group memberships in Active Directory.

Monitoring Group Policy in Active Directory

Group Policy makes it easy to control settings on Active Directory objects, including user accounts. However, setting up policies can be complex and difficult, with sometimes unplanned results. To analyze and improve the security of your systems, you need to determine what policy settings are in effect and which policies are applied to users and groups.

Monitor Group Policies to protect your network.

Monitoring Administration Delegation in Active Directory

In Active Directory, most administration delegation is accomplished at the organizational unit level. After migration to Active Directory, especially after merging domains, you need to verify the administration delegation structure in your post-migration environment.

Evaluate your delegation of administrative privileges in Active Directory.

CONCLUSION

By performing an inventory of your current directory, both before and after migration, you gain valuable information for planning your migration and designing your new Active Directory, while avoiding major problems that can occur. Your planning efforts can be greatly improved with tools that collect and report on configuration data and software and hardware inventory, such as Aelita Enterprise Directory Reporter (EDR). EDR automates data and inventory collection, which allows you to collect more complete and accurate data. As shown throughout this guide, EDR's predefined reports represent best practices and expert knowledge of migration and security. Using a tool such as EDR can help ensure a successful deployment of Active Directory in your Windows 2000 or Windows Server 2003 environment.

For more information on EDR, visit the Aelita website at www.aelita.com/edr. Or request a free consultation by contacting Aelita at consultation_request@aelita.com for personalized assistance from the experts in Active Directory management, migration and recovery.

ABOUT AELITA SOFTWARE CORPORATION

Aelita Software provides systems management solutions to organizations that rely on Microsoft Windows technologies. Aelita's proven expertise with Active Directory and Exchange helps customers improve productivity, system availability and security. IT professionals choose Aelita solutions to administer, migrate, recover and audit these critical systems. The company's customers and partners include Bristol-Myers Squibb, HMS Host (formerly known as Host Marriott Services), Kmart Corporation, Pitney Bowes, Textron, Inc., Hewlett-Packard and Microsoft. Aelita is a global organization with headquarters in Columbus, Ohio. Contact Aelita at 800.263.0036 or visit www.aelita.com.

Contacting Aelita Software Corporation:
Web: www.aelita.com
Technical Support: support@aelita.com
Sales: sales@aelita.com
General Inquiries: services@aelita.com
Phone: 614-336-9223, 1-800-263-0036
Fax: 614-761-9620
Aelita Software Corporation, 6500 Emerald Parkway, Suite 400, Columbus, Ohio 43016, USA