Active Directory - Authentication & directory services
In these days of concerns about IT security, access auditing, and Sarbanes-Oxley (SOX) requirements, authentication & directory services are a critical part
of the IT infrastructure. But hey, it's easy. Go to your Windows server, type "dcpromo" at the command prompt & you're done. Right?
I have found Active Directory (and other directory services) to be an extremely powerful, very flexible tool. Unfortunately, as with anything,
this level of flexibility brings with it a level of complexity and, therefore, lots of traps! Installing Active Directory on the server is merely the
preparation for the implementation. We need to consider physical topology, site replication, decide what sites will even have Active Directory,
design the logical layout of the directory, extend the schema for directory enabled applications...even design the basis for our directory security & group policy!
The list goes on.
There are many traps for young players, & unfortunately the best way to be aware of the issues you may face after implementation, when
redesigning Active Directory is impossible, is to have experienced Active Directory design & deployment, & to have witnessed the pitfalls.
The possibilities - and the pitfalls - have expanded with the introduction of Active Directory Application Mode (ADAM), which has its own database and, as such,
can have its own schema. This is ideal for directory-enabled applications which require schema extensions to store data in the directory, but which you
may not want (because of the volume of traffic) to replicate to all the domain controllers in the domain, while still allowing for centralized authentication services.
Group policy has offered us a form of centralized management of workstations & servers. It is, however, dependent on the Active Directory schema being properly designed
for group policy to give us the advantages we were hoping for. If it is incorrectly designed, we may not get the granularity of control hoped for. While security
groups can be utilized for group policy filtering, it slows down the processing of policies and should not be used to compensate for an improperly designed Active Directory.
I can offer you experience in designing & implementing Active Directory on both a national and international scale. I've seen &/or witnessed many of the
common pitfalls & can help you avoid them. Contact me for more information.