How to Consolidate Microsoft Active Directory

When Jonathan DeAngelo joined Chautauqua County, N.Y., as CIO, he inherited a Microsoft Active Directory (AD) structure that had been created without the benefit of standards or best practices.

As technicians began using more group policy for user authentication and authorization, they'd see errors on domain controllers (DCs). Lacking documentation, they couldn't pinpoint problems.

When Chautauqua County migrated to Microsoft Server 2008, DeAngelo's IT group wasn't able to take advantage of AD improvements because its DCs were still on Server 2003. "We were suffering, but I didn't have the resources to send my staff out for training and have them rebuild everything," he says.

The situation became untenable when the county upgraded to MS Exchange Server 2010 and brought the Office of the Sheriff into the network. Recognizing the need for across-the-board best practices to manage the two forests (AD top-level containers) and serve 1,500 users across 20 departments, DeAngelo decided to bring in experts to assess the AD situation and educate IT staff.

Read on to see what Chautauqua County and others have learned about AD management.

The Need for a Clear Vision

Many departments have implemented their own directories for server and workstation management, complicating efforts to create a unified, enterprisewide structure. "By ignoring the proliferation of directories over time, many organizations have built these byzantine, highly complex directory environments," says Andrew Walls, a research vice president for Gartner.

To leverage the authentication, authorization and management benefits that a well-designed AD environment provides, IT leaders must rein in the structures that have organically spread throughout their agencies. The complexities involved prompt many to turn to consultants for advice about optimizing their directory structures.

DeAngelo called upon CDW•G to "assess this monster we'd created and guide us toward managing it." CDW•G determined that Chautauqua County needed to design and document an overall directory services and identity management vision. "A vision defines what you want AD to do and directs your future decision-making," DeAngelo explains. The county's vision dictates that directory and group policy changes be based on improving efficiency while keeping the network secure.

Balance Optimization Against Needs

Tom Magrini, deputy CIO for the city of Phoenix, says, "Everyone knows it makes sense to have one AD for the entire organization, but if you don't take into account each cultural barrier, any one can defeat your best technical solution."

Like many AD environments, Phoenix's grew organically across 26 departments. In 2010, the IT department began consolidating forests and has completed all but those of the court system and police department. The city runs a federated but decentralized AD model: The central IT agency creates AD user accounts, and departmental LAN administrators handle permissions, roles and responsibilities for their groups.

For its part, Maine had a head start on directory consolidation because various groups agreed to standardize well before the state legislation mandated consolidation in 2005. Where the state did run into challenges was with political pushback over control of the directory structure that serves 13,000 users. "Some agency administrators wanted their own forest, child domains and organizational units," says Chief Technology Officer Greg McNeal. "We wanted to have one forest administrator and were able to work it out, but it's still a journey."

Institute Governance

To ensure that all parties weigh in, Maine established a governance committee chaired by an information architect and comprising technicians representing every IT administration area. "All requests for moves, adds or changes that impact our AD are vetted through the committee, which assesses why we're doing something, what the impact is and what the back-out process is should a change go awry," says McNeal.

Phoenix, too, has an AD working group that manages directory-specific issues. "With our federated model, we provide better resources to manage the AD than if we had centralized it," says Magrini. "Departments know their business better than central IT services does, so they're able to set groups and permissions in AD more quickly and better respond to their users."

Enforce Administration Roles

Maine has consolidated its executive branch and its quasi-agencies into a single forest with four child domains for agency organizational boundaries. "This allows us to standardize on the administration of our AD structure and adopt best practices that Microsoft has put forward across the enterprise, rather than having to negotiate with individual entities," McNeal explains. One person manages the statewide environment at the forest level.

The result is a highly reliable and stable AD structure that simplifies IT management, security administration, platform migration and application integration. "AD is our source of authentication for everything, and the more we tie into it, the better off we are," says Wayne Gallant, director of network and communication services for Maine.

Chautauqua County has also addressed its AD domain administration practices. Previously, every tech's account credentials doubled as domain credentials. Now IT staff have separate accounts for domain administration that are activated when needed.

"It's less convenient because techs have to log in under a different name to do domainwide work, but it's a big step forward for security," says DeAngelo.