Computing and Information Services
Network Group

Windows 2000 Active Directory Support

Introduction

With Windows 2000, Microsoft has introduced Active Directory, a new directory and management structure comparable to Novell's NDS product used with Novell NetWare. Windows 2000 server installations depend on Active Directory in order to define and manage users and resources. For more information concerning Active Directory, please see Microsoft's Active Directory Overview.

Active Directory is unique in that it makes certain assumptions and places certain requirements on the campus Domain Name System (DNS) structure. This document is an attempt to describe the issues and the support for Active Directory that is available from the CIS Network Group.

The rest of the information on this page assumes a rudimentary knowledge of how Active Directory depends on and interacts with DNS. Microsoft has a good explanation of this background material on pages 3-8 of their document.

Support Issues

Deployment of Active Directory on the campus network raises some technical issues. First, in order for client computers to log in and to find resources, Active Directory requires that Windows 2000 Servers be able to dynamically register information in the campus DNS system. Secondly, the Active Directory naming structure must be represented in the campus DNS domain structure.

While Windows 2000 can handle many of these issues internally via its native DNS services, doing so conflicts with the existing protocols, procedures and implementation of the campus DNS system. The issues of authorization, authentication and protection of DNS registration information are critical to the stable and accountable use of the campus network.

For this reason, support for Windows 2000 on the campus network has been implemented in such a way as to avoid the need to run these internal DNS services for anything more than the information required for login and resource searching. All naming, IP address assignment and subdomain issues will continue to be handled by the Network Group via NIM.

Naming Issues

As mentioned earlier, Windows 2000 Active Directory uses the DNS structure on campus in order to name the different domains and to interconnect them on campus. Before deployment of a Windows 2000 Server, you should carefully consider the DNS naming issues.

An effort is underway to interconnect separate Active Directory domains or trees into a single "forest" for the purpose of exchanging addressing, calendaring and other useful information. A group of Windows administrators meets regularly for the purpose of interconnecting Microsoft Exchange servers and sharing other resources and information. It is highly recommended that you talk with them (even if only to discuss the concepts and talk to others who have implemented Active Directory). If you would like to participate in this effort, you can contact them via mrc@tamu.edu.

The Network Group does not endorse any specific Active Directory implementation structure, whether it be a separate tree, a single forest or even multiple forests. It is up to the campus community, and in particular Active Directory administrators, to design and develop a structure that meets the needs of their customers. In general, of course, there are large resource gains and synergies possible via coordinated domains.

Guidelines

Active Directory domains must begin as a second level subdomain of tamu.edu; e.g. mydomain.tamu.edu. If a department chooses to be a standalone "tree", they can, if they wish, make the Active Directory domain the same as an existing DNS subdomain; e.g. cis.tamu.edu. This is graphically represented in the domain structure depicted below.

.-+
  |
  +-> edu -+
           |
           +-> tamu -+
                     |
                     +-> mydomain
                     |
                     +-> cis (including Active Directory Domain
                                    and existing hosts)

If departments currently do not have a subdomain and wish to allocate a new one for use with Active Directory, they must follow the existing guidelines and procedures for requesting a subdomain.

If a group of administrators wishes to interconnect their Active Directory "trees" into a "forest", then child domains of an Active Directory domain will be allowed. In this case, the group must provide to the Network Group a point of contact for coordinating the naming and creation of new child domains. An example of this structure is depicted below:

.-+
  |
  +-> edu -+
           |
           +-> tamu -+
                     |
                     +-> ourdomain -+
                                    |
                                    +-> child1
                                    |
                                    +-> child2

In order to complete the steps of actually connecting an Active Directory domain to the campus DNS structure, a few special steps need to be taken by the NIM administrators. Requests to set up an Active Directory domain and all associated enquiries should be sent to nim@tamu.edu.
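As an added example (not part of this page or of the Network Group's tooling), the following Python script checks a proposed domain name against the naming guidelines above and lists the DNS SRV records that a domain controller registers dynamically and that clients need for login and resource location. The record names follow Microsoft's documented _msdcs layout; the nslookup-based lookup is an assumption and can be replaced by any resolver callable.

```python
import subprocess

# Campus zone under which every Active Directory domain must be named.
CAMPUS_ZONE = "tamu.edu"

def guideline_check(ad_domain, parent_ad_domain=None):
    """Return (ok, reason). A stand-alone tree must be a second-level
    subdomain of tamu.edu (mydomain.tamu.edu); a child domain is allowed
    only under an existing AD domain passed as parent_ad_domain."""
    labels = ad_domain.lower().rstrip(".").split(".")
    if labels[-2:] != CAMPUS_ZONE.split("."):
        return False, "must be a subdomain of %s" % CAMPUS_ZONE
    if len(labels) == 3:
        return True, "second-level subdomain (stand-alone tree)"
    parent = (parent_ad_domain or "").lower().rstrip(".")
    if len(labels) == 4 and parent and ".".join(labels[1:]) == parent:
        return True, "child domain of %s" % parent
    return False, "child domains require a coordinating parent AD domain"

def expected_srv_names(ad_domain, forest_root=None):
    """Owner names of the SRV records a domain controller registers and
    clients query at login; global-catalog records sit under the forest root."""
    forest_root = forest_root or ad_domain
    return [
        "_ldap._tcp.%s" % ad_domain,
        "_kerberos._tcp.%s" % ad_domain,
        "_kpasswd._tcp.%s" % ad_domain,
        "_ldap._tcp.dc._msdcs.%s" % ad_domain,
        "_kerberos._tcp.dc._msdcs.%s" % ad_domain,
        "_ldap._tcp.pdc._msdcs.%s" % ad_domain,
        "_gc._tcp.%s" % forest_root,
        "_ldap._tcp.gc._msdcs.%s" % forest_root,
    ]

def srv_present(name, resolver=None):
    """True if the SRV record resolves. Default path shells out to nslookup
    (assumed installed); pass a callable to check offline or in tests."""
    if resolver is not None:
        return resolver(name)
    out = subprocess.run(["nslookup", "-type=SRV", name],
                         capture_output=True, text=True).stdout.lower()
    return "svr hostname" in out or "service =" in out

def missing_records(ad_domain, forest_root=None, resolver=None):
    """Expected SRV names that do not resolve; empty means delegation is complete."""
    return [n for n in expected_srv_names(ad_domain, forest_root)
            if not srv_present(n, resolver)]
```

Run `missing_records("mydomain.tamu.edu")` after the NIM administrators have delegated the zone; any name it returns is a record clients will fail to find at login.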

References

The following is a collection of links to other universities' sites concerning Windows 2000.