
DOCUMENT INFORMATION

Basic information

Title: Logical Domain Structure
School: Unknown University
Major: Network Administration
Type: Chapter
Year of publication: 2000
City: Unknown
Number of pages: 42
File size: 180.55 KB


Logical Domain Structure

This chapter takes you into the realm of enterprise analysis, which is new ground for most system administrators.

Sanity Check

By now, you are probably pretty psyched about Active Directory. And you probably thought we were nuts in the opening chapters when we urged you not to install Active Directory and to deploy standalone servers until you are at home with the new operating system. Now we are going to go overboard. We are going to tell you not to build your new domain until you have a) read this chapter, b) done psychoanalysis of your company, and c) designed your domain on a whiteboard or a math pad and come up with a blueprint.

Why? Does Microsoft recommend this? The answer is: Well, sort of.

Microsoft, in both official documentation and in training, is not firm enough in stressing that the root of a namespace cannot be renamed, changed, or deleted without first hacking down the forest and completely reinstalling the domain controller. And this will remain the situation until Microsoft or third parties ship some serious Active Directory manipulation and administration tools.

So, before you start, know this: When you delete the root domain, or the last domain on a domain tree, from the server (demotion), you uninstall the namespace. If you screw up the namespace and decide, after many hours of hard work, that you started wrong, you could end up losing those hours spent creating user and computer accounts and configuring domain controllers. And if you go into production, you also take down several colleagues. We thus offer you a mini-guide to enterprise analysis in this chapter in the hope that when you get ready to break ground, you don’t slice your toes off in the process.


Keepers of the New Order

These are exciting times for network administrators. We spoke at length in Chapter 1 about the paradigm shift underway in corporate communications, networking, and administration. As a Windows 2000 administrator, you now find yourself at the center of the paradigm shift. You are also a pivotal component in the change that is underway on the planet, in all forms of enterprise and institutional management.

Windows 2000 is a great facilitator in that paradigm shift. Companies are changing; a new order is emerging. The way businesses communicate with their customers is changing. Very little is regarded from a flat or uni-dimensional perspective. Today, corporate workers, owners, and administrators need a multifaceted view of their environment. Managers and executives need to look at everything from a 360-degree panorama of the business — its external environment and its internal environment.

You, the network administrator, specifically the Windows 2000 network administrator, now have a lot more on your shoulders. Everyone is looking at you — what you’re worth, what you know, how you conduct yourself — from the boardroom members to the mailroom members, you are the person to take the company beyond the perimeter of the old order. Why?

The tools to facilitate the shift can be found, for one reason or another, in Microsoft Windows 2000. You learned a lot about the Windows 2000 architecture in Chapter 1, so we won’t repeat it here, except to say that Windows 2000 Directory, Security, Availability, Networking, and Application services are in your hands, and those of your peer server administrators. The tools you will use to manage all the information pertaining to these services and objects are the Active Directory and the Windows 2000 network.

As mentioned in earlier chapters, Windows 2000 domains are very different from legacy Windows domains. They are also very different from the network management philosophies of other operating systems such as UNIX, NetWare, OS/2, and the mid-range platforms such as AS400, VMS, and so on.

Before you begin to design your enterprise’s logical domain structure (LDS), there are a number of important preparations to make. Besides items such as meditating, education, lots of exercise, and a good diet, there are some network administration specifics to consider. We discuss these items in the following sections.

Planning for the LDS

Back in Chapter 4, we discussed the steps to installation and conversion. One of those steps was designing the logical domain structure. If you have been tasked with the installation of or conversion to Windows 2000, the first item on your list should be to understand the steps to achieving the LDS and then implementing it.

Unless you can create an LDS blueprint, the myriad of other management functions, such as creating and managing user accounts, groups, policies, shares and more, will be difficult to implement and cost you a lot in time and material. The following list represents the steps we will take in this chapter to arrive at the point when we can begin the conversion process or even install in a clean or new environment.

1. Prepare yourself mentally.

2. Assemble an LDS team.

3. Survey the enterprise.

4. Design the Logical Domain Structure (LDS).

5. Produce the blueprint.

Preparing Yourself Mentally

Long gone are the days when installing a Windows-based network could be handled with a sprinkling of administration experience gleaned from a few books or an education based on crammed MCSE courses.

Running a successful Windows 2000 domain (no matter what the size) is going to require more than a magazine education in networking, telecommunications, security, and administration. If you have been managing or working with Windows NT server, you have a head start on the new administrators and administrators from the other technologies who have chosen to defect. Nevertheless, the conversion and installation process is arduous and mentally taxing. And how much time you spend on fixing problems in the future will depend on how well you lay your foundations now. Here is some advice that will help stem the migraine tide from the get-go.

Forget about Windows NT

Trying to create the LDS of Windows 2000 while thinking about Windows NT, and even managing Windows NT, is like trying to meditate at a heavy metal concert. In other words, it is very distracting. We would say that if you are involved in the day-to-day management of Windows NT domains, you should take a break from being an NT administrator while involved in the Windows 2000 LDS planning efforts, at least in the initial phases. You will find it very frustrating to work in both environments at the same time.

This is sobering advice if you have to manage an NT domain while you plan a Windows 2000 domain. You will need to make a special effort to separate the old from the new, the legacy from the up-and-coming.


Forget about Conversion

Trying to think about retrofitting, upgrading, or converting your legacy Windows domains, and even your NetWare or UNIX environments, will only get you into a lot of trouble. Forget about what everyone, including Microsoft, says about this, at least until you have the new domain structure in place and are fully versed in the techniques described in this chapter and the others described in this book. Only when you fully understand the possibilities and the limitations of Windows 2000 domains should you begin to plan your conversion process.

If you try to convert before the Windows 2000 LDS is in place, as we discussed in more detail in Chapter 4, you risk an IT disaster, and losing money and opportunity in many respects. Set up a lab as we discussed in Chapter 4. We can’t tell you everything you need to know or beware of in this book, nor can Microsoft. Only you will discover how Windows 2000 accommodates your needs, and how you accommodate its needs. No two organizations are alike.

Stay Out of Active Directory

Before you break out into a cold sweat, this advice applies only to this chapter. The Windows 2000 LDS is just that, logical. Until you have your blueprint in place, your plans approved, the budget in the bank, you don’t need to do a thing in the Active Directory.

Yes, Active Directory is the technology that makes the new LDS a reality, and yes, we would not be discussing LDS in such direct terms as we do here if Active Directory were not a reality, but trying to do LDS while tinkering around in Active Directory is counter-productive. Don’t think you can stumble your way to a design or blueprint.

We’re not saying you shouldn’t try to learn about Active Directory hands-on. Learn as much about it as you can. If you know nothing about Active Directory, then you should not be in this chapter just yet, because you should already be au fait with directory service terms and concepts.

If you are not yet up to speed with Active Directory, study Chapter 2, read the wealth of information in the help system, download as much information as you can from Microsoft, and get stuck into books about Active Directory and LDAP. Chapter 2 is the chapter in which you can test examples and concepts in Active Directory. In this chapter, you should be working with design tools and a whiteboard, a very large one.

Note

For information on LDAP, you can download RFC 2254, 2255, 2307 from the Internet. These can usually be located at the Internet Engineering Task Force Web site (www.ietf.org), but you can find these and many other LDAP references at any main search engine.

Assembling the Team

Before you begin, it is vital to assemble a design team. No matter if you are a consultant or administrator for a small company and are attacking this single-handedly, or if you are a leader or part of a team working in a mega-enterprise, designing the domain requires the input of a number of people. In very small companies adopting Windows 2000, the team might consist of you and the owner or CEO.

The Domain Planning Committee

Your domain planning committee will include a number of people, especially if the task is huge, who will assist you in the enterprise analysis you need to undertake.

Your team might be made up of the following members:

✦ Assistant analysts and consultants to help you quickly survey a large enterprise. The Millennium City example in this book, which is an Active Directory domain structure that spans an entire city, replete with departments and divisions, might need to employ about a hundred analysts to get the survey job done as quickly as possible. It depends on how quickly you need to move, or want to move. If you plan to use your IT department as a test case (going from development to production), then you could probably get away with one or two analysts.

✦ Documentation experts to assist you to get information down and in an accessible form as soon as possible. These people should as far as possible be trained in desktop publishing and documentation software, illustration and chart-making software, group-ware, and so on. The documents should be stored in a network share-point.

✦ Administrators to be involved in preparing the installation and conversion process. These might include technicians and engineers currently involved in the day-to-day administration of domains, technical support, special projects, and so on.

Domain Management

As the LDS plan progresses from enterprise analysis to approval and implementation and conversion, you will need to appoint people who initially will be involved in the day-to-day administration and management of the new domains.

If you have the resources at your disposal, it will make sense to appoint newly trained staff or hire and train administrators from the legacy pool. These people will help you to build the new Windows 2000 domain and will need to communicate with the administrators of the old domains, and so on. If you are doing everything yourself, then you have your work cut out for you.

Change Control

Appoint a person responsible for change management and control (see Chapter 11).

As the development domain begins to roll out phases into production, the conversion team change control process will need to communicate with the MIS/Operations’ change control team, discussed in Chapter 4. All proposed changes need to be fully discussed, and all teammates need to have the opportunity to assess the impact and prepare for it or argue against it. Trust us, you don’t want to roll out anything without it being signed off at the appropriate levels.

Cross-Reference

See Chapter 3 for information on Windows 2000 security, and Chapter 11 for information on security policies.

Intra-Domain Communication

A very important component is intra-domain communication, or the communications between Windows 2000 domain users and legacy domain users. You’ll need to appoint an Exchange administrator if you plan on integrating Exchange, or else Lotus Notes administrators, Send Mail people, and so on.

A vital component of the LDS is that information is able to flow freely through the enterprise information network and between the operational environments in which the company will find itself when a Windows 2000 domain greets the world.

Education and Information

You will need to generate information to keep management abreast of the development with respect to the conversion process and the emergence of the LDS. Once a plan has been approved, this information will need to be extended to educate people throughout the enterprise.

Surveying the Enterprise

Before you can begin to plan the LDS, you need to survey your enterprise. Consider the job of the land surveyor. He or she sets up the theodolite — an instrument that measures horizontal and vertical angles — and charts the hills and valleys, the lay of the land, the contours, and more. These scientists and engineers determine where it is safe to build a house or skyscraper, where to bring a new road or a bridge, where to place a town or a city. You need to do the same, not to determine where the company is going (which is what enterprise analysts do), but how to plan an LDS with what is already in place and what might be around the corner.

In surveying the corporate structure, you are not going to take on the role of offering management advice about its business, nor will you suggest that new departments or units should be added, moved, or removed to suit the new domain structure. Not only would that be impossible, but also it would likely get you fired or promoted out of networking.

On the other hand, the Windows 2000 LDS needs to be filtered up to the highest levels of management. In fact, the LDS blueprint is what the CIO or CTO is going to drop on the boardroom table, and the IT department is expected to implement the changes desired by management to affect the DNA, e-commerce, the paradigm shift, and more. The Windows 2000 LDS, because of what it may expose, may indeed result in enterprise or organizational change, just don’t say it too loud.

Windows 2000 domains reflect the enterprise structure more than any other technology, and the domain structure will be representative of the layout and the landscape of your company, from an administrative and a functional point of view.

Windows NT domain administrators, network administrators, and IT/IS managers have never before contemplated that their careers would take them into enterprise analysis. Large organizations will no doubt hire expensive enterprise analysts, but for the most part it will be an unnecessary expense, unless some serious first aid is needed before a conversion to Windows 2000 can be considered.

In many cases, you already have the resources at hand. They exist in you, and in your peers. You do not have to go overboard studying enterprise analysis, enterprise resource planning (ERP), and customer relationship management (CRM). Of course, having the knowledge will help and may even get you the job you’re after.

This chapter serves as a guide if you are not sure where to start. The following sections discuss the key concepts of enterprise analysis.

Enterprise Analysis

Enterprise analysis is enterprise land surveying and enterprise engineering come together for the future and good of the company. Enterprise analysts examine where the company is today, what business it is in (many don’t know), and where it wants to go (or where the board or shareholders want it to go), and make suggestions on how it should go about achieving its objectives. Enterprise analysts help suggest changes at all levels of the enterprise, in particular in information systems and technology. They provide management with critical actionable information blueprints that start the wheels of change turning.

Without technology, very few of the desires of the corporation will become a reality. You do not need to look far to see how misguided efforts in IT/IS have wrecked some companies, while making others more competitive and profitable. In your new role as enterprise analyst, you are surveying the corporate landscape to best determine how to implement a new Windows 2000-based logical domain structure.

You have two responsibilities. First, you have to study the enterprise with the objective of implementing the new LDS as quickly and painlessly as possible. You may have a lot of money to work with, or you may not have much of a budget. In either case, you are going to need facts fast.

Second, you have to study the enterprise and forecast or project where it might be heading. Is the business getting ready for IPO, to merge, to file Chapter 11, or to be acquired? Is it changing focus? All these items and more will affect the LDS of not only a company, but also the LDS of a city, a hospital, a school, and a government.

You might consider that you are doing the enterprise analysis for the good of the company, but you are doing it for your own good. You will be expected to cater to any change that may happen between sunrise and sunset. And not having the wherewithal to implement or accommodate the sudden business direction that management may throw at you is not good IT administration.

So where do you start? As mentioned before, you can’t plan the LDS by just looking up all the groups you created in Windows NT and figuring that just importing them all will do the trick. That would be the worst place to start, and the worst advice anyone can take. Microsoft, we believe, makes too much noise about upgrading Windows NT; we believe that countermands strategic LDS planning.

Note

The new Group Policy technology is so sophisticated that it makes upgrading an NT domain and inheriting its groups and user accounts a tricky business. Make sure you fully understand Group Policy before you upgrade an NT domain. It is discussed in detail in Chapter 11.

Here is a short list of starting points. The items may be better in another order for you, and you may add to the list as you deem fit:

✦ Get management on your side: This may not be difficult if you are the CIO, or if the LDS directives come from the CIO or CTO. But in order to do the job well, you need to have access to more than would be expected of network or domain administrators. This means that management and HR are going to have to trust you with sensitive information. We would like to add to this point: Get the CEO on board. You are going to need to set up appointments with the most senior staff in the enterprise. They need to know that your research is sanctioned at the very top. You will probably encounter resistance at the departmental head level, where change may be deemed a threat. Advise them in writing that if you do not get cooperation their departments will be left out of the domain conversion or “new order.” People tend to go crazy if their e-mail gets cut off, so you can use this as a foot in the door.

✦ Get hold of organizational charts: Most enterprises and organizations have these. Hopefully, they are up to date. If they are not, or they do not exist, you are going to have to invest in a software tool that can make organizational charts.

✦ Tell people what you are doing: It is important to be frank and open about the process, without exposing the team to security risks.

Enterprise Environments

Before you begin an exhaustive enterprise analysis project, you should take some time to understand the environments in which the enterprise or organization operates. Enterprise analysts often refer to these environments as operational environments. We have been teaching companies about their respective operational environments for several years, long before the advent of Windows 2000. The elements in these environments will feature heavily on both the LDS and physical domain structure (PDS).

There were once only two environments in which an enterprise operated. They were the external and internal environments. The advent of the Internet and wide area networks have resulted in a third environment: the extra environment or the environment “in-between.” An analysis of these environments is essential in the formulation of both the LDS and PDS.

To fully investigate the environments, you need to build lists of items to look for, otherwise you will not know where to start and when to finish.

The external environment

The external environment is made up of several components: customers, suppliers, distributors, cleaning staff, and so on. At the physical level, the corporation or enterprise has to deal with the elements of the external environment directly.

Examples are: providing access to cleaning staff, dealing with customers, delivery pick up, and more.

The external environment of a city, for example, includes voters, tourists and visitors, businesses, foreign nationals, embassies, consulates, divisions of the United Nations, organized crime, private hospitals, schools and universities, government-sponsored bodies, such as the FBI, INS, and DEA, religious congregations, religious boards, and so on.

The most important technological factor in the external environment is the Internet.

Like all enterprises and organizations, the Internet provides resources with which to deal with the elements in the external environment electronically and a means of interconnecting partitions of the internal environment. Any modern city is as present in cyberspace as it is in the physical realm.

Today, the neural network in the external environment is the Internet. The telephone system still plays an important and indispensable part, but it is becoming less pervasive as people find the Internet more convenient in many respects.

The enterprise depends on several components on the Internet that are vital to its existence in general. These include DNS, the locator service for the entity on the Internet, and the Internet registration authorities that provide the entity the right (for a fee) to participate in a global Internet infrastructure. These rights include the registration of your domain names and the assignment of IP addresses, without which you are unreachable.

Here is a short list of items you should pay attention to when you examine the external environment:

✦ How is the company connected to the Internet?

✦ How does the company use the Internet’s DNS system?

✦ What are the public domains used by the enterprise?

✦ Who keeps the domains, and makes sure the fees are paid on time?

✦ Are the domains you need to register available?

The internal environment

The internal environment comprises all the departments, divisions, organizational units, and key management entities (KMEs) that work together for the benefit of the enterprise. This environment includes employees, contractors, executives and management, subsidiaries, divisions, acquisitions, equipment, intelligence, information, data, and more.

The internal environment’s neural network is the private intranet and its relative KMEs and administrative functions. The intranet is a private network, which is the medium for the Internet protocols, TCP/IP. The local area network is fast becoming a passé term, associated with outmoded and confining protocols such as NetBEUI, Pathworks, IPX, and more. Windows 2000 is, for all intents and purposes, an intranet operating system that still knows how to function on a LAN for backward compatibility.

Very important to consider in the internal environment are all the legacy systems and mid-range systems that are going to need facilities in the new realm.

Here is a short list of items you should pay attention to when you examine the internal environment:

✦ How many employees work for the company?

✦ How many remote divisions or branches does the company have?


✦ What functions do the remote divisions perform?

✦ How are the sites interconnected?

✦ Who is responsible for the management of the network that connects each of the sites?

✦ What is the bandwidth of the links between the sites?

✦ How is the company prepared for disaster recovery?

The extra environment

The extra environment is the interface — and the environment in the immediate vicinity of the interface — between the external environment and the internal environment. In some cases, the division may be obvious and thus easy to manage (such as a computer terminal in the public library or a voice mail system). In other cases, the interface is harder to encapsulate or define and thus more difficult to manage (such as how people hear about your product).

Examples in the extra environment are e-mail, communications between the internal and external environments that may need to be monitored, controlled, and rerouted, corporate Web sites that let customers access portions of the internal environment, and so on.

The network environment supporting this environment and its technology is known as an extranet. A good example of such an extranet is FedEx, which lets customers tap into the tracking databases to monitor their shipments.

Here is a short list of items you should pay attention to when you examine the internal environment:

✦ What Web sites does the company use? Who manages them? Where are they located?

✦ What call center or help desk functions are in place?

✦ How do contractors and consultants gain access to the enterprise to perform their work without risking exposure to sensitive data?

Working with Organizational Charts

With the organizational chart in hand, you can zero in on the logical units of the enterprise and begin enterprise analysis in a “logical” fashion. Figure 7-1 represents a portion of the organizational chart of Millennium City (the entire chart is on the CD in the Millennium City Domain Structure Blueprint PDF). The chart has been adopted from the organizational chart of a major U.S. city, and we will use it throughout the book to see examples of both logical domain structure and physical domain structure, as well as configuration.

Figure 7-1: Abridged organizational chart of Millennium City

The full chart in Figure 7-1 is huge (more than 50 divisions and hundreds of boards and councils), but you must realize that the LDS you are going to create may need to accommodate such an environment. Obviously, it is going to take many years to fully convert such an organization, and you’ll likely be working with Windows 2005 before achieving 100 percent penetration with an organization of this size.

In fact, in organizations of this size, you’ll likely never achieve a 100 percent pure Windows 2000 domain structure, and you wouldn’t want to. Just a cursory glance at such a chart tells you that you are going to be up to your neck in integration with legacy and mid-range systems, UNIX and Mac platforms, and more.

You need to start somewhere, however. You’ll need to start conversion and installation with select departments, starting perhaps with your own department, where you can learn a lot about the conversion process, the fabric of Windows 2000, and the place to set up the labs and development environments that we discussed in Chapter 4.

[Figure 7-1 chart labels: City Hall, Millennium City; Deputy Mayor for Operations; Police Department; Department of Information Technology and Telecommunications; Fire Department; To other departments]

We have selected three entities out of the chart to use as examples. We are going to convert the Mayor’s office (City Hall), the Department of Information Technology and Telecommunications (DITT), and the Police Department (MCPD).

Identifying the Key Management Entities

Key Management Entities (KMEs) are the management, administrative, or service components of a business or organization that, taken as a whole, describe what the entity does. These KMEs are not on the organizational chart and often span multiple departments. For example, payroll processing is a KME that spans the enterprise.

While the KME for payroll is concentrated in the Office of Payroll Administration, the KME spans Millennium City because it requires the participation of more than one logical or organizational unit. Every department processes payroll by processing time sheets, data input (time/entry databases), sick leave, raises, check issues, check printing, bank reconciliation, direct deposits, and so on. The KMEs need not be physical groups; they can be logically dispersed between several departments and across several domain boundaries, remote sites, and so on.

All KMEs, once identified, are best represented on a matrix of the enterprise. Each KME represents an area of responsibility that must be measured and evaluated.

Once you have identified the KMEs, you will be able to learn about the IT/IS systems and technologies that have been implemented to assist them, and ultimately how both LDS and PDS will emerge to accommodate them. Figure 7-2 illustrates the KME matrix for MIS.

Figure 7-2: KME matrix spreadsheets prepared in Microsoft Excel

MIS people seldom research KMEs or even update previous reports and plans. An important benefit or payoff of such research is that MIS learns how it can improve efficiency in the KME.

It is also important to break the KMEs down further and extract the components that require the services of IT/IS. You will need this information later when you identify where to delegate administration and control in various organizational units and domains.

Strategic Drivers

In the movie Wall Street, Michael Douglas’ character identifies greed as the strategic driver in his effort to raid companies and make huge profits. Greed certainly is a strategic driver in many companies and organizations, but there are many others, and you could argue that they are subordinate to greed and profit. The Internet is a strategic driver; the ambitions of the CEO and major shareholders are strategic drivers; mergers and takeovers are others; as well as investment in new technology and more.

Strategic drivers are also new laws, new discoveries, new technology, lawsuits, labor disputes, and so on. Knowing what makes the company work and what will keep it working is important in domain planning and structure. You need to have as much information as you can about the enterprise, and where it is headed, so that you are able to give 100 percent where and when needed.

We contend that if you know the strategic drivers of the organization you work for, you will be in a position to cater to any IT/IS demands placed on you. More importantly and in relation to the task at hand, you will be able to implement a domain structure to cater to the drivers that will influence the future of the enterprise.

Use your sixth sense, common sense, and logic in determining strategic drivers. Remember that with the new domain comes new threats, denial of service, viruses, information and intellectual property theft, data loss, loss of service level, and more. A good example: In the weeks prior to New Year’s Eve, Y2K, we anticipated that heightened security concerns would come from the CEO of the large distributor we support. So we preempted the request and investigated how best to lock down their RAS and still provide access to key support staff that might be required to dial in during the night. We effectively locked down all access and were able to create a secure zone on the RAS machine, which authenticated users locally before providing access to the domain. Being a good system administrator means going beyond the theories you learn at MCSE school or computer science class. Windows 2000 is the wake-up call for stodgy sysadmins.

Identifying the Logical Units

Look at the organizational chart of Millennium City, and the logical units jump out at you. Every department or organizational unit within each department will impact the LDS in some form or another.

The Mayor’s office looks simple enough. There is the mayor and the people who work for him or her, such as public relations people, advisors, and administrative staff. The Mayor’s office is probably one of the simplest of the logical units to represent or quantify in the LDS plan. For all intents and purposes, it can be represented as a single organizational unit on the LDS.

In corporations, the offices of the CEO and executive staff can range from being extremely complex to being very simple. But the Department of Information Technology and Telecommunications is very different. What are the logical units within this department? Let’s identify some of them in the following list (we cannot deal with every OU within this department because the list would run into too many pages):

1. Operations: This unit is responsible for disaster recovery and maintenance of critical systems. The people in this unit make sure systems are online, they watch systems and applications for failures, they monitor production, they print reports, and so on.

If Operations detects errors or problems, they try to fix them within certain guidelines or parameters. They may be required to restore servers in the middle of the night, or call the on-call staff as needed. Operations staff are trusted employees with heavy responsibilities. They probably need high levels of access to certain systems; they may need to have authority to shut down servers, reboot machines, perform backup, and so on.

2. Help Desk: This unit may be part of Operations or a separate unit. Help Desk is responsible for getting staff out of jams with technology, teaching them how to use new applications, and more. They also need special access to systems.

Help Desk often needs to troubleshoot applications and systems in the context or stead of the users they need to help. For example, they may need to log in to mailboxes, troubleshoot print queues, and escalate calls to second- and third-level support.

3. PC Support: PC Support is a separate organizational or logical unit within the Department of Information Technology. The people who work in this unit troubleshoot desktop PCs, and upgrade, maintain, and ensure that all employees within the entire company, often across physical organizational divides, have the resources they need to do their work.

4. Security: The Security staff are responsible for catering to requests for user and machine accounts, changing passwords, access to resources, and more. The security staff work closely with network support in determining group memberships, rights and permissions, access to shares and files, and so on.

5. Network Support: That’s where you (and we) come in. Network Support deals with the upkeep of the intranet, servers, and WAN resources, dealing with network providers, routers, circuits and more. You also deal with the location of domain controllers, upgrading servers, interconnecting protocols, establishing services, storage, backup and disaster recovery, and more.

Identifying the Physical Units

Between the various departments in an organization, there are numerous physical units to consider. First, departments may be located in separate buildings and in other cities. In Millennium City, for example, the Mayor’s office or City Hall is remote from the Department of Information Technology and Telecommunications. The Police Department, for example, is spread over numerous buildings all across town.

We have intranets to deal with, WANs and dedicated connections between departments that cooperate closely. The Police Department of a city of this size employs its own technical team that manages network resources and systems at both the office of the Police Commissioner and at the individual precincts. The Police Department is also hooked into the systems at the Department of Transportation, the District Attorney’s Office, the Department of Corrections, and so on. (We will get to more detail about physical units in Chapter 8, but for now understand that your LDS needs to take into account the physical makeup of your organization.)

It will become the “bible” for the present and future administrative teams. The following short list is a suggestion of steps to take to complete documentation and move forward with your LDS and conversion plan:

1. Update the organizational chart and then circulate it to department heads for additions, accuracy, and comment.

2. List the KMEs throughout the enterprise and describe the extent of the administrative function in each KME. You will be noting the size of the KME and complexity. Make a note of where the KME extends beyond departmental or divisional boundaries of the enterprise. There are many formats that the documentation of KMEs might take. We suggest you create a matrix on a spreadsheet, listing departments and divisions in the column headers and the KMEs you have discovered as rows, like the one started in Figure 7-2.

3. Forward the KME matrix to department heads and invite feedback. The KME list is likely to grow, and you’ll probably be informed of more KMEs you did not uncover.

4. Divide the organizational chart into sections or make a listing of the divisions or departments you believe or have decided will be the best prospects with which to begin conversion. Note the reasons and mark them for debate at the next conversion team meeting.

The next phase of the LDS plan is the investigation of the administrative models in place over IT throughout the enterprise. What we present here will not get you through Harvard, but it will be enough to give you something to think about.

Administrative Modeling

Administrative modeling deals with management and administrative styles and practices. The following list illustrates several core management styles that may be in place in a company for one reason or another:

✦ The box-oriented company

✦ The human assets-oriented company

✦ The change-oriented company

✦ The expertise-oriented company

✦ The culture-oriented company

It is worthwhile to understand the definition of the term box because it will influence the ultimate layout of your LDS. Box refers to the way management controls a company. Enterprise analysts and corporate executives talk about soft-box companies and hard-box companies.

The soft-box driven company management team does not rule with an iron fist and trusts its managers to act in the best interests of the enterprise. It goes without saying that these companies have a lot of faith in their people, and have achieved a system that is comfortable for everyone. The soft-box company is likely to have a small employee handbook and provides little direct control at certain levels, giving regional managers a wide berth.

The hard-box driven company is very rigid. The employee handbook at this company is likely to be about two bricks thick, and there are probably rules for everything from dress code to eating in your office.

There are good and bad companies in both models. The best exist somewhere between both extremes. However, a hard-box company is more likely to employ a rigid centralized administrative approach at all levels in general and with respect to IT in particular. “Softer” companies are likely to be more decentralized.

Centralized administration and decentralized administration models do not only apply to general administration, they apply also to IT, MIS, or network administration.

Bigger companies that operate from a single location, or a clinic or a school, may employ the services of small technical teams and still outsource. The really big companies that still operate from single locations will use a centralized administration model, supported by their own teams.

Decentralized administration

The decentralized approach dictates that management or administration is dispersed to geographically remote locations. This is usually a practice among the largest of enterprises. Departments, locations, and divisions, some of them on opposite sides of the world, are large enough to warrant their own MIS or IT departments.

Most multinationals today employ varying degrees of both approaches, and their operations will dictate to what extent administration is both centralized and decentralized. This is probably the most sensible of the management models and varies from corporation to corporation.

Companies determine how much and what makes sense to delegate to the remote locations or seemingly autonomous divisions. For example, they might dictate that remote administrators take care of responsibilities like backup and printer management out at remote centers or depots.

Other systems, even ones located at the remote sites, might make more sense managed from a central location. For example, if you have ten sites and need to install an e-mail server at each site, it does not make sense to hire or train people at the remote sites when a single e-mail administrator, and possibly an assistant, can manage all e-mail servers from a single location. Windows 2000 and a dedicated reliable network make it entirely possible to manage a highly sophisticated IT infrastructure from a remote location with no technical staffing on-site whatsoever. And it would make sense and go a long way to reducing TCO to invest in products like Exchange or Lotus Notes that are designed to function in clusters and are managed from a single location regardless of where the physical equipment is actually located. The advent of such admin-centralized technologies is making the decentralized approach more feasible to adopt. From 1998 to the present, we have managed servers in more than 20 cities throughout the United States, and we have never been physically on-site.

The good, the bad, and the unwise

Each model has its pros and cons. The centralized model is often the most used from an IT point of view, and part of the reason is that legacy systems — both midrange and Windows NT — do not lend themselves to any meaningful decentralized administration or controlled delegated responsibility. The Windows NT SAM, for example, can only be written to at the primary domain controllers (PDC). Copies of the SAM on the backup domain controllers (BDC) can be read for service requests, but not written to. If at any time the PDC became unavailable to remote locations (loss of link, maintenance, and so on), delegated administration at remote locations becomes impossible.

On the other hand, many companies go overboard and delegate willy-nilly to all departments and divisions. Some companies have carried the decentralized model to the extreme, forcing the remote or otherwise separated units to request their own budgets and acquire and support their own systems. These companies are often impossible to deal with because they have no central buying authority and integration of systems is a nightmare.

Often, newly acquired companies in mergers and takeovers end up looking after themselves as management absorbs them at an agonizingly slow pace. What you end up with is a hodgepodge of systems that are incompatible and impossible to integrate. For example, one side might support Compaq, and the other IBM. Amicable mergers or acquisitions often turn sour because IT and MIS cannot get the two or more technology departments to speak the same language.

Windows 2000 allows you to delegate to various levels of granularity, all the way down to the organizational unit, in tandem with a highly distributed and redundant directory service. As such, Windows 2000 provides the pluses of the centralized model, such as buying of like systems and technology, with the undeniable benefits of decentralized administration, allowing controlled delegation of administrative function, and partial or substantial relief of the administrative burden at HQ.

At Millennium City, you have strong decentralized administration in place. All budget and organization-wide IT planning, however, is done at the Department of Information Technology and Telecommunication. All technical hiring, firing, and requests from Human Resources for staff take place at the DITT. New systems, maintenance, technical support, help desk, and more is also done here.

However, the Police Department (MCPD) is autonomous and distinct from the main offices of the City. MCPD is a separate administrative authority that will rely on the DITT for investment decisions, choice of technology, and more, but local administrators will keep it going and keep it secure.

DITT thus remains as the command center, ensuring that systems at MCPD can talk to systems at the DA’s office or that crime units have familiar access to the Department of Transportation without having to physically go and sit at the department’s computers. DITT also ensures that an administrator at the DA’s office can apply for an opening at MCPD without having to be retrained on systems at MCPD that are different to systems at the DA. In short, one of the chief functions of the DITT is to strive for homogenous systems as far as possible throughout the city, and that the heterogeneous systems are interoperable and can be integrated.

Logical Domain Structure: The Blueprint

The logical container for domains in Windows 2000 is a forest. Forests contain trees, which have roots, and domain trees make up a Windows 2000 network. It is not necessary to understand forests to design a namespace, and forests are discussed in various contexts in Chapters 2, 3, and 8.

As stressed at the beginning of this chapter, once a domain root has been created, you are for the most part stuck with it, and you don’t have many easy change options if the namespace no longer suits you down the road. In the same breath, you must remember that the deeper the namespace, the more flexible it is, and objects can be moved around domains and between domain trees if you later get stuck. However, you don’t want to be tearing down domains that are already heavily populated. So use the information culled in the enterprise analysis wisely and plan properly. As we emphasized in Chapter 4, test everything.

The Top-Level Domain

You cannot start or create a Windows 2000 network without first creating a root or top-level domain. What the root should be named and what role it should play perplexes a lot of people. If you are confused, you are not alone, because there are no clear-cut rules that work for every company.

When we refer to the role played by the root, we mean whether the domain should be populated with objects or should just serve as a directory entry point, in a similar fashion to the root domains on the Internet.

Naming the root

One of the first things you have to decide is what to name the top-level or root domain of your Windows 2000 domain. There is more to this name than identity. It is the foundation for your corporate Active Directory namespace. Your enterprise most likely already has a domain name registered with an Internet authority, in which case you already have a namespace in existence, even if you never thought much about it as a namespace, probably more like a parking space. You’re probably thinking, “What the heck does the domain we registered have to do with our corporate network?”

In our example, Millennium City is registered with the InterNIC (Network Solutions, Inc.) as mcity.org. But how your two namespaces coexist on your intranet and the Internet is not the issue. How you integrate the two namespaces is.

You have two options:

1. You can leave your public domain name applicable only in the external environment, resolved by an ISP’s DNS server.

2. You can use your public domain name also as the root domain in the directory and on your intranet.

We have pondered over this extensively. Let’s examine the two options a little closely:

If your domain name is listed in the com or org levels of the DNS, it becomes published on the public Internet and is available as a point from which to resolve your public Internet resources, such as Web servers and mail servers. For example, a query to the root (.org) for mcity.org will refer the client to the DNS server addresses that will be able to resolve MCITY host names authoritatively to servers on the public Internet. DNS servers around the world that regularly service “hits” for the mcity.org will be able to draw on cached records to resolve IP addresses for their clients.

In your case, would you then want to use the public domain name as the domain root in your LDS? In the MCITY example, we saw no reason not to. The results of your enterprise analysis may indicate otherwise, for a number of reasons. We discuss some of them here, as pros and cons:

Reasons to have identical external and internal DNS namespaces are as follows:

✦ The domain suffix is identical in both environments and is less confusing for users.

✦ There is only one namespace to protect on the Internet.

✦ There is one namespace to administer.

Reasons not to have identical external and internal DNS namespaces are as follows:

✦ Domains remain separate, and there is a clear distinction between resources on the outside and resources on the inside. This means that the corporate intranet is more protected, but you will still need a good firewall.

✦ The company may change direction and also change the name.

✦ Proxy configurations for separate namespaces are easier to manage. Exception lists can be created to filter the internal names from the external names.

✦ TCP/IP-based applications such as Web browsers and FTP clients are easier to configure. You would not have to make sure that clients that are connected to both the intranet and the Internet at the same time resolve the correct resources.
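
The proxy exception-list point in the list above, worked through as an added example that is not from the book: a small JavaScript model of a client that sends listed intranet names direct and everything else through the proxy. Only mcity.org comes from the text; the internal root mcity.internal and all host names are assumptions constructed for the illustration.

```javascript
// Added example, not from the book. mcity.org is the page's public name;
// mcity.internal and every host name below are constructed for illustration.

// Lower-case a DNS name and drop a trailing root dot.
function normalize(name) {
  return name.toLowerCase().replace(/\.$/, "");
}

// True when host is the suffix itself or a name below it. The match is on a
// label boundary, so "notmcity.internal" is not inside "mcity.internal".
function inDomain(host, suffix) {
  const h = normalize(host);
  const s = normalize(suffix).replace(/^\./, "");
  return h === s || h.endsWith("." + s);
}

// DIRECT for names on the exception list (intranet), PROXY for the rest.
function route(host, exceptions) {
  for (const rule of exceptions) {
    if (rule.suffix && inDomain(host, rule.suffix)) return "DIRECT";
    if (rule.host && normalize(host) === normalize(rule.host)) return "DIRECT";
  }
  return "PROXY";
}

// Names of the hosts whose route differs from where they really live.
function misrouted(exceptions, hosts) {
  const wanted = (inside) => (inside ? "DIRECT" : "PROXY");
  return hosts
    .filter(([name, inside]) => route(name, exceptions) !== wanted(inside))
    .map(([name]) => name);
}

// Option 1, separate namespaces: one suffix rule covers the whole intranet.
const separateRules = [{ suffix: "mcity.internal" }];
const separateHosts = [
  ["dc1.mcity.internal", true],
  ["payroll.mcity.internal", true], // added after the list was written
  ["www.mcity.org", false],
  ["mail.mcity.org", false],
];

// Option 2, identical namespaces: inside and outside share the suffix.
const identicalHosts = [
  ["dc1.mcity.org", true],
  ["payroll.mcity.org", true], // added after the list was written
  ["www.mcity.org", false],
  ["mail.mcity.org", false],
];
const suffixRule = [{ suffix: "mcity.org" }]; // too broad: catches public hosts
const perHostRules = [{ host: "dc1.mcity.org" }]; // exact, but goes stale

console.log("separate, suffix rule:   ", misrouted(separateRules, separateHosts));
console.log("identical, suffix rule:  ", misrouted(suffixRule, identicalHosts));
console.log("identical, per-host list:", misrouted(perHostRules, identicalHosts));
```

With separate namespaces nothing is misrouted, even for the host added later; with a shared suffix, the broad rule sends the public hosts direct and the per-host list misses the new internal server.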

Several items in the previous lists demand more discussion.

Date posted: 10/12/2013, 16:15
