Is It Time to Rethink Active Directory?
Most likely, it's time to at least consider restructuring your current domain and forest design. With the right planning and tools, migrating to a new structure won't be as painful as you might think.
How much do you love your current domain and forest design? Odds are, your organization is like many, and you've been living with the same basic design for quite some time now. If so, it's time to think about a redesign.
Let's quickly revisit the two things that a directory design needs to accommodate. First is delegation, meaning your design or -- more specifically -- the layout of your organizational units (OUs). The second main design goal in Active Directory is the accommodation of your Group Policy needs, facilitating a minimum number of Group Policy Objects (GPOs) to achieve whatever you need. Unfortunately, these two goals -- delegation and GPOs -- can often be contradictory, or at least not complementary. Of the two, Group Policy is the one that's completely inseparable and the one that can't be abstracted, so most modern Active Directory designs tend to focus on the GPO aspect of the directory.
Delegation, on the other hand, can be abstracted from the directory through the use of third-party tools. Essentially, rather than managing delegation in Active Directory itself, you allow the tool to do so. The tool, in turn, provides you with an abstracted organizational design that doesn't need to correspond to the actual domain design. You delegate however you like within the tool, and it handles the lower-level permissions in the directory itself.
Let's say that you're eyeing your existing Active Directory design with a little distaste, and wishing you could redo it. A redesign can involve significant user pain, re-permissioning, tons of admin overhead and more. The key word there is "can," because a restructure doesn't have to be all pain. In fact, it's entirely possible to do a no-pain restructure.
First, consider your existing design. If you have the right domain and forest structure, but the OU structure isn't meeting your current needs, then you're in for an easy time. Rearranging OUs is a piece of cake. Get a good backup of the directory, and then get your design finalized on paper and start dragging and dropping. Most redesigns I deal with, however, involve changing the underlying domain and/or forest design: consolidating domains and forests, moving to an entirely new forest and so on. Those are more difficult, in large part because of the "client touch." In this kind of migration, user security IDs (SIDs) are going to change, meaning users' workstation profiles will need to be migrated, file servers will need to be re-permissioned, Exchange mailboxes will need to be migrated and so on. These are non-trivial tasks that, when accomplished manually, take a great deal of time and leave a lot of room for human error (meaning downtime). These kinds of redesigns are more properly thought of as migrations. Part of the problem is simply that these migration skills aren't ones commonly used in your environment, and they aren't needed after the project is complete -- so few organizations have the experience needed already on staff.
But in the word "migration" is the key to your success. The same companies that made tools to migrate from NT to 2000 (and which often made companion tools to handle the Exchange migration) still make those tools -- and, in fact, continue to improve them. Large enterprises are in an almost continual state of migration given the rapid pace of mergers and acquisitions these days, and they use these third-party migration tools to ease their pain. The right tools can, for the most part, completely automate a migration. Migrating can literally be done with a few mouse clicks, and the right tools can even roll back failed steps so that you can get online quickly and rethink whatever went wrong.
The bottom line is that you don't need to be satisfied with an outdated Active Directory design. Migration isn't necessarily a painful, downtime-inducing career-killer. Think of migration -- with the right software, of course -- as just another tool in the toolbox of strategic business technology.
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author Evangelist for video training company Pluralsight. He’s the President of PowerShell.org, and specializes in the Microsoft business technology platform. Follow Don on Twitter at @ConcentratedDon.