Chapter 2. Active Directory Design Principles

In order to design a proper Active Directory infrastructure, knowledge of its workings, and what it is based on, is essential. The basis for Active Directory is the Lightweight Directory Access Protocol (LDAP), which is an X.500 standard (to read more about the X.500 standard please visit: http://en.wikipedia.org/wiki/X.500). LDAP defines that a directory is a tree of entries, with each entry containing a set of attributes. Each entry has a unique identifier and therefore cannot be duplicated. This way everything is an object in an LDAP-based directory.

There are many great books available for Active Directory design and some of them go into great detail. Compressing all this into a single chapter is just not possible, so in this chapter, we will stick to the basics and a high-level view, instead of too much detail. This will provide a good overview of how to design a proper Active Directory, with different strategies in mind, and tailor it best for your organization.

The one thing to keep in mind is that when designing your Active Directory, you should never approach it from a "present needs" point of view. Technology and systems are changing so fast nowadays that you have to design with the most open and future-proof concept that you can think of.

It was only a few years back that Windows 95 revolutionized the personal computing platform by pushing 32-bit addressing to the mainstream. For 14 years before that, everyone ran 16-bit programs on 16- or 32-bit processors. In April 2003, Microsoft launched the 64-bit version of its Server Operating System and in April 2005, the 64-bit version of its Desktop Operating System, Windows XP. Both came less than a decade after the big Windows 95 push. Active Directory was introduced with Windows 2000, which is only five years after Windows NT 4's "enhanced domain structure".

The trend is that new features and new technologies are constantly being invented and introduced. While there are quite a few companies that have a proper open and flexible design in their Active Directory structures, there are a lot more organizations that see Active Directory as the answer to all their prayers and just keep adding things to it and to the schema. To read more about the technical aspects of the AD schema, please refer to http://msdn2.microsoft.com/en-us/library/ms675085.aspx.

Software companies nowadays are pushing "Active Directory compatible" features more and more, and problems can arise when these packages need complete domain administrator rights in order to function (or modify Active Directory's inner workings), which they usually do not advertise up-front.

Proper planning and design of the AD is essential to ensure that your DR strategies will work and are easy to implement. A properly designed AD is extremely resilient and still very flexible.

Whenever you intend to add new services, make sure that you test and re-test the things that are necessary for the service to function properly. As the IT department, you are responsible for keeping the systems going and ensuring business continuity. We will touch on this subject of becoming more involved in the chapter, "Design and implement a Disaster Recovery plan for your Organization".