Defining a Set of Implementation Tasks

Defining a set of implementation tasks is the heart of the implementation plan. It is the tasks that make your Active Directory design come to life. The tasks are defined and then applied to specific geographic locations based on a rollout schedule. The categories of tasks include

  • Preparation Tasks—prepare the enterprise for implementation.

  • Base Services Tasks—establish the root domain and basic Active Directory services.

  • Coexistence Tasks—prepare the existing directory services and resources for coexistence with Active Directory.

  • Geographic Location Tasks—the repeated tasks that are applied to each geographic location.

  • Post-Rollout Tasks—the tasks that are applied to the enterprise after rollout is complete.

  • Coexistence Breakdown Tasks—break down coexistence and phase out the existing directory services. These tasks might take place several months after the rollout is complete.

The tasks that make up your task list depend on the type of rollout your implementation requires. For example, the set of tasks for a new installation of Active Directory is different than the set of tasks necessary for an upgrade or migration from an existing directory, such as Windows NT. This is because each approach is different in how you get from where you are to the prescribed design. Upgrading from Windows NT to Windows 2000 and Active Directory is a different process with different tasks than implementing a new Active Directory domain structure and cloning objects from Windows NT to the new Active Directory domain structure.

As always, after these tasks are defined, they should be tested in the lab to confirm that the end result is what is expected. This might take some additional time and resources; however, if lab testing ensures a smooth implementation, it is well worth it.

Preparation Tasks

The tasks to prepare for implementation include such things as readying the existing directory services to be migrated to Active Directory. Again, specific tasks depend on the type of implementation that you are planning to undertake and the end product described by your Active Directory design. In the case of a migration from Windows NT, such tasks might include

  • Evaluating the existing NT group structure and ensuring that the existing Global Groups and Local Groups are necessary

  • Inventorying NT group membership

  • Accounting for existing NT accounts, their purpose, and their destination in the Active Directory domain structure

  • Purchasing hardware required to support Active Directory design

  • Upgrading any existing hardware that continues to be used to support Windows 2000 and Active Directory

  • Collapsing NT domains if consolidation occurs before migration

  • Installing and testing migration tools and preparing NT DCs as needed by migration tools

Base Services Tasks

Another set of tasks that must be defined are those that establish Active Directory in your environment. These tasks might include

  • Installing the first DC in the forest

  • Creating enterprise administrative accounts and delegating appropriate permissions

  • Installing and configuring DNS, including integrating DNS into Active Directory if specified in your Active Directory design

Coexistence Tasks

Coexistence tasks define the steps necessary to establish coexistence between existing directory services and Active Directory. Where and when these tasks are performed depends on the type of rollout you are planning. If you have a multi-domain Active Directory and you are migrating from a multi-domain Windows NT directory, then these tasks fall just after each domain has been established. The list of tasks varies depending on the type of coexistence you require for migration.

For example, if you are installing a pristine Active Directory domain structure and then moving users between the existing Windows NT domains and Active Directory using tools, such as ClonePrincipal, then trusts need to be established. These trusts can be created manually, or in complex domain environments where there are many resource domains, you can use a tool, such as NetDom, to script the creation of trusts. On the other hand, if you are upgrading your NT domains in place, either to leave the domain topology as is or to move user objects after the domain has been upgraded, then the tasks necessary for preparing for coexistence are simplified.

Geographic Location Tasks

Geographic tasks are those tasks required to establish domain services in specific geographic locations. Each geographic location can be a domain in itself, or it can be part of a larger multi-location domain. In either scenario, there are two different sets of tasks depending on whether the domain is being established or whether the location is going to support additional DCs.

Establishing Domains

The first set of geographic-specific tasks is for establishing the domains in a multi-domain Active Directory. These tasks include

  • Installing the first DC in the domain within the existing forest

  • Creating sites as prescribed by the Active Directory design

  • Creating the domain OU structure as prescribed by the Active Directory design

  • Creating Group Policy Objects (GPOs) and applying them to sites, the domain, and OUs where appropriate

  • Creating groups as prescribed by the Active Directory design

  • Delegating permissions as prescribed by the Active Directory design

  • Confirming directory configuration and schema partition replication with root domain

  • Shipping hardware to remote location and configuring for localization

Extending the Domains to All Locations

After the domains have been established, additional DCs are installed and configured and then located, as defined in the Active Directory design. The steps to ready these domain services might include the following:

  • Install the DC and join the existing domain.

  • Move the DC into the destination site.

  • Configure site links with appropriate protocol, as prescribed by the Active Directory design.

  • Confirm the domain, configuration, and schema replication.

  • Install the DNS if defined in Active Directory design.

  • Configure the DC as a Global Catalog (GC) server if defined in Active Directory design.

  • Ship the DC if necessary, and then readdress to the local subnet. Confirm that the DNS has been updated.

  • Deploy MMC snap-in(s) to the appropriate administrative workstation.

Again, this is not meant to be an exhaustive list of tasks for DC implementation. Modify this list to include the tasks that you had to go through when you implemented your Active Directory pilot.

Post-Rollout Tasks

Post-rollout tasks can be done at the end of the geographical implementation or during the implementation, whenever appropriate. These tasks center on deploying the services that are required by users or that are required to support your Active Directory. Such tasks include

  • Implementing remote access to your Active Directory, as defined in the Active Directory design. This might include a Virtual Private Network (VPN) solution, a RAS solution, or both.

  • Implementing network services, such as QoS.

  • Installing scripts to be used to administer Active Directory. Administrators or Helpdesk personnel can use these scripts to maintain Active Directory.

  • Implementing IntelliMirror as defined in the Active Directory design. This can include creating network installation points, and so on. More information on IntelliMirror can be found in Chapter 12, "Managing the Desktop."

  • Installing and configuring the Active Directory Connector (ADC). If your organization uses Microsoft Exchange 5.5, you can populate your Active Directory with directory data from Exchange. The ADC is installed as described in the Active Directory design.

  • Assigning Flexible Single Master of Operations (FSMO) roles as defined in Active Directory design.

Coexistence Breakdown Tasks

Some organizations might continue to coexist with existing directory services indefinitely. However, if you plan on decommissioning the existing directory services after the migration is complete, the final implementation task list includes those tasks required to de-configure Active Directory's coexistence with the old directory service.

In the case of Windows NT, this can include turning down the remaining Backup Domain Controllers (BDCs) that are not going to be upgraded, and then configuring Active Directory to run in Native Mode, never to support Windows NT DCs again.
