Defining Requirements

In any business decision-making process there are costs and benefits. As with yin and yang, they must complement one another. When the two are out of balance, the decision becomes self-evident: if costs outweigh benefits, do not buy; if benefits outweigh costs, buy.

Requirements can come from several different levels of an organization. When considering an operating system such as Windows 2000, most requirements typically come from the IS department. Business requirements are most often the driving factor behind the implementation of applications. However, Windows 2000 and Active Directory have functionality that reaches out past the IS department and into the front office. Therefore, defining requirements for Active Directory should extend beyond the back office and into the business that Active Directory supports.

Business Requirements

Identifying business requirements helps solidify executive sponsorship for the expenditure necessary to implement a system like Active Directory. Articulating business requirements, such as single seat administration, BackOffice application integration, or centralized organization of resources, and showing how they increase productivity and reduce costs, makes the decision to implement Active Directory more palatable. After executive sponsorship is secured, the executives not only understand the reasons for proceeding with the Active Directory project; they also have some skin in the game.

Single Seat Administration

High up on the wish list of Windows NT 4.0 administrators is the ability for an administrator, anywhere in the organization, to manage the directory. This gives organizations the ability to adopt a variety of administrative models. If you are implementing a directory, it is important to devise an administrative model that makes sense for your organization. It is likely that some administrative tasks are centralized in a few locations, whereas other administrative tasks are decentralized across the enterprise. Take, for example, an organization that has several remote offices, each with someone responsible for maintaining the local servers. The administrators in those locations should have exactly the permissions and rights necessary to perform their jobs, and no more. The local administrator, although responsible for the local servers, might not be responsible for user account maintenance; that might be centralized at a corporate Helpdesk. Hence, the local administrators do not need permission to change user accounts. If centralized user account administration combined with distributed server administration is the ideal model for an organization, the directory must be flexible enough to support that model.

Therefore, as a business requirement, the directory should be flexible enough to adopt the IS administrative model that makes sense for an organization. An organization's administrative model should not have to be defined based on the inflexibility of the directory service.

Infrastructure for Business Applications

A directory within an organization should be the central point of user and resource information. It makes sense to leverage this data beyond just providing information to users. The directory should also be a source of information for applications.

Applications that rely on user information for functionality or controlled access should be able to access the directory for this user data. This means that the directory should be available throughout the organization along with the applications that require this user data.

How applications use the directory must be analyzed. Enabling applications to write to the directory, for example, can be dangerous, depending on the application and the information it stores in the directory. There need to be guidelines for the types of information stored in the directory and for when data should be stored on a file server or database.

As a business requirement, the directory should provide an infrastructure that allows business specific applications access to rich directory services. The directory service should also provide guidelines for application development.

Integration with BackOffice Applications

Extending the previous requirement that the directory integrate with applications in an organization, the directory should also integrate easily with the core enterprise-wide applications. Many organizations that currently use Windows NT or Novell NetWare also use Microsoft BackOffice applications. If your organization is one of them, your directory should integrate with those BackOffice applications.

As a business requirement, Active Directory is the directory on which future BackOffice releases will depend. If an organization wants to benefit from the evolution of Microsoft BackOffice, Active Directory is a critical part of that evolution.

Directory Integration

Most organizations have more than one directory and, perhaps, more than one directory service. The directory service that users rely upon should therefore allow for integration with the other directories in the organization, so that users have a single source of directory information.

Centralized Resources

A directory should also be able to host several types of objects, not just users. Computers, printers, and conference rooms are but some of the types of objects that a directory should be able to host. By including resources other than users in the directory, it becomes a service that can meet a broader range of requirements across an organization. After these resources are in the directory, they are objects that can be administered in the directory, taking advantage of the centralized or distributed administrative model that has been deployed.

As a business requirement, centralized resources allow for the administration of corporate resources based on a defined and deployed administrative model.

Security and Controlled Access

As with most applications across the enterprise today, the directory must be secure. Moreover, if the directory is to grant or deny access to resources, it must provide the security components necessary to ensure that resources are accessed only by those who are allowed access. To foil unauthorized access to a resource, that resource must be managed by a secured system, one that cannot be manipulated at any level by someone or something that has not been granted permissions or rights to manipulate the directory. This means that communication between the client and the directory must be secured against eavesdropping and tampering, access into the directory must be authenticated and authorized, and authentication policies must be configured that make it difficult for an impostor to gain access to a resource as someone they are not.

Flexible to Business Changes

Today more than ever, companies are reorganizing, downsizing, and merging with other companies. There are several causes for these changes, many of which are based on the bottom line. It is not necessarily that an organization is losing money and must lay off employees; often technology or some other factor has changed the way it does business, and to meet that change the organization must be reorganized in some fashion. It has also become common for organizations to grow through mergers and acquisitions: capital of some kind is used to buy resources or talent, a portion of a market, or a name to supplement an organization's menu of products and services.

Whatever the case, an organization's directory needs to be able to expand and contract along with the organization. It needs to be flexible enough to meet the needs of an ever-evolving company. X.500, as a standard, is good at allowing for changes. It is important, however, to make sure that the particular X.500-style directory being evaluated for your organization is also flexible enough to accommodate them.

Executive Requirements

Coupling executive requirements with business requirements and their benefits to the organization helps tip the decision scale in favor of implementing Active Directory. What executives themselves want out of a service like Active Directory is for the directory to be available and easy to use. A good example of this is the telephone. The executive picks up the receiver and hears a dial tone every time. They don't care about the infrastructure required to provide that service; they just want it available 24 hours a day, seven days a week. They want it to sound the same no matter which phone receiver they pick up, and they want to be able to take the service with them when they leave the office.

Executive business requirements are usually less specific than most other business requirements. Executive requirements are usually basic and fundamental: increase productivity, reduce total cost of ownership (TCO), increase competitive advantage, and give me a dial tone whenever I need it.

Increased User Productivity

Increasing user productivity decreases the amount of time it takes a user to perform his or her job, thus increasing the amount of work a user can accomplish in a week. If a technology can be used to make users more productive by streamlining their work processes, then that technology is a good investment.

Pointing to units of productivity and stating that they will increase by 25 percent as a result of a new technology is difficult. Some organizations go to great lengths to record what their users do on their workstations. They install software that measures how much time is spent in an application, how much keyboard activity occurs while in the application, what Web sites are visited, and so on. They use this data to determine the amount of time a user spends performing certain tasks. Whatever the method for measuring productivity, if a technology decreases the time it takes to perform tasks, decreases the time a user spends in training, and increases the time a service is available, then that technology is a good investment.

Reduced TCO

Pinpointing TCO is like obtaining enlightenment. If you question whether you've obtained it, you haven't. What TCO actually means depends on whom you ask, and its definition depends on the philosophy of your environment. Microsoft is good at identifying how their products can reduce TCO in a Microsoft environment, but it is rare for an organization to have only Microsoft products on the desktop or in the back office. TCO is a function of many things, including the cost of hardware and software, maintenance costs, and administrative costs. The most fruitful method for reducing TCO is to implement systems in a way that logically reduces the maintenance and administrative overhead associated with the workstation.

Opportunity for Competitive Advantage

By decreasing TCO, a theoretical competitive advantage can be had over an organization's competitors. Assuming all other things are equal and two organizations supply the same quality of products and services, the one that reduces TCO produces those products and services in less time than its competitor, and for less cost. This reduces overhead and increases margin, allowing for several kinds of competitive advantage. For example, overhead could be shifted to other areas in the organization, such as research and development. Alternatively, if no additional overhead is needed, the increase in margin makes the organization more profitable. Finally, the organization could keep the same overhead and margin but reduce the sales price of the products or services. Any of these options can provide a competitive advantage. By reducing TCO, making users more efficient, and reducing administrative overhead, the financial metrics of an organization can shift enough to provide a competitive advantage.

IS Requirements

IS requirements, for the most part, support business and executive requirements: "IS, make us more efficient, deliver us from this maintenance nightmare, and give us the tools and functionality necessary to implement an IS model that is ideal for our organization."

Windows 2000 and Active Directory go a long way toward this utopia. Identifying the ideal IS model and mapping Active Directory functionality to that model is the point at which the design becomes critical. Some common IS requirements that compose the ideal IS model, such as controlling the environment and providing efficient, fault tolerant services to the client, are identified in this section.

Controlling the Environment

When client/server environments sprouted throughout organizations, the server portion of that relationship was reined in to the computer room and controlled by IS. Security was soon applied, and services were made accessible only to predefined users or clients. For the most part, however, the client side of client/server remains under the control of the end user. Users think the computer at their desk is their portal onto the network, to be configured and changed to meet their personal tastes. Nevertheless, the end user still expects a timely response from the Helpdesk when something fails, even if the failure is a result of their "customization." Moreover, in some organizations the culture is such that this philosophy is accepted. However, this philosophy has its price. Non-standard client configurations increase the cost of maintenance, software deployment, inventory control, and software licensing, and in many cases reduce user productivity.

By taking control of the desktop, the client/server environment becomes a single distributed system with standardized policies and security applied. The client is not an outsider looking in; the client becomes the controlled interface to the services provided to end users, services that make the user more efficient. How does allowing a user to browse the Internet, for example, make that user more productive? It can be argued that the Internet is a source of services itself, and that it allows users to perform tasks, both personal and professional, more efficiently. Imagine that a user is planning a vacation. What takes less time: purchasing airline tickets and reserving a hotel room and car online, or having that user leave the office, drive to a travel agent, make travel arrangements, and then drive back to the office to resume work?

Therefore, the business requirement is to control the desktop in such a way that maintenance of that desktop is reduced, and the user becomes more productive and secure.

Providing Services to the Client

With a managed client, it becomes easier to automate the distribution of applications because you know what to expect on each desktop. Constructing software distribution packages for clients whose hardware and software configurations are known to IS has a much better chance of success than for clients whose available disk space, operating system, and configuration are variable. When problems do arise, the capability for applications to repair themselves, or for the Helpdesk to view what is happening on the desktop, increases availability and reduces maintenance costs. The business requirement is to provide an efficient way to distribute software, and for software to recognize when something is wrong and take appropriate steps to resolve the problem. This functionality relies on a reliable, security-aware directory service.

Fault Tolerance

When a server fails, it affects several users. When a client workstation fails, it affects only the user at that workstation. Therefore, it is common practice for server-based systems to have some level of redundancy, in either hardware or software, that guards against loss of service when a single server fails. This is a huge and complex topic, with costs rising sharply as systems approach 100 percent availability. Active Directory, as a mission-critical system that many applications and services rely upon for their operation and functionality, needs certain levels of fault tolerance. Its supporting services need the same treatment: clients locate domain controllers through DNS, so a single DNS server is a single point of failure for the whole directory even when several domain controllers are running. As a business requirement, when a directory service or one of its supporting services, such as domain name system (DNS), fails, users and applications must still be able to access directory services.
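One concrete check for the DNS side of this requirement, written here as an added example rather than anything from the book: confirm that the DC locator records are served by more than one DNS server and advertise more than one domain controller, and that each authoritative DNS server can answer the locator query on its own. The domain name is assumed; the script uses only the Resolve-DnsName cmdlet that ships with Windows.

```powershell
# Added example (not from the book): verify that directory location does not
# depend on a single DNS server or a single domain controller.
# Assumption: example.com is the AD DNS domain; run from any domain-joined host.
function Test-DirectoryLocatorRedundancy {
    param([string] $Domain = 'example.com')   # assumed AD DNS domain

    $locator = "_ldap._tcp.dc._msdcs.$Domain"  # SRV name every AD client queries

    # Authoritative name servers for the zone.
    $nameServers = Resolve-DnsName -Name $Domain -Type NS -ErrorAction Stop |
        Where-Object Type -eq 'NS' |
        Select-Object -ExpandProperty NameHost -Unique

    # Domain controllers currently registered in the locator SRV record.
    $dcs = Resolve-DnsName -Name $locator -Type SRV -ErrorAction Stop |
        Where-Object Type -eq 'SRV' |
        Select-Object -ExpandProperty NameTarget -Unique

    $findings = @()
    if (@($nameServers).Count -lt 2) {
        $findings += "only $(@($nameServers).Count) DNS server(s) are authoritative for $Domain"
    }
    if (@($dcs).Count -lt 2) {
        $findings += "only $(@($dcs).Count) domain controller(s) are registered in $locator"
    }

    # Redundant DNS servers are only useful if each one can answer the locator
    # query by itself (a secondary that never completed a zone transfer cannot).
    foreach ($ns in $nameServers) {
        try {
            $null = Resolve-DnsName -Name $locator -Type SRV -Server $ns -ErrorAction Stop
        } catch {
            $findings += "$ns cannot answer the DC locator query: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Domain            = $Domain
        NameServers       = $nameServers
        DomainControllers = $dcs
        Findings          = $findings      # empty means the locator path is redundant
    }
}

Test-DirectoryLocatorRedundancy -Domain 'example.com'
```

An empty Findings list means that losing any one DNS server or any one domain controller still leaves clients a way to find the directory; it says nothing about whether the surviving domain controllers hold current replicas, which is a separate check.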

Administrative Requirements

Windows NT is a successful server operating system. As such, it evolved to meet customer requirements as best it could despite some design limitations. Multiple domain models appeared, allowing some amount of scalability, but design limitations still kept Windows NT from being implemented across the enterprise in a way that fit each organization's ideal client/server model. Windows NT dictated the administrative model to the organization. There was little choice about how an organization could administer Windows NT out of the box, so many organizations had to compromise, adopting whichever Windows NT domain topology, and the administrative model that came with it, suited them best.

Starting fresh, with a new server operating system and directory, allows organizations to re-evaluate their administrative model and adopt one that makes sense for their organization.

The business requirement here is driven from an organization's re-evaluation of its administrative model. The adopted directory must fit that model to the greatest extent possible. Be it a centralized administration model, distributed administration model, or something in between (which most are), the directory service should be able to mirror your administrative model.

Automated Administration

Automated administration is one of the ways to make directory administration more efficient. There are a couple of different approaches that can be taken when trying to offload administrative tasks from IS. One approach is to delegate administration of directory data down to the department that owns the data. For example, Human Resources (HR) would own user data, whereas Helpdesk and security would own and manage security data. To mitigate the risk of having non-IS people changing directory information, scripts can be used by the administrators in these groups to ensure that the data written to Active Directory meets naming and other organization-defined standards.

Scripts can also be used to process directory changes in batches during off-hours. For example, user additions and deletions to the directory made throughout the day can be batched to actually post changes to Active Directory in the evening, when network utilization is low, allowing replication between Domain Controllers (DCs) in the domain to occur primarily at night.

The capability to do automated administration should be an option for any directory service installed in an organization. The administrative model might not call for it immediately, especially if it was not part of the previous administrative model; but as scripting becomes more commonplace in organizations, administrative tasks become candidates for automated scripts. It is also beneficial to be able to run a script with administrative authority without making the user who submits the work an administrator.
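The two uses of scripting described above, validating departmental changes against naming standards and posting them in an off-hours batch, can be combined into one script. The following is an added example, not code from the book: the request rows, the naming rules, the department list and the OU layout are all constructed for illustration. Only the final Invoke-StagedChanges function touches Active Directory and needs the ActiveDirectory module; the validation and staging steps run anywhere.

```powershell
# Added example (not from the book): validate batched user-account requests
# against organization-defined standards, stage the valid ones, and apply the
# staged batch later from a scheduled task.

# Constructed input: what a departmental request queue might accumulate in a day.
$requests = @'
Action,GivenName,Surname,SamAccountName,Department,OU
Add,Alice,Anders,aanders,Finance,"OU=Users,OU=Branch01,DC=example,DC=com"
Add,Bob,Brown,bob brown,Finance,"OU=Users,OU=Branch01,DC=example,DC=com"
Add,Carol,Chen,cchen,Marketing,"OU=Users,OU=Branch01,DC=example,DC=com"
Remove,,,dduong,,
Add,Erik,Eriksson,eeriksson,Finance,"CN=Users,DC=example,DC=com"
'@ | ConvertFrom-Csv

# Assumed organization standards: first initial + surname, lower-case, 3-20
# characters; only known departments; accounts live under a branch Users OU.
$namePattern = '^[a-z][a-z0-9]{2,19}$'
$departments = @('Finance', 'Marketing', 'Engineering')
$ouPattern   = '^OU=Users,OU=Branch\d{2},DC=example,DC=com$'

function Test-UserRequest {
    param([Parameter(Mandatory)] $Request)
    $errors = @()
    if ($Request.SamAccountName -notmatch $namePattern) {
        $errors += "SamAccountName '$($Request.SamAccountName)' violates the naming standard"
    }
    switch ($Request.Action) {
        'Add' {
            if (-not $Request.GivenName -or -not $Request.Surname) {
                $errors += 'GivenName and Surname are required'
            } else {
                $expected = ($Request.GivenName.Substring(0, 1) + $Request.Surname).ToLower()
                if ($Request.SamAccountName -ne $expected) { $errors += "expected SamAccountName '$expected'" }
            }
            if ($Request.Department -notin $departments) { $errors += "unknown department '$($Request.Department)'" }
            if ($Request.OU -notmatch $ouPattern) { $errors += "OU '$($Request.OU)' is outside the delegated branch OUs" }
        }
        'Remove' { }   # a removal needs only a well-formed account name
        default  { $errors += "unknown action '$($Request.Action)'" }
    }
    [pscustomobject]@{ Request = $Request; Valid = ($errors.Count -eq 0); Errors = $errors }
}

$stagingFile = Join-Path $env:TEMP 'ad-changes-staged.csv'
$results = $requests | ForEach-Object { Test-UserRequest -Request $_ }

# Rejected rows go back to the submitting department with the reason; nothing
# reaches the directory that does not meet the standard.
$results | Where-Object { -not $_.Valid } | ForEach-Object {
    Write-Warning ('Rejected {0} {1}: {2}' -f $_.Request.Action, $_.Request.SamAccountName, ($_.Errors -join '; '))
}

# Valid rows are staged for the off-hours job; the directory is still untouched.
$results | Where-Object Valid | Select-Object -ExpandProperty Request |
    Export-Csv -Path $stagingFile -NoTypeInformation

# Off-hours job, run by a scheduled task under a service account that holds
# only the delegated rights on the branch OUs (not Domain Admins).
function Invoke-StagedChanges {
    param([string] $Path = (Join-Path $env:TEMP 'ad-changes-staged.csv'))
    Import-Module ActiveDirectory
    foreach ($r in Import-Csv -Path $Path) {
        if ($r.Action -eq 'Add') {
            # New accounts are created disabled; enabling them is a separate,
            # audited step once HR confirms the start date.
            New-ADUser -Name "$($r.GivenName) $($r.Surname)" -GivenName $r.GivenName -Surname $r.Surname `
                -SamAccountName $r.SamAccountName -Department $r.Department -Path $r.OU -Enabled $false
        } else {
            Remove-ADUser -Identity $r.SamAccountName -Confirm:$false
        }
    }
}
```

With the constructed rows above, aanders, cchen and the dduong removal are staged; "bob brown" fails the naming pattern and eeriksson is rejected because its target container is outside the branch OUs the script is allowed to populate. Because the staged file is the only input the off-hours task reads, the scheduled task's account can be limited to the delegated rights on those OUs rather than being made an administrator.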

Delegated Administration

To decentralize administration without having to create multiple security contexts with multiple domains, administrative delegation becomes necessary. Administrative delegation is the ability to grant groups of appointed users specific permissions on groups of objects, down to the level of individual rights and individual object attributes. Delegated administration is therefore a prerequisite for decentralized administration.
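The Helpdesk scenario from the Single Seat Administration section and the attribute-level delegation described here map onto access control entries on an organizational unit. The following is an added example, not code from the book: it grants an assumed group EXAMPLE\Helpdesk-AccountAdmins the ability to reset passwords, write two attributes, and create or delete user objects under one branch OU, and nothing else. The domain, OU and group names are assumed; the object-class and Reset Password GUIDs are the well-known values that are the same in every forest, while the attribute GUIDs are looked up from the schema rather than hard-coded. Requires the ActiveDirectory module (for the AD: drive) and rights to edit the OU's ACL.

```powershell
# Added example (not from the book): delegate user-account maintenance on one
# branch OU to a central Helpdesk group, at the level of individual rights
# and attributes. Names below are assumed.
Import-Module ActiveDirectory

$ouDn     = 'OU=Users,OU=Branch01,DC=example,DC=com'                      # assumed OU
$helpdesk = [System.Security.Principal.NTAccount]::new('EXAMPLE', 'Helpdesk-AccountAdmins')

# Well-known GUIDs, identical in every AD forest.
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # object class "user"
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # control access right "Reset Password"

# Attribute GUIDs are read from the schema so the script never guesses them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaAttributeGuid([string] $LdapDisplayName) {
    $attr = Get-ADObject -SearchBase $schemaNc -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    [guid]::new([byte[]]$attr.schemaIDGUID)
}

$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$ouDn"

# ACE 1: "Reset Password" on user objects below the OU. The inherited-object
# type is "user", so the ACE never applies to computers, groups, or the OU.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $helpdesk, $rights::ExtendedRight, $allow, $resetPassword, $inherit::Descendents, $userClass))

# ACE 2: write only a named set of attributes on those user objects.
foreach ($attrName in @('telephoneNumber', 'department')) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $helpdesk, $rights::WriteProperty, $allow, (Get-SchemaAttributeGuid $attrName), $inherit::Descendents, $userClass))
}

# ACE 3: create and delete user objects (and only user objects) in the OU tree.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $helpdesk, ($rights::CreateChild -bor $rights::DeleteChild), $allow, $userClass, $inherit::All))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Read the result back so the delegation can be reviewed: only the Helpdesk
# group's ACEs, with the GUIDs they are scoped to.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $helpdesk.Value } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The branch server administrators get no ACE on this OU at all; their authority over local servers comes from membership in those servers' local Administrators groups, which is exactly the split between centralized account administration and distributed server administration that the text describes. The same ACEs can be written with the dsacls.exe tool from the Windows support tools; the object-model version above is shown because it makes the object-type and inherited-object-type scoping explicit.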

Security Requirements

Security is always a requirement. Directory security can be broken down into these categories:

  • The directory's capability to secure the resources it represents

  • The directory's capability to secure the directory database

  • The directory's capability to secure communications between the directory client and the directory service

For each of these categories there should be a minimum level of security required. Ideally, security would also be based on industry standards, which would make interoperability between directories and access by various standards-based clients possible.
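For the third category, securing communications between client and directory, the minimum level a practitioner would want to verify is that the directory accepts protected sessions and refuses unprotected ones. The following is an added example, not code from the book: it attempts a TLS (LDAPS) bind, then a signed and sealed bind on the standard port, and finally a cleartext simple bind, which is the case the requirement rules out. The domain controller name is assumed, and the check uses the System.DirectoryServices.Protocols classes that ship with the .NET Framework.

```powershell
# Added example (not from the book): check which kinds of client-to-directory
# session a domain controller accepts. Assumption: dc01.example.com is a DC
# reachable on ports 636 and 389 from this host.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapTransportSecurity {
    param(
        [string] $Server = 'dc01.example.com',   # assumed DC
        [pscredential] $Credential = $null       # $null = bind as the current logon session
    )
    $results = [ordered]@{}

    # 1. LDAPS (port 636): TLS protects the whole session, including any
    #    password sent in a simple bind.
    $ldaps = [System.DirectoryServices.Protocols.LdapConnection]::new("${Server}:636")
    $ldaps.SessionOptions.SecureSocketLayer = $true
    $ldaps.SessionOptions.ProtocolVersion   = 3
    $ldaps.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try {
        if ($Credential) { $ldaps.Bind($Credential.GetNetworkCredential()) } else { $ldaps.Bind() }
        $results['LDAPS bind'] = 'ok'
    } catch { $results['LDAPS bind'] = "failed: $($_.Exception.Message)" }
    finally { $ldaps.Dispose() }

    # 2. Port 389 with Kerberos/NTLM signing and sealing: integrity and
    #    confidentiality without TLS. This is what domain members use by default.
    $ldap = [System.DirectoryServices.Protocols.LdapConnection]::new("${Server}:389")
    $ldap.SessionOptions.Signing         = $true
    $ldap.SessionOptions.Sealing         = $true
    $ldap.SessionOptions.ProtocolVersion = 3
    $ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try {
        if ($Credential) { $ldap.Bind($Credential.GetNetworkCredential()) } else { $ldap.Bind() }
        $results['LDAP signed+sealed bind'] = 'ok'
    } catch { $results['LDAP signed+sealed bind'] = "failed: $($_.Exception.Message)" }
    finally { $ldap.Dispose() }

    # 3. The session the requirement forbids: a simple bind on 389 with no TLS
    #    puts the password on the wire in cleartext. A DC configured to require
    #    LDAP signing rejects it. Use a throwaway test account for this step.
    $plain = [System.DirectoryServices.Protocols.LdapConnection]::new("${Server}:389")
    $plain.SessionOptions.ProtocolVersion = 3
    $plain.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    if (-not $Credential) {
        $results['cleartext simple bind'] = 'skipped (pass -Credential for a test account)'
    } else {
        try {
            $plain.Bind($Credential.GetNetworkCredential())
            $results['cleartext simple bind'] = 'ACCEPTED: DC allows cleartext binds; require signing or LDAPS'
        } catch { $results['cleartext simple bind'] = "rejected: $($_.Exception.Message)" }
    }
    $plain.Dispose()

    [pscustomobject]$results
}

Test-LdapTransportSecurity -Server 'dc01.example.com'
```

The result a security-conscious organization wants is "ok" for the first two rows and "rejected" for the third. Step 3 deliberately sends a password without protection, so it must only ever be run with a disposable test account on a network segment you control.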

Another aspect of security is the ability to tighten or relax it based on an organization's security policy. Some organizations thrive on the information they keep, and security is a very important aspect of their computing environment. Other organizations, such as colleges, have historically run with much less security and may continue to. Whatever the requirements of your organization, be it smart card authentication or anonymous access, it is important that the directory provide the level of security you require.

Desktop Management

Desktop management was identified earlier as an integral part of reducing the cost of maintaining the desktop. To fully realize the financial benefit of desktop management, the desktop should be locked down to some degree. By locking down the desktop, users can't add or break software on their computer. This keeps the corporate computer a resource for the user, not a source of entertainment, and it reduces maintenance costs. Locking down the desktop also makes it easier to deploy software. Most software deployment systems, such as Microsoft's Systems Management Server (SMS), are more successful at deploying software when they know the environment they are deploying into. By locking down the desktop, many of the variables and unknowns that can cause a software deployment to fail are eliminated.

As a business requirement, desktop management should be an option that uses the directory as a source of security information. Based on the user or administrator using the client computer, or on the computer itself, different policies should be applied that determine what types of changes can be made.

End User Requirements

Most directory services, especially the Windows NT directory, had little interaction with the end user. Therefore, most of the functionality and requirements that came from the Windows NT directory were administrative and security based. The user and how they used the directory were not often considered because their only insight into the directory was at the point of logging on. More advanced directory services, such as those based on X.500, have a charter that goes beyond just authenticating users; the directory is a source of end user information. How the directory is designed determines how useful the directory is to end users.

As an end user requirement, the directory should be an easily accessible source of information. There should be a single, familiar, interface to the directory that is available to users whether they are online or offline.
