Why Active Directory Requires Companywide Planning

Companies can migrate to the Windows 2000 operating system incrementally-machine-by-machine or department-by-department-but they can’t migrate to the Active Directory service this way. Companies can deploy Active Directory department-by-department; Windows 2000’s “mixed mode” enables companies to bring it up on one domain controller at a time and fall back to NT 4.0 if necessary. However, before activating its first Windows 2000 domain controller, a company must take care of several tasks:

Name space design. Active Directory requires companies to assign a unique name to each object (user, machine, and so forth) on the network. The names must align with the company’s domain name system (DNS) structure and comply with DNS naming conventions, which are more restrictive than those of existing Windows name services and may force companies to rename machines. Also, an object’s name strongly influences the security properties of the object-what rights which users have to that object. Name space design is thus a companywide effort, because it must align with DNS, and is politically risky because it determines security boundaries between departments.