
Clients can benefit from migrating to Active Directory

Ever wonder if you should recommend that a client upgrade to an AD environment? The centralized nature of AD can make your clients' lives easier. RIS, IntelliMirror, DFS, and other services are only a few of the features outlined in this article.


When Windows 2000 was first released, I was responsible for managing a 25,000-node network at a government facility. Any time a new PC was purchased, someone from my division (the Department of Information Management) would have to set up the computer. Unfortunately, this meant manually loading Windows and installing all of the applications that the user would need. The department found some shortcuts to the process, such as using Norton Ghost images, but we still needed a separate Ghost image for every hardware configuration.

That's why I was excited when we finally implemented Active Directory (AD). AD used Remote Installation Service (RIS) to install Windows onto a brand new PC with very little manual intervention. RIS works by using either the PC's network card (if it has a boot PROM) or a RIS boot disk to attach to the network. Once the connection has been made and some login credentials have been entered, Windows is automatically loaded onto the new PC. While AD plays an integral role in large PC deployments using RIS, you will find that it includes many more helpful features that you can pass on to clients. Let's examine a few you should be aware of.

Publishing and assigning applications
Publishing an application means making it available to users. The application isn't actually installed onto a user's computer unless the user selects the application from the Add/Remove Programs Control Panel applet. Assigning applications works differently. You can either assign an application to a user or to a computer. If you assign an application to a user, then a desktop icon and/or a Start menu option is added to the user's profile. However, the application isn't actually installed until the first time the user attempts to run the program. If, on the other hand, you decide to assign the application to the computer, then the application is automatically installed onto the assigned computer.

Benefits of assigning
There are three main benefits to assigning an application to a computer. First, it relieves the client's administrators from having to manually install the application. Second, because the application is assigned, only an administrator may uninstall it from the workstation. This prevents users from uninstalling programs to free up hard disk space. Finally, if an assigned application becomes damaged, the Windows installer is often smart enough to either fix the problem or reinstall the application automatically.

The ability to publish or assign applications is tied to an AD feature called IntelliMirror. IntelliMirror is a set of AD mechanisms designed to increase system availability for users. The idea is that a user's software, data, and desktop settings can all follow the user regardless of where the user logs in. Essentially, IntelliMirror is like Windows NT's roaming profiles on steroids. A user's data, settings, and applications not only follow the user from PC to PC, but they also remain available to the user even when the PC is disconnected from the network.

Enhanced roaming profile
When a user logs in, the user profile, settings, and applications are all read from the AD and downloaded to the PC. This allows the user's settings and applications to follow them from PC to PC. If a user attempts to log on to a PC and, for whatever reason, the network is unavailable, then Windows will look to see if the user has logged onto the PC before. If so, then the user's profile information is read from a cache stored on the PC's local hard drive rather than from the network.

Making the user's data available both online and offline works similarly. Essentially, the My Documents folder can be redirected to a network location. When the user logs on, documents in this folder are copied to the user's PC. The user can then work with these documents as though they were local. Even if there is a temporary network outage, the user's work is unaffected because they are working from a locally cached copy of the document files. It's also possible to perform redirection on just about any folder.

DFS
The Distributed File System (DFS) was available in limited capacity in Windows NT but is much more robust in an AD environment. The original idea behind DFS was that it is not uncommon to have users' files scattered across multiple share points on multiple servers, and that DFS can consolidate all of these locations into a single virtual directory, thus making it easier for users to find their files.

In an AD environment, DFS is often used more for scalability and availability. For example, if your client has a share point that is heavily used, you can have synchronized copies on several DFS servers. By doing so, you balance the workload, thus preventing any one server from having to carry the full burden of serving the files.

Having multiple copies (known as replicas) on different servers helps the client's administrator too. If they need to take a file server down for maintenance, they can do so in the middle of the day. User traffic is simply directed to another replica. The users will never even know that an administrator has taken the server offline unless she tells them.
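As an added example that is not part of the original article, the PowerShell below builds the arrangement described above: a single domain-based DFS namespace path backed by two replicated folder targets, so either file server can be taken offline without users noticing. It assumes the DFSN and DFSR modules (Windows Server 2012 or later), a domain named contoso.com, and servers FS1 and FS2 that already share D:\Shares\Docs as Docs; all of these names are placeholders.

```powershell
# Added example, not code from the original article. Requires the DFSN and
# DFSR PowerShell modules, an elevated session, and domain admin rights.
# Assumptions (placeholders): domain contoso.com, file servers FS1 and FS2,
# each already sharing D:\Shares\Docs as "Docs" and a "Shared" share on FS1.
Import-Module DFSN, DFSR

$Domain   = 'contoso.com'
$Root     = "\\$Domain\Shared"        # namespace root that users browse to
$Link     = "$Root\Docs"              # the one virtual folder users see
$Servers  = 'FS1', 'FS2'              # hosts holding the replicas
$LocalDir = 'D:\Shares\Docs'          # replica path on each server

# 1. Domain-based namespace root, hosted on FS1.
New-DfsnRoot -Path $Root -TargetPath "\\$($Servers[0])\Shared" -Type DomainV2

# 2. One namespace folder with a target on each server. Clients are referred
#    to a target by AD site cost, spreading load, and an unreachable target
#    is skipped automatically, so taking FS2 offline is invisible to users.
New-DfsnFolder       -Path $Link -TargetPath "\\$($Servers[0])\Docs"
New-DfsnFolderTarget -Path $Link -TargetPath "\\$($Servers[1])\Docs"

# 3. Keep the two targets synchronized with DFS Replication. FS1 is the
#    primary member for the initial sync, so its content wins early conflicts.
#    Add-DfsrConnection creates a two-way connection by default.
New-DfsReplicationGroup -GroupName 'Docs-RG'
New-DfsReplicatedFolder -GroupName 'Docs-RG' -FolderName 'Docs'
Add-DfsrMember     -GroupName 'Docs-RG' -ComputerName $Servers
Add-DfsrConnection -GroupName 'Docs-RG' `
    -SourceComputerName $Servers[0] -DestinationComputerName $Servers[1]
Set-DfsrMembership -GroupName 'Docs-RG' -FolderName 'Docs' `
    -ComputerName $Servers[0] -ContentPath $LocalDir -PrimaryMember $true -Force
Set-DfsrMembership -GroupName 'Docs-RG' -FolderName 'Docs' `
    -ComputerName $Servers[1] -ContentPath $LocalDir -Force

# 4. Verify: one path, two targets, both Online.
Get-DfsnFolderTarget -Path $Link | Select-Object TargetPath, State
```

DFSR replicates the files together with their NTFS permissions, but share-level permissions are not replicated, so the Docs share on both servers must be configured identically or users will get different access depending on which replica they are referred to.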

Higher-level application integration
All of the application and data management techniques are made possible because of the centralized nature of the AD. However, some applications take even further advantage of the AD. Higher-level applications are often integrated into the AD. For example, if you have ever used Exchange Server 5.5 or below, then you know that Exchange requires you to create a mailbox for each user and then link the mailbox to the user's Windows account. Each user's mailbox is stored within a dedicated database known as PRIV.EDB and is completely isolated from the Windows Security Accounts Manager.

Exchange 2000, on the other hand, is designed to integrate itself into the Active Directory. Rather than creating separate mail accounts and linking them to Windows user accounts, the existing Windows user accounts are simply mail-enabled. This is done by adding Exchange-related attributes to the existing user entries in the Active Directory database. The Exchange messages themselves are still stored in a separate database, but all Exchange management is done entirely through calls to the Active Directory.

Users benefit the most
Having applications integrated into the AD benefits your client's users as well. Because the application is already aware of the AD, the user does not need a separate login to an Active Directory-aware application. Instead, the user simply logs into the domain, and the Active Directory uses single sign-on (SSO) technology to give the user access to the Active Directory-integrated application.
