Labs

March 13, 2000

Windows 2000:
Active Directory Tribulations

continued...page 2 of 2

There's another set of common IP schemes that affects how you create an efficient Active Directory topology. Consider a company such as CMP Media Inc., InformationWeek's publisher. CMP possesses many domain names, including informationweek.com and cmp.com. Corporate mergers and acquisitions also tend to result in one company managing numerous domain names. Among survey respondents, 42% of companies used four or more domain names.

Another even more common circumstance creates wrinkles in the Active Directory scheme: multiple IP subnets. A subnet is a contiguous group of IP addresses. Most companies possess a collection of Class B (192.72.xxx.xxx) or Class C (192.72.166.xxx) subnets. More than half the respondents managed 10 or more subnets.

Because domains under Active Directory are inexorably connected to domain names in the Internet sense, each Active Directory tree can contain just one root DNS domain name. To realize the greatest benefit from Active Directory, particularly in regard to easily managing and efficiently replicating a directory structure, it's desirable to keep the entire company in one tree. This maximum efficiency, however, would force many companies to alter their naming schemes dramatically.

Obviously, Microsoft is well aware of this, and Active Directory supports several variations to allow for multiple domain names and different mechanisms for partitioning the name space among different domain controllers and DNS systems. Multiple Active Directory trees, however, involve the sort of complicated trust relationships that many companies dislike about the NT domain-management scheme, although you may still be able to reduce the number of domains when migrating from NT's domain system to Active Directory.

Similarly, relying on non-Windows 2000 DNS servers for the collection of hosts that you want exposed to the Internet while using Active Directory and the Windows 2000 DNS server for the private portion of a network can quickly become complicated in companies with multiple domain names and a mix of client systems. They may well want to organize their DNS structure so that all internal (non-Internet) systems fall into a distinct domain, such as corp.informationweek.com.

The need to support a mix of clients will also affect how different Active Directory trees interact. Differing support for Proxy AutoConfiguration files, Name Exclusion Lists, and similar tools for differentiating between private network resources and public Internet hosts may lead companies to maintain secondary DNS "zone" information for other corporate domain name spaces rather than forwarding requests to other DNS servers.

Each of these topologies has different implications for replication and backbone traffic, but the choice is in some ways dictated by the type of clients you support. Likewise, the need to support Windows NT hosts, which rely on the Windows domain name system for name resolution, may lead companies to place all NT systems in one domain space, such as wins.corp.informationweek.com, served by a WINS server to which Windows 2000 servers connect using a WINS Referral mechanism in Windows 2000.

Use of the Windows 2000 domain name system server isn't mandatory. Any DNS server implementation supporting Service Location Resource Records and Dynamic Update is sufficient to provide the name service for computers running Windows 2000. Because this implementation of DNS is designed to take full advantage of the Windows 2000 Active Directory service, it's the recommended DNS server for any networked organization with a significant investment in Windows or extranet partners with Windows-based systems.
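Whether a third-party DNS server actually publishes the Service Location records that Windows 2000 clients need can be checked from the zone data itself. The following Python script is an added example, not from the article: it parses a constructed zone fragment for the hypothetical internal domain corp.informationweek.com and reports which domain-controller locator SRV records are absent or point at hosts with no A record. The record names _ldap._tcp, _kerberos._tcp and _ldap._tcp.dc._msdcs follow Microsoft's DC locator conventions; the hosts and addresses are made up.

```python
"""Verify that a zone publishes the SRV records Windows 2000 uses to find
domain controllers. Added example, not from the article; zone data is
constructed, record names follow Microsoft's DC locator conventions."""
import re

# Constructed zone fragment for the hypothetical internal domain
# corp.informationweek.com. The Kerberos SRV record is deliberately absent
# and _gc._tcp points at a host that has no A record.
ZONE = """$ORIGIN corp.informationweek.com.
dc1                  IN A   10.1.1.10
dc2                  IN A   10.1.1.11
_ldap._tcp           IN SRV 0 100 389  dc1.corp.informationweek.com.
_ldap._tcp           IN SRV 0 100 389  dc2.corp.informationweek.com.
_ldap._tcp.dc._msdcs IN SRV 0 100 389  dc1.corp.informationweek.com.
_gc._tcp             IN SRV 0 100 3268 dc3.corp.informationweek.com.
"""

# Service names a Windows 2000 client queries when locating a DC.
REQUIRED = ("_ldap._tcp", "_kerberos._tcp", "_ldap._tcp.dc._msdcs")

SRV_RE = re.compile(r"^(\S+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
A_RE = re.compile(r"^(\S+)\s+IN\s+A\s+(\S+)$")


def parse_zone(text):
    """Return (origin, list of SRV records, set of FQDNs that have A records)."""
    origin, srv, hosts = "", [], set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        elif (m := SRV_RE.match(line)):
            srv.append({"name": m[1], "priority": int(m[2]), "weight": int(m[3]),
                        "port": int(m[4]), "target": m[5]})
        elif (m := A_RE.match(line)):
            hosts.add(m[1] + "." + origin)   # relative owner name -> FQDN
    return origin, srv, hosts


def check_dc_records(text):
    """Return a list of problems; an empty list means clients can find a DC."""
    _, srv, hosts = parse_zone(text)
    present = {r["name"] for r in srv}
    problems = [f"missing SRV record {n}" for n in REQUIRED if n not in present]
    for r in srv:
        if r["target"] not in hosts:   # an SRV target must resolve to an address
            problems.append(f"{r['name']} points at {r['target']} with no A record")
    return problems
```

Dynamic Update support cannot be judged from zone contents and has to be tested against the running server.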

For example, while conventional DNS servers use single-master replication, Windows 2000 DNS can be integrated into Active Directory service, so that it uses the Windows 2000 multimaster replication engine, a more flexible--albeit more complicated--replication scheme. In this way, network managers can simplify system administration by not having to maintain a separate replication topology for DNS.

However, given past issues, many administrators may have reservations about trusting Microsoft's new DNS server to interoperate seamlessly with other DNS servers, especially those running on Sun Microsystems' Solaris operating system.
