If you're using a Windows NT 4.0 domain model that works, you're probably wondering why you should consider moving to Windows 2000's Active Directory (AD). One of the major benefits of moving is that you gain the opportunity to simplify your environment by performing domain consolidation. Domain consolidation, the process of reducing the number of domains that you have, lets you eliminate complexity and reduce total cost of ownership (TCO). Best of all, the AD features and functionality that make domain consolidation possible let you accomplish the goals (e.g., delegating administration, controlling replication traffic, supporting large numbers of objects) that led you to create a multidomain environment in NT 4.0.
Win2K domains still serve the same basic functions that they did in NT 4.0: to provide users with one logon that can grant access to resources anywhere on the network, and to centralize administration. Whether you have one domain, a master domain model, or a multimaster domain model, a good domain design uses trust relationships to accomplish the same objectives that a single domain addresses. Unfortunately, as the number of domains that you have under NT 4.0 or Win2K increases, the complexity of supporting and managing the network increases as well.
You might create multiple domains in NT 4.0 to delegate administration. Granting a user or group of users responsibility to manage a group of network resources, without granting the ability to manage all users or network resources, often requires that you create an NT 4.0 resource domain. The resource domain functions as an administrative boundary. In Win2K, AD lets you provide similar functionality using organizational units (OUs), which are AD objects that contain other objects. OUs function much like the folders that you use to organize files. Not only can you use OUs to logically organize AD, you can also delegate administrative control of OUs to users or groups, letting you grant administrative control over a subset of objects without handing over administrative control of all the objects in a particular domain.
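The delegation described above, as an added example that is not part of the original column: a helpdesk group is granted only the right to reset passwords on user objects inside one OU, so its administrators touch nothing outside that boundary. The script assumes the ActiveDirectory PowerShell module (a modern successor to the Win2K-era administration tools; the OU-based delegation model is the same) and constructed names: an OU called Branch-Users and a group called Helpdesk-Branch.

```powershell
# Added example, not from the original column. Assumes the ActiveDirectory module and
# constructed names (OU "Branch-Users", group "Helpdesk-Branch"); run as a domain admin.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=example,DC=local
$ouName   = 'Branch-Users'
$ouDN     = "OU=$ouName,$domainDN"
$group    = Get-ADGroup -Identity 'Helpdesk-Branch'

# 1. Create the OU (the administrative boundary) if it does not already exist.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Build one access-control entry: the "Reset Password" extended right, applied only to
#    user objects that are descendants of this OU. Both GUIDs are well-known AD schema values.
$sid           = [System.Security.Principal.SecurityIdentifier]$group.SID
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # controlAccessRight: Reset Password
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schema class: user
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

# 3. Apply the ACE to the OU's security descriptor through the AD: PSDrive.
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. Verify: the group should appear with ExtendedRight on the Reset Password GUID and nothing more.
Get-Acl -Path "AD:\$ouDN" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like '*Helpdesk-Branch' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

Because the ACE is scoped to the OU and inherited only by user objects, moving a user into or out of Branch-Users changes who can reset its password without any further ACL work, which is exactly the folder-like behaviour the column compares OUs to.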
Controlling Replication Traffic
You might also create multiple domains in NT 4.0 to control replication traffic across WAN links. Every time someone makes a change to the SAM in NT 4.0, the change occurs on the PDC and replicates to all BDCs throughout the domain. To prevent replication traffic from using too much bandwidth, network architects often choose to use geographical boundaries as their domain boundaries.
In Win2K, AD lets you create sites to control replication traffic. Sites are collections of IP subnets connected by high-speed links. A domain controller is placed in a site according to the IP subnet it belongs to, and AD uses two types of replication to control replication traffic. Replication between domain controllers that are members of the same site is automatic and happens at frequent intervals, whenever changes occur. You control replication between sites with an administratively defined schedule, and you can associate costs with site links to define a preferred path.
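The site topology described in the two paragraphs above, as an added example that is not part of the original column: two locations are modelled as sites, their IP subnets are bound to them so domain controllers land in the right site, and the sites are joined by a link that carries a cost and an off-hours schedule, so intersite replication stays off the WAN during the working day. It assumes the ActiveDirectory PowerShell module (a modern tool; the site, subnet, link, cost and schedule objects are the same ones Win2K introduced) and constructed site names and subnets.

```powershell
# Added example, not from the original column. Assumes the ActiveDirectory module and
# constructed site names and subnets; run as an enterprise admin.
Import-Module ActiveDirectory

$sites = @{
    'HQ'     = '10.1.0.0/16'   # constructed: head-office subnet
    'Branch' = '10.2.0.0/24'   # constructed: remote office behind a slow WAN link
}

# 1. Create each site and the subnet that places domain controllers (and clients) in it.
foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($sites[$name])'")) {
        New-ADReplicationSubnet -Name $sites[$name] -Site $name
    }
}

# 2. Intersite replication runs only when the schedule is open: here 01:00 to 05:00 daily.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::One,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Five,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero)

# 3. Link the sites. A higher cost (default is 100) makes this path less preferred when
#    alternatives exist; the interval is how often replication is attempted inside the window.
New-ADReplicationSiteLink -Name 'HQ-Branch' -SitesIncluded 'HQ','Branch' `
    -InterSiteTransportProtocol IP -Cost 200 -ReplicationFrequencyInMinutes 180 `
    -ReplicationSchedule $schedule

# 4. Verify the resulting link.
Get-ADReplicationSiteLink -Filter "Name -eq 'HQ-Branch'" -Properties Cost, ReplicationFrequencyInMinutes |
    Format-List Name, SitesIncluded, Cost, ReplicationFrequencyInMinutes
```

Domain controllers in HQ still replicate with each other within minutes of a change (intrasite replication needs no configuration); only the HQ-to-Branch traffic is throttled by the link's schedule and interval, which is the control the column says NT 4.0 could only achieve by splitting domains along geographical lines.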
Numbers of Objects
In NT 4.0, the maximum recommended number of objects for one domain is 40,000, a limit that keeps the SAM size under 40MB. AD provides much better scalability, allowing one domain to contain millions of objects. With such scalability, large organizations don't have to create multiple domains just to support more users.
As you can see, AD provides great flexibility for network architects when they're designing a domain structure to use in Win2K. Win2K lets you focus on designing a domain structure that's based on business needs, not just technical considerations. In upcoming columns, I'll look at the strategies and technologies you can use to perform domain consolidation as you move from NT 4.0 to Win2K. As you can imagine, there are many technical issues to consider.