Active Directory 'forests' may cause pain
REDMOND, WASH. - Network executives who don't build their Active Directory infrastructures as a single "forest" may face the onerous chore of manually configuring management and security controls, much as they must do today to link Windows NT domains.
Corporations that rush into Active Directory, the key management technology in Windows 2000, could find themselves with multiple directory forests - something Microsoft advises against. Forests are directory structures that include "trees," which in turn consist of domains containing users, groups and resources such as printers.
The forest concept is intended to simplify both end-user access to the directory and management of multiple domains. Under this structure, all domains and trees in a forest inherently trust one another for the purpose of authentication, which is based on Kerberos security. Such trust is not extended between forests, which means directory administrators must use NT LAN Manager (NTLM) to manually configure one-way trusts between forests. NTLM is the much-maligned security model of NT 4.0.
"If you want to live in hell right away, go to multiple forests," says Dave Gasiewicz, lead architect of Microsoft's internal IT department. "Administratively, it opens up boondoggles. The security model is very complex."
Additionally, all the components in each forest must be managed separately, users must be trained to run queries on multiple forests, and processes must be devised to update data imported from one forest to another.
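An added example (not code from the article or from Microsoft) of how an administrator would take stock of that burden: a PowerShell inventory of the trusts visible from the current forest, separating the automatic, transitive intra-forest trusts from those that had to be configured by hand toward other forests or NT domains, and listing review items for the latter. It assumes the RSAT ActiveDirectory module (Get-ADForest, Get-ADTrust), which postdates Windows 2000, and read access to the trust objects.

```powershell
# Added example, not from the article. Assumes the RSAT ActiveDirectory module
# is installed and the caller can read trust objects; the property names used
# below are the ones exposed by Get-ADTrust.
Import-Module ActiveDirectory

function Get-TrustInventory {
    $forest = Get-ADForest
    Write-Host "Forest $($forest.Name) contains: $($forest.Domains -join ', ')"

    foreach ($t in Get-ADTrust -Filter *) {
        [pscustomobject]@{
            Target           = $t.Target
            Direction        = $t.Direction            # Inbound, Outbound or BiDirectional
            IntraForest      = $t.IntraForest          # $true: created automatically, transitive
            ForestTransitive = $t.ForestTransitive     # $true: forest-wide trust to another forest
            Downlevel        = ($t.TrustType -eq 'Downlevel')   # NT 4.0-style (NTLM) trust
            # External trusts use the quarantine flag, forest trusts the forest-aware
            # flag; either one set means SID filtering is on for that trust.
            SidFiltering     = ($t.SIDFilteringQuarantined -or $t.SIDFilteringForestAware)
            SelectiveAuth    = $t.SelectiveAuthentication
        }
    }
}

# Every trust that leaves the forest was created by hand and has to be kept
# under review; report the ones lacking the controls that limit what the
# trusted side can assert into this forest.
function Get-ExternalTrustFindings {
    foreach ($t in Get-TrustInventory | Where-Object { -not $_.IntraForest }) {
        $issues = @()
        if ($t.Downlevel)          { $issues += 'NT-style trust (NTLM, non-transitive)' }
        if (-not $t.SidFiltering)  { $issues += 'SID filtering disabled' }
        if (-not $t.SelectiveAuth) { $issues += 'selective authentication not enabled' }
        [pscustomobject]@{
            Target    = $t.Target
            Direction = $t.Direction
            Findings  = if ($issues) { $issues -join '; ' } else { 'none' }
        }
    }
}

Get-TrustInventory | Format-Table -AutoSize
Get-ExternalTrustFindings | Format-Table -AutoSize
```

Run it from each forest root in turn; a trust appears only in the inventory of the forest that holds the trust object, so a one-way trust between two forests shows up on one side only.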
Multiple forests have the potential to invade enterprises the same way NT domains spun out of control when department and regional administrators began carving out their own domain fiefdoms.
Political issue
"Active Directory does not solve the domain issue, which is a political issue," says Neil MacDonald, an analyst with Gartner Group in Stamford, Conn. "The way that issue reappears with Active Directory is multiple forests."
Users can set up a new forest simply by clicking a button in a dialog box when setting up a Windows 2000 server.
"If you populate that new forest with users, it's a major problem to back out," says Ed Bradford, architect for NT solutions at IBM. Microsoft needs some grafting tools to essentially join two forests, he says.
Third-party vendors such as FastLane Technologies are offering tools to help migrate users between forests. Microsoft says its metadirectory tools will help manage multiple forests and that grafting tools are forthcoming.
There are certain scenarios that do call for multiple forests, and IT executives should consider their options carefully, according to Microsoft.
One systems engineer for a large multinational oil and gas company who requested anonymity says he will have multiple forests because of slow WAN links in some countries that can't handle replication traffic and because of joint ventures that require separate forests.
"We need to put up some restrictive boundaries, so the cost of multiple forests for us will outweigh the risks," the systems engineer says.
Some organizations, including Microsoft and Compaq, also have separate forests for production and test environments.