Interface Online Center for Information Technology (CIT)

December 17, 2001 [Number 221]

Windows 2000 and the NIH Active Directory

The transition to Windows 2000 marks the biggest change to Windows since it was first released in 1994. With Windows NT 4, having many independent domains linked with trust relationships worked reasonably well—there was no compelling reason for those domains to be linked into a centrally administered structure. In a Windows 2000 world, however, this is no longer true. The introduction of Active Directory (AD)—the directory service for the Windows 2000 Server—makes domain structures and the relationships between domains much more important. Active Directory is the foundation of Windows 2000 distributed networks—it stores information about objects on the network and makes this information easy for administrators and users to find and use.

Because of the changes in Windows 2000, the NIH Information Technology Management Committee (ITMC) convened a Windows 2000 working group to make initial recommendations on how to coordinate an Active Directory deployment at the NIH. The result was the ITMC decision to create an NIH Active Directory infrastructure for IC-based domains and to start a migration project to Active Directory.

The Windows 2000 working group meets every month to discuss issues related to the Active Directory architecture and its deployment. Before the end of the year, the working group plans to submit to ITMC a standards document that will finalize the requirements for NIH institute and center (IC) participation in the Active Directory. The document will also discuss creating an Active Directory community to manage the future growth and changes.

Benefits of Active Directory

The Active Directory is an industry-standard LDAP-accessible directory. It is an optimized network service used by applications and network services to store and retrieve information about enterprise resources (e.g., users, computers, printers, servers, network servers). The Active Directory allows organizations to coordinate, manage, and share information about network resources and users while acting as the central authority for network security. Security is integrated with Active Directory through logon authentication and access control to objects in the directory. With a single network logon, administrators can manage directory data and organization throughout their network, and authorized network users can access resources anywhere on the network.

The benefits of upgrading from Windows NT domains to Windows 2000 Active Directory revolve mostly around coordinating security and reducing dependence on applications that maintain their own directories. All of these benefits help to improve information accuracy and security, and to reduce information redundancy and the costs associated with storing and managing information.

Deployment in Stages

The NIH Active Directory deployment project has three phases.

  • Phase One (January-December 2001)
    The initial deployment of the NIH Active Directory infrastructure was approved by ITMC on the basis of recommendations from the NIH Windows 2000 working group. With the success of the initial deployment, the ITMC approved the upgrade of NIH domain Windows NT 4 servers and services to Windows 2000. During the summer, the NIH domain was converted to a pure Windows 2000 native mode domain. The remaining part of phase one is winding down with the conversion of NT network services to Windows 2000 network services, and the finalizing of Active Directory Architecture Standards by the Windows 2000 working group and ITMC.
  • Phase Two (August 2001-Summer 2002)
    This phase began with the merging of Exchange 5.5 directory information with Windows 2000 account information. During this phase the NIH.GOV Active Directory domain will be modified to support distributed administration for the IC network administrators. ICs that run NIH Exchange sites are planning to join the NIH Active Directory as subdomains. CIT is also working with other NIH enterprise initiatives (e.g., NED, PKI, NIH Portal, and NBRSS) to integrate these services into the NIH Active Directory design. The initial goal of this phase is to get all NIH Exchange sites to begin their migration to Active Directory. Other goals include the selection of a commercial off-the-shelf (COTS) Web-based administration tool for distributed administration of the NIH.GOV domain. Once all Exchange sites are upgraded to Active Directory, the NIH Central Exchange Service (CES) Exchange 2000 deployment will begin.
  • Phase Three (Completed by Early 2003)
    This phase of deployment begins with the fine-tuning of the NIH Active Directory to support Exchange 2000. This includes modifying code that synchronizes NIH directory services with the rest of the NIH and DHHS applications and directories, and also involves addressing the integration of Central Email Service (CES) IC customer domains into the NIH.GOV domain tree. In this phase, we will address full integration of NIH domains.

More Information

A new NIH Active Directory Web site—covering both technical and non-technical questions—will soon be available.

Further developments in the deployment of Active Directory at NIH will be announced in future issues of Interface.

If you have any questions, please call TASC (301.594.6248) and ask to speak to someone on the Active Directory project team.

 
Published by Center for Information Technology, National Institutes of Health