During my years working with Active Directory based solutions, I've been thrilled by the way companies tend to make it more complicated than necessary. When Microsoft introduced the new way of organizing a Windows Domain using Organisational Units (OU), Trees and Forests back in the late nineties, everyone went berserk in their struggle to become the most creative designer, without really listening to the mantra: Keep it simple....
Today, fifteen years later, we have to face the consequences and clean up the mess, leading to endless amounts of CleanUp projects and Migration Projects, often initiated as "Missions of Mercy", to save what is savable before the final crash.
Having taken part in quite a few of those projects during the last 4-5 years, I have once again had to put up with the creative people, who have suddenly popped up from their crypts again, just waiting to create yet another AD bubble that will burst in a few years.
I will give you a few pieces of advice from my experiences so far on how to avoid this situation again (and by the way, this is only my strictly personal perspective), or at least ease the pain.
1. Most likely ONE single Active Directory Domain will cover all your needs today and tomorrow.
2. Think administrative delegation not organization when building the domain/OU structure.
3. Make sure the Governance Model is in place, before running DCPROMO.
4. ADFS, ADRMS, RODC, PKI, DFS, DNSSEC etc...are not only cool terms or features, use them and use them correctly.
5. The Schema is not full of Attribute classes for no reason, make sure you use the attributes provided in a meaningful way, this is your future connection to surrounding systems.
6. Yes, you can utilize only Universal Groups, that's enough.
7. Make sure the part of the identities you store in Active Directory is both secure and well-managed.
8. This list can actually continue for a while, but I will stop it here to avoid taking myself out of business, by just once more providing you with the most basic advice when it comes to Directory Services in general and Active Directory in particular:
KEEP IT SIMPLE!!
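Items 2 and 6 in practice, as an added PowerShell example that is not part of the original post: an OU layout cut along delegation boundaries rather than the org chart, a Universal security group per delegated task, and a single least-privilege ACE instead of Full Control. It assumes the RSAT ActiveDirectory module, a lab domain, and the placeholder OU and group names used below.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module (RSAT) is installed and this runs with Domain Admin rights in a lab.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Item 2: one OU per administrative delegation boundary, not per department.
# "Users" holds the objects being managed, "Admin" holds the delegation groups.
foreach ($name in @("Users", "Admin")) {
    $exists = Get-ADOrganizationalUnit -LDAPFilter "(ou=$name)" `
        -SearchBase $domainDN -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $name -Path $domainDN `
            -ProtectedFromAccidentalDeletion $true
    }
}
$ouUsers  = "OU=Users,$domainDN"
$ouAdmins = "OU=Admin,$domainDN"

# Item 6: Universal security groups only; one group per delegated task.
# The group name is a placeholder chosen for this example.
$helpdesk = New-ADGroup -Name "Deleg-Users-ResetPassword" -GroupScope Universal `
    -GroupCategory Security -Path $ouAdmins -PassThru

# Least privilege: grant only the "Reset Password" extended right, scoped to
# descendant user objects under OU=Users. Both GUIDs are the well-known
# schema values for that extended right and for the user object class.
$resetPwdRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"
$userClass     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"
$sid = [System.Security.Principal.SecurityIdentifier]$helpdesk.SID.Value

$acl = Get-Acl -Path "AD:\$ouUsers"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouUsers" -AclObject $acl

# Check: the group should appear with exactly one ExtendedRight ACE and
# nothing broader (no GenericAll / WriteDacl) on the OU.
(Get-Acl -Path "AD:\$ouUsers").Access |
    Where-Object { $_.IdentityReference -like "*Deleg-Users-ResetPassword" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

Reviewing the final listing is the real test of "keep it simple": every delegated right should be explainable in one line, and anything that is not is a candidate for the next CleanUp project.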
Tuesday 14 May 2013
Tuesday 30 April 2013
I have been lucky enough to enjoy the results of numerous implementations of Quest One ActiveRoles Server, and of course the latest version 6.8 is bringing it to yet another level. It's been comfortable to be able to assist customers in their struggles to achieve uniformity and consistency in the provisioning and de-provisioning of objects in Active Directory, using this intuitive tool and by that means speeding up the processes and bringing real business to the table.
<snip from Quest>
Secure access – Acts as a virtual firewall around Active Directory, enabling you to control access through delegation using a least privilege model. Based on defined administrative policies and associated permissions, it generates and strictly enforces access rules, eliminating the errors and inconsistencies common with native approaches to AD management. Plus, robust and personalized approval procedures establish an IT process and oversight consistent with business requirements, with responsibility chains that complement the automated management of directory data.
Automate account creation – Automates a wide variety of tasks, including:
ActiveRoles Server also automates the process of reassigning and removing user access rights in AD and AD-joined systems (including user and group de-provisioning) to ensure an efficient and secure administrative process over the user and group lifetimes. When a user’s access needs to be changed or removed, updates are made automatically in AD, Exchange, SharePoint, OCS, Lync and Windows, as well as any AD-joined systems such as Unix, Linux and Mac OS X.
Day-to-day directory management – Simplifies management of:
ActiveRoles Server also includes intuitive interfaces for improving day-to-day administration and help desk operations via both an MMC snap-in and a Web interface.
Manage groups and users in a hosted environment – Works in tandem with Quest One Quick Connect in a hosted environment where accounts from client AD domain are synchronized with a host AD domain. ActiveRoles Server enables user and group account management from the client domain to the hosted domain, while also synchronizing attributes and passwords.
The solution uses out-of-the-box connectors to synchronize your on-premises AD accounts to cloud-based services such as Salesforce.com, Google Apps, Microsoft Office 365, Lync Online and SharePoint Online.
Consolidate management points through integration – Complements your existing technology and identity and access management strategy. Its Extend All feature simplifies and consolidates management points by ensuring easy integration with many Dell products, including Quest One Quick Connect, Quest One Identity Manager, Privilege Password Manager, Desktop Virtualization, Authentication Services, Defender, Password Manager, Webthority and ChangeAuditor. ActiveRoles Server also automates and extends the capabilities of PowerShell, ADSI, SPML and customizable Web interfaces.
<End snip from Quest>
What suddenly strikes me like lightning from a clear blue sky is the mail I received a couple of weeks ago from Quest, not only stating but also providing a link to......the Swedish version of the ARS Web Interface.
I didn't see that one coming.
This of course is a sign, telling me that finally the Swedish market is waking up, realizing there are other ways of managing your AD, perhaps even better ones, than using the native tools like ADUC and so forth.
This also marks a milestone in my extended travelling as a consultant in this specific area; from now on I will be able to work in Sweden as well.
I'm coming home!