
Mission-Critical Active Directory: Architecting a Secure and Scalable Infrastructure

Last Updated 2/10/2009 4:05:28 PM


By: Tony Stevenson

According to the authors of "Mission-Critical Active Directory," a Directory Service (DS) is a "way to look up and retrieve information from anywhere within a distributed environment." Their book, subtitled "Architecting a Secure and Scalable Infrastructure," consists of an in-depth examination and discussion of Active Directory (AD), the DS that comes with Windows 2000.

The authors, Micky Balladelli and Jan De Clercq, have extensive experience in this field. Balladelli, a solutions architect, works closely with clients on the design of Win2K infrastructures. He also conducts presentations on AD around the world. De Clercq is a senior technology consultant specializing in Win2K, Microsoft Exchange 2000 Server, and Microsoft .NET security. He is a frequent speaker at Microsoft and general security conferences in different countries.

When they wrote "Mission-Critical Active Directory," Balladelli and De Clercq had a definite audience in mind, namely solutions architects, technical consultants, network designers, developers, enterprise systems administrators, and other IT professionals who are engaged in large Win2K projects.

The book begins with an introduction to AD and lists the five key characteristics that a DS should have: scalability, availability, manageability, security, and accessibility. The discussion then covers topics such as AD namespaces, domains, AD schema, groups, domain nodes, naming conventions, and administration tools. At the end of the opening chapter, the authors highlight the role that AD plays when they state that AD is the "most important technology introduced in Windows 2000. It provides the foundation for the enterprise infrastructure." Throughout the book, the authors use diagrams, screenshots, and tables extensively to support the text.

In the second chapter, the focus turns to understanding and designing the Win2K DNS, the primary locator and name resolution service for Win2K. A thorough knowledge of this technology is essential for professionals who have been assigned the task of planning and designing a Win2K AD DNS namespace and infrastructure for their company or for a client's company. Equally vital to a good design and implementation is a strategy for administering and troubleshooting a newly installed Win2K DNS. The latter part of this chapter provides an overview of the tools that you can deploy. The authors include a Web address that provides a list of additional third-party tools.

The next two chapters tackle AD replication and AD storage architecture, respectively. The authors note that the goal of replication should be to "allow all controllers to receive updates and to maintain their copies of the Active Directory database in a consistent state." They regard AD replication as an "important step to master when dealing with large corporate deployments." The most interesting aspect of the storage architecture chapter is its practical exercise for creating a very large AD: the authors explain how to build an AD database capable of holding all the details from the US white pages (about 100 million listings).

Chapter 5 introduces the fundamentals of Win2K security. In addition to covering general concepts, such as the goals of security and an overview of cryptography, the authors discuss aspects of Win2K communications security and Win2K OS security. The authors included this chapter because they believe that a "solid understanding of the Windows 2000 security features is a key requirement for the creation of a secure and reliable enterprise Active Directory infrastructure."

Win2K authentication, the authors claim, is the most important security service. In the chapter devoted to authentication, the authors take a nuts-and-bolts approach to explain its implementation within the OS. The authors discuss in detail Kerberos, the default authentication protocol embedded in Win2K, beginning with its advantages and progressing to a comparison of Kerberos with Windows NT LAN Manager (NTLM), NT 4.0's default authentication protocol. Topics subsequently featured in this chapter include logging on to Win2K by using Kerberos, Kerberos configuration, and Kerberos and authentication troubleshooting. Because Kerberos is an open standard, it can be employed as a single sign-on (SSO) solution with various OS platforms.

One area that could confuse professionals migrating to Win2K is the difference between Win2K group policies and NT 4.0 system policies. Fortunately, the authors devote a chapter to explaining Win2K Group Policy Objects (GPOs) and organizational units (OUs). Best of all, a table clearly summarizes the differences between NT 4.0, Windows 98, and Win95 system policies and compares these with Win2K GPOs (Administrative templates).

Chapters 8 and 9 cover the Win2K public key infrastructure (PKI), a set of technological building blocks used in the construction of security systems to provide authentication and confidentiality services. Chapter 8 introduces PKI and gives special attention to Win2K PKI basics and core components. Chapter 9 explains how to plan, design, build, and deploy a Win2K-based PKI within an enterprise. To effectively illustrate the theoretical aspects of PKI that this section of the book raises, the chapter ends with a PKI case study. Based on a fictional company that has customers on three continents, the case study progresses through a business-requirements analysis of the company and highlights the development of the company's PKI topology.

The book’s last chapter turns the spotlight on concerns involved with migrating to Win2K. The authors recommend that you not attempt a migration before you've successfully completed a comprehensive design of a Win2K infrastructure. To help any company or organization make the transition as painless as possible, the authors discuss the four phases involved in a migration: 1) assessment, 2) planning and design, 3) pilot, and 4) implementation and migration. And as a way of providing additional assistance, the authors include a number of migration strategies.

A clear sign that the authors of "Mission-Critical Active Directory" have confidence in their material is that they have willingly published their personal company email addresses in the book's preface. The generic "info@publisher.com" email address (which, unfortunately, appears in many other computer books) always leaves me wondering whether any email to authors is actually read and answered. Micky Balladelli and Jan De Clercq encourage readers to email their comments or suggestions regarding the contents of the book. Having easy access to authors is a major plus for readers and offers some assurance that the authors will quickly address reader questions.

Be sure to add this book to your professional IT reading list if you are involved in designing and building a secure and scalable network foundation for Win2K. You can find out more about the book and its authors by visiting the publisher's Web site (www.bhusa.com/digitalpress). From the book's companion Web page, you can also follow a link to read an article by the authors titled "Windows tech: 10 steps to creating an active directory."

By Micky Balladelli and Jan De Clercq

Price: $49.99

Paperback 630 pages

Published by Digital Press, December 2000

ISBN: 1555582400
