Microsoft: Partial, Distributed AD Deployments OK Sometimes

PHILADELPHIA -- Microsoft Corp. signalled an important shift in its attitude toward single-forest versus multi-forest Active Directory deployments here this week.

Speaking at the MCP Techmentor Summit on Active Directory, Microsoft group program manager for Active Directory Stuart Kwan said Microsoft has put too much emphasis on advocating single-forest Active Directory environments in the past.

"Multi-forest deployments can be entirely appropriate in certain situations," Kwan told conference attendees on Tuesday. "Consolidation is easy in small companies. It may be more difficult in larger companies."

Kwan said the shift in thinking at Microsoft has been occurring over the last few months. Although multi-forest domains have appeared in Microsoft literature, Microsoft's message has traditionally been that everyone should do everything possible to create single-forest Active Directories -- next question please.

Kwan still emphasized that a single-forest Active Directory is Microsoft's recommended method technically for creating Active Directories.

But he said political and some technical reasons mean other approaches are sometimes necessary.

Kwan used some relatively new terms and concepts during his keynote, such as "resource forest," and described limited Active Directory deployments made specifically to run Exchange 2000 Server, which requires Active Directory.

Microsoft defines an Active Directory forest as a collection of one or more Active Directory trees, organized as peers and connected by two-way transitive trust relationships between the root domains of each tree. All trees in a forest share a common schema, configuration and Global Catalog.

Many customers, especially at larger organizations, have argued that there is not enough business justification to conduct a top-down rearchitecting of their IT infrastructure just to implement Active Directory according to Microsoft's recommended method. They've also asked Microsoft for more flexibility in the Active Directory technology to allow them to make changes down the road -- such as during mergers and acquisitions.

Kwan outlined changes planned to the Active Directory in the 2002 Windows .NET Server release and beyond that indicate Microsoft is listening to those concerns.

Organizations deploying native Windows .NET Server Active Directories will be able to change domain and forest root names.

Post-Windows .NET Server, Microsoft's design goals for Active Directory technology include supporting easier multi-forest deployment and enabling grassroots deployment through features such as inter-forest synchronization and restructuring.

Al Gillen, an analyst at market research firm IDC, said such overtures from Microsoft indicate that the software giant is coming to grips with customers' real concerns.

"This is a reality that Microsoft does have to face that not everybody is going to go to Active Directory, and even if they do that there are going to be some challenges they face," Gillen says. However, Gillen notes that it will be a pity if many customers don't get to full Active Directory deployments that allow them to leverage cost-saving management features such as software distribution.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.