Chapter 6: Welcome to Hay Buv Toys

Section 2:
Migration Scenarios

The example companies, organizations, products, people, and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

On This Page

Introduction
About Hay Buv Toys
Current Windows NT 4.0 Domain Model
User Account Domains Description
Resource Domains Description
Desktop Environment Description
Environment Summary

Introduction

This section takes the migration concepts discussed in Section 1 and applies them in real-world migration scenarios involving a fictitious company, Hay Buv Toys.

This chapter and the others in this section will describe:

  • Hay Buv Toys' current infrastructure and why it has evolved to the current state.

  • What Hay Buv Toys would like its Microsoft Windows 2000 environment to look like, and why.

  • How Hay Buv Toys migrated to the desired structure.

This section will take the scenario beyond migration and describe final architecture consolidation change after the migration to Windows 2000 is near completion.

About Hay Buv Toys

Overview

Hay Buv Toys manufactures, distributes, and sells children's toys throughout the world. The major engineering and manufacturing sites are located in Los Angeles, Mexico City, and Hong Kong, along with major distribution centers in Los Angeles and Hong Kong.

Hay Buv Toys has very few retail shops, since it mainly engineers, manufactures, and distributes the toys to major retail chains, but it is exploring the possibility of Web retailing in order to sell direct to the consumer.

Its main administrative headquarters and information technology (IT) organizations are in Los Angeles and Paris.

Environment Background

Until roughly two years ago, Hay Buv Toys' IT infrastructure mainly consisted of department and business unit Novell file and print servers along with many Microsoft Windows NT domains that were not centrally managed. The manufacturing and engineering sites used various UNIX operating systems as the main platform for many of their line-of-business applications and CAD systems.

The IT organization was very decentralized with each site architecting and supporting its own environment. As a result, there were several people with CIO-like decision power throughout the organization. This resulted in a diverse environment that was costly to manage.

Within the past two years, the IT organization has been restructuring its management structure into a centralized model with a single CIO located at the Los Angeles headquarters.

About one year ago, Hay Buv Toys chose Microsoft Exchange as its enterprise messaging system and developed a centralized messaging team that is located in Los Angeles. As part of the central messaging project, the team developed and implemented a new enterprise Windows NT domain model in order to best manage the Exchange servers. Since then, the team has created many other enterprise services that rely on a standard Windows NT logon, such as Web sites for company health benefits and 401K plans.

Because of the Windows-based enterprise services, most of the engineering and manufacturing sites that were primarily UNIX based now have both UNIX- and Windows-based computers and Windows Terminal Services.

Over the past year, Hay Buv Toys has been working on consolidating more than 16 separate Windows NT domains that contained user, group, and computer objects into its current Windows NT 4.0 domain model to ease domain administration and provide better services to the user community.

Current Windows NT 4.0 Domain Model

Geographic Structure

Hay Buv Toys uses a geographically based multimaster domain model with two master user domains (MUDs): one for America (United States and Mexico), where the company was originally founded, and one for other areas of the world (England, France, and Hong Kong). The domain names of the account domains reflect the structure: The first account domain that was created is HB-ACCT. Early on, this single account domain was sufficient. As the company grew, the need for a second account domain became apparent. The main driving point was network traffic created by account replication from the PDC in Los Angeles to all locations in the world. To streamline replication, the administrators created a second account domain for the world outside of America, HB-ACCT-ROW.

Another reason for choosing a geographic-based domain model is the fact that geography changes less frequently than corporate structure. In the past, naming schemes based on business units quickly became invalid after reorganizations and name changes within the businesses. Hay Buv paid great attention to the fact that renaming the fundamental building blocks of a system is typically very difficult once it has been rolled out and has already encountered Domain Name System (DNS) domain and Windows NT 4.0 domain naming schemes.

The following diagram shows Hay Buv Toys' current Windows NT 4.0 domain model.

Bb727130.ckch0601(en-us,TechNet.10).gif

Figure 6.1:

User Account Domains Description

Three Domains

The current domain model has three MUDs. The HB-ACCT and HB-ACCT-ROW domains are the IT-supported MUDs that were created as part of the Windows NT 4.0 domain consolidation project. These domains hold about 85 percent of all of the user accounts for the company.

The team chose two large account domains because it wanted the largest possible domains for administration purposes, but did not want to replicate domain traffic between the United States and Europe.

There are nearly 500 global groups throughout these account domains. These are used mainly to check membership during logon in order to process the appropriate logon scripts. Other global groups are used for authentication purposes to file shares and allow access to some of the line-of-business applications.

Hay Buv Toys still has one nonstandard domain, MANUFACTURING. It has been able to stay outside the managed domain structure because it has had, up to this point, the political clout to remain separate.

A summary chart of the account domains is as follows:

Account domain

Number of accounts

Number of groups

HB-ACCT

14,000

320

HB-ACCT-ROW

8,000

100

MANUFACTURING

3,000

50

Domain Consolidation

MANUFACTURING consists of both accounts and resources in the Los Angeles and Mexico City engineering and manufacturing facilities.

Until recently, the MANUFACTURING management team has remained separate for a number of reasons:

  • It wants to maintain complete control of its resources because it runs a continually operating facility that needs special attention. It does not believe that a centralized administration model can meet the demands of its users.

  • It believes a domain migration may cause downtime for its users and could bring the floor production systems to a halt, which is an unacceptable risk to its management.

  • It does not want to migrate because it already has good support and access to all the resources it needs, and team members believe they can get the enterprise IT organization to integrate their domain into the standard domain model.

Because Windows 2000 and Microsoft Active Directory have introduced these two key new featuresorganizational units (OUs) and sIDHistorythe MANUFACTURING management team has agreed to consolidate its domain into the new corporate structure.

Given the ability of Windows 2000 to delegate administration through an OU structure, the team's demand for complete local administration of its users and resources can be met. Also, the new sIDHistory feature of Windows 2000 for domain migrations eliminates the immediate need to redo the access control list (ACL) for resources and allows for fallback to the old user logon if problems occur with the migration to the new domain.

After testing the new replication features in Active Directory including store and forward replication and compression, Hay Buv Toys also decided that a single domain model is now doable. This model allows all users and groups to be in one domain. After evaluating five different namespace plans, the single domain model was chosen because the overall cost of ownership was the lowest. Although a single domain model creates more replication traffic, the following benefits made up for the costs:

  • Pervasive delegation models

  • Company-wide group policy settings (for user settings and software deployment)

  • Easy administration

Resource Domains Description

Their Purpose

The resource domains are based on geographic groups, such as HB-RES-WC for the western half of the United States, HB-RES-EC for the eastern part, or HB-RES-EUR for resources located in Europe. In some single cases, a dedicated resource domain was created for storing sensitive information that should not be saved outside the country, such as the London and Mexico facilities.

These resource domains were created to delegate administration of the resources to local administrators without giving them full rights to the user accounts and global groups. Another benefit of creating the computer accounts in the resource domains instead of the two large user account domains is that this would ensure that the size of the Security Accounts Manager (SAM) database of the user account domains would not grow to reach the recommended limit.

An exception to the resource domain naming convention is the HB-MESSAGING resource domain, which was created for the Exchange servers in order to give access to users in the nonstandard domains that existed when Exchange was first being implemented, and before the new domain model was fully in place. The messaging team also wanted centralized control over the messaging resources, which made creating a separate messaging domain an ideal solution.

Each resource domain runs a variety of resources, which are outlined in the following chart.

Resource domain

Services and applications deployed

HB-RES-WC

WINS, DHCP, DNS, FILE, PRINT, SQL, IIS, TERMINAL, RAS, PPTP

HB-RES-EC

WINS, DHCP, FILE, PRINT, SQL, IIS, TERMINAL, RAS

HB-RES-MEX

WINS, RAS

HB-MESSAGING

EXCHANGE, IIS

HB-RES-LONDON

WINS, DHCP, FILE, PRINT, SQL, IIS, TERMINAL, RAS

HB-RES-EUR

WINS, RAS

HB-RES-HONGKONG

WINS, DHCP, FILE, PRINT, SQL, IIS, TERMINAL,

MANUFACTURING

FILE, PRINT, IIS, TERMINAL, SNA, EXCHANGE

Desktop Environment Description

Windows NT Is Standard

The Hay Buv Toys desktop standard is based upon Windows NT 4.0 Workstation with SP5 and Office 97 Professional edition with Service Release 2. Some computers throughout the company still run Windows 95 and Windows 98, but these are not a supported platform and require business justification in order to remain on the network.

Some departments have completely deployed Windows 2000 Professional either by upgrading the current Windows NT 4.0 standard installation or reimaging the computer with the brand new Windows 2000 Professional image. Most of the corporation is running on a corporate standard image that was created using Microsoft System Preparation tool (Sysprep) and cloned using either PowerQuest Drive Image or Symantec Ghost.

Some local divisions have taken the corporate image and added or removed some applications and settings, but for the most part, the Windows NT 4.0 installations are pretty predictable in most environments because of desktop refresh projects that have been going on throughout the company for the past two years.

The majority of the users have local Windows NT profiles that have been customized, and some users, mainly the manufacturing floor workers, make use of roaming user profiles.

The desktop hardware consists mainly of Dell and Compaq brands, and the laptop hardware consists mainly of Dell, Compaq, and IBM brands. Each site is fairly consistent with their hardware brand of choice, with fairly up-to-date hardware, for example, Pentium 200 megahertz (MHz) with 64 megabytes (MB) of RAM or more, and most of the corporation is on a three-year hardware lease cycle.

There are some exceptions to the standard desktop hardware in some of the engineering and manufacturing areas, which have purchased a variety of workstations with multiple processors and redundant array of independent disks (RAID) controllers for high-end computing tasks such as CAD.

Environment Summary

The Company's Goal

The Hay Buv Toys enterprise has evolved from a diverse, decentralized IT environment to a somewhat less diverse, more centralized structure. The vision of the company is to completely centralize the IT organization and to minimize diversity in the environment by creating enterprise standards and coordinating the implementation of new systems on an enterprise scale.

With the advent of Windows 2000 and Active Directory, the current Windows NT model can be extended with the rich, new features of an operating system that can truly scale to meet the needs of the enterprise. The next chapter will describe the next step in the Hay Buv Toys enterprise architecture.

Macintosh is a registered trademark of Apple Computer, Inc.