Organizing and Evolving the Active Directory Team
As you embark on building the Active Directory team to design, implement, deploy, and eventually leverage your investment in Active Directory, it is important to recognize the evolution that takes place within the team and the team's relationship with the organization.
In the beginning, Active Directory design started with some fact finding about the requirements for the directory and about the types of directories currently existing in the organization. This activity starts the first phase of developing the directory. Phase 1 is called "Understanding, Labbing, and Prototyping." Phase 1 is the learning phase in which the team works together to understand Active Directory and to determine how to implement it in the organization.
Phase 1: Understanding, Labbing, and Prototyping
During Phase 1, the Active Directory team consists of the directory services manager/lead, Active Directory engineer, Active Directory Operations Specialist (ADOS), and a DSAS. The team is striving to create an architecture document that identifies the requirements for Active Directory. These might include reduced administrative costs and greater consistency of information across the enterprise. As the team might be new to the technology, there should be some time planned for taking the ideas and technology into the lab and validating functionality based on the requirements. The lab portion should result in a reasonable architecture document.
This type of discovery process, close to the beginning, requires an action-oriented staff. It also requires analysis of how to balance the requirements. This first phase requires senior staff in the organization for identifying the needs of the organization, most likely through some type of interview process. The results should be documented and integrated into the architecture document. The team should document all the findings and develop standards for implementation.
Now that you have an understanding about the requirements, the next step is to create a lab environment to validate the functionality and demonstrate to those in various roles how the product actually works against the requirements. This is a time for the Directory Services Operations Specialist (DSOS) to validate some of the administrative tasks.
In the third part of this phase, the organization should work to establish a preproduction prototype for a small representative group of users. The objective of this phase is to provide the users with an understanding of the function of the design in a real-world environment. Performance and operational procedures surrounding the implementation should also be noted for any unusual variances to what might be expected.
During this phase, a directory services manager/lead needs to be identified to deal with all the logistics for rolling out the product and through the preproduction pilots. Training requirements need to be identified for staff, end users, and developers.
Phase 2: Implementation of Active Directory and Applications
During this phase of the development, t he team changes the focus from investigation, discovery, and documentation to the actual building of the systems and processes for the directory. Initially, the directory services team focused on design and design validation. With design complete, the team focuses on rolling out Active Directory and providing a structured operation for supporting the new environment.
The jump from planning to implementing creates a dramatic change for the complexion of the team. Depending on the size of the organization, there might be a need for temporary staff during the role out. In any case, there is the challenge of moving from a largely analytical phase to a largely "can-do" phase, during which the focus is on getting the product rolled out.
In conjunction with the roll out of the directory, there should be special consideration for rolling out an application that takes advantage of the enterprise directory. This application should have been in development and tested during the preproduction pilot, and it should go through the typical application quality-assurance process. As the directory scales to the enterprise's size, you can deploy the application. We would recommend that at least 50 percent of the deployment is completed, and that the 50 percent that is completed is representative of the organization as a whole. In addition, the first application that uses the directory should be a simple application, and one that is used by only a small population within the organization.
You can deploy applications that use Active Directory after the initial installation and stabilization of Active Directory. The use of Active Directory by applications is a great leveraging point for the new directory service, but it is understandable that some organizations are reluctant to deploy a new operating system, directory infrastructure, and a custom application at the same time.
The objective of the implementation phase is to deploy a clean, relatively simple implementation of the directory across the organizations. It is realistic to expect less than the entire organization moving to Active Directory during the initial implementation. Primary for this phase is deploying an implementation that is reliable as a platform for the organization. The organization should not see some new intrinsic benefit of the directory at this phase. Although this might occur, this phase focuses on laying a strong foundation for more expanded uses of Active Directory.
In Phase 2, the directory services team has moved from analytic and discovery driven to task–oriented and process driven. This is a challenging transition. Most architects are interested in seeing their designs come to fruition, but dealing with the rigors of a day-to-day installation is not an ideal situation. As Table 1.2 demonstrates, the directory services engineer and the DSAS are supporting the roll out and doing some planning for future enhancements. Enhancements include exposing features that you did not initially implement, adding third-party software, and customizing the directory.
| Role | Phase 1 | Phase 2 | Phase 3 |
|---|---|---|---|
| DSE | Design initial functionality | Support design modifications, as required for implementation. | Support design changes as needed. |
| Start on future design enhancements. | Continue with future design enhancements. | ||
| Provide Tier 3 support. | Work with directory services manager to develop a directory services vision for future phases. | ||
| DSAS | Participate in designing initial functionality. | Support application implementations using directory services | Develop roadmap directory-enabled for applications. |
| DSOS | Understand the design. | Support implementation /roll out. | Operate directory services. |
| Provide Tier 2 support. | |||
| Project Manager | None | Drive effective implementation. | Conduct post mortem and evaluate lessons learned. |
Phase 3: Maturity, Leverage, and Evolution
In Phase 3, the team defines a new mission. After the implementation is complete, the foundation for leveraging directory services is in place. This does not constitute the end but only the beginning of the challenge. After directory services are in place, the team has learned many things about the product and its use. This phase of the project is to truly create an operating environment. The design phase provided a vision for the implementation. The implementation phase built Active Directory to that vision, and in turn, most likely leads to many lessons about the product, end users, application use, and directory services team. In Phase 3, the directory is fine-tuned, based on what we learned.
Maturity
The directory services environment and the directory services team matures during this phase. The implementation phase probably encouraged many individuals to work together to get things done, regardless of the responsibility. The Project Manager is now gone, and he or she has turned over the outstanding issues of the implementation. During Phase 3, the team should mature the system based on the outstanding issues. Regular performance, system utilization, and problem summaries should be captured for trend analysis and proactive resolution of problems.
Just as the system matures, the directory services team matures. The team now has a firm understanding of how the system works. The Active Directory design team should expand to include some if not all the DSOSs. The DSOSs are a vital link to the day-to-day operational functions and challenges.
Working directly with the DSOS, the DSAS can identify opportunities for developing tools to enhance the support of the enterprise system.
Leverage
At this point, you have several pieces in place. Active Directory is running and stable. The organization is using the directory. At least one custom application is up and running on the directory. Now, you are prepared to leverage the directory. This effort should be lead by the directory services manager and the DSAS for application development. The opportunity is to identify applications, both those currently in place and new ones, which can take advantage of the directory for more effective and dynamic use in the organization.
Several application uses come to mind. Applications that are used in HR and need to kept track of, or communicated with employees. A common example would be the new employee interface. After the new employee has finished orientation, a HR person would be able to programmatically enable the new employee's email and network account. On exit, the HR person could disable the account. With regular employee-benefits information sent out, communications could be sent to users based on a location that is identified in the company's directory. This is a short list, but the directory probably has hundreds of uses that are valuable—now that we know the directory is run and maintained by an organization chartered with that responsibility.
Evolution
Now that the directory has matured and is starting to be used to an advantage in the organization, the process of evolving the directory (just as the organization and industry are also evolving) is important. The evolution of the directory starts from the beginning. The directory services manager, the directory services engineer, and the DSAS should work together to define the evolution. Questions about the direction of this mission critical service need to be answered.
Will this service scale with the organization's direction?
What are the emerging service standards that are going to be required as the service becomes integral to all the activities of the organization?
Are we ready for the next release of the product?
Are there features in the current product that we are ready to expose?
Does the current application functionality need to be increased?
The answers to these questions help to define the evolution that will undoubtedly take place as directory services takes an increasingly important role in your organization.
Now we have covered the organization, the directory services team, and the various roles they play in your organization. There is also an important design requirement that can have an impact on your organization and how your IT staff organizes around these requirements.