IFASDOM Migration Recommendations – Executive Summary

July 9, 2003


Situation – Retiring Windows NT 4.0

The IFAS centralized computing and network system (IFASDOM) currently operates under Microsoft Windows NT4, which has an official retirement date of January 1, 2003. Mission-critical services, including e-mail, web, and resource sharing, are based upon this old technology. Microsoft Windows 2000 is the incremental upgrade to NT4 and was released over two years ago. The new technology is built around a centralized directory service called Active Directory (AD), which offers many advantages and improvements over NT4 (specific advantages and disadvantages are listed below).

A grassroots effort to organize a UF-wide AD was initiated last year, but that group (Windows 2000 Consortium) has made no progress to date. There are indications, however, that an IFAS-led initiative could provide the framework for a UF-wide AD implementation. Planning is the most critical phase in a Windows 2000 migration project, and that process should begin now in order to avoid a "light switch" migration approach as NT phase-out nears. The cost to IFAS of delaying the upgrade could far exceed the costs of implementation.

Recommendation

ICC recommends that:

  1. ITPAC request conceptual approval from IFAS Administration for upgrading to Active Directory.
  2. A directive be issued to IFAS-IT to focus appropriate resources toward planning and implementation of Active Directory.
  3. The planning and implementation effort be conducted in cooperation with the ICC AD Subcommittee to facilitate willing participation.
  4. Unit and Department Directors be encouraged to lend assistance by providing unit IT expertise to serve as AD Project Team members for the initial planning and implementation effort.

The goal of the project will be to build a centralized computing environment that every IFAS unit will want to participate in.


Situation – Unit Participation in Centralized Computing Services

Despite the improved efficiencies and economies of scale inherent to a centralized computing environment, there are currently several barriers to participation for many IFAS departments and units. Even prior to the creation of IFASDOM, participation has been limited by two major issues – trust and control. Specifically, non-participating units have been reluctant to join primarily due to:

  1. Lack of trust in the ability of IFAS-IT to deliver an acceptable level of service.
  2. Loss of direct administrative control of local IT resources.

Recommendation

Windows 2000 Active Directory addresses and resolves most of the barriers related to direct control of local resources. Those local control issues that are not solved by AD must be addressed in the planning effort as a matter of policy, and must include procedures for redress.

Barriers and service level issues relating to trust must be addressed as a matter of policy, procedure, and funding internally at the IFAS-IT level. It is nonetheless critical to identify and describe those barriers and suggest improvements as part of the planning effort. In particular, two issues relating to service offerings have been identified as needing improvement. The ICC recommends that IFAS-IT:

  1. Establish written minimum service level requirements for key areas:
    • Service enumeration and prioritization (web, email, backup, etc.)
    • Communication & contacts
    • Security
    • Disaster recovery
  2. Review, update and improve the online documentation system with a focus on:
    • End user documentation needs (instructional, procedural)
    • IT admin documentation needs (instructional, procedural, planning)
    • Creating a change control documentation system (what’s broken, what’s fixed, by whom)

Identifying and addressing these and other trust issues associated with level of service will assist in removing barriers to unit participation in a centralized computing environment.


Microsoft Active Directory – Advantages and Disadvantages

Advantages of Active Directory (AD)

  • AD is the next logical step in the natural progression of Microsoft’s enterprise computing platform, and officially replaces Windows NT4.0 to which IFAS committed in 1998.
  • Kerberos support brings IFAS computer users one step closer to a single sign-on computing environment (i.e. Gatorlink / UF OIT Directory project).
  • Allows delegation of administrative control to unit administrators without jeopardizing security of the entire domain.
  • Provides simplified means for improved collaboration between IFAS users at different units/departments.
  • Allows centrally managed software installs, updates, & repairs. Admins can track licensing, install service packs & security updates without having to visit each desktop.
  • Provides means for granular control of the user environment (i.e. drives, printers, desktop) for users and/or computers based on physical site, logical domain, or organizational unit.
  • Supports secure remote control and administration of servers and workstations.
  • Provides for establishment of a consistent user environment (including applications) regardless of where the user logs in.
  • Provides significantly improved server operating system stability, speed, and scalability.
  • Provides support for disk quotas.
  • Provides improved security infrastructure, including EFS (Encrypting File System), PKI (public key infrastructure), and IPSec (over-the-wire data encryption).
  • Optimizes replication and logon traffic over slow links.
  • DNS records are dynamically maintained.

Disadvantages of Upgrading to Active Directory

  • Because the directory is shared, any modifications to the schema will require coordination with a central entity (IFAS-IT?). Procedures for this must be established.
  • Domain members (potentially every IFAS unit and department) must agree on a common password security model (i.e. length, expiration time, lockout duration, etc.).
  • IFAS-IT could conceivably mandate unwanted policies with no option for overriding at the unit level (domain, or OU). Procedures for redress must be established.
  • Migration to AD will require some server upgrades / replacements.
  • Migration may require allocation of additional FTEs to support maintenance of the directory.
