Logical Domain Structure
This chapter takes you into the realm of enterprise analysis, which is new ground for most system administrators.
Sanity Check
By now, you are probably pretty psyched about Active Directory. And you probably thought we were nuts in the opening chapters when we urged you not to install Active Directory and to deploy standalone servers until you are at home with the new operating system. Now we are going to go overboard. We are going to tell you not to build your new domain until you have a) read this chapter, b) done psychoanalysis of your company, and c) designed your domain on a whiteboard or a math pad and come up with a blueprint. Why? Does Microsoft recommend this? The answer is: Well, sort of.
Microsoft, in both official documentation and in training, is not firm enough in stressing that the root of a namespace cannot be renamed, changed, or deleted without first hacking down the forest and completely reinstalling the domain controller. And this will remain the situation until Microsoft or third parties ship some serious Active Directory manipulation and administration tools.
So, before you start, know this: When you delete the root domain, or the last domain on a domain tree, from the server (demotion), you uninstall the namespace. If you screw up the namespace and decide, after many hours of hard work, that you started wrong, you could end up losing those hours spent creating user and computer accounts and configuring domain controllers. And if you go into production, you also take down several colleagues. We thus offer you a mini-guide to enterprise analysis in this chapter in the hope that when you get ready to break ground, you don’t slice your toes off in the process.
CHAPTER 7
In This Chapter
✦ Planning the Logical Domain Structure
✦ Partitioning the Domain
✦ Using Organizational Units to Create Domain Structure
✦ Creating the Design Blueprint
4667-8 ch07.f.qc 5/15/00 2:00 PM Page 223
Part III ✦ Active Directory Services
Keepers of the New Order
These are exciting times for network administrators. We spoke at length in Chapter
1 about the paradigm shift underway in corporate communications, networking,
and administration. As a Windows 2000 administrator, you now find yourself at the
center of the paradigm shift. You are also a pivotal component in the change that is
underway on the planet, in all forms of enterprise and institutional management.
Windows 2000 is a great facilitator in that paradigm shift. Companies are changing; a new order is emerging. The way businesses communicate with their customers is changing. Very little is regarded from a flat or uni-dimensional perspective. Today, corporate workers, owners, and administrators need a multifaceted view of their environment. Managers and executives need to look at everything from a 360-degree panorama of the business — its external environment and its internal environment.
You, the network administrator, specifically the Windows 2000 network administrator, now have a lot more on your shoulders. Everyone is looking at you — what you’re worth, what you know, how you conduct yourself — from the boardroom members to the mailroom members, you are the person to take the company beyond the perimeter of the old order. Why?
The tools to facilitate the shift can be found, for one reason or another, in Microsoft Windows 2000. You learned a lot about the Windows 2000 architecture in Chapter 1, so we won’t repeat it here, except to say that Windows 2000 Directory, Security, Availability, Networking, and Application services are in your hands, and those of your peer server administrators. The tools you will use to manage all the information pertaining to these services and objects are the Active Directory and the Windows 2000 network.
As mentioned in earlier chapters, Windows 2000 domains are very different from legacy Windows domains. They are also very different from the network management philosophies of other operating systems such as UNIX, NetWare, OS/2, and the mid-range platforms such as AS400, VMS, and so on.
Before you begin to design your enterprise’s logical domain structure (LDS), there
are a number of important preparations to make. Besides items such as meditating,
education, lots of exercise, and a good diet, there are some network administration
specifics to consider. We discuss these items in the following sections.
Planning for the LDS
Back in Chapter 4, we discussed the steps to installation and conversion. One of those steps was designing the logical domain structure. If you have been tasked with the installation of or conversion to Windows 2000, the first item on your list should be to understand the steps to achieving the LDS and then implementing it.
Unless you can create an LDS blueprint, the myriad of other management functions,
such as creating and managing user accounts, groups, policies, shares and more,
will be difficult to implement and cost you a lot in time and material. The following
list represents the steps we will take in this chapter to arrive at the point when we
can begin the conversion process or even install in a clean or new environment.
1. Prepare yourself mentally.
2. Assemble an LDS team.
3. Survey the enterprise.
4. Design the Logical Domain Structure (LDS).
5. Produce the blueprint.
Preparing Yourself Mentally
Long gone are the days when installing a Windows-based network could be handled with a sprinkling of administration experience gleaned from a few books or an education based on crammed MCSE courses.
Running a successful Windows 2000 domain (no matter what the size) is going to require more than a magazine education in networking, telecommunications, security, and administration. If you have been managing or working with Windows NT server, you have a head start on the new administrators and administrators from the other technologies who have chosen to defect. Nevertheless, the conversion and installation process is arduous and mentally taxing. And how much time you spend on fixing problems in the future will depend on how well you lay your foundations now. Here is some advice that will help stem the migraine tide from the get-go.
Forget about Windows NT
Trying to create the LDS of Windows 2000 while thinking about Windows NT, and even managing Windows NT, is like trying to meditate at a heavy metal concert. In other words, it is very distracting. We would say that if you are involved in the day-to-day management of Windows NT domains, you should take a break from being an NT administrator while involved in the Windows 2000 LDS planning efforts, at least in the initial phases. You will find it very frustrating to work in both environments at the same time.
This is sobering advice if you have to manage an NT domain while you plan a
Windows 2000 domain. You will need to make a special effort to separate the old
from the new, the legacy from the up-and-coming.
Forget about Conversion
Trying to think about retrofitting, upgrading, or converting your legacy Windows
domains, and even your NetWare or UNIX environments, will only get you into a lot
of trouble. Forget about what everyone, including Microsoft, says about this, at
least until you have the new domain structure in place and are fully versed in the
techniques described in this chapter and the others described in this book. Only
when you fully understand the possibilities and the limitations of Windows 2000
domains should you begin to plan your conversion process.
If you try to convert before the Windows 2000 LDS is in place, as we discussed in more detail in Chapter 4, you risk an IT disaster, and losing money and opportunity in many respects. Set up a lab as we discussed in Chapter 4. We can’t tell you everything you need to know or beware of in this book, nor can Microsoft. Only you will discover how Windows 2000 accommodates your needs, and how you accommodate its needs. No two organizations are alike.
Stay Out of Active Directory
Before you break out into a cold sweat, this advice applies only to this chapter. The
Windows 2000 LDS is just that, logical. Until you have your blueprint in place, your
plans approved, the budget in the bank, you don’t need to do a thing in the Active
Directory.
Yes, Active Directory is the technology that makes the new LDS a reality, and yes, we would not be discussing LDS in such direct terms as we do here if Active Directory were not a reality, but trying to do LDS while tinkering around in Active Directory is counter-productive. Don’t think you can stumble your way to a design or blueprint.
We’re not saying you shouldn’t try to learn about Active Directory hands-on. Learn
as much about it as you can. If you know nothing about Active Directory, then you
should not be in this chapter just yet, because you should already be au fait with
directory service terms and concepts.
If you are not yet up to speed with Active Directory, study Chapter 2, read the
wealth of information in the help system, download as much information as you can
from Microsoft, and get stuck into books about Active Directory and LDAP. Chapter
2 is the chapter in which you can test examples and concepts in Active Directory. In
this chapter, you should be working with design tools and a whiteboard, a very
large one.
Note: For information on LDAP, you can download RFC 2254, 2255, and 2307 from the Internet. These can usually be located at the Internet Engineering Task Force Web site (www.ietf.org), but you can find these and many other LDAP references at any main search engine.
Assembling the Team
Before you begin, it is vital to assemble a design team. No matter if you are a consultant or administrator for a small company and are attacking this single-handedly, or if you are a leader or part of a team working in a mega-enterprise, designing the domain requires the input of a number of people. In very small companies adopting Windows 2000, the team might consist of you and the owner or CEO.
The Domain Planning Committee
Your domain planning committee will include a number of people, especially if the
task is huge, who will assist you in the enterprise analysis you need to undertake.
Your team might be made up of the following members.

✦ Assistant analysts and consultants to help you quickly survey a large enterprise. The Millennium City example in this book, which is an Active Directory domain structure that spans an entire city, replete with departments and divisions, might need to employ about a hundred analysts to get the survey job done as quickly as possible. It depends on how quickly you need to move, or want to move. If you plan to use your IT department as a test case (going from development to production), then you could probably get away with one or two analysts.
✦ Documentation experts to assist you to get information down and in an
accessible form as soon as possible. These people should as far as possible
be trained in desktop publishing and documentation software, illustration and
chart-making software, group-ware, and so on. The documents should be
stored in a network share-point.
✦ Administrators to be involved in preparing the installation and conversion
process. These might include technicians and engineers currently involved in
the day-to-day administration of domains, technical support, special projects,
and so on.
Domain Management
As the LDS plan progresses from enterprise analysis to approval and implementation and conversion, you will need to appoint people who initially will be involved in the day-to-day administration and management of the new domains.
If you have the resources at your disposal, it will make sense to appoint newly
trained staff or hire and train administrators from the legacy pool. These people
will help you to build the new Windows 2000 domain and will need to communicate
with the administrators of the old domains, and so on. If you are doing everything
yourself, then you have your work cut out for you.
Change Control

Appoint a person responsible for change management and control (see Chapter 11).
As the development domain begins to roll out phases into production, the conversion
team change control process will need to communicate with the MIS/Operations’
change control team, discussed in Chapter 4. All proposed changes need to be fully
discussed, and all teammates need to have the opportunity to assess the impact and
prepare for it . . . or argue against it. Trust us, you don’t want to roll out anything
without it being signed off at the appropriate levels.
Domain Security
You will need to appoint people or yourself to manage all the security aspects of the new domains. Their role will be to test security in the development domain and to apply the appropriate security mechanisms in the production domains. In addition, they will help you to determine domain policy, Group Policy, delegation, workspace management, and so on.
Cross-Reference: See Chapter 3 for information on Windows 2000 security, and Chapter 11 for information on security policies.
Intra-Domain Communication
A very important component is intra-domain communication, or the communications between Windows 2000 domain users and legacy domain users. You’ll need to appoint an Exchange administrator if you plan on integrating Exchange, or else Lotus Notes administrators, Send Mail people, and so on.
A vital component of the LDS is that information is able to flow freely through the
enterprise information network and between the operational environments in
which the company will find itself when a Windows 2000 domain greets the world.
Education and Information
You will need to generate information to keep management abreast of the development with respect to the conversion process and the emergence of the LDS. Once a plan has been approved, this information will need to be extended to educate people throughout the enterprise.
Surveying the Enterprise
Before you can begin to plan the LDS, you need to survey your enterprise. Consider the job of the land surveyor. He or she sets up the theodolite — an instrument that measures horizontal and vertical angles — and charts the hills and valleys, the lay of the land, the contours, and more. These scientists and engineers determine where it is safe to build a house or skyscraper, where to bring a new road or a bridge, where to place a town or a city. You need to do the same, not to determine where the company is going (which is what enterprise analysts do), but how to plan an LDS with what is already in place and what might be around the corner.
In surveying the corporate structure, you are not going to take on the role of offering management advice about its business, nor will you suggest that new departments or units should be added, moved, or removed to suit the new domain structure. Not only would that be impossible, but also it would likely get you fired or promoted out of networking.
On the other hand, the Windows 2000 LDS needs to be filtered up to the highest levels of management. In fact, the LDS blueprint is what the CIO or CTO is going to drop on the boardroom table, and the IT department is expected to implement the changes desired by management to affect the DNA, e-commerce, the paradigm shift, and more. The Windows 2000 LDS, because of what it may expose, may indeed result in enterprise or organizational change, just don’t say it too loud.
Windows 2000 domains reflect the enterprise structure more than any other technology, and the domain structure will be representative of the layout and the landscape of your company, from an administrative and a functional point of view.
Windows NT domain administrators, network administrators, and IT/IS managers have never before contemplated that their careers would take them into enterprise analysis. Large organizations will no doubt hire expensive enterprise analysts, but for the most part it will be an unnecessary expense, unless some serious first aid is needed before a conversion to Windows 2000 can be considered.
In many cases, you already have the resources at hand. They exist in you, and in your peers. You do not have to go overboard studying enterprise analysis, enterprise resource planning (ERP), and customer relationship management (CRM). Of course, having the knowledge will help and may even get you the job you’re after. This chapter serves as a guide if you are not sure where to start. The following sections discuss the key concepts of enterprise analysis.
Enterprise Analysis
Enterprise analysis is enterprise land surveying and enterprise engineering come together for the future and good of the company. Enterprise analysts examine where the company is today, what business it is in (many don’t know), and where it wants to go (or where the board or shareholders want it to go), and make suggestions on how it should go about achieving its objectives. Enterprise analysts help suggest changes at all levels of the enterprise, in particular in information systems and technology. They provide management with critical actionable information . . . blueprints that start the wheels of change turning.
Without technology, very few of the desires of the corporation will become a reality. You do not need to look far to see how misguided efforts in IT/IS have wrecked some companies, while making others more competitive and profitable. In your new role as enterprise analyst, you are surveying the corporate landscape to best determine how to implement a new Windows 2000-based logical domain structure.
You have two responsibilities. First, you have to study the enterprise with the
objective of implementing the new LDS as quickly and painlessly as possible. You
may have a lot of money to work with, or you may not have much of a budget. In
either case, you are going to need facts fast.
Second, you have to study the enterprise and forecast or project where it might be heading. Is the business getting ready for IPO, to merge, to file Chapter 11, or to be acquired? Is it changing focus? All these items and more will affect the LDS of not only a company, but also the LDS of a city, a hospital, a school, and a government.
You might consider that you are doing the enterprise analysis for the good of the
company, but you are doing it for your own good. You will be expected to cater to
any change that may happen between sunrise and sunset. And not having the
wherewithal to implement or accommodate the sudden business direction that
management may throw at you is not good IT administration.
So where do you start? As mentioned before, you can’t plan the LDS by just looking
up all the groups you created in Windows NT and figuring that just importing them
all will do the trick. That would be the worst place to start, and the worst advice
anyone can take. Microsoft, we believe, makes too much noise about upgrading
Windows NT; we believe that countermands strategic LDS planning.
Note: The new Group Policy technology is so sophisticated that it makes upgrading an NT domain and inheriting its groups and user accounts a tricky business. Make sure you fully understand Group Policy before you upgrade an NT domain. It is discussed in detail in Chapter 11.
Here is a short list of starting points. The items may be better in another order for
you, and you may add to the list as you deem fit:
✦ Get management on your side: This may not be difficult if you are the CIO, or if the LDS directives come from the CIO or CTO. But in order to do the job well, you need to have access to more than would be expected of network or domain administrators. This means that management and HR are going to have to trust you with sensitive information. We would like to add to this point: Get the CEO on board. You are going to need to set up appointments with the most senior staff in the enterprise. They need to know that your research is sanctioned at the very top. You will probably encounter resistance at the departmental head level, where change may be deemed a threat. Advise them in writing that if you do not get cooperation their departments will be left out of the domain conversion or “new order.” People tend to go crazy if their e-mail gets cut off, so you can use this as a foot in the door.

✦ Get hold of organizational charts: Most enterprises and organizations have
these. Hopefully, they are up to date. If they are not, or they do not exist, you
are going to have to invest in a software tool that can make organizational
charts.
✦ Tell people what you are doing: It is important to be frank and open about
the process, without exposing the team to security risks.
Enterprise Environments
Before you begin an exhaustive enterprise analysis project, you should take some time to understand the environments in which the enterprise or organization operates. Enterprise analysts often refer to these environments as operational environments. We have been teaching companies about their respective operational environments for several years, long before the advent of Windows 2000. The elements in these environments will feature heavily on both the LDS and physical domain structure (PDS).
There were once only two environments in which an enterprise operated. They were the external and internal environments. The advent of the Internet and wide area networks has resulted in a third environment: the extra environment or the environment “in-between.” An analysis of these environments is essential in the formulation of both the LDS and PDS.
To fully investigate the environments, you need to build lists of items to look for,
otherwise you will not know where to start and when to finish.
The external environment
The external environment is made up of several components: customers, suppliers, distributors, cleaning staff, and so on. At the physical level, the corporation or enterprise has to deal with the elements of the external environment directly. Examples are: providing access to cleaning staff, dealing with customers, delivery pick up, and more.
The external environment of a city, for example, includes voters, tourists and visitors, businesses, foreign nationals, embassies, consulates, divisions of the United Nations, organized crime, private hospitals, schools and universities, government-sponsored bodies, such as the FBI, INS, and DEA, religious congregations, religious boards, and so on.
The most important technological factor in the external environment is the Internet. Like all enterprises and organizations, the Internet provides resources with which to deal with the elements in the external environment electronically and a means of interconnecting partitions of the internal environment. Any modern city is as present in cyberspace as it is in the physical realm.
Today, the neural network in the external environment is the Internet. The telephone system still plays an important and indispensable part, but it is becoming less pervasive as people find the Internet more convenient in many respects.
The enterprise depends on several components on the Internet that are vital to its
existence in general. These include DNS, the locator service for the entity on the
Internet, and the Internet registration authorities that provide the entity the right
(for a fee) to participate in a global Internet infrastructure. These rights include the
registration of your domain names and the assignment of IP addresses, without
which you are unreachable.
Here is a short list of items you should pay attention to when you examine the
external environment:
✦ How is the company connected to the Internet?
✦ How does the company use the Internet’s DNS system?
✦ What are the public domains used by the enterprise?
✦ Who keeps the domains, and makes sure the fees are paid on time?
✦ Are the domains you need to register available?

The internal environment
The internal environment comprises all the departments, divisions, organizational units, and key management entities (KMEs) that work together for the benefit of the enterprise. This environment includes employees, contractors, executives and management, subsidiaries, divisions, acquisitions, equipment, intelligence, information, data, and more.
The internal environment’s neural network is the private intranet and its relative KMEs and administrative functions. The intranet is a private network, which is the medium for the Internet protocols, TCP/IP. The local area network is fast becoming a passé term, associated with outmoded and confining protocols such as NetBEUI, Pathworks, IPX, and more. Windows 2000 is, for all intents and purposes, an intranet operating system that still knows how to function on a LAN for backward compatibility.
Very important to consider in the internal environment are all the legacy systems
and mid-range systems that are going to need facilities in the new realm.
Here is a short list of items you should pay attention to when you examine the
internal environment:
✦ How many employees work for the company?
✦ How many remote divisions or branches does the company have?
✦ What functions do the remote divisions perform?
✦ How are the sites interconnected?
✦ Who is responsible for the management of the network that connects each of
the sites?
✦ What is the bandwidth of the links between the sites?
✦ How is the company prepared for disaster recovery?
The extra environment
The extra environment is the interface — and the environment in the immediate vicinity of the interface — between the external environment and the internal environment. In some cases, the division may be obvious and thus easy to manage (such as a computer terminal in the public library or a voice mail system). In other cases, the interface is harder to encapsulate or define and thus more difficult to manage (such as how people hear about your product).
Examples in the extra environment are e-mail, communications between the internal and external environments that may need to be monitored, controlled, and rerouted, corporate Web sites that let customers access portions of the internal environment, and so on.
The network environment supporting this environment and its technology is known
as an extranet. A good example of such an extranet is FedEx, which lets customers
tap into the tracking databases to monitor their shipments.
Here is a short list of items you should pay attention to when you examine the extra environment:
✦ What Web sites does the company use? Who manages them? Where are they
located?
✦ What call center or help desk functions are in place?
✦ How do contractors and consultants gain access to the enterprise to perform
their work without risking exposure to sensitive data?
Working with Organizational Charts
With the organizational chart in hand, you can zero in on the logical units of the
enterprise and begin enterprise analysis in a “logical” fashion. Figure 7-1 represents
a portion of the organizational chart of Millennium City (the entire chart is on the
CD in the Millennium City Domain Structure Blueprint PDF). The chart has been
adopted from the organizational chart of a major U.S. city, and we will use it
throughout the book to see examples of both logical domain structure and physical
domain structure, as well as configuration.

Figure 7-1: Abridged organizational chart of Millennium City
The full chart in Figure 7-1 is huge (more than 50 divisions and hundreds of boards
and councils), but you must realize that the LDS you are going to create may need
to accommodate such an environment. Obviously, it is going to take many years to
fully convert such an organization, and you’ll likely be working with Windows 2005
before achieving 100 percent penetration with an organization of this size.
In fact, in organizations of this size, you’ll likely never achieve a 100 percent pure
Windows 2000 domain structure, and you wouldn’t want to. Just a cursory glance
at such a chart tells you that you are going to be up to your neck in integration with
legacy and mid-range systems, UNIX and Mac platforms, and more.
You need to start somewhere, however. You’ll need to start conversion and installation with select departments, starting perhaps with your own department, where you can learn a lot about the conversion process, the fabric of Windows 2000, and the place to set up the labs and development environments that we discussed in Chapter 4.
[Figure 7-1 chart labels: Millennium City; City Hall; Deputy Mayor for Operations; Police Department; Fire Department; Department of Information Technology and Telecommunications; To other departments]
We have selected three entities out of the chart to use as examples. We are going to convert the Mayor’s office (City Hall), the Department of Information Technology and Telecommunications (DITT), and the Police Department (MCPD).
Identifying the Key Management Entities
Key Management Entities (KMEs) are the management, administrative, or service
components of a business or organization that, taken as a whole, describe what the
entity does. These KMEs are not on the organizational chart and often span multiple
departments. For example, payroll processing is a KME that spans the enterprise.
While the KME for payroll is concentrated in the Office of Payroll Administration, the
KME spans Millennium City because it requires the participation of more than one
logical or organizational unit. Every department processes payroll by processing
time sheets, data input (time/entry databases), sick leave, raises, check issues,
check printing, bank reconciliation, direct deposits, and so on. The KMEs need not
be physical groups; they can be logically dispersed between several departments
and across several domain boundaries, remote sites, and so on.
All KMEs, once identified, are best represented on a matrix of the enterprise. Each KME represents an area of responsibility that must be measured and evaluated. Once you have identified the KMEs, you will be able to learn about the IT/IS systems and technologies that have been implemented to assist them, and ultimately how both LDS and PDS will emerge to accommodate them. Figure 7-2 illustrates the KME matrix for MIS.
Figure 7-2: KME matrix spreadsheets prepared in Microsoft Excel
MIS people seldom research KMEs or even update previous reports and plans. An
important benefit or payoff of such research is that MIS learns how it can improve
efficiency in the KME.
It is also important to break the KMEs down further and extract the components that require the services of IT/IS. You will need this information later when you identify where to delegate administration and control in various organizational units and domains.
Strategic Drivers
In the movie Wall Street, Michael Douglas’ character identifies greed as the strategic
driver in his effort to raid companies and make huge profits. Greed certainly is a
strategic driver in many companies and organizations, but there are many others,
and you could argue that they are subordinate to greed and profit. The Internet is
a strategic driver; the ambitions of the CEO and major shareholders are strategic
drivers; mergers and takeovers are others; as well as investment in new technology
and more.
Strategic drivers are also new laws, new discoveries, new technology, lawsuits,
labor disputes, and so on. Knowing what makes the company work and what will
keep it working is important in domain planning and structure. You need to have as
much information as you can about the enterprise, and where it is headed, so that
you are able to give 100 percent where and when needed.
We contend that if you know the strategic drivers of the organization you work for,
you will be in a position to cater to any IT/IS demands placed on you. More importantly
and in relation to the task at hand, you will be able to implement a domain
structure to cater to the drivers that will influence the future of the enterprise.
Use your sixth sense, common sense, and logic in determining strategic drivers.
Remember that with the new domain come new threats: denial of service, viruses,
information and intellectual property theft, data loss, loss of service level, and
more. A good example: In the weeks prior to New Year’s Eve, Y2K, we anticipated
that heightened security concerns would come from the CEO of the large distributor
we support. So we preempted the request and investigated how best to lock
down their RAS and still provide access to key support staff that might be required
to dial in during the night. We effectively locked down all access and were able to
create a secure zone on the RAS machine, which authenticated users locally before
providing access to the domain. Being a good system administrator means going
beyond the theories you learn at MCSE school or computer science class. Windows
2000 is the wake-up call for stodgy sysadmins.

Identifying the Logical Units
Look at the organizational chart of Millennium City, and the logical units jump out
at you. Every department or organizational unit within each department will impact
the LDS in some form or another.
The Mayor’s office looks simple enough. There is the mayor and the people who
work for him or her, such as public relations people, advisors, and administrative
staff. The Mayor’s office is probably one of the simplest of the logical units to
represent or quantify in the LDS plan. For all intents and purposes, it can be represented
as a single organizational unit on the LDS.
In corporations, the offices of the CEO and executive staff can range from being
extremely complex to being very simple. But the Department of Information
Technology and Telecommunications is very different. What are the logical units
within this department? Let’s identify some of them in the following list (we cannot
deal with every OU within this department because the list would run into too
many pages).
1. Operations: This unit is responsible for disaster recovery and maintenance
of critical systems. The people in this unit make sure systems are online, they
watch systems and applications for failures, they monitor production, they
print reports, and so on.
If Operations detects errors or problems, they try to fix them within certain
guidelines or parameters. They may be required to restore servers in the middle
of the night, or call the on-call staff as needed. Operations staff are trusted
employees with heavy responsibilities. They probably need high levels of
access to certain systems; they may need to have authority to shut down
servers, reboot machines, perform backup, and so on.
2. Help Desk: This unit may be part of Operations or a separate unit. Help Desk
is responsible for getting staff out of jams with technology, teaching them how
to use new applications, and more. They also need special access to systems.
Help Desk often needs to troubleshoot applications and systems in the context
or stead of the users they need to help. For example, they may need to
log in to mailboxes, troubleshoot print queues, and escalate calls to second-
and third-level support.
3. PC Support: PC Support is a separate organizational or logical unit within the
Department of Information Technology. The people who work in this unit
troubleshoot desktop PCs, and upgrade, maintain, and ensure that all employees
within the entire company, often across physical organizational divides, have
the resources they need to do their work.
4. Security: The Security staff are responsible for catering to requests for user
and machine accounts, changing passwords, access to resources, and more.
The security staff work closely with network support in determining group
memberships, rights and permissions, access to shares and files, and so on.
5. Network Support: That’s where you (and we) come in. Network Support deals
with the upkeep of the intranet, servers, and WAN resources, dealing with network
providers, routers, circuits and more. You also deal with the location of
domain controllers, upgrading servers, interconnecting protocols, establishing
services, storage, backup and disaster recovery, and more.
Identifying the Physical Units
Between the various departments in an organization, there are numerous physical
units to consider. First, departments may be located in separate buildings and in
other cities. In Millennium City, for example, the Mayor’s office or City Hall is
remote from the Department of Information Technology and Telecommunications.
The Police Department, for example, is spread over numerous buildings all across
town.
We have intranets to deal with, WANs and dedicated connections between departments
that cooperate closely. The Police Department of a city of this size employs
its own technical team that manages network resources and systems at both the
office of the Police Commissioner and at the individual precincts. The Police
Department is also hooked into the systems at the Department of Transportation,
the District Attorney’s Office, the Department of Corrections, and so on. (We will get
to more detail about physical units in Chapter 8, but for now understand that your
LDS needs to take into account the physical makeup of your organization.)
Documentation
Once you have thoroughly surveyed the enterprise and are familiar with its layout
and organization, it is time to document your findings. Be aware that at this point
in the LDS design process, the documentation is far from complete, but it nevertheless
forms the basis or departure point from which the conversion or management
team can begin planning and creating a blueprint. Remember too that the initial
conversion project should be open-ended enough to permit you to slide into continuous
domain administration and that the documentation should continue to evolve.
It will become the “bible” for the present and future administrative teams. The following
short list is a suggestion of steps to take to complete documentation and
move forward with your LDS and conversion plan:
1. Update the organizational chart and then circulate it to department heads for
additions, accuracy, and comment.
2. List the KMEs throughout the enterprise and describe the extent of the administrative
function in each KME. You will be noting the size and complexity of the KME.
Make a note of where the KME extends beyond departmental or
divisional boundaries of the enterprise. There are many formats that the documentation
of KMEs might take. We suggest you create a matrix on a spreadsheet,
listing departments and divisions in the column headers and the KMEs
you have discovered as rows, like the one started in Figure 7-2.
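The KME matrix described in step 2, sketched as an added example that is not from the book: it builds the matrix from survey records, writes it in spreadsheet (CSV) form with departments as column headers and KMEs as rows, and lists the KMEs that cross departmental boundaries, which are the ones to revisit when delegating administration. Payroll processing and the Office of Payroll Administration come from the chapter; the other KMEs, the department assignments, and all function names are constructed assumptions.

```python
import csv
import io

# Constructed survey records: (KME, department that takes part in it).
# Only the payroll KME and its home office are named in the chapter;
# every other row is an illustrative assumption.
SURVEY = [
    ("Payroll processing", "Office of Payroll Administration"),
    ("Payroll processing", "Police Department"),
    ("Payroll processing", "Mayor's Office"),
    ("Payroll processing", "Information Technology and Telecommunications"),
    ("Help desk support", "Information Technology and Telecommunications"),
    ("Account and password requests", "Information Technology and Telecommunications"),
    ("Account and password requests", "Police Department"),
]


def build_matrix(records):
    """Return (departments in first-seen order, {kme: set of departments})."""
    matrix = {}
    departments = []
    for kme, dept in records:
        matrix.setdefault(kme, set()).add(dept)
        if dept not in departments:
            departments.append(dept)
    return departments, matrix


def cross_boundary(matrix):
    """KMEs that involve more than one department, widest span first."""
    spans = [(kme, len(depts)) for kme, depts in matrix.items() if len(depts) > 1]
    return sorted(spans, key=lambda s: (-s[1], s[0]))


def to_csv(departments, matrix):
    """Render the matrix: departments as column headers, one KME per row."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["KME", *departments, "Departments involved"])
    for kme in sorted(matrix):
        marks = ["X" if d in matrix[kme] else "" for d in departments]
        writer.writerow([kme, *marks, len(matrix[kme])])
    return out.getvalue()


if __name__ == "__main__":
    depts, m = build_matrix(SURVEY)
    print(to_csv(depts, m))
    for kme, n in cross_boundary(m):
        print(f"{kme}: spans {n} departments, review delegation across OUs")
```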