Georgia Tech Active Directory (GTAD)
Hardware and Software Requirements
last updated: 27 February 2004
Requirements are directly tied to how you plan to participate in GTAD. In general, there are two options available to administrators when joining AD. We strongly recommend joining AD as an OU for several reasons; however, there is no policy that forces a department to join as a Domain or as an OU. We will assist administrators in choosing the best option for their environment.
Option 1: Joining as an Organizational Unit (OU)
This option is strongly recommended by OIT.
Pros:
- Very easy migration and integration process.
- Easy to maintain complete compliance with the GTAD Forest.
- Lowest cost to the Institute. (No extra hardware or staff requirements.)
- Reduced administrative overhead.
- Very low hardware requirements. If you don't have internal services, you won't even need a server!
- Fully delegated administrative control. (You manage everything, right down to user desktop profiles and group policies!)
- Reclaim old PDC and BDC hardware! (Use them as Windows 2000 file servers or high-end workstations.)
- Very flexible structure and upgrade path! (Move AD objects around easily!)
- Complete read access to the Forest-wide GAL!
- Simple to move to a Domain structure if the need is identified later on.
Cons:
- Creating trusts to external entities requires central support.
- Can't maintain your own enterprise service that requires AD schema modifications. (MS Exchange 2K comes to mind!)
- Domain-wide password policies aren't enforced at an OU level; OUs inherit the password policy of the domain.
Minimum Requirements for Joining as an OU:
Desktop/Member Server Requirements:
- Windows desktop OS should be at least Windows 2000, with hardware to support it, to receive the benefit of the GTAD service.
- Windows member servers should be at the Windows 2000 level, with hardware to support it.
Option 2: Joining as a Domain
This option is not recommended by OIT.
Pros:
- Can implement domain-only policies. (Not really worth much, because GT's password policy is based on our Kerberos system.)
- Can run your own Exchange 2000. (Exchange 2003 is not supported as a root.)
Cons:
- More hardware required!
- Must adhere to a secure account management process. (Disable/delete old accounts; automate the process.)
- Support staff required to have substantial knowledge of Active Directory.
- Major increase in administrative overhead! (Maintain backups, secure DCs, resolve replication issues...)
- Must have local on-call status to resolve issues related to your domain that affect the Forest. (Site related.)
- Must have a disaster recovery solution for your DCs.
- Must participate in Schema update discussions and decisions. (Domain Administrator responsibility.)
- Have to physically secure Domain Controllers (DCs).
- No reliable 24x7 emergency response center in place. (Root DCs have OIT 24x7 responsibility.)
- Must adhere to more stringent Domain policy considerations.
- Will have to coordinate with other Domain administrators for unscheduled outages or major upgrades.
- Not very flexible, and difficult to collapse into an OU structure later.
Minimum Requirements for Joining as a Domain:
Domain Controller Requirements:

Minimum Requirements
- Processor: Single 550 MHz PIII or comparable.
- Memory: 512 MB of RAM
- Hard Disks: Two 9 GB - Mirrored
- Network: 100 Megabit Ethernet
- Systems: 2 Windows 2000 SP4 Servers (for redundancy)

Recommended Requirements
- Processor: Dual Intel Xeon or comparable.
- Memory: 1 GB of RAM
- Hard Disks: Three 9 GB - RAID5
- Network: 100 Megabit Ethernet
- Systems: 2 Windows 2000 SP4 Servers (for redundancy)
Desktop/Member Server Requirements:
- Windows desktop OS should be at least Windows 2000, with hardware to support it, to receive the benefit of the GTAD service.
- Windows member servers should be at the Windows 2000 level, with hardware to support it.
Other Options
Of course, you can always choose to maintain your own separate AD Forest, but this is highly discouraged. Aside from the issues involved with joining as a domain, building an entirely different forest severely impairs your users' ability to easily share and access other resources at Georgia Tech. Windows 2000's lack of cross-forest interoperability presents other challenges too. You will not be closer to achieving single sign-on integration with GT's Kerberos service, nor will you have the automated account management system in place that helps ensure compliance with the strict security policies of the Institute. The Office of Information Technology (OIT) will not be able to provide AD support to external Active Directory Forests.