Example Bank’s infrastructure includes a Windows NT domain (EXBANK), an Active Directory domain (eb.com) with two domain controllers, and a two-way MMR Sun Java System Directory Server (dc=eb,dc=com) deployment. Example Bank has two main sites: one located in New York City and one in Los Angeles.
The following figure describes Example Bank’s deployment of its directory resources.
Sun Java System Directory Server is the corporate directory server that is used to control access to all web-based applications. Pluggable Authentication Module (PAM) for LDAP authenticates and manages passwords on the SolarisTM Operating System (Solaris OS) against Directory Server passwords. The two preferred Directory Servers manage a single root suffix, dc=eb,dc=com, and all users are stored in the ou=people,dc=eb,dc=com container with uid as the naming attribute. The directory servers, installed on Solaris systems, are running on separate machines: master-east.eb.com and master-west.eb.com.
The single Windows NT domain is called EXBANK. The Primary Domain Controller (PDC) runs on a pdc-east.eb.com machine in New York City. A backup domain controller (bdc-west.eb.com) runs on a machine located in Los Angles. All Windows NT user accounts have a Directory Server account with the exception of the built-in Windows NT accounts. The Windows NT USER_NAME attribute is the same as the Directory Server uid attribute.
The Active Directory deployment has a single domain, eb.com, with two domain controllers:
ad-east.eb.com (in New York City)
ad-west.eb.com (in Los Angeles)
In this deployment, ad-west.eb.com is the PDC Flexible Single-Master Operation (FSMO) role owner.
Users are stored in two separate organizations corresponding to the two sites:
ou=east,dc=example,dc=com
ou=west,dc=example,dc=com
Example Bank is in the process of migrating users from Windows NT to Active Directory. Each employee has a Windows NT or Active Directory account. The migration of the users is based (in phases) on the employees’ last names. Every week Example Bank moves users whose last name begins with the next letter of the alphabet. Currently, the company has migrated employees whose last names begin with letters A through F.
For users who have Directory Server accounts, the Active Directory samaccountname attribute stores the uid. When a user account is migrated from Windows NT, the user keeps the same login. That is, the Active Directory samaccountname attribute of the new user is the same as the Windows NT USER_NAME attribute.