At 10:51 AM -0500 11/4/04, Mulnick, Al scribbled:
AD is quick, painless and mostly maintenance free.  That's easy.  Think of
it as an app that comes with its own directory just like so many others :)

Sounds like you want the account lifecycles to be authoritative in another
system and just have them flow down to AD.  If that's the case, then MIIS
might be your ticket.  It could also be that you want to have a look at the
current metadirectory systems you have (for lack of a better name even if
they're homegrown) to see if they can do what you want.

For more reading on the product and how to plan, deploy, and run it have a
look at the website: http://www.microsoft.com/ad

Note that AD relies heavily on DNS which is the usual biggest fight for
deployment.  Best bet is to delegate a sub zone for AD usage and get the
workstations to use an AD DNS and forwarders to other DNS systems if your
environment is similar to ones I've seen before.  That allows your AD
infrastructure to be self-contained and mostly integrated with the other
systems in the landscape.  Over time somebody is bound to realize that the
AD is the more important of the systems as it contains and controls the
desktops which are the only access points or "gates" to the back room
infrastructure.  Helps to have it in place and working first though :)


While we do run BIND for everything else, we HAVE created a separate subnet for the labs and classrooms. I haven't started using it yet, but switching over would be trivial. So I could just let the AD server do the DNS for that subnet, I suppose. I'm assuming that AD's DNS server can be set up to take its cues from our other servers?


...ROMeyn
--
signat-url: http://www2.potsdam.edu/prescor/signat-url.htm
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
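
The sub-zone delegation suggested in the thread, sketched as a fragment of the parent zone on the existing BIND server. This is an added example, not part of the original messages; the zone name `ad.example.edu`, the host names and the addresses are constructed placeholders.

```dns
; Parent zone file on the existing BIND server (constructed example).
$ORIGIN example.edu.

; Delegate the sub zone "ad" to the DNS service on the AD domain controllers.
; BIND stays authoritative for everything else in example.edu.
ad              IN  NS  dc1.ad.example.edu.
ad              IN  NS  dc2.ad.example.edu.

; Glue records: needed because the delegated name servers sit inside
; the zone being delegated, so resolvers cannot look them up otherwise.
dc1.ad          IN  A   192.0.2.10
dc2.ad          IN  A   192.0.2.11

; On the AD side (not shown here): lab and classroom workstations use
; dc1/dc2 as their resolvers, and the AD DNS service is configured with
; the BIND servers as forwarders for every name outside ad.example.edu.
```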
