From NT Domain to Server 2003 Active Directory - Page 3
Using Server 2003 AD
After this change, though, you may need to do some client upgrading. Your Windows 98, Windows 95, and Windows NT computers, both servers and workstations, will need AD client software before they can see AD's resources. Even with an AD client, though, computers running Windows 95 and Windows NT4 SP3 or lower won't be able to access resources, as the AD upgrade to NT domain controllers default to having Server Message Block (SMB) Protocol packet signing enabled, and they can't handle this change. With packet signing on, they'll be unable to login, much less access resources. The answer is to go to the Group Policy Object Editor and disable the "Microsoft network server: Digitally sign communications (always)" setting.
To get the real goodies out of Server 2003 AD, you can't stay at Mixed level. Instead, you need to upgrade your Domain Functional Level first to W2K native and then to Server 2003 — or if you're foolhardy, you can jump all the way to Server 2003.
What happens along the way is that with W2K native, you lose the ability to have any NT4 servers in your domains. On the other hand, you gain the power to (1) have nested security groups, (2) migrate security principals between domains, and (3) convert security groups to distribution groups and vice-versa. While nice, these aren't deal breakers, which is another reason why relatively few people went from NT domains to W2K AD.
At the Server 2003 level, while you can no longer have W2K servers in AD, you gain some minor abilities plus the big winner, Domain Rename Tools, which enables you to rename domains and application directory partitions in a deployed Active Directory forest. Think this doesn't sound like much? Think again.
With these tools, you can rename items without repositioning any domains in the forest structure, create a new domain-tree structure by repositioning domains within a tree, merge domains, or create new trees. Trust me on this one — there are W2K AD managers who would have killed for this kind of power.
Of course, the downside is that to get to this point, you not only have to upgrade your NT Servers, you even have to upgrade your W2K servers to Windows Server 2003. Thus, as useful as the Domain Rename Tools are, I doubt we're going to see many people using these tools anytime soon. Yes, they're powerful, but the price of admission is simply too high for most people at this point.
Living with Server 2003 AD
So, in the end, will it be worth it? If you're currently going crazy trying to administer a horde of NT domains and you have the resources for a major upgrade, the answer is a definite yes. Windows Server 2003 AD makes managing large companies and Microsoft-based server farms much easier. In addition, it's never been easier to upgrade to AD.
On the downside, Server 2003 itself is half-baked. You can't run most bread and butter server applications, including Exchange 5.5, on it. Since you have to be running nothing but Windows Server 2003 in order to benefit from the full value of Server 2003 AD, I just don't see many, if indeed any, companies becoming 100% Server 2003 AD shops at any point this year.
Is it worth it? The bottom line is that with Microsoft setting NT 4 Server's service and support clock to run out on December 21, 2004, the move from NT 4 is now an inevitability for most of us.
What I'm personally doing is running Server 2003, W2K Server, NT4, and Samba machines with AD under mixed mode. No, I'm not getting the full benefits of AD, but I'm retaining all my legacy investment while enjoying some of AD's benefits. And the experience I've gained with AD will help me be better prepared for the day when I do retire my NT machines. For me, and I suspect for most of you, this is the best path to take.