If you believed Microsoft a few years back, Active Directory was the answer to all your network users and system resources universal directory prayers. Ha!
Upgrading from NT domains to W2K Active Directory (AD) was as scary a job as a network administrator could ever want to avoid. It was a horror show of tasks that cost many LAN managers their jobs and took many companies over a year to complete. And once it had been completed, you were still stuck with such unlikely and annoying problems as being unable to delete schemas if you had made a mistake in implementing your original design or if you simply wanted to clean up directory clutter.
Is it any wonder then that many companies stuck with NT? Managing a large set of NT domains may have been messy, but at least it worked. Besides, under NT, adding a Samba server or Backup Domain Controller (BDC) was a piece of cake. And if you had W2K Servers, you simply added them to the domain via the “Server Manager” on your NT Primary Domain Controller (PDC) and then joined the new server to the domain. No fuss, no muss.
Today, though, Windows Server 2003 has made AD much more friendly, useful, and faster, as well as much, much easier to upgrade to from NT domains.
First Things First
Easier isn’t necessarily the same thing as simple, though. Before you even think about upgrading your domain structure, you need to know exactly what’s what on your network. Think you know? I doubt it.
Unless you’ve been tracking your network’s evolution religiously, I suspect you’ll find unknown servers and BDCs on your network running everything from early models of Samba to NT4 SP3, not to mention some oddball trust relationships and Security Accounts Manager (SAM) records.
Besides, even if you know exactly what’s what, you’ll want to spend some time deleting duplicate and unused user, group, and computer accounts. You’ll also want to consolidate group accounts that duplicate the same permissions. In other words, take the time to do some spring cleaning on your network — it will help not only with AD, but also with removing potential security issues from your network.
You’ll also need to check your current NT server operating system patch level. You shouldn’t even think about upgrading if your machines aren’t running at least NT4 SP4. The latest shipping version of Samba, v2.2.8a, will also run with Server 2003 as a server, but I’d be wary of using Samba systems as BDCs until there’s been a lot more time spent running Samba and Windows Server 2003 on the same networks.
Once you have a handle on these issues and you’ve cleaned up any gratuitous SAM accounts, demoted any Samba servers from PDC or BDC to server status, resolved any potential security hazards, and all that other fun stuff, you’ll finally be ready to start thinking about your upgrade.
Yes, thinking. There are three ways to upgrade from NT to Server 2003 AD, and while it’s a lot easier to back up in an AD deployment than it used to be, you really don’t want to start down the wrong path. You’ll end up wasting man-days, not man-hours, if you do.
Your three choices are: 1) upgrade, 2) restructure, or 3) upgrade and restructure. With an upgrade, you basically keep the exact same structure you’re already using, but now you have AD at the top so you can better run the whole show. This, as you might guess, is also the easiest path, takes the least amount of time, has the lowest risks, and requires the fewest resources. It also presumes that instead of adding a new Server 2003 server, you’re just converting at least one of your existing NT servers to Server 2003.
Your existing structure showing its age? Want better overall server uptime? In either of these cases, you’ll want to restructure your network. If you want to retain your existing domain structure but add new Server 2003 machines and implement AD’s features now rather than later, you’ll want to do both an upgrade and a restructure.
But before charging out there, you also need to consider practical constraints. Even a mere upgrade of a small business network will take up a weekend. Do you have a free weekend? Do you have the budget to pay for people to work that weekend? Do you have working backup servers in place so your company can keep going even if your upgrade doesn’t?
And let’s not forget that if you’re going to bring your application servers over to Server 2003 as well, you have to ask yourself will your applications still work? After all, Server 2003 may be a killer file and Web server, but it has amazingly few applications that will run on it today.
Only make the move once you’re 110% certain that you really want to do it and you have the resources to do it right.
Down and Dirty
OK, you now know exactly what you’re doing, and you’re ready to get the show on the road. Your next step is to head over to the Microsoft website and grab a copy of Active Directory Migration Tool 2.0. It’s not just a great tool — it’s a must-have tool for NT domain administrators on the AD move. I’d no more try an upgrade without it than I would face the day without brushing my teeth.
You’ll also want to read Microsoft’s white paper Migrating Windows NT Server 4.0 Domains to Windows Server 2003 Active Directory before making the move.
Once armed with these tools and information, you’ll want to start with your PDC. What’s that, your PDC can’t handle Server 2003? In that case, start with a BDC, then upgrade it to a PDC and downgrade the old NT PDC to a BDC. After that, you can upgrade all the other BDCs. Or if you want, you can decommission them as BDCs and either leave them as NT servers or install Server 2003 on them. In ether case, make them ordinary member servers.
If you haven’t done so before, you’ll also need to install Domain Name Service (DNS) on at least one of your servers. Active Directory needs DNS to resolve AD domain, site, and service names to IP addresses. You can use NT, W2K, or Server 2003 DNS, but for best results I recommend running Server 2003 AD and DNS on the same machine.
Along the way, you’re also going to be creating Containers that will hold your NT users, computers, and groups. These objects are named Users, Computers, and Builtin. No, Builtin isn’t just a funny name for groups. NT 4 built-in local groups, like Administrators and Server Operators User accounts, go into the Builtin container. Local and network groups that you’ve set up in NT 4 – the “jocks from accounting,” for instance – are placed in the Users folder.
As you upgrade your PDC, you’ll likely want to set it as the first domain in a new Server 2003 forest. If that’s the case – and if you’re upgrading from NT to Server 2003 it almost certainly will be – you should set your forest functional level to “Windows interim” — aka Windows 2000’s Mixed level. Don’t worry about looking for the menu choice to do it; you’ll be prompted for it during the upgrade. It gives you all of Windows 2000 ‘s level forest functionality and also includes improved replication capabilities and speed.
Using Server 2003 AD
After this change, though, you may need to do some client upgrading. Your Windows 98, Windows 95, and Windows NT computers, both servers and workstations, will need AD client software before they can see AD’s resources. Even with an AD client, though, computers running Windows 95 and Windows NT4 SP3 or lower won’t be able to access resources, as the AD upgrade to NT domain controllers default to having Server Message Block (SMB) Protocol packet signing enabled, and they can’t handle this change. With packet signing on, they’ll be unable to login, much less access resources. The answer is to go to the Group Policy Object Editor and disable the “Microsoft network server: Digitally sign communications (always)” setting.
To get the real goodies out of Server 2003 AD, you can’t stay at Mixed level. Instead, you need to upgrade your Domain Functional Level first to W2K native and then to Server 2003 — or if you’re foolhardy, you can jump all the way to Server 2003.
What happens along the way is that with W2K native, you lose the ability to have any NT4 servers in your domains. On the other hand, you gain the power to (1) have nested security groups, (2) migrate security principals between domains, and (3) convert security groups to distribution groups and vice-versa. While nice, these aren’t deal breakers, which is another reason why relatively few people went from NT domains to W2K AD.
At the Server 2003 level, while you can no longer have W2K servers in AD, you gain some minor abilities plus the big winner, Domain Rename Tools, which enables you to rename domains and application directory partitions in a deployed Active Directory forest. Think this doesn’t sound like much? Think again.
With these tools, you can rename items without repositioning any domains in the forest structure, create a new domain-tree structure by repositioning domains within a tree, merge domains, or create new trees. Trust me on this one — there are W2K AD managers who would have killed for this kind of power.
Of course, the downside is that to get to this point, you not only have to upgrade your NT Servers, you even have to upgrade your W2K servers to Windows Server 2003. Thus, as useful as the Domain Rename Tools are, I doubt we’re going to see many people using these tools anytime soon. Yes, they’re powerful, but the price of admission is simply too high for most people at this point.
Living with Server 2003 AD
So, in the end, will it be worth it? If you’re currently going crazy trying to administer a horde of NT domains and you have the resources for a major upgrade, the answer is a definite yes. Windows Server 2003 AD makes managing large companies and Microsoft-based server farms much easier. In addition, it’s never been easier to upgrade to AD.
On the downside, Server 2003 itself is half-baked. You can’t run most bread and butter server applications, including Exchange 5.5, on it. Since you have to be running nothing but Windows Server 2003 in order to benefit from the full value of Server 2003 AD, I just don’t see many, if indeed any, companies becoming 100% Server 2003 AD shops at any point this year.
Is it worth it? The bottom line is that with Microsoft setting NT 4 Server’s service and support clock to run out on December 21, 2004, the move from NT 4 is now an inevitability for most of us.
What I’m personally doing is running Server 2003, W2K Server, NT4, and Samba machines with AD under mixed mode. No, I’m not getting the full benefits of AD, but I’m retaining all my legacy investment while enjoying some of AD’s benefits. And the experience I’ve gained with AD will help me be better prepared for the day when I do retire my NT machines. For me, and I suspect for most of you, this is the best path to take.