While Microsoft might wish otherwise, many companies have a few Windows NT 4 servers still kicking around functioning quite happily as web servers, application servers, or NT domain controllers. Systems administrators have long put up with NT’s slow performance, older technology, and constant server reboots because of squeezed budgets or fears that an upgrade to Windows 2000 servers could be too disruptive — particularly in the case of migrating from NT Domains to Active Directory.
Two recent announcements by Microsoft may finally force companies to retire those functional but obsolete systems. First, in January 2003, Microsoft announced a phased plan to retire Windows NT for good. After July 2003, NT will no longer be available for purchase through any channel, and by January 2005, Microsoft will have completely withdrawn official support for NT.
Fortunately, Microsoft is not leaving NT customers completely stranded. In its latest attempt to unseat the vast hordes of legacy systems, Microsoft started shipping Windows Server 2003 this past April. To lure reluctant upgraders to finally switch systems, Windows 2003 includes easier NT migration tools. It also has some tempting new network features for the nervous foot draggers, including easier network configuration, enhanced support for wireless LANs, improved network and remote access support, and most significantly, major enhancements to Active Directory. In other words, it’s time to give serious consideration to cutting the NT cord.
Given that some type of Windows server upgrade is likely to be in your near-term future, let’s delve into the murky details of converting to Active Directory. We will start with a brief history, then review the Windows Server 2003 improvements, and finally present an overview of some important reasons to convert. This will help you plan your upgrade path, and will hopefully offer a boost of confidence that allows you to pull off a NT/Windows Server 2003 migration project with aplomb!
The Birth of Active Directory
Active Directory was originally developed to replace the Windows NT domain controller software with a more scalable, powerful, and flexible technology that could compete directly with the feature-rich Novell Directory Service (NDS) product. Microsoft purchased Zoomit Corporation in 1999 to incorporate their Metadirectory Services directly into Active Directory.
The result was the release of Microsoft MetaDirectory Services (MMS), which provide data synchronization between Active Directory and a variety of other sources, including Microsoft Exchange and NT, third-party software like Novell NDS, databases such as Oracle, Lotus Notes, and common import formats like XML, CSV, and LDIF. Several subsequent releases have made further improvements to MMS and Active Directory applications.
Changes in Windows 2003 Server
There are some significant changes and enhancements to Active Directory in Windows 2003 Server that will be of particular interest to those considering converting from earlier versions. The most notable are:
- Support for the standard inetOrgPerson schema used by other LDAP directories (such as iPlanet, Novell, IBM,and OpenLDAP). This improved interoperability between Active Directory and other non-Microsoft directories services can be an important feature in a large enterprise that might have a number of active ID management systems.
- Better domain controller load balancing. Active Directory clients typically authenticate to the first domain controller, which can quickly overload that controller. In Windows 2003 Server, the domain controllers can simulate being a Windows NT domain controller. This is a great advantage because it means you can use your existing Windows NT domain controllers for Windows 2xxx clients and servers until your full AD infrastructure is in place.
“Active Directory Lite”
Active Directory in Application Mode (ADAM) is a new capability of Active Directory in Windows 2003 that addresses certain deployment scenarios related to directory-enabled applications. Popularly nicknamed “Active Directory Lite,” ADAM supports a number of useful features for the smaller shop that does not have the expertise to create a full AD schema for their company. Think of it as the “un-directory” because it does not have to use domains or run as an operating system service.
Having the ability to create a standalone directory can be very useful. You can build an Active Directory “development sandbox” where applications can be tested before production deployment. It also gives you a safe place to test and enable unique schema extensions. This feature allows local control as needed, even allowing construction of an extranet with no connection to the internal Active Directory network. Since application partitions can also replicate to any domain in a forest, this allows support for application dynamic data transfer between domains within the forest, including:
- Deactivation of selected object classes and attributes in the schema. Use this feature to save disk space and speed up some operations.
- Ability to rename domains while maintaining forest integrity. This has been a major problem in NT Domains. Note that this does not apply to the root domain, however.
- Support for Inter-Forest Transitive Trusts. Both one- and two-way trusts are supported.
- Cross-Forest Authorization that allows groups of users to access objects across forests. This feature can be invaluable for department relocations and reorganizations.
Why Active Directory?
Now that you know something about the differences between Active Directory and NT Domains, why should your company even bother with an AD implementation? It seems overly complex and difficult to administer, so what advantages does AD offer over NT Domains or NDS? Active Directory has many significant enhancements and advantages that will reduce the overall administration headache once it is deployed, including:
- Because millions of objects can be stored in a directory, Active Directory provides a scalable solution that can meet future growth requirements.
- Compared to the more primitive NT domains, AD provides a more stable directory infrastructure, and far fewer servers are needed to manage it.
- It has new features that allow improved desktop configuration control.
- Users can administer Windows 2000 and other Microsoft applications from a single point, which can translate into a significant reduction of IT overhead headaches.
- Active Directory supports both centralized and decentralized administration models, an important difference from NT Domain.
- AD provides improved access and identity management with extremely granular rights administration.
- AD provides extensive customization tools through the ADSI programming interface and MMS.
To ensure a painless Active Directory upgrade, there are a few tips to keep in mind:
- Have at least one domain controller at each site, preferably two.
- Keep your DNS and Active Directory in sync.
- Have a change control policy in place for forest changes.
- Limit the number of people who can make administrative changes to Active Directory.
- In addition, learn about the great Active Directory utilities from Microsoft that are designed to make your life easier:
- NDSUTIL – Performs various Active Directory Database tasks, among other things.
- SYSKEY – Offers additional encryption of password information.
- LDIFDFE – Imports LDIF format records [LDAP] into Active Directory.
- ADMT – Migrates user, group, and computer information. A new version was released for Windows Server 2003.
- REdirUSR and REdirCOMP – This Windows Server 2003-only utility allows users and computers to be placed in specific organization units.
While upgrading to Active Directory is definitely a good idea in the short term, there clearly are some shifts in the technology coming up that you should keep in mind for the future. Some technology and standards changes may well make the standalone directory obsolete. Long-term questions to consider include:
- Will all directories be incorporated directly into the Network Operating System, as is the case with Novell’s NDS offering, which could enable the integration of the many identity management technologies into a seamless whole?
- What role will standalone directories play in network provisioning, system configuration, and asset/network management in the future? Will they become pivotal or irrelevant as this functionality is incorporated into larger, more robust integrated systems?
- Will the dream of virtual and federated directories finally become a reality and make standalone directories obsolete?
- Will Active Directory in Application Mode become popular even for those who have no desire for a full-blown Microsoft Active Directory infrastructure?
Third party offerings, especially in the migration and administration areas
A summary of the NT Support retirement plan
Windows Server 2003 resources, including Active Directory and AD/AM
Beth Cohen is president of Luth Computer Specialists, Inc., a consulting practice specializing in IT infrastructure for smaller companies. She has been in the trenches supporting company IT infrastructure for over 20 years in a number of different fields including architecture, construction, engineering, software, telecommunications, and research. She is currently writing a book about IT for the small enterprise and pursuing an Information Age MBA from Bentley College.
Hallett German is an IT consultant who is experienced in implementing stable IT infrastructures with an emphasis on electronic messaging and directories. He is the founder of the Northeast SAS Users Group and former President of the REXX Language Association. He is the author of three books on scripting languages. He is currently seeking challenging opportunities that will expand his directory, networking, and security skills.