From NT Domain to Server 2003 Active Directory

Finally, an NT Domain to AD upgrade without the pain. Steven J. Vaughan-Nichols discovers that with some prep work, administrators can expertly conquer an upgrade that once left scores of battered IT managers in its wake.

 By Steven J. Vaughan-Nichols

If you believed Microsoft a few years back, Active Directory was the answer to all your prayers for a universal directory of network users and system resources. Ha!

Upgrading from NT domains to W2K Active Directory (AD) was as scary a job as a network administrator could ever want to avoid. It was a horror show of tasks that cost many LAN managers their jobs and took many companies over a year to complete. And once it had been completed, you were still stuck with such unlikely and annoying problems as being unable to delete schemas if you had made a mistake in implementing your original design or if you simply wanted to clean up directory clutter.

Is it any wonder then that many companies stuck with NT? Managing a large set of NT domains may have been messy, but at least it worked. Besides, under NT, adding a Samba server or Backup Domain Controller (BDC) was a piece of cake. And if you had W2K Servers, you simply added them to the domain via the "Server Manager" on your NT Primary Domain Controller (PDC) and then joined the new server to the domain. No fuss, no muss.

Today, though, Windows Server 2003 has made AD much more friendly, useful, and faster, as well as much, much easier to upgrade to from NT domains.

First Things First

Easier isn't necessarily the same thing as simple, though. Before you even think about upgrading your domain structure, you need to know exactly what's what on your network. Think you know? I doubt it.

Unless you've been tracking your network's evolution religiously, I suspect you'll find unknown servers and BDCs on your network running everything from early models of Samba to NT4 SP3, not to mention some oddball trust relationships and Security Accounts Manager (SAM) records.

Besides, even if you know exactly what's what, you'll want to spend some time deleting duplicate and unused user, group, and computer accounts. You'll also want to consolidate group accounts that duplicate the same permissions. In other words, take the time to do some spring cleaning on your network — it will help not only with AD, but also with removing potential security issues from your network.

You'll also need to check your current NT server operating system patch level. You shouldn't even think about upgrading if your machines aren't running at least NT4 SP4. The latest shipping version of Samba, v2.2.8a, will also run with Server 2003 as a server, but I'd be wary of using Samba systems as BDCs until there's been a lot more time spent running Samba and Windows Server 2003 on the same networks.

Once you have a handle on these issues and you've cleaned up any gratuitous SAM accounts, demoted any Samba servers from PDC or BDC to server status, resolved any potential security hazards, and all that other fun stuff, you'll finally be ready to start thinking about your upgrade.
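The pre-upgrade checks described above can be run as a script against an exported inventory. This is an added example, not part of the original article; the inventory data is constructed, and the field names and the 90-day "unused" threshold are assumptions.

```python
from datetime import date

# Constructed sample inventory; field names are hypothetical, not a real export format.
ACCOUNTS = [
    {"name": "jsmith", "last_logon": date(2003, 7, 1)},
    {"name": "temp01", "last_logon": date(2002, 11, 3)},
    {"name": "oldprinter$", "last_logon": None},  # never logged on
]
GROUPS = {  # group name -> set of permissions it grants (constructed)
    "Sales": {"FS1/sales:change", "FS1/public:read"},
    "SalesTeam": {"FS1/public:read", "FS1/sales:change"},
    "Finance": {"FS1/finance:change"},
}
MACHINES = [
    {"name": "NTPDC1", "os": "NT4", "sp": 6, "role": "PDC"},
    {"name": "NTBDC2", "os": "NT4", "sp": 3, "role": "BDC"},
    {"name": "SMB1", "os": "Samba", "sp": None, "role": "BDC"},
    {"name": "FILE3", "os": "NT4", "sp": 4, "role": "server"},
]
STALE_DAYS = 90  # assumption: the article sets no threshold for "unused"
MIN_NT4_SP = 4   # from the article: at least NT4 SP4

def stale_accounts(accounts, today, max_age=STALE_DAYS):
    """Accounts that never logged on or have been idle longer than max_age days."""
    return sorted(a["name"] for a in accounts
                  if a["last_logon"] is None
                  or (today - a["last_logon"]).days > max_age)

def duplicate_groups(groups):
    """Sets of groups that grant exactly the same permissions (merge candidates)."""
    by_perms = {}
    for name, perms in groups.items():
        by_perms.setdefault(frozenset(perms), []).append(name)
    return sorted(sorted(names) for names in by_perms.values() if len(names) > 1)

def machine_blockers(machines):
    """NT4 machines below SP4 and Samba machines still acting as PDC or BDC."""
    issues = []
    for m in machines:
        if m["os"] == "NT4" and m["sp"] < MIN_NT4_SP:
            issues.append((m["name"], "below NT4 SP4"))
        if m["os"] == "Samba" and m["role"] in ("PDC", "BDC"):
            issues.append((m["name"], "Samba domain controller: demote to server"))
    return issues

if __name__ == "__main__":
    today = date(2003, 7, 24)  # fixed date so the sample output is reproducible
    print("stale accounts:", stale_accounts(ACCOUNTS, today))
    print("duplicate groups:", duplicate_groups(GROUPS))
    print("upgrade blockers:", machine_blockers(MACHINES))
```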


This article was originally published on Jul 24, 2003