Using Server 2003 AD
After this change, though, you may need to do some client upgrading. Your Windows 98, Windows 95, and Windows NT machines, both servers and workstations, will need AD client software before they can see AD's resources. Even with an AD client, though, Windows 95 and NT4 running SP3 or lower won't be able to access resources, because NT domain controllers upgraded to AD default to having Server Message Block (SMB) protocol packet signing enabled, and these clients can't handle this change. With packet signing on, they'll be unable to log in, much less access resources. The answer is to go to the Group Policy Object Editor and disable the "Microsoft network server: Digitally sign communications (always)" setting.
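To confirm what a domain controller will actually do after that policy change, you can read the signing values out of an exported security template. The following is an added example, not code from the original article: it assumes the policy was exported with `secedit /export /cfg` and already decoded to text, and the sample template and the function names are constructed for illustration.

```python
# Registry values behind the four "Digitally sign communications" policies.
PREFIX = "machine\\system\\currentcontrolset\\services\\"
POLICIES = {
    r"lanmanserver\parameters\requiresecuritysignature": "server_always",
    r"lanmanserver\parameters\enablesecuritysignature": "server_if_client_agrees",
    r"lanmanworkstation\parameters\requiresecuritysignature": "client_always",
    r"lanmanworkstation\parameters\enablesecuritysignature": "client_if_server_agrees",
}

def parse_signing(inf_text):
    """Return {policy_name: bool} read from the [Registry Values] section."""
    found, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, _, data = line.partition("=")
        key = key.strip().lower()
        if not key.startswith(PREFIX):
            continue
        name = POLICIES.get(key[len(PREFIX):])
        if name:
            # Data is "<type>,<value>"; type 4 is REG_DWORD, value 1 = enabled.
            _, _, value = data.partition(",")
            found[name] = value.strip() == "1"
    return found

def server_mode(settings):
    """required: unsigned clients are refused; negotiated: signs only if the
    client can; off: the server never signs."""
    if settings.get("server_always"):
        return "required"
    if settings.get("server_if_client_agrees"):
        return "negotiated"
    return "off"

# Constructed sample of a secedit export after "(always)" has been disabled.
SAMPLE_INF = r"""
[System Access]
MinimumPasswordLength = 7
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
"""

if __name__ == "__main__":
    print(server_mode(parse_signing(SAMPLE_INF)))
```

A result of `negotiated` means the server still signs for clients that support it while admitting the older clients that cannot.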
To get the real goodies out of Server 2003 AD, though, you can't stay at Mixed level. Instead, you need to upgrade your Domain Functional Level first to W2K native and then to Server 2003. Or, if you're foolhardy, you can jump all the way to Server 2003.
What happens along the way is that with W2K native you lose the ability to have any NT4 servers in your domains. On the other hand, you gain the power to have nested security groups, migrate security principals between domains, and convert security groups to distribution groups and vice versa. Those are nice, but they're not deal breakers, which is another reason why relatively few people went from NT domains to W2K AD.
At the Server 2003 level, while you can no longer have W2K servers in AD, you gain some minor abilities and the big winner, the Domain Rename Tools. These enable you to rename domains and application directory partitions in a deployed Active Directory forest. Doesn't sound like much? Think again.
With these tools you can rename items without repositioning any domains in the forest structure, create a new domain-tree structure by repositioning domains within a tree, merge domains and create new trees. Trust me; there are W2K AD managers who would have killed for this kind of power.
Of course, the downside is that to get that, you not only have to upgrade your NT Servers, you have to upgrade even your W2K servers to Server 2003. Thus, as useful as this is, I doubt we're going to see many people using these tools anytime soon. Yes, it's powerful, but the price of admission is too high for most people.
Living with Server 2003 AD
So, in the end, will it be worth it? If you're now going crazy trying to administer a horde of NT domains and you have the resources for a major upgrade, the answer is yes. Server 2003 AD makes managing large companies and Microsoft-based server farms much easier. In addition, it's never been easier to upgrade to AD.
On the downside, Server 2003 itself is half-baked. You can't run most bread-and-butter server applications, like Exchange 5.5, on it. Since to get the full worth out of Server 2003 AD you need to be running nothing but Server 2003, I just don't see many, if indeed any, companies becoming 100% Server 2003 shops anytime this year.
Is it worth it? The bottom line is that while Microsoft has reset NT 4 Server's support clock to December 21st 2004, it is finally going to run out of Microsoft service and support in the foreseeable future.
What I'm doing is running Server 2003, W2K Server, NT4 and Samba machines with AD under mixed mode. No, I'm not getting the full benefits of AD, but I'm retaining all my legacy investment while getting some of AD's benefits. And, in the future, the experience I've gained with AD will help me come the day that I do retire out my NT machines. For me, and I suspect for most of you, this will be the best path to take.