If you believed Microsoft a few years back, Active Directory was the answer to all your prayers for a universal directory of network users and system resources. Ha!
Upgrading from NT domains to W2K Active Directory (AD) was as scary a job as a network administrator could ever want to avoid. It was a horror show of a job that cost many LAN managers their jobs and took many companies over a year to complete. And even once it had been done, you were still stuck with unlikely but annoying problems, such as being unable to delete schemas if you had made a mistake in implementing your original design or simply wanted to clean up directory clutter.
Is it any wonder then that many companies stuck to NT? Managing a large set of NT domains may have been messy, but at least it worked. Besides, under NT, adding a Samba server or Backup Domain Controller (BDC) was a piece of cake. And, if you had W2K Servers, you added them to the domain via the “Server Manager” on your NT Primary Domain Controller (PDC) and then joined the new server to the domain. No fuss, no muss.
Today, though, Server 2003 has made AD a lot friendlier, a lot more useful, a lot faster, and, last but far from least, a lot easier to upgrade to from NT domains.
But First, the Prep Work
Easier isn’t necessarily the same thing as simple. Before you even think about upgrading your domain structure, you need to know exactly what’s what on your network. Think you know? I doubt it.
Unless you’ve been tracking your network’s evolution religiously, I suspect you’ll find unknown servers and BDCs on your network running everything from early versions of Samba to NT4 SP3, not to mention some oddball trust relationships and Security Accounts Manager (SAM) records.
Besides, even if you know exactly what’s what, you’ll want to spend some time deleting duplicate and unused user, group and computer accounts. You’ll also want to consolidate group accounts that duplicate the same permissions. Take the time to do some spring cleaning of your network; it will help not only with AD but with removing security threats from your network.
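The cleanup described above is easier to do systematically than by eyeballing User Manager. The following Python script is an added example, not code from the article: it assumes you have exported your NT users (name, last logon date, enabled flag) and group memberships (group, member) to CSV text, and it reports accounts idle for longer than a cutoff, groups whose membership is identical to another group’s (candidates for consolidation), and groups whose every member is on the stale list. The sample data embedded in the script is constructed for illustration.

```python
"""Pre-upgrade account hygiene report (added example, not from the article).

Assumes two CSV exports of the NT domain, constructed here as inline samples:
  users:  name,last_logon (YYYY-MM-DD, blank = never),enabled (yes/no)
  groups: one row per (group, member) pair
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample user export
USERS_CSV = """name,last_logon,enabled
alice,2003-05-02,yes
bob,2002-01-15,yes
carol,,yes
svc_backup,2003-04-30,yes
tempcontractor,2001-11-01,no
"""

# Constructed sample group-membership export
GROUPS_CSV = """group,member
Accounting,alice
Accounting,bob
Acct-Payable,alice
Acct-Payable,bob
Backup Ops,svc_backup
Contractors,tempcontractor
"""


def parse_users(text: str) -> list[dict[str, str]]:
    """Rows of the user export as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_groups(text: str) -> dict[str, frozenset[str]]:
    """Group name -> immutable set of member names."""
    members: dict[str, set[str]] = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        members[row["group"]].add(row["member"])
    return {g: frozenset(m) for g, m in members.items()}


def stale_accounts(users, today: date, max_idle_days: int = 180):
    """(name, reason) for disabled accounts and accounts not used within the window."""
    cutoff = today - timedelta(days=max_idle_days)
    stale = []
    for u in users:
        if u["enabled"].strip().lower() != "yes":
            stale.append((u["name"], "disabled"))
        elif not u["last_logon"].strip():
            stale.append((u["name"], "never logged on"))
        elif date.fromisoformat(u["last_logon"]) < cutoff:
            stale.append((u["name"], f"last logon {u['last_logon']}"))
    return stale


def duplicate_groups(groups: dict[str, frozenset[str]]) -> list[list[str]]:
    """Clusters of groups that carry exactly the same membership."""
    by_members: dict[frozenset[str], list[str]] = defaultdict(list)
    for name, members in groups.items():
        by_members[members].append(name)
    return sorted(sorted(names) for names in by_members.values() if len(names) > 1)


def orphaned_groups(groups: dict[str, frozenset[str]], stale_names: set[str]) -> list[str]:
    """Groups that would be empty once the stale accounts are deleted."""
    return sorted(g for g, m in groups.items() if m and m <= stale_names)


def report(users_csv: str = USERS_CSV, groups_csv: str = GROUPS_CSV,
           today: date = date(2003, 6, 1), max_idle_days: int = 180) -> dict:
    users = parse_users(users_csv)
    groups = parse_groups(groups_csv)
    stale = stale_accounts(users, today, max_idle_days)
    return {
        "stale": stale,
        "duplicate_groups": duplicate_groups(groups),
        "orphaned_groups": orphaned_groups(groups, {n for n, _ in stale}),
    }


if __name__ == "__main__":
    for section, rows in report().items():
        print(f"== {section} ==")
        for row in rows:
            print("  ", row)
```

Run it against your own exports by passing the file contents to `report()`; the 180-day idle window is a starting point, not a rule, and service accounts like the constructed `svc_backup` above may log on rarely, so review the stale list before deleting anything.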
You must also check your current NT server operating system patch level. You shouldn’t even think about upgrading if your machines aren’t running at least NT4 SP4. The latest shipping version of Samba, 2.2.8a, will also run with Server 2003 as a server, but I’d be wary of using Samba systems as BDCs until there’s been a lot more time spent running Samba and Server 2003 on the same networks.
Once you have a handle on that and you’ve cleaned up any unneeded SAM accounts, demoted any Samba servers from PDC or BDC to server status, cleaned up security, and all that fun stuff, you’ll finally be ready to start thinking about your upgrade.
Thinking!?
Yes, thinking. There are three ways to upgrade from NT to Server 2003 AD, and while it’s a lot easier to back out of an AD deployment than it used to be, you really don’t want to start down the wrong path. You’ll end up wasting man-days, not man-hours, if you do.
Your three choices are: 1) upgrade; 2) restructure; and 3) upgrade and restructure. With an upgrade you basically keep the exact same structure you’re already using, but now you have AD at the top so you can better run the whole show. This, as you might guess, is also the easiest path: it takes the least amount of time, has the lowest risks and requires the fewest resources. It also presumes that instead of adding a new Server 2003 server you’re just converting at least one of your existing NT servers to Server 2003.
Is your existing structure showing its age? Do you want better overall server uptime? In that case, you’ll want to restructure your network. And if you want to retain your existing domain structure but add new Server 2003 machines and implement AD’s features now rather than later, you’ll want to do both with an upgrade and a restructure.
But, before charging out there, you also need to consider practical constraints. Even a mere upgrade of a small business network will take up a weekend. Do you have that weekend? Do you have the budget to pay for people to work that weekend? Do you have working backup servers in place so your company can keep going even if your upgrade doesn’t?
And let’s not forget that if you’re going to bring your application servers over to Server 2003 as well, you have to ask yourself whether your applications will still work. After all, Server 2003 may be a killer file and Web server, but it has amazingly few applications that will run on it today.
Only make the move once you know you really want to do it and you have the resources to do it right.
Down and Dirty
OK, now you know what you’re doing and you’re ready to go? Your next step is to head over to the Microsoft site and grab a copy of Active Directory Migration Tool 2.0. It’s not just a great tool, it’s a must-have tool for NT domain administrators on the AD move. I’d no more try an upgrade without it than I would face the day without brushing my teeth.
You’ll also want to read Microsoft’s white paper, Migrating Windows NT Server 4.0 Domains to Windows Server 2003 Active Directory before making a move.
Once armed with tools and information, you’ll want to start with your PDC. What’s that? Your PDC can’t handle Server 2003? In that case, start with a BDC, then promote it to PDC and demote the old NT PDC to a BDC. After that, you can upgrade all the other BDCs. Or, if you want, you can decommission them as BDCs and either leave them as NT servers or install Server 2003 on them, and in either case make them ordinary member servers.
You’ll also, if you haven’t before, need to install Domain Name Service (DNS) on at least one of your servers. Active Directory needs DNS to resolve AD domain, site, and service names to IP addresses. You can use NT, W2K or Server 2003 DNS, but for best results I like to run Server 2003 AD and DNS on the same machine.
Along the way you’re also going to be creating containers that will hold your NT users, computers and groups. These objects are named Users, Computers, and Builtin. No, Builtin isn’t just a funny name for groups. NT 4 built-in local groups, like Administrators and Server Operators, go into the Builtin container. User accounts, along with the local and network groups that you’ve set up yourself in NT 4 (‘the jocks from accounting,’ for instance), are placed in the Users container.
As you upgrade your PDC, you’re likely to want to set it as the first domain in a new Server 2003 forest. If that’s the case, and if you’re upgrading from NT to Server 2003 it almost certainly will be, you should set your forest functional level to “Windows interim,” aka Windows 2000’s Mixed level. Don’t worry about looking for the menu choice to do it; you’ll be prompted for it during the upgrade. It gives you all Windows 2000 level forest functionality and also includes improved replication capabilities and speed.
Using Server 2003 AD
After this change, though, you may need to do some client upgrading. Your Windows 98, Windows 95, and Windows NT machines, both servers and workstations, will need AD client software before they can see AD’s resources. Even with an AD client, though, Windows 95 and NT4 running SP3 or lower won’t be able to access resources, because NT domain controllers upgraded to AD default to having Server Message Block (SMB) packet signing enabled, and those clients can’t handle this change. With packet signing on, they’ll be unable to log in, much less access resources. The answer is to go to the Group Policy Object Editor and disable the “Microsoft network server: Digitally sign communications (always)” setting.
To get the real goodies out of Server 2003 AD, though, you can’t stay at Mixed level. Instead you need to upgrade your Domain Functional Level to first W2K native and then Server 2003. Or, if you’re foolhardy, you can jump all the way to Server 2003.
What happens along the way is that with W2K native you lose the ability to have any NT4 servers in your domains. On the other hand, you gain the power to have nested security groups, migrate security principals between domains, and convert security groups to distribution groups and vice versa. Those are nice, but they’re not deal breakers, which is another reason why relatively few people went from NT domains to W2K AD.
At the Server 2003 level, while you can no longer have W2K servers in AD, you gain some minor abilities and the big winner, the Domain Rename Tools. This enables you to rename domains and application directory partitions in a deployed Active Directory forest. Doesn’t sound like much? Think again.
With these tools you can rename items without repositioning any domains in the forest structure, create a new domain-tree structure by repositioning domains within a tree, merge domains and create new trees. Trust me; there are W2K AD managers who would have killed for this kind of power.
Of course, the downside is that to get that, you not only have to upgrade your NT Servers, you have to upgrade even your W2K servers to Server 2003. Thus, as useful as this is, I doubt we’re going to see many people using these tools anytime soon. Yes, it’s powerful, but the price of admission is too high for most people.
Living with Server 2003 AD
So, in the end, will it be worth it? If you’re now going crazy trying to administer a horde of NT domains and you have the resources for a major upgrade, the answer is yes. Server 2003 AD makes managing large companies and Microsoft-based server farms much easier. In addition, it’s never been easier to upgrade to AD.
On the down side, Server 2003 itself is half-baked. You can’t run most bread-and-butter server applications on it, like Exchange 5.5. Since to get the full worth out of Server 2003 AD you need to be running nothing but Server 2003, I just don’t see many, if indeed any, companies becoming 100% Server 2003 shops anytime this year.
Is it worth it? The bottom line is that while Microsoft has reset NT 4 Server’s support clock to December 21st 2004, it is finally going to run out of Microsoft service and support in the foreseeable future.
What I’m doing is running Server 2003, W2K Server, NT4 and Samba machines with AD under mixed mode. No, I’m not getting the full benefits of AD, but I’m retaining all my legacy investment while getting some of AD’s benefits. And in the future, the experience I’ve gained with AD will help me come the day that I do retire my NT machines. For me, and I suspect for most of you, this will be the best path to take.