Active Directory on Win2k or 2k3?
lordbry asks: "I am a Windows admin for a major university in a business computing area (if we have problems, people might not get paid). We have a Windows NT Domain, and are planning to migrate to Active Directory. One of my co-workers is pushing for doing this under Windows 2003. I, however, feel that (as with any M$ product) we should not even consider using 2003 for production anything until there is an SP 2 or 3, and that we should go with AD under Windows 2000. Does anyone have any advice, arguments, or horror stories that could help me make my case to the rest of my group, all of whom are somewhere in the middle? Does anyone think that 2003 is the way to go?"
Windows 2003 is 1000 times better than 2000. It's significantly more stable, it's got the fantastic volume shadow copy (kinda like CVS...kinda), it's got DFS, and it's extremely well supported.
Don't think of it like a new Windows - it's actually Windows NT 5.2, which is heavily built upon 2000.
I recently upgraded to AD (well, 5 months ago...), and now I'm wishing I went with 2003. It's not a big difference, but our test 2003 machines are a joy to use. Additionally, if you want to run the 2000 Server Adminpak on Windows XP, with the Exchange 2000 tools, it's not fun to install - the 2003 tools work natively on an XP client.
There really is no reason not to go with 2003, given the choice.
"The natural progress of things is for liberty to yield and government to gain ground." - Thomas Jefferson
We went to 2k3 around the time it was released. The response around the office is more or less, "Fuck chevy this thing's a rock".
For shits and giggles we put it on a Pentium 2 300 laptop with 300MB of RAM; it was stable, fast, and useful. In all honesty it is a great product and a worthy successor to 2k.
There is nothing wrong with being gay. It's getting caught where the trouble lies.
I've only used it on Windows 2000, so I can't offer advice on which to pick, but I can tell you that it isn't wise to dump over 2500 users in to Active Directory with a script. AD will not like it, trust me. :)
I've been through this twice now. Once recently and once about 8 months ago. The first one was an upgrade from NT -> 2003 and the second was an upgrade from a 2000 AD -> 2003 AD. Both times, I ended up MORE than happy that I went to 2003. The tools for 2003 beat the hell out of the tools for 2000. If you decide to add Exchange to the mix, Ex 2003 is more stable and has better features over 2000. All in all, if you're going new, there's no reason to wait for the .2 or .3.
I find W2K3 to be quicker and have more nifty options and features. It also depends on your client population, with XP being more easily managed under W2K3 with the stock GPO, copies, and templates provided.
At the same time I've had problems with W2K3 as a DNS/WINS server. And a DFS server. It took a long time and lots of digging to resolve those issues and it looked like it was the first time MS had come across a lot of the issues we had when we got in touch with them. Eventually worked out but it's never fun to be the first to find a bug in a critical service.
The other annoyance we've had with W2K3 is its control over W2K clients. Things like IE settings that'd be pushed from our old domain controller or from IEAK stuff stopped working or worked oddly in W2K3. It would store security settings in two files, push only one, confuse clients, etc.
If I had to do it all over again ~today~ I'd go W2K3 because I've found the past few months' worth of documentation and support to be much better than a year ago.
I should note that the first network I deployed W2K3 in was ~80 nodes. It was critical, 24 hour operation, Engineering intense, lots of storage, license servers, etc. So it wasn't trivial but it's not a University sized environment, not that many thousands of clients.
In conclusion.. I don't have a conclusion. I think I'd have to hear what services besides AD you'd want to run off of it. Do you run DNS, DFS, SFU, Licenses, TS, etc. off of the same servers?
Oh, if you do go W2K3, install the Resource Kit bundle right away, it's priceless for administration and scripting.
Anyhow, good luck, Cheers, -Pk
W2K3 is faster than W2K in most tasks. It somehow uses memory more efficiently, and it does not enable unnecessary services by default. Microsoft claims IIS in W2K3 is re-written to be more secure and faster.
Um. AD using Windows 2003 is the service pack for the version of AD using Windows 2000.
It's not like they re-wrote it from scratch. Nor is it like AD (using 2000) is entirely new either; it was developed from the backend of Exchange's directory service, if I understand correctly.
Go with 2003, I haven't read of any particular defects of either AD or the server OS features under 2003, compared to 2000. And yes, things like Volume Shadow Copy, or whatever it's called, may make your life as an admin easier. Certainly, if you're running IIS sites, you'll appreciate the security of IIS 6 more than IIS 5.
Win2k3 will run your .NET based apps a little better as .NET runtime binding is built into the way applications are executed on Win2k3 and WinXP.
I only used the betas and release candidates, but they were all very stable and we actually had fewer problems with them than our Win2k machines.
Just my 2 cents...
Great ideas often receive violent opposition from mediocre minds. - Albert Einstein
It lets you do AMAZING THINGS like oh, change properties on multiple users at once... and stuff. Ya know, like you could in frickin' NT, 10 years ago.
Thanks, Bill.
If you haven't bought 2000 -- skip it, most of our customers that have 2000 want 2k3, but now have to purchase all new CALs...
Again, thanks, Bill.
Wow, a question that ultimately implies sending money over to Redmond, and not a single post yet claiming Mandrake 6 on an old Pentium 2 would serve the purpose just right and he should contribute money to the GNU foundation instead?
Windows 2000 is almost EOL'd. Windows 2000 Support Cycle. Non-security updates end 3/31/05 (8 months from now) and security updates end on 3/31/07 - eight months from now. I'd go with 2003 since by the time you are done with the migration, 2000 will probably be at the end of its useful life and you'll be looking at going to 2003 anyways.
Use 2003, it is the same as 2000 with added admin features. There are a few issues that we have had, but they have all been patched by now.
If you are worried about stability, we have found 2003 is much more stable than 2000. 2003 is just 2000 with extra features, I don't think much in the core has been changed.
Additionally, if you go with 2000, you have 3 years less support on the product. I assume you are using licensing, so upgrades are free, but the labour in changing over is huge.
Remember to work out how much time it is going to take you and triple it. You WILL run into problems. Always have a fall back position for when the shit hits the fan.
- fewer security patches (== longer uptime)
- way more flexible schema updates, especially in a large AD environment
- way more secure than Microsoft's previous iterations right out of the box and in general operation
- generally faster (but that will depend on what else you've got running on it - hopefully just AD)
- much better command line administration (can do most everything from a command window)
Do yourself a favor and also grab ActiveState's Perl distribution and, since you're already running a ludicrously expensive OS, buy their PerlNET distribution (part of the Perl Dev Kit - http://activestate.com/Products/Perl_Dev_Kit/pric ). Also make sure you install the resource kit.
Mind the gap...
yes, of course u should go with win2k3... wtf is wrong with you ? they should kick u out of your god damn job for just asking this question... ...hey, how about you go back to DOS 6.22 ? it probably is even better for u...
god damn idiots.... u make internet sick.
I wouldn't bother to listen to your argument if you are calling Microsoft "M$". That's biased, and so that doesn't help make rational decisions that are needed when you're dealing with a project of this magnitude. Leave the M$ WinBlowz speak for the IRC chatrooms.
Sorry to sound like a troll or spread flamebait, I just think this talk has to stop because it makes Apple, Linux, etc, users seem like biased morons.
I'd rather this be replied to harshly than modded down if you find what I said to be disagreeable.
Win2k3 is Win2k SP5 :) No, seriously though - have a look at the version number of the OS sometime. You'll laugh.
Windows 2000 - Windows NT 5.0
Windows XP - Windows NT 5.1
Windows 2003 - Windows NT 5.2
Something tells me there is nothing ground breaking going on from version to version! In all seriousness though, go with 2003 or you'll be sorry. I say this because it's only going to be a few years I bet before Microsoft drops support for patches for 2K. You don't want to spend a ton of money only to have to do it again very soon for 2003. Also, 2003 is more stable than 2K out of the box, and that counts for something. Driver support is also much better, the ability to roll back drivers, etc.
Like others have said, it is an upgrade, not a new OS. They have improved AD a good bit. It is more stable than 2000, it's a bit quicker network wise (new BSD stack), handles memory a bit better, and is generally snappier than its predecessor. If you're going to use it for any Terminal Services, you also have the bonus of doing more than 256 color in a terminal session and can easily map all of your drives, printers, sound, etc to the local terminal. 2003 is a good chunk of what 2000, actually, NT4 was supposed to be. Now, if they could get WinFS in there they would have most all of their pre-NT4 technologies in place. :)
CliffH
sigs are like a box of chocolates, they all suck remove the underscores to email me
You *absolutely* want to use Server 2003 over 2000. If you *must* use 2000, make sure you use the very latest service pack and appropriate hot-fixes. As others have mentioned, 2003 is really a *minor* update to 2000, despite the name change.
:-)
I have deployed an extensive AD (60+ domain controllers and 80,000 users) on early (SP2-era) Windows 2000. AD had major bugs and scalability issues in versions before Windows 2000 SP4.
Whatever you do, make sure to do good research, homework, and design *before* you start deploying the infrastructure, creating organizational units, and policies. Good design will pay off as the infrastructure grows. Bad design will create increasingly complex problems as your infrastructure grows. It's no fun to re-design and re-deploy over a large and broken first attempt.
Good luck!
As an "admin for a major university" I would hope you are basing upgrade decisions on the service pack numbers. Maybe do some research and check stability statistics and use cases.
I guess this kind of reasoning is why Java 5 is so much better than Java 1.5.
I can tell you that a rather large auto manufacturer is going to a massive 2003-based AD structure for a good part of its operations throughout the world, and it's all going fairly smoothly.
I'd definitely go with 2003 myself. There's no reason to go to 2000...
Oh, and AD can be very nice to work with, just be sure you know what you're doing. It's a complex, powerful tool, and just like any good tool you can hurt yourself or get mired in misconfigurations.
Another word of advice? Use certified and tested drivers. There's good reason to listen to the Windows Hardware Quality Labs. WHQL approval means the driver isn't going to blow up, and a machine full of solid, approved drivers will run solidly (barring hardware problems).
After all, you can't expect an untested third party kernel module to never misbehave, can you?
Which is, according to the industry rags, NDS, now called eDirectory. I know many people will point out that LDAP could almost certainly handle the job and is basically the de facto standard, but NDS has had more time to mature and is more robust. Either one can run completely on Linux (or even Solaris or NT/2Kx if you enjoy paying needless license fees). Are you stuck using the legacy windows platform or can you make a clean break and migrate to something better?
once, I took the business advice of someone who abbreviated Microsoft as "M$". As a direct result, millions of Americans lost their lives in one of the bloodiest displays I have ever heard a first-hand account of.
-- 'The' Lord and Master Bitman On High, Master Of All
I agree that Windows 2003 is much better than 2000. I've used both and am about to rename a domain.. something not even supported under 2000... and can recommend 2003 with full confidence.
Also, as a standard practice, I disable DCOM and install a virus scanner and set all machines to auto-update (both virus signatures and windows updates) in the early morning (say around 05:00 local time). The servers will automatically update and reboot and I've personally never had a problem even though the servers are directly on the Internet. Granted, I don't run the web server.
Ouch! The truth hurts!
It's priced exactly the same as 2000 server. Even per CAL.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
I just migrated my workplace from NT4 to 2k3 Active Directory.
The process went without a hitch.
First we ghosted our PDC, that way we could return things to normal quickly if the upgrade didn't work. We popped in the 2k3 CD and went through like a normal install.
AD is tied to DNS. Choose your DNS name now; it's best if you control your own DNS servers if you want to use your web domain, otherwise it's a bit of a pain (but it works).
After the install completed, dcpromo ran and imported all our user and computer accounts. It might be best to do the housekeeping of unused users, groups etc. before migrating.
Adding additional controllers is easy: just install 2k3 and run dcpromo, and select add an additional controller to domain. It will automatically replicate for you.
Design your directory structure prior to migration.
And like all Windows systems - when in doubt, reboot. 2k3 is rock solid, but I had an issue where DNS would not replicate properly until I rebooted the first DC.
Also I might add that Microsoft's Software Update Services (SUS) works amazingly well. It can be enforced with Group Policy, and all your approved updates can be forced to your clients when you want them to be. Patch management is much simpler now.
I have worked with Active Directory since its early betas, and have arranged and performed at least 100 production installs and upgrades over the past few years. And I would say (strongly recommend) that most of my people move over to 2003. I have yet to have a 2003 install fail, while at the same time it works faster and is more stable than 2000 - and not that 2000 Server was bad to begin with. As far as service packs, I would agree with other posts that 2003 is pretty much Windows 2000 SP6 or so. Keep in mind the MS version numbers:
.2 is a minor version upgrade.
Windows2000 = NT 5.0
Windows XP = NT 5.1
Windows2003 = NT 5.2
This is /. , your Economist, Forbes, BusinessWeek or whatever you normally read is not here.
Look pal, there are many people out there that as part of their job they have to do things which do not necessarily please them on extreme.
That does not mean they are not professional.
There was once a musician in a German orchestra who had to perform the first installment of one of Richard Wagner's masterpieces. His performing was so superb that Wagner went to thank him personally. When he asked the performer (I believe it was a French horn player) if he had liked the music, he replied that it was the most hideous thing he had ever played.
Wagner, surprised of course, then asked how he had managed to play it so well. The musician replied that he was a professional and he would do his utmost to perform to the best of his abilities any music given to him.
In other words, get off your high horse because you look pathetic.
IANAL but write like a drunk one.
Go with straight Kerberos + LDAP authentication. AD still has scalability issues which, though improved over earlier versions of itself, are still behind Novell NDS or Kerberos + LDAP. Interoperability with a heterogeneous set of workstations is historically pretty poor for AD. Kerberos and LDAP clients exist and function quite nicely on whatever platform you have.
Furthermore, if nothing else, pricing in the 2003 version will kill you, even if managing all the licenses doesn't. Of the two, 2000 is the way to go, but the third option (real kerberos) is probably the way to go in your case.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Sorry. Had to say it.
I'd go with 2003 though -- aside from extremely annoying problems porting apps over from NT due to new security settings (which you wouldn't have as an AD controller) it's been completely trouble free, stable, and quite frankly rock solid. Oh great, now I feel like a microsoft whore.
ughh... dirty. dirty.
"But actually trying to use m4 as a general-purpose langage would be deeply perverse" --ESR
I do a lot of junior support on 2K3 SBS networks and find it exceptionally easy to deal with in most cases(not all, I still like linux for easy modification of configurations, everything seems more logical and documented there, but that's just me, I do work for an MS shop). I personally love the new tools to join a system to the domain, and there are other features that either make life easier or just a little more logical.
Our SBS 2000 clients are already looking out of date, even when we only installed 1 year ago.
Anyway...
Enjoy!
On Arrakis: early worm gets the bird. I am master of the world!
Just thought I'd add my 2 cents. Everyone else is right, 2003 has some nicer features than 2000. If you want to take advantage of a lot of the 2003 features, you're going to need a majority of XP machines. If your client base is all NT4 or 2000, you're not going to see the maximum benefits.
Technology Consulting & Free Downloads
The university I work in recently upgraded to Windows 2003. I am assured by those in the know that it is much better than 2000.
However, when authenticating Unix Kerberos clients against it there are problems. Firstly, kerb clients that aren't near bleeding edge (e.g. the default in Redhat A.S. 3.0) tend to fail when authenticating. I think this has something to do with Windows switching from UDP to TCP earlier than older clients expect; newer kerb auto-negotiates better, I think. (Tracking Kerberos errors is tricky, and this one only turns up when users are in many groups, forcing packet size to get too large.)
Second, kerb keytab files are by default des-cbc-crc in 2000 and des-crc-md5 encrypted in Windows 2003, meaning you will have to change keytab files and alter your Kerberos configuration (krb5.conf) if you use keytabs. Saying that, I haven't had time to test that this actually works. Changing keytabs and encryption types is relatively easy but still a PITA when previously working authentication suddenly drops when you upgrade to 2003.
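The post above says the default keytab encryption type changes between the 2000 and 2003 domain controllers, so the first thing an admin wants after the upgrade is to see which enctypes the keytabs on the Unix hosts actually contain. The following is an added example, not code from the post or from any Kerberos distribution: a small parser for the MIT keytab file format (version 0x0502, the layout `ktutil` and `klist -ke` read) that lists each entry's principal, key version and enctype and flags single-DES entries. The principal names, realm, key bytes and kvnos in the sample keytab are constructed for the demonstration; `build_keytab` exists only to create that sample in memory.

```python
import struct
from dataclasses import dataclass

# Kerberos enctype numbers from the RFC 3961 registry, spelled as krb5.conf does.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
SINGLE_DES = {1, 2, 3}


@dataclass
class KeytabEntry:
    principal: str   # e.g. host/web01.example.edu@EXAMPLE.EDU (constructed)
    kvno: int
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    """16-bit big-endian length prefix, as used for the realm and name components."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialise entries in MIT keytab format 0x0502 (all fields big-endian).
    Only used here to construct a sample keytab in memory."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name type (1 = KRB5_NT_PRINCIPAL), timestamp, 8-bit key version number
        body += struct.pack(">IIB", 1, 0, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)          # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Decode every live entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):    # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            strings.append(data[pos:pos + n].decode())
            pos += n
        realm, comps = strings[0], strings[1:]
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:            # 32-bit kvno present: a non-zero value wins
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key))
    return entries


def audit_keytab(data: bytes):
    """Return (principal, enctype name, is_single_des) for each entry."""
    return [
        (e.principal, ENCTYPE_NAMES.get(e.enctype, "enctype-%d" % e.enctype), e.enctype in SINGLE_DES)
        for e in parse_keytab(data)
    ]


# Constructed sample keytab: one key issued with the old default, one with the new.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("host/web01.example.edu@EXAMPLE.EDU", 2, 1, bytes(8)),   # des-cbc-crc
    KeytabEntry("host/web01.example.edu@EXAMPLE.EDU", 3, 3, bytes(8)),   # des-cbc-md5
])

if __name__ == "__main__":
    for principal, name, weak in audit_keytab(SAMPLE_KEYTAB):
        print(f"{principal:40} kvno/enctype {name:26} {'single-DES' if weak else ''}")
```

Run it against a real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())`; the enctype names it prints are the ones to put in the `default_tkt_enctypes` / `default_tgs_enctypes` / `permitted_enctypes` lines of krb5.conf when the post's keytab change is needed, and a keytab whose entries are all single-DES is the signal that new keys must be issued rather than the configuration merely edited.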
Caveat: We haven't moved from NT4 yet, but...
This one can go to the bank. Do not go to 2000. Even the Microsoft people (from PSS, no less) say 2003 is the way to go. The list of improvements for AD (not to mention the other 2003 OS improvements) is staggering.
Yes, it's true that a M$ product can generally be considered trash until SP2 or SP3, but there are all sorts of known AD issues in 2000 that have been fixed.
Amateurs discuss tactics. Professionals discuss logistics.
gotta love these "admins" who put so much faith in version numbers. win2ksp4 isn't magically more stable than win2k3 because it's got more service packs
these morons go in the same box as the people who think that all of a sudden firefox will change dramatically and become stable (as if it wasnt already!) when it hits 1.0, but NO WAY AER WE INSTALLING FIREFOX BETAZ 0.9.2!!!1 THAT CANT BE STABLE CAUSE ITZ NTO 1.0!!!!!1111
I tried to install Active Directory once on my Sony Walkman, but all I could receive after that was broadcasts from the Nevada test site.
(get it? Radio Active Directory? Nevada test site?)
Some time ago, our IT department and an external IT consulting company (recommended by MS) tried to migrate our NT4 Domains (one per office plus some for special purposes) into a single W2k Active Directory. It took more than a week full of night shifts and a second IT consulting company to limit the damage caused by scripts of the first IT consulting company. World readable "top secret" documents, completely locked transfer folders, and locked-out users were only the tip of the iceberg.
So here is my advice: Have a verified backup of all working systems, run a lot of tests, and try the migration in a *good* lab environment first (a 1:1 copy of your production systems would be ideal). Repeat several times until everything works smoothly. Run the last tests with recent copies of the production system. DO NOT TRUST SCRIPTS! Verify the result of each script, and make all scripts abort if they find data they can not handle.
Tux2000
Thinking helps.
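The post above asks for two things of any migration script: abort on data it was not written for, and have its result verified afterwards. The following is an added example of what that verification step can look like, not code from the post; it is a reconciliation check, not a migration tool. The NT account export, the migrated account state and the share ACLs are constructed in-line as plain dictionaries (a real run would load them from the actual export and from the new directory), and the field names are assumptions made for the example. The three findings it produces mirror the three failures the poster lists: a locked-out user, a confidential share readable by Everyone, and a transfer folder nobody can read.

```python
from dataclasses import dataclass


class UnhandledData(Exception):
    """Raised when a record carries something this script was not written for."""


# Field names are an assumption for this example, not an NT export format.
KNOWN_USER_FIELDS = {"name", "groups", "disabled", "home"}


@dataclass
class SourceUser:
    name: str
    groups: set
    disabled: bool
    home: str


def load_source(records):
    """Turn exported account records into SourceUser objects, refusing any record
    with unknown or missing fields instead of silently dropping or guessing."""
    users = []
    for r in records:
        extra = set(r) - KNOWN_USER_FIELDS
        missing = KNOWN_USER_FIELDS - set(r)
        if extra or missing:
            raise UnhandledData(
                f"{r.get('name', '?')}: extra={sorted(extra)} missing={sorted(missing)}")
        users.append(SourceUser(r["name"], set(r["groups"]), bool(r["disabled"]), r["home"]))
    return users


def verify_migration(source, migrated, shares):
    """Compare the source accounts with the migrated state and the share ACLs.
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    for u in source:
        m = migrated.get(u.name)
        if m is None:
            findings.append(f"{u.name}: account missing after migration")
            continue
        if bool(m["disabled"]) != u.disabled:
            findings.append(f"{u.name}: disabled flag changed {u.disabled} -> {m['disabled']}")
        if set(m["groups"]) != u.groups:
            findings.append(f"{u.name}: groups {sorted(u.groups)} -> {sorted(m['groups'])}")
    for name in sorted(set(migrated) - {u.name for u in source}):
        findings.append(f"{name}: account exists in target but not in source")
    for path, acl in shares.items():
        if acl["confidential"] and "Everyone" in acl["readers"]:
            findings.append(f"{path}: confidential share readable by Everyone")
        if not acl["readers"]:
            findings.append(f"{path}: nobody can read this share")
    return findings


# Constructed sample data: what the export said, and what the target looks like after the scripts ran.
SOURCE_RECORDS = [
    {"name": "alice", "groups": ["payroll"], "disabled": False, "home": r"\\nt-pdc\home\alice"},
    {"name": "bob", "groups": ["staff"], "disabled": True, "home": r"\\nt-pdc\home\bob"},
]
MIGRATED_ACCOUNTS = {
    "alice": {"groups": ["payroll"], "disabled": True},   # locked out by the migration
    "bob": {"groups": ["staff"], "disabled": True},
}
SHARE_ACLS = {
    r"\\fs01\payroll": {"confidential": True, "readers": {"Everyone"}},   # world readable
    r"\\fs01\transfer": {"confidential": False, "readers": set()},        # completely locked
}


def run_checks():
    """Load the export (aborting on unhandled records) and verify the result."""
    return verify_migration(load_source(SOURCE_RECORDS), MIGRATED_ACCOUNTS, SHARE_ACLS)


if __name__ == "__main__":
    for line in run_checks():
        print("FAIL", line)
```

The shape matters more than the particular checks: every invariant the migration is supposed to preserve is compared explicitly against the source of truth, and the loader fails closed on a record it does not understand rather than carrying it across in some improvised way. Run it after each script in the lab, and again on the last rehearsal against a recent copy of production.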
Sorry if this is a me-too, but as a web host, I wanted to throw my two cents in..
:) but the general upgrade goes very smoothly. Put the CD in, wait an hour, fiddle with a few settings (ODBC, the .NET stuff, change IIS from 5.0 mode to 6.0 mode) and voila, you have a bigger, better, badder server.
The company I work for recently went from Windows 2000 Server to Windows Server 2003 Standard Edition (mm, Microsoft volume licensing) and the gains have been TREMENDOUS. Servers that were choking on running 1,000 websites (with e-mail, FTP, etc) because of memory issues and problems with website applications are now running like a dream with nearly all RAM free. The new application pool settings are a dream to work with, and the server just feels more robust now.
2003's stability is amazing just on its smarter handling of memory. It also helps that it's smarter on handling rogue applications that decide not to run right, and the fact it doesn't install everything under the sun by default helps as well.
If you are upgrading from 2000 to 2003, you do need to look for a few minor things (the ASP.NET user changes from ASPNET to NETWORK SERVICE, and you need to make sure ODBC updates completely - I had a few servers that couldn't connect to SQL Servers anymore and required me to install SQL Server and uninstall to fix it; I'm sure Microsoft had a solution for it but I was under a deadline
There's no reason to go with 2000 now that 2003 is available - there may be no service pack yet but it's running like a champ. Go with it.
Mike
Thank you. This is very useful!
"Flyin' in just a sweet place,
Never been known to fail..."
Win2k3 more or less has AD 2.0 (or 1.1 if you must). You can now actually rename a domain, and establish cross-forest trust designs, speed enhancements, better sync, etc. Here's a basic overview of the diffs:
http://www.techgalaxy.net/Docs/Win2003/WS03_AD_improvements.htm
You're going to get a lot more flexibility in the long haul this way.. really doesn't make any sense to stay with 2k IMHO.
This is one of the most amazing features that no one seems to have mentioned ...
Not needing VNC/pcanywhere installed is a great thing
Being able to manage the servers that have console applications running from any Windows XP client on the LAN has been a life saver.
oh and AD management tools (saved queries!!) are sw33t!
Why do so many users and occasional admins fear the "new" thing? Think about the operating systems you are comparing; the thing that really matters in any operating system is the core of it, or the kernel for the geeks.
The fact is the last two desktop operating systems are definitely on a very similar if not identical kernel. I mean XP is a butt kicking version of Windows 2000 with all the functionality and more, at least for those actually using professional. It was the huge success of 2K outside of the business world that helped result in the death of 9x (ME was BAD) and the complete usual of the NT-esque kernel that 2K used.
A similar thing can be said with 2003. It is Server 2000 with a few extra things here and there and is as such more stable, cleaner, and offers a load more features than 2000 did, or ever will. There is no point in waiting for tons of Service Packs, because otherwise you will be using 2003 when the server post-Longhorn comes out. The fact is Windows isn't quick with Service Packs not so much because they are lazy as because they aren't as needed as they were in Win 2K and prior. Use 2003 and keep up with the rest of the pack; if you fall behind now your company will be playing catch up for years.
"Some days you just can't get rid of a bomb."
Aside from some mention of price, the discussion has stayed reasonably technical, but it would be essential to know what has changed in regard to the licensing.
I work with both on a regular basis at customer sites and in my own VMware-based test and demo environments. 2k3 is a lot better as a server OS and as an AD domain controller.
That said, one of the reasons it's better is the improved security. If you rely on NTLM for IIS authentication, you may have some fun getting that to work (hint, allow delegation on the IIS server). DOS clients may have some trouble mounting network volumes too (hint, think workstation OS imaging).
However, 2003 definitely cuts the mysterious breakages down to a minimum. I see a lot less of machines falling out of the domain, for instance.
"Nothing was broken, and it's been fixed." -- Jon Carroll
2K3 without any service packs is more stable than 2K SP4.
'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman