Active Directory on Win2k or 2k3?
lordbry asks: "I am a Windows admin for a major university in a business computing area (if we have problems, people might not get paid). We have a Windows NT Domain, and are planning to migrate to Active Directory. One of my co-workers is pushing for doing this under Windows 2003. I, however, feel that (as with any M$ product) we should not even consider using 2003 for production anything until there is an SP 2 or 3, and that we should go with AD under Windows 2000. Does anyone have any advice, arguments, or horror stories that could help me make my case to the rest of my group, all of whom are somewhere in the middle? Does anyone think that 2003 is the way to go?"
Windows 2003 is 1000 times better than 2000. It's significantly more stable, it's got the fantastic volume shadow copy (kinda like CVS...kinda), it's got DFS, and it's extremely well supported.
Don't think of it like a new Windows - it's actually Windows NT 5.2, which is heavily built upon 2000.
I recently upgraded to AD (well, 5 months ago...), and now I'm wishing I went with 2003. It's not a big difference, but our test 2003 machines are a joy to use. Additionally, if you want to run the 2000 Server Adminpak on Windows XP, with the Exchange 2000 tools, it's not fun to install - the 2003 tools work natively on an XP client.
There really is no reason not to go with 2003, given the choice.
"The natural progress of things is for liberty to yield and government to gain ground." - Thomas Jefferson
We went to 2k3 around the time it was released. The response around the office is more or less, "Fuck chevy this thing's a rock".
For shits and giggles we put it on a Pentium 2 300 laptop with 300MB of RAM, it was stable, fast, and useful. In all honesty it is a great product and a worthy successor to 2k.
There is nothing wrong with being gay. It's getting caught where the trouble lies.
I've only used it on Windows 2000, so I can't offer advice on which to pick, but I can tell you that it isn't wise to dump over 2500 users into Active Directory with a script. AD will not like it, trust me. :)
I've been through this twice now. Once recently and once about 8 months ago. The first one was an upgrade from NT -> 2003 and the second was an upgrade from a 2000 AD -> 2003 AD. Both times, I ended up MORE than happy that I went to 2003. The tools for 2003 beat the hell out of the tools for 2000. If you decide to add Exchange to the mix, Ex 2003 is more stable and has better features over 2000. All in all, if you're going new, there's no reason to wait for the .2 or .3.
I find W2K3 to be quicker and have more nifty options and features. It also depends on your client population, with XP being more easily managed under W2K3 with the stock GPO, copies, and templates provided.
At the same time I've had problems with W2K3 as a DNS/WINS server. And a DFS server. It took a long time and lots of digging to resolve those issues and it looked like it was the first time MS had come across a lot of the issues we had when we got in touch with them. Eventually worked out but it's never fun to be the first to find a bug in a critical service.
The other annoyance we've had with W2K3 is its control over W2K clients. Things like IE settings that'd be pushed from our old domain controller or from IEAK stuff stopped working or worked oddly in W2K3. It would store security settings in two files, push only one, confuse clients, etc.
If I had to do it all over again ~today~ I'd go W2K3 because I've found the past few months' worth of documentation and support to be much better than a year ago.
I should note that the first network I deployed W2K3 in was ~80 nodes. It was critical, 24 hour operation, Engineering intense, lots of storage, license servers, etc. So it wasn't trivial but it's not a University sized environment, not that many thousands of clients.
In conclusion.. I don't have a conclusion. I think I'd have to hear what services besides AD you'd want to run off of it. Do you run DNS, DFS, SFU, Licenses, TS, etc. off of the same servers?
Oh, if you do go W2K3, install the Resource Kit bundle right away, it's priceless for administration and scripting.
Anyhow, good luck, Cheers, -Pk
Um. AD using Windows 2003 is the service pack for the version of AD using Windows 2000.
It's not like they re-wrote it from scratch. Nor is it like AD (using 2000) is entirely new either; it was developed from the backend of Exchange's directory service, if I understand correctly.
Go with 2003, I haven't read of any particular defects of either AD or the server OS features under 2003, compared to 2000. And yes, things like Volume Shadow Copy, or whatever it's called, may make your life as an admin easier. Certainly, if you're running IIS sites, you'll appreciate the security of IIS 6 more than IIS 5.
Win2k3 will run your .NET-based apps a little better as .NET runtime binding is built into the way applications are executed on Win2k3 and WinXP.
I only used the betas and release candidates, but they were all very stable and we actually had fewer problems with them than our Win2k machines.
Just my 2 cents...
Great ideas often receive violent opposition from mediocre minds. - Albert Einstein
It lets you do AMAZING THINGS like oh, change properties on multiple users at once... and stuff. Ya know, like you could in frickin' NT, 10 years ago.
Thanks, Bill.
If you haven't bought 2000 -- skip it, most of our customers that have 2000 want 2k3, but now have to purchase all new CALs...
Again, thanks, Bill.
Windows 2000 is almost EOL'd. Windows 2000 Support Cycle. Non-security updates end 3/31/05 (8 months from now) and security updates end on 3/31/07 - eight months from now. I'd go with 2003 since by the time you are done with the migration, 2000 will probably be at the end of its useful life and you'll be looking at going to 2003 anyways.
Mandrake 6 on old Pentium 2 would serve the purpose just right and you should contribute money to GNU foundation instead!! UU!!
Phillip
Use 2003, it is the same as 2000 with added admin features. There are a few issues that we have had, but they have all been patched by now.
If you are worried about stability, we have found 2003 is much more stable than 2000. 2003 is just 2000 with extra features, I don't think much in the core has been changed.
Additionally, if you go with 2000, you have 3 years less support on the product. I assume you are using licencing, so upgrades are free, but the labour in changing over is huge.
Remember to work out how much time it is going to take you and triple it. You WILL run into problems. Always have a fall back position for when the shit hits the fan.
- fewer security patches (== longer uptime)
- way more flexible schema updates, especially in a large AD environment
- way more secure than Microsoft's previous iterations right out of the box and in general operation
- generally faster (but that will depend on what else you've got running on it - hopefully just AD)
- much better command line administration (can do most everything from a command window)
Do yourself a favor and also grab ActiveState's Perl distribution and, since you're already running a ludicrously expensive OS, buy their PerlNET distribution (part of the Perl Dev Kit - http://activestate.com/Products/Perl_Dev_Kit/pric...). Also make sure you install the resource kit.
Mind the gap...
I wouldn't bother to listen to your argument if you are calling Microsoft "M$". That's biased, and so that doesn't help make rational decisions that are needed when you're dealing with a project of this magnitude. Leave the M$ WinBlowz speak for the IRC chatrooms.
Sorry to sound like a troll or spread flamebait, I just think this talk has to stop because it makes Apple, Linux, etc, users seem like biased morons.
I'd rather this be replied to harshly than modded down if you find what I said to be disagreeable.
Like others have said, it is an upgrade, not a new OS. They have improved AD a good bit. It is more stable than 2000, it's a bit quicker network wise (new BSD stack), handles memory a bit better, and is generally snappier than its predecessor. If you're going to use it for any Terminal Services, you also have the bonus of doing more than 256 color in a terminal session and can easily map all of your drives, printers, sound, etc to the local terminal. 2003 is a good chunk of what 2000, actually, NT4 was supposed to be. Now, if they could get WinFS in there they would have most all of their pre-NT4 technologies in place. :)
CliffH
sigs are like a box of chocolates, they all suck remove the underscores to email me
I say this because it's only going to be a few years I bet before Microsoft drops support for patches for 2K.
Actually, Windows 2000 life cycle is Jun 30th 2005 for mainstream support and Jun 30 2010 for extended support. (By comparison Windows 2003 mainstream is Jun 30 2008 and extended is Jun 30 2013)
This is from MS.com. Difference between Mainstream and Extended support here.
Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
You *absolutely* want to use Server 2003 over 2000. If you *must* use 2000, make sure you use the very latest service pack and appropriate hot-fixes. As others have mentioned, 2003 is really a *minor* update to 2000, despite the name change.
:-)
I have deployed an extensive AD (60+ domain controllers and 80,000 users) on early (SP2-era) Windows 2000. AD had major bugs and scalability issues in versions before Windows 2000 SP4.
Whatever you do, make sure to do good research, home-work, and design *before* you start deploying the infrastructure, creating organization units, and policies. Good design will pay off as the infrastructure grows. Bad design will create increasingly complex problems as your infrastructure grows. It's no fun to re-design and re-deploy over a large and broken first attempt.
Good luck!
As an "admin for a major university" I would hope you are basing upgrade decisions on the service pack numbers. Maybe do some research and check stability statistics and use cases.
I guess this kind of reasoning is why Java 5 is so much better than Java 1.5.
Oh, and one other thing? If you go with a Windows 2000 AD structure, then wish to bring in 2003 Domain Controllers, you'll get to extend your AD schema. While it wasn't a problem for us, I really don't think you want to have to go through such a process. After all, at its core AD is a big-ass database. Do you really want to extend a DB schema if you don't have to?
Just go with 2003 to begin with and be set with the new schema, finer grained GPOs, better management tools, etc.
Which is, according to the industry rags, NDS, now called eDirectory. I know many people will point out that LDAP could almost certainly handle the job and is basically the de facto standard, but NDS has had more time to mature and is more robust. Either one can run completely on Linux (or even Solaris or NT/2Kx if you enjoy paying needless license fees). Are you stuck using the legacy windows platform or can you make a clean break and migrate to something better?
I just migrated my workplace from NT4 to 2k3 Active Directory.
The process went without a hitch.
First we ghosted our PDC, that way we could return things to normal quickly if the upgrade didn't work. We popped in the 2k3 CD, and went through like a normal install.
AD is tied to DNS. Choose your DNS name now; it's best if you control your own DNS servers if you want to use your web domain, otherwise it's a bit of a pain (but it works).
After the install completed, dcpromo ran and imported all our user and computer accounts. It might be best to do the housekeeping of unused users, groups etc. before migrating.
Adding additional controllers is easy: just install 2k3 and run dcpromo, and select add an additional controller to domain. It will automatically replicate for you.
Design your directory structure prior to migration.
And like all Windows systems - when in doubt, reboot. 2k3 is rock solid, but I had an issue where DNS would not replicate properly until I rebooted the first DC.
Also I might add that Microsoft's Software Update Services (SUS) works amazingly well. It can be enforced with Group Policy, and all your approved updates can be forced to your clients when you want them to be. Patch management is much simpler now.
I have worked with Active Directory since its early betas, arranged and performed at least 100 production installs and upgrades over the past few years. And I would say (strongly recommended) that most of my people move over to 2003. I have yet to have a 2003 install fail, while at the same time it works faster and more stable than 2000 - and not that 2000 Server was bad to begin with. As far as service packs, I would agree with other posts that 2003 is pretty much Windows2000 SP6 or so. Keep in mind the MS version numbers:
.2 is a minor version upgrade.
Windows2000 = NT 5.0
Windows XP = NT 5.1
Windows2003 = NT 5.2
Just thought I'd add my 2 cents. Everyone else is right, 2003 has some nicer features than 2000. If you want to take advantage of a lot of the 2003 features, you're going to need a majority of XP machines. If your client base is all NT4 or 2000, you're not going to see the maximum benefits.
Technology Consulting & Free Downloads
Caveat: We haven't moved from NT4 yet, but...
This one can go to the bank. Do not go to 2000. Even the Microsoft people (from PSS, no less) say 2003 is the way to go. The list of improvements for AD (not to mention the other 2003 OS improvements) is staggering.
Yes, it's true that a M$ product can generally be considered trash until SP2 or SP3, but there are all sorts of known AD issues in 2000 that have been fixed.
Amateurs discuss tactics. Professionals discuss logistics.
Some time ago, our IT department and an external IT consulting company (recommended by MS) tried to migrate our NT4 Domains (one per office plus some for special purposes) into a single W2k Active Directory. It took more than a week full of night shifts and a second IT consulting company to limit the damage caused by scripts of the first IT consulting company. World readable "top secret" documents, completely locked transfer folders, and locked-out users were only the tip of the iceberg.
So here is my advice: Have a verified backup of all working systems, run a lot of tests, and try the migration in a *good* lab environment first (a 1:1 copy of your production systems would be ideal). Repeat several times until everything works smoothly. Run the last tests with recent copies of the production system. DO NOT TRUST SCRIPTS! Verify the result of each script, and make all scripts abort if they find data they cannot handle.
Tux2000
Thinking helps.