Active Directory on Win2k or 2k3?
lordbry asks: "I am a Windows admin for a major university in a business computing area (if we have problems, people might not get paid). We have a Windows NT Domain, and are planning to migrate to Active Directory. One of my co-workers is pushing for doing this under Windows 2003. I, however, feel that (as with any M$ product) we should not even consider using 2003 for production anything until there is an SP 2 or 3, and that we should go with AD under Windows 2000. Does anyone have any advice, arguments, or horror stories that could help me make my case to the rest of my group, all of whom are somewhere in the middle? Does anyone think that 2003 is the way to go?"
Don't believe the hype. (Score:5, Insightful)
Don't think of it like a new Windows - it's actually Windows NT 5.2, which is heavily built upon 2000.
Re:Don't believe the hype. (Score:2, Insightful)
Re:Don't believe the hype. (Score:2)
Isn't it also 1000 times the price?
(no joke, isn't it significantly more expensive?)
Re:Don't believe the hype. (Score:4, Informative)
Owning a 2000 WS or XP Pro license no longer counts as a server CAL for 2003 - you need also to buy a CAL for that station, on top of OS price.
That said, 2003 is definitely what 2000 was supposed to be. You are worried about service packs? I would look at 2003 as the 3rd rev of 2000. The directory scales better times 1000 - and is massively more flexible in configuration, especially if you are interoperating with non-MS Kerberos realms. Plus, you get ADAM, constrained and granular delegation of Kerb IDs, a built-in firewall, etc.
Really, it's hard to know where to start on the advantages.
Re:Don't believe the hype. (Score:1)
That's the way it's been for years (Since NT 4 at least). You pay for Server OS, Client OS and CAL to use Windows server, Windows Professional and connect one to the other.
The difference is in base price (Windows 2003 Standard w/5 CALs retails for about US $100 more than Windows 2000 Server Standard w/5 CALs) and in Terminal Services licensing (Win2k and XP Pro
Don't believe the hype, use Kerberos instead (Score:2)
Go with straight Kerberos + LDAP authentication. AD still has scalability issues which, though improved over earlier versions of itself, are still behind Novell NDS or Kerberos + LDAP. Interoperability with a heterogeneous set of workstations is historically pretty poor for AD. Kerberos and LDAP clients exist and function quite nicely on whatever platform you have.
Furthermore, if nothing else, pricing in the 2003 ver
Re:Don't believe the hype. (Score:4, Informative)
The problem is that Windows 2003 server's Kerberos server will use TCP to send out large bits of data, like allegedly when a user is a member of a lot of groups. Kerberos 1.2 only uses UDP.
Kerberos 1.3 (used in Fedora) works just fine. We were able to get the Kerberos 1.3 source RPMs to compile under RHEL 3 but also had to get an updated e2fsprogs rpm and hand do a symlink for a library due to a minor version mismatch.
OK, this may not apply to you but maybe someone reading this who has their RHEL boxes auth against AD in 2000 server may benefit.
Kerb / 2003 was Re:Don't believe the hype. (Score:2)
Re:Don't believe the hype. (Score:2)
More expensive? No. (Score:2)
Re:Don't believe the hype. (Score:1)
Re:Don't believe the hype. (Score:4, Informative)
I admit my first reaction was "Global infrastructure on a service pack 0 platform ????" but after spending some time on the system my view changed entirely.
Go with w2k3. You won't regret it.
ps I am personally responsible for finding bugs that some of the hotfixes fix ;-)
I'd go with 2003 (Score:5, Interesting)
There really is no reason not to go with 2003, given the choice.
Re:I'd go with 2003 (Score:1)
We've run AD since a few months after it was released. We have around 30k user accounts in it. We completed an upgrade to 2k3 earlier this year and all of the functionality that should have been there at the initial release has suddenly appeared. As the parent mentioned, the client tools are a lot better - we no longer need to log into the DCs to do day-to-day administration.
Also important in a large environment, the 5000 peo
Who here has examined the licensing changes? (Score:1)
At my office (Score:5, Informative)
For shits and giggles we put it on a Pentium 2 300 laptop with 300MB of RAM; it was stable, fast, and useful. In all honesty it is a great product and a worthy successor to 2k.
Re:At my office (Score:1, Funny)
Nice.
Word of advice.. (Score:3, Interesting)
Re:Word of advice.. (Score:5, Informative)
What type of problems did you encounter?
Re:Word of advice.. (Score:3, Informative)
Re:Word of advice.. (Score:3, Informative)
What this means is that the group membership will 'lose' members if you change it in different places and wait for replication.
This is one reason that 2k3 is better. It fixes this issue.
Re:Word of advice.. (Score:1)
Tim
Re:Word of advice.. (Score:3, Interesting)
However, another person who replied to you points to a kb article that says it is a problem under 2000 server.
Maybe I was just lucky.
Mass adding users is common in educational institutions at the beginning of a term. Scary that it might have problems...
Windows 2003 - hands down (Score:5, Insightful)
Why not both? (Score:5, Insightful)
I find W2K3 to be quicker and have more nifty options and features. It also depends on your client population, with XP being more easily managed under W2K3 with the stock GPO, copies, and templates provided.
At the same time I've had problems with W2K3 as a DNS/WINS server. And a DFS server. It took a long time and lots of digging to resolve those issues and it looked like it was the first time MS had come across a lot of the issues we had when we got in touch with them. Eventually worked out but it's never fun to be the first to find a bug in a critical service.
The other annoyance we've had with W2K3 is its control over W2K clients. Things like IE settings that'd be pushed from our old domain controller or from IEAK stuff stopped working or worked oddly in W2K3. It would store security settings in two files, push only one, confuse clients, etc.
If I had to do it all over again ~today~ I'd go W2K3 because I've found the past few months' worth of documentation and support to be much better than a year ago.
I should note that the first network I deployed W2K3 in was ~80 nodes. It was critical, 24 hour operation, Engineering intense, lots of storage, license servers, etc. So it wasn't trivial but it's not a University sized environment, not that many thousands of clients.
In conclusion.. I don't have a conclusion. I think I'd have to hear what services besides AD you'd want to run off of it. Do you run DNS, DFS, SFU, Licenses, TS, etc. off of the same servers?
Oh, if you do go W2K3, install the Resource Kit bundle right away, it's priceless for administration and scripting.
Anyhow, good luck, Cheers, -Pk
Re:Why not both? (Score:1)
'A' records mysteriously disappearing?
Re:Why not both? (Score:1)
WINS wouldn't seem to flush old entries even when you tried to force it. So if you have/had a netbios alias on a system in the registry, you couldn't ever get rid of it easily. It would linger until some seemingly arbitrary day/time and it'd go a
Re:Why not both? (Score:1)
Seems like the only consistent way is to delete the WINS database and let it rebuild itself. I've seen tombstoned records stick around for weeks in there.
Re:Why not both? (Score:2)
To take advantage of all 2k3's new features requires only 2k3 controllers. If you have a 2k DC then you can't use those features.
Note that you can have 2k member servers (not DCs) and both AD modes support NT4 BDCs for any older clients you may have.
Re:Why not both? (Score:2)
Re:Why not both? (Score:2)
W2K3 (Score:2)
Go with 2003 (Score:5, Informative)
It's not like they re-wrote it from scratch. Nor is it like AD (using 2000) is entirely new either; it was developed from the backend of Exchange's directory service, if I understand correctly.
Go with 2003, I haven't read of any particular defects of either AD or the server OS features under 2003, compared to 2000. And yes, things like Volume Shadow Copy, or whatever it's called, may make your life as an admin easier. Certainly, if you're running IIS sites, you'll appreciate the security of IIS 6 more than IIS 5.
Re:Go with 2003 (Score:3, Funny)
If you do run IIS sites
I want to
Its been a while, but... (Score:3, Informative)
Win2k3 will run your .NET-based apps a little better as .NET runtime binding is built into the way applications are executed on Win2k3 and WinXP.
I only used the betas and release candidates, but they were all very stable and we actually had fewer problems with them than our Win2k machines.
Just my 2 cents...
Re:Its been a while, but... (Score:1)
Windows 2003 Is Amazing!! (Score:2, Interesting)
Thanks, Bill.
If you haven't bought 2000 -- skip it, most of our customers that have 2000 want 2k3, but now have to purchase all new CALs...
Again, thanks, Bill.
New record for lordbry (Score:1, Insightful)
Re:New record for lordbry (Score:2, Funny)
Re:New record for lordbry (Score:1, Offtopic)
Where has the love gone?
Re:New record for lordbry (Score:1)
Re:New record for lordbry (Score:1)
Re:New record for lordbry (Score:2)
Re:New record for lordbry (Score:1)
Re:New record for lordbry (Score:2)
Re:New record for lordbry (Score:1)
Re:New record for lordbry (Score:2)
Re:New record for lordbry (Score:2)
Re:New record for lordbry (Score:2)
Win2k3 is a different animal than Win2k, even if they do share huge portions of the same codebase.
Re:New record for lordbry (Score:1, Funny)
Employee one: "Man, Windows 2000 is pretty good, but using it causes cancer!"
Employee two: "2003 is WAY better. It includes two packets of chemo pills! Thanks Bill!"
Go with 2003 (Score:4, Insightful)
Re:Go with 2003 (Score:1)
2003 (Score:3, Insightful)
If you are worried about stability, we have found 2003 is much more stable than 2000. 2003 is just 2000 with extra features, I don't think much in the core has been changed.
Additionally, if you go with 2000, you have 3 years less support on the product. I assume you are using licensing, so upgrades are free, but the labour in changing over is huge.
Remember to work out how much time it is going to take you and triple it. You WILL run into problems. Always have a fall back position for when the shit hits the fan.
Go with 2003 (Score:5, Insightful)
Also make sure you install the resource kit.
Sorry if this is off topic...but... (Score:5, Interesting)
Sorry to sound like a troll or spread flamebait, I just think this talk has to stop because it makes Apple, Linux, etc, users seem like biased morons.
I'd rather this be replied to harshly than modded down if you find what I said to be disagreeable.
Re:Sorry if this is off topic...but... (Score:1, Funny)
"M$" is ju$t @ p@rt of teh l33t sp3ak v3rnacul@r.
And j00@ll kn0w th@t l33t sp3ak impr3$$3s @ll teh h0t chixx0rs!
Re:Sorry if this is off topic...but... (Score:1)
M$ [penny-arcade.com]
It's funny because it's true
Re:Sorry if this is off topic...but... (Score:3, Insightful)
You got lost buddy. (Score:2)
Look pal, there are many people out there who, as part of their job, have to do things which do not necessarily please them in the extreme.
That does not mean they are not professional.
There was once a musician in one German orchestra that had to perform the first installment of one of Richard Wagner's masterpieces. His performing was so superb that Wagner went to thank him personally. When he asked the performer (I
Re:Sorry if this is off topic...but... (Score:1)
I did that partially to convey (in addition to my distrust of new microsoft products) that I AM biased... If I ask something like this again I will try to say that I am slightly biased.
Trolling is generally incoherent. You make a good point.
I think you misunderstand.... (Score:1, Informative)
Windows 2000 - Windows NT 5.0
Windows XP - Windows NT 5.1
Windows 2003 - Windows NT 5.2
Something tells me there is nothing ground breaking going on from version to version! In all seriousness though, go with 2003 or you'll be sorry. I say this because it's only going to be a few years I bet before Microsoft drops support for patches for 2K. You don't want to spend a ton of money only to have
Re:I think you misunderstand.... (Score:4, Informative)
Actually, Windows 2000 life cycle is Jun 30th 2005 for mainstream support and Jun 30 2010 for extended support. (By comparison Windows 2003 mainstream is Jun 30 2008 and extended is Jun 30 2013)
This is from MS.com [microsoft.com]. Difference between Mainstream and Extended support here [microsoft.com].
Re:I think you misunderstand.... (Score:2)
2003 all the way (Score:3, Interesting)
Suggest 2003 and serious design homework (Score:2, Insightful)
I have deployed an extensive AD (60+ domain controllers and 80,000 users) on early (SP2-era) Windows 2000. AD had major bugs and scalability issues in versions before Windows 2000 SP4.
Whatever you do, make sure to do good research, home-work, and design *before* yo
Relying on service pack numbers? (Score:2, Interesting)
I guess this kind of reasoning is why Java 5 is so much better than Java 1.5.
2003 Is Plenty Stable (Score:2)
I'd definitely go with 2003 myself. There's no reason to go to 2000...
Oh, and AD can be very nice to work with, just be sure you know what you're doing. It's a complex, powerful tool, and just like any good tool you can hurt yourself or get mired in misconfigurations.
Another word of advice? Use certified and tested d
Re:2003 Is Plenty Stable (Score:3, Insightful)
Just go with 2003 to begin with and be set with the new schema, finer grained GPOs, better management tools, etc.
Why not use the Best of Breed technology? (Score:4, Interesting)
Re:Why not use the Best of Breed technology? (Score:1)
Re:Why not use the Best of Breed technology? (Score:2)
Re:Why not use the Best of Breed technology? (Score:3, Insightful)
Ok, this has been getting to me throughout the commentary, but people keep on making the same mistake.
LDAP is a protocol. It's not a product. Any product that implements RFC2251 is LDAP.
The Active Directory implements LDAP, as does eDirectory and many other directory services.
Which LDAP did you mean?
Re:Why not use the Best of Breed technology? (Score:2)
Re:Why not use the Best of Breed technology? (Score:2)
I wasn't making a mistake. I know that LDAP is a protocol and not a product. However, there are many implementations of LDAP and many of them are high quality and open source. Any LDAP software is likely to be able to support more transactions per second than one of the big-name products implementing X.500 yet would probably be able to handle the complexity of the j
Horror Stories (Score:1)
Go for it! (Score:2)
Also, as a standard practice, I disable DCOM and install a virus scanner and set all machines to auto-update (both virus signatures and windows updates) in the early morning (say around 05:00 local time). The servers will automatically update and reboot and I've personally never had a problem even though the servers are d
I Just Did this Migration (Score:5, Insightful)
The process went without a hitch.
First we ghosted our PDC, that way we could return things to normal quickly if the upgrade didn't work. We popped in the 2k3 CD and went through like a normal install.
AD is tied to DNS. Choose your DNS name now; it's best if you control your own DNS servers if you want to use your web domain, otherwise it's a bit of a pain (but it works).
After the install completed dcpromo ran and imported all our user and computer accounts. It might be best to do the housekeeping of unused users, groups etc. before migrating.
Adding additional controllers is easy, just install 2k3 and run dcpromo, and select add an additional controller to domain. It will automatically replicate for you.
Design your directory structure prior to migration.
And like all Windows systems - when in doubt reboot. 2k3 is rock solid, but I had an issue where DNS would not replicate properly, until I rebooted the first DC.
Also I might add that Microsoft's Software Update Services (SUS) works amazingly well. It can be enforced with Group Policy, and all your approved updates can be forced to your clients when you want them to be. Patch management is much simpler now.
Re:I Just Did this Migration (Score:3, Informative)
One of my clients with many DNS servers has finally developed some filters to cut out all the AD crap lookups coming from a handful of poorly designed systems. It's not just a little bit of traffic, it was something like a 25x increase in bogus DNS traffic because a handful of his clients thought they could get away with putting their company name as the TLD or some other misunderstanding of AD.
Plan on first building a sandbox version of your network, with a
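The traffic pattern this reply describes shows up in a resolver's query log as AD SRV locator lookups for domains that can never resolve on the public Internet. The following is an added example, not code from the thread: it scans constructed BIND-style query-log lines and counts, per client, the AD locator queries whose domain is a single label or ends in one of an assumed set of non-public suffixes.

```python
import re
from collections import Counter

# Constructed sample lines in BIND-style query-log format (not taken from the page).
SAMPLE_LOG = """\
client 10.1.2.3#51000: query: _ldap._tcp.dc._msdcs.acme IN SRV +
client 10.1.2.3#51001: query: _kerberos._tcp.dc._msdcs.acme IN SRV +
client 10.1.2.4#51002: query: _ldap._tcp.dc._msdcs.ad.example.edu IN SRV +
client 10.1.2.5#51003: query: _ldap._tcp.corp.local IN SRV +
client 10.1.2.5#51004: query: _gc._tcp.corp.local IN SRV +
client 10.1.2.6#51005: query: www.example.com IN A +
"""

# Assumed set of suffixes that are not delegated publicly; a locator query
# ending in one of these (or in a bare single label such as "acme") leaks
# to the root servers and fails, which is the bogus traffic described above.
NON_PUBLIC_SUFFIXES = {"local", "lan", "corp", "internal", "home"}

# SRV prefixes that Windows clients use to locate domain controllers.
AD_SRV_PREFIXES = ("_ldap._tcp.", "_kerberos._tcp.", "_gc._tcp.", "_kpasswd._tcp.")

LINE_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def ad_domain_of(qname):
    """Return the AD domain name implied by an AD locator query, or None."""
    name = qname.lower().rstrip(".")
    for prefix in AD_SRV_PREFIXES:
        if name.startswith(prefix):
            rest = name[len(prefix):]
            # Drop the optional dc._msdcs. / pdc._msdcs. / gc._msdcs. labels.
            return re.sub(r"^(dc|pdc|gc)\._msdcs\.", "", rest)
    return None


def is_misconfigured_domain(domain):
    """Single-label names and non-public suffixes cannot resolve publicly."""
    labels = domain.split(".")
    return len(labels) == 1 or labels[-1] in NON_PUBLIC_SUFFIXES


def find_bogus_ad_lookups(log_text):
    """Count, per (client, domain), AD SRV lookups that can never succeed."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("qtype") != "SRV":
            continue
        domain = ad_domain_of(m.group("qname"))
        if domain is not None and is_misconfigured_domain(domain):
            hits[(m.group("client"), domain)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (client, domain), n in sorted(find_bogus_ad_lookups(SAMPLE_LOG).items()):
        print(f"{client} sent {n} unresolvable AD locator queries for '{domain}'")
```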
Go for 2003 - Hands Down (Score:2, Interesting)
Samba! (Score:2)
I'd go with 2003 though -- aside from extremely annoying problems porting apps over from NT due to new security settings (which you wouldn't have as an AD controller) it's been completely trouble free, stable, and quite frankly rock solid. Oh great, now I feel like a microsoft whore.
ughh... dirty. dirty.
Depends on your clients (Score:2, Informative)
2003 all the way (Score:3, Informative)
This one can go to the bank. Do not go to 2000. Even the Microsoft people (from PSS, no less) say 2003 is the way to go. The list of improvements for AD (not to mention the other 2003 OS improvements) is staggering.
Yes, it's true that a M$ product can generally be considered trash until SP2 or SP3, but there are all sorts of known AD issues in 2000 that have been fixed.
"Duck and cover!" (Score:3, Insightful)
Some time ago, our IT department and an external IT consulting company (recommended by MS) tried to migrate our NT4 Domains (one per office plus some for special purposes) into a single W2k Active Directory. It took more than a week full of night shifts and a second IT consulting company to limit the damage caused by scripts of the first IT consulting company. World readable "top secret" documents, completely locked transfer folders, and locked-out users were only the tip of the iceberg.
So here is my advice: Have a verified backup of all working systems, run a lot of tests, and try the migration in a *good* lab environment first (a 1:1 copy of your production systems would be ideal). Repeat several times until everything works smoothly. Run the last tests with recent copies of the production system. DO NOT TRUST SCRIPTS! Verify the result of each script, and make all scripts abort if they find data they can not handle.
Tux2000
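Tux2000's last point (abort on anything the script cannot handle) and the earlier migration write-up both come down to validating every exported account before a single change is applied. The following is an added example, not code from either post or from any Microsoft tool: a fail-closed planning pass over a constructed NT account export, with a hypothetical NT-to-AD group mapping and a hypothetical set of home-share ACL values as its assumptions.

```python
import re


class MigrationAbort(Exception):
    """Raised on the first record the script was never taught to handle."""


# Hypothetical mapping of NT global groups to target AD groups (assumption).
GROUP_MAP = {
    "Domain Users": "Domain Users",
    "Payroll": "Payroll-Staff",
    "Payroll Admins": "Payroll-Admins",
}
# Home-share permissions the script knows how to translate; anything else aborts.
ALLOWED_SHARE_ACLS = {"owner-only", "group-read", "group-change"}
USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{0,19}$")


def validate_record(rec):
    """Return the planned action for one exported account, or raise MigrationAbort."""
    problems = []
    name = rec.get("username", "")
    if not USERNAME_RE.match(name):
        problems.append(f"username {name!r} does not match the expected pattern")
    unknown = [g for g in rec.get("groups", []) if g not in GROUP_MAP]
    if unknown:
        problems.append(f"unmapped groups {unknown!r}")
    if rec.get("home_acl") not in ALLOWED_SHARE_ACLS:
        problems.append(f"unhandled home share ACL {rec.get('home_acl')!r}")
    if problems:
        raise MigrationAbort(f"{name}: " + "; ".join(problems))
    return {
        "create_user": name,
        "add_to_groups": [GROUP_MAP[g] for g in rec["groups"]],
        "home_acl": rec["home_acl"],
    }


def plan_migration(records):
    """Validate every record before anything is applied: all or nothing."""
    return [validate_record(r) for r in records]


def migration_aborts(records):
    """True if the export contains data the script refuses to migrate."""
    try:
        plan_migration(records)
    except MigrationAbort:
        return True
    return False


# Constructed sample export (not real accounts).
SAMPLE_EXPORT = [
    {"username": "jsmith", "groups": ["Domain Users", "Payroll"], "home_acl": "owner-only"},
    {"username": "ajones", "groups": ["Domain Users", "Payroll Admins"], "home_acl": "group-read"},
]
# One record carries a permission value the script was never taught. A script
# that silently guessed a translation here is how a share ends up world readable.
BAD_EXPORT = SAMPLE_EXPORT + [
    {"username": "tmp.share", "groups": ["Domain Users"], "home_acl": "everyone-full"},
]
```

Run the planning pass against a copy of the export in the lab first; only an export that produces a complete plan without raising is a candidate for the real run.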
My 2.62948 cents Canadian (Score:1)
The company I work for [e-insites.com] recently went from Windows 2000 Server to Windows Server 2003 Standard Edition (mm, Microsoft volume licensing) and the gains have been TREMENDOUS. Servers that were choking on running 1,000 websites (with e-mail, FTP, etc) because of memory issues and problems with website applications are now running like a dream with nearly all RAM free. The new application pool settings are a dream to work with, a
new stuff in win2k3 (Score:1)
http://www.techgalaxy.net/Docs/Win2003/WS03_AD_
You're going to get a lot more flexibility in the long haul this way.. really doesn't make any sense to stay with 2k IMHO.
2003, for sure (Score:1)
The fact is the last two desktop operating systems are definitely on a very similar if not identical kernel. I mean XP is a butt kicking version of Windows 2000 with all the functionality and more, at least for those actually using professional. It was the huge success of 2K outside of
2k3 all the way (Score:2)
That said, one of the reasons it's better is the improved security. If you rely on NTLM for IIS authentication, you may have some fun getting that to work (hint, allow delegation on the IIS server). DOS clients may have some trouble mounting network volumes too (hint, think workstation OS imaging).
However, 2003 definitely cuts the mys
Go to 2K3 (Score:2)