Pros and Cons of Upgrading Active Directory to Windows Server 2003

1
Pros and Cons of Upgrading Active Directory to
Windows Server 2003
  • Robbie Allen
  • Cisco Systems
  • www.rallenhome.com

2
Agenda
  • A Word about Windows NT
  • Overview of Windows 2000 AD
  • What's missing?
  • Overview of Windows Server 2003 AD
  • What's new?
  • To Upgrade or To Not
  • Upgrade Process
  • Q/A

3
A Word about Windows NT
  • Jan 1st 2005 end of life for NT (maybe)
  • http://www.microsoft.com/lifecycle/
  • If you haven't yet, it is time to start looking at AD
  • What are you missing out on?
  • Latest technology (LDAP, Kerberos, Group Policy, etc.)
  • Scalability, supportability, manageability, scriptability
  • Third-party product innovation
  • All the good books :-)

4
Overview of Windows 2000 AD
  • Very solid!
  • LDAP for the information and naming model
  • Kerberos for authentication
  • DNS for name resolution
  • Multi-master replication
  • Group Policy
  • Flexible and customizable schema

5
What's Missing?
  • Reversible schema extensions
  • Ability to rename DCs (KB 296592)
  • Ability to rename domains (KB 292541)
  • Support for really large groups (> 5,000 members)
  • Native support for iNetOrgPerson
  • Add-on available: http://tinyurl.com/2o9na
  • GC independence (KB 216970)
  • Ability to limit the number of objects created
  • Highly scalable KCC/ISTG (KB 244368)

6
What's Missing? (cont'd)
  • Ability to limit DNS replication
  • Transitive forest trusts
  • Object expiration
  • Ability to find the last logon time for users easily
  • Robust GPO management tools / interfaces
  • Dynamic auxiliary classes
  • Ability to bring deleted objects back from the dead

7
Overview of Windows Server 2003 AD
  • AD 1.5
  • Rounds off the rough edges
  • Easy upgrade process
  • MS focused on three areas
  • Manageability
  • Scalability
  • Security

8
Manageability Enhancements
  • Command-line tools
  • dsadd, dsmod, dsrm, dsquery, dsget, dsmove
  • repadmin and netdom improvements
  • ADUC Enhancements
  • Better search capability (saved searches)
  • Multi-object edit
  • Additional Account Info property page (requires separate download: http://tinyurl.com/a5zj)
  • GPMC
  • Snap-in
  • Command-line tools
  • Scripting interface

9
Scalability Enhancements
  • Install from media
  • Distributed Link Tracking (DLT) service disabled by default
  • Single-instance Store of Security Descriptors
  • ISTG/KCC was reworked
  • LDAP query performance improvements

10
Security Enhancements
  • LDAP and SMB Signing
  • Default ACLs tightened
  • Effective Permissions
  • Everyone = Authenticated Users + Guest
  • N-2 Password History Check
  • Quotas
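An added example, not part of the slides, that reads the two settings behind the "LDAP and SMB Signing" bullet on a domain controller. The registry value names are the standard ones that the corresponding security policies write; the meaning of each value is spelled out in the comments.

```powershell
# Added example (not from the presentation): report whether this DC requires
# LDAP signing and SMB signing, by reading the registry values that the
# "Domain controller: LDAP server signing requirements" and
# "Microsoft network server: Digitally sign communications (always)" policies set.
function Get-SigningPosture {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # LDAPServerIntegrity: 1 = signing not required (default), 2 = signing required.
    $ldap = (Get-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity' `
                 -ErrorAction SilentlyContinue).LDAPServerIntegrity

    # RequireSecuritySignature: 1 = server refuses unsigned SMB sessions,
    # 0 = signing is only negotiated (EnableSecuritySignature) and may be skipped.
    $smb  = (Get-ItemProperty -Path $srv -Name 'RequireSecuritySignature' `
                 -ErrorAction SilentlyContinue).RequireSecuritySignature

    # A missing value means the policy has never been applied; treat it as "not required".
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        LdapSigningRequired = ($ldap -eq 2)
        SmbSigningRequired  = ($smb -eq 1)
        LdapServerIntegrity = $ldap
        RequireSecuritySignature = $smb
    }
}

Get-SigningPosture | Format-List
```

Run it on each DC (or wrap it in Invoke-Command) and compare the result with what the Default Domain Controllers Policy is supposed to enforce.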

11
W2K Limitations Addressed in W2K3
  • Reversible schema extensions
  • Half-way there with schema redefine
  • Deactivate -> Modify -> Reactivate
  • Ability to rename DCs
  • Rename using the new netdom
  • KB 325354
  • Ability to rename domains
  • Yeah, but it isn't easy
  • For more info: http://tinyurl.com/ancv
  • Support for really large groups (> 5,000 members)
  • Thanks to linked value replication

12
W2K Limitations Addressed (cont'd)
  • Native support for iNetOrgPerson
  • Now you can use either the iNetOrgPerson or the user objectClass
  • GC independence
  • Universal Group Caching
  • Quick GC Removal
  • No GC-sync after PAS addition
  • Ability to limit the number of objects created
  • Object quotas (if you can figure out how to manage them)
  • DS command-line utilities
  • Highly scalable KCC/ISTG
  • New algorithms brought to you by Microsoft Research

13
W2K Limitations Addressed (cont'd)
  • Ability to limit DNS replication
  • Application Partitions
  • Transitive forest trusts
  • New trust type
  • Object expiration
  • Dynamic objects
  • Ability to find the last logon time for users easily
  • New attribute: lastLogonTimeStamp
  • Robust GPO management tools / interfaces
  • GPMC, need I say more?
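An added example, not from the slides, of putting the new lastLogonTimeStamp attribute to work: a stale-account report that uses the ADSI searcher built into PowerShell, so it needs no extra module. The 90-day threshold and the attribute names are the only assumptions.

```powershell
# Added example (not from the presentation): list enabled user accounts whose
# lastLogonTimeStamp is older than $Days, or that have never logged on at all.
# Caveat: lastLogonTimeStamp is replicated only when the stored value is more than
# roughly 9-14 days old (msDS-LogonTimeSyncInterval), so it is accurate to about
# two weeks, never to the minute. Use it for staleness, not for "who logged on today".
function Get-StaleAccounts {
    param([int]$Days = 90)

    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days)

    # Enabled users only: the bitwise filter excludes userAccountControl bit 2 (ACCOUNTDISABLE).
    $searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'lastLogonTimeStamp', 'whenCreated'))

    foreach ($result in $searcher.FindAll()) {
        $p  = $result.Properties          # keys come back lower-cased
        $ts = $p['lastlogontimestamp']

        if ($ts.Count -eq 0) {
            $last = $null                 # attribute absent: no logon recorded since it was introduced
        } else {
            # Stored as a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC
            $last = [DateTime]::FromFileTimeUtc([int64]$ts[0])
        }

        if ($null -eq $last -or $last -lt $cutoff) {
            [pscustomobject]@{
                Account   = [string]$p['samaccountname'][0]
                LastLogon = $last                 # $null = never logged on
                Created   = $p['whencreated'][0]
            }
        }
    }
}

Get-StaleAccounts -Days 90 | Sort-Object LastLogon | Format-Table -AutoSize
```

Accounts created within the last two weeks will show a null LastLogon even if they are in daily use, so compare against Created before acting on the list.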

14
W2K Limitations Addressed (cont'd)
  • Dynamic auxiliary classes
  • Just append them to the objectClass attribute
  • Ability to bring deleted objects back from the dead
  • Check out adrestore.exe from Sysinternals

15
To Upgrade or To Not
  • Reasons to upgrade
  • Running Windows NT domains or wanting to upgrade from Exchange 5.5
  • Need one or more new features in W2K3
  • Does the KCC/ISTG give you trouble?
  • Is the 5000 member limit for groups painful for you?
  • Do you employ multiple forests and could benefit from the new forest trust?
  • Do you want to rename a domain/DC?
  • Do you want GC-independent sites?
  • Would application partitions help with your replication problems?
  • Is the W2K DC promotion process problematic for you?

16
To Upgrade or To Not (cont'd)
  • Reasons not to upgrade
  • Don't have the time/money/resources
  • If it ain't broke...
  • Can you make a business case?
  • Would having certain features save support costs, increase productivity, or make your environment more secure?
  • Upgrade Options
  • Wait
  • Come back and see us next year
  • Gradually or Selectively
  • W2K3 upgrade process allows you to go as fast or as slow as you want
  • All at once
  • Like pulling a band-aid

17
Upgrading to Windows Server 2003
  • Run ADPREP
  • Once in the forest: adprep /forestprep
  • Once in each domain: adprep /domainprep
  • Upgrade the DCs to Windows Server 2003
  • When all DCs in a domain are upgraded, raise the domain functional level
  • When all domains in a forest are upgraded, raise the forest functional level

18
Functional Levels
  • Similar to domain modes in W2K
  • Used to introduce new features
  • Configured with AD Domains and Trusts snap-in
  • More on functional levels: KB 322692
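An added example, not from the slides, that checks where an upgrade stands against the steps on the previous two slides: whether adprep /forestprep has bumped the schema version, what the current functional levels are, and whether every DC in the domain is already at Windows Server 2003 (the precondition for raising the domain level). It reads RootDSE and the schema head over ADSI; the version and level numbers in the comments are the published Microsoft values and are the assumptions here.

```powershell
# Added example (not from the presentation): upgrade readiness from RootDSE and the
# schema container, using only the ADSI types built into PowerShell.
function Get-UpgradeReadiness {
    $root   = [ADSI]'LDAP://RootDSE'
    $schema = [ADSI]"LDAP://$($root.schemaNamingContext)"

    # objectVersion on the schema head is what adprep /forestprep raises:
    # 13 = Windows 2000, 30 = Windows Server 2003, 31 = 2003 R2, later releases higher.
    $schemaVersion = [int]$schema.objectVersion.Value

    # RootDSE functionality values: 0 = Windows 2000 (mixed or native),
    # 1 = Windows Server 2003 interim, 2 = Windows Server 2003, higher = newer OS.
    $domainLevel = [int]$root.domainFunctionality.Value
    $forestLevel = [int]$root.forestFunctionality.Value

    # Ask each DC for its own RootDSE: the domain level can only be raised once every
    # DC reports domainControllerFunctionality >= 2, which is the slide's
    # "when all DCs in a domain are upgraded" step.
    $domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $dcLevels = foreach ($dc in $domain.DomainControllers) {
        $dcRoot = [ADSI]"LDAP://$($dc.Name)/RootDSE"
        [pscustomobject]@{
            DC    = $dc.Name
            Level = [int]$dcRoot.domainControllerFunctionality.Value
        }
    }

    [pscustomobject]@{
        Domain                = $domain.Name
        SchemaVersion         = $schemaVersion
        ForestPrepApplied     = ($schemaVersion -ge 30)
        DomainFunctionalLevel = $domainLevel
        ForestFunctionalLevel = $forestLevel
        DCLevels              = $dcLevels
        AllDCsAt2003OrLater   = -not ($dcLevels | Where-Object { $_.Level -lt 2 })
        CanRaiseDomainLevel   = ($domainLevel -lt 2) -and -not ($dcLevels | Where-Object { $_.Level -lt 2 })
    }
}

Get-UpgradeReadiness | Format-List
```

Run it once per domain; the forest level can be raised only after every domain reports DomainFunctionalLevel 2 or higher.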

19
Best Practices
  • W2K DCs on SP4
  • Run winnt32 /checkupgradeonly (from a W2K3 CD) on a DC to check compatibility
  • Test applications thoroughly
  • New security settings can break things in unexpected ways
  • For more upgrade info: KB 325379
  • For more best practices: KB 555040

20
Q/A
  • Thank you for your time!

21
At a Bookstore Near You
  • My Books
  • Active Directory Cookbook (Oct 2003)
  • Active Directory, 2nd edition (Apr 2003)
  • DNS on Windows Server 2003 (Dec 2003)
  • Windows Server Cookbook (Summer 2004)
  • Windows XP Cookbook (Fall 2004)
  • Other O'Reilly Books Coming Out Soon
  • Windows Server 2003 Hacks (Apr 2004)
  • Exchange Server Cookbook (Summer 2004)
  • Securing Windows Server 2003 (Summer 2004)
  • Managing Windows Server 2003 (Summer 2004)