
Implementing Active Directory

Status
Not open for further replies.

godonga

Technical User
Mar 19, 2006
25
ZA
Hi

I am new to the forum and need help. My office has about 4 branches and 1 main office with a total number of 500 PCs (desktops). We are still running on an NT domain and we now have to migrate to Active Directory 2003. All I need to know are the things to look out for as we implement this. If there are any people with experience in the implementation of such projects, your ideas are useful. The branches are connected to Head Office through 64K lines. I do have the Microsoft software licenses. Thank you for your ideas.


 
Before picking up any tools or CDs, read the Microsoft papers and test, test, test in an environment totally separate from your production network.

Also, sit down and read the AD design information available from Microsoft; elements of your design now will be unchangeable and will affect your environment for years to come.
 
Agreed. I suggest you get the MCSE book for Server 2003 and read it from cover to cover. Server 2003 is as much like NT Server as Windows XP is similar to Windows for Workgroups. Once you have done that, you will be able to ask the forum questions that are more specific to what you want your domain to become.

Start, Help. You'll be surprised what's there. A+/MCP/MCSE/MCDBA
 
There is also a ton of handy real-world info here; these pages tend to include extra tips for common misconfigs and so on, as well as just telling you how to set up Active Directory.

Windows Server 2003 - Installation and Migration (Upgrade from NT 4.0 )


Windows Server 2003 Active Directory


Windows Server 2003 Networking

 
Having done this before, I would seriously consider starting from scratch. To script creation of 500 user accounts won't be a major and you can tidy up a lot of things along the way. You could create the new domain, set up your infrastructure and just change the domain memberships of the workstations as you work your way around.

The reason I suggest a new domain is that a couple of the domains I have struck that have been upgraded from NT4 have had strange problems (permissions not applied correctly on objects etc) that have been quite tricky to solve - especially around implementing Exchange 2003.
 
Thanks guys for your input. I thought it would be more useful if I gave you a bit more information and asked some questions currently going through my mind. Here we go:

My environment has 4 branches connecting through 64 Kbit lines to the main office, where I am currently running Exchange 5.5 on Windows 2000. I have a few servers on Windows 2003, and most of the desktops are Windows 2000 and XP Professional, all licensed through OEM. Two of the branches have a total of 10 users between them and the other two have about 30 users each.

1) Do I need licenses for desktops in order for them to participate in the AD network, besides the OEM licensing currently running?

2) Is a 64 Kbps line adequate for me to have AD only at the main office and not in the branches (central deployment of AD)?

3) I intend to host Exchange 2003, DNS, DHCP and AD on one super server. Is that advisable?

4) With the current Windows 2003 Standard Edition Server, Windows 2000 Server and Windows 2000 Advanced Server servers in my server farm, is there any additional licensing required for them to participate in AD?

5) What is the optimal number of servers running Active Directory that will be required for my small environment?

6) Is my assumption that there is no "PDC" in an Active Directory environment, as was the case with NT 4.0, correct?

More questions will be coming as I progress with this task. Your help is sincerely appreciated.

Godonga

 
1) Do I need licenses for desktops in order for them to participate in the AD network, besides the OEM licensing currently running?

Desktops are already licenced correctly as long as you have the correct licencing on your server. The licencing for the server is no more than needed to have them running in your current environment, so as long as you are up to date all is OK.

2) Is a 64 Kbps line adequate for me to have AD only at the main office and not in the branches (central deployment of AD)?

If you are running on 64k lines, I would suggest you have at least 1 domain controller at each site, and you will need to configure AD Sites and Services to ensure the replication traffic is kept to a minimum.

3) I intend to host Exchange 2003, DNS, DHCP and AD on one super server. Is that advisable?

With the amount of users you are proposing to support, I suggest you split the roles across multiple servers. The branches could have one server with all roles on, but the main site should have at least 2 servers.

4) With the current Windows 2003 Standard Edition Server, Windows 2000 Server and Windows 2000 Advanced Server servers in my server farm, is there any additional licensing required for them to participate in AD?

See Q1

5) What is the optimal number of servers running Active Directory that will be required for my small environment?

See Q3

6) Is my assumption that there is no "PDC" in an Active Directory environment, as was the case with NT 4.0, correct?

There is no technical PDC on an Active Directory network; however, there are FSMO roles, one of which is the PDC emulator.

IMHO you need to either study up on Active Directory and Win2000/3 etc. or possibly get an AD consultant in to help with planning and implementing your migration. At least set up a test environment and make/break it a few times so you get the idea. If you do AD wrong you can find a problem in 2 years that you didn't foresee and have to re-do the whole thing.

Skr
 
I'm afraid that I would be inclined to agree with SkreeM's final comment; I would also strongly advise that you use a consultant to do this work for you. It is very easy to set up an AD network, but the future issues if you get something wrong can end up costing you much more in lost productivity and troubleshooting later on.

Regarding your questions:

1 I think you will require CALs to take part in the AD for each of your workstations

2 You will want at least one extra DC (for redundancy); I would be inclined to put a DC in your main site and in the other two large sites. You need to think about what you are going to do about File and Print; with links that slow you will need to run local File and Print servers in each branch or look at Terminal Services or Citrix

3 Don't use one "super server"; you need to split these roles, one reason being that it puts all your eggs in one basket and the other being that it's not good practice to have a server with multiple roles such as Exchange and AD

4 I'm not sure if they need CALs; I don't believe so, but I would check that with a licensing expert

5 One server would support your environment; however, I would say you need a minimum of two to provide failover

6 As per SkreeM's answer

Good luck
 
Thanks guys for your support.

I hear what you guys are saying about engaging an AD consultant. The thing is, even before you do that you want to understand what you are getting into, and besides that there is the cost containment issue, whereby you are given a shoestring budget and yet you are still expected to deliver.

The idea of speaking to a licensing expert is really good because at the end of the day I need to provide for licensing adequately. Any leads that I could use?
 
I know it's hard, especially in small businesses, to justify the expense of consultants and the like. Good luck with the project though. Again, post any questions you have and we will try and help you out.

 