Ever since Windows 2000 was released, along with the much publicised introduction of Active Directory, I have read various articles about the complexities and problems of rolling it out.
I have also had numerous companies offering to come in and manage this “difficult” process for me, so I had put off the switch, much to the annoyance of my support team, who were eager to get their hands on it. Indeed, why should I move from a stable NT4 environment (yes, they do exist) to this complex new system with all the problems it might bring? My hand was forced last year when the provider of our core business application announced they would withdraw support for their products running on NT as soon as Microsoft stopped supporting it. So, it really was time to look at an Active Directory upgrade.
Soon after this announcement, we started to go over some of the issues the upgrade might cause. I was still concerned about some of them, but a strategy did start to emerge and we began work on rationalising some of our servers and converting them to Windows 2000. What was impressive was how easy it seemed to install and we soon had several of our key machines up and running on the new platform.
In parallel to this we set about building a small network on which to test the upgrade and make sure our broadcast software would continue to run. In an environment where people are producing live television and radio programmes 24 hours a day, no-one can afford to have a server going offline.
To make sure the tests were a fair representation, we used a machine that had been configured as a backup domain controller on our main network as the PDC on the test network. The first test upgrade went well. In fact it went so well that we tried it a couple more times just to be sure it wasn’t a fluke. We also deliberately aborted an upgrade midway through to see if we could revert to a non-Active Directory configuration. Again this seemed to go well, so we ran some additional tests to ensure our broadcast-specific applications were happy to exist in the Active Directory environment running on NT, Win2K and XP client machines. This turned up a couple of small issues, but we soon found fixes for them – and where we couldn’t, we discovered ways to work around them.
As soon as we were happy with the basic operations of Active Directory, we planned a new security hierarchy at both the user and group level and looked at the range of policies offered. This was a good chance to clear out a lot of baggage that had built up over the years (such as out-of-date user policies and file shares that were no longer used) and introduce some new practices. The policies were an area of particular interest, as we had spent a lot of time customising the NT offerings in order to get a configuration that gave the sort of control we were looking for.
The new policy configurations offered at both the user and machine level covered the areas that were weak under NT, so we set about doing an implementation that would roughly mirror our current setup. With this complete, we felt comfortable with the upgrade procedure and the workings of Active Directory, so we just had to make sure that everything was in place on our live network to see the upgrade through.
We built a new NT server as a BDC on our existing domain that would be upgraded as the first Active Directory machine. This was complemented by a pair of Win2K member servers that would be promoted to run AD services once the initial upgrade was complete.
We were as ready as we would ever be, but just as dates were being set, the threat of war in the Gulf started to look like a strong possibility, so everything was put on hold while we set about nursing our systems through the intense activity associated with any major news event.
Once things had settled down again, we set a date in early May to carry out the upgrade. We chose to work overnight on a Friday so we had the rest of the weekend to sort out any unforeseen problems. The team who were carrying out the upgrade watched as the conversion of the BDC from NT to Win2K took place and, as predicted, it went smoothly. Active Directory was now on and our end users didn’t even notice. The other key servers were brought online and monitored over the weekend to ensure everything was OK.
We did discover that one server was not running the directory services properly and, with no obvious way to cure it, we logged a call with Microsoft. They were very helpful and talked us through checking and rebuilding the Active Directory databases on the machine. The server that caused problems had been promoted from a member server to a domain controller. It’s in Washington and we suspected that the WAN link itself was a contributing factor. Once we identified the problem, we removed the machine from the domain, then re-introduced it again. This was all done within a day, a pretty good result taking into account the different timezones.
We now have a working Active Directory setup and from being a sceptic, I am excited about exploiting the functionality this new environment can offer. We are already planning to roll out Exchange 2000 (or possibly even 2003) to get tighter integration and will be investigating other opportunities over the coming months.