The pitfalls of moving to an Active Directory environment

Most IT consultants have no problem recommending Active Directory for their Microsoft clients. However, there are certain factors that could make Active Directory a difficult pill to swallow for your client.

I like Active Directory and use it within my own organization. I recently wrote an article on all the advantages of implementing an Active Directory environment for your client's organization. In the interest of fairness, I'll cover the disadvantages of moving to an Active Directory environment.

By far, the biggest reason for not recommending a switch to Active Directory is cost. If your client were to switch to an Active Directory environment, they'd have to incur the cost of the necessary Windows 2000 software licenses. There are many other costs too. They may have to upgrade the hardware on their servers if it isn’t already adequate for running Windows 2000. There’s also the cost of paying the IT staff to work overtime to perform the upgrade. They may also have to pay a hefty sum for training their IT staff to work with Active Directory.

You must also take into account whether your client has a compelling reason to upgrade to Windows 2000 or Windows Server 2003. After all, if they're running Windows NT 4.0 and it's getting the job done, why would they want to jeopardize a functional network and spend thousands of dollars just to switch to the latest Microsoft network operating system?

Before suggesting a jump into an Active Directory migration, also consider how Windows 2000 will work with your client's existing hardware and software. When Windows 2000 was initially released, it had lots of compatibility problems with older hardware and software. For example, when I upgraded my own network to Windows 2000, I discovered that my VoIP phone system would no longer work. Eventually, I had to get rid of the phone system because the company that made it refused to release a Windows 2000 patch, and I didn’t want to waste my investment in Windows 2000 by downgrading. I also had problems with one of my scanners and the memory stick reader for my digital camera after upgrading to Windows 2000.

On a more serious note, the Cisco VPN 3000 concentrator did not work with Windows 2000 because the Cisco clients didn’t support dynamic DNS, which Windows 2000 depends on. Many organizations ran into huge problems after upgrading to Windows 2000 because of this compatibility problem. Granted, Windows 2000 has been out for a few years and most of the compatibility issues have been resolved either by Microsoft or by the various hardware and software manufacturers.

If your clients are still running Windows NT Server, however, there’s a good chance they're running other older hardware and software as well. I recommend taking a good look at the potential compatibility issues between their existing hardware and software and Windows 2000 before you even think about recommending an upgrade.

Another reason for not recommending an upgrade to Active Directory involves the complexities associated with such an implementation. The Active Directory structure works nothing like the Windows NT domain structure. You and your clients will have to do a lot of planning for the upgrade.

For example, Windows 2000 relies solely on DNS for name resolution, while Windows NT relied primarily on WINS. Because of this reliance on DNS, you'll have to set up a DNS server within your client's organization. Unless one of their existing servers has enough free resources to also act as a DNS server, your client will need to buy an additional server and an additional copy of Windows 2000 Server just to run DNS.

Windows client issues
The client machines must be reconfigured as well. In a Windows NT Server environment, the clients are usually configured with the IP addresses of both a WINS server and a DNS server. In such an environment, the WINS server is typically used for name resolution on the local network, and the DNS server, usually the one supplied by the company’s ISP, is used for Internet name resolution.

When your client makes the upgrade to Windows 2000, you’ll have to remove the references to the WINS servers from the clients and configure the machines to point to a local DNS server rather than to an Internet-based DNS server. This means the Windows client machines won’t be able to surf the Internet unless you also configure the local DNS server to forward unresolved requests to the ISP’s DNS server.
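As an added example (not from the article), here is a small Python check that parses a constructed `ipconfig /all` adapter section and flags clients that still carry a WINS reference or list a DNS server that is not one of the local Active Directory DNS servers. The sample addresses and the set of internal DNS servers are assumptions.

```python
import re

# Constructed sample: one adapter section from "ipconfig /all" on a client that
# was never re-pointed after the upgrade (hypothetical addresses).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example
        IP Address. . . . . . . . . . . . : 192.168.1.25
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 198.51.100.53
                                            192.168.1.10
        Primary WINS Server . . . . . . . : 192.168.1.5
"""

# "Label . . . : value" lines, and deeply indented continuation values.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)[ .]*: ?(.*)$")
CONT = re.compile(r"^\s{30,}(\S+)\s*$")

def parse_ipconfig(text):
    """Return {label: [values]}; continuation lines extend the previous label."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1).strip()
            fields.setdefault(last, [])
            if m.group(2).strip():
                fields[last].append(m.group(2).strip())
            continue
        c = CONT.match(line)
        if c and last:
            fields[last].append(c.group(1))
    return fields

def audit_client(text, internal_dns):
    """List migration findings; internal_dns is the set of local AD DNS IPs."""
    f = parse_ipconfig(text)
    findings = []
    for label, values in f.items():
        if "WINS" in label and values:
            findings.append(f"{label} still set ({', '.join(values)}); remove it")
    dns = f.get("DNS Servers", [])
    if not dns:
        findings.append("no DNS servers configured; cannot locate domain controllers")
    for i, addr in enumerate(dns):
        if addr not in internal_dns:
            first = " and is queried first" if i == 0 else ""
            findings.append(f"DNS server #{i + 1} {addr} is not a local AD DNS{first}")
    return findings
```

A client whose first DNS entry is the ISP's server will still surf the Internet but will fail to find domain controller records in the local zone, which is why the ordering is reported.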

Will the client machine benefit?
Active Directory has some great features that are targeted toward clients, such as the ability to enforce security through group policies and to automatically distribute software to the clients. The problem is that not all clients can take advantage of such features.

All Windows clients are capable of logging into a Windows 2000 domain and accessing shared resources such as files and printers. But only clients that are Active Directory-aware can take advantage of things like group policies and automatic software distribution. This means that unless the client machines are running Windows 2000 or Windows XP, they won’t be able to use Active Directory to its full potential. There is an Active Directory extension available for Windows NT 4.0 and Windows 98. However, these extensions are very limited in scope and won’t allow the machine to take advantage of most Active Directory features.

Can't see the forest for all the trees
One final reason for holding off on recommending an upgrade to Active Directory is the time it takes to plan your client's server architecture. As I said, the Active Directory model is nothing like the Windows NT domain model. In Windows NT, servers were organized into domains. Each domain was an independent entity, but domains could be configured to trust each other and share resources.

In Windows 2000, the domain model still exists, but the domains are organized into tree structures. This means that there can be parent and child domains. The domain trees are collectively part of a forest in which each domain trusts every other domain. Because of the way domains work in Windows 2000 and the addition of two new structural components (organizational units and sites), there are now lots of different ways to build a network. You can organize a network geographically, by department, by both geography and job function, or any of a zillion other ways. While the ability to organize your client's network in so many ways gives you great flexibility, some organizational methods are much more efficient than others. And what works well in one organization won’t necessarily work very well in another. So it isn’t a good idea to implement Active Directory on a whim. Take the time to really understand your client's needs before you begin making changes.
