Spent last weekend bringing up Windows 2003 server standard and attaching 10 user workstations and their accounts. Before I forget the pain, I want to get down some random observations. This was an upgrade to the server hardware, and from the Windows NT operating system to Windows 2003 Server Standard.
1. Biggest change is adding Active Directory. AD is an order-of-magnitude increase in complexity from the old NT domain system. It is based in part on LDAP, the Lightweight Directory Access Protocol, which is derived from DNS, the domain naming system used for the internet. The upshot is that if you want to manage network user security, you have to have an (NT type) domain on the network, and to do that you have to install Active Directory, and to do that you have to install DNS on the server. I’ve installed AD on several servers in the past but it remains a black box to a certain extent. Also, in terms of scale, AD may be great for multi-site companies, but for a single office it is way overkill. Once added, there are no native client applications which access all that AD information anyway. What’s all the fuss?
2. The fact that you have to install DNS is a pain. Everyone has an Internet Service Provider, and everyone normally uses their DNS. So why the heck would you need to install it on your small-office local area network? The good news is, when you do have it, and when it is working properly, your workstations will use the locally stored DNS for DNS look-ups, and that means you’ll get snappier performance when surfing the web and doing other internet-based things that use DNS.
3. Once the server and DNS are up and running, it makes sense to change the DNS mappings of the local workstations to include the local DNS as the first DNS server for look-ups. For Windows XP workstations you have to do this anyway; otherwise the workstation will take forever to find the server.
4. Attaching Windows XP machines and creating machine accounts works fairly smoothly by using the Files and Settings Transfer Wizard at each workstation. Since changing the domain name requires new profiles and security settings at the workstations, the users’ desktops have to be rebuilt, unless…
5. …you don’t create machine accounts, and have the user log into the local account on their local workstation. You can still access resources on the domain, even though you are accessing them from a machine that doesn’t have a server machine account. This is the approach that you have to take anyway with any O/S other than WinXP Professional or Win 2000 Professional.
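As an added example (not part of the original post), here is a PowerShell check for points 2 through 4 run on a workstation: is the local domain controller the first DNS server on each adapter, and does it answer the DC locator SRV records that Active Directory registers in DNS? The domain name and DC address are placeholders, and the cmdlets assume PowerShell on Windows 8 / Server 2012 or later (older XP-era clients would use nslookup and netsh instead).

```powershell
# Added check script, not from the original post. Assumes the DnsClient module
# (Windows 8 / Server 2012 or later). $Domain and $ExpectedDns are placeholders
# for your own AD DNS domain and the local domain controller's IP address.
param(
    [string]$Domain      = 'corp.example',   # placeholder AD DNS domain name
    [string]$ExpectedDns = '192.0.2.10'      # placeholder: the local DC's IP
)

# 1. Is the local DC queried first on every IPv4 adapter that has DNS configured?
#    A workstation that asks the ISP's resolver first cannot find the DC and logs on slowly.
$problems = @()
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    if ($cfg.ServerAddresses.Count -eq 0) { continue }   # adapter without DNS (e.g. loopback)
    if ($cfg.ServerAddresses[0] -ne $ExpectedDns) {
        $problems += "$($cfg.InterfaceAlias): first DNS server is $($cfg.ServerAddresses[0]), expected $ExpectedDns"
    }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output "DNS client order OK: $ExpectedDns is queried first on all configured adapters" }

# 2. Does that server answer the SRV records domain members use to locate a DC?
#    These records exist only when DNS on the server is working and AD has registered them.
$srvNames = @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain")
foreach ($name in $srvNames) {
    try {
        $rr = Resolve-DnsName -Name $name -Type SRV -Server $ExpectedDns -DnsOnly -ErrorAction Stop |
              Where-Object { $_.Type -eq 'SRV' }
        if (-not $rr) { throw "no SRV records in the answer" }
        foreach ($r in $rr) {
            Write-Output "$name -> $($r.NameTarget):$($r.Port) (priority $($r.Priority))"
        }
    } catch {
        Write-Warning "$name could not be resolved via ${ExpectedDns}: $_"
    }
}
```

If the SRV lookups fail but the order check passes, the problem is on the server side (DNS zone or AD registration), not on the workstation.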
All the above reminds me of the phrase, “the beatings will stop when morale improves”. I suppose all this is “good for me” in the long run.
A couple of pleasant surprises:
Group Objects. There are dozens of ways to secure and customize desktops. Don’t like “balloon help” that comes up saying you’ve got obsolete desktop icons? You can suppress this and other annoyances. You can turn off user access to the control panel. All these can be adjusted based on group membership.
SharePoint Services. This is, among other things, a web-based content and document management system. Great for collaborative projects. It reminds me of the old E-Groups system.
Service Pack 1 was recently released which includes several new security improvements.