Reasons to Upgrade

Although there are many circumstances preventing individuals from upgrading to Windows 2000 and Active Directory immediately, several factors will drive individuals and companies to an early adoption of Windows 2000.

A single schema for the entire enterprise is one reason for moving to Windows 2000 and Active Directory. After you upgrade and you have all your down-level servers and clients upgraded into a Windows 2000 schema, you are able to publish printers, resources, and file shares. This is different from publishing in current Windows NT 4.0 environments, because Active Directory provides the users with a direct way to find resources. As an example, if you try to find a local printer in Windows NT 4.0, you need to know the domain and the server to find the printer to use. With a well-designed Active Directory, you are able to identify printers based on location or attributes.

Active Directory provides a single directory for many of the computing resources. As an example, the next release of Microsoft Exchange does not have a separate directory, but uses Active Directory for its directory.

With Windows 2000 clients available, you have the ability to browse for resources based on key attributes and/or key words.

Delegation of administration is another important reason to upgrade to Active Directory. This does not mean just delegation of administrators; it can also mean consolidation and segmentation in a centralized environment. With Active Directory, you have the ability to delegate responsibility in granular detail using group policies, MMC, and scripting. You might want to pull some administrative responsibilities into your Information Technology (IT) staff.

The Domain Controller (DC) locator service provides more efficient authentication. It is possible in a Windows NT 4.0 environment for users to authenticate to a Backup Domain Controller (BDC) across slow links simply because the BDC is returned by the Windows Internet Naming Service (WINS) server. With the DC locator service, a user is pointed to the closest DC based on response distance and network connectivity. The DC locator service returns the DC that is closest by Domain Name System (DNS) when querying for a DC. This capability provides the end user with the fastest response time possible, which has an impact on the user's experience with the environment.

Elimination of Windows NT 4.0's 40MB domain size limit provides organizations with the ability to have as many machine and user accounts as they need. Active Directory provides support for millions of objects.

Kerberos security provides for transitive trusts. With Kerberos security, your environment is more secure and standards-based. You are able to provide access and to integrate with third-party organizations. Extranet and vendor integration is possible with Kerberos security.

Kerberos is able to provide two-way authentication. This provides greater security than Windows NT 4.0. With Windows NT 4.0, the user is authenticated to access server-based resources. This is still true in Windows 2000. In addition, with Active Directory and Windows 2000, the user is assured that the server being connected to is the intended server. This is accomplished by the server sending authentication back to the user, which lets the user know that the network server or resource being accessed really is the resource it is expected to be.
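The two-way check described above can be sketched as follows. This is an added example, not code from the book or from Windows: it models only the ticket, the client's authenticator and the server's reply, and uses a toy SHA-256/HMAC construction in place of real Kerberos encryption types. All function names and keys are hypothetical, and the freshness and replay checks a real service performs are left out.

```python
import hashlib, hmac, os, time

def _stream(key, nonce, n):
    # SHA-256 in counter mode as a keystream (toy construction, not for production)
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    # Toy encrypt-then-MAC standing in for a Kerberos encryption type
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # Returns the plaintext, or None if the blob was not sealed under this key
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def kdc_issue_ticket(service_key):
    # KDC: fresh session key, plus a ticket only the real service can open
    session_key = os.urandom(32)
    return session_key, seal(service_key, session_key)

def client_request(session_key):
    # Client: authenticator is a timestamp sealed under the session key
    ts = str(time.time()).encode()
    return ts, seal(session_key, b"AP-REQ|" + ts)

def service_reply(own_key, ticket, authenticator):
    # Service: recover the session key from the ticket, confirm the
    # authenticator opens under it, then answer with the same timestamp
    session_key = unseal(own_key, ticket)
    msg = unseal(session_key, authenticator) if session_key else None
    if not msg or not msg.startswith(b"AP-REQ|"):
        return None
    return seal(session_key, b"AP-REP|" + msg[7:])

def client_accepts(session_key, ts, reply):
    # Client: the reply must open under the session key and carry our timestamp
    return reply is not None and unseal(session_key, reply) == b"AP-REP|" + ts

def demo():
    real_key, impostor_key = os.urandom(32), os.urandom(32)  # constructed keys
    session_key, ticket = kdc_issue_ticket(real_key)
    ts, auth = client_request(session_key)
    genuine = client_accepts(session_key, ts, service_reply(real_key, ticket, auth))
    impostor = client_accepts(session_key, ts, service_reply(impostor_key, ticket, auth))
    reflected = client_accepts(session_key, ts, auth)  # authenticator echoed back
    return genuine, impostor, reflected
```

Only the holder of the service's long-term key can open the ticket and recover the session key, so a server that lacks that key cannot produce a reply the client accepts; the direction labels keep an echoed authenticator from passing as a reply.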

Searching for resources across the enterprise is improved with the capability to search for resources based on specific attributes in Active Directory.

A fault-tolerant multi-master DC model is part of Active Directory and Windows 2000. If one controller goes out, you still have a read/write copy of a DC available in the enterprise. Because each of the DCs can serve as a master, changes can be accepted and distributed throughout the enterprise. With a single Windows NT 4.0 Primary Domain Controller (PDC), a BDC must be promoted for changes to be accepted and distributed throughout the enterprise. This takes manual intervention.

Fewer, if any, explicit trusts are a feature of Active Directory and Windows 2000. In a Windows NT 4.0 environment, you currently have user and resource domains to create and maintain. With the design of Windows 2000 and Active Directory, you don't need explicit trust relationships to have similar functionality in your environment. This decreases your maintenance costs.

Windows NT 4.0 has a flat model for groups. With Active Directory, hierarchical groups can be implemented. This provides for a more logical representation of the environment, possibly mapping real-world structures in the hierarchical group structures available in Active Directory.

Active Directory has snap-ins available for the MMC. This provides for the capability to create customized tool views and to integrate various snap-ins for a view of the environment that matches the way you want to manage your environment. Also available is ADSI for managing the directory through programs and scripts.

With the use of Lightweight Directory Access Protocol (LDAP) and DNS for name resolution in a Windows 2000 environment, your reliance on less reliable and less efficient protocols like WINS can be minimized and eventually eliminated.
