Why Windows 2000 Will Unify Your World

Part 3 in ENT's feature series Rebuilding Your Infrastructure: Active Directory's Role in Enhancing Network Management.

How many Windows NT 4.0 domains are in your organization? If you work in a reasonably large company, it's likely that nobody really knows. With NT 4, anybody can install a domain controller or two, hook up some clients and member servers, and have his own domain.

With Windows 2000, this kind of unfettered expansion of independent domains is less likely to occur. In fact, deploying Windows 2000 will let you connect existing domains together, and quite possibly coalesce them into fewer domains than you have today.

Windows 2000 brings technical changes that make combining existing Windows NT 4 domains an appealing prospect. Having lots of connected NT 4 domains can be an enormous pain, as anybody who administers this kind of environment can tell you. Accordingly, Windows 2000 allows larger domains and allows granting administrative authority at the Organizational Unit (OU) level within those domains. This makes it possible to turn existing NT 4 domains into OUs within a single Windows 2000 domain without completely centralizing administrative control over the users and machines in those OUs. This is a good thing, and it’s bound to motivate some chunk of existing domains to come together.

Just as important is that some aspects of Windows 2000 allow a centrally run administrative group within an organization to all but force that organization’s domains to be connected together. To see why, remember that Windows 2000 domains must have Domain Name System (DNS) names such as hq.qwickbank.com. In most organizations, domains will want to have names ending in the top-level domain name owned by that organization, a name such as qwickbank.com. Yet rational companies control the namespace below this name -- they don’t let just anybody in the organization grab and use any name they like. Also, many organizations run a centralized DNS service for that top-level name and the names below it. This can also make it problematic for groups in the organization to give their Windows 2000 domain a DNS name that doesn’t end in this top-level domain name.

The point is that an organization can control what Windows 2000 domains will exist by controlling the DNS names it gives out. While some current NT 4 administrators may disagree, this is a good thing. Given the complexity of Windows 2000 -- with Active Directory, Kerberos, group policy, and so much more -- a profusion of independent domains becomes a stunningly bad idea. Having a centralized group that knows how to manage this mass of new technology will make a move to Windows 2000 more likely to succeed. And forcing existing NT 4 domains to become OUs in a larger Windows 2000 domain, if you choose to do it, should decrease costs by requiring fewer domain controllers, and increase reliability and security by providing a staff of presumably better-trained administrators for this domain.

Even if it makes sense for an existing NT 4 domain to remain separate in the Windows 2000 world, controlling DNS names can at least force that domain to join the same forest as the others in that organization. Having all domains in a single forest greatly simplifies the management of trust relationships -- since all domains in a forest trust each other -- and it also enforces a single directory schema across an entire organization.

Prepare yourself for the great coming together. One way or another, Windows 2000 is likely to unify your organization. The political battles that take place during this process won’t be much fun, but the end result should be a better, more cohesive world than the one you live in today.