The following is a collection of expert responses to reader questions by Laura Hunter.
We are going to rebuild our Windows 2003 Active Directory Servers. Our AD servers are currently being used as SMS and antivirus
servers also. I have talked to others and have been advised that the AD should have AD controllers only. I cannot find anything on the Microsoft Web site to support this comment. Your input is appreciated. Thanks in advance.
Could you briefly outline for me what the major differences are between Windows Server 2003 and Windows Server 2000?
LH: Windows Server 2003 has made a number of improvements over Windows 2000, particularly in the area of security and Active Directory internals. For a detailed look at the new features available in 2003, check out the links on this page from Microsoft's Web site . This is a portal page that will take you to different pages detailing the new features in File & Print Services, security, Active Directory and more.
I need a step-by-step lesson on creating a trust between two AD domains. Lets say I have two domains:
1. web.agni.com (FQDN)Windows 2003 Server
2. web1.jis.com (FQDN)Windows 2000 Server
When I used the dcpromo command in both the servers it created separate domains as well as a separate DNS for each. Right now I want to create a trust relationship between these two domains. Can you help?
LH: To create a trust between a Windows Server 2000 and a Windows Server 2003 domain, you'll need to configure an external trust, as described here.
We are currently using a Windows 2000 server. The Active Directory name is the same name as our Web site that is being hosted elsewhere. This is a problem because in the office when we try to go to our Web site it goes to our server instead and we can't get to our site from there. Can I change the AD name without messing things up? If so how?
LH: There isn't a very good way to rename a Windows 2000 domain. However, you should be able to have a website like www.company.com that is accessible even if it's not being hosted externally from your internal AD network. You should verify how the DNS records for your internal AD domain and the web server are configured, particularly any CNAME records that are referencing the www hostname.
I have a simple NT domain in one location with 60 user accounts configured as shown.
1- PDC (NT4.0 sp6a)
1- BDC (NT4.0 sp6a)
1- 2000 member server.
Here is my question: If I upgrade my PDC to a Windows 2003 server should I create it as a new domain in a new forest? My current domain name is welkernet.com and I am not sure if the new 2003 DC should have the same domain name or a different one.
LH: You can perform an in-place upgrade from NT4 to Windows Server 2003 without needing to create a brand new forest and domain. I would recommend installing a new NT4 server and temporarily configuring it as your PDC so that you are performing the upgrade on a "clean" machine. See the upgrade center here for white papers and details on the NT4-2003 upgrade process.
Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valuable Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (APress Publishing). You can contact her at firstname.lastname@example.org.
This was first published in March 2006