Now that Microsoft has had the official launch ceremony for Windows Server 2003, Windows NT's days are numbered. Since Microsoft will soon be discontinuing support for Windows NT, now is a good time to suggest to clients that they take a look at Windows 2000 or 2003 Server. The biggest difference between these two server operating systems and Windows NT is the addition of Active Directory. Although there is a bit of a learning curve associated with implementing an Active Directory environment, the benefits of doing so far outweigh the negatives. A better representation of the network
Centralisation sums up my primary reason for implementing Active Directory. The Active Directory structure makes it possible for you to achieve truly centralised management of users, regardless of how big your client's network has become. If you've worked with Windows NT before, you know that in Windows NT a domain is a completely independent entity. While it's possible to create a trust relationship between domains that exist on a common network, the domains are never truly integrated with each other because there is no higher authority that manages the domains. Seeing through the forest
The situation is different with Active Directory. Whereas the domain level was the highest level of abstraction in Windows NT, the highest level of abstraction in Windows 2000 and 2003 Server is the forest, which is basically a collection of domains. Microsoft chose to call this unit a forest because you can place domains into the forest, and you can place entire trees of domains into it. A domain tree consists of a parent, child, grandchildren, and great grandchildren domains. You can have as many layers of subdomains within a domain tree as is necessary to achieve the desired organisational structure. The Active Directory domain structure is handy to have whether your client's network is big or small. As you may recall, in Windows NT, each domain had its own Administrator account and its own Domain Admin group that was responsible for managing that domain. In Windows 2000 and 2003 Server, the domain Administrator account and the Domain Admin group still exist and can be used the same way that you were used to using them in Windows NT. There is also an Enterprise Admin group. Members of this group can manage any object within the entire Active Directory, regardless of what domain it exists within. Managing trust relationships
The first time that someone tried explaining the concept of parent and child domains, forests, and trees to me, my head was spinning. All I could think about was that managing trust relationships for an organisation that made use of all of these structures must be a real chore. However, managing trust relationships in Windows 2000 and 2003 Server is much easier than in Windows NT because there are essentially no trusts to manage. Within a forest, every domain trusts every other domain automatically. The only time you'd really have to worry about managing trust relationships would be if you had a relationship between domains residing within different forests. The only time that you would likely have to set up an interforest relationship would be if you needed to set up a trust relationship with a domain in another company's network. These enhanced management capabilities make Windows 2000 and 2003 Server more scalable than Windows NT. This is especially true for larger organisations. Windows NT has a limit of about 40,000 objects within a domain. Windows 2000 Server expands this limit to over 10 million objects. I have not yet seen the object limit figures for Windows 2003 Server, but I'm sure that it's possible to have over 10 million objects.