RE: Windows domains and group policy -- PCTECH

>Get the two domain controllers...

That cannot be emphasized enough! Unlike NT4 there is no concept of a
Primary and Backup Domain controller -- they are all masters. However,
AD is heavily dependent on the domain controller, and you don't want to
try to reconstruct one from scratch (trust me -- experience speaking
here). If you have two and one frags you just reinstall Windows and join
the domain, the other domain contoller has all the recent updates.

Bring up two domain controllers (an old W98 machine hardware would be
fine, BTW) and I'd make both of the Global Catalog servers too -- just
so they have the cross-domain trust information as well (if you have
any) since only GC's have that.  

-Walden

------------
Walden H Leverich III
Tech Software
(516) 627-3800 x11
WaldenL@xxxxxxxxxxxxxxx
http://www.TechSoftInc.com

Quiquid latine dictum sit altum viditur.
(Whatever is said in Latin seems profound.)


-----Original Message-----
From: pctech-bounces@xxxxxxxxxxxx [mailto:pctech-bounces@xxxxxxxxxxxx]
On Behalf Of Tom Jedrzejewicz
Sent: Friday, June 24, 2005 1:48 AM
To: PC Technical Discussion for iSeries Users
Subject: Re: [PCTECH] Windows domains and group policy

Win2003 allows some pretty amazing stuff with respect to desktop
security and management through the Group Policy.  However, I strongly
suggest that you get some help in the implementation from an expert.

My answers to the questions ... 

> 1) Does the software deployment and security stuff work as well as 
> advertised?

Security .. absolutely .. if you know what you are doing?
Software deployment .. not sure, haven't gotten there.

> 2) How much of a pain was it going from workgroups to a domain?

Don't know.  Went from NetWare to Win2000 at last job, in the process of
going NetWare to Win2003.

> 3) W98 and NT cannot participate.  If we still have 4 W98 and 1 NT 
> 4.0, what does that do to us?  Do we still need a WINS?

Don't waste the time with W98 and NT, unless you can absolutely avoid
it.  If you can find the $ to buy 5 PC's, do it.  If the W98 and NT have
to remain, isolate them.  I think that NT can join the domain.

No WINS (!) .. DNS fills all of the functions.  BTW, if I remember from
previous posts you use DHCP and DNS on the iSeries.  I would put them
onto Windows, on one (or both) of the domain controllers.
 
> 4) Did you get outside help?

Yes.  Our primary reason for implementing AD was to get to Exchange
2003.  Currently AD and NetWare are coexisting, with NetWare doing file
and print.  We got help to get AD and  eDirectory talking, to work out
the procedure for the the workstations, to help design AD and build the
servers.  Note that we have a newly minted MCSE on staff and he built
the servers.  We brought in some help for the weekend conversion as
well.

> 5) How much outside training was required?

For the users, we did training on Outlook 2003.  You might want to do
some orientation because the signing on looks a bit diferent.

> 6) Was it worth it?

Totally.  We implemented AD so that we could do Exchange, and it has
been completely worth it.  We were on Novell GroupWise, and the change
has been dramatic.

> The whole shebang does not appear to be for the faint of heart, but 
> anything to help admin cost is wonderful to me.

If you do it, don't skimp.  Get the two domain controllers, and spend
the time on setting up AD and planning the conversion.

--
Tom Jedrzejewicz
tomjedrz@xxxxxxxxx

--
This is the PC Technical Discussion for iSeries Users (PcTech) mailing
list To post a message email: PcTech@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/pctech
or email: PcTech-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
http://archive.midrange.com/pctech.