Life Without Active Directory

If you implement Win2K without AD, what will you miss?

If you haven't yet moved to Active Directory (AD), you have a lot of company. People seem to be thinking, "We really want all of Windows 2000's touted features, and we'll go to AD eventually, but implementing AD seems like a big first step in a Win2K rollout. Suppose we adopt Win2K workstations and member servers, then roll out AD later. What would we miss?"

First, let me make one thing clear: The most significant features of Win2K Server require AD, and I don't suggest that you forgo AD altogether. That said, however, I want to illuminate the path for those who choose to delay AD implementation and to point out that implementing Win2K servers, even without AD, has compelling benefits.

One reason to roll out Win2K-based member servers without implementing AD might surprise you. Although Win2K was supposed to do away with WINS, WINS will be with us for a while longer. WINS functionality doesn't require AD, nor will you disturb WINS if you add AD later. And ironically, WINS is one of the first "wins" of a Win2K Server-based network.

Deleting junk records in a WINS database has always been difficult unless you apply Service Pack 4 (SP4) or later to NT 4.0. But Win2K lets you tombstone records right from the GUI. (For information about WINS tombstones, see Alistair G. Lowe-Norris, "Tombstones Mark the Coming of the End for WINS," March 1999.) Many administrators need to dump the WINS database to an ASCII file, which they can then use to build scripts or print the database. But NT 4.0 doesn't offer an easy and reliable way to dump the database. Win2K, in contrast, has not only the familiar GUI-based WINS administration tool but also a command-line tool, Netsh, which acts as a kind of catchall tool not just for WINS but also for DHCP, RAS, and routing. (DNS has its own command-line tool, Dnscmd, as I explain later.)

Under NT 4.0, WINS frequently suffers from database corruption. Microsoft urges administrators to minimize the number of WINS servers in the enterprise because the more servers, the tougher the replication task, and replication sometimes leads to corrupted WINS databases. Under Win2K, WINS database corruption probably is still possible, but it's far less likely because the Win2K WINS server includes features that let WINS servers cross-check one another's database validity.

WINS is only one of the Win2K infrastructure improvements that don't require AD. The DHCP manager is somewhat better than it was before Win2K because Netsh simplifies scripting DHCP and lets you administer it remotely, even from a low-speed connection to Win2K's built-in Telnet server. Bear in mind that a Telnet session is not encrypted, so keep that kind of remote administration on a trusted network or inside a VPN; Netsh can also address a remote DHCP server directly (netsh dhcp server \\servername), which avoids the Telnet session altogether.

Although DNS is strongly integrated into AD and AD won't work without a DNS server, DNS doesn't need AD to run. And as I mentioned, Microsoft gives the Win2K edition of its DNS server the power of the command line with Dnscmd. However, you'll have to search a little to find the tool: Win2K Setup doesn't install it on your hard disk. You'll find Dnscmd on the Win2K Server CD-ROM in \support\tools\. (Ignore the incorrect Help text that says the program is in \support\enterprise\reskit.) Dnscmd lets you create and modify resource records, dump records, reconfigure the server, and do pretty much anything else you can do from the Microsoft Management Console (MMC), so you can perform simple DNS administrative tasks from a distance, even over a slow connection.

I actually recommend that you get your DNS infrastructure squared away before you start building an AD store. Because AD's special DNS needs will probably force you to upgrade your DNS servers, discard them and replace them with newer ones, or add a new set of DNS servers to support AD, implementing and becoming comfortable with a Win2K-based DNS server before you set up AD seems like a good idea.

Many of you will build your AD forest on a registered DNS domain, which is another reason to implement DNS before AD. By setting up the domain's DNS server first, you can ensure that the worldwide DNS hierarchy can find that server. And when you determine that a Win2K DNS server can resolve names in the domain, you know that the soon-to-come AD can rely on the server. You don't need to use a Win2K-based DNS server for AD, but you'll probably want to so that you can benefit from the integrated security that Win2K's DNS provides. One caveat for the interim: secure dynamic update is available only for AD-integrated zones, so a standard primary zone on an AD-less server either accepts dynamic updates from anyone or accepts none. Leave dynamic update off on such zones until AD is in place, and restrict zone transfers to the secondaries you actually run.
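The following batch script is an added example, not code from the article: it uses Dnscmd to build a standard primary zone on an AD-less Win2K DNS server, add the records a future AD domain will need, lock zone transfers down to one known secondary, and dump the zone to a text file for review. The server name DNS01, the zone example.com, the addresses, and the record names are all made-up values for illustration; the Dnscmd switches are the tool's documented ones.

```batch
@echo off
rem Added example (not from the article): prepare a DNS zone for a future
rem AD domain using Dnscmd, which runs fine without Active Directory.
rem Assumptions (all made up for illustration): the DNS server is DNS01,
rem the zone is example.com, the only legitimate secondary is 192.168.1.3,
rem and dnscmd.exe has been copied from \support\tools on the Win2K CD
rem into a directory on the path.

set DNSSRV=DNS01
set ZONE=example.com
set SECONDARY=192.168.1.3

rem 1. Create a standard (file-backed) primary zone. No AD needed.
dnscmd %DNSSRV% /ZoneAdd %ZONE% /Primary /file %ZONE%.dns
if errorlevel 1 goto :fail

rem 2. Add the records the domain will rely on, plus an ordinary host.
dnscmd %DNSSRV% /RecordAdd %ZONE% dns01 A 192.168.1.2
dnscmd %DNSSRV% /RecordAdd %ZONE% @     NS dns01.%ZONE%.
dnscmd %DNSSRV% /RecordAdd %ZONE% www   A 192.168.1.20

rem 3. Allow zone transfers only to the secondary we control, and send
rem    NOTIFY only to it. Without this, any host on the network can pull
rem    the whole zone with nslookup's "ls -d" command.
dnscmd %DNSSRV% /ZoneResetSecondaries %ZONE% /SecureList %SECONDARY% /NotifyList %SECONDARY%

rem 4. Dump the zone's records to an ASCII file so you can review it or
rem    feed it to other scripts (the "dump records" capability noted above).
dnscmd %DNSSRV% /EnumRecords %ZONE% @ > %ZONE%-records.txt
type %ZONE%-records.txt
goto :eof

:fail
echo Zone creation failed on %DNSSRV%; check that Dnscmd can reach the server.
exit /b 1
```

To confirm step 3 took effect, run nslookup from a machine that is not on the secure list, point it at DNS01, and issue ls -d example.com; the transfer should be refused. Repeat from the secondary itself and it should succeed.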

Some very desirable Win2K infrastructure features come in the area of routing and don't require AD. The Internet Connection Sharing (ICS) feature, which ships with all the Win2K Server flavors, Win2K Professional, Windows Millennium Edition (Windows Me), and Windows 98 Second Edition (Win98SE), will let you take virtually any kind of Internet connection (dial-up, Digital Subscriber Line (DSL), cable modem) and share it with local machines. For a bit more routing control and power, Win2K Server offers a Network Address Translation (NAT) router, which also runs fine without AD (and which you can use Netsh to control). Remember that neither ICS nor the NAT router is a firewall: translation hides your internal addresses, but it doesn't inspect or filter what the box itself accepts, so don't treat either as your only defense on an Internet-facing machine.

Microsoft IIS 5.0 is largely deaf to AD and supposedly runs twice as fast as IIS 4.0 on the same hardware. I've been using IIS 5.0 for almost a year, but not because of its speed. I like its support of host header records for virtual Web sites. (As a part-time Web master, I didn't know about host header records—even though IIS 4.0 also supports them—until IIS 5.0's Web Site Creation Wizard exposed them.) For tyro Web masters like me, here's an explanation of what host headers can do and why you should care.

I run two Web sites on the same machine. One is a basic professional-presence Web site. My other Web site, www.softwareconspiracy.com, handles a completely different task. I built that site solely to support a book intended for a different audience than my usual one, and I wanted a different site for that audience. Both Web sites sit on the same machine and have the same IP address. But how do I tell IIS to send certain content to people who visit the professional site and other content to the www.softwareconspiracy.com visitors? When I used IIS 4.0 (before I learned about host header records), I needed to assign two IP addresses to my Web server and bind one IP address to each site.

Does that sound like an insignificant difference? It isn't. For example, Web hosting services might not have enough IP addresses to accommodate hundreds of small personal Web sites. Or, what if you wanted to run more than one Web site on your DSL-connected PC? Most DSL providers won't give you a second IP address, so the IIS 4.0 approach wouldn't work. With IIS 5.0, when a browser contacts my Web server, it tells the server which host name it was trying to reach (the HTTP/1.1 Host header), and IIS uses that name to pick the site. If the browser says www.softwareconspiracy.com, IIS sends the book Web site content; if the browser says the professional site's name, IIS sends the general-purpose Web site content. The only flaw in this approach is that some old browsers don't send a Host header, so IIS directs those browsers to the default Web site regardless of which one they were trying to visit. But few of those old browsers still exist. One further limitation to plan for: host headers don't help with SSL sites, because the certificate is negotiated before the browser sends the Host header, so each SSL-protected site still needs its own IP address (or a distinct port).
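The following batch script is an added example, not code from the article: it uses adsutil.vbs, the metabase script IIS 5.0 installs in \Inetpub\AdminScripts, to bind two Web sites to the same IP address and port, distinguished only by host header. The site IDs (1 for the default site, 2 for the book site) and the host name www.example.com for the professional-presence site are assumptions; www.softwareconspiracy.com is the name from the article.

```batch
@echo off
rem Added example (not from the article): host-header bindings in IIS 5.0.
rem A ServerBindings entry has the form IP:Port:HostHeader. An empty IP
rem means "all unassigned addresses"; an empty HostHeader means "any name".
rem Assumptions: site 1 is the default site, site 2 is the book site,
rem and www.example.com stands in for the professional-presence site.

set ADSUTIL=cscript //nologo %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

rem Default site (ID 1): answers to its own name, and keeps a bare ":80:"
rem binding so browsers that send no Host header still land somewhere.
%ADSUTIL% set W3SVC/1/ServerBindings ":80:www.example.com" ":80:"

rem Book site (ID 2): answers only to its host names. No second IP needed.
%ADSUTIL% set W3SVC/2/ServerBindings ":80:www.softwareconspiracy.com" ":80:softwareconspiracy.com"

rem Show what the metabase now holds for both sites.
%ADSUTIL% get W3SVC/1/ServerBindings
%ADSUTIL% get W3SVC/2/ServerBindings
```

Only one site on a given IP and port may carry the catch-all ":80:" binding; if a second site also claims it, IIS refuses to start that site. Keep the catch-all on the site you want old browsers (and scanners that probe by IP address alone) to see.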

So what's the bottom line? If you're one of the many who are considering Win2K but are leery of trusting AD before SP3, you still have a lot of reasons to get your feet wet with Win2K Server today.
