RIP, Windows 2000!

On Tuesday, Windows 2000 Advanced Server finally reached its end of support. Ten years is a long time for an OS release, and Microsoft’s server operating system has come a long way since then.  W2KAS and AD revolutionized the way the entire Microsoft world approached authentication (authN) and authorization (authZ); everything since then has been evolutionary.

I have fond memories of this OS because it also coincided with my move from Texas Instruments to Intel, and because I was writing a book about it. I clearly remember first learning about Windows 2000 (aka NT 5.0) and its Active Directory at the Professional Developer’s Conference in May of 1997. (I just yesterday ran across the tape set I purchased at the conference to study it.) Much of what seems blindingly obvious to me now was really confusing back then; Mark Minasi and I had some long conversations about it, and I cornered more than one speaker during those PDC evenings to answer my questions. My book was mainly focused on explaining what I’d learned about AD to an audience that had never seen it before.

I suspect that many people working in the IT infrastructure now, 10 years later, don’t realize how much W2KAS and AD shook up the security infrastructure of the day. It was possible to simply upgrade your NT4 domains to Windows 2000, but I believe very few did because Windows 2000, thanks to features like Kerberos, presented an opportunity to vastly simplify the multiple account and resource domains most companies had.

To simplify, however, was a complicated process. Most companies went the route of creating a pristine new AD forest, coming up with an organizational unit (OU) structure, populating it with user accounts and groups, and migrating servers and workstations into this shiny new kingdom. If you had set up a one-way trust between the new AD domain(s) and the NT 4.0 resource domains, when the accounts had been moved (and the smoke-and-mirrors trick of SID History preserved their resource access – thank you Steve Grobman of Intel for selling Microsoft on the idea!) users could logon to the new W2K domains and access their old resources until the resources could be moved into the AD forest.

But it took years to get rid of the NT4 resource domains. Years. And I know we weren’t alone. Since then we’ve hopefully all moved on, first to Windows 2003, and many of us have moved (very slowly) to Windows 2008 or R2.

But you always fondly remember your first AD :).

Follow Sean Deuby on Twitter at @shorinsean.