Oldest Continuous Running Windows Domain
Posted by Random_Hyena3396@reddit | sysadmin | 95 comments
I had some issues with an AD install recently and ended up fixing it with ADSI. While tiptoeing through AD, I found so many deprecated items left from previous functional levels. It occurred to me: this AD has been continuously running and upgraded since 1994. It's been through a lot and so much has changed. I was thinking maybe I should spin up a new domain and connect via trust and then move stuff to that - start fresh so to speak.
Anyone done this?
jakedata@reddit
Place I used to work you could tell the real old timers because their names were in ALL CAPS after migration from Netware. There are still some ALL CAPS users there today. They EARN A LOT OF MONEY. I expect they like that they are in ALL CAPS and would complain bitterly if someone fixed it. Their phone extensions also start in a different range because only IMPORTANT PEOPLE had DIDs in the mid 90s.
Peter_Duncan@reddit
We used all caps for Sysadmins. Everyone else got lower case. Still do.
PixelSpy@reddit
The company I work for is reaaally old. Like 150+ years. Some of the employees have been here longer than I've been alive.
Based on records I've seen they moved to AD sometime around the very early 2000s. Have no idea what they ran before, if anything. Probably didn't even have a central server and just kept everything on floppy and paper.
Thlom@reddit
Active Directory was introduced in Windows 2000 server (and Windows NT 4.0 via a patch). Windows NT also had both directory and domain services, so chances are they used that before upgrading to AD.
Arudinne@reddit
Maybe Novell Netware?
Cormacolinde@reddit
I’ve seen plenty of domains that dated from Windows 2000 or were NT4 domains upgraded to AD with 2000 or 2003.
A few years back when the November 2022 patches for Kerberos came out, we evaluated all our MSP customers for issues before installing the updates. We found a few krbtgt accounts with a password dating from 2001.
I still see people with some AD artefacts from the BlackBerry Servers, pre-2010. I found some CNF objects in AD the other day related to a Cisco Wireless configuration. The guy who had been working there for 20+ years said they've never had Cisco wireless since he's been there, so that would have been early 2000s.
ErikTheEngineer@reddit
I'm very ashamed to admit that I didn't know the krbtgt user password needed to be manually rotated until I was hardening a domain last year. I knew the account existed and what it was for given that there's a very similar construct in *nix Kerberos... but talk about being able to go through a career missing something critical.
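A read-only check for the krbtgt password age discussed in the two comments above, as an added example that is not from the thread. It assumes the RSAT ActiveDirectory module and read access to the domain; the 180-day limit is an assumed policy value, not Microsoft guidance.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory module
# and read access to the domain; the 180-day limit is an assumed policy value.
Import-Module ActiveDirectory

function Get-KrbtgtPasswordAge {
    param(
        [string]$Server,         # optional DC or domain to query; default is the current domain
        [int]$MaxAgeDays = 180   # assumed threshold; align it with your own rotation policy
    )
    $query = @{
        # the domain krbtgt plus the per-RODC krbtgt_<id> accounts
        LDAPFilter = '(&(objectClass=user)(sAMAccountName=krbtgt*))'
        Properties = 'PasswordLastSet', 'whenCreated'
    }
    if ($Server) { $query.Server = $Server }

    foreach ($acct in Get-ADUser @query) {
        # PasswordLastSet is null when pwdLastSet is 0; treat that as "never set"
        $lastSet = if ($acct.PasswordLastSet) { $acct.PasswordLastSet } else { $acct.whenCreated }
        $ageDays = [int]((Get-Date) - $lastSet).TotalDays
        [pscustomobject]@{
            Account         = $acct.SamAccountName
            Created         = $acct.whenCreated
            PasswordLastSet = $lastSet
            AgeDays         = $ageDays
            # a password set within minutes of the account's creation has never been rotated
            NeverRotated    = ($lastSet - $acct.whenCreated).TotalMinutes -lt 5
            Stale           = $ageDays -gt $MaxAgeDays
        }
    }
}

# When you do rotate: reset twice, with a full replication cycle between the resets.
# The KDC accepts tickets under the current and the previous krbtgt key, so a single
# reset leaves outstanding tickets valid, while two resets in quick succession
# invalidate every ticket in the domain and force re-authentication everywhere.
Get-KrbtgtPasswordAge | Format-Table -AutoSize
```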
Revelation_Now@reddit
Unbelievable. Literally unbelievable. You have found the only active directory environment running from 5 years before Active Directory was created. Hats off. Novell will be furious
Random_Hyena3396@reddit (OP)
I corrected myself that it was NT4.0 for the first several years. Go fuck yourself.
bg370@reddit
AD came out in 2000 but yes upgrade after upgrade leaves all kinds of crap even if it's done properly. It would be nice to be able to factory reset the whole damn network
RusticGroundSloth@reddit
That was a dream of mine at my last job. Especially after we acquired another company. Their network was…interesting. I’m not a network engineer but I worked with them - I remember something about them using BGP routing internally in their single site data center with some really large broadcast domains somehow and multiple internal VPNs. The network lead joked once that it would cost more than the acquisition to fix that mess. They were just starting to plan the redesign when I left for greener(ish lol) pastures.
Cooleb09@reddit
That just sounds like EVPN/VXLAN which is pretty standard.
proudcanadianeh@reddit
So you work where I am? I swear the previous network techs were using the production network as a resume builder to get experience and move on to a larger org.
Random_Hyena3396@reddit (OP)
I guess I should say it started as an NT4.0 domain (pre AD)
bg370@reddit
Ugh I got my first MCSE on NT4 and all I remember is an ugly UI and driver problems
mycall@reddit
Looks kinda like ReactOS
homepup@reddit
I recall upgrading our Accounting Manager to NT4 workstation because it was so solid (she was my test before upgrading all the computers) and then I had to downgrade her because it didn't support USB and she was unable to sync her Palm Pilot. :/
w0lrah@reddit
Not that it's anything more than useless trivia now 25ish years later, but all the "classic" (read: pre-iPhone) PDAs with USB support also had RS232 serial which was still more or less ubiquitous on computers of the era so it would have probably been workable with just a new cable/dock.
I had one of the Timex Datalink watches back then that synced using patterns flashed on the screen, and those also didn't work with NT (or LCD displays). You had to buy an RS232 dongle that had an LED to sync the watch with an NT system or laptop.
BatemansChainsaw@reddit
I haven’t thought of those in forever. Nearly forgot about them entirely!
xpxp2002@reddit
I still have my first gen one. Battery’s dead though, and I don’t have the accessory to send data to it so I can’t even do anything much with it since I haven’t had a CRT at home in 20 years.
w0lrah@reddit
Mine was the Ironman Triathlon model, and all the plastic trim around the face was broken after years of abuse before it eventually lost its waterproofness and died after a swim.
In case you get a wave of nostalgia, there are a couple of projects that emulate the dongle using a Raspberry Pi Pico or Arduino.
https://github.com/synthead/timex-datalink-arduino
https://github.com/famiclone6502/DIY_Datalink_Adapter
Shockingly Timex still keeps the Datalink software available online: https://assets.timex.com/html/data_link_software.html
It's a 16 bit application so it won't run natively on 64 bit versions of Windows, but it apparently does work in winevdm and of course emulating an older system and just passing through the virtual COM port is always an option.
techguy_crs@reddit
It installs the service packs…
manderso7@reddit
Or else it gets the bsods again?
fatcakesabz@reddit
SP6 was the BSOD. That took some fixing, can’t even remember how it was so long ago
Kraeftluder@reddit
Wasn't there a 6a to address those issues? It's been 21 years since I supported it in production.
DakotaHoosier@reddit
Oh, yes. The wonderful service pack. Long live SP 6a!
xpxp2002@reddit
Yep
alpha417@reddit
Now it places the CD in the tray.
jakeod27@reddit
Oh wait, was it a great big fat database?
Redemptions@reddit
Except 6, skip 6, got to 6a, especially if you have a Compaq Proliant server with a RAID controller, because, well, bad things happened.
fatcakesabz@reddit
SP6 made me cry, nearly, certainly gave me a number of sleepless nights. It's what gave me my fear of MS updates and why any automatic patching system I set up had at least a few days between release and application
Redemptions@reddit
It certainly embedded in me the need to test every patch, including Microsoft's. These days people go "duh", but once upon a time, before there was auto patches and everything was always online, there was a pretty heavy trust that by the time something was pressed onto a disc and sent with your monthly MSDN sub, the bugs had been found.
Jeffbx@reddit
Ha I remember that printers are not printers, print devices are printers.
And for some reason, we had to know that the speed of a T1 is 1.544Mbps.
bg370@reddit
And a floppy is 1.44MB
unkmunk@reddit
Gotta press ‘S’ during setup and insert the adaptec SCSI driver disc
DarthPneumono@reddit
Some things never change
Ok_Presentation_2671@reddit
AD in 94 what a riot lol
Huckbean24@reddit
Beta release.
jackburton_79@reddit
The domain in the company I work for started with NT4 too. We migrated to every new version (to 2016)
netsysllc@reddit
AD has only been around since 2000, so 94 would have been NT Directory services
lokzwaran@reddit
Congratulations on turning 30!
AD is just such a beauty - 30+ years of ideas and experience and abandoned plans.
grumpyolddude@reddit
I've run domains updated on every release since Windows 2000. The AD is a database and unless you have unrepairable issues I think you should let it be. Install clean DCs by adding new hardware/VMs with clean installs and promoting them. If you have issues with the data in AD you can fix that. Permissions and delegations can be a little more involved, but are also correctable. Those are maintenance tasks for a long running operational directory. The time and effort to create a new domain and migrate to it depends a lot on how big your directory is. 10 users and 10 computers in a small office is a lot different from a corporate domain with thousands of users, groups, computers, delegations, gpos, schema mods, etc. One can be done after work one day and the other might take a year of planning. Obviously most large organizations aren't going to spend that much effort for something that doesn't have a benefit, and run 20+ year old directories without issue. If those directories with all the complexities and history don't need to be "refreshed" then the 10 user domain probably doesn't either. I'm not sure exactly what you are seeing in ADSI, but it sounds to me like you are digging through /windows/system32 and looking for old files you don't need. Leave that alone. :) There are a lot better ways to spend your time. IMHO of course.
KingDaveRa@reddit
I'm pretty sure our domain is on the third generation of DCs. It just continues to evolve.
It is our third domain though, one was dropped due to being a .local suffix (which caused silly issues with Macs back then), and the other was an old NT4 domain with a lot of cruft in it. Starting fresh seemed the easiest route, and it worked well.
xpxp2002@reddit
I still read that .local is discouraged due to Bonjour/mDNS issues, but I have a .local AD domain in my home lab and have never had any issues with Windows or Mac.
reviewmynotes@reddit
That's probably working for you because of one or more of the following:
Not actually using mDNS for Apple products to autodetect each other.
The AD DC is the default DNS resolver on the Apple products.
xpxp2002@reddit
mDNS is in ample use with HomeKit here.
It has to be the second one. AD DCs are providing internal name resolution.
KingDaveRa@reddit
This was some years ago now, probably around Tiger, and I think it was largely resolved in later versions. Caused a LOT of grief at the time!
No-Interaction5957@reddit
I actually built a script in about a week, refined over 4 months, to do exactly this. only about 500 lines long, but migrated existing domains to new ones in 15 minutes. Lotta ldif reformatting and exporting
gmitch64@reddit
Have you posted that anywhere? I'd love to have a read through that.
No-Interaction5957@reddit
Unfortunately it was for a project that I don't own for a company that I don't work for anymore, but you could probably recreate it with the help of chatgpt.
Here's a roadmap of what I remember if you want to try:
Set variables from network storage using token based auth
Export Function 1:
Ldifde export users with all properties
Ldifde export groups with members
Ldifde export groups without members
Ldifde export ou structure
Export Function 2:
Command to backup gpos
Command to backup sysvol folders
Export Function 3:
Command to package all into a password enabled zip, set name date
Wipe files aside from zip
Export Function 4:
Upload to network location
Import Function 1:
Read-host to set variables for formatting (new domain name or same as old)
Read-host for password if disconnected from env, logic to detect if empty
Command to unzip with password
Command to format ldif files to be single line (some of the exports will break into multiple lines depending on length, they always start with a space so just remove the space and combine the lines) - all ldifs
Command to replace domain name (dc=newdomain, or whatever needs replaced here) - all ldifs
Remove any builtin users/groups from ldifs
Import Function 2:
Import ou ldif
Import user ldif
Import groups with user ldifs
Import groups without users ldif (option)
Restore gpos
Populate sysvol folders
Because they are functions, have some logic at the end to ask if you want an export or import and compile there, can also keep some manual variable setting here.
Note: this doesn't retain passwords or dns, passwords was a custom solution that I can't share anything about or provide a road map for recreating, simply due to being way too complex to recreate without source code and is extremely environment specific
No-Interaction5957@reddit
Oh and set a scheduled task/cron on all your servers to detect a failed domain connection and re-domain join using variables from a network location if you want to keep computers
No-Interaction5957@reddit
Oh and all powershell so you don't need to install any additional software to use it
No-Interaction5957@reddit
You can use different to export most of this, and a backup of GPOs to import into a new AD, then just format any data from the ldif exports to import to new DCs. Different exports will be a couple thousand to tens of thousands of lines long, so simple replace commands are your friend here. Extra spaces might pop up randomly, so need some logic to take care of that as well. When importing you can export the logs for any failed events and refine your script to work for your environment more. Labor of love, but it's a great thing to have on hand. Throw the export functions in task scheduler with backups to a NAS and you have robust DR
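The ldif reformatting steps from the roadmap and the comment above (unfold continuation lines, swap the domain DN, drop built-ins), as an added example that is not the commenter's script. It assumes an ldifde export file and old/new DN suffixes of your own; the base64 handling covers the `attr:: ...` lines ldifde emits for non-ASCII values, which a plain text replace misses.

```powershell
# Added example, not the commenter's script. Unfolds ldifde output, drops built-in
# principals and rewrites the domain DN suffix, including inside base64-encoded
# ("attr:: ...") values, which a plain text replace never sees.
function Convert-LdifForNewDomain {
    param(
        [Parameter(Mandatory)][string]$InputPath,
        [Parameter(Mandatory)][string]$OutputPath,
        [Parameter(Mandatory)][string]$OldDnSuffix,   # assumed, e.g. 'DC=oldcorp,DC=local'
        [Parameter(Mandatory)][string]$NewDnSuffix,   # assumed, e.g. 'DC=newcorp,DC=com'
        # RDNs that every domain already has and that must not be imported again
        [string[]]$SkipRdn = @('CN=Administrator', 'CN=Guest', 'CN=krbtgt',
                               'CN=Domain Admins', 'CN=Domain Users', 'CN=Domain Computers',
                               'CN=Domain Controllers', 'CN=Enterprise Admins', 'CN=Schema Admins')
    )
    $utf8 = [System.Text.Encoding]::UTF8
    $oldPattern = [regex]::Escape($OldDnSuffix)      # -replace and -match are case-insensitive

    # 1. Unfold: a line starting with one space continues the line above it.
    $lines = New-Object 'System.Collections.Generic.List[string]'
    foreach ($raw in Get-Content -Path $InputPath) {   # add -Encoding Unicode if exported with ldifde -u
        if ($raw.StartsWith(' ') -and $lines.Count -gt 0) { $lines[$lines.Count - 1] += $raw.Substring(1) }
        else { $lines.Add($raw) }
    }

    # 2. Group into entries; ldifde separates them with an empty line.
    $entries = New-Object 'System.Collections.Generic.List[object]'
    $current = New-Object 'System.Collections.Generic.List[string]'
    foreach ($line in $lines) {
        if ($line -ne '') { $current.Add($line); continue }
        if ($current.Count) { $entries.Add($current); $current = New-Object 'System.Collections.Generic.List[string]' }
    }
    if ($current.Count) { $entries.Add($current) }

    # 3. Skip built-ins and rewrite every DN, plain or base64.
    $out = New-Object 'System.Collections.Generic.List[string]'
    $kept = 0; $skipped = 0
    foreach ($entry in $entries) {
        $dnLine = $entry | Where-Object { $_ -match '^dn::? ' } | Select-Object -First 1
        $dn = if ($dnLine -match '^dn:: (.*)$') { $utf8.GetString([Convert]::FromBase64String($Matches[1])) }
              else { $dnLine -replace '^dn: ', '' }
        $rdn = ($dn -split ',', 2)[0]
        if ($dn -match ',CN=Builtin,' -or $SkipRdn -contains $rdn) { $skipped++; continue }
        foreach ($line in $entry) {
            if ($line -match '^([^:]+):: (.*)$') {
                $attr = $Matches[1]
                $decoded = $utf8.GetString([Convert]::FromBase64String($Matches[2]))
                if ($decoded -match $oldPattern) {
                    $fixed = $decoded -replace $oldPattern, $NewDnSuffix
                    $out.Add("${attr}:: " + [Convert]::ToBase64String($utf8.GetBytes($fixed)))
                } else { $out.Add($line) }   # binary or unrelated value: leave it untouched
            } else {
                $out.Add(($line -replace $oldPattern, $NewDnSuffix))
            }
        }
        $out.Add(''); $kept++
    }
    Set-Content -Path $OutputPath -Value $out
    [pscustomobject]@{ Entries = $entries.Count; Kept = $kept; Skipped = $skipped }
}
```

Import the result with `ldifde -i -k -f <file> -j <logdir>` so constraint and already-exists errors are logged rather than aborting the run; ldifde's own `-c FromDN ToDN` switch covers the plain-text DN swap but not the base64 case handled here.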
Ok_Presentation_2671@reddit
Well said
De_Oppresso-Liber@reddit
On August 23rd I shut down all of the DC's and turned out the lights on AD for good (went AAD/Intune). I inherited the domain running NT4 with an exchange 5.5 server in May 2000. First I took it to server and exchange 2000, then 2003 before leaping to the cloud to avoid infrastructure needs for exchange 2007. Continued down the server path to 2008, 2016 then 2019. On the desktop it was all NT4 when I got here and I brought them from 2000 to XP, then 7 & 10. Made the jump to 11 as I used autopilot to onboard to AAD/Intune.
tldr recently retired a domain I've run for 24+ years, was likely ~27-28 years old. Intune or bust.
Acrobatic_Fortune334@reddit
My org has been since 2004, we are doing a full Datacenter rebuild in 6 months and standing a new DC up to migrate everyone to, there's so much legacy crap and leftovers in our current AD that we are taking the opportunity to rebuild while we can
Brave_Promise_6980@reddit
I collapsed 400 NT4 domains into one AD, three regional, one forest root, it's run non stop since 2001, the closest we came to losing it were Conficker and NotPetya, token bloat, SID history, and a ton of depreciation made it a challenge, but it's still running sweet with 200k users.
Skrunky@reddit
That’s baller
Topphawg@reddit
That sounds eerily familiar - by chance was this for a company w/ initials TK?
SpongederpSquarefap@reddit
Yeah dragging years of old crud through Windows is never nice
That's why any place that scales always goes with cattle infrastructure - you should always be able to rebuild it
StiffAssedBrit@reddit
I took over a site in 1998, that had two NT 4 servers, running a domain that was already 4 years old. Over many years we upgraded, rolled up to AD, and kept upgrading. In hindsight should have built a new forest and AD, rather than upgrading the NT 4 domain, but the potential pitfalls with their LOB software, and the cost of hardware to run new DCs, killed that idea at the time. The domain name is based on the name of the company many years ago, and I've spent many years expecting a call that they want to change the domain name. Fortunately, everything is virtualized now so spinning up a couple of new DCs, building a new AD, and migrating everything to it wouldn't be such a problem now.
Agility9071@reddit
I started my domain in 2003 and upgraded it to every server release since. Exchange as well.
flatvaaskaas@reddit
Really curious about the technical legacy point of view:
Is RC4 still used? Which old configuration of groups (Protected Users e.g.) is there, are there any groups that have been used for authorization that you don't know of?
How many gpo's are there setting cipher suites? Or setting some weird settings to servers?
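A way to answer the RC4 and Protected Users questions above from the directory itself, as an added example that is not from the thread. It assumes the RSAT ActiveDirectory module and a domain at 2012 R2 functional level or higher (where the Protected Users group exists); the bit values it decodes are those of msDS-SupportedEncryptionTypes.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory module; the
# Protected Users group exists only at 2012 R2 functional level or higher.
Import-Module ActiveDirectory

# bit values of msDS-SupportedEncryptionTypes
$EncTypeFlags = [ordered]@{ DES_CBC_CRC = 1; DES_CBC_MD5 = 2; RC4_HMAC = 4; AES128 = 8; AES256 = 16 }

function ConvertTo-EncTypeNames([int]$Value) {
    $names = foreach ($name in $EncTypeFlags.Keys) { if ($Value -band $EncTypeFlags[$name]) { $name } }
    if ($names) { $names -join ',' } else { 'none' }
}

function Get-LegacyKerberosAccount {
    # Computers and SPN-bearing user accounts (service accounts) that still permit RC4/DES,
    # or carry no explicit setting so the DC default (historically RC4) applies.
    $filter = '(|(objectClass=computer)(&(objectClass=user)(servicePrincipalName=*)))'
    foreach ($obj in Get-ADObject -LDAPFilter $filter -Properties 'msDS-SupportedEncryptionTypes', 'sAMAccountName') {
        $value  = $obj.'msDS-SupportedEncryptionTypes'
        $legacy = ($null -eq $value) -or (($value -band 7) -ne 0)    # DES or RC4 bit set
        $aes    = ($null -ne $value) -and (($value -band 24) -ne 0)  # AES128 or AES256 bit set
        if ($legacy -or -not $aes) {
            [pscustomobject]@{
                Account  = $obj.sAMAccountName
                Class    = $obj.ObjectClass
                EncTypes = if ($null -eq $value) { 'unset (DC default)' } else { ConvertTo-EncTypeNames $value }
            }
        }
    }
}

function Get-AdminOutsideProtectedUsers {
    # Domain Admins outside Protected Users can still authenticate with NTLM and RC4
    # and can still be delegated; listing them answers the "which groups" question.
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                   Select-Object -ExpandProperty DistinguishedName)
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $protected -notcontains $_.DistinguishedName }
}

# The static picture above says what is allowed; what is actually used shows up in the
# DCs' Security log: event 4769 with TicketEncryptionType 0x17 is an RC4 service ticket.
Get-LegacyKerberosAccount | Format-Table -AutoSize
Get-AdminOutsideProtectedUsers | Format-Table Name, DistinguishedName
```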
zorinlynx@reddit
Where I work we had an NT domain starting around 1994 but then migrated to AD in the early 00s. It's been a while (been there since 1996), but I recall we spun up the AD domain alongside the NT domain and recreated all the users. We didn't have a lot of users at the time (maybe 100?) so it wasn't a big deal. Then migrated individual workstations over, assisting each user with logging into their new account.
I guess we figured this would be more reliable than to try to directly migrate the old domain. Honestly I don't even remember if it was possible to directly migrate from NT to AD.
But our AD has been the same AD since then and has been rock solid, so... no complaints!
WantDebianThanks@reddit
At a previous place the head of IT got ahold of MS and asked what their recommendation was for moving from 2003 to 2019 for a DC. Like, should we update the server release by release, spin up a new server and sync, or something else?
Way he told it, the tech's answer was essentially "we have no official recommendation for upgrading from a deprecated server, you're on your own, fuck off", then hung up.
burner70@reddit
Our domain still has artifacts left over from when it was a Novell Netware group. The AD Groups folder is nested under IRM 3.0 lol
bascule@reddit
Wonder if anyone's got a domain that started out on Banyan VINES
Primary_Program_7325@reddit
VINES... Haven't heard that in a coon's age!!!!
C2D2@reddit
Was this a Novell domain?
TheFluffyDovah@reddit
I've moved ours from 2012r2 to 2022, clean cut off, no upgrades
cvsysadmin@reddit
Yep. We had a single label domain that had been in service since the mid-late 90s. This past year or two we did a full blown migration to a brand new forest/domain we built from scratch. It took a good while to complete. We did it in phases. New OU structure, GPO migration, users, computers, file servers, database servers, Exchange servers, application servers. It was a whole thing. We were able to do things incrementally while keeping the other domain up. Took about a year total. The new domain honestly turned out great. We used Quest AD migration manager. We also leveraged a consulting service to help with the planning. We did most of the actual migration work ourselves. The Quest stuff was pricey, but it worked really well.
I'm really glad we decided to get a consultant. We have a team that has decades of combined AD experience and we'd done migrations in the past, but having someone that does this exact work for a living helped a ton. A ton. We would have been caught in several pitfalls that we were able to avoid with them. We migrated about 70,000 user accounts, 5,000 Windows computers, a couple hundred server VMs, and a couple dozen Hyper-V hosts. 3 S2D failover clusters. 1 regular server/SAN Hyper-V failover cluster. Exchange hybrid server/smtp.
Some things were a piece of cake. Some totally sucked. But we got there and man our new FQDN domain is so much better. Much more secure. Way easier to manage.
mikecel79@reddit
We had a domain that I built and was running since 2003 that had been upgraded continuously up to 2012. My division was acquired about 2 years ago and I was planning an upgrade to 2022 at the time. As far as I know the upgrade went through and it’s still being run by my old company.
jamesaepp@reddit
I've never found an official source for this, but I remember an instructor once informing me that before AD (or even NT4 domains), Exchange was the ancestor of modern AD, and the Exchange "schema" became the AD schema.
I'm not at all sure if that's true. But if it is, that would imply depending on your exact definition, a company that ran Exchange back in the 90s could still have the same domain today with all the upgrade paths.
merp1991@reddit
I was on a random google dive before I saw your comment and a wiki page or two did suggest that AD originated from Exchange, so you could well be right!
mikecel79@reddit
A lot of the underlying schema for AD did come from Exchange 5 and 5.5. Those versions had full on ldap directories to support email, calendaring, etc. AD itself did not come from Exchange code but they share a lot of similarities.
yParticle@reddit
Still have a domain that the previous admin could never fully extricate from 2003 so there's a ghost 2003 server out there preventing ever raising the domain functional level. It's no big deal at this point as I think the on-prem server is only really used to support a single proprietary app now and everything else is in the cloud.
TheIrruncibleSpoon@reddit
Ntdsutil to clean out the old server traces? Do you know its old hostname?
Gaunerking@reddit
You do not need to. With ntdsutil you can query the AD site and it will show which DCs (meta) are there. You just have to know the site this thing was/is on.
Brilliant-Advisor958@reddit
AD DNS can also have some left over crap in it as well that can cause issues. Good to scour that for erroneous entries.
Gaunerking@reddit
Yes, agreed.
My way is to use Sites and Services to remove the dead DC and then check ntdsutil and DNS to be safe. Usually ntdsutil shows no entry after removal via Sites and Services, but I always check (as well as DNS).
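A read-only audit for the three leftovers this sub-thread talks about (a ghost DC the directory still believes in, server objects left behind after metadata cleanup, and stale _msdcs SRV records), as an added example that is not from the thread. It assumes the RSAT ActiveDirectory and DnsClient modules; the 90-day inactivity window is an assumed threshold.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory and DnsClient
# modules; the 90-day inactivity window is an assumed threshold.
Import-Module ActiveDirectory

function Get-StaleDcTrace {
    param([int]$InactiveDays = 90)
    $sitesDn = 'CN=Sites,' + (Get-ADRootDSE).configurationNamingContext
    $domain  = (Get-ADDomain).DNSRoot
    $cutoff  = (Get-Date).AddDays(-$InactiveDays)

    # 1. DCs the directory still believes in (NTDS Settings present) whose computer
    #    account has not logged on for a long time: the ghost that blocks a functional-level raise.
    $dcs = @(Get-ADDomainController -Filter *)
    foreach ($dc in $dcs) {
        $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties LastLogonDate
        if (-not $comp.LastLogonDate -or $comp.LastLogonDate -lt $cutoff) {
            [pscustomobject]@{ Kind = 'GhostDC'; Name = $dc.HostName; Detail = "last logon $($comp.LastLogonDate)" }
        }
    }

    # 2. Server objects under Sites with no NTDS Settings child: metadata was cleaned
    #    up but the container was left behind.
    foreach ($srv in Get-ADObject -LDAPFilter '(objectClass=server)' -SearchBase $sitesDn) {
        $ntds = @(Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $srv.DistinguishedName -SearchScope OneLevel)
        if ($ntds.Count -eq 0) {
            [pscustomobject]@{ Kind = 'OrphanServerObject'; Name = $srv.Name; Detail = $srv.DistinguishedName }
        }
    }

    # 3. _msdcs SRV records that point at hosts which are no longer DCs: the DNS cruft.
    $liveHosts  = $dcs | ForEach-Object { $_.HostName }
    $srvRecords = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'SRV' }
    foreach ($rec in $srvRecords) {
        $target = $rec.NameTarget.TrimEnd('.')
        if ($liveHosts -notcontains $target) {
            [pscustomobject]@{ Kind = 'StaleSrvRecord'; Name = $target; Detail = $rec.Name }
        }
    }
}

Get-StaleDcTrace | Format-Table -AutoSize
```

Deleting a ghost's NTDS Settings object in AD Sites and Services (Server 2008 and later) or running ntdsutil's `metadata cleanup` performs the actual removal; the stale SRV records are then deleted in DNS Manager.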
cubic_sq@reddit
Have one site i have been doing stuff for since nt 3.51 days.
lugnercity@reddit
10 years Windows admin in multiple orgs and all the directories I worked with were OG from 2001. Also at my new workplace it's November 2001 :D still going because it was well maintained. Functional level is 2016 on Server '22
andyr354@reddit
My last job the AD started in 2001 or 2002. I forget now. I was a young man back then. I was laid off January and am no longer there but I'm sure it's still going now.
ciabattabing16@reddit
1-way-trusts should just be renamed "Safe migration plan" by Microsoft
THEoMADoPROPHET@reddit
Wow, 1996 is impressive! It’s fascinating how some of these old domains have managed to adapt and stay operational for so long. I’d be curious to hear about the biggest challenges faced over the years. Anyone have stories of major hurdles they had to overcome?
nl-robert@reddit
We always start completely over when we have a new client. We just build a new network from scratch, new GPO's, new users, etc. and copy just some directories from old profiles, such as the user's Desktop and Documents. But I have to say we are a bit special because we run every client on Synology high-availability clusters as AD, DNS and fileserver. Works really great.
R_Work@reddit
How do you handle migrating all the workstations to the new domain without disruption?
nl-robert@reddit
We image those. We test the image in the new "shadow" network and then deploy when we switch. But as an MSP we rent hardware as part of our service, so most hardware is replaced anyway and not migrated. Only some fairly new CAD PCs are migrated. Have to say that our clients typically have smaller networks with 20 to 50 PCs.
havochaos@reddit
I’ve used this in the past with success. https://www.forensit.com/domain-migration.html
stompy1@reddit
I've used ADMT on one of my customers' networks and it worked great. Ensure all computers are online and the pre-tests come back ok. Follow MS documentation.
OrganicSciFi@reddit
aka User and Server Manager for Domains
rthonpm@reddit
Our office domain started on Server 2003 in 2007, bumped to Server 2008 (not R2), then 2012 R2, and now Server 2022. It was renamed in 2013 to remove .local as the TLD and then just some clean up and consolidation of GPOs every few years.
HardRockZombie@reddit
Mine was running as Novell in the mid 90s, eventually converted to AD and upgrade through the years, never really had any issues with anything. Remove things as they’re not needed, redo the GPOs when they have deprecated policies in them, and it’s been fine.
korobo_fine@reddit
how did you handle upgrades and updates?
Abraham_linksys49@reddit
How many users and workstations? What type of business - meaning how much downtime can you handle?