Upgrading from a Windows NT Domain


The Active Directory Installation Wizard simplifies upgrading a Windows NT domain to Windows Server 2003 Active Directory. The Active Directory Installation Wizard installs and configures domain controllers, which provide network users and computers access to the Active Directory directory service. Any member server (except those with restrictive license agreements) can be promoted to domain controllers using the Active Directory Installation Wizard. When promoting member servers to domain controllers, you will define one of the following roles for the new domain controller:

  • New forest (also a new domain)

  • New child domain

  • New domain tree in an existing forest

  • Additional domain controller in an existing domain

The upgrade process involves the following steps:

  • Planning and implementing a namespace and DNS infrastructure

  • Determining forest functionality

  • Upgrading the Windows NT 4.0 Server or earlier primary domain controller

  • Upgrading any remaining backup domain controllers

  • Converting groups

  • Completing the upgrade of the domain

  • Installing Active Directory client software on older client computers

More Information

For additional information on using the Active Directory Installation Wizard, see the Windows Server 2003 Help and Support Center.


Planning and Implementing a Namespace and DNS Infrastructure

A namespace is the naming convention that defines a set of unique names for the resources on a network. Two namespaces matter here: Domain Name System (DNS), a hierarchical structure that identifies each resource by its name and its place in the hierarchy, and Windows Internet Naming Service (WINS), a flat structure that identifies each resource by a single unique name.

DNS is required for Active Directory. DNS is a hierarchical, distributed database that maps DNS domain names to various types of data, such as IP addresses. It lets clients locate computers and services by user-friendly names, and it also allows discovery of other information stored in the database.

When setting up a namespace, first choose and register a unique parent DNS domain name that can also be used for hosting your organization on the Internet, for example, microsoft.com. Once you have chosen your parent domain name, you can combine it with a location or organizational name used within your organization to form subdomain names. For example, if a subdomain such as the itg.example.microsoft.com domain tree is added (for resources used by the information technology group at your organization), further subdomain names can be formed beneath it. A group of programmers working on electronic data interchange (EDI) in this division might have a subdomain named edi.itg.example.microsoft.com, and another group providing support in this division might use support.itg.example.microsoft.com.

Prior to beginning the upgrade from Windows NT 4.0 to the Windows Server 2003 Active Directory service, ensure that you have designed DNS and Active Directory namespaces and either have configured DNS servers or are planning to have the Active Directory Installation Wizard automatically install the DNS service on the domain controller.

Active Directory is integrated with DNS in the following ways:

  • Active Directory and DNS have the same hierarchical structure.

    Although separate and implemented differently for different purposes, an organization's namespaces for DNS and Active Directory have an identical structure. For example, microsoft.com is a DNS domain and an Active Directory domain.

  • DNS zones can be stored in Active Directory.

    If you are using the Windows Server 2003 DNS service, primary zones can be stored in Active Directory (Active Directory-integrated zones) and replicated to other domain controllers along with the rest of the directory.

  • Active Directory uses DNS as a locator service, resolving Active Directory domain, site, and service names to IP addresses.

    To log on to an Active Directory domain, an Active Directory client queries its configured DNS server for the IP address of the Lightweight Directory Access Protocol (LDAP) service running on a domain controller for a specified domain. While Active Directory is integrated with DNS and shares the same namespace structure, it's important to distinguish between them:

    • DNS is a name resolution service.

      DNS clients send DNS name queries to their configured DNS server. The DNS server receives the name query and either resolves the name query through locally stored files or consults another DNS server for resolution. DNS does not require Active Directory to function.

    • Active Directory is a directory service.

      Active Directory provides an information repository and services to make information available to users and applications. Active Directory clients send queries to Active Directory servers using LDAP. To locate an Active Directory server, an Active Directory client queries DNS. Active Directory requires DNS to function.
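The locator step described above, as an added example that is not code from the book: an Active Directory client does not look up the name of a particular server; it asks DNS for SRV records published under _msdcs.<domain> (for example _ldap._tcp.dc._msdcs.corp.example.com) and connects to one of the returned targets. The code below builds the query names, parses an SRV answer and orders the targets by priority and weight as RFC 2782 prescribes. The domain corp.example.com, the site name Boston, the host names and the SRV answer are all constructed for the example.

```python
"""Locating a domain controller through DNS, modelled offline.

Added example, not code from the book. An Active Directory client does not
look up a fixed host name: it asks DNS for SRV records (RFC 2782) published
under _msdcs.<domain>, such as _ldap._tcp.dc._msdcs.corp.example.com, and
then contacts one of the returned targets on the advertised port. The
domain corp.example.com, the site name and the SRV answer below are
constructed for this example.
"""
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def locator_names(domain: str, site: Optional[str] = None) -> List[str]:
    """SRV owner names a client queries, in order, to find an LDAP-capable DC.

    The site-specific name is tried first when the client knows its site so
    that it prefers a nearby domain controller; the domain-wide name lists
    every domain controller in the domain and is the fallback.
    """
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def parse_srv_rrset(zone_text: str) -> List[SrvRecord]:
    """Parse zone-file style lines: owner TTL IN SRV priority weight port target."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue                          # blank line or comment
        if len(fields) < 8 or fields[3].upper() != "SRV":
            continue                          # not an SRV record
        priority, weight, port = (int(f) for f in fields[4:7])
        records.append(SrvRecord(priority, weight, port, fields[7].rstrip(".")))
    return records


def order_targets(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Order targets per RFC 2782: lowest priority first; within one priority,
    weighted random selection (a weight of 0 is chosen only as a last resort)."""
    ordered: List[SrvRecord] = []
    for priority in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == priority]
        while pool:
            pool.sort(key=lambda r: r.weight != 0)   # weight-0 entries first
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for record in pool:
                running += record.weight
                if running >= pick:
                    ordered.append(record)
                    pool.remove(record)
                    break
    return ordered


def choose_dc(zone_text: str, seed: int = 0) -> List[str]:
    """Whole locator step: parse the SRV answer and return host:port targets
    in the order the client should try them. DNS itself is unauthenticated;
    the client relies on Kerberos mutual authentication afterwards to confirm
    that the host it reached really is a domain controller of that domain."""
    records = order_targets(parse_srv_rrset(zone_text), random.Random(seed))
    return [f"{r.target}:{r.port}" for r in records]


# Constructed sample answer; not captured from a real zone.
SAMPLE_ANSWER = """\
; constructed sample answer for _ldap._tcp.dc._msdcs.corp.example.com
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc2.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 10 0 389 dc-backup.corp.example.com.
"""

if __name__ == "__main__":
    for name in locator_names("corp.example.com", site="Boston"):
        print("query:", name)
    for target in choose_dc(SAMPLE_ANSWER, seed=7):
        print("try:", target)
```

Two points worth noticing when you run it: the backup controller with priority 10 is always tried last, whatever the seed, because priority is absolute and weight only balances load within one priority; and nothing in the DNS exchange proves that the chosen host is a legitimate domain controller, which is why the Kerberos mutual authentication that follows matters.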

More Information

For more information about DNS configuration, see the Windows Server 2003 Help and Support Center.


Determining Forest Functionality

Forest functionality determines the type of Active Directory features that can be enabled within the scope of a single forest. Each forest functional level has a set of specific minimum requirements for the operating system version that domain controllers throughout the forest can run. For example, the Windows Server 2003 forest functional level requires all domain controllers in the forest to run Windows Server 2003.

When you upgrade your first Windows NT domain so that it becomes the first domain in a new Windows Server 2003 forest, it's recommended (you will be prompted during the upgrade) to set the forest functional level to Windows Server 2003 interim (called Windows .NET interim in pre-release documentation). This level contains all of the features of the Windows 2000 forest functional level and adds two important Active Directory features:

  • Improved replication algorithms in the intersite topology generator

  • Replication improvements made to group memberships

The Windows Server 2003 interim forest functional level is available only when upgrading the first Windows NT domain to a new forest; it can be selected during the upgrade or configured manually afterward. It supports only domain controllers running Windows Server 2003 and Windows NT 4.0, not Windows 2000: a server running Windows 2000 cannot be promoted to a domain controller in a forest whose functional level is Windows Server 2003 interim. For more information about forest functionality, see the section "Raising Domain Functional Levels" later in this chapter.

Upgrading the Windows NT 4.0 or Earlier Primary Domain Controller

The first Windows NT 4.0 and earlier server you must upgrade is the primary domain controller (PDC). Upgrading the Windows NT PDC is required for successful upgrade of the domain. During the upgrade, the Active Directory Installation Wizard requires that you choose to join an existing domain tree or forest or start a new domain tree or forest. If you decide to join an existing domain tree, you must provide a reference to the desired parent domain.

Running the Active Directory Installation Wizard installs all necessary components on the domain controller, such as the directory data store and the Kerberos V5 protocol authentication software. Once the Kerberos V5 protocol is installed, the installation process starts the authentication service and the ticket-granting service, and if this is a new child domain, a transitive trust relationship is established with the parent domain. A domain controller from the parent domain then copies all schema and configuration information to the new child domain controller. The existing Security Accounts Manager (SAM) objects, which are the domain's security principals, are copied from the registry to the new data store.

During the upgrade, container objects are created to hold the accounts and groups from the Windows NT domain. These containers are named Users, Computers, and Builtin and are displayed as folders in Active Directory Users And Computers. User accounts and predefined groups are placed in the Users folder, computer accounts in the Computers folder, and built-in groups in the Builtin folder. Note that these special containers are not organizational units: they cannot be moved, renamed, or deleted.

Existing Windows NT 4.0 and earlier groups are located in different folders depending on the nature of the group. Windows NT 4.0 and earlier built-in local groups (such as Administrators and Server Operators) are located in the Builtin folder. Windows NT 4.0 and earlier global groups (such as Domain Admins) and any user-created local groups and global groups are located in the Users folder.

The upgraded PDC can synchronize security principal changes to remaining Windows NT 4.0 and earlier backup domain controllers (BDCs). It's recognized as the domain master by the Windows NT Server 4.0 and earlier BDCs.

If a domain controller running Windows Server 2003 goes offline or otherwise becomes unavailable and no other Windows Server 2003 domain controllers exist in the domain, a Windows NT BDC can be promoted to PDC to fill the role of the offline Windows Server 2003 domain controller.

The upgraded domain controller is a fully functional member of the forest. The new domain is added to the domain and site structure, and all domain controllers receive the notification that a new domain has joined the forest.

More Information

For more information, visit the Windows Server 2003 Help and Support Center.


Upgrading Any Remaining Backup Domain Controllers

Once you have upgraded the Windows NT 4.0 PDC, you can proceed to upgrade all remaining BDCs. Before you begin, consider taking one fully synchronized BDC off the network to guarantee a fallback if problems develop. This BDC holds a complete copy of your current domain database, including the password hashes of every account in the SAM, so keep it physically secured while it is offline.

If problems arise during the upgrade, remove all domain controllers running Windows Server 2003 from the production environment, bring the BDC back onto the network, and promote it to PDC. The new PDC then replicates its data to the remaining Windows NT domain controllers, returning the domain to its previous state.

The drawback of this method is that all changes made while the safe BDC was offline are lost. To minimize the loss, periodically bring the safe BDC back online while the domain is in a stable state, let it synchronize, and take it offline again.

While a domain still contains Windows NT 4.0 and earlier BDCs, only one domain controller running Windows Server 2003 can create security principals (users, groups, and computer accounts). This domain controller holds the PDC emulator operations master role and emulates a Windows NT 4.0 PDC toward the remaining BDCs.

More Information

For more information about the PDC emulator role, see "Operations Master Roles" in the Windows Server 2003 Help and Support Center.


Converting Groups

When you upgrade a primary domain controller running Windows NT 4.0 Server to Windows Server 2003, existing Windows NT groups are converted as follows:

  • Windows NT local groups are converted to domain local groups on servers running Windows Server 2003.

  • Windows NT global groups are converted to global groups on servers running Windows Server 2003.

Domain member computers running Windows NT can continue to display and access the converted groups. The groups appear to these clients as Windows NT 4.0 local and global groups. However, a Windows NT client cannot display members of groups or modify the member properties when that membership violates Windows NT group rules. For example, when a Windows NT client views the members of a global group on a server running Windows Server 2003, it does not view any other groups that are members of that global group.

Converting Groups and Microsoft Exchange

Microsoft Exchange allows users to arrange e-mail addresses in groups and distribution lists. When Exchange servers are upgraded to Active Directory, the Exchange distribution lists are converted to distribution groups with universal scope. The administrator can later convert such a group to a security group, if desired, by changing the group properties in Active Directory Users And Computers. The Messaging Application Programming Interface (MAPI) enables computers running previous-version Exchange clients to view the converted distribution group.

Using Converted Groups with Servers Running Windows Server 2003

Client computers that do not run Active Directory client software identify groups with universal scope on servers running Windows Server 2003 as having global scope instead. When viewing the members of a group with universal scope, the Windows NT client can view and access only those group members that conform to the membership rules of global groups on servers running Windows Server 2003.

In a Windows Server 2003 domain at the Windows 2000 native domain functional level, all domain controllers must run Windows 2000 Server or Windows Server 2003; the domain can still contain member servers running Windows NT Server 4.0. These servers see groups with universal scope as having global scope, and they can assign rights and permissions to universal groups and place them in local groups.

In a Windows Server 2003 domain, the Windows NT administrative tools on a Windows NT Server 4.0 member server cannot access domain local groups. You can work around this limitation by administering the Windows NT Server 4.0 computer from a server running Windows Server 2003 with the Windows Server 2003 Administration Tools Pack installed. Those tools can display the domain local groups and assign them permissions to resources on the Windows NT Server 4.0 server.
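The group conversion rules and the downlevel view of converted groups described above (a Windows NT client shows universal groups as global and omits members that break Windows NT group rules), as an added example that is not code from the book. The mixed-mode rules are the Windows NT rules this section gives; the native-mode rules (group nesting, universal security groups) are the standard Windows 2000 native group-scope rules from Microsoft's documentation rather than from this section. The domain CORP, the trusted domain EUROPE and every group and user name are invented. The security point the model makes concrete: once the level is raised and groups are nested, a Windows NT tool auditing a group sees only its direct user members, so the accounts that really hold the group's permissions are more than it reports.

```python
"""Group scope rules before and after the upgrade, modelled offline.

Added example, not code from the book. Encodes the Windows NT group rules of
the Windows 2000 mixed level (where an upgraded domain starts), the standard
Windows 2000 native rules, and what a Windows NT 4.0 client without Active
Directory client software sees of a converted group. CORP, EUROPE and all
account names are invented for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str            # "user", "global", "domainlocal" or "universal"


@dataclass
class Group:
    name: str
    domain: str
    scope: str           # "global", "domainlocal" or "universal"
    members: List[Principal] = field(default_factory=list)


def allowed_member(group: Group, member: Principal, level: str) -> bool:
    """True if `member` may be placed in `group` at level "mixed" or "native"."""
    same_domain = group.domain == member.domain
    if level == "mixed":
        if group.scope == "global":          # Windows NT global group rules
            return same_domain and member.kind == "user"
        if group.scope == "domainlocal":     # Windows NT local group rules
            return member.kind in ("user", "global")
        return False                         # no universal security groups in mixed mode
    if group.scope == "global":              # native mode allows nesting
        return same_domain and member.kind in ("user", "global")
    if group.scope == "domainlocal":
        return member.kind in ("user", "global", "universal") or (
            same_domain and member.kind == "domainlocal")
    if group.scope == "universal":
        return member.kind in ("user", "global", "universal")
    return False


def downlevel_view(group: Group) -> Dict[str, object]:
    """What a Windows NT 4.0 client sees: universal scope is reported as global,
    and members that break Windows NT rules (groups nested in a global group,
    accounts from other domains) are simply not listed."""
    reported = "global" if group.scope == "universal" else group.scope
    if reported == "global":
        visible = [m for m in group.members
                   if m.kind == "user" and m.domain == group.domain]
    else:                                    # NT local group: users and global groups
        visible = [m for m in group.members if m.kind in ("user", "global")]
    hidden = [m for m in group.members if m not in visible]
    return {"scope": reported, "visible": visible, "hidden": hidden}


def effective_users(group: Group, groups: Dict[str, Group]) -> Set[str]:
    """Flatten nested membership to the users who actually hold the group's
    permissions; compare with downlevel_view(), which lists direct users only."""
    users: Set[str] = set()
    seen: Set[str] = set()
    stack = [group]
    while stack:
        current = stack.pop()
        if current.name in seen:             # guards against membership cycles
            continue
        seen.add(current.name)
        for member in current.members:
            if member.kind == "user":
                users.add(f"{member.domain}\\{member.name}")
            elif member.name in groups:
                stack.append(groups[member.name])
    return users


def build_sample() -> Dict[str, Group]:
    """Constructed CORP domain after the level is raised to Windows 2000 native."""
    ops = Group("Payroll-Ops", "CORP", "global", [Principal("bob", "CORP", "user")])
    admins = Group("Payroll-Admins", "CORP", "global",
                   [Principal("alice", "CORP", "user"),
                    Principal("Payroll-Ops", "CORP", "global")])   # nesting: native only
    staff = Group("All-Staff", "CORP", "universal",
                  [Principal("carol", "EUROPE", "user"),
                   Principal("Payroll-Admins", "CORP", "global")])
    return {g.name: g for g in (ops, admins, staff)}


if __name__ == "__main__":
    corp = build_sample()
    admins = corp["Payroll-Admins"]
    view = downlevel_view(admins)
    print("NT client sees:", [m.name for m in view["visible"]],
          "hidden:", [m.name for m in view["hidden"]])
    print("effective users:", sorted(effective_users(admins, corp)))
```

Running it shows the gap: the Windows NT view of Payroll-Admins lists only alice, while effective_users() reports alice and bob, because bob's access arrives through the nested Payroll-Ops group that the downlevel client cannot display. Any access review still run from Windows NT tools after the level is raised should be treated as incomplete for that reason.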

After you have upgraded all existing Windows NT 4.0 and earlier primary and backup domain controllers to Windows Server 2003, and you have no plans to use Windows NT 4.0 and earlier domain controllers, you can raise the domain functional level from Windows 2000 mixed to Windows 2000 native. For more information about how to raise the domain functional level, see the section "Raising Domain Functional Levels" later in this chapter.

Several things happen when you raise the domain functional level to Windows 2000 native:

  • Domain controllers no longer support NTLM replication.

  • The domain controller that is emulating the PDC operations master cannot synchronize data with a Windows NT 4.0 and earlier BDC.

  • Windows NT 4.0 and earlier domain controllers cannot be added to the domain. (You can add new domain controllers running Windows 2000 or Windows Server 2003.)

  • Users and computers running previous versions of Windows begin to benefit from the transitive trusts of Active Directory and, with the proper authorization, can access resources anywhere in the forest. Although those versions of Windows do not support the Kerberos V5 protocol, pass-through authentication by the domain controllers allows them to be authenticated in any domain in the forest, so they can access resources in any domain for which they hold the appropriate permissions. Apart from this wider access to other domains in the forest, clients will not notice any change in the domain.

Installing Active Directory Client Software on Older Client Computers

Computers running Active Directory client software can use Active Directory features, such as authentication, to access resources in the domain tree or forest and to query the directory. By default, client computers running Windows XP Professional and Windows 2000 Professional have the client software built in and can access Active Directory resources normally.

However, computers running previous versions of Windows (Windows 98, Windows 95, and Windows NT) require installation of the Active Directory client software before access to Active Directory resources is available. Without the client software, previous versions of Windows can access the domain only as if it were a Windows NT 4.0 and earlier domain, finding only those resources available through Windows NT 4.0 and earlier one-way trusts.

When the domain functional level is Windows 2000 mixed, the domain controller exposes to clients running previous versions of Windows only those resources in domains with explicit Windows NT 4.0 and earlier trusts. This keeps the environment consistent: previous-version clients can access only resources in explicitly trusted domains, regardless of whether the domain controllers run Windows Server 2003 or Windows NT 4.0 and earlier.


   
Introducing Microsoft Windows Server 2003
ISBN: 0735615705
Year: 2005
Pages: 153