Lesson 1: Planning a Migration from Windows NT 4 Directory Services to Windows 2000 Active Directory

To implement Windows 2000 Active Directory in an organization running Microsoft Windows NT as its primary network operating system and using Windows NT directory services, you must plan how you will make the transition. To plan a Windows NT 4 directory services migration to Windows 2000 Active Directory, you must assess the organization's goals for migration, determine the migration method(s), and plan the migration steps. This lesson discusses how to plan a migration from Windows NT 4 directory services to Windows 2000 Active Directory.


After this lesson, you will be able to

  • Identify the factors in an organization's environment that determine its migration strategy
  • Indicate the reasons for using the domain upgrade method
  • Indicate the reasons for using the domain restructure method
  • Explain the steps involved in planning a domain upgrade
  • Explain the steps involved in planning a domain restructure
  • Explain the steps involved in planning the consolidation of resource domains into organizational units (OUs)
  • Analyze an organization's Windows NT 4 directory services environment to plan its migration to Windows 2000 Active Directory

Estimated lesson time: 30 minutes


Understanding Migration

Migration is the process of making existing applications and data work on a different computer or operating system. To migrate to Active Directory directory services, you must migrate a Windows NT Server 3.51 or 4 deployment to Windows 2000 Server. You cannot migrate a pre–Windows NT Server 3.51 deployment or Windows NT Server 4 Enterprise Edition to Windows 2000 Server, and you can migrate Windows NT Server 4 Enterprise Edition only to Windows 2000 Advanced Server. Table 7.1 shows the supported migration paths to Windows 2000 Server.

Table 7.1 Supported Migration Paths to Windows 2000 Server

Server role in Windows NT Server 3.51 or 4 | Server role in Windows 2000 Server
Primary domain controller (PDC) | Domain controller
Backup domain controller (BDC) | Domain controller or member server
Member server | Member server
Standalone server | Member server or standalone server

Migration Methods

There are two methods for migrating to Windows 2000 Server:

  • Domain upgrade
  • Domain restructure

Domain Upgrade

A domain upgrade is the process of installing an existing Windows NT domain structure and its users and groups intact into the Windows 2000 DNS-based domain hierarchy, as shown in Figure 7.1. This method also retains most Windows NT system settings, preferences, and program installations. A domain upgrade is the easiest way to migrate to Windows 2000 Server and may also be referred to as an "in-place upgrade" or simply an "upgrade."

Figure 7.1 Domain upgrade

Although a domain upgrade can upgrade the PDC and BDCs in a Windows NT domain from Windows NT Server to Windows 2000 Server, all servers in a Windows NT domain need not be upgraded to take advantage of Windows 2000 features. Your organization can operate in mixed mode to handle the inter-operability of Windows 2000 domain controllers and Windows NT BDCs.

When you use the domain upgrade method to migrate an existing Windows NT deployment, the following are preserved:

  • Groups, user accounts, and passwords
  • Access to Windows NT domains using existing Windows NT trust relationships
  • Access to Windows NT servers, Windows 95, and Windows 98 clients

An upgrade is accomplished in two steps. First, the Windows NT PDC and BDCs are upgraded to Windows 2000 Server. Second, the Active Directory Installation Wizard is used to promote the Windows 2000 servers to Active Directory domain controllers, either as forest root domains, tree root domains, or child domains in a tree. Because member servers are not domain controllers, it is not necessary to install Active Directory on these servers; they need only be upgraded to Windows 2000 Server.

Domain Restructure

A domain restructure is a redesign of the Windows NT domain structure, which often results in fewer, consolidated domains, as shown in Figure 7.2. This method of migration allows organizations to redesign the structure to take full advantage of Windows 2000 features. A domain restructure migrates the existing Windows NT environment into a "pristine" Windows 2000 forest using a nondestructive copy. A pristine forest is an ideal Windows 2000 forest that is isolated from the Windows NT production environment and that operates in native mode. Domain accounts exist in both Windows NT and Windows 2000, and the Windows NT environment is retained until it is ready to be decommissioned. This method requires more administrative overhead, resources, and time. A domain restructure may also be referred to as a "domain consolidation" or simply a "restructure."

Figure 7.2 Domain restructure

Windows 2000 provides the following functionality to allow domain restructuring:

  • The ability to move security principals from one domain to another

    Because users retain their SIDhistory when moved between domains, they are able to maintain the same access to resources they had before the move. SIDhistory is an attribute of Active Directory security principals that is used to store the former security IDs (SIDs) of moved objects, such as users and groups.

  • The ability to move domain controllers from one domain to another

    Windows 2000 domain controllers can be moved between domains while retaining their settings, applications, and services and without having to completely reinstall the operating system.
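
How SIDhistory preserves access after a move, as an added example that is not part of the training kit: a simplified model of an access check in which the token carries the account's current SID plus its SIDhistory values, while a resource ACL still lists source-domain SIDs. The SID values, account records and function names are constructed for illustration, and the model ignores deny entries and privileges.

```python
"""Simplified model of SIDhistory during a domain restructure (constructed data)."""

# Constructed domain SIDs: the Windows NT source domain and the Windows 2000 target.
SOURCE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
TARGET_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"

# A user and a global group after cloning: new SID in the target domain,
# former source-domain SID kept in SIDhistory.
ALICE = {"name": "alice", "sid": TARGET_DOMAIN_SID + "-1105",
         "sid_history": [SOURCE_DOMAIN_SID + "-1004"]}
SALES = {"name": "Sales", "sid": TARGET_DOMAIN_SID + "-1106",
         "sid_history": [SOURCE_DOMAIN_SID + "-1020"]}

# ACL on a share in a Windows NT resource domain. It was written before the
# migration, so it still names the source-domain Sales group.
PAYROLL_ACL = [SOURCE_DOMAIN_SID + "-1020"]


def domain_of(sid):
    """Return the domain part of an account SID (everything before the final RID)."""
    return sid.rsplit("-", 1)[0]


def build_token(account, groups):
    """Collect every SID an access check will see for this account.

    That is the account's current SID, the SIDs of its groups, and the
    SIDhistory values of the account and of those groups.
    """
    sids = {account["sid"], *account.get("sid_history", [])}
    for group in groups:
        sids.add(group["sid"])
        sids.update(group.get("sid_history", []))
    return sids


def is_allowed(token_sids, acl):
    """Allow access when any SID in the token appears in the resource ACL."""
    return any(entry in token_sids for entry in acl)


def depends_on_sid_history(account, groups, acl):
    """True when access succeeds only because of SIDhistory values.

    Such resources lose access for migrated users if SIDhistory is cleared
    before the ACL is updated with target-domain SIDs.
    """
    current_only = {account["sid"], *(g["sid"] for g in groups)}
    with_history = build_token(account, groups)
    return is_allowed(with_history, acl) and not is_allowed(current_only, acl)


def unexpected_history(principals, planned_source_domains):
    """List SIDhistory values that do not trace back to a planned source domain."""
    return [(p["name"], sid)
            for p in principals
            for sid in p.get("sid_history", [])
            if domain_of(sid) not in planned_source_domains]


if __name__ == "__main__":
    token = build_token(ALICE, [SALES])
    print("alice can open payroll share:", is_allowed(token, PAYROLL_ACL))
    print("access relies on SIDhistory:",
          depends_on_sid_history(ALICE, [SALES], PAYROLL_ACL))
    print("SIDhistory outside the plan:",
          unexpected_history([ALICE, SALES], {SOURCE_DOMAIN_SID}))
```

Running `depends_on_sid_history` over the resources in each resource domain gives a list of ACLs that still need target-domain SIDs before the Windows NT domain is retired.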

A domain restructure is accomplished in several steps:

  1. A pristine forest is created.
  2. Trust relationships are established between the target Windows 2000 domain and the existing Windows NT resource domains to maintain access to resources in the resource domains during restructuring.
  3. Windows NT global and shared local groups are cloned into the pristine forest.
  4. User accounts are cloned into the pristine forest.
  5. Computer accounts are moved to the pristine forest.
  6. After testing and modification, the Windows NT domain is eventually retired.

The upgrade and restructure migration methods can be used separately or combined depending upon the needs of the organization. An organization may find it necessary to upgrade first and then restructure while another organization may recognize a need to restructure from the start. The upgrade strategy depends largely upon the current Windows NT domain model used by the organization.

Migrating Resource Domains

As discussed in Chapter 4, in Windows NT, domains are the smallest units of administrative delegation and additional domains are sometimes created for the purpose of containing the resources over which administrators have control. As discussed in Chapter 5, in Windows 2000, OUs allow you to partition domains to delegate administration, eliminating the need to define domains just for delegation. You can delegate administration for the contents of an OU container (all users, computers, or resource objects in the OU) by granting administrators specific permissions for an OU. By consolidating resource domains into OUs during Windows NT migration to Windows 2000, an organization can take full advantage of the OU feature. You can consolidate resource domains into OUs after a domain upgrade or a domain restructure.

Migration and the Production Environment

Because migration involves the transitioning of domains, groups, and users from Windows NT to the Windows 2000 environment, it's possible that an organization's everyday computing environment, called the production environment, may be affected by the migrations performed using the upgrade method. Possible effects include slowed response times and other interruptions in service. The IT management organization must determine what disruptions to the production environment, if any, are tolerable during the migration process and then take steps to minimize problems. You can take the following steps to minimize problems during an upgrade:

  • Run tests of the planned upgrade in a test environment and monitor the test results.
  • Perform upgrades during non-peak hours.
  • Upgrade small domains first, monitor the effects of the upgrade, and adjust processes when upgrading larger domains.

Despite taking steps to minimize problems, the production environment may still be affected by the upgrade process. The safest way to migrate to Windows 2000 is to use the restructure method and create a parallel, pristine Windows 2000 forest that can be tested before it is actually implemented. Because the restructure method requires a great deal of hardware, testing, and administrative time, the IT management organization must weigh the costs of planning the restructure against the inconveniences to the production environment caused by the migration.

Migration and Windows 2000 Domain Modes

When you migrate a domain controller to Windows 2000 Server, the domain controller is set to run in mixed mode. Mixed mode allows the domain controller to interact with any domain controllers in the domain that are running previous versions of Windows NT. You can allow a domain to run in mixed mode indefinitely, or you can set the mode to native mode.

When all the domain controllers in the domain run Windows 2000 Server, and you do not plan to add any more pre–Windows 2000 domain controllers to the domain, you can switch the domain from mixed mode to native mode.

During the conversion from mixed mode to native mode,

  • Support for pre–Windows 2000 replication ceases. Because pre–Windows 2000 replication is gone, you can no longer have any domain controllers in your domain that are not running Windows 2000 Server.
  • You can no longer add pre–Windows 2000 domain controllers to the domain.
  • The server that served as the primary domain controller during migration is no longer the domain master; all domain controllers act as peers.

NOTE


The change from mixed mode to native mode is one-way only; you cannot change from native mode to mixed mode.

Although all the domain controllers in the domain must be migrated to Windows 2000 Server in order to make the switch to native mode, it is not necessary to upgrade all or any of the member servers to make the switch. As long as all domain controllers have been migrated, you can switch to native mode and still have Windows NT, Windows 95, or Windows 98 computers participating in the domain.

Active Directory Migration Tool

The Active Directory Migration Tool (ADMT) is provided to migrate existing Windows NT 4 and earlier domains into Windows 2000. It can also be used to consolidate multiple Windows 2000 domains (within the same forest or within different forests) into a single domain. ADMT allows you to test the migration settings and analyze the migration impact before and after the migration process.

To assist you in the migration process, ADMT employs the following wizards:

  • User Migration, to identify and migrate user accounts and migrate roaming profiles
  • Group Migration, to identify and migrate global and shared local groups
  • Computer Migration, to identify and migrate workstations and member servers
  • Security Translation, to migrate local profiles and update service account user rights
  • Reporting, to generate migration reports
  • Service Account Migration, to migrate service accounts and identify service accounts not running under local system authority
  • Exchange Directory Migration, to update Exchange after migrating users
  • Undo, to undo the last migration operation
  • Retry Tasks, to retry a task involving a migration agent
  • Trust Migration, to establish trusts between domains
  • Group Mapping And Merging, to map a group in the source domain to a different group in the target domain

ADMT is used with the restructure method of migration. To use ADMT, you first design and build a pristine Windows 2000 forest separate from your existing domain structure. Then you use ADMT to migrate user accounts, groups, and computer accounts, in stages, from your production environment to the new Windows 2000 forest. Eventually, you will decommission the old domain structure. ADMT is not used with the upgrade method of migration because this method requires no restructuring of the domain architecture. However, after upgrading your Windows NT domains you may need to restructure. If so, you can create a new Windows 2000 forest and use ADMT to migrate the upgraded domains into the new forest.

How ADMT Works

When migrating objects from computers in a source domain to a target domain, ADMT installs services, called agents, on the source computers. These agents are dispatched from the computer on which ADMT is running and are installed on other computers using the security credentials of the user account used to run ADMT. Once installed, the agents run as a service using the local system security credentials. There is no need to load software on the source computers prior to the migration.

You can download ADMT from the Microsoft Web site. For more information about ADMT, visit http://www.microsoft.com/windows2000/library/planning/activedirectory/admt.asp.

NOTE


A discussion of the actual process of migrating to Active Directory is beyond the scope of this training kit. This lesson covers the tasks necessary to plan a migration from Windows NT 4 directory services to Active Directory. For more information, refer to the Microsoft Windows 2000 Server Deployment Planning Guide volume of the Microsoft Windows 2000 Server Resource Kit.

MORE INFO


For further information on migrating from Windows NT 4 to Windows 2000, view the online seminar "How to Migrate Your Windows NT 4.0 Directory Services to Windows 2000 Active Directory," located on the Supplemental Course Materials CD-ROM (\chapt07\Migration). Click the Portal_Migration file to begin the seminar. You can also read the white paper "Planning Migration from Windows NT to Windows 2000," on the Supplemental Course Materials CD-ROM (\chapt07\PlanningDomainMigration).

Design Step: Planning a Windows NT 4 Directory Services Migration to Windows 2000 Active Directory

To plan a Windows NT 4 directory services migration to Windows 2000 Active Directory, you must complete the following tasks:

  1. Assess the organization's goals for migration.
  2. Determine the migration method(s).
  3. Plan the migration steps.
  4. Plan the consolidation of resource domains into OUs, if applicable.

Assessing Migration Goals

To assess the organization's migration goals, you must first consult the following documents compiled earlier by your design team:

  • Windows NT Domain Architecture Worksheet. Examine the existing Windows NT domains and trust relationships and determine those that should be included in the Active Directory forest. Examine the existing Windows NT domain controllers and determine the number and location of domain controllers to be upgraded.
  • DNS Environment Worksheet. Examine the existing DNS namespace and determine whether or how it should be included in Active Directory.

NOTE


Blank copies of the worksheets are located on the Supplemental Course Materials CD-ROM (\chapt02\worksheets). Completed examples of the worksheets are located in Chapter 2, "Introduction to Designing a Directory Services Infrastructure." The Forest Model is discussed in Chapter 3, "Creating a Forest Plan."

In addition to assessing the information in these worksheets, it is imperative that you assess any changes to the domain architecture currently planned to address growth, flexibility, and the ideal design specifications of the organization.

Determining the Migration Method

By asking yourself a few simple questions, you can determine whether to migrate to Windows 2000 by using the domain upgrade method, the domain restructure method, or the domain upgrade followed by the domain restructure method.

  • Use the domain upgrade method when both of the following are true:
    • The current Windows NT domain structure functions well.
    • The current production environment can withstand possible negative effects as a result of the migration process.
  • Use the domain restructure method when one of the following is true:
    • The current Windows NT domain structure does not function well and will not function well even with a few simple modifications.
    • The current production environment cannot withstand any negative effects as a result of the migration process.
  • Use the domain upgrade method followed by the domain restructure method when both of the following are true:
    • The current Windows NT domain structure would function well with a few simple modifications.
    • The current production environment can withstand possible negative effects as a result of the migration process.

Planning the Migration

Depending upon the method(s) selected for the migration, you must plan one or more of the following:

  • The domain upgrade
  • The domain restructure
  • The consolidation of resource domains into OUs

Planning a Domain Upgrade

IMPORTANT


Before planning a domain upgrade, you must first complete the design of your Active Directory infrastructure, which includes a forest plan, domain plan, OU plan, and site topology plan as described in Chapters 3 through 6.

To plan a domain upgrade, you will need to determine a recovery plan, the order for upgrading domains, a strategy for upgrading domain controllers, and when to switch to native mode.

Determining a Recovery Plan

A recovery plan helps you prevent accidental data loss during the upgrade process. A recovery plan should include the following steps:

  1. Ensure each Windows NT domain has at least one BDC. If the PDC upgrade fails, the BDC can be promoted and continue to function, preventing the domain from becoming orphaned. Maintaining one BDC also ensures the ability to roll back to Windows NT domains after upgrading.
  2. Back up network services. If services such as file and print services, DHCP, or WINS are running on the PDC or BDCs, back them up and test the backup.
  3. Create a spare BDC. By creating a spare BDC, synchronizing it with the PDC, and taking it offline during the PDC upgrade, you can create an image of the Windows NT domain information as it is before the PDC upgrade.
  4. Synchronize all BDCs with the PDC. Force all BDCs, including the spare BDC, to synchronize with the PDC. Check to be sure all BDCs have the current domain information and that information is being replicated.
  5. Take the spare BDC offline and place it in a secure area. This action provides safe storage of the Windows NT domain information image.
  6. Perform a complete backup. Back up domain-based information immediately before the PDC is upgraded.

Determining the Order for Upgrading Domains

You should upgrade domains in the following order:

  1. Forest root domain. If a Windows NT domain is to become the forest root, it should be upgraded first.

    NOTE


    The forest root domain does not have to be an upgraded Windows NT domain. The Windows NT domains you upgrade can join an existing Windows 2000 forest root domain.

  2. Small account domains. By upgrading small account domains early, you allow users to take advantage of Windows 2000 features as soon as possible while limiting the number of users initially impacted by the upgrade. After the first small account domain is upgraded, you can determine the impact of the upgrade on users, learn from it, and adjust the process to streamline the upgrade of the remaining domains.
  3. Larger account domains and remaining account domains. By upgrading the larger account domains after the small account domains, you allow users to take advantage of Windows 2000 features as soon as possible while incorporating the experience of upgrading the smaller domains first.

    NOTE


    If you plan to upgrade resource domains, follow Steps 4 and 5. However, if you plan to consolidate resource domains into OUs, refer to the section entitled "Planning the Consolidation of Resource Domains into OUs," later in this lesson, for further information.

  4. Resource domains that require the Windows 2000 platform or features. By upgrading the resource domains that require the Windows 2000 platform or features early, you can take advantage of new applications such as Microsoft IntelliMirror or Remote OS Installation as soon as possible.
  5. Remaining resource domains. If you plan to consolidate resource domains, upgrade those you've identified as target domains early. You must have a target domain in order to consolidate domains. Then upgrade the remaining resource domains that will be consolidated into the target domains.

NOTE


It is not necessary to upgrade all account domains before upgrading resource domains.

Determining a Strategy for Upgrading Domain Controllers

You should upgrade domain controllers in the following order:

  1. The PDC in the first domain to be upgraded.
  2. The BDCs in the first domain to be upgraded, except for the spare one you set aside.
  3. The PDC in the second domain to be upgraded.
  4. The BDCs in the second domain to be upgraded, except for the spare one you set aside.
  5. Continue upgrading the PDC followed by the BDCs for each remaining domain to be upgraded, in order.

Determining When to Switch to Native Mode

Although you can allow a domain to run in mixed mode indefinitely, it's best to plan the switch to native mode as soon as possible in order to take advantage of all Windows 2000 features. However, once you switch a domain to native mode, you cannot switch it back to mixed mode or to a Windows NT domain. Therefore, you must carefully consider the advantages of operating in native mode and the reasons why you may want to consider operating in mixed mode.

The advantages of operating in native mode are

  • Universal groups and domain local groups are available; also group nesting is permitted.
  • Active Directory multimaster replication is enabled between all domain controllers, rather than just the domain controller assigned the PDC emulator role.

The main reasons for remaining in mixed mode are

  • To maintain a BDC in the domain. Some applications, such as those that must avoid pass-through authentication, may operate only on a Windows NT BDC. For the application to run, the BDC cannot be upgraded and demoted to a member server and can operate only in Windows 2000 mixed mode.
  • The inability to provide physical security for BDCs. Because of the multimaster directory update capability in Windows 2000, domain controllers require a secured physical environment. Because of the single master directory update capability in Windows NT, BDCs require a less secure physical environment. If the BDC cannot be secured, it should not be upgraded and the domain should continue to operate in mixed mode.
  • To allow rollback to Windows NT domains. In some organizations, it may be necessary to roll back to Windows NT for technical, administrative, or political reasons. Maintaining at least one BDC in the domain and running in mixed mode allows the domain to roll back to Windows NT.

To plan a domain upgrade

  1. List the steps in your recovery plan.
  2. List the domains to be upgraded, in order.
  3. List the strategy for upgrading domain controllers in each domain.
  4. Indicate when you plan to switch to native mode.
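
The four planning outputs above, worked through on a small inventory as an added example that is not part of the training kit: it checks the recovery-plan preconditions, orders domains and domain controllers by the rules in this lesson, and reports what keeps a domain in mixed mode. The inventory, its field layout and the function names are constructed for illustration.

```python
"""Domain-upgrade planner following the lesson's ordering rules (constructed data)."""

# Constructed inventory. "kind" is forest_root, account or resource.
# Each domain controller is (name, role, is_spare_bdc).
INVENTORY = [
    {"name": "RES-LONDON", "kind": "resource", "users": 0, "needs_w2k": False,
     "dcs": [("LON-PDC", "PDC", False), ("LON-BDC1", "BDC", True)]},
    {"name": "ACCT-SALES", "kind": "account", "users": 4200, "needs_w2k": False,
     "dcs": [("SAL-PDC", "PDC", False), ("SAL-BDC1", "BDC", False),
             ("SAL-BDC2", "BDC", True)]},
    {"name": "CORP", "kind": "forest_root", "users": 150, "needs_w2k": False,
     "dcs": [("CORP-PDC", "PDC", False), ("CORP-BDC1", "BDC", False),
             ("CORP-BDC2", "BDC", True)]},
    {"name": "ACCT-DEV", "kind": "account", "users": 300, "needs_w2k": False,
     "dcs": [("DEV-PDC", "PDC", False)]},
    {"name": "RES-CHICAGO", "kind": "resource", "users": 0, "needs_w2k": True,
     "dcs": [("CHI-PDC", "PDC", False), ("CHI-BDC1", "BDC", False)]},
]


def domain_rank(domain):
    """Sort key: forest root, account domains by size, then resource domains."""
    if domain["kind"] == "forest_root":
        return (0, 0)
    if domain["kind"] == "account":
        return (1, domain["users"])   # small account domains before larger ones
    if domain["needs_w2k"]:
        return (2, 0)                 # resource domains that need Windows 2000 features
    return (3, 0)                     # remaining resource domains


def recovery_gaps(domain):
    """Recovery-plan preconditions this domain does not yet meet."""
    bdcs = [dc for dc in domain["dcs"] if dc[1] == "BDC"]
    if not bdcs:
        return ["no BDC: a failed PDC upgrade would orphan the domain"]
    if not any(spare for _, _, spare in bdcs):
        return ["no spare BDC designated to hold the pre-upgrade image"]
    return []


def upgrade_steps(inventory):
    """Ordered (domain, domain controller) pairs: PDC first, then BDCs.

    The spare BDC is left out because it stays offline as the rollback image.
    """
    steps = []
    for domain in sorted(inventory, key=domain_rank):
        pdcs = [n for n, role, _ in domain["dcs"] if role == "PDC"]
        bdcs = [n for n, role, spare in domain["dcs"]
                if role == "BDC" and not spare]
        steps += [(domain["name"], n) for n in pdcs + bdcs]
    return steps


def native_mode_blockers(domain, upgraded):
    """Domain controllers still on Windows NT; any entry means mixed mode."""
    return [n for n, _, _ in domain["dcs"] if n not in upgraded]


if __name__ == "__main__":
    for domain in INVENTORY:
        for gap in recovery_gaps(domain):
            print(f"{domain['name']}: {gap}")
    steps = upgrade_steps(INVENTORY)
    for number, (domain_name, dc) in enumerate(steps, start=1):
        print(f"{number}. {domain_name}: upgrade {dc}")
    done = {dc for _, dc in steps}
    for domain in INVENTORY:
        left = native_mode_blockers(domain, done)
        print(f"{domain['name']}: " +
              ("ready for native mode" if not left else f"mixed mode, NT DCs: {left}"))
```

On this inventory the spare BDC kept for rollback is what holds CORP in mixed mode, so the plan for switching to native mode has to name the point at which that rollback path is given up.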

Planning a Domain Restructure

To plan a domain restructure, you will need to establish a restructure timeframe, design a pristine forest, identify the trust relationships for resource domains, and map the groups and users to be migrated.

NOTE


Because a domain restructure migrates the existing Windows NT environment into a pristine Windows 2000 forest using a nondestructive copy, domain accounts exist in both Windows NT and Windows 2000 and the Windows NT environment is retained until it is ready to be decommissioned. Therefore, fallback is possible at any time and a separate recovery plan is not needed.

Establishing a Restructure Timeline

Depending on the needs of the organization, you can plan a domain restructure in three different timeframes:

  • Following a domain upgrade. In situations where the current Windows NT domain structure would function well with a few simple modifications, plan a domain restructure after a domain upgrade. The domain upgrade handles the least complex parts of the migration, such as upgrading domains in which the trust structure remains unchanged and in which there are no administrative issues. The domain restructure handles more detailed aspects of migration, such as restructuring the domains to reduce complexity or bringing the resource domains into the forest in a secure manner. The most likely time for a domain restructure is after a domain upgrade.
  • In place of a domain upgrade. In situations where the current Windows NT domain structure does not function well and will not function well even with a few simple modifications or when the current production environment cannot withstand any negative effects as a result of the migration process, plan a domain restructure in place of a domain upgrade. A restructure occurring in this timeframe requires the design of a pristine forest followed by the slow migration of users, groups, and resources into the forest to allow the organization to continue normal operations. When the migrations are completed successfully, the restructured environment becomes the production environment.
  • Post migration. In situations where the current Windows 2000 domain structure becomes unsuitable, such as after organizational changes or acquisitions, a domain restructure may be required. These situations may occur months or years after the initial migration from Windows NT and may require the transitioning of domains or the complete design of a pristine forest.

Designing a Pristine Forest

To design a pristine forest you must follow the steps for designing an Active Directory infrastructure, which includes creating a forest plan, domain plan, OU plan, and site topology plan as described in Chapters 3 through 6. After the pristine forest is actually created, switch the domains to native mode.

Identifying the Trust Relationships for Resource Domains

To ensure that users can continue to access resources in resource domains during the domain restructure process, you must identify the explicit one-way nontransitive trust relationships that are necessary between Windows NT resource domains and the Windows 2000 domain to which you are transitioning users. These trusts are also necessary to allow administration of the Windows NT source domain from the Windows 2000 domain.

Mapping the Groups and Users to be Migrated

To ensure that users can log on to the Windows 2000 domain and access resources in the Windows NT resource domain, you must identify the Windows NT global and domain local groups to be moved into the pristine forest and the location to which they will be moved. Because a global group can contain members only from its own domain, when a user is moved from the Windows NT domain to the Windows 2000 domain, the global groups of which the user is a member are also moved. Similarly, when a global group is moved from the Windows NT domain to the Windows 2000 domain, the members of the global group are also moved.

To plan a domain restructure

  1. Indicate when the restructure should take place.
  2. Create an Active Directory infrastructure plan for the pristine forest.
  3. On the Windows NT Architecture Worksheet, indicate the trust relationships that must be set up in order for users to continue to access resource domains during the migration process.
  4. List the present location of Windows NT users and groups and their location in the pristine forest.

Planning the Consolidation of Resource Domains into OUs

To plan the consolidation of resource domains into OUs, you will need to map the resources to be migrated and identify the trust relationships needed for domains outside the target forest.

To ensure that users can access the appropriate resources, you must identify the Windows NT resources to be consolidated and the OU to which they will be consolidated. If there are Windows NT or Windows 2000 domains outside the target OU's forest and the users in these domains require access to the resources you are consolidating into the target OU, you must establish the appropriate explicit one-way nontransitive trust relationships with those domains.

To plan the consolidation of resource domains into OUs

  1. List the present location of resources in Windows NT and the OUs to which the resources will be consolidated.
  2. Indicate the trust relationships that must be set up in order for users outside of the forest to access resources when they are consolidated in the target OU.

Design Step Example: Planning a Windows NT 4 Directory Services Migration to Windows 2000 Active Directory

You may recall that Windows NT domains can be grouped into one of four domain models based on administrative needs:

  • Single domain model
  • Single master domain model
  • Multimaster domain model
  • Multiple trust domain model

Each domain model requires a different strategy when migrating to Windows 2000.

Migration Strategies for the Single Domain Model

In the single domain model, all servers, users, and other resources are contained in the domain. The single Windows NT domain is migrated using the upgrade method, and the Windows NT domain simply becomes the forest root domain in the new Windows 2000 tree, as shown in Figure 7.3.

Figure 7.3 Migrating a Windows NT single domain model

Migration Plan

Because this migration strategy uses the domain upgrade method, the migration plan includes

  • A recovery plan
  • A strategy for updating domain controllers
  • A plan to switch to native mode

Because there is only one domain to be upgraded, there is no need for a list of domains to be upgraded.

Migration Strategies for the Single Master Domain Model

The single master domain model places all user accounts and groups into one master domain, called the account domain, for centralized administration. All printers and servers are grouped into other domains, called resource domains. Users with access rights in the account domain (the trusted domain) can access resources in the resource domain (the trusting domain) through one-way nontransitive trusts.

If the domains in the single master domain model are migrated using the upgrade method, the master account domain becomes the forest root domain in the new Windows 2000 tree. At this point, the forest root domain is running Windows 2000 in mixed mode and the resource domains are still running Windows NT, as shown in Figure 7.4. Functionality, performance, and security continue as normal in the following manner:

  • The one-way nontransitive trust relationships between the master domain and the resource domains remain valid.
  • Clients in the network continue to authenticate to the master domain using the Windows NT Net Logon service.
  • Single master replication occurs between the new domain controller and the Windows NT 4 BDCs in the forest root domain.
  • The new domain controller appears as a Windows NT 4 PDC to each pre–Windows 2000 client.

Figure 7.4 Partial migration of a Windows NT single master domain model

To complete the migration to Windows 2000, each of the resource domains can be migrated using the upgrade method to become the child domains of the forest root domain, as shown in Figure 7.5. The resource domains should then be consolidated into OUs, which can be used to organize users and resources within the domains.

Figure 7.5 Complete migration of a Windows NT single master domain model

Migration Plan

Because this migration strategy uses the domain upgrade method followed by a consolidation of resource domains into OUs, the migration plan includes

  • A recovery plan
  • A list of domains to be upgraded
  • A strategy for upgrading domain controllers in each domain
  • A list of the present locations of Windows NT resources and the OUs to which the resources will be consolidated
  • An indication of the trust relationships that must be set up in order for users outside of the forest to access resources when the resources are consolidated in the target OU
  • A plan to switch to native mode

Multimaster Domain Model Migration Strategy

The multimaster domain model is similar to the single master model, except that it places user accounts and groups into more than one master account domain for decentralized administration. Printers and servers are grouped into resource domains. As in the single master domain model, users with access rights in the account domains can access resources in the resource domains through one-way nontransitive trusts.

If the domains in the multimaster domain model are migrated using the upgrade method, any one of the master account domains or a new, dedicated domain must become the forest root domain. Then the remaining account domains become the child domains of the forest root domain, and the resource domains become the child domains of the account domains. The resource domains should then be consolidated into OUs to organize users and resources within the domains. Figure 7.6 shows a new dedicated domain as the forest root domain, the placement of the account domains (sales.microsoft.com and development.microsoft.com), and the placement of the resource domains (london.microsoft.com, chicago.microsoft.com, and redmond.microsoft.com).

Figure 7.6 Migrating a Windows NT multimaster domain model

Migration Plan

Because this migration strategy uses the domain upgrade method followed by a consolidation of resource domains into OUs, the migration plan is similar to the one used for the single master domain model.

Multiple Trust Domain Model Migration Strategy

The multiple trust domain model is a web of independently managed trust relationships set up to accommodate decentralized administration and is extremely difficult to manage. If the multiple trust domain model is migrated using the upgrade method, one of the existing domains or a new, dedicated domain must become the forest root domain. The remaining domains become the child domains of the forest root domain. Domains should then be consolidated into OUs to organize users and resources within the domains. Figure 7.7 shows one of the domains selected to be the forest root domain and the placement of the remaining domains.

Figure 7.7 Migrating a Windows NT multiple trust domain model

Migration Plan

Because this migration strategy uses the domain upgrade method followed by a consolidation of resource domains into OUs, the migration plan is similar to the one used for the single master domain model.
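
The three multi-domain models above can be distinguished from an inventory of the existing one-way trusts, and the forest placement the upgrade method produces follows from that. The Python sketch below is an added example, not part of the training kit: the function names, the `home` parameter, the constructed inventories, and the pairing of resource domains with account domains are all assumptions.

```python
def classify(trusts):
    """trusts: set of (trusting_domain, trusted_domain) one-way NT 4 trusts."""
    if not trusts:
        return "single domain", set(), set()
    trusting = {a for a, _ in trusts}
    trusted = {b for _, b in trusts}
    resources = trusting - trusted   # trust others, trusted by no one
    accounts = trusted               # hold the accounts other domains rely on
    if not resources:
        model = "multiple trust"     # every domain is both trusting and trusted
    elif len(accounts) == 1:
        model = "single master"
    else:
        model = "multimaster"
    return model, accounts, resources


def plan_forest(trusts, root, home=None):
    """Return (model, {domain: parent}) for an upgrade-method migration.

    home (hypothetical parameter) maps a resource domain to the account
    domain chosen as its parent. The default, the alphabetically first
    trusted domain, only stands in for a decision the administrator makes.
    """
    model, accounts, resources = classify(trusts)
    if root in resources:
        raise ValueError("a resource domain cannot be the forest root")
    if model == "single master" and root not in accounts:
        raise ValueError("the master account domain becomes the forest root")
    parent = {root: None}
    for d in sorted(accounts - {root}):
        parent[d] = root             # remaining account domains sit under the root
    for r in sorted(resources):
        choices = sorted(b for a, b in trusts if a == r)
        parent[r] = (home or {}).get(r, choices[0])
        if parent[r] not in choices:
            raise ValueError(f"{r} does not trust {parent[r]}")
    return model, parent


# Constructed inventories (not taken from a real network).
SINGLE_MASTER = {("RES1", "ACCT"), ("RES2", "ACCT")}
MULTIMASTER = {(r + ".microsoft.com", a + ".microsoft.com")
               for r in ("london", "chicago", "redmond")
               for a in ("sales", "development")}
MULTIPLE_TRUST = {(a, b) for a in "ABC" for b in "ABC" if a != b}

if __name__ == "__main__":
    for inv, root in ((SINGLE_MASTER, "ACCT"), (MULTIMASTER, "microsoft.com"),
                      (MULTIPLE_TRUST, "A")):
        print(plan_forest(inv, root))
```

The resulting parent map is a starting point for the "list of domains to be upgraded" in the migration plan: the root is upgraded first, and any trust in the inventory that does not appear as a parent-child edge is one to review before resource domains are consolidated into OUs.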

Lesson Summary

In this lesson you learned how to plan a Windows NT 4 directory services migration to Windows 2000 Active Directory by assessing the organization's goals for migration, determining the migration method(s), and planning the migration steps. You learned how to determine the migration method(s) by analyzing how the current Windows NT domain structure functions and determining whether the current production environment can withstand possible negative effects as a result of the migration process. You learned that to plan a domain upgrade, you will need to determine a recovery plan, the order for upgrading domains, a strategy for upgrading domain controllers, and when to switch to native mode. To plan a domain restructure, you will need to establish a restructure timeframe, design a pristine forest, identify the trust relationships for resource domains, and map the groups and users to be migrated. Finally, you learned that to plan the consolidation of resource domains into OUs, you will need to map the resources to be migrated and identify the trust relationships needed for domains outside the target forest.



MCSE Training Kit Exam 70-219(c) Designing a Microsoft Windows 2000 Directory Services Infrastructure
MCSE Designing a Microsoft Windows 2000 Directory Services Infrastructure Readiness Review; Exam 70-219 (Pro-Certification)
ISBN: 0735613648
EAN: 2147483647
Year: 2001
Pages: 76
