Planning for Active Directory


If you're running some version of Windows NT, you may have multiple domains with several trust relationships between individual pairs of domains. (Windows NT trusts are one-way and nontransitive, so every pair of domains that needs to share resources requires its own trust, and a full mesh of n domains needs n(n-1) of them.) Theoretically, you could just upgrade each domain, keep the existing trust relationships, and make no changes. If you did that, however, you'd lose the advantages of Active Directory, starting with the two-way transitive trusts that every domain in a forest gets for free.

If you're running a Windows 2000 domain, a bit of planning is still necessary. Even though Windows Server 2003 and Windows 2000 can both be domain controllers of the same domain, we generally don't recommend running two versions of a product to perform a single function for any longer than the migration itself takes. In most cases, having the exact same version of the operating system (including service packs and patches) on every domain controller keeps unexpected hiccups from corrupting your domain and bringing down your network. One step that isn't optional: before the first Windows Server 2003 domain controller joins a Windows 2000 forest, the schema and each domain must be prepared with adprep /forestprep (run on the schema master) and adprep /domainprep (run on the infrastructure master of every domain); adprep ships on the Windows Server 2003 CD.

With that said, you can deploy Windows Server 2003 systems into a domain as domain controllers. You can even perform an upgrade installation on a Windows 2000 domain controller to convert it to a Windows Server 2003 domain controller. Just be careful. Don't upgrade every system at once. Upgrade one or two, and then test everything to make sure your network still performs as you expect it to. Always leave yourself an out: the ability to roll back to a previous configuration, when things were working properly. In practice that means a tested system state backup of every domain controller, taken before you touch it, and not raising the domain or forest functional level to Windows Server 2003 while any Windows 2000 domain controller remains (raising a functional level is a one-way operation).

In most cases, businesses already using Windows 2000 will not be moving to Windows Server 2003 in a hurry. The most likely candidates for Windows Server 2003 migration are Windows NT shops that have been waiting for the second generation of Active Directory servers from Microsoft before jumping on the bandwagon. Therefore, the remainder of the discussion of Windows Server 2003 migration focuses on upgrading from Windows NT. If you need to upgrade from Windows 2000, some of the following applies, but it's almost a no-brainer.

Tip 

Before you upgrade a single domain controller, you should create a plan for your domain. Then, you should use this plan to govern the order and method for your migration from Windows NT domains to Windows Server 2003 Active Directory.

What's in a namespace?

A namespace is a logically bounded region that contains names based on a standardized convention to symbolically represent objects or information. Specific rules guide the construction of names within a namespace and how a name can be applied to an object. Many namespaces are hierarchical in nature, such as those used in DNS or Active Directory. Other namespaces, such as NetBIOS, are flat and unstructured.

In Windows Server 2003, domains are identified by full DNS names rather than by NetBIOS names alone (each domain still keeps a NetBIOS name for down-level clients). DNS naming makes possible interdomain parent-child relationships, in which one domain is created as a child of another, that Windows NT could not support. For example, sales.dummies.com is a child of the dummies.com domain. (A child domain's name is always its own label in front of the full parent name, so the namespace of a tree is contiguous.)

Tip 

It's important to remember that a child domain can be created only with DCPROMO, the Active Directory Installation Wizard, and only against a parent that is already running: the wizard asks for the parent domain's DNS name and for credentials allowed to create a new domain in the forest (a member of Enterprise Admins). The parent domain must exist before you create a child of that parent. Therefore, the order in which you create or upgrade your domains is crucial!

In the next section, you find out more reasons why it's important to create your domains in a certain order. But even before you concern yourself with site issues, you need to be aware that you should always create the forest root domain before creating any other domain. For example, if you begin by creating the dummies.com root domain, the sales.dummies.com domain and all other dependent domains can then be created as children of the dummies.com root domain. Each child automatically gets a two-way transitive trust with its parent, so every domain in the tree trusts every other one, and the contiguous namespace makes searching across domains straightforward. Choose the root name carefully: Windows Server 2003 can rename or reposition domains within a forest (with the domain rename tool, rendom.exe, once the forest is at the Windows Server 2003 functional level), but you can never make a different domain the forest root.
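The ordering rule above is easy to check before anyone runs DCPROMO. The following PowerShell function is an added example written for this page, not code from the book: given the domain names you plan to create and the name you chose as forest root, it lists them parents-first and flags any domain whose parent is missing from the plan (which DCPROMO would refuse) or whose name starts a separate tree. The domain names in the sample plan are constructed; PowerShell 3 or later is assumed.

```powershell
# Added example: order planned Active Directory domains so that every parent is
# created before its children, and flag names the plan cannot support.

function Get-DomainCreationOrder {
    param(
        [Parameter(Mandatory)] [string[]] $PlannedDomains,
        [Parameter(Mandatory)] [string]   $ForestRoot
    )

    $planned = @($PlannedDomains | ForEach-Object { $_.ToLowerInvariant().TrimEnd('.') } | Sort-Object -Unique)
    $root    = $ForestRoot.ToLowerInvariant().TrimEnd('.')
    if ($planned -notcontains $root) {
        throw "Forest root '$root' must be part of the plan; it is the first domain created."
    }

    $rows = foreach ($name in $planned) {
        $labels = $name.Split('.')

        # Every proper suffix of the name, nearest first: parent, grandparent, ...
        $ancestors = @()
        for ($i = 1; $i -lt $labels.Count; $i++) {
            $ancestors += ($labels[$i..($labels.Count - 1)] -join '.')
        }
        $parent = if ($ancestors.Count -gt 0) { $ancestors[0] } else { $null }

        $kind = if ($name -eq $root) { 'forest root (create first)' }
                elseif ($planned -contains $parent) { "child of $parent" }
                elseif ($ancestors | Where-Object { $planned -contains $_ }) {
                    # An ancestor is planned but the immediate parent is not: the
                    # namespace would have a hole, and DCPROMO cannot create this.
                    "ORPHAN: parent $parent is not in the plan"
                }
                else { 'root of a new tree (noncontiguous name, separate namespace)' }

        [pscustomobject]@{ Domain = $name; Depth = $labels.Count; Kind = $kind }
    }

    # Forest root first, then shallower names before deeper ones, so a parent
    # always precedes its children in the output.
    $rows | Sort-Object @{ Expression = { $_.Domain -ne $root } }, Depth, Domain
}

# Constructed plan: one orphan (eng.dummies.com is missing) and one new tree.
Get-DomainCreationOrder -ForestRoot 'dummies.com' -PlannedDomains @(
    'west.sales.dummies.com', 'sales.dummies.com', 'dummies.com',
    'lab.eng.dummies.com', 'partner.org'
) | Format-Table -AutoSize
```

Anything reported as ORPHAN needs either its parent added to the plan or its name shortened; a "new tree" entry is legal in the same forest but will not share the root's namespace, so make sure that is what you intended.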

Making sites happen

Sites in Active Directory group well-connected TCP/IP subnets into containers that mirror the physical layout of your network, and every domain controller is assigned to a site. This organization allows you to control replication between domain controllers: within a site, replication is triggered by change notification and runs uncompressed; between sites, it runs on a schedule over site links and is compressed, which is what makes sites useful for limiting traffic over slower wide area network (WAN) links between separate sections of the same network. Mapping TCP/IP subnets to sites allows a new domain controller to join the correct site automatically, depending on its IP address. The same mapping makes it easy for clients to find a domain controller close to them, because domain controllers register site-specific DNS SRV records and a client asks for the ones matching its own site.

When you create the first domain controller, a default site called Default-First-Site-Name is created, and the domain controller is assigned to that site. Subsequent domain controllers are added to this site (unless their IP address falls in a subnet already mapped to another site), but they can be moved. You can also rename this site to any name you prefer.

Sites are administered and created using the Active Directory Sites and Services Microsoft Management Console (MMC) snap-in. To create a new site, do the following:

  1. Start Active Directory Sites and Services (Start→Administrative Tools→Active Directory Sites and Services).

  2. Right-click the Sites branch and choose New Site.

    The New Object - Site dialog box appears.

  3. Type a name for the site (for example, NewYork).

    The name must be 63 characters or fewer and cannot contain periods or spaces. You must also select a site link from the list. By default, DEFAULTIPSITELINK is created during the DCPROMO process. If you haven't created additional site links manually, this will be the only one listed.

  4. Select the site link the new site should belong to, and then click OK.

  5. Read the confirmation dialog box, which lists the follow-up tasks for the new site (linking it to other sites, adding subnets, and installing or moving domain controllers into it), and then click OK.

Now that the site is created, you can assign various IP subnets to it. To do so, follow these steps:

  1. Start Active Directory Sites and Services (Start→Administrative Tools→Active Directory Sites and Services).

  2. Expand the Sites branch.

  3. Right-click Subnets and choose New Subnet.

    The New Object - Subnet dialog box appears.

  4. Type the name of the subnet in the form <network>/<bits masked>.

    For example, 200.200.201.0/24 is network 200.200.201.0 with subnet mask 255.255.255.0. The first part must be the network address itself (host bits all zero), not the address of some host on that network.

  5. Select the site with which to associate the subnet, for example, NewYork.

  6. Click OK.

You now have a subnet linked to a site. You can assign multiple subnets to a site if you want, but each subnet belongs to exactly one site, and clients on a subnet that is mapped to no site end up on whatever domain controller answers first; the NETLOGON service records such clients as NO_CLIENT_SITE entries in %SystemRoot%\debug\netlogon.log, which is worth checking after every network change. For more information on subnets, see Chapter 14. For even more detailed information, search the Windows Server 2003 Help menu for subnets.
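The two procedures above create four directory objects under CN=Sites in the configuration partition: the site, its membership in a site link, and a subnet pointing at the site. The PowerShell script below is an added example written for this page, not code from the book; it creates the same objects through ADSI (which works against Windows Server 2003 domain controllers, unlike the later ActiveDirectory module) and enforces the name rules the wizard enforces. The site name NewYork, the subnet 200.200.201.0/24 and the link DEFAULTIPSITELINK are the page's own values; running it as a member of Enterprise Admins against a live domain controller, with PowerShell 3 or later, is assumed.

```powershell
# Added example: create an AD site, put it in a site link and map a subnet to
# it via ADSI, mirroring what Active Directory Sites and Services does.

function Test-SiteName {
    param([Parameter(Mandatory)][string] $Name)
    # The wizard's rule: at most 63 characters, no periods, no spaces.
    return ($Name.Length -gt 0 -and $Name.Length -le 63 -and $Name -notmatch '[. ]')
}

function Test-SubnetName {
    param([Parameter(Mandatory)][string] $Cidr)
    # Form <network>/<bits masked>, and the network part must really be the
    # network address (host bits zero), so 200.200.201.5/24 is rejected.
    if (-not ($Cidr -match '^(\d{1,3}(\.\d{1,3}){3})/(\d{1,2})$')) { return $false }
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Matches[1], [ref]$ip)) { return $false }
    $bits = [int]$Matches[3]
    if ($bits -gt 32) { return $false }
    $b    = $ip.GetAddressBytes()
    $addr = [uint64](([uint64]$b[0] -shl 24) -bor ([uint64]$b[1] -shl 16) -bor ([uint64]$b[2] -shl 8) -bor [uint64]$b[3])
    $mask = [uint64]((0xFFFFFFFF -shl (32 - $bits)) -band 0xFFFFFFFF)
    return (($addr -band $mask) -eq $addr)
}

function New-SiteWithSubnet {
    param(
        [Parameter(Mandatory)][string] $SiteName,
        [Parameter(Mandatory)][string] $Subnet,
        [string] $SiteLink = 'DEFAULTIPSITELINK'
    )
    if (-not (Test-SiteName $SiteName)) { throw "Invalid site name '$SiteName'" }
    if (-not (Test-SubnetName $Subnet)) { throw "Invalid subnet '$Subnet'" }

    $configNC = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
    $sitesDN  = "CN=Sites,$configNC"
    $siteDN   = "CN=$SiteName,$sitesDN"

    # 1. The site object, plus the two child containers every site must have.
    $site = ([ADSI]"LDAP://$sitesDN").Create('site', "CN=$SiteName")
    $site.SetInfo()
    $settings = $site.Create('nTDSSiteSettings', 'CN=NTDS Site Settings'); $settings.SetInfo()
    $servers  = $site.Create('serversContainer', 'CN=Servers');            $servers.SetInfo()

    # 2. Membership in the site link. siteList is multi-valued, so append
    #    (3 = ADS_PROPERTY_APPEND) rather than overwrite the other members.
    $link = [ADSI]"LDAP://CN=$SiteLink,CN=IP,CN=Inter-Site Transports,$sitesDN"
    $link.PutEx(3, 'siteList', @($siteDN))
    $link.SetInfo()

    # 3. The subnet, pointed at the site so DCs and clients in it are placed there.
    #    (The "/" is fine in the relative name here; if you later bind to the
    #    subnet by ADsPath, escape it as "\/".)
    $subnet = ([ADSI]"LDAP://CN=Subnets,$sitesDN").Create('subnet', "CN=$Subnet")
    $subnet.Put('siteObject', $siteDN)
    $subnet.SetInfo()

    return $siteDN
}

New-SiteWithSubnet -SiteName 'NewYork' -Subnet '200.200.201.0/24'
```

Because the site link's siteList is appended to rather than replaced, the script is safe to run for additional sites; the validation functions can also be used on their own to vet a list of planned sites and subnets before anyone touches the directory.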

Oh, you organizational unit (ou), you

The organizational unit (OU) is a key object class defined in the X.500 directory standard, which Active Directory inherits through LDAP. As the name suggests, organizational units are logical containers for the objects in a domain, allowing finer segregation and control within a domain. Organizational unit containers can contain other organizational units, groups, users, and computers, and Group Policy objects can be linked to an OU to apply settings to everything it contains.

OUs can be nested to create a hierarchy that closely matches the structure of your business or organization. Using OUs, you can eliminate the need for the cumbersome domain models developed for Windows NT Server-based domains (the master domain model, for example, in which several resource domains use accounts from a central user domain). Using Active Directory, you can create one large domain and group resources and users into multiple, distinct OUs.

The biggest advantage of OUs is that they allow you to delegate authority. You can assign certain users or groups administrative control of an OU, which allows them to change passwords and create accounts in that OU but does not grant them control over the rest of the domain. This capability is a major improvement over Windows NT domain administration, which was an all-or-nothing situation (an NT Account Operator could manage accounts everywhere in the domain or nowhere). Two cautions apply. First, delegation is only as narrow as the OU's contents: whoever can reset the password of an account that sits in a privileged group effectively holds that group's rights, so keep administrative accounts and servers out of the OUs you delegate. Second, members of the protected groups (Domain Admins, Enterprise Admins, Account Operators, and the like) are exempt anyway: the AdminSDHolder process rewrites their ACLs every 60 minutes, wiping out any inherited delegation regardless of which OU they live in.
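The delegation described above is nothing more than a pair of access control entries on the OU, which is exactly what the Delegation of Control wizard writes. The script below is an added example written for this page, not code from the book: it grants a helpdesk group the Reset Password extended right on user objects beneath an OU, plus the right to create and delete user objects there, and then reads the OU's ACL back so the delegation can be verified. The OU DN, the group DUMMIES\SalesHelpdesk and the domain are assumptions; the two GUIDs are fixed values from the Active Directory schema and extended-rights container, identical in every forest.

```powershell
# Added example: least-privilege delegation of user management on one OU,
# expressed as ACEs through System.DirectoryServices (works against 2003 DCs).

Add-Type -AssemblyName System.DirectoryServices

# Fixed, well-known identifiers (same in every forest).
$UserClassGuid     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # rightsGuid of "Reset Password"

function Grant-OUHelpdeskRights {
    param(
        [Parameter(Mandatory)][string] $OuDN,     # e.g. 'OU=Sales,DC=dummies,DC=com' (assumed)
        [Parameter(Mandatory)][string] $Trustee   # e.g. 'DUMMIES\SalesHelpdesk'     (assumed)
    )
    $ou  = [ADSI]"LDAP://$OuDN"
    $sid = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $acl = $ou.ObjectSecurity

    # ACE 1: Reset Password (control access right) on user objects below the OU,
    # and on nothing else: not on the OU itself, not on computers or groups.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)))

    # ACE 2: create and delete child objects of class "user" in this OU and
    # any sub-OU. The object-type GUID restricts the right to that one class.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
         [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
        [System.Security.AccessControl.AccessControlType]::Allow,
        $UserClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

    $ou.CommitChanges()
}

function Get-OURightsFor {
    # Read back every ACE on the OU that names the trustee, inherited ones included.
    param(
        [Parameter(Mandatory)][string] $OuDN,
        [Parameter(Mandatory)][string] $Trustee
    )
    ([ADSI]"LDAP://$OuDN").ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $Trustee } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
}

Grant-OUHelpdeskRights -OuDN 'OU=Sales,DC=dummies,DC=com' -Trustee 'DUMMIES\SalesHelpdesk'
Get-OURightsFor        -OuDN 'OU=Sales,DC=dummies,DC=com' -Trustee 'DUMMIES\SalesHelpdesk' | Format-Table -AutoSize
```

The read-back matters more than the grant: run Get-OURightsFor periodically (or diff its output between runs) on every delegated OU, and expect to see nothing for the helpdesk group on OUs that hold administrative accounts. If a delegated user does not actually get the rights on some account in the OU, check whether that account is a member of a protected group; AdminSDHolder will have removed the inherited ACEs from it.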

Windows Server 2003 for Dummies
ISBN: 0764516337
Year: 2003
Pages: 195

flylib.com © 2008-2017.