Migrating Existing NT4 Domains to a New Windows Server 2003 Forest


In many instances, it is preferable to abandon a badly designed or inefficient NT domain structure altogether and migrate the accounts into a new Active Directory forest. This process is streamlined by a tool included on the Windows Server 2003 CD: the Microsoft Active Directory Migration Tool (ADMT) 2.0 (ADMT v2).

After a new Windows Server 2003 Active Directory domain is installed and configured with pre-Windows 2000 permissions and a domain trust is created between the source and target domains, the ADMT can migrate any Windows NT4 security principal into Active Directory domains and organizational units. Using this tool, organizations can migrate security principals incrementally while still maintaining the shared resources located in each domain.

When the ADMT is used to restructure domains, all NT4 security principals are copied (cloned) from the Windows NT4 domain into Active Directory, and each principal's original NT4 SID is retained in an attribute called SIDHistory. Because the NT4 security principals are cloned rather than moved, the source domain is left completely in place and uninterrupted, enabling administrators to roll back to the previous domain easily if required.

Installing and Configuring a New Windows Server 2003 Forest and Domain

Installing a new domain requires the installation of a new AD structure. One of the biggest advantages of this approach is that best-practice AD design can be applied from the start, so efficient, effective, and secure AD forests can be constructed. For more information on the best ways to design AD, specifically regarding deployment of Exchange Server 2003, refer to Chapter 4, "Exchange Server 2003 Design Concepts," and Chapter 5, "Designing an Enterprise Exchange Server 2003 Environment."

Configuring a Domain Trust Between Source Windows NT4 and Target Windows Server 2003 Domains

When migrating existing NT4 domains to a new Active Directory forest root or child domain, trust relationships must be created between the existing Windows NT4 domains and the new Active Directory domain. The existing Windows NT4 domains are referred to as the source domains, and the newly created Windows Server 2003 Active Directory domains are the target domains. Follow these steps:

  1. Begin by first configuring a trust on the target domain. On the Windows Server 2003 domain controller, open the administrator tools and launch Active Directory Domains and Trust Manager. From the Action menu option, open the Properties page for the Active Directory domain and select the Trust tab. This opens the Domain Trust configuration page.

  2. Windows Server 2003 and Active Directory trusts are created using the New Trust Wizard. Select New Trust to start the wizard and be guided through the creation of a domain trust. Select Next at the Welcome to the New Trust page. On the Trust Name page, type the name of the Windows NT4 source domain. This enables Active Directory to establish connectivity with the source Windows NT4 domain. Select Next to continue.

    NOTE

    When configuring a domain trust, each domain must have the capability of resolving the domain name to a domain controller's TCP/IP Address. Install the Windows Internet Naming Service (WINS) on the target domain controller and configure the TCP/IP properties on the target and source domain controllers to use the newly installed WINS.

  3. Select the type of trust to be established. On the Direction of Trust page, select Two-way, allowing connectivity and access to resources in both the target and source domains when migrating; select Next to continue.

  4. To configure outgoing trust properties, select Allow authentication for all resources in the local domain. This option allows Windows NT4 security principals access to all resources within the Active Directory target domain. Windows Server 2003 will automatically authenticate existing NT4 security principals within the target domain; this allows the required administrator accounts access to each domain and its domain group memberships. Select Next to continue.

  5. The trust password is a password other than the domain administrator password. The trust password is unique to the trust being created and will be used by both the source and target domains to authenticate the trust. The same trust password must be used on both the Windows NT4 source domain and the Windows Server 2003 target domain trust configurations. Enter a password for this trust to use and select Next to continue.

  6. At this point, review the trust configuration; select Back to modify any setting that needs to be changed or select Next to complete creating the trust and view the configuration changes created by the Trust Wizard. Click the Next button to continue.

  7. A dialog box will appear asking for confirmation of the outgoing trust. Before confirming, create and establish the trust relationship on the Windows NT4 source domain's Primary Domain Controller (steps 9 through 11). At the Confirm Outgoing Trust page, select No, do not confirm the outgoing trust and click Next to continue.

  8. Choose No, do not confirm the incoming trust option from the Confirm Incoming Trust page. Choose Next to complete the trust configuration. Review the trust configuration and select Finish to close the Trust Wizard.

  9. To successfully establish a trust on the Windows NT source domain, the trusted domain must first be configured. To add the target domain to the Windows NT4 trusted domains, open the User Manager for Domains on the Windows NT4 Primary Domain Controller. Click Policies from the menu options and select Trust Relationships. This opens the Windows NT4 Trust Relationship page.

  10. Begin by selecting the Add button under Trusted Domains. Enter the name of the target domain and a password that will be used by both domains to authenticate the trust. As mentioned earlier, this password is unique to the trust configuration and should be different from the domain administrator account password. This password will be used only to authenticate the domain trust between the source and target domains.

  11. After the trusted domain has been established successfully, select Add under the Trusting Domain section of the page. Enter the name of the target domain and the password used to establish the trust. This adds the target domain to the Windows NT4 trusting domains and completes the configuration of the Windows NT4 trust. Click Close to close the Trust Relationships Dialog screen.

  12. When the trust is created successfully, the New Trust Wizard can now confirm the trust settings. If choosing to validate the trust, use the administrator account name and password of the source domain to test access for both incoming and outgoing connectivity of the domain trust. Click OK to close the open dialog box.
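Once both sides of the trust are configured, it is worth confirming from the command line that name resolution and the trust secure channel work in both directions before running any migration. The following PowerShell script is an added example and is not from the book; it assumes the Windows Server 2003 Support Tools (nltest.exe and netdom.exe) are installed on the target domain controller, and NT4SRC and AD2003 are placeholder NetBIOS domain names.

```powershell
# Added example (not from the book): verify the trust created in steps 1-12.
# Assumes the Windows Server 2003 Support Tools (nltest, netdom) are installed
# and that this runs on the target domain controller with domain admin rights.
$SourceDomain = "NT4SRC"   # Windows NT4 source domain (placeholder name)
$TargetDomain = "AD2003"   # Windows Server 2003 target domain (placeholder name)

function Invoke-Check {
    # Run a command line, print its output, and report failure via the exit code.
    param([string]$Label, [string]$CommandLine)
    Write-Host "== $Label"
    cmd /c $CommandLine
    if ($LASTEXITCODE -ne 0) { Write-Warning "$Label FAILED (exit code $LASTEXITCODE)" }
}

# 1. Name resolution (see the WINS note): each side must be able to locate a
#    domain controller for the other domain by its NetBIOS domain name.
Invoke-Check "Locate DC for source domain" "nltest /dsgetdc:$SourceDomain"
Invoke-Check "Locate DC for target domain" "nltest /dsgetdc:$TargetDomain"

# 2. List the trusts the target domain knows about; the source domain should
#    appear with both inbound and outbound flags for a two-way trust.
Invoke-Check "Enumerate trusts" "nltest /domain_trusts /all_trusts"

# 3. Verify the trust secure channel from each trusting side. The first call
#    checks AD2003 trusting NT4SRC, the second checks NT4SRC trusting AD2003;
#    both must succeed for the two-way trust chosen in step 3.
Invoke-Check "Verify target -> source" "netdom trust $TargetDomain /d:$SourceDomain /verify"
Invoke-Check "Verify source -> target" "netdom trust $SourceDomain /d:$TargetDomain /verify"
```

If the nltest locator calls fail while the netdom verification succeeds, the trust password was accepted but WINS is not yet configured on one side; fix the TCP/IP WINS settings described in the note before migrating accounts, because ADMT relies on the same resolution path.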

Migrating Account and Resource NT Domains to Active Directory Domains

Using this option enables administrators to restructure existing Windows NT4 accounts and resources into newly created Windows Server 2003 Active Directory domains and organizational units (OUs).

Migrating account domains and resource domains into Active Directory organizational units allows enhanced security and ease of delegation within the Active Directory domain tree. When the Active Directory domain organizational unit (OU) structure is configured, the domain resources and security principals can be migrated by using the ADMT, as shown in Figure 14.2.

Figure 14.2. Consolidating NT domains into AD.


Implications of Migrating Security Principals

When security principals are created in a Windows NT4 domain, each individual object is assigned a unique security identifier (SID). SIDHistory is a record of the SIDs a security principal held previously, reflecting its Windows NT4 domain and group membership; because each SID is unique, these old SIDs identify the principal wherever permissions were granted to it in the NT4 domain.

When these security principals are migrated to Windows Server 2003 and Active Directory, each security principal is assigned a new SID that reflects its new domain and group membership. Because the new SID carries no information about the security principal's previous domain membership, when a migrated user or group accesses resources that still reside in the old Windows NT4 domain, such as files, users might find that they no longer have permission to specific resources.

To avoid these issues during and after the migration, use the Microsoft ADMT to migrate each security principal's SIDHistory. The ADMT can populate the SIDHistory for each object, preserving the previous SIDs and avoiding permissions issues later in the migration.
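A practical check after an ADMT pass is to read a migrated account's new SID and SIDHistory out of the target domain and compare them against the ACL of a resource that still lives on the NT4 side: any ACE that matches only through SIDHistory is an ACE that would have been lost without it. The script below is an added example and is not from the book or the ADMT; it uses ADSI so that it needs no extra modules, and jdoe and \\NT4FS01\Projects are placeholder names for a migrated user and an NT4-hosted share.

```powershell
# Added example (not from the book): show which ACEs on an NT4-side resource a
# migrated user matches via the new SID versus via SIDHistory. Run from a machine
# joined to the target domain, as an account that can read the resource's ACL.
param(
    [string]$SamAccountName = "jdoe",                 # migrated user (placeholder)
    [string]$ResourcePath   = "\\NT4FS01\Projects"   # NT4-hosted share (placeholder)
)

# Look the user up in the target Active Directory domain through ADSI.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@("objectSid", "sIDHistory"))
$user = $searcher.FindOne()
if ($null -eq $user) { throw "User '$SamAccountName' was not found in the target domain." }

# Both attributes are stored as binary SIDs; convert them to SecurityIdentifier objects.
function ConvertTo-Sid { param([byte[]]$Bytes)
    New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0) }
$newSid  = ConvertTo-Sid $user.Properties["objectsid"][0]
$history = @($user.Properties["sidhistory"] | ForEach-Object { ConvertTo-Sid $_ })
$historyValues = @($history | ForEach-Object { $_.Value })

"Current SID : $($newSid.Value)"
"SIDHistory  : $(if ($history.Count) { $historyValues -join ', ' } else { '(none)' })"
if ($history.Count -eq 0) {
    Write-Warning "No SIDHistory present: ACEs granted to the old NT4 SID will no longer match."
}

# Read the resource ACL as raw SIDs. Asking for SecurityIdentifier avoids name
# translation, so an old NT4 SID is still listed even if it cannot be resolved.
$acl   = Get-Acl -Path $ResourcePath
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

foreach ($rule in $rules) {
    $aceSid = $rule.IdentityReference.Value
    $how = if ($aceSid -eq $newSid.Value)          { "matched via new SID" }
           elseif ($historyValues -contains $aceSid) { "matched via SIDHistory" }
           else                                      { $null }
    if ($how) {
        "{0,-6} {1,-46} {2,-22} {3}" -f $rule.AccessControlType, $aceSid, $how, $rule.FileSystemRights
    }
}
```

This check only considers ACEs granted directly to the user. Access inherited through NT4 global groups depends on those groups being migrated with their own SIDHistory as well, so in a real audit the same comparison should be repeated for each group the user belonged to in the source domain.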



Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
Year: 2003
Pages: 393
Authors: Rand Morimoto