Consolidating Windows NT4 Domains

In the past, when organizations acquired new companies, additional Windows NT4 domains were often added into their existing domain environment using Windows NT4 trust relationships. With these additions, the manageability of domains, domain trusts, and domain resources became difficult. Consolidating Windows NT4 domains into Windows Server 2003 and Active Directory allows organizations to maintain the original Windows NT4 domain structure or domain name. Additional domain structures can be consolidated into organizational units within the Active Directory forest as well. By upgrading domains and migrating additional domains into organizational units, administrators can further enhance security and manageability of Active Directory objects.

Note

Before you begin the domain consolidation process, make sure that all preparation tasks have been completed and your migration script is prepared and tested in a separate lab environment. Using this migration path will copy or clone all Windows NT security principles rather than modify them on the original Windows NT domains.

If you incorporate both an inplace upgrade along with the Active Directory Migration Tool, you can consolidate Windows NT4 domains into Active Directory domains and organizational units within each domain, as shown in Figure 16.5.

This option is designed to allow administrators to downsize any existing Windows NT4 model while increasing administrative functionality by using Active Directory organizational units to maintain old Window NT4 domains.

Upgrading an Existing NT4 Domain to a New Active Directory Forest Root Domain

You begin the domain consolidation process by selecting and upgrading an existing Windows NT4 domain or multiple domains to an Active Directory forest. Depending on your Active Directory design, this inplace upgrade can become the first domain in a new forest or a child domain of a new Active Directory forest root.

Whether you are upgrading a single domain or multiple domains, begin by performing an inplace upgrade of the Windows NT4 domain that will become the Active Directory forest root or a child domain of a new Active Directory forest root. Use the same procedures outlined in the "Performing an Inplace Upgrade" section earlier in this chapter.

Restructuring Existing Account and Resource Domains to Active Directory

The primary purpose for using the domain consolidation migration process is to enable administrators to consolidate Windows NT4 domains into new Active Directory domains and organizational units. When the Active Directory forest is in place, any additional Windows NT4 domains can then be migrated to organizational units within the new Active Directory forest.

Because the original domains have been upgraded, all trust relationships are maintained, and the new Active Directory forest is ready to migrate security principles from Windows NT4. Before you begin, complete any restructuring tasks needed on the upgraded domain structure and create any additional organizational units needed. Use the procedures defined in the "Using Microsoft Active Directory Migration Tool" section to consolidate Windows NT domains to Active Directory organizational units and child domains.