One of the potential benefits of migrating to Active Directory is reducing the number of domains in the enterprise. In this lesson, you investigate how Windows NT domains can be restructured during a migration and how multiple source domains can be consolidated into a single Active Directory destination.
After this lesson, you will be able to
Estimated lesson time: 20 minutes
If you change the organization of accounts, resources, and groups, you're performing a restructure of your existing domain arrangement. The greater capacity of Active Directory, the improved management of replication, and the availability of OUs mean that fewer domains will be required when using Windows 2000. Hence, your migration plan should look at how to replace the existing resource and account domain models with an OU hierarchy.
If the number of domains is reduced, you'll also need to plan for decommissioning and reusing the Windows NT domain controllers. Windows NT member servers might also be consolidated: evaluate Microsoft Windows 2000 Advanced Server or Windows 2000 Datacenter Server as a replacement for several Windows NT Servers.
One migration strategy is to design and build a pristine forest and populate it with objects from migrated Windows NT domains or restructured Windows 2000 domains. The pristine forest design should be based on results from your pilot program and should eventually take on the role of the production environment when migration is complete. Starting from a pristine forest allows you to design an optimal Active Directory hierarchy for your organization.
The tradeoff to this approach is that you might need significant hardware resources during the migration because the new and the old environments must coexist. There might also be problems with naming and accessing resources in the two environments because they'll need to share the same namespace.
This method is expensive because a duplicate Windows 2000 infrastructure runs alongside the current Windows NT production environment, but it provides excellent recovery from critical failures: the original systems remain available until the migration has been proven to work. If the restructure is phased in over a number of domains sequentially, the hardware from a migrated domain can be decommissioned and reused to provide server support for the next group of domains to be migrated, and so on, reducing the quantity of parallel hardware required.
To restructure an account domain, you copy users and groups from the source domains into a pristine Windows 2000 forest. The pristine forest operates in parallel with the existing Windows NT environment and represents the final Active Directory design. In this way multiple account domains can be consolidated into a single account domain in the final design. It is also possible to consolidate groups by migrating them into an existing group in the target environment.
There are two major considerations when restructuring Windows NT resource domains. The first is the migration of the resources and the second is the migration of the DACLs on the resources. These DACLs usually consist of a set of groups created in the trusted domains. In most cases, it is not advisable to do a straight one-to-one migration of Windows NT resource domains to Windows 2000 domains. Instead, consider a consolidation methodology by migrating multiple resource domains into one domain and controlling access to the resources via OUs. Then clone the groups listed in the DACLs into the target Windows 2000 domain.
Computer accounts for the workstations and member servers in the source domain can be copied into the target forest, as can shared local groups on the Windows NT domain controller.
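An added example, not from the training kit, that models the DACL migration step above in Python: it inventories the source-domain groups referenced in resource DACLs (the ones that must be cloned into the target domain before the resources are re-ACLed) and rewrites each ACE to its cloned group, reporting any group not yet cloned so access is never dropped silently. The domain names, group names, and the ACE representation are constructed; on a real server the ACEs would come from cacls or Get-Acl.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    identity: str        # "DOMAIN\\name", as listed by cacls or Get-Acl
    access: str          # right granted or denied, e.g. "Modify"
    allow: bool = True   # False for a deny ACE

def domain_of(identity):
    return identity.split("\\", 1)[0].upper()

def groups_to_clone(resources, source_domains):
    """Inventory step: every source-domain identity found in any DACL must
    exist as a cloned group in the target domain before re-ACLing starts."""
    wanted = {d.upper() for d in source_domains}
    return sorted({ace.identity for dacl in resources.values()
                   for ace in dacl if domain_of(ace.identity) in wanted})

def plan_reacl(dacl, source_domains, group_map, target_domain):
    """Rewrite ACEs naming source-domain groups to the cloned group in the
    target domain. BUILTIN/local and target-domain ACEs pass through. A source
    group with no clone is kept unchanged and reported as still unmapped."""
    wanted = {d.upper() for d in source_domains}
    translated, unmapped = [], set()
    for ace in dacl:
        if domain_of(ace.identity) not in wanted:
            translated.append(ace)
            continue
        new_name = group_map.get(ace.identity)
        if new_name is None:
            unmapped.add(ace.identity)        # must be cloned first
            translated.append(ace)            # keep access intact meanwhile
        else:
            translated.append(Ace(f"{target_domain}\\{new_name}",
                                  ace.access, ace.allow))
    return translated, sorted(unmapped)

# Constructed sample: an NT account domain, an NT resource domain, one share.
SOURCE_DOMAINS = ["CORP-ACCT", "HQ-RES"]
PROJECTS_DACL = [
    Ace("BUILTIN\\Administrators", "FullControl"),
    Ace("CORP-ACCT\\Finance Users", "Modify"),
    Ace("HQ-RES\\Projects Admins", "FullControl"),
    Ace("CORP-ACCT\\Temps", "Write", allow=False),
]
# Constructed mapping of groups already cloned into the target domain.
CLONED = {"CORP-ACCT\\Finance Users": "Finance Users",
          "HQ-RES\\Projects Admins": "Projects Admins"}
```

Running groups_to_clone over every resource before any re-ACL gives the complete list of groups to clone; plan_reacl then shows which ACEs would change and which groups still block the cut-over.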
When considering the design of an installation, you need to decide whether to use domains or OUs to delegate control. Because management can now be decentralized without having to create the old-style Windows NT account and resource domains, the best practice is to design for OUs wherever possible.
When planning your top-level OUs, design ones that are unlikely to change in the foreseeable future.
For most organizations, one domain is sufficient and will certainly simplify administration. You can handle slow WAN links by placing domain controllers in each physical site and by scheduling replication traffic to occur less frequently.
As OUs have so much power and capability, you might wonder when you should consider migrating to more than one domain in a tree. Here are some reasons:
While domains and OUs each have specific advantages, you should also consider how best to meet other management aims by using one of the following models:
Although you can reach many of the objectives by using domains or OUs, in general, you should keep both hierarchies as flat as possible. For example, if access to Active Directory resources must pass through more than two domain trust referrals because your security principal exists elsewhere, you might find that access to that resource is slow. Consider using shortcut trusts to improve performance, or, if possible, restructure the slow domain into an OU of a domain higher up in the hierarchy.
You should also have as flat an OU arrangement as possible because this will improve the performance of management tasks and user authentication. Deep hierarchies of OUs can slow authentication because Windows 2000 must examine every group policy at the site level, the domain level, and then through the OU tree hierarchy, before it can analyze the type of access a user can have. Thus, the flatter the OU hierarchy, the more responsive the network will be.
In this lesson, you learned that establishing a pristine forest requires a parallel Windows 2000 infrastructure while you're migrating your Windows NT network. Designing for a parallel environment will allow you a fallback position to Windows NT should any serious problem occur during the migration. You learned how to consolidate multiple Windows NT domains into Windows 2000 OUs. Finally, you learned how to evaluate whether you need more than one domain in your Windows 2000 enterprise, and whether multiple domains or multiple OUs provide the best performance and ease of administration.