Lesson 5: Consolidating and Restructuring Domains

One of the potential benefits of migrating to Active Directory is reducing the number of domains in the enterprise. In this lesson, you investigate how Windows NT domains can be restructured during a migration and how multiple source domains can be consolidated into a single Active Directory destination.

After this lesson, you will be able to

  • Understand the role of a pristine forest in performing a restructure.
  • Understand the reasons for consolidating domains.
  • Decide when to use domains and when to use OUs.

Estimated lesson time: 20 minutes

Restructure and Consolidation

If you change the organization of accounts, resources, and groups, you're performing a restructure of your existing domain arrangement. The greater capacity of Active Directory, the improved management of replication, and the availability of OUs mean that fewer domains will be required when using Windows 2000. Hence, your migration plan should look at how to replace the existing resource and account domain models with an OU hierarchy.

If the number of domains is reduced, you'll also need to plan for decommissioning and reusing the Windows NT domain controllers. Windows NT member servers might be further consolidated by testing Microsoft Windows 2000 Advanced Server or Windows 2000 Datacenter Server as a replacement for multiple Windows NT Servers.

Creating a Pristine Forest

One migration strategy is to design and build a pristine forest and populate it with objects from migrated Windows NT domains or restructured Windows 2000 domains. The pristine forest design should be based on results from your pilot program and should eventually take on the role of the production environment when migration is complete. Starting from a pristine forest allows you to design an optimal Active Directory hierarchy for your organization.

The tradeoff to this approach is that you might need significant hardware resources during the migration, because the new and the old environments must coexist. There might also be problems with naming and accessing resources in the two environments, because both are reachable from the same clients and network, so domain and server names must not collide while the two run side by side.

While this method is expensive because of the cost of running a duplicate Windows 2000 infrastructure as well as the current Windows NT production environment, it provides for excellent recovery from possible critical failures. Recovery is possible because the original systems can remain available until the migration has been proven to work successfully. If the restructure is phased in over a number of domains sequentially, the hardware from a migrated domain can be decommissioned and re-used to provide new server support for the next group of domains to be migrated, and so on, thereby reducing the quantity of parallel hardware resources required.

Restructuring a Windows NT Account Domain

To restructure an account domain, you copy users and groups from the source domains into a pristine Windows 2000 forest. The pristine forest operates in parallel with the existing Windows NT environment and represents the final Active Directory design. In this way multiple account domains can be consolidated into a single account domain in the final design. It is also possible to consolidate groups by migrating them into an existing group in the target environment.

Restructuring a Windows NT Resource Domain

There are two major considerations when restructuring Windows NT resource domains: migrating the resources themselves, and migrating the DACLs on those resources. The ACEs in these DACLs usually reference global groups from the trusted account domains. In most cases, a straight one-to-one migration of Windows NT resource domains to Windows 2000 domains is not advisable. Instead, consider a consolidation approach: migrate multiple resource domains into one domain and delegate control of the resources through OUs. Then clone the groups referenced in the DACLs into the target Windows 2000 domain. Cloning preserves the source group's SID in the new group's sIDHistory attribute, which is what keeps the existing ACEs resolving after the move; plan to re-ACL the resources with the new SIDs before that history is cleaned up, or access will fail when it is.

Computer accounts for the workstations and member servers in the source domain can be migrated into the target forest, as can the shared local groups held on the Windows NT domain controller. Include those shared local groups in the migration: any ACE that references one of them is orphaned once the source domain is decommissioned.
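Before a migrated resource domain is decommissioned, every domain SID in its DACLs should map to a group that has been cloned into the target domain. The following Python script is an added example, not code from the training kit or from ADMT: it models that check on a constructed share DACL, using constructed domain SIDs, group names and sIDHistory values, and then re-ACLs the share so that access no longer relies on sIDHistory.

```python
"""Added example (not from the training kit): checks an NT resource domain's
DACLs against the groups cloned into the target Windows 2000 domain.
All SIDs, group names and ACEs below are constructed for illustration."""
from dataclasses import dataclass

# Constructed domain SIDs (S-1-5-21-<three subauthorities>) for the example.
NT_ACCOUNTS = "S-1-5-21-1000-2000-3000"   # NT account domain (trusted)
NT_RESOURCES = "S-1-5-21-4000-5000-6000"  # NT resource domain being migrated
W2K_TARGET = "S-1-5-21-7000-8000-9000"    # consolidated Windows 2000 domain


@dataclass(frozen=True)
class Ace:
    """One access control entry: which SID, what access, allow or deny."""
    sid: str
    rights: str
    allow: bool = True


@dataclass(frozen=True)
class ClonedGroup:
    """A group cloned into the target domain; sid_history holds its old SID(s)."""
    name: str
    new_sid: str
    sid_history: tuple


# Constructed: groups already cloned into the target domain with sIDHistory.
CLONED = (
    ClonedGroup("Finance Users", f"{W2K_TARGET}-1105", (f"{NT_ACCOUNTS}-1201",)),
    ClonedGroup("Finance Admins", f"{W2K_TARGET}-1106", (f"{NT_ACCOUNTS}-1202",)),
)

# Constructed: DACL of a share in the NT resource domain.
SHARE_DACL = (
    Ace(f"{NT_ACCOUNTS}-1201", "Modify"),
    Ace(f"{NT_ACCOUNTS}-1202", "FullControl"),
    Ace(f"{NT_ACCOUNTS}-1203", "Read"),            # group never cloned
    Ace(f"{NT_RESOURCES}-1001", "FullControl"),    # shared local group on the NT DC
    Ace("S-1-5-32-544", "FullControl"),            # BUILTIN\Administrators
)


def sid_history_index(groups):
    """Map each SID carried in sIDHistory to the cloned group that now owns it."""
    index = {}
    for group in groups:
        for old_sid in group.sid_history:
            index[old_sid] = group
    return index


def is_domain_sid(sid):
    """True for SIDs issued by a domain. BUILTIN and other well-known SIDs
    (e.g. S-1-5-32-544) resolve the same way in any domain and need no clone."""
    return sid.startswith("S-1-5-21-")


def audit_dacl(dacl, groups):
    """Split a DACL into ACEs that still resolve after migration and ACEs
    that would be orphaned once the source domain is decommissioned."""
    index = sid_history_index(groups)
    resolvable, orphaned = [], []
    for ace in dacl:
        if not is_domain_sid(ace.sid) or ace.sid in index:
            resolvable.append(ace)
        else:
            orphaned.append(ace)
    return resolvable, orphaned


def reacl(dacl, groups):
    """Rewrite ACEs to the cloned groups' new SIDs, so access no longer
    depends on sIDHistory; ACEs with no clone are left untouched."""
    index = sid_history_index(groups)
    rewritten = []
    for ace in dacl:
        clone = index.get(ace.sid)
        rewritten.append(Ace(clone.new_sid, ace.rights, ace.allow) if clone else ace)
    return rewritten


def ready_to_decommission(dacl, groups):
    """The source domain can go only when nothing in the DACL depends on it."""
    return not audit_dacl(dacl, groups)[1]


if __name__ == "__main__":
    ok, orphans = audit_dacl(SHARE_DACL, CLONED)
    print(f"{len(ok)} ACEs resolve, {len(orphans)} orphaned:")
    for ace in orphans:
        print("  no clone for", ace.sid)
    print("ready to decommission:", ready_to_decommission(SHARE_DACL, CLONED))
```

Run against the constructed DACL, the audit reports two orphaned ACEs: the account-domain group that was never cloned and the shared local group on the NT domain controller. Both must be cloned (or the ACEs removed) before the source domain is decommissioned; the re-ACL step is what lets sIDHistory be cleaned up afterwards.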

Restructuring Administration in Active Directory

When considering the design of an installation, you need to decide whether to use domains or OUs to delegate control. Because management can now be decentralized without having to create the old-style Windows NT account and resource domains, the best practice is to design for OUs wherever possible.


When planning your top-level OUs, design ones that are unlikely to change in the foreseeable future.

For most organizations, one domain is sufficient and will certainly simplify administration. You can handle slow WAN links by defining Active Directory sites, placing a domain controller in each physical site, and scheduling the intersite replication that crosses the WAN link to run less frequently.

When to Create Multiple Domains

As OUs have so much power and capability, you might wonder when you should consider migrating to more than one domain in a tree. Here are some reasons:

  • Decentralized management. You might need multiple domains if totally separate IT departments are responsible for different subsidiaries owned by a corporation and each subsidiary wishes to be responsible for the management of its own users and OU structures but still share the corporate forest schema. International companies might also require that each country or region be responsible for managing its own users and cultural requirements, such as administering the Windows 2000 domain in its own language. In this case you might need to consider deploying separate forests as well.
  • Large number of objects. While Active Directory can handle a vastly greater number of objects than a Windows NT domain can, the tradeoff is a substantial increase in the amount of replication traffic. The word large is subjective because it depends on the technology in use. Many international companies are using the word large to mean roughly a million directory objects.
  • Replication control. If your WAN link is so slow that even scheduled replication causes problems, or if you require maximum control of replication regardless of the extra hardware costs involved, you might need additional domains. Before you implement this solution, bear in mind that many Windows NT single-domain models have functioned more than adequately when backup domain controllers have been connected over slow WAN links.
  • Unique domain policies. If you have several groups that require different domain-wide policies, the only way to handle this situation is to have separate domains. In Windows 2000 the account policies (password length, password history, and account lockout) take effect for domain accounts only when set at the domain level, so two populations that need different password or lockout rules need two domains. User rights and most other security settings can instead be varied with Group Policy linked at the OU level, so they do not on their own justify a second domain.

Achieving Management Aims

While domains and OUs each have specific advantages, you should also consider how best to meet other management aims by using one of the following models:

  • Centralized administrative control. In a multiple-domain environment, centralized administration rests on the Enterprise Admins group, which is automatically a member of the Administrators group in every domain of the forest, and on each domain's Domain Admins group, which is a member of the local Administrators group on every member computer in that domain.
  • Decentralized administrative control. In a multiple-domain environment, control is devolved into each of the domains. In an OU hierarchy, control over each first-level OU you create is delegated to the administrators responsible for its set of user and resource objects.

Although you can reach many of the objectives by using either domains or OUs, in general you should keep both hierarchies as flat as possible. For example, if a user must cross more than two trust referrals to reach a resource in another domain, because the user's security principal lives in a domain far from the resource's domain in the tree, access to that resource can be slow. Consider a shortcut trust between the two domains to shorten the referral path, or, if possible, restructure the distant domain into an OU of a domain higher up in the hierarchy.
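The referral count that the paragraph above uses as its threshold can be worked out from the forest layout. The script below is an added example, not from the training kit; its forest (corp.example with two child domains and two grandchild domains) and the shortcut trust are constructed, and it finds the trust path by breadth-first search over the tree links plus any shortcut trusts, treating every trust crossed as one referral.

```python
"""Added example (not from the training kit): counts the trust referrals a
Kerberos authentication crosses between two domains of a forest and shows
the effect of a shortcut trust. The forest layout below is constructed."""
from collections import deque

# Constructed forest: child domain -> parent domain. Each tree link is a
# two-way transitive trust; the root "corp.example" has no parent.
PARENT = {
    "emea.corp.example": "corp.example",
    "apac.corp.example": "corp.example",
    "sales.emea.corp.example": "emea.corp.example",
    "eng.apac.corp.example": "apac.corp.example",
}


def trust_graph(parent, shortcuts=()):
    """Undirected graph of trusts: tree links plus any (a, b) shortcut trusts."""
    graph = {}

    def link(a, b):
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)

    for child, par in parent.items():
        link(child, par)
    for a, b in shortcuts:
        link(a, b)
    return graph


def referral_path(src, dst, parent, shortcuts=()):
    """Domains visited, in order, when a client in src is referred to dst:
    the shortest chain of trusts, found by breadth-first search."""
    graph = trust_graph(parent, shortcuts)
    previous = {src: None}
    queue = deque([src])
    while queue:
        here = queue.popleft()
        if here == dst:
            break
        for nxt in sorted(graph.get(here, ())):
            if nxt not in previous:
                previous[nxt] = here
                queue.append(nxt)
    if dst not in previous:
        return None  # no trust path at all
    path, here = [], dst
    while here is not None:
        path.append(here)
        here = previous[here]
    return path[::-1]


def referrals(src, dst, parent, shortcuts=()):
    """Number of trusts crossed (one referral per trust); None if unreachable."""
    path = referral_path(src, dst, parent, shortcuts)
    return None if path is None else len(path) - 1


def needs_shortcut(src, dst, parent, shortcuts=(), max_referrals=2):
    """The lesson's rule of thumb: more than two referrals is slow."""
    hops = referrals(src, dst, parent, shortcuts)
    return hops is not None and hops > max_referrals


if __name__ == "__main__":
    src, dst = "sales.emea.corp.example", "eng.apac.corp.example"
    print("tree only:", referral_path(src, dst, PARENT), referrals(src, dst, PARENT))
    shortcut = [(src, dst)]
    print("with shortcut:", referral_path(src, dst, PARENT, shortcut),
          referrals(src, dst, PARENT, shortcut))
```

For the constructed forest, a user in sales.emea.corp.example reaching a server in eng.apac.corp.example walks up to the root and back down, four referrals in all; a single shortcut trust between the two grandchild domains cuts that to one. Collapsing the grandchild domains into OUs of their parents removes the referrals entirely, which is the restructuring option the paragraph prefers.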

You should also keep the OU arrangement as flat as possible, because this improves the performance of management tasks and of user logon. Deep OU hierarchies slow logon because Windows 2000 processes Group Policy in a fixed order: the local policy, then the GPOs linked at the site, then those linked at the domain, and then those linked at each OU from the top of the tree down to the OU that holds the user or computer, before the resulting settings are in force. Every extra level is another layer to evaluate, so the flatter the OU hierarchy, the more responsive the network will be.
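To make the cost of OU depth visible, the following added example (not from the training kit) derives the policy processing order for a constructed user DN and a constructed set of GPO links: local policy, then site, domain, and each OU from the top of the tree down, with Block Policy Inheritance and No Override handled as well. It assumes DNs with no escaped commas and assumes the local GPO is still processed when inheritance is blocked; both are assumptions of this example, not statements from the lesson.

```python
"""Added example (not from the training kit): lists the Group Policy layers
Windows 2000 processes for an object, in order (local, site, domain, then
each OU from the top of the tree down). GPO names, links and the
distinguished name are constructed for illustration."""


def rdns(dn):
    """Split a distinguished name into its RDNs (assumes no escaped commas)."""
    return [part.strip() for part in dn.split(",")]


def domain_of(dn):
    """DNS name of the domain, rebuilt from the DC= components."""
    return ".".join(p[3:] for p in rdns(dn) if p.upper().startswith("DC="))


def ou_chain(dn):
    """OU names from the top of the tree down to the object's own OU."""
    ous = [p[3:] for p in rdns(dn) if p.upper().startswith("OU=")]
    return ous[::-1]


def layer_keys(dn, site):
    """Scope keys in processing order; an OU key is its path from the top,
    so two OUs with the same name at different depths stay distinct."""
    keys = ["local", f"site:{site}", f"domain:{domain_of(dn)}"]
    chain = ou_chain(dn)
    for depth in range(len(chain)):
        keys.append("ou:" + "/".join(chain[: depth + 1]))
    return keys


def policy_order(dn, site, links, blocked=frozenset(), enforced=frozenset()):
    """GPOs in the order they apply (on a conflict, the last one wins).

    links    -- scope key -> GPO names linked there
    blocked  -- scope keys of OUs with Block Policy Inheritance set
    enforced -- GPO names linked with No Override, which pass through a block
    """
    keys = layer_keys(dn, site)
    # Block Policy Inheritance on an OU drops every GPO linked above that OU
    # except those marked No Override. The local GPO is not a link, and this
    # example assumes it is still processed (see the lead-in).
    cut = max((i for i, k in enumerate(keys) if k in blocked), default=-1)
    order = []
    for i, key in enumerate(keys):
        for gpo in links.get(key, ()):
            if key == "local" or i >= cut or gpo in enforced:
                order.append(gpo)
    return order


# Constructed sample: a user three OUs deep, with one GPO linked per scope.
USER_DN = "CN=jdoe,OU=Payroll,OU=Finance,OU=Corp,DC=corp,DC=example"
LINKS = {
    "local": ["Local Computer Policy"],
    "site:HQ": ["HQ Site Policy"],
    "domain:corp.example": ["Default Domain Policy"],
    "ou:Corp": ["Corp Baseline"],
    "ou:Corp/Finance": ["Finance Lockdown"],
    "ou:Corp/Finance/Payroll": ["Payroll Apps"],
}

if __name__ == "__main__":
    for depth, key in enumerate(layer_keys(USER_DN, "HQ")):
        print(depth, key)
    print(policy_order(USER_DN, "HQ", LINKS))
    print(policy_order(USER_DN, "HQ", LINKS,
                       blocked={"ou:Corp/Finance"},
                       enforced={"Default Domain Policy"}))
```

The constructed user sits three OUs deep, so six layers are evaluated at every logon; a user placed directly under the domain would need three. Blocking inheritance on the Finance OU trims the list but does not remove the walk down the tree, which is why the lesson's advice is to flatten the hierarchy rather than to block inheritance.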

Lesson Summary

In this lesson, you learned that establishing a pristine forest requires a parallel Windows 2000 infrastructure while you're migrating your Windows NT network. Designing for a parallel environment will allow you a fallback position to Windows NT should any serious problem occur during the migration. You learned how to consolidate multiple Windows NT domains into Windows 2000 OUs. Finally, you learned how to evaluate whether you need more than one domain in your Windows 2000 enterprise, and whether multiple domains or multiple OUs provide the best performance and ease of administration.

MCSE Training Kit (Exam 70-222): Migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000 (MCSE Training Kits)
ISBN: 0735612390
Year: 2001
Pages: 126
