Lesson 2: Planning the Pristine Environment

When setting out to perform the restructure of a domain, you must consider a number of planning issues prior to the actual migration. This lesson identifies some of these issues and begins the process of planning the pristine environment.

After this lesson, you will be able to

• Plan the pristine environment.
• Install the pristine environment.

Estimated lesson time: 30 minutes

Considerations for Planning the Restructure

Figure 8.1 shows a sample flowchart of a restructure process.

Figure 8.1 Flowchart of the restructure process

The entire restructure depends on the design phase. Prior to any migration taking place, you'll need to have a comprehensive document detailing the site, domain, and OU structure of your pristine environment. The document should also include in-depth information on the following:

• Your Active Directory structure and the attributes that will be replicated
• Which servers will hold the various flexible single master operation roles such as schema master, domain naming master, PDC emulator, RID master, and infrastructure master
• The location of global catalog servers
• Which servers will hold TCP/IP services such as DNS, DHCP, and WINS
• Which servers will be running application services such as line of business applications and Internet services
• Which servers will be running security services such as certificate services, IPSec, and so on
• Group policies, logon scripts, profiles, and where file replication (if any) should take place
• The times when account information should be replicated across site links
• Whether components such as system policy files should be included for Windows NT and Windows 9.x clients

This list isn't exhaustive. The MCSE Training Kit—Microsoft Windows 2000 Active Directory Services covers planning and building your Active Directory in greater depth.

Order of Migration for Domains

Chapter 5 covered issues that might affect the order of migration of domains. From a restructure perspective, you'll need to know the order of migration for your existing domains and where each of the Windows NT objects will be relocated. In an upgrade, you're more likely to tackle the largest accounts domain first. In a restructure, you're advised instead to begin with the smallest accounts domain. Should any problems occur, you can then modify how you handle the larger accounts domains.

Active Directory Pollution

One final point when planning and building your pristine environment: decide beforehand whether a domain in the pilot pristine environment will become your forest root, or whether you'll be scrapping it after the pilot and starting over with your newfound experience. If you're planning for this domain to become the root of your Active Directory forest, you'll need to plan and protect your schema from Active Directory pollution (attributes being filled with unnecessary information). This can occur if, after your first trial migration, you decide that an attribute isn't required either for legal or other reasons, yet it remains in the Active Directory until you remove it.

TIP

---

A method to protect against problems such as Active Directory pollution is to create an image copy of each server prior to each domain restructure performed. You can then quickly and efficiently reset your pristine environment at any time.

Installing Windows 2000 for a Pristine Environment

To install a server version of Windows 2000, you will need a machine that meets its minimum hardware requirements as listed in "Getting Started." Active Directory will install only onto a partition formatted with NTFS, so a suitable drive must be set up during installation. If you have proprietary hardware, you'll need to obtain the associated drivers to work with a Windows 2000 installation.

A server version of Windows 2000 can be installed by booting the target system from the Windows 2000 CD-ROM or by preparing a set of boot floppies. Further details on the Windows 2000 deployment process can be obtained from the MCSE Training Kit—Microsoft Windows 2000 Server. An evaluation copy of Microsoft Windows 2000 Advanced Server is included with this book.

Once you've installed a server version of Windows 2000, the next step is to install Active Directory. The first machine in a network to have Active Directory installed on it will become the root of the forest. It will also create a site called Default-First-Site-Name. You can rename this to reflect the nature of the actual site and then create and populate other sites as appropriate.

Installing the Windows 2000 DNS

As discussed in Lesson 3, "Assessing DNS," of Chapter 4, DNS is the TCP/IP service that performs the mapping of host names to IP addresses. To review, it's possible that you will already have DNS servers on your network, which might not be based on Windows NT. To support Active Directory, these DNS servers must support the following:

• SRV resource record. DNS servers that are authoritative for the locator records need to support the Service Location(SRV) resource record type. For further information, consult the section "Introduction to DNS" in the Microsoft Windows 2000 TCP/IP Core Networking Guide volume of the Microsoft Windows 2000 Server Resource Kit.
• Dynamic update standard. Primary DNS master servers must support the DNS dynamic update standard as defined in RFC 2136.

The DNS server that is provided with Windows 2000 is suitable and has the extra benefit that it integrates the DNS zone storage into Active Directory. This integration enables it to perform zone replication without the need for a DNS replication topology. Windows 2000 DNS has the additional advantage that it can implement security on the DNS data.

DNS Namespaces

The first Windows 2000 system that you install must be the root of the name-space to be created. If you want to migrate users into domains that exist below the root of the namespace, you must create a placeholder domain first and then install other servers in domains below the root domain. The issue of DNS servers and namespace support should have been addressed as one of the aspects of migration planning.

Installing a Windows 2000 OU Hierarchy

The Windows 2000 OU hierarchy is one of the deliverables of the Active Directory design process. As part of the creation of the pristine environment, the hierarchy that was designed for it must be implemented so that users and resources can be migrated into it.

Practice: Create and Configure a Pristine Environment

You've seen that a key component of the migration is a pristine environment. This environment will serve as the basis of the migration and the destination of the migrated objects during a restructure. In this practice, you'll totally rebuild both your servers. A pristine environment will be created on PC1. This pristine environment will be a forest root domain named trainkit.microsoft.com and have a fully qualified domain name of trainkit1.trainkit.microsoft.com and a host name of TRAINKIT1. On PC2, you'll create a Windows NT PDC called MIGRATE1 in a domain named MIGRATE.

You will be reformatting both of your existing systems; however, if you have a sufficiently large hard disk and are able to work with multiple operating systems, you might want to try installing a second copy of Windows 2000 on PC1. Unfortunately, with PC2, you can't install Windows NT on a system booting from version 5 of NTFS, the version used by Windows 2000. Even though Windows 2000 NTFS version 5 is supported via the new Ntfs.sys driver in Windows NT Service Pack 4 and higher, Windows NT Setup doesn't recognize it. When you convert to Active Directory, your NTFS file system is automatically upgraded to NTFS version 5.

To install Windows 2000 on PC1

1. Shut down PC2 and leave it off throughout this practice.
2. Reformat PC1 and install a copy of Windows 2000 Advanced Server.

   You can use Windows 2000 Setup to reformat your hard disk if you want.

3. Follow the on-screen prompts and accept all the default settings presented at every screen by clicking on Next.
4. When asked the name of the computer, use the name TRAINKIT1. Type and confirm secret as the Administrator password.
5. When you reach the Workgroup Or Computer Domain screen, select No (the first option), and then type TRAINKIT in the Workgroup Or Computer Domain box.
6. When the Windows 2000 Setup Wizard completes, remove the CD and click Finish to restart the computer.
7. After the computer restarts, log on as Administrator with the password secret.

To install Active Directory

1. After a period of disk activity, the Windows 2000 Configure Your Server screen appears, as shown in Figure 8.2. If it doesn't appear, open the Start menu, select Programs, Administrative Tools, and then click Configure Your Server.

   

   Figure 8.2 Windows 2000 Configure Your Server screen

2. Select the first option, This Is The Only Server In My Network, and click Next.

   The next screen will ask whether you want to proceed and install Active Directory, DHCP, and DNS.

3. Click Next.
4. In the first box of the next screen, where you're asked to name your domain, type trainkit.
5. In the second box, where you're asked to type your Internet name, type microsoft.com.

   You can type your own Internet name if you want to adapt this practice for your company; however, all the illustrations and references in the book will be using trainkit.microsoft.com.

6. Press the Tab key once on your keyboard.

   The next two boxes will automatically update and display the Active Directory domain name, trainkit.microsoft.com, and the downlevel or NetBIOS version of the domain name, trainkit, as shown in Figure 8.3.

   

   Figure 8.3 Selecting the Active Directory and NetBIOS domain names

7. Click Next to accept these names, and click Next again on the next screen.

   In a few moments, the Windows Components Wizard starts and proceeds to install files.

   Then the Configuring Active Directory page appears and shows the progress of the Active Directory installation, as shown in Figure 8.4.

   

   Figure 8.4 Configuring Active Directory page

8. If prompted, insert the Windows 2000 CD-ROM.

   Depending on the speed of your machine, it might take a while for this task to complete. When the installation is complete, the system will restart.

9. Log on as Administrator with the password secret.
10. If Configure Your Server appears, clear the check mark at the bottom of the window, Show This Screen At Startup, and then close the window.
11. Right-click My Network Places on the desktop and select Properties from the shortcut menu.
12. Right-click the Local Area Connection icon and select Properties from the shortcut menu.
13. Select Internet Protocol (TCI/IP) and select Properties to see the dialog box shown in Figure 8.5.

    

    Figure 8.5 Setting the IP address and subnet mask

14. Change the IP Address to 192.168.0.105 and the Subnet mask to 255.255.255.0.
15. Repeat the IP address (192.168.0.105) in the Preferred DNS Server box.
16. Click OK in each dialog box and close the Network And Dial-Up Connections window.

To switch the trainkit.microsoft.com domain to native mode

1. Open the Active Directory Domains And Trusts administrative tool.
2. Right-click trainkit.microsoft.com and select Properties.
3. Click the Change Mode button.
4. Confirm your choice and then click OK.

   A message box will appear telling you that you are now running in native mode.

5. Close Active Directory Domains And Trusts.

To create an OU to hold the objects to be migrated

1. Open the Active Directory Users And Computers administrative tool.
2. Expand the trainkit.microsoft.com domain.

   You should see the default containers for your domain.

3. Right-click the trainkit.microsoft.com root entry in the tree.
4. Select New from the shortcut menu that appears.
5. Click Organizational Unit, as shown in Figure 8.6.

   

   Figure 8.6 Creating a new OU

6. Give the new OU the name Migrate. Users from the MIGRATE Windows NT domain to be created on PC2 will be migrated here later.
7. Create the additional OU structure as diagrammed in Figure 8.7.

   This OU structure will be used by the practices in Chapter 9, "Restructure Tools."

   

   Figure 8.7 OU structure for trainkit.microsoft.com domain

8. When you're finished, check that the OU hierarchy matches the one shown in Figure 8.8, and then close Active Directory Users And Computers.

   

   Figure 8.8 OU hierarchy as displayed in Active Directory Users And Computers

To complete the pristine environment setup

1. Insert the Supplemental Course Materials CD in your CD-ROM drive.
2. Open My Computer or Windows Explorer, and find the Tools folder on the CD.
3. Drag the Tools folder and drop it on the Drive C: icon to copy all files and subfolders to drive C:.

This completes the creation of a pristine Windows 2000 forest on PC1. You'll use this pristine forest to perform an inter-forest and an intra-forest restructure migration in Chapter 9. In a working environment you would also have created several OU structures, assigned GPOs, created users and groups, and migrated logon scripts and other planned activities.

Throughout Chapter 9, you will come across a variety of scripts, some of which do the same task. Please try to use or adapt whichever seems appropriate for your environment. All of them are useful for rebuilding and recreating test systems.

Lesson Summary

In this lesson, you learned that when planning a pristine environment, you need to consider the following: the roles that need to be identified for the domain controllers, whether the pristine environment will become the root domain, the issue of Active Directory pollution, and the importance of DNS. You also created and configured the pristine environment, including creating a hierarchy of OUs into which resources and users can be migrated.