In a restructure, users and resources are moved from source domains to destination domains. Once everything has been successfully migrated to Windows 2000 and the production environment is working correctly, it's time to decommission the source domains. In this lesson, you'll learn the sequence and tasks to be performed in the decommissioning of a source domain.
After this lesson, you will be able to
Estimated lesson time: 45 minutes
During the migration, the source domain will usually be retained as a fallback until all the migration operations have been completed successfully. However, at some point, you'll decommission it. The decommissioning can take place only when all the users and resources in the source domain have been moved or copied into the destination and are working successfully in it.
The target domain should be tested extensively to prove that all services are available and function correctly before the source is decommissioned. Beware of applications or tasks that are used or performed infrequently, such as monthly payrolls or annual reviews, and make sure that all such tasks have been performed successfully before the source domain is removed.
The source domain should be backed up completely prior to decommissioning. It's important to be able to quickly restore the source domain in the event of a serious problem with the destination environment.
A shared local group resides on a Windows NT primary domain controller and is shared between the PDC and the BDCs in the Windows NT domain. The membership of this group can be made up of accounts from any trusted Windows NT or Windows 2000 domain. If the domain containing the shared local group is decommissioned, members of the group will be denied access to resources because its SID value is no longer recognized in the trusted domains.
To resolve this issue, the shared local group should be cloned into the target domain and the new group given appropriate permissions on resources. The Active Directory Migration Tool (ADMT) is recommended for this task because it will copy the local group and populate its membership automatically if member accounts are migrated at the same time. Once the group has been migrated, it must be given permissions on resources as required.
If an inter-forest restructure has been performed, the original user accounts will have been copied into the destination domain. However, they will still exist in the source domain. Before the source domain is decommissioned, these user names should be disabled in case some users are still using the accounts. If any problems are reported, an account can be re-enabled and the migration completed for that user with minimal disruption. Once all the accounts have been disabled, the source domain can be decommissioned.
Before the domain is decommissioned, a complete backup of the system should be performed and verified.
The first step in the decommission process is to remove the trust relationships between the source and target domains. Once the trust relationships have been broken, the SID values from destination domains will no longer be valid on resources in the source domains. You can use the Netdom tool to remove trusts between domains. Once the trust relationship has been broken, BDCs can be shut down and redeployed. The PDC should be shut down last.
You can decommission a domain controller in the source domain by installing Windows 2000 on the machine (assuming the hardware platform is compatible with Windows 2000). You would then make the upgraded machine a member server of the destination domain. The migration plan should cover the redeployment of controllers from a source domain.
Once you've migrated all your resources either via an inter-forest or intra-forest migration, you'll be left with the source domain controllers. As you've seen in previous chapters, there are no tools to move domain controllers to another domain. Because no users or resources are left in the source domain, you can either decommission the domain controllers for other purposes or migrate them into the Windows 2000 pristine forest either by an upgrade/reinstall (necessary for Windows NT systems) or by demoting and then repromoting if it's a Windows 2000 domain controller. In the following practice, you'll attempt the latter method.
In this practice, you've decided that the resources of the migkit.trainkit. microsoft.com domain have been fully migrated and consolidated into the trainkit.microsoft.com domain. You've made all necessary backups and ensured that all users, data, and applications are working as expected under Windows 2000. You would now like to migrate the MIGKIT1 server from migkit.trainkit. microsoft.com to serve as a domain controller in the trainkit.microsoft.com domain.
You're going to remove Active Directory on the MIGKIT1 server and reduce the computer to a member server. You'll then repromote MIGKIT1 into the trainkit.microsoft.com domain.
The opening screen will explain that MIGKIT1 is already an Active Directory domain controller and that continuing with the program will demote the machine to a member server.
Figure 10.13 Removing Active Directory from MIGKIT1
The Configuring Active Directory message box will appear and will show the progress in deleting everything that was in Active Directory. This might take 20 minutes or so, so now is a good time to take a break.
When Windows 2000 finishes loading, the Configure Your Server window should appear. You can use Configure Your Server to reinstall Active Directory, or you can run the Dcpromo utility again to begin the Active Directory installation wizard.
Figure 10.14 Configuring the member server
Figure 10.15 Specifying an additional domain controller
When you log on, notice that the only domain available now is TRAINKIT.
When recommissioning domain controllers in this way, you'll need to clean up the DNS database. Active Directory DNS will correctly locate and report the IP address of your migrated domain controller, but it won't delete the original entries from its database. For example, you can verify that MIGKIT1 is now in the trainkit.microsoft.com DNS zone by opening the DNS administrative tool and looking in trainkit.microsoft.com. However, note that the migkit.trainkit.microsoft.com zone still exists. This setting will be ignored, but it can be quite confusing for other administrators if they're unaware that the migration has taken place.
In this lesson, you learned the sequence of steps to follow to decommission a Windows NT domain. You saw the importance of ensuring that the source domain is not required by any migrated applications or accounts in the destination domain before it is decommissioned. The need for a comprehensive backup of both the source and destination domains was also emphasized. Finally, the servers in the domain are shut down and possibly redeployed in the destination domain if needed and if their hardware complement is suitable for Windows 2000.