Designing the New Windows Server 2003 Active Directory Environment


Before you begin your migration process, it is important to design your new Windows Server 2003 domain. This involves creating an Active Directory logical structure design and planning for DNS.

Design the Active Directory Logical Structure

Active Directory allows administrators to organize elements of a network (such as users, computers, devices, and so on) into a hierarchical, treelike structure of containers. The largest Active Directory container is called a forest. Within forests, there are domains. Within domains there are organizational units (OUs). This is called the logical model because it is designed independently from most physical aspects of the deployment, such as the number of domain controllers required within each domain and the network topology.

This book describes how to deploy a single global domain design, which is the easiest to administer and the least expensive to maintain. The single global domain design consists of a forest that contains a single domain. This domain contains all of the user, group, and computer accounts in the forest. In a single domain forest, all directory data is replicated to all geographic locations that host domain controllers. You do not need to create a forest or domain design when you upgrade from a single Windows NT 4.0 domain to a single Windows Server 2003 Active Directory domain.

You might want to design a simple OU structure for your single global domain, particularly if you plan to use Group Policy to help manage your environment. You can do this either before the migration or at a later time. For more information about applying Group Policy to an OU structure, see Migrating to Group Policy-Based Administration in this book.

Plan for DNS

Windows Server 2003 uses DNS for name resolution rather than the NetBIOS name resolution that the Windows Internet Name Service (WINS) provides on Windows NT 4.0-based networks. You can still run WINS for applications that require it; however, Active Directory requires DNS. Clients locate domain controllers by querying DNS for the service (SRV) resource records that domain controllers register, and domain controllers use DNS to find each other so that they can replicate the directory. To plan for DNS, you need to select a DNS domain name and determine how to configure the DNS Server service on domain controllers.

Select a DNS Domain Name

Before you begin using DNS on your network, decide on your DNS domain name, based on the following guidelines:

  • If you have a Web presence (for example, if an ISP hosts your site as www.fabrikam.com), reuse the registered name and create a subdomain of it for your Windows Server 2003 Active Directory domain (for example, fabricorp.fabrikam.com). Keeping the internal name beneath a name you already control ensures that it cannot collide with a namespace that someone else registers on the Internet.

  • If you do not have a Web presence, consider whether you plan to have one in the future. If you do plan to have a Web presence, register the name before you install Active Directory. If you do not plan to have a Web presence, you are not required to register the name; registering it anyway is inexpensive and prevents another party from registering it later, which would leave your internal namespace overlapping a public one.

    Note  

    To register a name, you must register your second-level domain name (such as fabrikam.com) with an authorized DNS domain name registration authority. Your ISP can often perform this function and obtain a name on your behalf, usually for an additional fee.

Determine How to Configure the DNS Server Service on Domain Controllers

The process for designing DNS to support Active Directory varies according to whether your organization already has an existing DNS service or whether you are deploying a new DNS service. This chapter discusses three starting scenarios:

  • No existing DNS.

  • No internal DNS, with DNS services provided by an ISP only.

  • Internal DNS and DNS provided by an ISP.

If one of the following scenarios describes your current DNS infrastructure, then see Deploying DNS in Deploying Network Services in the Microsoft Windows Server 2003 Deployment Kit (or see Deploying DNS on the Web at http://www.microsoft.com/reskit) for more information:

  • An internal DNS namespace, used only on your own network.

  • An internal DNS namespace with referral and access to an external namespace, such as referral or forwarding to a DNS server on the Internet.

No Existing DNS

An organization has no existing DNS infrastructure if the following are true:

  • The organization does not have any existing DNS servers in the network infrastructure.

  • The organization does not have any clients that access DNS servers. This means that the organization does not rely on an external source, such as a network service provider, for DNS services.

If this is true for your organization, you can allow the Active Directory Installation Wizard to configure an internal Active Directory-integrated DNS on the PDC automatically. To configure DNS on the PDC and subsequent domain controllers, follow the procedures in the Upgrading to Windows Server 2003 Active Directory chapter in this book.

No Internal DNS, DNS Provided by an ISP Only

If you do not have an internal DNS, but your ISP provides DNS services, then you can allow the Active Directory Installation Wizard to automatically configure an internal Active Directory-integrated DNS on the PDC. Your ISP does not need to make any changes. To configure DNS on the PDC and subsequent domain controllers, follow the procedures in the Upgrading to Windows Server 2003 Active Directory chapter in this book.

After you complete these procedures, you will have both an internal DNS and DNS provided by an ISP. The first domain controller that you deploy will automatically be configured to host the DNS zone that corresponds to the DNS name of the domain. To install and configure DNS in your environment, it is recommended that you do the following:

  • Install the DNS Server service on every domain controller. This provides fault tolerance in the event that one of the DNS servers is unavailable. In this way, domain controllers do not need to rely on other DNS servers for name resolution. This also simplifies the management environment because all domain controllers have a uniform configuration.

  • Configure domain controllers that are running DNS to use either forwarding or root hints for recursive name resolution, depending on which method your existing DNS service uses. When you follow the sequence of procedures in the Upgrading to Windows Server 2003 Active Directory chapter, the Active Directory Installation Wizard automatically configures recursive name resolution.

Internal DNS and DNS Provided by an ISP

When creating a DNS server configuration when you integrate Active Directory with an existing DNS namespace, it is recommended that you do the following:

  • Install the DNS Server service on every domain controller. This provides fault tolerance in the event that one of the DNS servers is unavailable. In this way, domain controllers do not need to rely on other DNS servers for name resolution. This also simplifies the management environment because all domain controllers have a uniform configuration.

  • Configure domain controllers that are running DNS to use either forwarding or root hints for recursive name resolution, depending on which method your existing DNS service uses. When you follow the sequence of procedures in the Upgrading to Windows Server 2003 Active Directory chapter, the Active Directory Installation Wizard automatically configures recursive name resolution.

  • Configure the first domain controller that you deploy to host the DNS zone that corresponds to the DNS name of the domain. You do not need to restructure the existing DNS namespace to do this; you only add a delegation for the Active Directory zone to the parent zone in your existing DNS hierarchy (NS records naming the domain controllers, plus glue A records so that resolvers can reach them). For more information about creating this delegation, see Upgrading to Windows Server 2003 Active Directory in this book.
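The two ISP scenarios above both end with the same arrangement: the parent zone (held by the ISP or by an existing internal DNS server) delegates the Active Directory domain to the domain controllers, and the domain controllers host the Active Directory-integrated zone with the locator records. The following Python script is an added example, not part of the book or of any Microsoft tool: it checks offline that such a delegation is consistent (NS records present in the parent, glue A records for name servers inside the delegated zone, the same NS set in both zones, and the SRV records that clients use to find domain controllers). The zone text, host names and addresses are constructed samples, and the list of required SRV owners is an assumed minimum rather than the full set a domain controller registers.

```python
"""Offline consistency check of an Active Directory DNS delegation.

Added example (not from the book): verify that the parent zone delegates
the AD domain to the domain controllers and that the AD-integrated child
zone carries the domain-controller locator records. All zone data below
is constructed for illustration.
"""
from collections import defaultdict

# Assumed minimum set of SRV owners that clients query to find a domain
# controller; a real DC registers more (site-specific records, GC, kpasswd).
REQUIRED_SRV = ("_ldap._tcp.", "_kerberos._tcp.",
                "_ldap._tcp.dc._msdcs.", "_kerberos._tcp.dc._msdcs.",
                "_ldap._tcp.pdc._msdcs.")

PARENT_ZONE = """\
; fabrikam.com, held by the ISP (constructed sample)
fabrikam.com.               3600 IN SOA ns1.isp.example. hostmaster.fabrikam.com. 2004010101 3600 900 604800 300
fabrikam.com.               3600 IN NS  ns1.isp.example.
www.fabrikam.com.           3600 IN A   203.0.113.10
; delegation of the Active Directory domain to the domain controllers
fabricorp.fabrikam.com.     3600 IN NS  dc1.fabricorp.fabrikam.com.
fabricorp.fabrikam.com.     3600 IN NS  dc2.fabricorp.fabrikam.com.
dc1.fabricorp.fabrikam.com. 3600 IN A   192.0.2.11
dc2.fabricorp.fabrikam.com. 3600 IN A   192.0.2.12
"""

CHILD_ZONE = """\
; fabricorp.fabrikam.com, Active Directory-integrated on dc1 and dc2 (constructed sample)
fabricorp.fabrikam.com.     IN SOA dc1.fabricorp.fabrikam.com. hostmaster.fabrikam.com. 42 900 600 86400 3600
fabricorp.fabrikam.com.     IN NS  dc1.fabricorp.fabrikam.com.
fabricorp.fabrikam.com.     IN NS  dc2.fabricorp.fabrikam.com.
dc1.fabricorp.fabrikam.com. IN A   192.0.2.11
dc2.fabricorp.fabrikam.com. IN A   192.0.2.12
_ldap._tcp.fabricorp.fabrikam.com.               IN SRV 0 100 389 dc1.fabricorp.fabrikam.com.
_ldap._tcp.fabricorp.fabrikam.com.               IN SRV 0 100 389 dc2.fabricorp.fabrikam.com.
_kerberos._tcp.fabricorp.fabrikam.com.           IN SRV 0 100 88  dc1.fabricorp.fabrikam.com.
_ldap._tcp.dc._msdcs.fabricorp.fabrikam.com.     IN SRV 0 100 389 dc1.fabricorp.fabrikam.com.
_kerberos._tcp.dc._msdcs.fabricorp.fabrikam.com. IN SRV 0 100 88  dc1.fabricorp.fabrikam.com.
_ldap._tcp.pdc._msdcs.fabricorp.fabrikam.com.    IN SRV 0 100 389 dc1.fabricorp.fabrikam.com.
"""


def parse_zone(text):
    """Parse 'owner [ttl] IN type rdata...' lines with absolute owner names into
    {(owner, type): [rdata token lists]}. Comments (;) and blank lines are skipped."""
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[1].isdigit():            # optional TTL field
            del fields[1]
        owner, cls, rtype, rdata = fields[0].lower(), fields[1].upper(), fields[2].upper(), fields[3:]
        if cls != "IN" or not owner.endswith("."):
            raise ValueError(f"unsupported record line: {raw!r}")
        records[(owner, rtype)].append(rdata)
    return records


def ns_targets(zone, owner):
    """Set of name-server host names in the NS records owned by `owner`."""
    return {r[0].lower() for r in zone.get((owner, "NS"), [])}


def check_delegation(parent_text, child_text, child_apex):
    """Return a list of problems; an empty list means the delegation is sound."""
    parent, child = parse_zone(parent_text), parse_zone(child_text)
    apex = child_apex.lower().rstrip(".") + "."
    problems = []

    parent_ns, child_ns = ns_targets(parent, apex), ns_targets(child, apex)
    if not parent_ns:
        problems.append(f"parent zone has no NS records delegating {apex}")
    elif parent_ns != child_ns:
        problems.append(f"NS set differs: parent={sorted(parent_ns)} child={sorted(child_ns)}")
    for ns in parent_ns:
        # A name server inside the delegated zone needs a glue A record in the
        # parent; without it a resolver cannot reach the child zone at all.
        if ns.endswith("." + apex) and (ns, "A") not in parent:
            problems.append(f"missing glue A record for {ns} in parent zone")
    for ns in child_ns:
        if (ns, "A") not in child:
            problems.append(f"name server {ns} has no A record in child zone")
    for prefix in REQUIRED_SRV:
        owner = prefix + apex
        srvs = child.get((owner, "SRV"), [])
        if not srvs:
            problems.append(f"missing locator record {owner}")
        for srv in srvs:                   # rdata: priority weight port target
            target = srv[3].lower()
            if (target, "A") not in child:
                problems.append(f"SRV {owner} points at {target}, which has no A record")
    return problems


if __name__ == "__main__":
    broken_parent = "\n".join(l for l in PARENT_ZONE.splitlines() if not l.startswith("dc2."))
    for label, parent in (("complete delegation", PARENT_ZONE), ("dc2 glue removed", broken_parent)):
        print(label, "->", check_delegation(parent, CHILD_ZONE, "fabricorp.fabrikam.com") or "OK")
```

On a live network the equivalent check is a query against each domain controller, for example nslookup -type=SRV _ldap._tcp.dc._msdcs.fabricorp.fabrikam.com, run from a client whose resolver points at the domain controllers; a missing glue record or a missing locator record shows up there as a client that cannot find a domain controller even though the domain controller itself is healthy.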




The Microsoft Windows Server Team
Migrating from Microsoft Windows NT Server 4.0 to Windows Server 2003
ISBN: 0735619409
Year: 2004
Pages: 96
