You can upgrade a Microsoft Windows NT version 4.0 domain to the Windows Server 2003 Active Directory directory service in order to improve the security and scalability of your network infrastructure while reducing administrative overhead. This chapter provides step-by-step instructions for upgrading the primary domain controller (PDC) and backup domain controllers (BDCs) in a single Windows NT 4.0 domain to a new Windows Server 2003 Active Directory domain.
Small to medium-sized organizations that are currently running Windows NT 4.0 can take advantage of Active Directory features by upgrading their environment to a Microsoft Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition Active Directory domain.
When you perform an upgrade of a Windows NT 4.0 domain to Windows Server 2003 Active Directory, you can use your existing server hardware if it meets the requirements to run Windows Server 2003, or you can introduce new server hardware. Whether you use existing or new hardware, upgrading has no adverse effect on your Windows NT 4.0 production environment.
Upgrading a Windows NT 4.0 domain to Windows Server 2003 Active Directory involves the following steps:
Completing pre-upgrade tasks.
Upgrading the PDC.
Upgrading additional domain controllers.
Completing post-upgrade tasks.
If your organization includes more than one physical location, you will also need to create Active Directory sites, and part of your upgrade process will involve configuring the site topology.
If you are consolidating multiple Windows NT 4.0 domains into a single Active Directory domain by using a restructuring tool such as the Active Directory Migration Tool (ADMT), see Restructuring Windows NT 4.0 Domains to an Active Directory Forest in Designing and Deploying Directory and Security Services in the Microsoft Windows Server 2003 Deployment Kit (or see Restructuring Windows NT 4.0 Domains to an Active Directory Forest on the Web at http://www.microsoft.com/reskit).
A single domain design is the easiest to administer and the least expensive to maintain. The single domain design consists of a forest that contains a single domain. This domain contains all of the user, group, and computer accounts. In a single domain forest, all directory data is replicated to all geographic locations that host domain controllers. You do not need to create a forest or domain design when you upgrade from a single Windows NT 4.0 domain to a single Active Directory domain.
Before you begin to upgrade your Windows NT 4.0 domain, it is important to become familiar with the factors that can affect the upgrade process.
During the process of upgrading the operating system on the primary domain controller (PDC) from Windows NT 4.0 to Windows Server 2003 and installing Active Directory, client operations such as logon and resource access will continue to function because these services are provided by backup domain controllers. However, because the PDC is offline during most phases of the upgrade process, typically between one and three hours, operations that require data to be written to the domain will not succeed. For example, users will not be able to change their passwords and administrators will not be able to create, delete, or unlock user accounts. Administrative tools, such as User Manager for Domains or Server Manager, can be used only in read-only mode on backup domain controllers in the domain. In addition, you will not be able to create new objects, such as users and groups, while the PDC is offline.
If your organization includes client computers that are running Microsoft Windows 2000 or Windows XP operating systems in the domain, it is recommended that you upgrade all Windows NT 4.0-based domain controllers as quickly as possible. This is because all Windows 2000 and Windows XP clients will use only Windows Server 2003 domain controllers for logon after you upgrade the PDC.
Until you upgrade all workstations and servers to Windows 2000 or later, continue to run your environment in the pre-Windows 2000 compatible access mode. This mode allows services that run in the context of the Local System account, such as Remote Access Services (RAS), to operate properly. To enable the pre-Windows 2000 compatible access mode, you can do one of the following:
While installing Active Directory on the upgraded Windows NT 4.0 PDC, on the Permissions page of the Active Directory Installation wizard, select Permissions compatible with pre-Windows 2000 Server operating systems .
– or –
Add the Everyone group and the Anonymous Logon group to the Pre-Windows 2000 Compatible Access built-in group by using Active Directory Users and Computers or the command line.
To add the Everyone group to the Pre-Windows 2000 Compatible Access Group by using the command line, at the command line, type
net localgroup "Pre-Windows 2000 Compatible Access" Everyone /add
To add the Anonymous Logon group to the Pre-Windows 2000 Compatible Access Group by using the command line, at the command line, type
net localgroup "Pre-Windows 2000 Compatible Access" "Anonymous Logon" /add
After this update to the Pre-Windows 2000 Compatible Access group replicates, you must restart the Server service on all domain controllers.
After you upgrade all RAS servers, and when you no longer need backward compatibility with operating systems earlier than Windows 2000, remove the Everyone group and the Anonymous Logon group from the Pre-Windows 2000 Compatible Access built-in group. For more information about removing the Everyone group and the Anonymous Logon group from the Pre-Windows 2000 Compatible Access group, see Eliminate Anonymous Connections to Domain Controllers later in this chapter.
If you have WINS or DHCP running on a domain controller, you need to consider the effect of the upgrade on these services. Both WINS and DHCP are designed to upgrade their databases automatically when you upgrade from Windows NT 4.0 to Windows Server 2003, so you do not need to perform any additional steps to upgrade these services after you upgrade the operating system. However, after you install Active Directory, you must authorize your Windows Server 2003-based DHCP servers in Active Directory before they will continue to lease IP addresses. For more information about authorizing DHCP servers in Active Directory, see Authorize the DHCP Service later in this chapter.
If your existing WINS services, DHCP services, or both, are on a PDC or BDC that you are upgrading in place, the WINS and DHCP databases are upgraded automatically when the operating system is upgraded. This might cause the upgrade of the domain controller to take additional time.
After you upgrade the server operating system to Windows Server 2003, test the WINS and DHCP services to ensure that performance meets the appropriate standards. If performance is not satisfactory, you can migrate the services to a different computer. For more information about migrating WINS and DHCP services to a different computer, see Upgrading and Migrating WINS and DHCP Servers to Windows Server 2003 in this book.
During the upgrade process, for a period of time one or more domain controllers might be running Windows Server 2003 while others are still running Windows NT 4.0. Windows Server 2003 and Windows NT 4.0 domain controllers use different file replication services. If you have files that are replicated between domain controllers, such as logon scripts, you will need to manage them separately.
Server message block (SMB) packet signing and secure channel signing are security policies that are enabled by default on Windows Server 2003-based domain controllers. To allow clients running earlier versions of Windows to communicate with domain controllers running Windows Server 2003, you might need to disable these security policies temporarily during the upgrade process.
SMB packet signing is a security mechanism that protects the data integrity of SMB traffic between client computers and servers, and prevents man-in-the-middle attacks by providing a form of mutual authentication. This is done by placing a digital security signature into each SMB packet, which is then verified by the receiving party. Server-side SMB signing is required by default on Windows Server 2003-based domain controllers, which means that all clients are required to have SMB packet signing enabled.
Clients running Windows NT 4.0 with Service Pack 2 or earlier, and clients running the Microsoft Windows 95 operating system without the Directory Service Client Pack, do not support SMB packet signing. These clients will not be able to authenticate to a Windows Server 2003-based domain controller. To ensure successful authentication, upgrade these clients to a later version of the operating system or Service Pack. However, if you cannot upgrade your clients, you can allow them to be authenticated by configuring SMB packet signing on all Windows Server 2003-based domain controllers so that SMB packet signing is preferred but not required.
For more information about SMB packet signing, see Microsoft network server: Digitally sign communications (always) in Help and Support Center for Windows Server 2003.
For more information about configuring SMB packet signing on Windows Server 2003-based domain controllers, see Modify Security Policies later in this chapter.
For more information about the Directory Services Client Pack, see article 323466, Availability of the Directory Services Client Update for Windows 95 and Windows 98 in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
When a computer becomes a member of a domain, a computer account is created. Each time the computer starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to ensure secure communications between a domain member and a domain controller for its domain. Secure channel signing is required by default on Windows Server 2003-based domain controllers, which means that all clients must enable secure channel signing and encryption.
Clients running Windows NT 4.0 with Service Pack 3 or earlier installed do not support secure channel signing. These clients will not be able to establish communications with a Windows Server 2003-based domain controller. To ensure successful communication, upgrade these clients to a later version of the operating system or Service Pack. However, if you cannot upgrade your clients, you must disable secure channel signing on all Windows Server 2003-based domain controllers so that the traffic passing through the secure channel is not required to be signed or encrypted.
Unlike SMB packet signing, secure channel signing does not affect Windows 95 clients.
For more information about secure channel signing, see Domain member: Digitally encrypt or sign secure channel data (always) in Help and Support Center for Windows Server 2003.
For more information about configuring secure channel signing on Windows Server 2003-based domain controllers, see Modify Security Policies later in this chapter.
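The following cmd script is an added example, not part of the Deployment Kit; it audits a Windows Server 2003 domain controller for the two compatibility relaxations this chapter describes (Everyone and Anonymous Logon in the Pre-Windows 2000 Compatible Access group, and SMB packet signing or secure channel signing set to "preferred" or disabled) so that they are not forgotten once the legacy clients are gone. The script name is assumed, and the mapping of the two security policies to the LanmanServer and Netlogon registry values comes from Microsoft's policy documentation rather than from this chapter.

```batch
@echo off
setlocal EnableExtensions
rem AuditLegacyCompat.cmd (assumed name; added example, not Deployment Kit code).
rem Read-only: reports whether this domain controller still carries the
rem pre-Windows 2000 compatibility relaxations described in this chapter.

echo === Pre-Windows 2000 Compatible Access membership ===
net localgroup "Pre-Windows 2000 Compatible Access" | findstr /I /C:"Everyone" /C:"ANONYMOUS LOGON" >nul
if %ERRORLEVEL%==0 (
    echo   WARNING: Everyone and/or Anonymous Logon are still members.
    echo   Remove them once no pre-Windows 2000 clients or RAS servers remain.
) else (
    echo   OK: neither Everyone nor Anonymous Logon is a member.
)

echo === SMB packet signing ^(Microsoft network server policy^) ===
rem Registry values behind the policy (mapping from Microsoft documentation):
rem RequireSecuritySignature=1 is "always"; EnableSecuritySignature=1 is "if client agrees".
set "LANMAN=HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
call :CheckDword "%LANMAN%" RequireSecuritySignature 1
call :CheckDword "%LANMAN%" EnableSecuritySignature 1

echo === Secure channel signing ^(Domain member policy^) ===
rem RequireSignOrSeal=1 is "Digitally encrypt or sign secure channel data (always)".
set "NETLOGON=HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
call :CheckDword "%NETLOGON%" RequireSignOrSeal 1
call :CheckDword "%NETLOGON%" SignSecureChannel 1
call :CheckDword "%NETLOGON%" SealSecureChannel 1
goto :EOF

:CheckDword
rem %1 = registry key, %2 = value name, %3 = expected decimal value (hardened state)
set "CUR="
for /f "tokens=3" %%v in ('reg query %1 /v %2 2^>nul ^| findstr /I /C:"%~2"') do set "CUR=%%v"
if not defined CUR (
    echo   %~2: not present ^(policy default applies^)
    goto :EOF
)
rem reg query prints DWORDs as hex (0x1); set /a converts to decimal for comparison
set /a CUR_DEC=%CUR%
if %CUR_DEC%==%3 (
    echo   OK: %~2 = %CUR_DEC%
) else (
    echo   WARNING: %~2 = %CUR_DEC%, expected %3 - relaxed setting still in place
)
goto :EOF
```

Run it on each upgraded domain controller after the RAS servers and legacy clients have been upgraded; any WARNING line points at a setting that Eliminate Anonymous Connections to Domain Controllers or Modify Security Policies later in this chapter tells you how to restore.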