To upgrade your Windows NT 4.0 environment to a new single domain forest, you must complete some or all of the following tasks:
Back up all domain data.
Delegate the DNS zone for the new Windows Server 2003 domain, if you have an existing DNS infrastructure.
Identify potential upgrade problems.
Upgrade the operating system of the Windows NT 4.0 PDC.
Install Active Directory.
Authorize the DHCP service, if DHCP is running on the PDC.
Configure the Windows Time Service.
Enable aging and scavenging for DNS.
Verify DNS server recursive name resolution.
Perform post-upgrade tests.
Modify security policies.
To help to illustrate the process for upgrading to a single domain forest, sample data for a fictitious company, Fabrikam, Inc., is provided within the context of the tasks that must be performed.
Back up your Windows NT 4.0 domain data before you begin the upgrade. This task varies according to the operations and procedures that already exist in your environment. It is recommended that you complete the following steps:
Back up the PDC.
Back up the BDC that you designated as the rollback server.
Test all backup media to ensure that the data can be restored successfully.
Before you begin the upgrade process, store the backup media in a secure offsite location.
If your organization has an existing DNS infrastructure, review current network diagrams and DNS domain hierarchy diagrams. Also, review the existing DNS zone configuration, replication, and resource records that are used for delegation and forwarding. To configure the DNS zone for the single domain forest, the DNS administrator of your existing DNS infrastructure delegates the zone matching the name of the new Windows Server 2003 domain to the DNS servers that are running on the domain controllers in the single domain forest.
If you do not have a DNS infrastructure, or if your DNS services are provided by an ISP, you do not need to complete this step. Proceed to the next step, Upgrade the Operating System of the Windows NT 4.0 PDC later in this chapter.
In preparation for the deployment of the single domain forest, create a delegation for the DNS servers that will be running on the domain controllers in the Windows Server 2003 domain. Create the delegation by adding DNS name server (NS) and address (A) resource records to the parent DNS zone.
The delegation that occurs in this step references the first Windows Server 2003-based domain controller, which does not currently exist. The DNS service is installed and configured on the first Windows Server 2003-based domain controller in a later step. However, it is important to add this record before you install Active Directory on the PDC, because the Active Directory Installation Wizard will use the record to configure the new DNS zone that Active Directory uses.
To delegate the DNS zone for the Windows Server 2003 domain
Create a name server (NS) resource record in the parent zone. Use the full DNS name of the domain controller, as follows:
forest_root_domain IN NS domain_controller_name
Create a host address (A) resource record in the parent zone. Use the full DNS name of the domain controller, as follows:
domain_controller_name IN A domain_controller_ip_address
For example, Fabrikam's PDC name is SEA-FAB-DC01, and its IP address is 172.16.12.2. During the Active Directory installation, Fabrikam will install the DNS Server service on this domain controller. In preparation for that step, the DNS administrator for Fabrikam created the following DNS resource records in the parent zone, fabrikam.com:
fabricorp IN NS SEA-FAB-DC01.fabricorp.fabrikam.com
SEA-FAB-DC01.fabricorp.fabrikam.com IN A 172.16.12.2
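A delegation is only usable when the NS record is accompanied by a host (A) record for the name server, because a server whose name lies inside the delegated zone cannot be looked up through that delegation. The following script, an added example that is not part of the Deployment Kit, parses a constructed excerpt of the parent zone in the common "owner IN TYPE rdata" form and reports whether the delegation for the new domain is complete before the Active Directory Installation Wizard is run. The Fabrikam names and the address 172.16.12.2 are taken from the walk-through above; the zone text itself is constructed.

```python
"""Check a parent zone for a usable delegation of a child zone.

Added example (not from the Windows Server 2003 Deployment Kit). It models the
two records the procedure above describes: an NS record for the child zone in
the parent zone, plus a host (A) record for the name server. The zone text is
a constructed excerpt in the common "owner IN TYPE rdata" form.
"""
import ipaddress
from typing import Dict, List, Tuple


def _qualify(name: str, origin: str) -> str:
    """Return `name` as a lower-case fully qualified name with a trailing dot.

    The text writes full names without the trailing dot, so a name that already
    ends with the origin is treated as absolute; anything else is relative to it.
    """
    name = name.lower()
    if name.endswith("."):
        return name
    origin = origin.lower().rstrip(".")
    if name == origin or name.endswith("." + origin):
        return name + "."
    return f"{name}.{origin}."


def parse_records(zone_text: str, origin: str) -> List[Tuple[str, str, str]]:
    """Parse 'owner IN TYPE rdata' lines into (owner_fqdn, TYPE, rdata) tuples."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[1].upper() != "IN":
            raise ValueError(f"unsupported record line: {raw!r}")
        owner, _, rtype, rdata = parts
        records.append((_qualify(owner, origin), rtype.upper(), rdata.strip().lower()))
    return records


def check_delegation(zone_text: str, origin: str, child: str) -> Dict[str, object]:
    """Report whether `child` is delegated from the `origin` zone with usable glue.

    A name server inside the delegated zone (in-bailiwick) cannot be resolved
    through the delegation itself, so the parent must also hold its A record.
    """
    records = parse_records(zone_text, origin)
    child_fqdn = _qualify(child, origin)
    a_records = {owner: rdata for owner, rtype, rdata in records if rtype == "A"}
    name_servers = [_qualify(rdata, origin) for owner, rtype, rdata in records
                    if rtype == "NS" and owner == child_fqdn]
    missing_glue: List[str] = []
    bad_glue: List[str] = []
    for ns in name_servers:
        if not ns.endswith("." + child_fqdn):
            continue  # out-of-bailiwick server: resolvable on its own, glue not required
        glue = a_records.get(ns)
        if glue is None:
            missing_glue.append(ns)
            continue
        try:
            ipaddress.IPv4Address(glue)
        except ValueError:
            bad_glue.append(ns)
    return {
        "child": child_fqdn,
        "name_servers": name_servers,
        "missing_glue": missing_glue,
        "bad_glue": bad_glue,
        "ok": bool(name_servers) and not missing_glue and not bad_glue,
    }


# Constructed excerpt of the fabrikam.com parent zone after the DNS administrator
# added both records, as in the Fabrikam walk-through.
PARENT_ZONE_OK = """
; delegation for the new Windows Server 2003 domain fabricorp.fabrikam.com
fabricorp IN NS SEA-FAB-DC01.fabricorp.fabrikam.com
SEA-FAB-DC01.fabricorp.fabrikam.com IN A 172.16.12.2
"""

# Constructed excerpt with the glue record forgotten: the NS points into the
# child zone, but nothing in the parent says where that server is.
PARENT_ZONE_NO_GLUE = """
fabricorp IN NS SEA-FAB-DC01.fabricorp.fabrikam.com
"""

if __name__ == "__main__":
    for label, zone in (("complete", PARENT_ZONE_OK), ("no glue", PARENT_ZONE_NO_GLUE)):
        print(label, check_delegation(zone, "fabrikam.com", "fabricorp"))
```

Run the script to compare the two excerpts: the first reports `ok: True`, the second lists the name server under `missing_glue`, which is exactly the state that makes the wizard's DNS Registration Diagnostics unable to locate the server later on.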
Before upgrading the operating system to Windows Server 2003, use the Winnt32.exe command-line tool to identify any potential upgrade problems, such as inadequate hardware resources or compatibility problems.
To identify potential upgrade problems
At the command line, change to the I386 directory of your installation source and type winnt32 /checkupgradeonly. For example, if your installation source is the Windows Server 2003 operating system CD in the D: drive, navigate to D:\I386 and type the following command:
D:\I386> winnt32 /checkupgradeonly
The screen will then display the command prompt while the tool is running. It can take a few minutes for the Microsoft Windows Upgrade Advisor screen to appear.
Resolve reported problems before performing the upgrade.
To install the operating system on the PDC, insert the Windows Server 2003 operating system CD in the CD-ROM drive of the domain controller and select the option to install the operating system, or use an automated installation method. If the Windows Server 2003 media is shared on the network, run the Winnt32.exe command.
Complete the operating system installation by doing the following:
Verify that you are using a static IP address.
Convert the partitions to NTFS if necessary. The installation of Active Directory will not succeed unless at least one NTFS partition is available on which to locate the SYSVOL shared folder.
Select Upgrade for the Installation type.
Configure DNS client settings by using the IP address of the closest DNS server for the Preferred DNS Server settings. If you have more than one DNS server, add the IP address of the next closest DNS server to the Alternate DNS server setting. If there are no other DNS servers, leave the alternate setting blank. These DNS client settings are temporary and will be changed during the installation of Active Directory.
Install Windows Support Tools, which are available in the \Support\Tools folder on the Windows Server 2003 operating system CD.
During the operating system upgrade, the computer will restart three times. After you upgrade the operating system on a Windows NT 4.0 domain controller to Windows Server 2003, the computer is in an intermediate state, meaning that the computer is no longer a Windows NT 4.0-based domain controller, and it is not a Windows Server 2003-based member server or domain controller until Active Directory is installed. After the computer restarts for the last time, the Active Directory Installation Wizard appears.
Proceed immediately with the installation of Active Directory by completing the Active Directory Installation Wizard. The Active Directory Installation Wizard creates the Active Directory database and moves objects from the Windows NT 4.0 SAM to the Active Directory database. In addition, on the first domain controller in a new domain, the wizard completes the following tasks:
Prompts the administrator to verify the installation and configuration of the DNS Server service.
Configures DNS recursive name resolution forwarding by adding the IP addresses of the existing entries for Preferred DNS server and Alternate DNS server to the list of DNS servers on the Forwarders tab of the Properties sheet for the domain controller.
Configures DNS recursive name resolution by root hints, by adding the root hints that are configured on the Preferred DNS server to the list of DNS servers on the Root Hints tab of the Properties sheet for the domain controller.
Configures the Preferred DNS server to point to the DNS server that is running locally on the domain controller, and configures the Alternate DNS server to point to the closest DNS server.
Creates two application directory partitions that are used by DNS. The DomainDnsZones application directory partition holds domain-wide DNS data, and the ForestDnsZones application directory partition holds forest-wide DNS data.
Prompts the administrator to select the forest functional level.
Table 2.1 lists the actions required to complete the Active Directory installation wizard on a Windows NT 4.0 PDC, and lists sample data for installing Active Directory on the first domain controller in the single domain forest for Fabrikam, SEA-FAB-DC01.
Wizard Page or Dialog Box: Create New Domain
Action: Select Domain in a new forest.

Wizard Page or Dialog Box: New Domain Name
Action: Type the full DNS name of the domain.

Wizard Page or Dialog Box: Forest Functional Level
Action: Choose Windows Server 2003 interim. This is the preferred level because replication is more efficient when you are operating at the Windows Server 2003 interim functional level than when you are operating at the Windows 2000 functional level.
Fabrikam sample data: Because Fabrikam does not plan to add any Windows 2000-based domain controllers to their forest at any time, they chose the Windows Server 2003 interim forest functional level.

Wizard Page or Dialog Box: Database and Log Folders
Action: Type the folder locations specified by your design.
Fabrikam sample data: The design for Fabrikam domain controllers specifies that the database folder and log folder remain in the default location: C:\Winnt\NTDS.

Wizard Page or Dialog Box: Shared System Volume
Action: Confirm or type the location specified by your design.

Wizard Page or Dialog Box: DNS Registration Diagnostics
Action: DNS Registration Diagnostics will indicate that it cannot find the name and address of the DNS server with which this domain controller will be registered. This is because the pre-created delegation record points to the local computer and DNS has not been installed on the domain controller at this point. Select the option to Install and configure the DNS server on this computer and set this computer to use this DNS server as its preferred DNS server.

Action: Select the security level specified by your design.
Fabrikam sample data: Because Fabrikam currently has services running on Windows NT 4.0-based servers under the context of the Local System account, they selected Permissions compatible with pre-Windows 2000 server operating systems.

Wizard Page or Dialog Box: Directory Service Restore Mode Administration Password
Action: In the Password and Confirm password boxes, type any strong password.
When you complete the Active Directory Installation Wizard, verify that all information on the Summary page is accurate, and then click Finish . After the Active Directory Installation Wizard finishes, you will be prompted to restart the computer. The installation will not be complete until the computer restarts.
For more information about installing and removing Active Directory, see the Directory Services Guide of the Microsoft Windows Server 2003 Resource Kit (or see the Directory Services Guide on the Web at http://www.microsoft.com/reskit).
After you install Windows Server 2003 Active Directory, enable Remote Desktop for Administration, formerly known as Terminal Services in Remote Administration mode, to enable administrators to log on remotely if necessary.
To enable Remote Desktop for Administration
In Control Panel, double-click System, select the Remote tab, and then select Allow users to connect remotely to this computer.
Fabrikam completed the Active Directory Installation wizard on the Windows NT 4.0 PDC, SEA-FAB-DC01. Figure 2.1 shows the Active Directory Installation Wizard welcome screen.
The PDC becomes the first domain controller in a new domain in a new forest. Figure 2.2 shows the selection to create a new domain on the Create New Domain wizard page.
The DNS name of the Fabrikam Windows Server 2003 domain is shown in Figure 2.3.
Because Fabrikam does not plan to add any Windows 2000-based domain controllers to their forest at any time, they selected the Windows Server 2003 interim forest functional level, as shown in Figure 2.4.
The design for Fabrikam domain controllers specifies that both the database and log folders remain in the default location: C:\Winnt\NTDS, as shown in Figure 2.5. Smaller organizations can place both folders in the same location without affecting performance.
The design for Fabrikam domain controllers specifies that the SYSVOL folder remain in the default location: C:\Winnt\SYSVOL, as shown in Figure 2.6.
DNS Registration Diagnostics indicates that none of the DNS servers used by this computer responded. Fabrikam selected the option to Install and configure the DNS server on this computer and set this computer to use this DNS server as its preferred DNS server, as shown in Figure 2.7.
Because Fabrikam currently has services running on Windows NT 4.0-based servers under the context of the Local System account, they selected Permissions compatible with pre-Windows 2000 server operating systems, as shown in Figure 2.8.
Fabrikam set a strong Directory Services Restore Mode password, as shown in Figure 2.9.
The Active Directory domain controller has been created in a site called Default-First-Site-Name, as shown in Figure 2.10. For organizations that have a single physical location, no changes to this site assignment need to be made. Organizations that include more than one physical location can create sites, and move the domain controller to one of the new sites. For more information about creating sites, see Configuring the Site Topology later in this chapter.
If your PDC was also a DHCP server, you must authorize the server in Active Directory to allow it to lease IP addresses after the upgrade to Windows Server 2003 Active Directory.
To authorize a DHCP server in Active Directory
Log on to the domain controller by using an account that is a member of the Enterprise Admins group.
In the DHCP snap-in, right-click DHCP.
Click Manage authorized servers.
In the Manage Authorized Servers dialog box, click Authorize.
In the Authorize DHCP Server dialog box, type the name or IP address of the DHCP server, and then click OK.
It is important to configure the Windows Time Service correctly to meet the needs of your organization. The Windows Time Service provides time synchronization to peers and clients, which ensures that time is consistent throughout an organization.
Configure the first domain controller that is deployed to synchronize from a valid Network Time Protocol (NTP) source. If no source is configured, the service logs a message to the event log and uses the local clock when providing time to clients. Although Internet NTP sources are valid for this configuration, it is recommended that you use a dedicated hardware device, such as a GPS or radio clock, to ensure increased security.
If the first domain controller in the new Windows Server 2003 domain is removed at any time, you will need to repeat this operation.
To configure the Windows Time Service on the first domain controller in the domain
Log on to the domain controller.
At the command line, type:
W32tm /config /manualpeerlist:peers /syncfromflags:manual
where peers is a space-delimited list of DNS and/or IP addresses. When specifying multiple peers, enclose the list in quotation marks.
Update the Windows Time Service configuration. At the command line, type:
W32tm /config /update
- or -
Net stop w32time
Net start w32time
When specifying a manual peer, do not use the DNS name or IP address of a computer that uses the forest root domain controller as its source for time, such as another domain controller in the forest. The time service does not operate correctly if there are cycles in the time source configuration.
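The cycle warning above is easy to violate in a forest where every other computer ultimately follows the PDC. The following script, an added example that is not part of the Deployment Kit, models each computer's configured time sources as a directed graph and checks a proposed manual peer list for the PDC before it is applied with W32tm /config /manualpeerlist. It also builds the quoted, space-delimited peer list the procedure calls for. All host names are constructed, and ntp.example.invalid stands in for an external NTP source.

```python
"""Check a Windows Time Service peer list for cycles before applying it.

Added example, not from the Deployment Kit. Each computer's configured time
sources are edges of a directed graph; a proposed manual peer list for `host`
is rejected if it would make `host` depend, directly or indirectly, on its own
clock. Host names are constructed.
"""
from typing import Dict, List, Optional, Set

# computer -> list of computers or NTP servers it takes time from
TimeGraph = Dict[str, List[str]]


def find_cycle(graph: TimeGraph, start: str) -> Optional[List[str]]:
    """Return the chain of sources that leads from `start` back to itself,
    or None when `start` does not (transitively) depend on its own clock."""

    def walk(node: str, path: List[str], seen: Set[str]) -> Optional[List[str]]:
        for source in graph.get(node, []):
            if source == start:
                return path + [source]
            if source not in seen:
                seen.add(source)
                found = walk(source, path + [source], seen)
                if found:
                    return found
        return None

    return walk(start, [start], {start})


def propose_manual_peers(graph: TimeGraph, host: str, peers: List[str]) -> Optional[List[str]]:
    """Simulate `W32tm /config /manualpeerlist:... /syncfromflags:manual` on `host`
    and return the cycle it would introduce, or None when the list is safe."""
    trial = {name: list(sources) for name, sources in graph.items()}
    trial[host] = list(peers)  # /syncfromflags:manual replaces the host's sources
    return find_cycle(trial, host)


def format_peer_list(peers: List[str]) -> str:
    """Build the /manualpeerlist value: space-delimited, quoted when more than one."""
    joined = " ".join(peers)
    return f'"{joined}"' if len(peers) > 1 else joined


# Constructed domain: the PDC is SEA-FAB-DC01; a second domain controller and a
# workstation already follow it through the normal domain hierarchy.
FABRIKAM_TIME: TimeGraph = {
    "sea-fab-dc02": ["sea-fab-dc01"],
    "ws-001": ["sea-fab-dc02"],
}

if __name__ == "__main__":
    for peers in (["ntp.example.invalid"], ["sea-fab-dc02"]):
        cycle = propose_manual_peers(FABRIKAM_TIME, "sea-fab-dc01", peers)
        verdict = "cycle: " + " -> ".join(cycle) if cycle else "ok"
        print(f"W32tm /config /manualpeerlist:{format_peer_list(peers)} "
              f"/syncfromflags:manual  # {verdict}")
```

Pointing the PDC at the external source passes; pointing it at sea-fab-dc02 is reported as the chain sea-fab-dc01 -> sea-fab-dc02 -> sea-fab-dc01, the configuration the text says the time service cannot operate with.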
For more information about configuring and deploying the Windows Time Service, see the Directory Services Guide of the Microsoft Windows Server 2003 Resource Kit (or see the Directory Services Guide on the Web at http://www.microsoft.com/reskit).
In a new single domain forest, you need to enable aging and scavenging on Windows Server 2003-based domain controllers running the DNS Server service to allow automatic cleanup and removal of stale resource records (RRs), which can accumulate in zone data over time.
With dynamic update, RRs are automatically added to zones when computers start on the network. However, in some cases, they are not automatically removed when computers leave the network. For example, if a computer registers its own host (A) RR at startup, and is later incorrectly disconnected from the network, its host (A) RR might not be deleted. If your network has mobile users and computers, this situation can occur frequently.
If left unmanaged, the presence of stale RRs in zone data might cause problems, including the following:
If a large number of stale RRs remain in server zones, they can eventually take up server disk space and cause unnecessarily long zone transfers.
DNS servers loading zones with stale RRs might use outdated information to answer client queries, potentially causing the clients to experience name resolution problems on the network.
The accumulation of stale RRs at the DNS server can degrade its performance and responsiveness.
By default, the aging and scavenging mechanism for the DNS Server service is disabled. Enable aging and scavenging only after you understand all parameters. Otherwise, the server can accidentally be configured to delete resource records that need to remain. If a resource record is accidentally deleted, users will fail to resolve queries for that resource record, and any user is able to create the resource record and take ownership of it, even on zones configured for secure dynamic update.
For more information about how to configure aging and scavenging, see Understanding aging and scavenging: DNS in Help and Support Center for Windows Server 2003.
To enable the aging and scavenging features, and to configure the applicable server and its Active Directory-integrated zones, perform these tasks:
Enable aging and scavenging on two servers that are running Windows Server 2003. These settings determine the effect of zone-level properties for any Active Directory-integrated zones loaded at the server.
Enable aging and scavenging for selected zones at the DNS server. When zone-specific properties are set for a selected zone, these settings apply only to the applicable zone and its resource records. Unless these zone-level properties are otherwise configured, they inherit their defaults from comparable settings maintained in server aging and scavenging properties.
To set aging and scavenging properties for the DNS server
Log on to the computer that is running the DNS Server service by using an account that is a member of the local Administrators group.
In the DNS console tree, right-click the applicable DNS server, and then click Set Aging/Scavenging for all zones.
Select the Scavenge stale resource records check box.
Modify other aging and scavenging properties as needed.
To set aging and scavenging properties for a zone
Log on to the computer that is running the DNS Server service by using an account that is a member of the local Administrators group.
In the DNS console tree, right-click the applicable zone, and then click Properties.
On the General tab, click Aging, and then select the Scavenge stale resource records check box.
Modify other aging and scavenging properties as needed.
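The warning above about understanding all parameters before enabling scavenging, and the point that server-level and zone-level settings both have to allow it, are easier to reason about with a small simulation. The following script is an added example, not from the Deployment Kit. It models the aging rule of the Windows DNS Server service as I know it, which the text does not spell out: each dynamically registered record carries a timestamp; a refresh from the owning host is ignored during the no-refresh interval and resets the timestamp afterwards; a record is stale once its timestamp is older than no-refresh plus refresh; and static records are never scavenged. The seven-day intervals are the service's defaults; the host names, address and dates are constructed.

```python
"""Simulate DNS aging and scavenging to see which records a given setting removes.

Added example, not from the Deployment Kit. Models the no-refresh/refresh
timestamp rule of the Windows DNS Server service; nothing is removed unless
scavenging is enabled at both the server and the zone. Names and dates are
constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Record:
    name: str
    rtype: str
    data: str
    timestamp: Optional[datetime]  # None marks a static record, never scavenged


@dataclass
class ScavengeSettings:
    server_enabled: bool
    zone_enabled: bool
    no_refresh: timedelta = timedelta(days=7)  # service default
    refresh: timedelta = timedelta(days=7)     # service default


def apply_refresh(rec: Record, settings: ScavengeSettings, now: datetime) -> bool:
    """Dynamic-update refresh from the record's owner; True if the timestamp moved."""
    if rec.timestamp is None or now < rec.timestamp + settings.no_refresh:
        return False  # static, or still inside the no-refresh interval
    rec.timestamp = now
    return True


def is_stale(rec: Record, settings: ScavengeSettings, now: datetime) -> bool:
    """A record is stale once no-refresh + refresh has elapsed since its timestamp."""
    if rec.timestamp is None:
        return False
    return now >= rec.timestamp + settings.no_refresh + settings.refresh


def scavenge(records: List[Record], settings: ScavengeSettings,
             now: datetime) -> Tuple[List[Record], List[Record]]:
    """Return (kept, removed). Nothing is removed unless both server and zone allow it."""
    if not (settings.server_enabled and settings.zone_enabled):
        return list(records), []
    removed = [r for r in records if is_stale(r, settings, now)]
    kept = [r for r in records if not is_stale(r, settings, now)]
    return kept, removed


def simulate_host(settings: ScavengeSettings, refresh_every_days: int,
                  leaves_after_day: Optional[int], horizon_days: int = 60) -> Optional[int]:
    """Day on which a host's A record is scavenged, or None if it survives the horizon.

    The host registers on day 0 and re-registers every `refresh_every_days` until
    it leaves the network; a scavenging pass runs once a day before the refresh.
    """
    start = datetime(2003, 6, 1)
    rec = Record("ws-001.fabricorp.fabrikam.com", "A", "172.16.12.50", start)
    for day in range(1, horizon_days + 1):
        now = start + timedelta(days=day)
        _, removed = scavenge([rec], settings, now)
        if removed:
            return day
        still_here = leaves_after_day is None or day <= leaves_after_day
        if still_here and day % refresh_every_days == 0:
            apply_refresh(rec, settings, now)
    return None


DEFAULTS = ScavengeSettings(server_enabled=True, zone_enabled=True)
# Intervals far too short for a host that re-registers once a day.
TOO_SHORT = ScavengeSettings(True, True, timedelta(hours=1), timedelta(hours=1))
ZONE_OFF = ScavengeSettings(server_enabled=True, zone_enabled=False)

if __name__ == "__main__":
    print("live host, default intervals:", simulate_host(DEFAULTS, 1, None))  # None
    print("host gone after day 3:", simulate_host(DEFAULTS, 1, 3))             # 14
    print("live host, 1h+1h intervals:", simulate_host(TOO_SHORT, 1, None))    # 1
    print("host gone, zone scavenging off:", simulate_host(ZONE_OFF, 1, 3))    # None
```

With the defaults a host that keeps registering is never touched and a host that disappeared is cleaned up on day 14; with one-hour intervals the record of a perfectly healthy host is removed on the first pass, which is the accidental deletion the text warns about; and with zone-level scavenging off nothing is ever removed, however the server is configured.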
DNS server recursive name resolution is configured automatically during the Active Directory installation process. If your design specifies a different configuration, you can use the DNS snap-in or Dnscmd.exe to modify these settings. Use the DNS snap-in to verify DNS server recursive name resolution based on the information in Table 2.2.
Configuration: Recursive name resolution by root hints
Description: No additional configuration is necessary. When the DNS server specified as the Preferred DNS server during the installation process is correctly configured, the root hints are automatically configured. Verify the root hints by using the DNS snap-in.
Note: Root hints are the recommended method to use for recursive name resolution in a Windows Server 2003 environment.

Configuration: Recursive name resolution by forwarding
Description: Forward unresolved queries to specified DNS servers. Verify forwarding by using the DNS snap-in.
Note: Use forwarders only if that is what your organization's design specifies. Root hints are the recommended method to use for recursive name resolution in a Windows Server 2003 environment.

Configuration: No existing DNS infrastructure
Description: No additional configuration is necessary.
Note: In this environment, if you want to configure internal DNS servers to resolve queries for external names, then configure this DNS server to forward unresolved queries to an external server, such as one in your perimeter network, or one hosted by an Internet service provider.
After the Active Directory Installation Wizard completes, verify that the Active Directory installation was successful. Review the Windows Server 2003 event log for any errors.
Next, perform the tests that you defined in your test plan to determine whether the Active Directory configuration is functioning correctly. For more information about developing a test plan, see Planning the Migration in this book.
After you verify that the upgrade of the Windows NT 4.0 PDC and the installation of Active Directory succeeded, complete the upgrade process.
To ensure that clients running earlier versions of the Windows operating system can access domain resources in the new Windows Server 2003 domain, you might have to modify default security policies.
In order to increase security, Windows Server 2003-based domain controllers require by default that clients attempting to authenticate to them use SMB packet and secure channel signing. Clients running the Windows 95 operating system without the Directory Service Client Pack or Windows NT 4.0 with Service Pack 2 and earlier do not support SMB packet signing and will not be able to log on or access domain resources on the network. Clients running Windows NT 4.0 with Service Pack 3 and earlier do not support secure channel signing and will not be able to establish communications with a domain controller in their domain.
The most secure way to enable these clients to log on and access domain resources on the network is to apply either the appropriate service pack or the Directory Service Client Pack. If you cannot apply either of these, configure all Windows Server 2003-based domain controllers to not require SMB packet signing and secure channel signing. To do this, disable the following settings in the Default Domain Controllers Policy:
Microsoft network server: Digitally sign communications (always)
Domain member: Digitally encrypt or sign secure channel data (always)
If you modify these policies, the default security policies in your environment are weakened. However, this is necessary to ensure that some clients running earlier versions of Windows can access domain resources. After all the clients in your environment are running versions of Windows that support SMB packet and secure channel signing, you can re-enable these security policies to increase security. It is recommended that you upgrade your Windows clients as soon as possible.
To make SMB packet and secure channel signing optional on Windows Server 2003-based domain controllers
Open Active Directory Users and Computers, right-click the Domain Controllers container, and then click Properties.
Select the Group Policy tab, and then click Edit.
Under Computer Configuration, navigate to Windows Settings\Security Settings\Local Policies\Security Options.
In the details pane, double-click Microsoft network server: Digitally sign communications (always), and then click Disabled to prevent SMB packet signing from being required.
Click OK.
In the details pane, double-click Domain member: Digitally encrypt or sign secure channel data (always), click Disabled to prevent secure channel signing from being required, and then click OK.
To apply the Group Policy change immediately, either restart the domain controller, or run the gpupdate /force command.
Modifying these settings in the Domain Controllers container will change the Default Domain Controllers Policy. Policy changes that are made here are replicated to all other domain controllers in the domain, requiring you to modify these policies only one time.
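Because the procedure above deliberately weakens the Default Domain Controllers Policy, it helps to have a repeatable check that reports the state of the two settings, so the change can be tracked and reversed once the last old client is upgraded. The following script is an added example, not from the Deployment Kit. Group Policy stores a GPO's Security Options in a GptTmpl.inf security template whose [Registry Values] section holds lines of the form registry path=type,value; the script reads that section and reports each policy as Enabled, Disabled or Not Defined. The mapping from the two policy names to their registry values (LanManServer RequireSecuritySignature and Netlogon RequireSignOrSeal) is the standard one used by Windows security templates and is not stated in the text; the template contents are constructed.

```python
"""Audit a Default Domain Controllers Policy template for the two signing settings.

Added example, not from the Deployment Kit. Reads the [Registry Values] section
of a GptTmpl.inf security template and reports the state of the SMB signing and
secure channel signing policies. The policy-to-registry mapping is the standard
one used by Windows security templates; the template text is constructed.
"""
from typing import Dict, List, Optional, Tuple

# Security Options policy name -> registry value the template stores it under.
POLICY_PATHS = {
    "Microsoft network server: Digitally sign communications (always)":
        r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature",
    "Domain member: Digitally encrypt or sign secure channel data (always)":
        r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal",
}


def parse_registry_values(template_text: str) -> Dict[str, Tuple[int, str]]:
    """Return {registry path (lower-case): (registry type, value)} from [Registry Values]."""
    values: Dict[str, Tuple[int, str]] = {}
    section: Optional[str] = None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        path, _, rest = line.partition("=")
        reg_type, _, value = rest.partition(",")   # e.g. "4,1": REG_DWORD with value 1
        values[path.strip().lower()] = (int(reg_type), value.strip())
    return values


def audit_signing(template_text: str) -> Dict[str, str]:
    """State of each signing policy: 'Enabled', 'Disabled' or 'Not Defined'."""
    values = parse_registry_values(template_text)
    states: Dict[str, str] = {}
    for policy, path in POLICY_PATHS.items():
        entry = values.get(path.lower())
        if entry is None:
            states[policy] = "Not Defined"
        else:
            states[policy] = "Enabled" if entry[1] == "1" else "Disabled"
    return states


def weakened_policies(template_text: str) -> List[str]:
    """Policies set to Disabled: the ones to re-enable once every client supports signing."""
    return sorted(p for p, s in audit_signing(template_text).items() if s == "Disabled")


# Constructed GptTmpl.inf excerpt with the default state (signing required) ...
TEMPLATE_DEFAULT = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
"""

# ... and the relaxed state the procedure above produces (both values set to 0).
TEMPLATE_RELAXED = TEMPLATE_DEFAULT.replace("=4,1", "=4,0")

if __name__ == "__main__":
    for label, text in (("default", TEMPLATE_DEFAULT), ("relaxed", TEMPLATE_RELAXED)):
        print(label, audit_signing(text), "to re-enable:", weakened_policies(text))
```

Run against the relaxed template, weakened_policies lists both settings; once the client upgrades the text recommends are done and the policies are switched back to Enabled, the list is empty again, which is the condition to check for before closing out the upgrade.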
For more information about SMB packet signing and secure channel signing, see Considerations for Upgrading to Windows Server 2003 Active Directory earlier in this chapter.
For more information about security policies, see Security options: Security Setting Descriptions in Help and Support Center for Windows Server 2003.