After you upgrade all domain controllers in the domain to Windows Server 2003, complete the following post-upgrade tasks:
Eliminate anonymous connections to domain controllers.
Raise domain and forest functional levels.
Redirect the Users and Computers containers.
Complete the upgrade.
After you upgrade all the servers in the domain hosting services that run as Local System and use Anonymous or null credentials when accessing a domain controller, such as Windows NT 4.0 RAS servers, remove the Everyone and Anonymous Logon groups from the Pre-Windows 2000 Compatible Access built-in group. This task increases the security of your domain by preventing anonymous connections to domain controllers.
To remove groups from the Pre-Windows 2000 Compatible Access Group by using the command line
At the command line, type:
net localgroup "Pre-Windows 2000 Compatible Access" GroupName /delete
When using the net localgroup command to add or delete any group or group member name that includes spaces, such as the Anonymous Logon group, you must enclose the group name in quotation marks.
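The procedure above as a batch file, given here as an added example that is not part of the original documentation: it records the membership, removes both groups named in this section, and lists the membership again to confirm the change. The variable name GROUP and the warning text are assumptions of this example; run it from a command prompt with domain administrator rights.

```batch
@echo off
rem Added example, not from the original documentation.
rem GROUP is a variable name chosen for this example.
set "GROUP=Pre-Windows 2000 Compatible Access"

rem List the current members so the starting state can be documented.
net localgroup "%GROUP%"

rem Each name is quoted in the list, so %%G keeps its quotation marks.
rem That satisfies the quoting rule for names with spaces (Anonymous Logon).
for %%G in ("Everyone" "Anonymous Logon") do (
    net localgroup "%GROUP%" %%G /delete
    rem A nonzero exit code usually means the name was not a member.
    if errorlevel 1 echo WARNING: could not remove %%G from "%GROUP%"
)

rem List the members again; neither group should still appear.
net localgroup "%GROUP%"
```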
Although the Windows Server 2003 domain functional level provides a number of features and advantages, enable this functional level only when you have upgraded all your Windows NT 4.0 BDCs and you are certain that your environment is ready.
If you raise the domain and forest functional levels to Windows Server 2003, this action cannot be reversed and you cannot add Windows NT 4.0-based or Windows 2000-based domain controllers to the environment. Any existing Windows NT 4.0 or Windows 2000-based domain controllers in the environment will no longer function. Before you raise functional levels to take advantage of advanced Windows Server 2003 features, ensure that you will never need to install domain controllers that run Windows NT 4.0 or Windows 2000 in your environment.
After you determine that your environment is ready, use Active Directory Domains and Trusts to enable the Windows Server 2003 domain functional level.
After you upgrade all domain controllers to Windows Server 2003, raise the forest functional level to Windows Server 2003 to take advantage of all Windows Server 2003 forest-level features.
For more information about enabling functional levels and the features available at the Windows Server 2003 domain and forest functional levels, see Enabling Advanced Windows Server 2003 Active Directory Features in Designing and Deploying Directory and Security Services in the Microsoft Windows Server 2003 Deployment Kit (or see Enabling Advanced Windows Server 2003 Active Directory Features on the Web at http://www.microsoft.com/reskit).
Complete the following tasks to finalize the upgrade process:
Review, update, and document the domain architecture to reflect any changes that you made during the upgrade process.
Review your operating procedures and administrative tasks to determine whether new Windows Server 2003 features, such as Group Policy objects or distributed administration, affect the operations environment. Be sure to document any changes that you identify.
After you ensure that your Windows Server 2003 Active Directory environment is operating successfully for a period of time, you can redeploy the rollback server that you reserved for the recovery process. If you do not need the Windows NT 4.0 BDC to achieve the required load balance among your domain controllers, maintain the rollback server for one week. Maintain the backup of the rollback server for a longer period of time for additional security. For information about developing a recovery plan, see Planning the Migration in this book.
Some Windows NT 4.0 applications, such as Microsoft Systems Management Server (SMS), can have an unpredictable effect on the domain when installed after the domain has been upgraded to Active Directory. Ensure that you are running SMS 2.0 and have installed Service Pack 4. For more information about SMS, see the SMS Downloads link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
After you complete the above tasks successfully, the upgrade process is complete.