Implementing a Migration to the Active Directory for Windows 2000


As with any major network upgrade project, plan carefully before you begin. Develop a written master plan and schedule for the migration and review it frequently. Items to consider in a migration plan include the following:

  • Back-out procedures. For any big change you make on a particular server, plan a method to back out of the change if it doesn't function as you expect. Always maintain up-to-date backups of key systems that can be used for a full restoration without seriously impacting the user base, and confirm that those backups actually restore before you start.

  • Alternative plans. Sometimes there's more than one way to effect a solution to a problem. If you note more than one method of accomplishing a particular task, such as more than one way to schedule people or resources for the project, that flexibility will let you adapt to changes in the project schedule.

  • Assign users and resources carefully. When you decide which personnel will execute portions of the project plan, keep in mind each person's existing workload and how participating in the migration will affect his or her regular job. Again, it is a good idea to have a backup person or resource available in case unforeseen events limit someone's availability.

  • Nonproduction testing. As discussed in other chapters, test your plan in a laboratory setting! Nothing is ever as it seems to be (there goes my existential thought). Test any network modification against every usage you can think of before deploying it to a production network, whether that network is based on Windows or on another system such as NetWare, Unix, or Linux.

  • A well-defined team structure. The migration team should have a designated leader, and each member should have assigned duties and areas of responsibility. Nothing makes executing a migration plan more difficult than the personality conflicts that arise when duties are assigned to team members only vaguely.

Start by Upgrading the Primary Domain Controller

When you decide to upgrade your network to a Windows 2000 Active Directory-based network, you'll need to plan the order in which servers and workstations will be upgraded. A Windows 2000 Active Directory domain controller is backward compatible with Windows NT 4.0 domain controllers, so upgrading the PDC is transparent to users and to the domain controllers still running Windows NT 4.0. The upgraded server takes on the PDC emulator role, and the backup domain controllers in the domain see it just as if it were the PDC of a Windows NT 4.0 domain. One consideration to keep in mind is that after you upgrade a server to be a Windows 2000 Active Directory domain controller, you can't promote a Windows NT 4.0 BDC in the same domain to become a PDC: the Active Directory domain controller already fills that role as far as the Windows NT 4.0 BDCs are concerned, and a Windows NT 4.0 domain can have only one PDC.

Upgrade the Domain's PDC and Then Any BDCs

When you upgrade the PDC to become an Active Directory domain controller, you're prompted either to join an existing domain tree or to create a new one. If this is the first Active Directory domain controller in the network, you have to create a new domain tree. The operation is simple and painless: no complicated setup or configuration is required to create a domain tree.

After you've created the first Active Directory domain controller from the domain's PDC, you'll have a mixed environment that still functions normally from the user's standpoint. That is, users can still authenticate against the BDCs that remain in the domain. However, the BDCs don't recognize the Active Directory database; they see the new domain controller as a PDC and hold only a read-only copy of the account database, so you still can't create new security principals, such as user accounts, on the BDCs. This is the normal way a Windows NT 4.0 domain works. You have to create them on the new Active Directory domain controller, just as you did when it was the PDC.

The new Active Directory domain controller uses single-master replication to push changes in the security database to any remaining BDCs, exactly as the PDC did. After you promote one or more BDCs to become Active Directory domain controllers, you can update the security database on any of those new domain controllers, because all Windows 2000 domain controllers are equal peers. Multimaster replication is used only among the Active Directory domain controllers. Remaining Windows NT 4.0 BDCs continue to function as if the domain were still composed of nothing but Windows NT 4.0 domain controllers.

After you've converted all your Windows NT 4.0 BDCs to Active Directory domain controllers and switched the domain to native mode, only multimaster replication occurs from that point on. This means you can no longer add Windows NT Server 4.0 domain controllers to the domain. If you're uncertain about the migration, leave at least one Windows NT 4.0 BDC in the domain and operate in mixed mode until you're sure that the changeover is working as you expect and you have no need to fall back to a Windows NT 4.0-based network.

Tip

You should always keep a "back door" open when implementing new technology. When you make the final decision to go with the Active Directory and forego the Windows NT PDC/BDC networking method, keeping an old BDC around can be a lifesaver if something goes wrong. To provide this open door, you don't have to keep the old BDC online in the new network. Instead, before you make the final switch, take a BDC offline: turn it off or disconnect it from the network. Keep it around for a few months until you're absolutely sure that you don't need to back out of the Active Directory. If some disastrous event forces you to abandon the upgrade, the BDC will not contain any changes made after it was taken offline, but it will be a good place to start when trying to recover your old network. Because a BDC holds a complete copy of the SAM, including the password hashes of every domain account, give the offline machine the same physical protection you give a running domain controller.

However, you must consider that this is a short-term solution. Computers change their own machine-account passwords periodically, and those changes are recorded only by the live domain, so the longer the BDC sits offline, the more computers will be unable to establish a secure channel with it when it is brought back, which renders this capability almost useless over the long term. Take your password policy into consideration as well: how often do you require users to change their passwords? Every password changed after the BDC went offline will be unknown to it. In either case, using this back door can cause more problems than it solves.

After you've made the switch and all domain controllers are based on the Active Directory, all clients, including down-level, non-Windows 2000 clients, can take advantage of the transitive trust relationships created between all domains in the domain tree. The trust relationships exist between domain controllers, which perform authentication, not between the individual workstations or other clients in the network. That means you can upgrade all your BDCs to Windows 2000 Active Directory domain controllers first and then, as you find opportunities to schedule the required downtime, upgrade client machines, such as Windows NT 4.0 Workstation clients, at a more leisurely pace.

Adding Other Domains to the Active Directory

In a multidomain network, you first create a domain tree using one of the domain controllers in an existing domain, or you can even create a new domain from a fresh install to serve as the first domain in the new tree.

When you later decide to upgrade other domains in your network to use the Active Directory, you can still create a new domain tree or you can choose to join the existing domain tree. Again, the operation is simple: to join an existing domain tree, you need only supply the name of the parent domain to which the new domain will be attached in the tree.

Several things occur when you join an existing tree:

  • The domain's current SAM database is migrated to the Active Directory database.

  • The Kerberos authentication service is installed, and a two-way, transitive trust relationship is created with the parent domain to which the new domain has been attached in the tree structure.

  • A domain controller in the parent domain supplies configuration information, such as the Active Directory schema, to the new child domain's domain controller and then informs the other domain controllers about the addition of the new child domain.

Upgrade the Master Domain First

In the master domain model, all user accounts reside in the master domain and resources are created in separate resource domains. When you upgrade a network based on a single domain, there isn't much choice: first upgrade the PDC and then upgrade the domain's BDCs.

Note

If you're starting from scratch, that is, you're running Windows NT 4.0 in a standalone or workgroup mode and don't have a PDC, you can still create a domain controller for your Windows 2000 network. After you've installed Windows 2000 Server or upgraded a Windows NT 4.0 server to Windows 2000, use the command dcpromo to promote the server to be a domain controller. The process is not as complicated as you might think. Simply bring up the Command Prompt (from the Start menu, choose Programs, Accessories, Command Prompt) and enter the command dcpromo. The Active Directory Installation Wizard pops up to guide you through the process. The same command is used on Windows Server 2003.

In a network based on the master domain model, upgrade the master domain first and then upgrade the resource domains. At the completion of the basic operating-system upgrade, you use the Active Directory Installation Wizard to install the Active Directory (see Figure 62.1).

Figure 62.1. The Installation Wizard guides you through the process.

graphics/62fig01.jpg

The next few dialog boxes prompt you to create a new domain tree or to create a child domain in an existing tree (see Figure 62.2). If you choose to create a new domain tree, you're prompted to create a new forest or to place the new tree in an existing forest. Because this is the first server being upgraded to Windows 2000, create a new forest.

Figure 62.2. If this is the first controller to be upgraded, you create a new domain tree.

graphics/62fig02.jpg

The wizard then prompts you for the domain name you want to use. You have to specify it as a fully qualified DNS name (see Figure 62.3).

Figure 62.3. Use a fully qualified DNS name when prompted by the wizard.

graphics/62fig03.gif

The wizard then asks you for a NetBIOS-compatible name for the new domain. Previous versions of Windows identify the domain by this name; it is normally the existing Windows NT 4.0 domain name, and down-level clients continue to use it until they are upgraded.

The wizard then asks where you want to create the files that will serve as the database for the directory and where to store the directory's log files (see Figure 62.4). If your domain is large, specify a different disk for each to improve performance.

Figure 62.4. Enter the paths that will be used to create the Active Directory database and log files.

graphics/62fig04.gif

The next dialog box prompts you for the path of the shared system volume (SYSVOL), which holds the files that are replicated to the other domain controllers in the domain. The path must point to a directory located on an NTFS partition; you cannot use a FAT partition for this.

If there is no DNS server for the domain yet, the wizard prompts you to install Microsoft's DNS Server. Click OK to dismiss this dialog box. The Configure DNS dialog box then asks whether you want to install DNS now or later. For Active Directory to function correctly, a DNS server is required, so it's best to install Microsoft's DNS at this point: the Active Directory must register the service (SRV) resource records that clients will use to locate domain controllers.

The next dialog box is an important one, and it is easy to misread (see Figure 62.5). It asks whether permissions on user and group objects should be compatible with pre-Windows 2000 servers or only with Windows 2000 servers. It does not choose between mixed and native mode: an upgraded domain always starts in mixed mode, and the Windows 2000 domain controller acts as the PDC for down-level clients whichever option you pick here. The first option adds the Everyone group to the built-in Pre-Windows 2000 Compatible Access group, which lets servers running earlier versions of Windows, such as Windows NT 4.0 Remote Access Service servers, read user and group information from the directory over an anonymous connection. If you still have such servers, choose the first option for now; you can remove Everyone from that group later, once they are upgraded. If you don't, choose the second option, which closes that anonymous read access.

Figure 62.5. Choose the first option only if pre-Windows 2000 servers still need to read user and group information from the directory; otherwise choose the second.

graphics/62fig05.jpg

Note

If your network is small and you plan to upgrade all your servers and workstations at the same time, select the second option in Figure 62.5. The domain still runs in mixed mode while Windows NT 4.0 BDCs remain.

The wizard then prompts you for the password of the local administrator account used when the computer is started in Directory Services Restore Mode. This password is independent of the domain Administrator password; anyone who knows it and can reach the console can boot the server with the directory offline, so choose a strong one and keep it where only trusted administrators can find it. Finally, you'll see a summary dialog box that shows the options you've selected. Scroll through this dialog box to re-examine your choices and, if they're correct, click Next.

An informational dialog box appears telling you that the wizard is configuring the Active Directory. Depending on your selections and the amount of information the server held as a Windows NT 4.0 PDC, this can take some time: existing data in the Windows NT 4.0 Security Accounts Manager (SAM) database must be migrated to objects in the new Active Directory. Drink a cup of coffee or two. At the bottom of this dialog box you'll see the processes being performed, such as installing DNS and configuring the databases for the Active Directory.

As a last step, the wizard adds shortcuts to several tools in the Administrative Tools folder that you can use to manage the directory and then prompts you to restart the computer.
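The wizard pages just described, and the dcpromo command introduced in the note above, map one-for-one onto the [DCInstall] section of an answer file that dcpromo reads when started with /answer. That is how you promote a server without clicking through the dialog boxes, and it also leaves a record of exactly which choices were made. The file below is an added example, not the book's; the key names are those documented for Windows 2000 unattended promotion (verify them against the unattended-setup reference for your service pack), and example.com, EXAMPLE, the paths and the password are placeholders.

```ini
; Added example: unattended equivalent of the wizard choices described above.
; Placeholder values (example.com, EXAMPLE, paths, password) must be replaced.
; Run on the server as:  dcpromo /answer:C:\dcpromo.txt
[DCInstall]
; Figure 62.2: first domain controller, so create a new domain in a new tree
; and a new forest (Create); Join would attach the tree to an existing forest
ReplicaOrNewDomain=Domain
TreeOrChild=Tree
CreateOrJoin=Create
; Figure 62.3: fully qualified DNS name of the new domain
NewDomainDNSName=example.com
; NetBIOS name that down-level clients use; keep the existing NT 4.0 domain name
DomainNetbiosName=EXAMPLE
; Figure 62.4: directory database and log files, on separate disks in a large domain
DatabasePath=C:\WINNT\NTDS
LogPath=D:\NTDS-LOGS
; Shared system volume (SYSVOL): must be on an NTFS partition
SYSVOLPath=C:\WINNT\SYSVOL
; Install and configure Microsoft DNS so the locator SRV records get registered
AutoConfigDNS=Yes
; Figure 62.5: No is the Windows 2000-only permissions choice; Yes adds Everyone to
; Pre-Windows 2000 Compatible Access and is needed only while pre-Windows 2000
; servers still read user and group information anonymously
AllowAnonymousAccess=No
; Directory Services Restore Mode password: this file holds it in clear text, so
; keep the file off shared drives and delete it as soon as the promotion finishes
SafeModeAdminPassword=ReplaceWithAStrongPassword
RebootOnSuccess=Yes
```

For a BDC being upgraded into the same domain you would set ReplicaOrNewDomain=Replica and name the existing domain instead of creating one; the remaining keys (paths, SYSVOL, restore-mode password) apply unchanged.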

After upgrading the first server, experiment with it to get used to the new tools and review your plans for the other servers in the domain. When you're sure that you want to proceed, upgrade the backup domain controllers in the same way, except that you add each one to the existing domain as an additional domain controller rather than creating a new domain. When upgrading servers in other domains that you want to place into the same domain tree, you can choose to create a child domain and construct its fully qualified domain name according to where you want to place the domain in the tree.

Upgrade the BDCs Next

After you've upgraded the Windows NT 4.0 PDC to become a Windows 2000 domain controller, your domain operates in what is called mixed mode for as long as Windows NT 4.0 (or earlier) backup domain controllers exist in it. To continue the migration, use the same steps on each BDC that you used to upgrade and promote the PDC. After you've upgraded all down-level domain controllers to Windows 2000 domain controllers, you can switch the domain to native mode.

A domain administrator performs this change with the Active Directory Domains and Trusts MMC snap-in. Don't take this step until you're absolutely sure that you no longer need Windows NT 4.0 domain controllers in the domain. After the switch is made, there's no going back!
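Before you click Change Mode, it is worth confirming three things the preceding sections rely on: that the new domain controller registered its locator (SRV) records in DNS, that the PDC emulator role is held by a Windows 2000 domain controller, and that no Windows NT 4.0 BDC is still listed for the domain. The batch file below is an added example, not from the book. It assumes the Windows 2000 Support Tools (nltest.exe) are installed on the domain controller where it runs, that the domain's NetBIOS and DNS names are passed as arguments, and that nltest marks Active Directory domain controllers with the [DS] tag in its /dclist output, which is how the script tells an upgraded controller from an NT 4.0 BDC.

```batch
@echo off
rem premode-check.cmd: added example (not from the book). Run on a Windows 2000
rem domain controller with the Support Tools (nltest.exe) installed.
rem Usage: premode-check.cmd NETBIOS-DOMAIN DNS-DOMAIN   e.g. EXAMPLE example.com
rem (EXAMPLE and example.com are placeholders chosen for this example.)
setlocal
if "%~2"=="" (
    echo Usage: %~nx0 NETBIOS-DOMAIN DNS-DOMAIN
    exit /b 2
)
set NBDOMAIN=%~1
set DNSDOMAIN=%~2
set WORK=%TEMP%\premode-check
set RC=0

rem 1. Locator records: clients find domain controllers through the SRV record
rem    _ldap._tcp.dc._msdcs.<dns-domain>. Windows nslookup prints each target as
rem    "svr hostname = ..."; no such line means DNS is not set up for the directory.
echo --- SRV records for _ldap._tcp.dc._msdcs.%DNSDOMAIN% ---
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DNSDOMAIN% > "%WORK%.srv" 2>&1
findstr /I /L /C:"svr hostname" "%WORK%.srv"
if errorlevel 1 (
    echo WARNING: no SRV records found. Check the DNS server and dynamic registration.
    set RC=1
)

rem 2. PDC emulator: ask the locator which controller holds the role. After the
rem    PDC upgrade this must be a Windows 2000 domain controller.
echo --- PDC emulator for %NBDOMAIN% ---
nltest /dsgetdc:%NBDOMAIN% /PDC

rem 3. Remaining NT 4.0 BDCs: nltest /dclist tags Active Directory controllers
rem    with [DS]. A controller listed without the tag is still a Windows NT 4.0
rem    BDC and will stop receiving replication once the domain is in native mode.
echo --- Domain controllers not yet running Active Directory ---
nltest /dclist:%NBDOMAIN% > "%WORK%.dcs"
if errorlevel 1 (
    echo ERROR: nltest could not list the domain controllers for %NBDOMAIN%.
    type "%WORK%.dcs"
    del "%WORK%.srv" "%WORK%.dcs" 2>nul
    exit /b 2
)
rem Keep only the controller lines: drop blank lines, the header and the trailer.
findstr /R "[a-zA-Z0-9]" "%WORK%.dcs" | findstr /V /L /C:"Get list of DCs" /C:"command completed" > "%WORK%.names"
findstr /V /L /C:"[DS]" "%WORK%.names" > "%WORK%.nt4"
set NT4COUNT=0
for /f %%N in ('type "%WORK%.nt4" ^| find /c /v ""') do set NT4COUNT=%%N
if %NT4COUNT% GTR 0 (
    type "%WORK%.nt4"
    echo %NT4COUNT% Windows NT 4.0 domain controllers remain: do not switch to native mode yet.
    set RC=1
) else (
    echo None. Every listed domain controller runs Active Directory.
)

del "%WORK%.srv" "%WORK%.dcs" "%WORK%.names" "%WORK%.nt4" 2>nul
exit /b %RC%
```

The script exits with 0 only when the SRV lookup succeeds and no controller without the [DS] tag is listed; a non-zero exit means stop and investigate. Run it from the new domain controller itself, since that is the machine whose DNS client and locator settings matter most.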

To take this final step and make the switch to a native-mode Windows 2000 domain network, follow these steps:

  1. Click Start, Programs, Administrative Tools, and then Active Directory Domains and Trusts.

  2. Right-click the domain name in the left pane of the MMC console and select Properties from the menu that appears. Alternatively, click once on the domain name and select Properties from the Action menu.

  3. On the General tab of the Properties page, click Change Mode, and then click Yes when prompted.

That's it. There's no going back (unless you've kept a prior Windows NT 4.0 PDC or BDC offline for recovery purposes). You'll now be operating in an all-Windows 2000 environment.



Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
Year: 2003
Pages: 434