Migration Paths to Windows Server 2003


The first decision to be made when migrating is to determine which type of migration strategy best fits your requirements and Active Directory design. Three migration paths are outlined in this chapter. Each migration path, described in the following list, is unique in characteristics and requires different tasks to complete. Therefore, each migration path should be planned in detail, scripted, and tested before you actually perform any migration tasks.

  • The first migration option is an inplace upgrade. This migration path is a direct upgrade of the Windows NT4 server operating system and domain to Windows Server 2003 and Active Directory.

  • The second option is to migrate the NT4 objects from an existing NT4 domain to a brand-new Windows Server 2003 forest and Active Directory.

  • The third option is to consolidate multiple existing Windows NT4 domains into a single Active Directory domain configuration.

Each domain migration path offers different characteristics and functionality. Before you continue, review each migration path and perform all the tasks needed to prepare your Windows NT4 environment to be migrated to Active Directory. Begin by determining the specific criteria for your migration, such as the time frame in which to complete the migration and your final Active Directory design. Understanding these key areas will assist you in determining which migration path is best for your organization.

Determining the Best Migration Path for Your Organization

Each migration path involves different tasks and methods for preparing and completing a migration. There are also key business decisions and technical factors that can determine which path is best for your migration. Each of these paths and the benefits associated with them are outlined in the following sections.

Conducting an Inplace Upgrade

An inplace upgrade is very effective for organizations that want to maintain their existing Windows NT4 domain or multidomain models. Using this method allows you to effectively migrate from an existing domain or domains to Windows Server 2003 and Active Directory by upgrading the NT4 domain as it exists today into a Windows Server 2003 Active Directory domain. Because you are performing an inplace upgrade of the server operating system, each server system setting such as domain trusts and service accounts is preserved when the upgrade is complete.

The most compelling reasons for organizations to use this method are as follows: After the server operating system is upgraded to Windows Server 2003, the Active Directory Installation Wizard will also migrate and upgrade all existing Windows NT4 domain security principals such as domain users, groups, and permissions to Active Directory. This is considered the simplest model because no additional tools or third-party software is required to complete the migration. Also, after the inplace migration, desktops and laptops in the organization do not need to be touched because they will effectively remain in the same Windows domain as they were in NT4. This factor is significant for organizations that want to migrate but do not want to touch every single desktop after the migration. After proper planning and testing, some organizations have actually conducted an upgrade from Windows NT4 to Windows Server 2003 on a Friday night, with no dramatic impact on users or operation of the network.

Note

The inplace upgrade method of migration from Windows NT4 to Windows 2003 has proven to be the preferred method of migration for most migrations from NT4. Because the inplace upgrade migration maintains user accounts, computer accounts, security principals, user profiles, and other key network information, this migration method has the least (if any) impact on users, thus making it the cleanest migration method. An inplace upgrade does not require the existing domain controller hardware to be upgraded, however; the term implies only that the domain itself can be upgraded inplace.


Migrating an Existing Windows NT4 Domain to a New Windows Server 2003 Forest

As organizations grow or business needs change, many companies are looking for an effective method of changing their existing Windows NT4 domain model. Migrating an existing Windows NT4 domain to a new Windows Server 2003 forest allows administrators to design and install a new Windows Server 2003 Active Directory forest without interrupting existing Windows NT4 network connectivity.

When you use the Active Directory Migration Tool (ADMT) to migrate Windows NT4 domain security principals and resources to Active Directory, existing Windows NT4 security principals can then be migrated to organizational units and child domains within the newly structured Active Directory forest, as shown in Figure 16.1.

Figure 16.1. Migrating existing domains to a new Windows Server 2003 forest.


By taking advantage of the enhanced functionality of Windows Server 2003, Active Directory can be integrated with Windows NT4 domains by using domain trusts and permissions. This functionality makes this option very effective for larger organizations and enables administrators to migrate security principals incrementally over time while still maintaining connectivity to the same shared network resources. This means users in the Windows NT4 domain can access the same resources as users who have been migrated to Active Directory without interruption to day-to-day operations.

This migration path also allows administrators to further organize and structure a new domain by allowing objects to be moved between Active Directory domains and organizational units after they have been migrated. All these tasks can be completed while still maintaining connectivity between Windows NT4 and Windows Server 2003, further enhancing your ability to build a new domain model without the need to create new users and computer accounts as well as new network resources.

Is a New Forest Cleaner than an Inplace-Upgraded Forest?

One of the reasons why organizations put forth the effort of building a brand-new Active Directory forest (instead of doing an inplace upgrade of their existing Windows NT4 domain) is that they believe the brand-new forest will be cleaner than an inplace upgrade. Although no old objects are migrated to the new Active Directory forest, there are ways to clean up an inplace-upgraded domain so that it ends up being just as clean as a brand-new forest. The big advantage to performing an inplace upgrade is that it minimizes the need to manually create each user and computer object in the new forest, and eases the process of ensuring that user profiles, favorites, security settings, and other unique settings are copied to the new forest.

The process of cleaning up an inplace-upgraded domain simply involves deleting all unused migrated objects. The administrator then builds a brand-new global catalog server and moves the FSMO roles to the new global catalog server. Only existing objects will be migrated to the new server as old objects are not moved. This creates a new global catalog server that has no legacy objects, making it just as clean as if a global catalog server was created from scratch with objects manually added to the server.

Another argument against an inplace upgrade is the resultant forest name. Many administrators incorrectly believe that when they do an inplace upgrade, they are stuck with the same forest name as their existing Windows NT4 domain name. When an inplace upgrade is conducted on a primary domain controller, the administrator is asked for a fully qualified DNS name for the new forest. An organization with a Windows NT4 domain name of CompanyX can do an inplace upgrade to a Windows 2003 Active Directory forest name of something completely different, such as companyabc.com. The old CompanyX is a NetBIOS name, whereas forests in Active Directory use DNS names.

Organizations need to consider whether the real benefits of building a new forest outweigh the extreme cost, effort, time, and user interruption that a clean forest build creates. Most arguments against an inplace upgrade can be cleared up as misperceptions of what can and cannot be done in the upgrade process, giving an organization better options for migrating its networks.


Consolidating Multiple Windows NT4 Domains to Active Directory

The third migration path allows an organization to migrate to Windows Server 2003 and Active Directory using all the functionality and integration capabilities of the first and second migration paths. When you consolidate domains, your organization can perform an inplace upgrade while maintaining selected existing Windows NT4 domains. Other existing NT domains can then be consolidated into the new Active Directory domain or domains within the forest. Domains can even be migrated and consolidated into organizational units, allowing for more granular administration. When security principals are migrated using the Active Directory Migration Tool, this option allows organizations to consolidate and migrate additional domains incrementally while maintaining selected existing domain infrastructures.

This option is effective for organizations that have acquired other companies and their networks and still want to maintain their original domain model. When you consolidate domains, effectively you are upgrading a domain or domains within the existing domain model. After the upgrades are completed, you can then begin consolidating and restructuring domains by migrating security principals into new organizational units within the forest root or child domains in the new Active Directory forest. Additional account and resource domains can then also be consolidated within the newly structured Active Directory forest.




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
EAN: 2147483647
Year: 2006
Pages: 499
