The first decision to be made when migrating is to determine which type of migration strategy best fits your requirements and Active Directory design. Three migration paths are outlined in this chapter. Each migration path, described in the following list, is unique in characteristics and requires different tasks to complete. Therefore, each migration path should be planned in detail, scripted, and tested before you actually perform any migration tasks.
Each domain migration path offers different characteristics and functionality. Before you continue, review each migration path and perform all preparation tasks to prepare your Windows NT4 environment to be migrated to Active Directory. Begin by determining the specific criteria for your migration, such as the time frame in which to complete the migration and your final Active Directory design. Understanding these key areas will assist you in determining which migration path is best for your organization. Determining the Best Migration Path for Your OrganizationWith each specific migration path, there are different tasks and methods in which to prepare and complete a migration. There are also key business decisions and technical factors that can determine which path is best for your migration. Each of these paths and the benefits associated with them are outlined in the following sections. Conducting an Inplace UpgradeAn inplace upgrade is very effective for organizations that want to maintain their existing Windows NT4 domain or multidomain models. Using this method allows you to effectively migrate from an existing domain or domains to Windows Server 2003 and Active Directory by upgrading the NT4 domain as it exists today into a Windows Server 2003 Active Directory domain. Because you are performing an inplace upgrade of the server operating system, each server system setting such as domain trusts and service accounts is preserved when the upgrade is complete. The most compelling reasons for organizations to use this method are as follows: After the server operating system is upgraded to Windows Server 2003, the Active Directory Installation Wizard will also migrate and upgrade all existing Windows NT4 domain security principles such as domain users, groups, and permissions to Active Directory. This is considered the simplest model because no additional tools or third-party software is required to complete the migration. Also, after the inplace migration, desktops and laptops in the organization do not need to be touched because they will effectively remain in the same Windows domain as they were in NT4. This factor is significant for organizations that want to migrate but do not want to touch every single desktop after the migration. After proper planning and testing, some organizations have actually conducted an upgrade from Windows NT4 to Windows Server 2003 on a Friday night, with no dramatic impact on users or operation of the network. Note The inplace upgrade method of migration from Windows NT4 to Windows 2003 has proven to be the preferred method of migration for most migrations from NT4. Because the inplace upgrade migration maintains user accounts, computer accounts, security principles, user profiles, and other key network information, this migration method has the least (if any) impact on users, thus making it the cleanest migration method. Inplace upgrades do not require existing domain controller hardware to be upgraded, however, it only implies that the domain itself can be upgraded inplace. Migrating an Existing Windows NT4 Domain to a New Windows Server 2003 ForestAs organizations grow or business needs change, many companies are looking for an effective method of changing their existing Windows NT4 domain model. Migrating an existing Windows NT4 domain to a new Windows Server 2003 forest allows administrators to design and install a new Windows Server 2003 Active Directory forest without interrupting existing Windows NT4 network connectivity. When you use the Active Directory Migration Tool (ADMT) to migrate Windows NT4 domain security principles and resources to Active Directory, existing Windows NT4 security principles can then be migrated to organizational units and child domains within the newly structured Active Directory forest, as shown in Figure 16.1. Figure 16.1. Migrating existing domains to a new Windows Server 2003 forest.
By taking advantage of the enhanced functionality of Windows Server 2003, Active Directory can be integrated with Windows NT4 domains by using domain trusts and permissions. This functionality makes this option very effective for larger organizations and enables administrators to migrate security principles incrementally over time while still maintaining connectivity to the same shared network resources. This means users in the Windows NT4 domain can access the same resources as users who have been migrated to Active Directory without interruption to day-to-day operations. This migration path also allows administrators to further organize and structure a new domain by allowing objects to be moved between Active Directory domains and organizational units after they have been migrated. All these tasks can be completed while still maintaining connectivity between Windows NT4 and Windows Server 2003, further enhancing your ability to build a new domain model without the need to create new users and computer accounts as well as new network resources.
Consolidating Multiple Windows NT4 Domains to Active DirectoryThe third migration path allows an organization to migrate to Windows Server 2003 and Active Directory using all the functionality and integration capabilities of the first and second migration paths. When you consolidate domains, your organization can perform an inplace upgrade while maintaining selected existing Windows NT4 domains. Other existing NT domains can then be consolidated into the new Active Directory domain or domains within the forest. Domains can even be migrated and consolidated into organizational units, allowing for more granular administration. When security principles are migrated using the Active Directory Migration Tool, this option allows organizations to consolidate and migrate additional domains incrementally while maintaining selected existing domain infrastructures. This option is effective for organizations that have acquired other companies and their networks and still want to maintain their original domain model. When you consolidate domains, effectively you are upgrading a domain or domains within the existing domain model. After the upgrades are completed, you can then begin consolidating and restructuring domains by migrating security principles into new organizational units with the forest root or child domains in the new Active Directory forest. Additional account and resource domains can then also be consolidated within the newly structured Active Directory forest. |