Migrating from NT 4.0


Windows NT 4 had some serious limitations when it came to administrative control. If a user needed to change other users' passwords or control group membership, their account had to be added either to the Account Operators group or, worse yet, to the Domain Admins group. Account Operators allowed the user to perform those two functions, but it also allowed the user to create and delete user and group accounts, which in many cases was more power than the task required. Adding the account to Domain Admins gave the user far too much power throughout the domain.

With the granular level of control granted to accounts in Active Directory, you can allow a group of users to manage objects with only the level of control that they need. What this means is that you no longer have to add a user into a group that has too much power just so they can perform a single function. For many administrators that have a Windows NT 4 domain, this will probably be one of the most intriguing options available with Active Directory.

The following sections explain the options available when migrating Windows NT 4 account domains to Active Directory account OUs and when migrating Windows NT 4 resource domains to Active Directory resource OUs.

Migrating Account Domains

When you develop a design that includes migrating accounts from a Windows NT 4 Master User Domain (MUD), the first thing to decide is whether the current domain owners retain control over the accounts. The migration may entail assigning different administrative personnel, either because it collapses the administrative structure and gives control over the account objects to a different group, or because NT 4 granted those administrators more control than they needed when they were added to the default groups. Review the level of control each administrator actually requires and base the migration on that.

If the current domain owners will retain the same level of control in the new design, you can create an OU so that you can migrate the accounts directly into it. The new domain owner can then delegate control of the OU to the accounts that were originally the NT 4.0 domain owners, thus making them OU owners. Figure 5.10 shows a representation of this migration.

Figure 5.10: Migrating NT 4 MUD to OU, keeping the same administrative groups

The ability to collapse the NT 4 domain structure is a benefit of Active Directory that many administrators want to take advantage of. Taking multiple MUDs and reducing them into a single domain where the accounts can be organized into OUs makes for a much simpler administrative design. Making the design as simple as possible will reduce the administrative costs, thus allowing the administrators to work with the accounts efficiently with fewer issues pertaining to setting and maintaining permissions.

In our Denver example, another company is being acquired during the Active Directory design phase. The accounts and resources from this company will be migrated into the new Active Directory design. The designers have decided that the new accounts fit the design options they have already chosen: user accounts will be migrated into the Users OU, and groups will be migrated into the Groups OU.

Migrating Resource Domains

Resource domains are the repositories for the computer accounts that hold the organization's resources. These resources include databases, e-mail, web servers, file shares, print devices, and management software, to name a few. Within the NT 4 domain structure, resource domains were usually created so that the administrators who maintained the systems could control them while remaining isolated from the user accounts managed by other administrators. Organizations with a large number of accounts would also divide their resources into separate domains. Trust relationships allowed user accounts from the MUDs to access and maintain the resources.

start sidebar
Design Scenario: Migrating from Windows NT 4

Kryton Composites has used Windows NT 4 for several years. As the company has grown and added personnel and locations, it has had to change its initial single-domain Windows NT 4 structure to a multiple-domain model that incorporates two MUDs and four resource domains. The resource domains are based on the four factory locations: Tulsa, OK, which is also the corporate headquarters; South Bend, IN; Rebecca, GA; and Herrin, TN. Each location has a single administrative group that is responsible for the resources at that location but does not have control over user and group accounts.

In the new design, the administrative staff from each of the locations should still have the ability to maintain the servers, workstations, shared folders, and printers, but should not have the ability to create or delete user and group objects or OUs.

The administrative staff at the corporate office will have control of all user and group objects and will be responsible for creating and maintaining the domain and OU structure. They want to make administration of the user and group objects as easy as possible.

  1. Question: Which accounts should be identified as the OU owners? Answer: The administrative staff at the corporate headquarters will become the OU owners. They will be responsible for creating and maintaining the OU structure for the company.

  2. Question: Which accounts should be identified as the OU administrators? Answer: Each of the administrative groups at the factory locations will be the OU administrators because they will be responsible for the objects within their OUs.

  3. Question: When migrating the accounts from the MUDs, what type of OU structure would best fit their needs? Answer: Either of two options would work. First, you could create a function-based OU structure, with user objects in one OU and group objects in another. Second, you could use a location-based design that takes advantage of the factory locations, with an OU per location to contain that location's user and group objects.

  4. Question: When you are migrating the resource objects from the resource domains, what type of OU structure would best fit their needs? Answer: Because each of the factory locations has its own administrative staff, the OU structure that will work best is the one that is location based. Using this structure, each of the administrative groups from each location can be delegated the level of control that they need over their own resources within their own OU structure.

  5. Question: What OU structure would you suggest Kryton Composites use? Answer: The most efficient design, and the one that will not be affected greatly by any kind of reorganization, would be the location-based design. Because the account and resource OU structures can take advantage of this type of structure, you can create a single OU design that will be the same for all administrators and will not be confusing. At the same time, you can delegate the permissions at the top level of the OU hierarchy, and the inheritance will allow the administrative groups to control and maintain the objects for which they are responsible.

end sidebar
 

Usually, when a resource domain was created, an account from one of the trusted MUDs was used to administer its resources. By adding that account to the built-in administrative groups in the resource domain, an administrator whose account lived in the MUD, where all of the user accounts reside and are managed, also held administrative control within the resource domain.

Some of the same options exist for migrating resource domains into resource OUs. You need to decide whether or not the resources will still be controlled by the same groups in the new design. If not, when you migrate the resources, migrate them to an OU where the new administrators have had control delegated to them. This is usually the case when you are merging with another company or your company has just acquired another. The resources from the company that you are now working with may fall under your jurisdiction, or your resources may be controlled by the other company.

If the resources are still under the control of the same administrative staff, you can migrate them to their own OUs within the appropriate OU tree. The decision about which OU tree will be used will be based on which group will be identified as the OU owner. The new OU can be created as a child OU within the OU structure based on who the OU administrators will be and whether the original NT 4 domain structure will be mimicked.

Some organizations will decide to keep the same structure, so that the resources are grouped within a child OU of the account OU that has authority over them. Inheritance of permissions then gives an administrator delegated at the account OU control over the resource OU as well. Of course, only the permissions set at the parent level are inherited, and only for the object types they name. If a group is granted the ability to create and delete user objects in the account OU, it does not thereby gain the ability to work with computer objects in the resource OU. To give the group control over computer objects in the resource OU without extending that control to computer objects in the account OU, delegate the permission explicitly at the resource OU level.
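The following script is an added example and is not code from the study guide. It shows, in one run, the two delegation steps the text describes: the OU owner delegates control at the top of an account OU tree (as in Figure 5.10 and the Kryton Composites scenario) so that inheritance carries it down, and then delegates computer-object control explicitly at the child resource OU, because the parent-level user and group permissions say nothing about computer objects. It uses the ActiveDirectory PowerShell module and its AD: drive, which postdate the Windows Server 2003 release the book covers (Windows Server 2008 R2 and later), and it must run on a domain controller or a host with the RSAT tools. The domain name, the OU names "Denver", "Users", "Groups" and "Computers", and the two groups "Denver Account Admins" and "Denver Computer Admins" are assumptions for illustration.

```powershell
# Added example, not code from the study guide. Requires the ActiveDirectory
# module (Windows Server 2008 R2 and later). Assumed names: an account OU
# "Denver" with child OUs "Users", "Groups" and "Computers", and two existing
# groups, "Denver Account Admins" (OU administrators for user/group objects)
# and "Denver Computer Admins" (OU administrators for computer objects).
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName        # e.g. DC=corp,DC=example,DC=com
$schemaNC = (Get-ADRootDSE).SchemaNamingContext

# Look up the schemaIDGUID of an object class so an ACE can be limited to that
# class. This is what makes "manage users but not computers" expressible.
function Get-SchemaClassGuid {
    param([string]$LdapDisplayName)
    $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$cls.schemaIDGUID
}

# Add one Allow ACE to an OU. $ObjectType scopes the right to one class (for
# CreateChild/DeleteChild: the class that may be created or deleted);
# $InheritedObjectType scopes an inherited ACE to child objects of one class.
function Grant-OUDelegation {
    param(
        [string]$OuDN,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,
        [guid]$InheritedObjectType = [guid]::Empty
    )
    $acl = Get-Acl -Path "AD:\$OuDN"
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All,
        $InheritedObjectType)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

# List the explicit (non-inherited) ACEs on an OU with class GUIDs resolved to
# names, which is how you confirm a parent-level grant does not cover computers.
function Show-OUDelegation {
    param([string]$OuDN, [hashtable]$GuidNames)
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights,
            @{n='ObjectType';          e={ if ($GuidNames[$_.ObjectType])          { $GuidNames[$_.ObjectType] }          else { $_.ObjectType } }},
            @{n='InheritedObjectType'; e={ if ($GuidNames[$_.InheritedObjectType]) { $GuidNames[$_.InheritedObjectType] } else { $_.InheritedObjectType } }}
}

$userGuid     = Get-SchemaClassGuid 'user'
$groupGuid    = Get-SchemaClassGuid 'group'
$computerGuid = Get-SchemaClassGuid 'computer'
$guidNames    = @{ $userGuid = 'user'; $groupGuid = 'group'; $computerGuid = 'computer' }

# 1. Build the OU tree: the account OU, with the resource OU as a child of it.
$ouDenver    = "OU=Denver,$domainDN"
$ouComputers = "OU=Computers,$ouDenver"
New-ADOrganizationalUnit -Name 'Denver' -Path $domainDN
foreach ($name in 'Users', 'Groups', 'Computers') {
    New-ADOrganizationalUnit -Name $name -Path $ouDenver
}

# 2. Delegate at the top of the tree; inheritance carries the ACEs down.
#    The account admins get create/delete of user and group objects plus full
#    control of existing user and group objects, and nothing else.
$acctSid      = (Get-ADGroup 'Denver Account Admins').SID
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$fullControl  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
foreach ($cls in $userGuid, $groupGuid) {
    Grant-OUDelegation -OuDN $ouDenver -Sid $acctSid -Rights $createDelete -ObjectType $cls
    Grant-OUDelegation -OuDN $ouDenver -Sid $acctSid -Rights $fullControl  -InheritedObjectType $cls
}

# 3. Those inherited ACEs say nothing about computer objects, so the resource
#    admins must be delegated explicitly at the resource OU.
$compSid = (Get-ADGroup 'Denver Computer Admins').SID
Grant-OUDelegation -OuDN $ouComputers -Sid $compSid -Rights $createDelete -ObjectType $computerGuid
Grant-OUDelegation -OuDN $ouComputers -Sid $compSid -Rights $fullControl  -InheritedObjectType $computerGuid

# 4. Verify. The Denver OU lists only user/group-scoped ACEs for the account
#    admins; the Computers OU lists the computer-scoped ACEs for the resource
#    admins (its inherited user/group ACEs from Denver are filtered out above).
Show-OUDelegation -OuDN $ouDenver    -GuidNames $guidNames | Format-Table -AutoSize
Show-OUDelegation -OuDN $ouComputers -GuidNames $guidNames | Format-Table -AutoSize
```

The four ACEs per group are the same ones the Delegation of Control Wizard writes for its "Create, delete, and manage user accounts" task, but building them by hand makes the object-type scoping visible: a GenericAll ACE whose inherited object type is the user class confers nothing on a computer object, so the resource administrators' rights have to be written at the Computers OU regardless of where it sits in the tree. The migration of the accounts and computers themselves (with ADMT or similar tooling) is a separate step; this script only prepares and verifies the target OUs.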

In keeping with our Denver scenario, the small company that the organization recently acquired needs its resources moved into the Active Directory structure. Because the OU design for the account domains has been completed, the migration method for the resources needs to be determined. Linda has worked with the Active Directory design staff to work out the OU requirements for her Denver OU tree. The IT manager has decided that the acquired company's resource domains will no longer fall under their original administrative staff: some employees of the acquired company will stay on with the new company, but many have taken positions elsewhere. Because all of the resources will fall under the responsibility of the IT Computer Admins, the IT manager decides to migrate the resources to the Computers OU.




MCSE: Windows Server 2003 Active Directory and Network Infrastructure Design Study Guide (70-297)
ISBN: 0782143210
Year: 2004
Pages: 159
Author: Brad Price (Sybex)