Computer Performance, Windows 2003, Logon Scripts

Migrate to Windows 2000 Active Directory

 Who is this Migration page aimed at?

  • People who want advice on upgrading from NT 4.0 to Windows 2000.

  • Network Architects who need to understand Active Directory.

 


Download your Windows 2000 Migration eBook for only $4.95

The extra features you get in your eBook include: Recommendations of what to do.  'How to...' sections with screen shots. 

 

New pages with detailed instructions and advice on how to plan your migration.  Lots of tips and troubleshooting advice.  Printer friendly pages.

 


Introduction

When you move to a new operating system such as Windows 2000, you have to make a crucial decision:

  1. Reformat the machines and build from scratch; I have heard this strategy called 'Wipe and Roll'.

  2. Decide on an 'In Place' upgrade to Windows 2000.  Simple, but no rollback, therefore impractical for big organisations.

  3. With server migrations, introduce a new server into an existing network.  Plan for a period of coexistence between NT 4.0 and Windows 2000 Active Directory.


'In Place' versus 'Brand New Domain'

Broadly speaking, there are two strategies for successfully migrating from NT 4.0 to Windows 2000.

1) The simplest strategy is the 'In Place' upgrade of NT 4.0.  Just insert the Windows 2000 Server CD into your NT 4.0 PDC and accept the defaults.  Repeat this upgrade strategy for your BDCs.  In my opinion, this 'In Place' method really only works for small networks with 2-50 users.

2) You may have good reason to create a brand new domain.  For example, you may want your domain name to match your DNS name.  Also, you probably do not want all that old baggage in your new domain, so a brand new domain has great appeal.

There are two crucial considerations for a brand new Domain.  Firstly get your naming conventions right before you install the first machine; make a mistake and you will have to start all over again.  This is because you cannot rename a domain in Windows 2000.  Secondly take steps to preserve your existing users.

Consider the following factors before you migrate

  • Hardware: New or existing machines?
  • Software: Which is the right version of Windows 2000 for you? Plain, Advanced or Datacenter?
  • Clustering: Can you afford a multi-node installation?  Consider linking to your SQL database servers in active / passive nodes with your Windows 2000 Domain controllers.  If you like this clustering solution, then review your plan and buy Advanced Server, not plain Windows 2000 Server.
  • Which databases and configuration settings do you need to preserve?  Example: NT 4.0 SAM username database.
  • Budget, manpower, existing skills.  Do you need to train or buy in Active Directory skills?



 


DNS naming strategy

The key point is to understand how DNS names relate to Active Directory names, and to see the advantages of using the same convention.  E.g. DNS name = ABC.com, Active Directory domain = ABC.com - including the .com suffix.

Before deciding on your DNS strategy, here is a reminder of what DNS will do for your Windows 200x domain.

DNS Basics

DCPROMO will create the Forward Lookup Zone for you, or else you can manually create it in the DNS console.  Inside the Zone you will see Host or 'A' records, which map a hostname to an IP address.  Example: Cardiff (Hostname) A  10.54.100.5

DNS is now dynamic, so you do not have to update A (Host) records manually.  Also, DNS is fully integrated with DHCP, which reduces boring configuration tasks.  Unlike NT 4.0, DNS now uses IXFR (incremental zone transfer), so that only changes are replicated to DNS partners.

Active Directory Basics

SRV or Service records enable desktops and servers to find the machines which provide specific services, for example the Global Catalog, or Kerberos for logon authentication.  You can also integrate DNS with Active Directory and reduce replication traffic.
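The check below is an added example, not part of the original page: it audits a zone listing for a subset of the SRV records that clients use to locate LDAP, Kerberos and Global Catalog services, and confirms each SRV target has an A record. The zone data is constructed for the page's ABC.com example, and the host swansea is a hypothetical name.

```python
# Constructed sample zone data for the page's example domain ABC.com; not real records.
ZONE = """\
cardiff.abc.com.                3600 IN A   10.54.100.5
_ldap._tcp.abc.com.             600  IN SRV 0 100 389  cardiff.abc.com.
_ldap._tcp.dc._msdcs.abc.com.   600  IN SRV 0 100 389  cardiff.abc.com.
_kerberos._tcp.abc.com.         600  IN SRV 0 100 88   cardiff.abc.com.
_gc._tcp.abc.com.               600  IN SRV 0 100 3268 swansea.abc.com.
"""

# Subset of the SRV owner-name prefixes a domain controller registers, with the
# expected port. _gc._tcp lives under the forest root name; in a single-domain
# forest (assumed here) that is the same as the domain name.
REQUIRED = {
    "_ldap._tcp": 389,            # LDAP directory lookups
    "_ldap._tcp.dc._msdcs": 389,  # domain controller locator
    "_kerberos._tcp": 88,         # Kerberos logon authentication
    "_gc._tcp": 3268,             # Global Catalog
}

def parse_zone(text):
    """Return (a_records, srv_records) parsed from zone-file style lines."""
    a_records, srv_records = {}, {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop ';' comments
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner, rtype = fields[0].lower().rstrip("."), fields[3].upper()
        if rtype == "A":
            a_records[owner] = fields[4]
        elif rtype == "SRV" and len(fields) >= 8:
            # SRV rdata is: priority weight port target
            target = fields[7].lower().rstrip(".")
            srv_records.setdefault(owner, []).append((int(fields[6]), target))
    return a_records, srv_records

def audit_srv(text, domain):
    """List problems that would stop clients locating services for `domain`."""
    a_records, srv_records = parse_zone(text)
    problems = []
    for prefix, port in REQUIRED.items():
        owner = f"{prefix}.{domain.lower()}"
        entries = srv_records.get(owner, [])
        if not entries:
            problems.append(f"missing SRV {owner}")
        for got_port, target in entries:
            if got_port != port:
                problems.append(f"{owner}: port {got_port}, expected {port}")
            if target not in a_records:
                problems.append(f"{owner}: target {target} has no A record")
    return problems
```

On the constructed zone, `audit_srv(ZONE, "ABC.com")` reports only the Global Catalog record, whose target has no matching Host record.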


Domains

Keep in mind that the Domain remains the key unit for both administration and security.  Whilst it is interesting to understand the potential of a Forest, the truth is that most companies are better off with just one Domain and lots of Organizational Units.

Use the move to Active Directory as a chance to 'squash' or amalgamate NT 4.0 domains; here is a real opportunity to reduce the number of domain controllers, and ease administration.

Trees

Trees are made up of a family of Domains.  The first domain you create is called the Root domain.  If you create more domains with the same basic name then you have a Tree.   The tree concept is called 'contiguous namespace'.

When you create a new domain, Active Directory automatically creates two-way trusts between the parent and child domains.  Unlike NT 4.0, these trusts are transitive (pass through).  If the domains have no common root name, they would become separate trees in a forest.  Once you have your plan, be ready for the questions that DCPROMO asks; for example, decide if you want a New Domain in a New Tree, or just a Replica domain controller in an existing domain.

Forests

Forests are one or more Trees that agree to share a Schema.  This means that they agree on the same definitions of users and computers.  In practice domains will share the same schema unless you employ a developer.  The time to be aware of changing the Schema is if you install Exchange 2000.  In this situation the Schema needs to add mailbox properties to the User object.

The first domain in the forest is called the 'root domain'.  This is significant because the root status cannot be changed, and also because it has two powerful groups, Enterprise Admins and Schema Admins, which are not present in any of the child domains.

Organisational Units

It is much easier to administer your users and computers when they are in OUs rather than trying to add them to groups across different domains.  To get the best from OUs, rather than keep all your users in the default 'Users' folder, create OUs to reflect your departments.  Both Users and Computers have the 'Move' option on their Property sheet, so you can always reorganise your resources by creating OUs.  Time spent in creating OUs will also pay back handsomely when you consider Group Policies to control the desktops and to assign software.


Sites

Beginners cannot grasp that physical sites are completely separate from the logical structure of their domains and trees.  Bandwidth will determine the topology of your sites; whereas your administration structure and security needs will decide the logical structure.  In a nutshell, you can have one domain spread over several sites, two different domains in the same site, or simply one domain in one site.

Controlling directory replication within the same site.

Windows 2000 uses a change notification system to keep all the domain controllers synchronised.  When you have more than one domain controller there will be a delay of 5 minutes in changes reaching the other partners at the site.  In a production network you will hardly notice the delay, but in testing it can be irritating and cause you to wonder "Did I really make a change" or "the change I made is not working".  Here is a registry hack that you can use to adjust the 5 minute latency.

Creating a second site

Windows 2000 Active Directory uses multiple master replication.  Unlike NT 4.0 with its PDC and BDC, in Active Directory you can create new objects on any domain controller.  If all servers have fast links, then you can keep them all in the same site and replication will happen automatically every 5 minutes.  Where connections between servers are physically slow, create a new site and regulate directory replication through the links.  Speed is a relative term, and you could use System Monitor to detect a bottleneck; however, 28K links would indicate separate sites, whereas T1 or E1 links would mean that servers can operate in the same site.



Home Copyright © 1999-2008 Computer Performance LTD All rights reserved
