Domain controller

Status
Not open for further replies.

DaJohn
Member
Joined: 28 May 2002
Posts: 211
How can I set up a domain controller so that I can log on to the domain from another computer? I'm using VMware to try all of this out... in VMware I have Windows 2000 Professional and Windows 2000 Advanced Server running.
 
Upgrading a Windows NT Domain
A critical task in upgrading your network to Windows 2000 Server is upgrading the Windows NT Server domain. Domains are an important feature of both Windows NT Server and Windows 2000 Server. A domain is a grouping of accounts and network resources under a single domain name and security boundary. It is necessary to have one or more domains if you want to use domain-based user accounts and other domain security features in Windows 2000 Server. (This was true for Windows NT Server as well.)

With Windows 2000, servers can have one of three roles in relation to domains: domain controllers, which contain matching copies of the user accounts and other Active Directory services data in a given domain; member servers, which belong to a domain but do not contain a copy of Active Directory services data; and stand-alone servers, which do not belong to a domain and instead belong to a workgroup. A domain must have at least one domain controller, and it should generally have multiple domain controllers, each one backing up the user accounts and other Active Directory services data for the others and helping provide logon support to users.

You should plan the roles that your servers will have within domains in Windows 2000 before running Setup; however, if adjustments are necessary to these roles, they can still be made after Setup.

There are several important points to remember about upgrading an existing Windows NT domain to a Windows 2000 domain:

You must use the NTFS file system on domain controllers.

Any servers that have any partition formatted with FAT16 or FAT32 will lack local security. On FAT16 or FAT32 partitions, shared folders can be protected only with permissions set on the directories, not on individual files, and there is no access protection against local access to the partition.

When upgrading the domain controllers in a Windows NT domain to Windows 2000, you must upgrade the PDC first.

The roles of the servers in a domain are named somewhat differently with Windows 2000 Server as compared to Windows NT Server. With Windows NT Server, the possible roles were PDC (limited to one per domain), BDC, member server, or stand-alone server. Windows 2000 has only one kind of domain controller (without a "primary" or "backup" designation) and also includes the roles of member server and stand-alone server. The following table illustrates how Windows 2000 Setup assigns server roles when you upgrade:

Role in Windows NT domain    Role in Windows 2000 domain
Primary domain controller    Domain controller
Backup domain controller     Your choice of domain controller or member server
Member server                Your choice of member server or stand-alone server
Stand-alone server           Your choice of member server (if a Windows 2000 domain exists) or stand-alone server

Upgrading a Windows NT domain involves several stages:

Planning for a Windows NT domain upgrade
Preparing for a Windows NT domain upgrade
Upgrading the PDC
Upgrading the BDCs
Upgrading member servers

Planning for a Windows NT Domain Upgrade
The main features to consider as part of a Windows 2000 upgrade planning are the following:

DNS domain name organization Develop DNS structure for the root domain of an enterprise tree or multiple trees in a forest of disjointed DNS domain names. Once the root DNS domain is created, other subdomains can be added to build the tree. For example, microsoft.com is a root domain, and dev.microsoft.com and mktg.microsoft.com are subdomains.

Name space organization within large account domains Determine how to use OUs to structure the people and project resources.

Domain consolidation Rebalance administration and control of centrally managed and distributed network services by merging resource domains into a smaller number of Windows 2000 domains.

New machine accounts added for long-term organization Determine the location of computer accounts in Windows 2000 OUs. This is an important part of deploying Windows 2000 computer security policies.

Deployment of advanced technologies Deploy new advanced technologies such as PKI security for smart card logon and remote access authentication or IP security for secure data transfer over private intranet and public Internet communications.

NOTE
--------------------------------------------------------------------------------
For more information, see the "Windows 2000 Support Tools' Deployment and Planning Guide." The installation program for this guide and other support tools is located in the \support\tools directory on the Windows 2000 Server installation CD-ROM.

Preparing for a Windows NT Domain Upgrade
Whenever you make any major changes to the contents of the hard disks on your servers, you should back up the hard disks before upgrading any of them. Before upgrading, you should also consider disconnecting the network cable of a BDC in your existing Windows NT network. After upgrading your PDC to Windows 2000 Server, this disconnected system is available for promotion to a Windows NT PDC if needed. (In the course of an uneventful upgrade, you would not promote the Windows NT BDC to PDC, but instead continue the upgrade process, eventually reconnecting the disconnected server and upgrading it.)

In addition, for any computer that will be a domain controller in the Windows 2000 domain, you should make sure there is plenty of room on the disk, beyond the space needed for the operating system itself. When the user accounts database is upgraded to the format used by Windows 2000 Server, it can expand significantly.

Preparing to Upgrade the Domain Controller
Before upgrading a domain controller, there are a number of tasks that must be completed:

Disable WINS by using the Services option in Control Panel in Windows NT Server 4.0 so that the WINS database can be converted during the upgrade process.

Disable DHCP by using the Services option in Control Panel in Windows NT Server 4.0 so that the DHCP database can be converted during the upgrade process.

Set up a test environment by creating test user accounts so that you can test the upgrade once it is complete. Create users and groups that are consistent with your implementation of Windows NT Server 4.0.

The following table describes items you might want to include in a test environment and how to implement them:

Item                     Implementation
User and group policies  Include both user and group policies that are easy to verify after the upgrade. An example is removing the Run command from the Start menu.
User profiles            Set up individual user profiles for the test users that are obvious and easy to verify, such as different background wallpaper.
Logon scripts            Use logon script commands that are easy to verify after the upgrade, such as mapping network drives with the net use command.

NOTE
--------------------------------------------------------------------------------
It is always a good idea to test any upgrade in a lab environment before implementing it in a production environment. To that end you may remove a BDC from the network and promote it to be a PDC in a private network. Then you can upgrade the PDC to Windows 2000 Server. If that is successful, you can bring that computer back to the production environment.

Upgrading the Primary Domain Controller
The first domain controller to be upgraded in a Windows NT domain must be the PDC. As you upgrade this server, you will be given the choices of creating a new domain or a child domain, and creating a new forest or a domain tree in an existing forest. For upgrading a domain of three to five servers, create a new domain and a new forest. You should also define the domain name space to set up the top-level name space for the organization. Other domains can be added to the tree as child domains.

During the upgrade, you have the opportunity to choose the location of three important files: the database containing user accounts and other Active Directory data, the log file, and the system volume file (SYSVOL). The database and the log file can be on any type of partition (FAT16, FAT32, or NTFS); the previous SAM database can expand significantly from the size it had with Windows NT Server, so allow plenty of room for it. (Initially, the log file will take up very little space.) The system volume file must be on an NTFS partition.

After the first server is upgraded to a Windows 2000 domain controller, it will be fully backward compatible. This means that in a multiple-server environment the domain controller appears as a Windows 2000 domain controller to Windows 2000 servers and clients but emulates a Windows NT 4.0 PDC to other servers and clients.

Upgrading the Backup Domain Controllers
After upgrading your PDC and ensuring that it is functioning to your satisfaction, upgrade any BDCs next. (If possible, it is best to begin the upgrades soon, rather than allowing a long delay.) Be sure that the first server upgraded (the former PDC) is running and available on the network as you upgrade other domain controllers. This server is used as a template for the other domain controllers to copy as they are upgraded.

Upgrade the BDCs one at a time, and ensure that each is backed up before upgrading. Start and test each server on the network to ensure that it is functioning to your satisfaction before upgrading another BDC.

When you have completely upgraded all servers to Windows 2000 domain controllers, you have the option of changing the domain from Mixed mode (where Windows NT domain controllers can exist in the domain) to Native mode (where only Windows 2000 domain controllers can exist in the domain). This is an important decision, because you cannot revert to Mixed mode after changing to native mode. Figure 2.2 shows the transition from a Windows NT domain to a Windows 2000 native mode domain.

Mixed Mode

Mixed mode refers to a domain that contains both Windows 2000 and Windows NT 3.51/4.0 domain controllers. In Mixed mode the PDC is upgraded to Windows 2000 Server and one or more BDCs remain at version Windows NT Server 3.51/4.0. The Windows 2000 domain controller that was the PDC uses the Active Directory store to save objects. It is still fully backward compatible because it exposes the data as a flat store to down-level computers.

The PDC appears as a Windows 2000 domain controller to other Windows 2000 computers, and as a Windows NT 3.51/4.0 domain controller to computers that are not yet upgraded.

The domain still uses a single master replication with a Windows 2000 PDC; it is recognized as the domain master by the Windows NT Server 3.51/4.0 BDCs.

In Mixed mode the domain is limited by the functionality of the Windows NT 4.0 domain controllers. Some of the limitations on Windows 2000 operating in Mixed mode include the following:

No group nesting is available.

Non-Windows 2000 clients cannot benefit from transitive trust; they are subject to the limitations of pre-Windows 2000 trust relationships for access to resources.

Mixed mode is the default mode and is generally an interim step in the implementation of Windows 2000.

Native Mode

Once all domain controllers in a domain are upgraded, the domain can be moved from Mixed mode to Native mode. In Native mode all clients make use of Windows 2000 transitive trust. This means that a user can connect to any resource in the enterprise. Native mode also allows group nesting.

NOTE
--------------------------------------------------------------------------------
Moving to Native mode is a one-way move; once in Native mode, it is not possible to move the domain back to Mixed mode.

Upgrading Member Servers
Upgrade the member servers. Member servers in the domain can be upgraded in any order.

Domain Consolidation
Domain consolidation is a planning process for organizing domain resources to take advantage of new advanced features of the Windows 2000 Active Directory services. Domain reconfiguration is optional; it is not a requirement for deploying Windows 2000. Domain reconfiguration can take place over time as individual machines are upgraded and moved to different domains. Reconfiguration is also a fairly intensive and time-consuming administrator operation, as computers are moved to new domains and access control is verified or updated as needed.

There are two general ways to consolidate domains:

Move user accounts from one domain to another to form a single larger domain.

Move server computers from one resource domain into the OU of another domain.

One advantage to domain consolidation is that the number of master account domains can be reduced because each domain can be scaled to handle a much larger number of user, group, and computer accounts. Combining master account domains can reduce the number of server computers and interdomain trust accounts. However, moving users from one domain to another requires the creation of a new temporary password for the user account in the new domain. User passwords are not preserved when a user account is moved from one domain to another, although the SID for the user is.

Another advantage to domain consolidation is that the number of resource domains can be reduced by moving servers from many small domains into a combined resource domain. The domain controllers of the resource domains become member servers in the larger combined domain. This reduces the number of interdomain trust relationships between resource domains and account domains, saving system resources on domain controllers. Domain consolidation also makes it easier to redeploy server computers from one project or department to another.

Windows 2000 includes the following features that enable domain reconfiguration:

Users and groups can be moved across domain boundaries and preserve security identity. The SID history is kept with the user account, and access tokens will contain both the new and the old SID to preserve access rights.

Domain controllers can be demoted to a member server and moved to another domain.

Security policies can be defined centrally and applied to many systems. These policies can grow in scope and change over time. They are used to deploy new technology, such as public key security and IP security. As new computers join a domain, they can automatically pick up the security policy in effect for the new domain.

Computers can be moved to different domains by using remote administration tools.

Access rights can be updated to reflect changes in organization or philosophy.
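As an added example, not part of the course chapter or of this reply: the choices the chapter describes for the first domain controller (a new domain in a new forest for a small domain, the database and log paths, SYSVOL on NTFS) can be scripted as an unattended DCPROMO run on a stand-alone Windows 2000 Server, which is exactly what a VMware lab needs. The [DCInstall] keys are the Windows 2000 dcpromo answer-file keys as I know them; the domain name, paths and passwords are assumptions.

```batch
@echo off
rem Added example, not from the course chapter above: run DCPROMO unattended to
rem create the first domain controller of a new domain in a new forest.
rem The [DCInstall] keys are the Windows 2000 dcpromo answer-file keys as I
rem know them; domain name, paths and passwords are assumptions.
setlocal
set ANSWER=%SystemDrive%\dcpromo.txt
set SYSVOLDRIVE=%SystemDrive%

rem 1. SYSVOL must be on NTFS (the database and log may be on FAT, but then
rem    have no local file security). chkntfs reports a volume's file-system type.
chkntfs %SYSVOLDRIVE% | find "NTFS" >nul || (
    echo %SYSVOLDRIVE% is not NTFS; convert it first: convert %SYSVOLDRIVE% /fs:ntfs
    exit /b 1
)

rem 2. Write the answer file. DNSOnNetwork=No plus AutoConfigDNS=Yes lets
rem    dcpromo install and configure DNS on this server; Active Directory does
rem    not work without a DNS server that accepts the SRV records it registers.
> "%ANSWER%" echo [DCInstall]
>> "%ANSWER%" echo ReplicaOrNewDomain=Domain
>> "%ANSWER%" echo TreeOrChild=Tree
>> "%ANSWER%" echo CreateOrJoin=Create
>> "%ANSWER%" echo NewDomainDNSName=corp.example.com
>> "%ANSWER%" echo DomainNetbiosName=CORP
>> "%ANSWER%" echo DNSOnNetwork=No
>> "%ANSWER%" echo AutoConfigDNS=Yes
>> "%ANSWER%" echo DatabasePath=%SystemRoot%\NTDS
>> "%ANSWER%" echo LogPath=%SystemRoot%\NTDS
>> "%ANSWER%" echo SYSVOLPath=%SYSVOLDRIVE%\SYSVOL
>> "%ANSWER%" echo SafeModeAdminPassword=ChangeMe-DSRM-1
>> "%ANSWER%" echo RebootOnSuccess=No

rem 3. Promote. Run this as the local Administrator of the stand-alone server.
dcpromo /answer:"%ANSWER%"

rem 4. The answer file holds the Directory Services Restore Mode password in
rem    clear text; remove it before rebooting into the new domain controller.
del "%ANSWER%"
echo Promotion finished; reboot to complete it.
```

RebootOnSuccess is set to No on purpose so that the answer file can be deleted before the reboot; the DSRM password in it is the one that gets you into the directory when Active Directory will not start, so treat the file like a password file.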
 
That previous post was quite a story, but if I understand correctly you have an Advanced Server running? Is that a stand-alone server?

If so, you can set up a domain with the Configure Your Server wizard. The wizard helps you with that.

After that you have to add the workstation to the domain by opening the properties of 'My Computer' and changing the network identification properties.
 
Well, I can copy a chapter from my course too!

Actual help is something else. In broad terms: first you have to create a domain; only then can you make workstations members of it.

To create a domain, run the DCPROMO wizard on your server (Start -> Run, "DCPROMO").

To make a workstation a member of a domain, run the Network Identification Wizard: right-click the 'My Computer' icon and choose Properties. On the 'Network Identification' tab you will find a 'Properties' button that starts the wizard.

I have a setup like this running here myself with a few workstations, to try all kinds of things out on. If you get stuck somewhere, feel free to let us know.
You learn the most by playing around.

What I tripped over: an administrator password on a workstation may not be the same as the Domain Administrator password. And they hadn't mentioned that in my course... Sometimes it's the little things.
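As an added example, not from the reply above: the Network Identification wizard step can also be done from the command line with netdom.exe from the Windows 2000 Support Tools (\support\tools on the Server CD), which makes the two things that usually go wrong in a lab visible: DNS on the workstation not pointing at the domain controller, and the join account's password ending up in the console history. The domain, the domain controller's name and its address are assumptions.

```batch
@echo off
rem Added example, not from the forum reply: join a Windows 2000 Professional
rem workstation to the domain from the command line and verify the result.
rem Needs netdom.exe from the Windows 2000 Support Tools. Domain, domain
rem controller name and address are assumptions.
setlocal
set DOMAIN=CORP
set DNSDOMAIN=corp.example.com
set DC=dc1
set DCADDR=192.168.10.1

if "%1"=="verify" goto verify

rem 1. The workstation must resolve the new domain through the DC's DNS. A lab
rem    VM typically still points at the host's or ISP's resolver, which knows
rem    nothing about corp.example.com, and the join then fails on name resolution.
netsh interface ip set dns name="Local Area Connection" source=static addr=%DCADDR%
ping -n 1 %DC%.%DNSDOMAIN% >nul || (
    echo Cannot resolve or reach %DC%.%DNSDOMAIN%
    exit /b 1
)

rem 2. Join with a domain account that may create computer objects. "*" makes
rem    netdom prompt for the password instead of taking it on the command line,
rem    where it would be left behind in the console history. Reboot after 30 s.
netdom join %COMPUTERNAME% /domain:%DOMAIN% /userd:%DOMAIN%\Administrator /passwordd:* /reboot:30
exit /b %ERRORLEVEL%

:verify
rem After the reboot, log on with a domain account and run "<script> verify":
rem the secure channel to a DC must verify and a domain share must map, which
rem is also the kind of logon-script check (net use) the course chapter suggests.
netdom verify %COMPUTERNAME% /domain:%DOMAIN% || exit /b 1
net use Z: \\%DC%\NETLOGON /persistent:no || exit /b 1
echo %USERDOMAIN%\%USERNAME% is logged on to %DOMAIN% from %COMPUTERNAME%
net use Z: /delete >nul
exit /b 0
```

If the verify step fails while the join itself succeeded, the usual cause is that the workstation was logged on with a local account (the logon box shows the computer name rather than the domain in "Log on to"), so %USERDOMAIN% is worth checking before anything else.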
 