Migrating from Microsoft® Windows NT® Server 4.0 to Windows Server™ 2003
Version 1.0

This guide provides a prescriptive migration path with step-by-step instructions for small and medium-sized organizations planning a migration from Microsoft Windows NT 4.0 to Windows Server 2003.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. The furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property rights except as expressly provided in any written license agreement from Microsoft. © 2003 Microsoft Corporation. All rights reserved. Microsoft, Windows, and Windows Server are trademarks or registered trademarks of Microsoft Corporation in the USA and other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Chapter 1

Small and medium-sized organizations can migrate from a Microsoft® Windows NT® 4.0 operating system environment to a Windows Server™ 2003 operating system environment to take advantage of Windows Server 2003 features. Careful planning is important to ensure that the migration proceeds smoothly and quickly. This chapter describes how to assess your current Windows NT 4.0 environment, make decisions about your new Windows Server 2003 environment, and plan the sequence of steps required to perform the migration.

In This Chapter
· Overview of Planning the Migration
· Selecting a Migration Path
· Assigning Server Roles
· Designing the New Windows Server 2003 Active Directory Environment
· Planning for Test and Recovery
· Additional Resources

Overview of Planning the Migration

Before you migrate your organization from a Windows NT 4.0 domain to a new Windows Server 2003 Active Directory, it is important to evaluate your existing domain controllers and member servers, plan your migration process, and design your new Windows Server 2003 domain. Planning for a migration to Windows Server 2003 involves the following steps:
· Selecting a migration path
· Assigning server roles
· Designing the new Windows Server 2003 domain
· Planning for test and recovery

To illustrate the migration process from Windows NT 4.0 to Windows Server 2003, chapters 1 and 2 in this book describe how a fictitious manufacturing company, Fabrikam, Inc., plans and deploys Windows Server 2003 in its environment. Fabrikam has 300 employees; approximately 270 of these employees work at the Seattle headquarters, and another 30 work in the field. Fabrikam plans to open an office in Boston, which will be part of the Seattle-based network, and relocate 20 employees to that location. The IT department for Fabrikam consists of an IT manager and a network and user support person.

The Fabrikam environment consists of the following:
· One domain, named Fabricorp, which is running Windows NT 4.0.
· Three servers: the PDC, which is running on new server hardware purchased six months ago, a BDC, and a member server, both running on older server hardware.
· The WINS name resolution service on the internal network, and internal DNS as well as DNS services provided by an Internet Service Provider (ISP).
· Remote Access Service, file service, and print services running on the Windows NT 4.0 servers.
· Several different client operating systems, including Microsoft® Windows® 98, Windows® 2000 Professional, and Windows® XP.
The Fabrikam IT department established the following goals for their migration:
· Upgrade the Windows NT 4.0 domain to a Windows Server 2003 Active Directory domain.
· Consolidate services onto two servers, both running Windows Server 2003.
· When the Boston office opens, create a new Active Directory site and place a new domain controller in Boston.

Figure 1.1 shows the current Windows NT 4.0 environment.

Figure 1.1 Current Environment for Fabrikam
Server Roles

A server role is a dedicated function that a computer running one of the Windows Server operating systems provides remotely to network clients. Server roles can be combined on a single server. The server roles that are important to small and medium-sized organizations include:
· Domain controller
· DHCP and WINS
· File and print
· Remote access
· Web

Before beginning a server migration, it is important to be familiar with the following terminology.
· Server. A computer running Windows NT 4.0 or a later Windows server operating system that is connected to a local area network (LAN). Each server is configured to perform one or more services for network clients.
· Client. Any computer (workstation or server) that is connected to the LAN and that requests data, files, or account information from a server to complete a function.
· Server role. A service performed by a server to support network client needs; for example, a server might have a role of file server or Web server. A server can execute one or several server roles.
· A server from which a server role is migrated.
· A server to which a server role is migrated.

Selecting a Migration Path

Before you migrate your environment from Windows NT 4.0 to Windows Server 2003, you must select the migration path that best meets the needs of your organization. The size of your organization, your existing hardware, and the operating system that you are currently running impact the migration path that you select.

Organizations that include fewer than 75 network devices might want to consider using the Microsoft® Small Business Server network operating system instead of Windows Server 2003. Small Business Server delivers e-mail, secure Internet connectivity, business intranets, remote connectivity, support for mobile devices, and file and printer sharing on a single server. For more information about migrating to Small Business Server, see the Small Business Server Web site at http://go.microsoft.com/fwlink/?LinkId=5984.

Evaluate Your Existing Hardware

If you have any domain controller in your current environment that is capable of running Windows Server 2003, then plan to upgrade this domain controller in place to establish your Windows Server 2003 Active Directory domain. To do this, the domain controller must be the PDC; if it is not currently the PDC, you must promote it to be the PDC before you upgrade.

Evaluate your existing hardware to identify which servers you can upgrade to Windows Server 2003 and which servers do not meet the recommended hardware requirements. To do this, first document the RAM, CPU, and disk space on each server in your environment, and then compare this information to the Windows Server 2003 System Requirements link on the Web Resources page at http://go.microsoft.com/fwlink/?LinkId=291. Based on this evaluation, determine whether you need to purchase new server hardware. Table 1.1 shows the server hardware configuration information for Fabrikam, Inc.

Table 1.1 Fabrikam Server Hardware Configuration
The PDC, SEA-FAB-DC01, meets the requirements for a Windows Server 2003–based domain controller, so it will be upgraded in place. The BDC, SEA-FAB-DC02, does not meet the recommended requirements for a Windows Server 2003–based domain controller. Fabrikam will use it as the Windows NT 4.0 rollback server if a problem occurs during the in-place upgrade process. Because two domain controllers at minimum are required, they will plan to deploy a new computer, SEA-FAB-DC03, as a domain controller running Windows Server 2003. The member server, SEA-FAB-MS01, does not meet the recommended hardware requirements for a member server. The services running on this server will be migrated to SEA-FAB-DC03, and SEA-FAB-MS01 will be retired. Fabrikam’s new environment will consist of two servers, SEA-FAB-DC01 and SEA-FAB-DC03.

If the server that holds the PDC role in your environment does not meet the hardware requirements, you can transfer the PDC role to a BDC that does meet the hardware requirements and upgrade the new PDC to Windows Server 2003. If none of your Windows NT 4.0 domain controllers meet the Windows Server 2003 hardware requirements, in order to upgrade in place, you must install a Windows NT 4.0 BDC on a computer that does meet the hardware requirements for a domain controller that is running Windows Server 2003 and transfer the PDC role to it.

You can also add a Windows Server 2003–based member server to a Windows NT 4.0 domain at any time before you upgrade to Windows Server 2003 Active Directory. Windows Server 2003–based member servers can operate within a Windows NT 4.0 environment. However, you cannot install Active Directory on the member server to make it a domain controller until after you have upgraded the Windows NT 4.0 PDC.

If the PDC is running other services, such as WINS, DHCP, file and print, or Web server, you must also determine whether to upgrade those services in place or migrate them to other servers before upgrading the PDC. If the PDC is running Remote Access Service, you must migrate the service to a server running Windows Server 2003 before you upgrade the PDC. For more information about assigning server roles to server hardware, see “Assigning Server Roles” later in this chapter.

Figure 1.2 summarizes the process for evaluating your current hardware to determine which server, if any, in your current environment you will upgrade to Windows Server 2003 to establish your new Windows Server 2003 domain.

Figure 1.2 Evaluating Your Existing Hardware
Identify the Windows NT 4.0 platforms that are running in your environment and determine whether an operating system upgrade to Windows Server 2003 is supported, or whether you must perform a clean operating system installation. You can upgrade the following Windows NT 4.0 platforms to Windows Server 2003, Standard Edition directly:
· Windows NT 4.0 Server, Standard Edition
· Windows NT 4.0 Terminal Server

You do not need to reinstall applications on platforms that you can upgrade directly to Windows Server 2003; however, be sure to verify with the vendor of the application that it can run on Windows Server 2003. If you have computers in your environment that are running operating systems that you cannot upgrade directly to Windows Server 2003, such as the Microsoft® Windows NT® 3.51 operating system, you must do one of the following:
· If you need to retain applications that are located on those computers, verify that those applications will function on and are supported by Windows Server 2003, and then upgrade the computers to run an operating system that you can upgrade to Windows Server 2003.
· If you do not need to retain applications that are located on those computers, perform a clean installation of Windows Server 2003 on those computers.

Assigning Server Roles

As you plan your migration from a Windows NT 4.0 environment to Windows Server 2003, it is important to plan your future server role assignments. This involves completing the following steps:
· Documenting the servers in your current environment and the services that each server provides.
· Assigning the server roles in your new environment, and documenting those assignments.
· Performing basic capacity planning to verify that you have sufficient capacity on your servers to host the assigned server roles.
· Evaluating the existing network configuration, including IP address and network adapter information for each server.

Document Servers and Services in Your Current Environment

Identify the servers in your existing Windows NT 4.0 domain, and document the services that each server provides. Be sure to identify servers that provide the LAN Manager Replication (LMRepl) service, Remote Access Service, and file service, because you will need to perform tasks prior to upgrading to ensure the continued functionality of these services and access to resources for clients.
You can create a simple table to document your servers and services. Table 1.2 shows the servers and services documentation for Fabrikam, Inc.

Table 1.2 Servers and Services in the Current Environment for Fabrikam
For more information about the effect of upgrading to Windows Server 2003 Active Directory on WINS, DHCP, the RAS service, and the LMRepl service, see “Upgrading to Windows Server 2003 Active Directory” in this book.

Assign Server Roles in the New Environment

To assign server roles in your new environment, first assign the domain controllers in your existing environment roles in your new Windows Server 2003 domain. Then, decide where to place other services in the new domain.

Domain Controller Roles

Assign the existing Windows NT 4.0–based domain controllers roles that they will assume in the new Windows Server 2003 domain after the upgrade is complete. Assign one of the following three roles to Windows NT 4.0–based domain controllers in a Windows Server 2003 domain:
· Windows Server 2003–based domain controller. Assign the role of Windows Server 2003–based domain controller to the Windows NT 4.0 PDC and to any BDCs that meet the appropriate hardware and software requirements.
· Rollback server. Assign the role of rollback server in the Windows Server 2003 domain to a Windows NT 4.0 BDC that does not meet the Windows Server 2003 domain controller hardware requirements.
· Windows Server 2003–based member server. Assign the role of member server in the Windows Server 2003 domain to a Windows NT 4.0–based BDC that does not meet the Windows Server 2003 domain controller hardware requirements.

It is helpful to document this information in a table. List in the table the Windows NT 4.0–based domain controllers in your domain, whether they meet the hardware requirements for Windows Server 2003, the current role of the domain controller, and the role for the domain controller after you upgrade the domain. Fabrikam documented their domain controller role assignments as shown in Table 1.3.

Table 1.3 Domain Controller Role Assignments
Server Roles

Decide where to place all services on both domain controllers and member servers after you migrate your environment to Windows Server 2003. This decision depends on whether your existing server hardware meets the requirements to run Windows Server 2003. Generally, if a server on which a service is running meets the hardware requirements, you can either upgrade it in place or migrate it to another server; if the server on which the service is running does not meet hardware requirements, you must migrate the service to or reinstall the service on a different server. You can also choose to migrate services to different servers to consolidate them on fewer servers, or, alternatively, to separate them.

Server Role Assignment if All Windows NT 4.0 Domain Controllers Meet Hardware Requirements

If your Windows NT 4.0–based domain controllers are running other services, such as DHCP, WINS, File and Print, or IIS, then determine whether you want to upgrade these services in place on the existing hardware, or migrate them to one or more separate domain controllers or member servers. If a server is running the Remote Access Service, you must migrate the service to a server running Windows Server 2003 before you upgrade the domain controller. For more information about migrating these server roles to Windows Server 2003, see the following chapters in this book:
· “Upgrading and Migrating WINS and DHCP Servers to Windows Server 2003”
· “Migrating File and Print Servers to Windows Server 2003”
· “Migrating to Dial-up and VPN Remote Access Servers running Windows Server 2003”
· “Migrating Web Sites from IIS 4.0 to IIS 6.0”

Server Role Assignment if the PDC Does Not Meet Hardware Requirements

If the PDC does not meet hardware requirements, deploy a new Windows NT 4.0 BDC on new server hardware. You can then promote the new BDC to the PDC, and this computer will become your first Windows Server 2003 domain controller.
If you have other server roles running on the original PDC, such as DHCP, WINS, File and Print, RAS, or IIS, then develop a plan to migrate these roles from the original PDC to the server of your choice in your Windows Server 2003 environment. For more information about migrating these server roles, see the following chapters in this book:
· “Upgrading and Migrating WINS and DHCP Servers to Windows Server 2003”
· “Migrating File and Print Servers to Windows Server 2003”
· “Migrating to Dial-up and VPN Remote Access Servers running Windows Server 2003”
· “Migrating Web Sites from IIS 4.0 to IIS 6.0”

Server Role Assignment if a BDC Does Not Meet Hardware Requirements

After you deploy your first Windows Server 2003 domain controller, you can install additional new Windows Server 2003 domain controllers and member servers. You can then migrate any services on the original BDC to the first Windows Server 2003 domain controller or to the new server of your choice.

Example: Server Role Assignments for Fabrikam

Fabrikam assigned their server roles as shown in Table 1.4.

Table 1.4 Server Role Assignments
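The hardware evaluation and role assignment rules from "Evaluate Your Existing Hardware" and "Domain Controller Roles" above, together with the two-domain-controller minimum, can be written down as a small planner. The following Python script is an added example, not part of the original guide; the server names are the chapter's, while the hardware figures, the RAM and disk thresholds, and the dataclass and function names are constructed for this illustration.

```python
"""Role planner for an in-place Windows NT 4.0 -> Windows Server 2003 upgrade.

Added example, not from the original guide.  It encodes this chapter's rules on
which domain controller to upgrade in place, which BDC becomes the rollback
server, when RAS must be migrated, and how many domain controllers are needed.
"""
from dataclasses import dataclass, field

# Constructed placeholder thresholds; take real values from the Windows Server 2003 System
# Requirements page.  850 MHz is the chapter's own domain controller CPU recommendation.
MIN_CPU_MHZ, MIN_RAM_MB, MIN_FREE_DISK_GB = 850, 256, 2.0

DC_ROLE = "Windows Server 2003 domain controller"
ROLLBACK_ROLE = "Windows NT 4.0 rollback server (synchronize, then take offline)"
MEMBER_ROLE = "Windows Server 2003 member server"
RETIRE = "retire after migrating services"

@dataclass
class Server:
    name: str
    nt_role: str                 # "PDC", "BDC" or "member"
    cpu_mhz: int
    ram_mb: int
    free_disk_gb: float
    services: list = field(default_factory=list)

@dataclass
class Plan:
    roles: dict = field(default_factory=dict)   # server name -> planned role
    tasks: list = field(default_factory=list)   # work to do before the upgrade
    new_dcs_needed: int = 0                     # new servers to buy as domain controllers

def meets_dc_requirements(s: Server) -> bool:
    """Compare the documented CPU, RAM and free disk of a server with the thresholds."""
    return s.cpu_mhz >= MIN_CPU_MHZ and s.ram_mb >= MIN_RAM_MB and s.free_disk_gb >= MIN_FREE_DISK_GB

def required_dc_count(locations: int) -> int:
    """Two domain controllers for one location, plus one for every additional location."""
    return 2 + max(0, locations - 1)

def plan_roles(servers: list, locations: int = 1) -> Plan:
    plan = Plan()
    dcs = [s for s in servers if s.nt_role in ("PDC", "BDC")]
    pdc = next(s for s in dcs if s.nt_role == "PDC")

    # 1. The computer upgraded in place becomes the first Windows Server 2003 domain
    #    controller; it must hold the PDC role and meet the hardware requirements.
    first = pdc if meets_dc_requirements(pdc) else next(
        (s for s in dcs if s.nt_role == "BDC" and meets_dc_requirements(s)), None)
    if first is None:
        plan.tasks.append("Install a new NT 4.0 BDC on qualifying hardware and promote it to PDC")
    else:
        if first is not pdc:
            plan.tasks.append(f"Promote {first.name} to PDC before the upgrade")
        plan.roles[first.name] = f"{DC_ROLE} (upgrade in place)"

    # 2. Other DCs: qualifying ones upgrade after the PDC, the first non-qualifying BDC
    #    is kept as the rollback server, any further non-qualifying BDC becomes a member.
    rollback_chosen = False
    for s in dcs:
        if s is first:
            continue
        if meets_dc_requirements(s):
            plan.roles[s.name] = f"{DC_ROLE} (upgrade after the PDC)"
        elif not rollback_chosen:
            plan.roles[s.name], rollback_chosen = ROLLBACK_ROLE, True
        else:
            plan.roles[s.name] = MEMBER_ROLE

    # 3. Member servers that do not meet the requirements are retired.
    for s in servers:
        if s.nt_role == "member":
            plan.roles[s.name] = MEMBER_ROLE if meets_dc_requirements(s) else RETIRE

    # 4. Services: RAS leaves a DC before that DC is upgraded; services on servers that
    #    are not upgraded are migrated; the rest are upgraded in place with the server.
    for s in servers:
        upgraded = plan.roles[s.name].startswith(DC_ROLE)
        for svc in s.services:
            if svc == "RAS" and upgraded:
                plan.tasks.append(f"Migrate RAS off {s.name} before upgrading it")
            elif not upgraded:
                plan.tasks.append(f"Migrate {svc} from {s.name} to a Windows Server 2003 server")
            else:
                plan.tasks.append(f"Upgrade {svc} in place on {s.name}")

    # 5. Capacity: enough Windows Server 2003 domain controllers for every location.
    planned = sum(1 for r in plan.roles.values() if r.startswith(DC_ROLE))
    plan.new_dcs_needed = max(0, required_dc_count(locations) - planned)
    return plan

def fabrikam_plan(locations: int = 1) -> Plan:
    """Constructed hardware inventory for the Fabrikam servers named in this chapter."""
    return plan_roles([
        Server("SEA-FAB-DC01", "PDC", 1000, 512, 10.0, ["WINS", "DHCP"]),
        Server("SEA-FAB-DC02", "BDC", 400, 128, 1.0, ["RAS"]),
        Server("SEA-FAB-MS01", "member", 300, 128, 1.0, ["file", "print"]),
    ], locations)
```

For the constructed Fabrikam inventory the planner reproduces Table 1.3: SEA-FAB-DC01 is upgraded in place, SEA-FAB-DC02 becomes the rollback server, SEA-FAB-MS01 is retired, and one new domain controller (SEA-FAB-DC03) is needed, or two once the Boston location is counted.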
One of the goals for Fabrikam is to consolidate all services on two servers in Seattle. Because two domain controllers are required, both servers were assigned the domain controller role. To achieve both redundancy and standardization, both servers were also assigned the roles of DNS server, WINS server, DHCP server, file server, and print server. On SEA-FAB-DC01, WINS and DHCP were already running, so they will be upgraded in place. The services that were running on servers that will not be upgraded (RAS, file, and print) were assigned to be migrated to SEA-FAB-DC03.

Plan for Server Capacity

Domain controller capacity planning for smaller organizations is straightforward. For a single domain with up to 2999 users and one location, you will need two domain controllers, each with a uniprocessor 850 megahertz (MHz) or higher CPU. If you have more than one location, you will need an additional domain controller for each location. If you have other services running on the domain controllers, you might want to add more CPU, RAM, or disk space to improve performance.

File servers have capacity requirements that vary depending on the data in your organization. For information about planning for file server capacity, see “Migrating File and Print Servers to Windows Server 2003” in this book.

Example: Sequence of Migration Tasks for Fabrikam

After they assigned server roles to server hardware and established their capacity requirements, the IT department for Fabrikam listed the sequence of tasks to be performed in order to place the server roles. These include the following:
· Purchase one new server with sufficient capacity to run the services assigned to SEA-FAB-DC03.
· Deploy SEA-FAB-DC03 as a new member server running Windows Server 2003 in the Windows NT 4.0 environment. (They will install Active Directory on this server after they upgrade the PDC, making it the second domain controller in the Windows Server 2003 domain.)
· Migrate the Remote Access Service currently running on SEA-FAB-DC02, and the file and print services currently running on SEA-FAB-MS01, to SEA-FAB-DC03.
· Upgrade the domain to Windows Server 2003 Active Directory, following the sequence of tasks in the “Upgrading to Windows Server 2003 Active Directory” chapter in this book.

The Fabrikam IT department chose to deploy their new server, SEA-FAB-DC03, as a member server in the Windows NT 4.0 environment, rather than waiting until after the upgrade to deploy it. This allowed them to migrate the Remote Access Service from the BDC, SEA-FAB-DC02, and take the BDC offline as their rollback server. It also enables them to gain experience with the administration tools in Windows Server 2003 before they upgrade their domain.

Evaluate the Existing Network Configuration

Evaluate the existing network configuration for your Windows NT 4.0 domain to determine whether it is sufficient for your new Windows Server 2003 domain. Some network adapter drivers that are included with earlier versions of the operating system are not distributed with Windows Server 2003. If you attempt to upgrade a Windows NT 4.0–based server to Windows Server 2003 and a network adapter is installed for which a driver is not provided, your network information might be lost or detected incorrectly during the upgrade.
Identify the type of network adapter that each server in your domain uses. Also, include the TCP/IP configuration information for each server, including IP address, subnet mask, and default gateway. You can run the ipconfig command at the command line to determine IP address, subnet mask, and default gateway. For more information about the ipconfig command, type ipconfig /? at the command line. To determine whether the network adapter is supported by Windows Server 2003, see the Windows Server Catalog link on the Web Resources page at http://go.microsoft.com/fwlink/?LinkId=291. Table 1.5 shows the network configuration information for Fabrikam.

Table 1.5 Fabrikam Server Network Configuration
Designing the New Windows Server 2003 Active Directory Environment

Before you begin your migration process, it is important to design your new Windows Server 2003 domain. This involves creating an Active Directory logical structure design and planning for DNS.

Design the Active Directory Logical Structure

Active Directory allows administrators to organize elements of a network (such as users, computers, devices, and so on) into a hierarchical, treelike structure of containers. The largest Active Directory container is called a forest. Within forests, there are domains. Within domains there are organizational units (OUs). This is called the logical model because it is designed independently from most physical aspects of the deployment, such as the number of domain controllers required within each domain and the network topology.

This book describes how to deploy a single global domain design, which is the easiest to administer and the least expensive to maintain. The single global domain design consists of a forest that contains a single domain. This domain contains all of the user, group, and computer accounts in the forest. In a single domain forest, all directory data is replicated to all geographic locations that host domain controllers.

You do not need to create a forest or domain design when you upgrade from a single Windows NT 4.0 domain to a single Windows Server 2003 Active Directory domain. You might want to design a simple OU structure for your single global domain, particularly if you plan to use Group Policy to help manage your environment. You can do this either before the migration, or at a later time. For more information about applying Group Policy to an OU structure, see “Migrating to Group Policy–Based Administration” in this book.

Plan for DNS

Windows Server 2003 uses DNS for name resolution rather than the Windows Internet Name Service (WINS) NetBIOS name resolution method that Windows NT 4.0–based networks use.
It is still possible to use WINS for applications that require it; however, Active Directory requires DNS. Active Directory uses the name resolution services provided by DNS to enable clients to locate domain controllers and enable the domain controllers hosting the directory service to communicate with each other. To plan for DNS, you need to select a DNS domain name, and determine how to configure the DNS Server service on domain controllers.

Select a DNS Domain Name

Before you begin using DNS on your network, decide on your DNS domain name, based on the following guidelines:
· If you have a Web presence (for example, if an ISP hosts your site called www.fabrikam.com), reuse this name and add a prefix to create the DNS name for your Windows Server 2003 Active Directory domain (for example, fabricorp.fabrikam.com).
· If you do not have a Web presence, consider whether you plan to have one in the future. If you do plan to have a Web presence, then register the name before you install Active Directory. If you do not have a Web presence, then you do not need to register the name.
Determine How to Configure the DNS Server Service on Domain Controllers

The process for designing DNS to support Active Directory varies according to whether your organization already has an existing DNS service or whether you are deploying a new DNS service. This chapter discusses three starting scenarios:
· No existing DNS.
· No internal DNS, with DNS services provided by an ISP only.
· Internal DNS and DNS provided by an ISP.

If one of the following scenarios describes your current DNS infrastructure, then see “Deploying DNS” in Deploying Network Services in the Windows Server 2003 Deployment Kit (or see “Deploying DNS” on the Web at http://go.microsoft.com/fwlink/?LinkId=4709) for more information:
· An internal DNS namespace, used only on your own network.
· An internal DNS namespace with referral and access to an external namespace, such as referral or forwarding to a DNS server on the Internet.

No Existing DNS

An organization has no existing DNS infrastructure if the following are true:
· The organization does not have any existing DNS servers in the network infrastructure.
· The organization does not have any clients that access DNS servers. This means that the organization does not rely on an external source, such as a network service provider, for DNS services.

If this is true for your organization, you can allow the Active Directory Installation Wizard to configure an internal Active Directory-integrated DNS on the PDC automatically. To configure DNS on the PDC and subsequent domain controllers, follow the procedures in the “Upgrading to Windows Server 2003 Active Directory” chapter in this book.

No Internal DNS, DNS Provided by an ISP Only

If you do not have an internal DNS, but your ISP provides DNS services, then you can allow the Active Directory Installation Wizard to automatically configure an internal Active Directory-integrated DNS on the PDC. Your ISP does not need to make any changes. To configure DNS on the PDC and subsequent domain controllers, follow the procedures in the “Upgrading to Windows Server 2003 Active Directory” chapter in this book. After you complete these procedures, you will have both an internal DNS and DNS provided by an ISP. The first domain controller that you deploy will automatically be configured to host the DNS zone that corresponds to the DNS name of the domain. To install and configure DNS in your environment, it is recommended that you do the following:
· Install the DNS Server service on every domain controller. This provides fault tolerance in the event that one of the DNS servers is unavailable. In this way, domain controllers do not need to rely on other DNS servers for name resolution. This also simplifies the management environment because all domain controllers have a uniform configuration.
· Configure domain controllers that are running DNS to use either forwarding or root hints for recursive name resolution, depending on which method your existing DNS service uses. When you follow the sequence of procedures in the “Upgrading to Windows Server 2003 Active Directory” chapter, the Active Directory Installation Wizard automatically configures recursive name resolution.

Internal DNS and DNS Provided by an ISP

When you create a DNS server configuration that integrates Active Directory with an existing DNS namespace, it is recommended that you do the following:
· Install the DNS Server service on every domain controller. This provides fault tolerance in the event that one of the DNS servers is unavailable. In this way, domain controllers do not need to rely on other DNS servers for name resolution. This also simplifies the management environment because all domain controllers have a uniform configuration.
· Configure domain controllers that are running DNS to use either forwarding or root hints for recursive name resolution, depending on which method your existing DNS service uses. When you follow the sequence of procedures in the “Upgrading to Windows Server 2003 Active Directory” chapter, the Active Directory Installation Wizard automatically configures recursive name resolution.
· Configure the first domain controller that you deploy to host the DNS zone that corresponds to the DNS name of the domain. To do this, you do not need to make any changes to the existing DNS structure. You simply need to create a delegation to your Active Directory zone from your existing DNS hierarchy. For more information about creating this delegation, see “Upgrading to Windows Server 2003 Active Directory” in this book.

Planning for Test and Recovery

Before you begin your migration process, it is important to have a test plan and a recovery plan in place.
Develop a Test Plan

Develop a plan for testing your in-place domain upgrade procedures throughout the in-place domain upgrade process to ensure that they have completed successfully and to determine whether the process of upgrading Windows NT 4.0 domains to Windows Server 2003 Active Directory was successful. Table 1.6 lists the Active Directory configurations that you must test and the tools that you can use to test each configuration. For more information about the options that are available for these tools, see “Active Directory support tools” in Help and Support Center for Windows Server 2003. For more information about specific configuration and functionality tests that you can perform before and after the Active Directory installation, see the Active Directory link on the Web Resources page at http://go.microsoft.com/fwlink/?LinkId=291. Search under “Administration and Configuration Guides” and download the Active Directory Operations Guide.

Table 1.6 Active Directory Configuration Test Components
After you confirm that the Active Directory configuration is correct, you need to verify that Active Directory is functioning correctly. Table 1.7 lists the Active Directory functions that you need to test and the methods that you can use to perform the tests.

Table 1.7 Active Directory Functionality Test Components
Create a recovery plan for use if the domain upgrade process does not go as planned. Select a Windows NT 4.0 BDC to be used as a rollback server. Synchronize the BDC with the PDC and take the rollback server offline in the event that it must be promoted to a PDC to restore the domain to its original state. Although you are unlikely to need the offline domain controller, it is recommended that you take one offline as a precautionary step if the Security Accounts Manager (SAM) account database on all domain controllers becomes corrupt. Include the following in your recovery plan: · The steps needed for recovery. · The estimated time that can elapse before recovery must take place. When elements of the upgrade process test unsuccessfully, you might spend unanticipated amounts of time identifying and correcting errors. Establish clear guidelines for the time period after which the deployment team must restore operations for end users. Restoring the Domain to its Original StateIf your upgrade process fails, you can roll back a Windows Server 2003 Active Directory domain to its original state as a Windows NT 4.0 domain. You can roll back the deployment to its original state in one of two ways:
1. Remove (either by disconnecting the network cable or turning off) any Windows Server 2003–based domain controllers from the domain.
2. Promote a Windows NT 4.0 BDC to become the PDC.
3. Synchronize all Windows NT 4.0–based domain controllers.
4. Test Windows NT 4.0 server operations and domain validation.
5. Resolve the issues that caused the domain upgrade to fail, and begin the upgrade process again.
– or –
1. If a failure occurs after performing the steps above, remove all Windows Server 2003–based domain controllers from the network and promote the Windows NT 4.0 BDC that is designated as the rollback server to become the PDC.
2. Perform a full synchronization of all Windows NT 4.0 BDCs.
3. Test Windows NT 4.0 server operations and domain validation.
4. Resolve the issues that caused the domain upgrade to fail, and begin the upgrade process again.
Related Information

These resources contain additional information related to this chapter.
· “Restructuring Windows NT 4.0 Domains to an Active Directory Forest” in Designing and Deploying Directory and Security Services in the Windows Server 2003 Deployment Kit (or see “Restructuring Windows NT 4.0 Domains to an Active Directory Forest” on the Web at http://go.microsoft.com/fwlink/?LinkId=4728) for more information about restructuring domains when upgrading from Windows NT 4.0 to Windows Server 2003.
· “Designing the Active Directory Logical Structure” in Designing and Deploying Directory and Security Services in the Windows Server 2003 Deployment Kit (or see “Designing the Active Directory Logical Structure” on the Web at http://go.microsoft.com/fwlink/?LinkId=4723) for more information about the Active Directory logical structure.
· “Designing the Site Topology” in Designing and Deploying Directory and Security Services in the Windows Server 2003 Deployment Kit (or see “Designing the Site Topology” on the Web at http://go.microsoft.com/fwlink/?LinkId=4724) for more information about Active Directory site topology.
· “Enabling Advanced Windows Server 2003 Active Directory Features” in Designing and Deploying Directory and Security Services in the Windows Server 2003 Deployment Kit (or see “Enabling Advanced Windows Server 2003 Active Directory Features” on the Web at http://go.microsoft.com/fwlink/?LinkId=6937) for more information about enabling functional levels.
· “Deploying DNS” in Deploying Network Services in the Windows Server 2003 Deployment Kit (or see “Deploying DNS” on the Web at http://go.microsoft.com/fwlink/?LinkId=4709) for more information about deploying DNS.
If the server hosting the export directory is the PDC, then you can do one of the following:
· Promote a BDC that meets the Windows Server 2003 domain controller hardware requirements to become the new PDC and demote the existing PDC to serve as a BDC hosting the export server.
– or –
· Reconfigure the LMRepl export server on a BDC and remove it from the PDC.

To determine whether the PDC is hosting the export directory, open Server Manager, select the PDC, click Computer, and then click Properties. Click Replication and verify that Export Directories is selected.

To test the new configuration to ensure that LMRepl continues to work correctly, place an empty file on the export server and verify that the file is replicated to the import directories during replication. Next, delete the replicated file from the import directory, and then verify that the file is deleted during the next replication.

Migrate the Remote Access Service

If Remote Access Service (RAS) or Routing and Remote Access Service (RRAS) is running on the PDC, a BDC, or a member server running Windows NT 4.0, you must migrate the service before you upgrade the operating system on that server. Migrating the RAS or RRAS service involves documenting the current service configuration settings, and then using those settings to configure Routing and Remote Access on a server running Windows Server 2003. For information about planning to migrate the remote access services, see “Planning the Migration” in this book. For information about performing the migration, see “Migrating to Dial-up and VPN Remote Access Servers Running Windows Server 2003” in this book.

Prepare for File and Print Service Upgrade

If the file service or the print service is running on the PDC, a BDC, or a member server running Windows NT 4.0, it is recommended that you migrate those services to a new server running Windows Server 2003. However, if you want to upgrade these services in place, perform the following steps before upgrading the operating system:
· If a file server contains multidisk volumes, verify that your backup software and hardware are compatible with both Windows NT 4.0 and Windows Server 2003. Next, back up and then delete all multidisk volumes (volume sets, mirror sets, stripe sets, and stripe sets with parity) before you upgrade, because Windows Server 2003 cannot access these volumes. Be sure to verify that your backup was successful before deleting the volumes. After you finish upgrading to Windows Server 2003, create new dynamic volumes, and then restore the data.
· If your paging file resides on a multidisk volume, you must use System in Control Panel to move the paging file to a primary partition or logical drive before beginning Setup.
· When you upgrade a print server in place, you retain your existing print queues, drivers, and ports, minimizing the impact on users. However, you might encounter interoperability issues with your existing printer drivers. Before upgrading your servers, use the command-line utility Fixprnsv.exe, provided with Windows Server 2003, to help you identify any printer driver problems.

For more information about upgrading or migrating the file and print services, see “Migrating File and Print Servers to Windows Server 2003” in this book.

Enable the Windows NT 4.0 Environment Change Freeze

Before you upgrade the PDC in your Windows NT 4.0 domain to Windows Server 2003 Active Directory, you must freeze the Windows NT 4.0 environment to ensure that no other domain changes occur until after the PDC is upgraded. Freeze the Windows NT 4.0 environment when:
· You have completed all of the updates to the Windows NT 4.0 domain and have replicated them to all domain controllers.
· You have synchronized a BDC and have taken it offline for recovery purposes.

When you freeze the Windows NT 4.0 environment, no additional domain changes can take place until you upgrade the Windows NT 4.0 PDC to Windows Server 2003. Communicate to all appropriate individuals that changes to the environment, such as password updates, will not be accepted after a specific date.

To upgrade your Windows NT 4.0 environment to a new single domain forest, you must complete some or all of the following tasks:
· Back up all domain data.
· Delegate the DNS zone for the new Windows Server 2003 domain, if you have an existing DNS infrastructure.
· Identify potential upgrade problems.
· Upgrade the operating system of the Windows NT 4.0 PDC.
· Install Active Directory.
· Authorize the DHCP service, if DHCP is running on the PDC.
· Configure the Windows Time Service.
· Enable aging and scavenging for DNS.
· Verify DNS server recursive name resolution.
· Perform post-upgrade tests.
· Modify security policies.

To help illustrate the process for upgrading to a single domain forest, sample data for a fictitious company, Fabrikam, Inc., is provided within the context of the tasks that must be performed.

Back Up Domain Data

Back up your Windows NT 4.0 domain data before you begin the upgrade. This task varies according to the operations and procedures that already exist in your environment. It is recommended that you complete the following steps:
· Back up the PDC.
· Back up the BDC that you designated as the rollback server.
· Test all backup media to ensure that the data can be restored successfully.
Delegate the DNS Zone for the Windows Server 2003 Domain

If your organization has an existing DNS infrastructure, review current network diagrams and DNS domain hierarchy diagrams. Also, review the existing DNS zone configuration, replication, and resource records that are used for delegation and forwarding. To configure the DNS zone for the single domain forest, the DNS administrator of your existing DNS infrastructure delegates the zone matching the name of the new Windows Server 2003 domain to the DNS servers that are running on the domain controllers in the single domain forest.
In preparation for the deployment of the single domain forest, create a delegation for the DNS servers that will be running on the domain controllers in the Windows Server 2003 domain. Create the delegation by adding DNS name server (NS) and address (A) resource records to the parent DNS zone.
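The two parent-zone records just described, built and checked in code. This is an added example in Python and is not part of the guide; it uses the Fabrikam sample values from this section (child zone fabricorp under the parent zone fabrikam.com, domain controller SEA-FAB-DC01 at 172.16.12.2), emits the records in the same "owner IN type rdata" layout the guide uses, and runs offline without contacting any DNS server.

```python
"""Build and check the parent-zone records that delegate a new Active
Directory domain's DNS zone.

Added example; it is not part of the Microsoft guide. It produces the NS
record and the A (glue) record the guide asks the parent-zone administrator
to create, and then checks the delegation for the error that most often
breaks it: a name server whose name lies inside the delegated zone but has
no glue A record in the parent. Sample data is the guide's Fabrikam example.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class ResourceRecord:
    owner: str   # owner name: a label relative to the parent zone, or a FQDN
    rtype: str   # "NS" or "A"
    rdata: str   # NS target host name, or dotted IPv4 address

    def as_zone_line(self) -> str:
        return f"{self.owner} IN {self.rtype} {self.rdata}"


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop any trailing dot so names compare equal."""
    return name.rstrip(".").lower()


def build_delegation(parent_zone, child_label, dc_name, dc_ip):
    """Return [NS record, glue A record] delegating child_label.parent_zone
    to the domain controller dc_name, which will host the child zone."""
    ipaddress.IPv4Address(dc_ip)            # rejects a malformed address early
    dc_fqdn = f"{dc_name}.{child_label}.{parent_zone}"
    return [
        ResourceRecord(child_label, "NS", dc_fqdn),   # delegation
        ResourceRecord(dc_fqdn, "A", dc_ip),          # glue
    ]


def check_delegation(parent_zone, child_label, records):
    """Return a list of problems with the delegation; an empty list means OK."""
    problems = []
    child_zone = normalize(f"{child_label}.{parent_zone}")
    # NS records whose owner is the delegated child, written either as the
    # relative label or as the fully qualified zone name
    ns_targets = [normalize(r.rdata) for r in records
                  if r.rtype == "NS"
                  and normalize(r.owner) in (normalize(child_label), child_zone)]
    glue = {normalize(r.owner): r.rdata for r in records if r.rtype == "A"}
    if not ns_targets:
        problems.append(f"no NS record delegates {child_zone}")
    for target in ns_targets:
        if not target.endswith("." + child_zone):
            continue   # server lives outside the child zone; resolvable without glue
        # A resolver following the delegation cannot look the server up inside
        # the very zone it is trying to reach, so the parent must carry glue.
        if target not in glue:
            problems.append(f"NS target {target} is inside {child_zone} "
                            "but has no glue A record in the parent zone")
            continue
        try:
            ipaddress.IPv4Address(glue[target])
        except ValueError:
            problems.append(f"glue A record for {target} has invalid "
                            f"address {glue[target]!r}")
    return problems


if __name__ == "__main__":
    delegation = build_delegation("fabrikam.com", "fabricorp",
                                  "SEA-FAB-DC01", "172.16.12.2")
    for rec in delegation:
        print(rec.as_zone_line())
    print("problems:", check_delegation("fabrikam.com", "fabricorp", delegation))
```

The glue check is the part worth keeping around: after the DNS Server service is installed on the domain controller, a resolver that follows the delegation from fabrikam.com is pointed at a host inside fabricorp.fabrikam.com, and without the A record in the parent zone it has no way to reach that host, so the whole child zone becomes unresolvable from outside.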
To delegate the DNS zone for the Windows Server 2003 domain
1. Create a name server (NS) resource record in the parent zone. Use the full DNS name of the domain controller, as follows:
forest_root_domain IN NS domain_controller_name
2. Create a host address (A) resource record in the parent zone. Use the full DNS name of the domain controller, as follows:
domain_controller_name IN A domain_controller_ip_address

For example, Fabrikam’s PDC name is SEA-FAB-DC01, and its IP address is 172.16.12.2. During the Active Directory installation, Fabrikam will install the DNS Server service on this domain controller. In preparation for that step, the DNS administrator for Fabrikam created the following DNS resource records in the parent zone, fabrikam.com:
· fabricorp IN NS SEA-FAB-DC01.fabricorp.fabrikam.com
· SEA-FAB-DC01.fabricorp.fabrikam.com IN A 172.16.12.2

Identify Potential Upgrade Problems

Before upgrading the operating system to Windows Server 2003, use the Winnt32.exe command-line tool to identify any potential upgrade problems, such as inadequate hardware resources or compatibility problems.
To identify potential upgrade problems
· At the command line, connect to the I386 directory located at your installation source and type the following command:
winnt32 /checkupgradeonly
For example, if your installation source is the Windows Server 2003 operating system CD in the D: drive, navigate to D:\I386 and type the following command:
D:\I386>winnt32 /checkupgradeonly
The screen will then display the command prompt while the tool is running. It can take a few minutes for the Microsoft Windows Upgrade Advisor screen to appear. Resolve reported problems before performing the upgrade.

Upgrade the Operating System of the Windows NT 4.0 PDC

To install the operating system on the PDC, insert the Windows Server 2003 operating system CD in the CD-ROM drive of the domain controller and select the option to install the operating system, or use an automated installation method. If the Windows Server 2003 media is shared on the network, run the Winnt32.exe command. Complete the operating system installation by doing the following:
1. Verify that you are using a static IP address.
2. Convert the partitions to NTFS if necessary. The installation of Active Directory will not succeed if you do not have at least one NTFS partition available on which to locate the SYSVOL shared folder.
3. Select Upgrade for the Installation type.
4. Configure DNS client settings by using the IP address of the closest DNS server for the Preferred DNS server setting. If you have more than one DNS server, add the IP address of the next closest DNS server to the Alternate DNS server setting. If there are no other DNS servers, leave the alternate setting blank. These DNS client settings are temporary and will be changed during the installation of Active Directory.
5. Install Windows Support Tools, which are available in the \Support\Tools folder on the Windows Server 2003 operating system CD.

During the operating system upgrade, the computer will restart three times. After you upgrade the operating system on a Windows NT 4.0 domain controller to Windows Server 2003, the computer is in an intermediate state: it is no longer a Windows NT 4.0–based domain controller, and it is not a Windows Server 2003–based member server or domain controller until Active Directory is installed. After the computer restarts for the last time, the Active Directory Installation Wizard appears.

Install Active Directory

Proceed immediately with the installation of Active Directory by completing the Active Directory Installation Wizard. The Active Directory Installation Wizard creates the Active Directory database and moves objects from the Windows NT 4.0 SAM to the Active Directory database. In addition, on the first domain controller in a new domain, the wizard completes the following tasks:
· Prompts the administrator to verify the installation and configuration of the DNS Server service.
· Configures DNS recursive name resolution forwarding by adding the IP addresses of the existing entries for Preferred DNS server and Alternate DNS server to the list of DNS servers on the Forwarders tab of the Properties sheet for the domain controller.
· Configures DNS recursive name resolution by root hints, by adding the root hints that are configured on the Preferred DNS server to the list of DNS servers on the Root Hints tab of the Properties sheet for the domain controller.
· Configures the Preferred DNS server to point to the DNS server that is running locally on the domain controller, and configures the Alternate DNS server to point to the closest DNS server.
· Creates two application directory partitions that are used by DNS. The DomainDnsZones application directory partition holds domain-wide DNS data, and the ForestDnsZones application directory partition holds forest-wide DNS data.
· Prompts the administrator to select the forest functional level.

Table 2.7 lists the actions required to complete the Active Directory Installation Wizard on a Windows NT 4.0 PDC, and lists sample data for installing Active Directory on the first domain controller in the single domain forest for Fabrikam, SEA-FAB-DC01.

Table 2.7 Information for Installing Active Directory on a Windows NT 4.0 PDC
When you complete the Active Directory Installation Wizard, verify that all information on the Summary page is accurate, and then click Finish. After the Active Directory Installation Wizard finishes, you will be prompted to restart the computer. The installation will not be complete until the computer restarts. For more information about installing and removing Active Directory, see the Directory Services Guide of the Windows Server 2003 Resource Kit (or see the Directory Services Guide on the Web at http://go.microsoft.com/fwlink/?LinkID=4549).

After you install Windows Server 2003 Active Directory, enable Remote Desktop for Administration, formerly known as Terminal Services in Remote Administration mode, to enable administrators to log on remotely if necessary.

To enable Remote Desktop for Administration
· In Control Panel, double-click System, select the Remote tab, and then select Allow users to connect remotely to this computer.

Example: Installing Active Directory on the PDC

Fabrikam completed the Active Directory Installation Wizard on the Windows NT 4.0 PDC, SEA-FAB-DC01. Figure 2.1 shows the Active Directory Installation Wizard welcome screen.

Figure 2.1 Welcome to the Active Directory Installation Wizard page
The PDC becomes the first domain controller in a new domain in a new forest. Figure 2.2 shows the selection to create a new domain on the Create New Domain wizard page.

Figure 2.2 Create New Domain Wizard Page

The DNS name of the Fabrikam Windows Server 2003 domain is shown in Figure 2.3.

Figure 2.3 New Domain Name Wizard Page

Because Fabrikam does not plan to add any Windows 2000–based domain controllers to their forest at any time, they selected the Windows Server 2003 interim forest functional level, as shown in Figure 2.4.

Figure 2.4 Forest Functional Level Wizard Page
Configure the Windows Time Service

It is important to configure the Windows Time Service correctly to meet the needs of your organization. The Windows Time Service provides time synchronization to peers and clients, which ensures that time is consistent throughout an organization. Configure the first domain controller that is deployed to synchronize from a valid Network Time Protocol (NTP) source. If no source is configured, the service logs a message to the event log and uses the local clock when providing time to clients. Although Internet NTP sources are valid for this configuration, it is recommended that you use a dedicated hardware device, such as a GPS or radio clock, to ensure increased security. If the first domain controller in the new Windows Server 2003 domain is removed at any time, you will need to repeat this operation.

To configure the Windows Time Service on the first domain controller in the domain
1. Log on to the domain controller.
2. At the command line, type:
W32tm /config /manualpeerlist:peers /syncfromflags:manual
where peers is a space-delimited list of DNS names and/or IP addresses. When specifying multiple peers, enclose the list in quotation marks.
3. Update the Windows Time Service configuration. At the command line, type:
W32tm /config /update
– or –
Net stop w32time
Net start w32time

For more information about configuring and deploying the Windows Time Service, see the Directory Services Guide of the Windows Server 2003 Resource Kit (or see the Directory Services Guide on the Web at http://go.microsoft.com/fwlink/?LinkID=4549).

Enable Aging and Scavenging for DNS

In a new single domain forest, you need to enable aging and scavenging on Windows Server 2003–based domain controllers running the DNS Server service to allow automatic cleanup and removal of stale resource records (RRs), which can accumulate in zone data over time. With dynamic update, RRs are automatically added to zones when computers start on the network. However, in some cases, they are not automatically removed when computers leave the network. For example, if a computer registers its own host (A) RR at startup and is later incorrectly disconnected from the network, its host (A) RR might not be deleted. If your network has mobile users and computers, this situation can occur frequently. If left unmanaged, the presence of stale RRs in zone data might cause problems, including the following:
· If a large number of stale RRs remain in server zones, they can eventually take up server disk space and cause unnecessarily long zone transfers.
· DNS servers loading zones with stale RRs might use outdated information to answer client queries, potentially causing the clients to experience name resolution problems on the network.
· The accumulation of stale RRs at the DNS server can degrade its performance and responsiveness.
To enable the aging and scavenging features, and to configure the applicable server and its Active Directory–integrated zones, perform these tasks:
· Enable aging and scavenging on two servers that are running Windows Server 2003. These settings determine the effect of zone-level properties for any Active Directory–integrated zones loaded at the server.
· Enable aging and scavenging for selected zones at the DNS server. When zone-specific properties are set for a selected zone, these settings apply only to the applicable zone and its resource records. Unless these zone-level properties are otherwise configured, they inherit their defaults from comparable settings maintained in server aging and scavenging properties.
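To make the aging rules concrete, here is an added Python model of how the DNS Server service ages dynamically registered records; it is not code from the guide. It assumes the Windows Server 2003 defaults of 7 days for both the no-refresh and refresh intervals, uses constructed records (the static domain controller record borrows the guide's name SEA-FAB-DC01), and walks through the laptop scenario described above: a record registered once and never refreshed is scavenged, while a refreshed record and a static record survive.

```python
"""Model of DNS record aging and scavenging as the Windows Server DNS Server
service applies it to dynamically registered records.

Added example; it is not part of the Microsoft guide. Times are whole hours
(Windows DNS keeps record timestamps at hour granularity); the 7-day
no-refresh and refresh intervals are the service's defaults, and all
records below are constructed.
"""
from dataclasses import dataclass, field

DAY = 24                        # hours
DEFAULT_NO_REFRESH = 7 * DAY    # refreshes are ignored for this long after the timestamp
DEFAULT_REFRESH = 7 * DAY       # then the record may be refreshed for this long


@dataclass
class DnsRecord:
    name: str
    rtype: str
    rdata: str
    timestamp: int      # hour of the last accepted registration; 0 = static, never aged


@dataclass
class AgingZone:
    no_refresh: int = DEFAULT_NO_REFRESH
    refresh: int = DEFAULT_REFRESH
    records: list = field(default_factory=list)

    def register(self, name, rtype, rdata, now, static=False):
        """Add a record. Dynamic registrations get the current hour as timestamp;
        static (administrator-created) records get timestamp 0 and are never aged."""
        rec = DnsRecord(name, rtype, rdata, 0 if static else now)
        self.records.append(rec)
        return rec

    def refresh_record(self, name, rtype, now):
        """A client re-registers an existing record. The timestamp is rewritten
        only once the no-refresh interval has elapsed (this is what keeps every
        client refresh from replicating through Active Directory);
        returns True when the timestamp changed."""
        for rec in self.records:
            if rec.name == name and rec.rtype == rtype and rec.timestamp:
                if now - rec.timestamp >= self.no_refresh:
                    rec.timestamp = now
                    return True
                return False
        return False

    def is_stale(self, rec, now):
        """Eligible for scavenging once both intervals have passed since the timestamp."""
        return rec.timestamp != 0 and now > rec.timestamp + self.no_refresh + self.refresh

    def scavenge(self, now):
        """Remove stale records and return their names."""
        removed = [rec.name for rec in self.records if self.is_stale(rec, now)]
        self.records = [rec for rec in self.records if not self.is_stale(rec, now)]
        return removed


def scenario():
    """Constructed timeline. Returns (early refresh accepted?, later refresh
    accepted?, names scavenged on day 20, names still in the zone)."""
    zone = AgingZone()
    zone.register("sea-fab-dc01", "A", "172.16.12.2", now=DAY, static=True)
    zone.register("ws-desk01", "A", "172.16.12.50", now=DAY)     # desktop, keeps refreshing
    zone.register("ws-laptop07", "A", "172.16.12.77", now=DAY)   # laptop unplugged, never refreshes
    early = zone.refresh_record("ws-desk01", "A", now=3 * DAY)   # inside the no-refresh window
    later = zone.refresh_record("ws-desk01", "A", now=10 * DAY)  # past it: timestamp moves
    removed = zone.scavenge(now=20 * DAY)
    return early, later, removed, [rec.name for rec in zone.records]


if __name__ == "__main__":
    print(scenario())
```

Two details matter when reading scavenging logs: the boundary check is strictly greater-than, so a record exactly at timestamp plus both intervals is kept for one more pass, and the scavenging process itself also runs only periodically, so a stale record can outlive its eligibility by up to one scavenging period.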
To set aging and scavenging properties for the DNS server
1. Log on to the computer that is running the DNS Server service by using an account that is a member of the local Administrators group.
2. In the DNS console tree, right-click the applicable DNS server, and then click Set Aging/Scavenging for all zones.
3. Select the Scavenge stale resource records check box.
4. Modify other aging and scavenging properties as needed.

To set aging and scavenging properties for a zone
1. Log on to the computer that is running the DNS Server service by using an account that is a member of the local Administrators group.
2. In the DNS console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, click Aging, and then select the Scavenge stale resource records check box.
4. Modify other aging and scavenging properties as needed.

Verify DNS Server Recursive Name Resolution

DNS server recursive name resolution is configured automatically during the Active Directory installation process. If your design specifies a different configuration, you can use the DNS snap-in or Dnscmd.exe to modify these settings. Use the DNS snap-in to verify DNS server recursive name resolution based on the information in Table 2.8.

Table 2.8 Information to Verify DNS Server Recursive Name Resolution
Perform Post-Upgrade Tests

After the Active Directory Installation Wizard completes, verify that the Active Directory installation was successful. Review the Windows Server 2003 event log for any errors. Next, perform the tests that you defined in your test plan to determine whether the Active Directory configuration is functioning correctly. For more information about developing a test plan, see “Planning the Migration” in this book.

After you verify that the upgrade of the Windows NT 4.0 PDC and the installation of Active Directory succeeded, complete the upgrade process.

To ensure that clients running earlier versions of the Windows operating system can access domain resources in the new Windows Server 2003 domain, you might have to modify default security policies. To increase security, Windows Server 2003–based domain controllers require by default that clients attempting to authenticate to them use SMB packet signing and secure channel signing. Clients running the Windows 95 operating system without the Directory Service Client Pack, or Windows NT 4.0 with Service Pack 2 or earlier, do not support SMB packet signing and will not be able to log on or access domain resources on the network. Clients running Windows NT 4.0 with Service Pack 3 or earlier do not support secure channel signing and will not be able to establish communications with a domain controller in their domain. The most secure way to enable these clients to log on and access domain resources on the network is to apply either the appropriate service pack or the Directory Service Client Pack. If you cannot apply either of these, configure all Windows Server 2003–based domain controllers to not require SMB packet signing and secure channel signing. To do this, disable the following settings in the Default Domain Controllers Policy:
· Microsoft network server: Digitally sign communications (always)
· Domain member: Digitally encrypt or sign secure channel data (always)

To make SMB packet and secure channel signing optional on Windows Server 2003–based domain controllers
1. Open Active Directory Users and Computers, right-click the Domain Controllers container, and then click Properties.
2. Select the Group Policy tab, and then click Edit.
3. Under Computer Configuration, navigate to Windows Settings\Security Settings\Local Policies\Security Options.
4. In the details pane, double-click Microsoft network server: Digitally sign communications (always), and then click Disabled to prevent SMB packet signing from being required.
5. Click OK.
6. In the details pane, double-click Domain member: Digitally encrypt or sign secure channel data (always), click Disabled to prevent secure channel signing from being required, and then click OK.
7. To apply the Group Policy change immediately, either restart the domain controller or run the gpupdate /force command.
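Before relaxing the two policies, it helps to know which clients actually need it. The following is an added Python example, not code from the guide, that encodes the compatibility statements above and reports each affected client together with the guide's preferred remediation (a later service pack or the Directory Service Client Pack); only if that list cannot be cleared does the policy change become necessary. The client inventory is constructed, and operating systems the guide does not mention are assumed to support both forms of signing.

```python
"""Find clients that the Windows Server 2003 domain controller signing defaults
would lock out, before deciding whether to relax those defaults.

Added example; it is not part of the Microsoft guide. It encodes only the
compatibility statements the guide makes: Windows 95 without the Directory
Service Client Pack and Windows NT 4.0 SP2 or earlier lack SMB packet
signing; Windows NT 4.0 SP3 or earlier lacks secure channel signing. The
inventory is constructed.
"""
from dataclasses import dataclass

SMB_SIGNING_POLICY = "Microsoft network server: Digitally sign communications (always)"
SECURE_CHANNEL_POLICY = "Domain member: Digitally encrypt or sign secure channel data (always)"


@dataclass(frozen=True)
class Client:
    name: str
    os: str                 # "Windows 95", "Windows NT 4.0", or another Windows version
    service_pack: int = 0   # 0 = no service pack
    dsclient: bool = False  # Directory Service Client Pack installed (Windows 95)


def supports_smb_signing(c: Client) -> bool:
    if c.os == "Windows 95":
        return c.dsclient
    if c.os == "Windows NT 4.0":
        return c.service_pack >= 3
    return True   # assumption: versions the guide does not mention support it


def supports_secure_channel_signing(c: Client) -> bool:
    if c.os == "Windows NT 4.0":
        return c.service_pack >= 4
    return True   # the guide names no other affected client


def assess(clients):
    """Return {client name: [(blocked policy, recommended fix), ...]} for clients
    that would fail against the default policies; compliant clients are omitted."""
    findings = {}
    for c in clients:
        issues = []
        if not supports_smb_signing(c):
            fix = ("install the Directory Service Client Pack" if c.os == "Windows 95"
                   else "apply Windows NT 4.0 Service Pack 3 or later")
            issues.append((SMB_SIGNING_POLICY, fix))
        if not supports_secure_channel_signing(c):
            issues.append((SECURE_CHANNEL_POLICY,
                           "apply Windows NT 4.0 Service Pack 4 or later"))
        if issues:
            findings[c.name] = issues
    return findings


def policies_to_relax(clients):
    """Policies that would have to be disabled in the Default Domain Controllers
    Policy if none of the flagged clients can be updated (the guide's last resort)."""
    return {policy for issues in assess(clients).values() for policy, _ in issues}


INVENTORY = [  # constructed sample inventory
    Client("SEA-WS-01", "Windows 95"),
    Client("SEA-WS-02", "Windows 95", dsclient=True),
    Client("SEA-WS-03", "Windows NT 4.0", service_pack=2),
    Client("SEA-WS-04", "Windows NT 4.0", service_pack=3),
    Client("SEA-WS-05", "Windows NT 4.0", service_pack=6),
    Client("SEA-WS-06", "Windows 2000"),
]


if __name__ == "__main__":
    for name, issues in assess(INVENTORY).items():
        for policy, fix in issues:
            print(f"{name}: blocked by '{policy}'; fix: {fix}")
    print("policies to relax if nothing can be updated:", policies_to_relax(INVENTORY))
```

Feeding a real inventory through assess() turns the question "do we disable signing?" into a list of specific machines to update; once the list is empty, the domain controllers keep their default policies and no Group Policy change is needed.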
For more information about SMB packet signing and secure channel signing, see “Considerations for Upgrading to Windows Server 2003 Active Directory” earlier in this chapter. For more information about security policies, see “Security options: Security Setting Descriptions” in Help and Support Center for Windows Server 2003.

After you upgrade the operating system and install Active Directory on the Windows NT 4.0 PDC, add another Windows Server 2003–based domain controller to the domain as soon as possible. This provides redundancy for any clients running in the environment. You can add additional domain controllers to the Windows Server 2003 domain by upgrading Windows NT 4.0–based BDCs and installing Active Directory, or by adding Windows Server 2003–based member servers to the domain and installing Active Directory on the member servers. To complete the process for upgrading additional domain controllers, perform the following tasks:
1. Upgrade the operating system of Windows NT 4.0 BDCs.
2. Install Active Directory.
3. Install DNS on additional domain controllers.
4. Reconfigure the DNS Service.
5. Add Windows NT 4.0 BDCs to the Windows Server 2003 domain if necessary.
6. Perform post-upgrade tests.

Upgrade Windows NT 4.0 BDCs

You can upgrade any Windows NT 4.0 BDC to a Windows Server 2003–based domain controller as long as it meets the hardware requirements for a domain controller running Windows Server 2003. To determine whether your hardware configuration is compatible with Windows Server 2003, see the Windows Server Catalog link on the Web Resources page at http://go.microsoft.com/fwlink/?LinkID=291. Before upgrading the operating system to Windows Server 2003, use the Winnt32.exe command-line tool to detect any upgrade problems. This tool reports potential upgrade problems, such as inadequate hardware resources or compatibility problems.

To identify potential upgrade problems
· At the command line, connect to the I386 directory located at your installation source and type the following command:
winnt32 /checkupgradeonly
For example, if your installation source is the Windows Server 2003 operating system CD in the D: drive, navigate to D:\I386 and type the following command:
D:\I386>winnt32 /checkupgradeonly
The screen will then display the command prompt while the tool is running. It can take a few minutes for the Microsoft Windows Upgrade Advisor screen to appear. Resolve reported problems before performing the upgrade.

To install the operating system on the computer, insert the Windows Server 2003 operating system CD in the CD-ROM drive of the domain controller and select the option to install the operating system, or use an automated installation method. If the Windows Server 2003 media is shared on the network, run the Winnt32.exe command. To complete the operating system installation, perform these tasks:
1. Verify that you are using a static IP address.
2. Convert the partitions to NTFS. The installation of Active Directory will not succeed if you do not have at least one NTFS partition available on which to locate the SYSVOL shared folder.
3. Select Upgrade for the Installation type.
4. On the first additional domain controller that is upgraded, configure DNS client settings by using the IP address of the PDC for the Preferred DNS server setting, and do not specify an IP address in the Alternate DNS server setting. On all remaining domain controllers that are upgraded, configure DNS client settings by using the IP address of the PDC for the Preferred DNS server setting and the IP address of the second domain controller upgraded for the Alternate DNS server setting. These DNS client settings are temporary and will be changed during the installation of Active Directory.
5. Install Windows Support Tools, which are available in the \Support\Tools folder on the Windows Server 2003 operating system CD.

During the operating system upgrade, the computer will restart three times. After the computer restarts for the last time, the Active Directory Installation Wizard appears.

Install Active Directory on the Additional Domain Controllers

The Active Directory Installation Wizard allows you to create an additional domain controller or a member server in the new domain. If you are installing Active Directory by replicating the directory data over the network or from another media source, select the Member Server option in the Active Directory Installation Wizard. This configures the computer to be a Windows Server 2003–based member server, allowing you to install Active Directory at a later time.

To install Active Directory on a Windows Server 2003–based member server
· At the command line, type Dcpromo.
– or –
· Open Administrative Tools, and then click Configure Your Server Wizard. Select Domain Controller (Active Directory) to configure your domain controller. After the Configure Your Server Wizard finishes, the Active Directory Installation Wizard begins.

For more information about installing and removing Active Directory, see the Directory Services Guide in the Windows Server 2003 Resource Kit (or see the Directory Services Guide on the Web at http://go.microsoft.com/fwlink/?LinkID=4549). Table 2.9 lists information for installing Active Directory on additional domain controllers, as well as sample data for installing Active Directory on additional domain controllers in the Fabrikam single domain forest. Fabrikam will use the dcpromo /adv command to install Active Directory on a member server by copying directory data over the network from a domain controller.

Table 2.9 Installing Active Directory on Additional Domain Controllers
Verify that all information on the Summary page is accurate, and then click Finish. After the Active Directory Installation Wizard finishes, you are prompted to restart the computer. The installation is not complete until the computer restarts.

After you install Windows Server 2003 Active Directory, enable Remote Desktop for Administration, formerly known as Terminal Services in Remote Administration mode, to enable administrators to log on remotely if necessary.

To enable Remote Desktop for Administration
· In Control Panel, double-click System, select the Remote tab, and then select Allow users to connect remotely to this computer.

If the additional domain controller was also a DHCP server, you will need to authorize the server to allow it to continue to lease IP addresses. For more information about authorizing a DHCP server, see “Authorize the DHCP Service” earlier in this chapter.

Install DNS on Additional Domain Controllers

Install DNS on all Windows Server 2003–based domain controllers that you add to the domain.

To install DNS on additional domain controllers
1. In Control Panel, double-click Add or Remove Programs, and then click Add/Remove Windows Components.
2. In Components, select the Networking Services check box, and then click Details.
3. In Subcomponents of Networking Services, select the Domain Name System (DNS) check box, click OK, and then click Next.
4. If prompted, in Copy files from, type the full path to the distribution files, and then click OK. The required files will be copied to your hard disk.

Reconfigure the DNS Service

After deploying additional domain controllers in a single domain forest, do the following to reconfigure the DNS service:
· Configure the DNS client settings of the first and subsequent domain controllers. After you have deployed an additional domain controller, modify the DNS client settings on the first domain controller. Because no other domain controllers were running when you deployed the first domain controller, modify the DNS client settings on the first domain controller to include the additional domain controller. As you deploy more domain controllers, you might also need to modify the Alternate DNS server setting specified on existing domain controllers to ensure that this setting points to the closest DNS server.
· Update the DNS delegation. If you have delegated the DNS zone to an existing DNS server, update the DNS delegation for the domain after you install the DNS Server service on new domain controllers.
· Enable aging and scavenging for DNS on one additional domain controller. It is best to enable aging and scavenging for DNS on two servers that are running the DNS Server service in your environment. You enabled aging and scavenging on the PDC when you upgraded the PDC to Windows Server 2003 Active Directory. For information about setting aging and scavenging properties for the additional DNS server, see “Enable Aging and Scavenging for DNS” earlier in this chapter.

Add Windows NT 4.0 BDCs to the Windows Server 2003 Domain

If you have applications in your environment that can run only on a Windows NT 4.0–based domain controller, and if you have upgraded all the Windows NT 4.0 BDCs to Windows Server 2003 or the existing Windows NT 4.0 BDC in your environment becomes unavailable, you might need to add an additional Windows NT 4.0 BDC to your environment. You can do this by installing a new Windows NT 4.0 BDC in the domain. Prior to installing the new Windows NT 4.0 BDC in the domain, you must first add the new computer account to the Windows Server 2003 domain.
To add a Windows NT 4.0 BDC to a Windows Server 2003 domain

1. In Active Directory Users and Computers, right-click the Domain Controllers folder.
2. Point to New, and then click Computer.
3. Type the computer name of the BDC.
4. Ensure that the check boxes are selected for Assign this computer account as a pre-Windows 2000 Computer and Assign this computer account as a backup domain controller.
5. Install the BDC in the domain.

Perform Post-Upgrade Tests

After you upgrade each additional domain controller, verify that the upgrade was successful. Use the same tests and tools that you used to verify that the upgrade of the Windows NT 4.0 PDC was successful. For more information about developing a test plan, see “Planning the Migration” in this book. Also, verify that DNS recursive name resolution is configured according to the DNS design for your organization. For more information about verifying recursive name resolution, see “Verify DNS Server Recursive Name Resolution” earlier in this chapter.

After you upgrade all domain controllers in the domain to Windows Server 2003, complete the following post-upgrade tasks:

· Eliminate anonymous connections to domain controllers.
· Raise domain and forest functional levels.
· Redirect the Users and Computers containers.
· Complete the upgrade.

After you upgrade all the servers in the domain hosting services that run as Local System and use Anonymous or null credentials when accessing a domain controller, such as Windows NT 4.0 RAS servers, remove the Everyone and Anonymous Logon groups from the Pre-Windows 2000 Compatible Access built-in group. This task increases the security of your domain by preventing anonymous connections to domain controllers.
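The following PowerShell script is an added example; it is not part of this guide or of the Windows Server 2003 product documentation. It audits the Pre-Windows 2000 Compatible Access group for the two principals named above, Everyone (well-known SID S-1-1-0) and Anonymous Logon (well-known SID S-1-5-7), and, only when you set $RemoveMembers to $true, removes them with the same net localgroup command that the procedure below documents, then re-reads the group so the run ends with a verified state. It assumes the ActiveDirectory PowerShell module, which is not available on Windows Server 2003 (it ships with Windows Server 2008 R2 and later), and that it runs on a domain controller under an account that is a member of Domain Admins. The function name Get-AnonymousCompatMembers and the sample distinguished name in the comments are this example's own.

```powershell
# Added example, not from the deployment guide. Audits the Pre-Windows 2000
# Compatible Access group for Everyone and Anonymous Logon and, if
# $RemoveMembers is set, removes them with the guide's net localgroup command.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 and later) and
# that it runs on a domain controller as a member of Domain Admins.

Import-Module ActiveDirectory

$GroupName     = 'Pre-Windows 2000 Compatible Access'
$RemoveMembers = $false   # audit only by default; set to $true to remove

# Well-known SIDs of the two principals the guide says to remove. Principals
# that are not domain objects are stored in the group's member attribute as
# foreign security principals whose CN is the SID, for example (constructed):
#   CN=S-1-5-7,CN=ForeignSecurityPrincipals,DC=fabrikam,DC=com
$Unwanted = @{
    'S-1-1-0' = 'Everyone'
    'S-1-5-7' = 'Anonymous Logon'
}

function Get-AnonymousCompatMembers {
    # Returns the names of any unwanted principals still in the group.
    $group = Get-ADGroup -Identity $GroupName -Properties member
    $found = @()
    foreach ($dn in $group.member) {
        if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') {
            $sid = $Matches[1]
            if ($Unwanted.ContainsKey($sid)) { $found += $Unwanted[$sid] }
        }
    }
    return $found
}

$present = Get-AnonymousCompatMembers
if (-not $present) {
    Write-Output "OK: neither Everyone nor Anonymous Logon is a member of '$GroupName'."
    return
}

Write-Output "Still members of '$GroupName': $($present -join ', ')"
if (-not $RemoveMembers) {
    Write-Output 'Audit only; set $RemoveMembers = $true to remove them.'
    return
}

foreach ($name in $present) {
    # Both names are quoted because the group name and "Anonymous Logon"
    # contain spaces, as the guide notes.
    net localgroup "$GroupName" "$name" /delete
}

# Re-check so the run ends with a verified state.
$remaining = Get-AnonymousCompatMembers
if ($remaining) {
    Write-Warning "Removal incomplete, still present: $($remaining -join ', ')"
} else {
    Write-Output "Verified: removal complete."
}
```

Run it first in its default audit-only mode on each domain after the servers that rely on null sessions have been upgraded; the audit output is what you would record as evidence that the task was completed, and the re-check after removal catches the case where the command failed silently because the account lacked rights.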
To remove groups from the Pre-Windows 2000 Compatible Access group by using the command line

· At the command line, type:

net localgroup "Pre-Windows 2000 Compatible Access" GroupName /delete

When using the net localgroup command to add or delete any group or group member name that includes spaces, such as the Anonymous Logon group, you must enclose the group name in quotation marks.

Raise Domain and Forest Functional Levels

Although the Windows Server 2003 domain functional level provides a number of features and advantages, enable this functional level only when you have upgraded all your Windows NT 4.0 BDCs and you are certain that your environment is ready.
After you determine that your environment is ready, use Active Directory Domains and Trusts to enable the Windows Server 2003 domain functional level. After you upgrade all domain controllers to Windows Server 2003, raise the forest functional level to Windows Server 2003 to take advantage of all Windows Server 2003 forest-level features. For more information about enabling functional levels and the features available at the Windows Server 2003 domain and forest functional levels, see “Enabling Advanced Windows Server 2003 Active Directory Features” in Designing and Deploying Directory and Security Services in the Windows Server 2003 Deployment Kit (or see “Enabling Advanced Windows Server 2003 Active Directory Features” on the Web at http://go.microsoft.com/fwlink/?LinkID=6937).

Complete the Upgrade

Complete the following tasks to finalize the upgrade process:

· Review, update, and document the domain architecture to reflect any changes that you made during the upgrade process.

· Review your operating procedures and administrative tasks to determine whether new Windows Server 2003 features, such as Group Policy objects or distributed administration, affect the operations environment. Be sure to document any changes that you identify.

· After you ensure that your Windows Server 2003 Active Directory environment is operating successfully for a period of time, you can redeploy the rollback server that you reserved for the recovery process. If you do not need the Windows NT 4.0 BDC to achieve the required load balance among your domain controllers, maintain the rollback server for one week. Maintain the backup of the rollback server for a longer period of time for additional security. For information about developing a recovery plan, see “Planning the Migration” in this book.

· Some Windows NT 4.0 applications, such as Microsoft® Systems Management Server (SMS), can have an unpredictable effect on the domain when installed after the domain has been upgraded to Active Directory. Ensure that you are running SMS 2.0 and have installed Service Pack 4. For more information about SMS, see the SMS Downloads link on the Web Resources page at http://go.microsoft.com/fwlink/?LinkID=291.

After you complete the above tasks successfully, the upgrade process is complete.

If your organization includes users and computers in more than one physical location, you can create Active Directory sites. Active Directory uses site configuration information to manage and optimize the process of replication. Designing a site topology involves determining where you need to create subnets, sites, and site links.

A subnet is a segment of a TCP/IP network to which a set of logical IP addresses is assigned. Subnets group computers in a way that identifies their physical proximity on the network. Subnet objects in Active Directory identify the network addresses that are used to map computers to sites. Before you begin to create sites, document the subnets that you created for your routers in your Windows NT 4.0 environment.

Sites are one or more TCP/IP subnets with highly reliable and fast network connections. Sites are represented in Active Directory as site objects. Site objects are a set of subnets, and each domain controller in a forest is associated with an Active Directory site according to its IP address. Sites can host domain controllers from more than one domain, and a domain can be represented in more than one site. It is recommended that you use legal DNS names when you create new site names; otherwise, your site will only be accessible where a Microsoft DNS server is used. Legal DNS names can contain only the following characters: uppercase letters (A-Z), lowercase letters (a-z), numbers (0-9), and the hyphen (-).
A site link is an object that is stored in Active Directory that represents a set of sites that can communicate at uniform cost through a specified intersite transport. Creating a site link between two or more sites is a way to influence replication topology. By creating a site link, you provide Active Directory with information about what connections are available, which ones are preferred, and how much bandwidth is available. Active Directory uses this information to choose times and connections for replication that provide the best performance.

When you install Active Directory on the first domain controller in the forest, a site object named Default-First-Site-Name is created in the Sites container in Active Directory. The server object for the first domain controller is created in this site. If no additional sites have been defined in Active Directory, then the server object for all subsequent domain controllers is added to the Default-First-Site-Name site object. However, if additional sites are defined in Active Directory and the IP address of the installation computer matches an existing subnet in a defined site, then the domain controller is added to that site.

To simplify the placement of the domain controller into the appropriate site, configure your site topology before you install Active Directory on additional domain controllers. After all sites are created, a server object for each additional domain controller is created in the appropriate site according to its IP address. For more information about configuring your site topology, see “Configure site settings: Active Directory” and “Configure replication between sites: Active Directory” in Help and Support Center for Windows Server 2003.

Creating a site topology involves the following steps:

· Creating Active Directory sites
· Creating and assigning Active Directory subnets
· Creating Active Directory site links
· Moving the domain controller into the new site

To help illustrate the process for creating a site topology, sample data for a fictitious company, Fabrikam, Inc., is provided within the context of the tasks that must be performed. In this example, Fabrikam has users and computers at two physical locations, Seattle and Boston.

Create Active Directory Sites

Create Active Directory sites by using Active Directory Sites and Services.
To create the Active Directory sites

1. Log on to the domain controller by using an account that is a member of the Domain Admins group or the Enterprise Admins group.
2. Open Active Directory Sites and Services.
3. Right-click the Sites folder, and then click New Site.
4. In the Name box, type the name of the new site.
5. Click a site link object, and then click OK.

Fabrikam created the Seattle site, as shown in Figure 2.11 and Figure 2.12.

Figure 2.11 Creating a New Site

Figure 2.12 New Object - Site Creation Page
Create and Assign Active Directory Subnets

Create and assign Active Directory subnets by using Active Directory Sites and Services.

To create Active Directory subnets and associate them with sites

1. Log on to the domain controller by using an account that is a member of the Domain Admins group or the Enterprise Admins group.
2. Open Active Directory Sites and Services.
3. In the console tree, right-click Subnets, and then click New Subnet.
4. In the Address box, type the subnet address.
5. In the Mask box, type the subnet mask that describes the range of addresses included in this subnet.
6. Under Select a site object for this subnet, click the site to associate with this subnet, and then click OK.
7. To associate a subnet with a site, in the console tree, right-click the subnet with which you want to associate the site, and then click Properties.
8. In the Site box, click the site with which to associate this subnet.

Fabrikam created the subnet 172.16.12.0/22, as shown in Figure 2.13 and Figure 2.14.

Figure 2.13 Creating a New Subnet

Figure 2.14 New Object - Subnet Creation Page

Fabrikam associated the subnet with the Seattle site, as shown in Figure 2.15.

Figure 2.15 Subnet Properties Page
Create Active Directory Site Links

Create Active Directory site links and configure the site link by using Active Directory Sites and Services.

To create Active Directory site links

1. Log on to the domain controller by using an account that is a member of the Domain Admins group or the Enterprise Admins group.
2. Open Active Directory Sites and Services.
3. In the console tree, right-click the intersite transport protocol that you want the site link to use (generally IP), and then click New Site Link.
4. In the Name box, type the name to be given to the link.
5. Click two or more sites to connect, and then click Add.
6. Configure the cost, schedule, and replication frequency for the site link.

Fabrikam first created the Boston site and the subnet 172.16.28.0/22, following the same procedures that they used to create the Seattle site. They then created the site link SEA-BOS, as shown in Figure 2.16 and Figure 2.17.

Figure 2.16 Creating a New Site Link

Figure 2.17 New Object - Site Link Creation Page
Move the Domain Controller into the New Site

Move the domain controller from Default-First-Site-Name into the correct site by using Active Directory Sites and Services.

To move the domain controller into a new site

1. Log on to the domain controller by using an account that is a member of the Domain Admins group or the Enterprise Admins group.
2. Open Active Directory Sites and Services.
3. In the console tree, expand Default-First-Site-Name, and then click Servers.
4. In the Servers pane, right-click the name of the domain controller that you upgraded from Windows NT 4.0, and then click Move.
5. In the Move Server box, click the site that should contain the server, and then click OK.

Fabrikam moved the domain controller SEA-FAB-DC01 into the Seattle site, as shown in Figure 2.18 and Figure 2.19.

Figure 2.18 Moving a Server

Figure 2.19 Move Server Page

Figure 2.20 shows the site topology for Fabrikam after they created two sites, two subnets, and a site link, and moved the first domain controller into the Seattle site.

Figure 2.20 Fabrikam Site Topology
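The following PowerShell script is an added example, not part of this guide. It applies the placement rule described above (a domain controller whose IP address falls within a subnet that is assigned to a site belongs to that site; otherwise it lands in Default-First-Site-Name) to the Fabrikam sample data from this chapter, using a longest-prefix match so that a more specific subnet wins if subnets overlap, and it checks proposed site names against the legal DNS character rule stated earlier. The function names, the test addresses, and the extra 63-character label limit (a DNS label limit from RFC 1035, not stated in the chapter) are this example's own; the subnet and site values are the chapter's.

```powershell
# Added example, not from the deployment guide: map a domain controller's IP
# address to the Active Directory site whose subnet contains it, and validate
# site names against the chapter's legal DNS character rule. Subnet and site
# values are the Fabrikam sample data; everything else is constructed here.

function ConvertTo-AddressNumber {
    # Convert a dotted IPv4 address to a 32-bit number held in a [long],
    # so the bitwise -band below never overflows a signed 32-bit int.
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 address expected: $Address" }
    return ([long]$bytes[0] * 16777216) + ([long]$bytes[1] * 65536) +
           ([long]$bytes[2] * 256) + [long]$bytes[3]
}

function Test-AddressInSubnet {
    # $Subnet is in CIDR form, e.g. 172.16.12.0/22
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string]$Subnet
    )
    $network, $prefix = $Subnet -split '/'
    $prefix = [int]$prefix
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length in $Subnet" }
    # Mask with the top $prefix bits set, e.g. /22 -> 255.255.252.0
    $mask = [long](4294967296 - [math]::Pow(2, 32 - $prefix))
    $net  = ConvertTo-AddressNumber $network
    $ip   = ConvertTo-AddressNumber $Address
    return (($ip -band $mask) -eq ($net -band $mask))
}

function Get-SiteForAddress {
    # Longest-prefix match; falls back to Default-First-Site-Name, which is
    # where Active Directory places a DC that matches no assigned subnet.
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][hashtable[]]$SubnetTable
    )
    $best = $null
    $bestPrefix = -1
    foreach ($entry in $SubnetTable) {
        $prefix = [int]($entry.Subnet -split '/')[1]
        if ((Test-AddressInSubnet -Address $Address -Subnet $entry.Subnet) -and
            $prefix -gt $bestPrefix) {
            $best = $entry.Site
            $bestPrefix = $prefix
        }
    }
    if ($null -eq $best) { return 'Default-First-Site-Name' }
    return $best
}

function Test-LegalDnsSiteName {
    # The chapter's rule: only A-Z, a-z, 0-9 and the hyphen. A DNS label is
    # also limited to 63 characters (RFC 1035), which this check enforces too.
    param([Parameter(Mandatory)][string]$Name)
    return ($Name.Length -le 63 -and $Name -match '^[A-Za-z0-9-]+$')
}

# Fabrikam sample data from this chapter.
$FabrikamSubnets = @(
    @{ Subnet = '172.16.12.0/22'; Site = 'Seattle' },
    @{ Subnet = '172.16.28.0/22'; Site = 'Boston' }
)

# Constructed addresses for the demonstration: one in each Fabrikam subnet
# and one that matches neither.
foreach ($addr in '172.16.13.45', '172.16.30.7', '10.0.0.5') {
    $site = Get-SiteForAddress -Address $addr -SubnetTable $FabrikamSubnets
    Write-Output ("{0,-14} -> {1}" -f $addr, $site)
}

# Two names from the chapter and two constructed names that break the rule.
foreach ($name in 'Seattle', 'SEA-BOS', 'Seattle HQ', 'Boston_Office') {
    Write-Output ("{0,-14} legal DNS site name: {1}" -f $name, (Test-LegalDnsSiteName $name))
}
```

Use it before promoting an additional domain controller to confirm that its planned address will land in the intended site rather than in Default-First-Site-Name. On a domain with the ActiveDirectory module available (Windows Server 2012 and later, an assumption beyond this guide), the table can be built from the live subnet objects returned by Get-ADReplicationSubnet -Filter * instead of being typed in by hand.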
These resources contain additional information and tools related to this chapter.

Related Information

· “Restructuring Windows NT 4.0 Domains to an Active Directory Forest” in Designing and Deploying Directory and Security Services in the Windows Server 2003 Deployment Kit (or see “Restructuring Windows NT 4.0 Domains to an Active Directory Forest” on the Web at http://go.microsoft.com/fwlink/?LinkID=4728) for more information about restructuring domains when upgrading from Windows NT 4.0 to Windows Server 2003.

· “Designing the Active Directory Logical Structure” in Designing and Deploying Directory and Security Services in the Windows Server 2003 Deployment Kit (or see “Designing the Active Directory Logical Structure” on the Web at http://go.microsoft.com/fwlink/?LinkID=4723) for more information about the Active Directory logical structure.

· “Designing the Site Topology” in Designing and Deploying Directory and Security Services in the Windows Server 2003 Deployment Kit (or see “Designing the Site Topology” on the Web at http://go.microsoft.com/fwlink/?LinkID=4724) for more information about Active Directory site topology.

· “Enabling Advanced Windows Server 2003 Active Directory Features” in Designing and Deploying Directory and Security Services in the Windows Server 2003 Deployment Kit (or see “Enabling Advanced Windows Server 2003 Active Directory Features” on the Web at http://go.microsoft.com/fwlink/?LinkID=6937) for more information about enabling functional levels.

· “Deploying DNS” in Deploying Network Services in the Windows Server 2003 Deployment Kit (or see “Deploying DNS” on the Web at http://go.microsoft.com/fwlink/?LinkID=4709) for more information about deploying DNS.

Related Tools

· Adsiedit.exe
The ADSI Edit tool (Adsiedit.exe) is a Microsoft Management Console snap-in that you can use to edit objects in the Active Directory database. For more information about Adsiedit.exe, in Help and Support Center for Windows Server 2003, click Tools, and then click Windows Support Tools.

· Ldp.exe
Ldp.exe provides an interface to perform LDAP operations against Active Directory. For more information about Ldp.exe, in Help and Support Center for Windows Server 2003, click Tools, and then click Windows Support Tools.

Related Help Topics

For best results in identifying Help topics by title, in Help and Support Center, under the Search box, click Set search options. Under Help Topics, select the Search in title only check box.

· “Active Directory” in Help and Support Center for Windows Server 2003.
· “Windows Support Tools” under “Tools” in Help and Support Center for Windows Server 2003.
· “Microsoft network server: Digitally sign communications (always)” in Help and Support Center for Windows Server 2003 for more information about SMB packet signing.
· “Domain member: Digitally encrypt or sign secure channel data (always)” in Help and Support Center for Windows Server 2003 for more information about secure channel signing.
· “Active Directory support tools” in Help and Support Center for Windows Server 2003 for more information about the options that are available for the Active Directory support tools.
· “Security options: Security Setting Descriptions” in Help and Support Center for Windows Server 2003 for more information about security policies.
· “Configure site settings: Active Directory” and “Configure replication between sites: Active Directory” in Help and Support Center for Windows Server 2003 for more information about configuring your site topology.
· “Understanding aging and scavenging: DNS” in Help and Support Center for Windows Server 2003 for more information about how to configure aging and scavenging of stale resource records.