Active Directory Upgrade Strategies
Last Updated: 31 Oct 2005
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*** PLEASE NOTE: Link(s), If Provided, May Be Wrapped ***
There are several approaches you can take to upgrade
from an NT4 Domain environment to a Windows 2000/2003
Active Directory structure. The method you choose will
depend on a number of factors such as TIME, BUDGET and
SIZE of environment in question.
For the most part, migrating or upgrading from an NT4
domain to Active Directory domain running on 2003 is
identical to the process for 2000, except that there are
now much better tools and more documentation for a 2003
migration.
Upgrading from 2000 to 2003 is a mostly painless affair.
Some caveats exist if you have Exchange servers in your
current environment.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE: Windows 200x servers (and workstations, of course)
can participate in NT4 domains, as long as they
remain Member Servers. As soon as DCPROMO is
executed, you have either created or joined an
Active Directory domain, regardless of whether or
not any NT4 BDCs exist.
At no time can an NT4 Server be configured as a
PDC of a domain, with Windows 200x systems acting
as "BDCs" of that domain.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The first major question is whether to start with the
servers first, or the workstations. My preference is
workstations first, because it is less disruptive to
the overall environment, and will allow you to gain
some familiarity with Windows 2000 in an isolated
situation (relative to your servers, anyway).
Your approach to installing Active Directory, however,
is pretty much limited to the following:
• Upgrade Current NT4 Domain
• Build New Win2K AD Domain and Migrate Users
If you have rather recent machines, and you are fairly
content with your current domain configuration, then the
first option is easy to do. Actually, even if you have
an older system as your PDC, you can migrate to AD with
very little difficulty (see STRATEGY #1A).
If, on the other hand, your machines are older, and/or
you want to move away from some decisions that were
made during the life of the NT4 domain, then you should
consider starting a brand new Active Directory domain,
setting up a Trust between the Win2K and NT4 domains,
and migrating users and machines as necessary.
=====================================
STRATEGY #1 - UPGRADE EXISTING DOMAIN
=====================================
0. Backup your existing NT4 domain controllers
1. Build a new NT4 BDC for your existing NT4 domain
2. Promote this machine to PDC (NT4)
3. Take one current NT4 BDC offline (as a contingency)
4. Upgrade the new NT4 PDC to Win200x
5. Build additional Win200x Domain Controllers as necessary
6. Upgrade other NT4 Domain Controllers as necessary
PROS: No change necessary for clients.
CONS: You're playing with your only domain.
Your servers will not be clean installations.
UNDO: In case of difficulty, take the Win2K PDC
offline, bring back the BDC you took offline,
and promote it back to PDC.
=======================================================
STRATEGY #1A - UPGRADE EXISTING DOMAIN (CLEAN INSTALLS)
=======================================================
0. Backup your existing NT4 domain controllers
1. Build a new NT4 BDC for your existing NT4 domain
2. Promote this machine to PDC (NT4)
3. Take one current NT4 BDC offline (as a contingency)
4. Upgrade the new NT4 PDC to Win200x
5. Build a new Win200x domain controller
6. Transfer FSMO roles from the "PDC" to this new DC
7. Take the first DC offline (it can be rebuilt)
8. Build additional Win200x Domain Controllers as necessary
9. Rebuild other NT4 DCs into Win200x DCs as necessary
PROS: No change necessary for clients.
Clean installs of Win2K on all servers.
You can use a wimpy box for steps 1-4
CONS: You're playing with your only domain.
More costly in terms of time and machines.
UNDO: In case of difficulty, take the Win2K PDC
offline, bring back the BDC you took offline,
and promote it back to PDC.
===============================================
STRATEGY #2 - BUILD NEW ACTIVE DIRECTORY DOMAIN
===============================================
0. Backup your existing domain controllers
1. Build a new Windows 200x server and setup AD
2. Build some new DCs for this new domain
3. Establish a Trust between the NT4 and Win200x domains
4. Begin moving users and machines into the new domain
5. Finish migration, break trusts, and eliminate NT4
PROS: Old domain still available for fallback purposes.
Less disruptive to admins. Slower pace of migration.
CONS: Requires lots more time and hardware.
Will require migration of User Profiles.
UNDO: As long as you still have the NT4 domain, you can
back out of the entire process.
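Every strategy above begins with "step 0", a backup of the existing domain controllers, and the notes further down add "back up the Schema as soon as possible". The script below is an added example (it is not part of the original page and is not Microsoft's own tooling) that scripts that step around the Windows 2000/2003 utilities. It assumes PowerShell is installed on the DC (PowerShell 1.0 shipped for Windows Server 2003 in 2006), that ntbackup.exe and ldifde.exe are on the PATH and that netdom.exe from the Support Tools is installed; $BackupRoot is a hypothetical destination.

```powershell
# Added example, not from the original page: the "step 0" backup that every
# strategy above begins with, scripted around the Windows 2000/2003 tools.
# Assumes PowerShell is installed on the DC (PowerShell 1.0 shipped for
# Windows Server 2003 in 2006), that ntbackup.exe and ldifde.exe are on the
# PATH and that netdom.exe (Support Tools) is installed. $BackupRoot is a
# hypothetical destination; point it at a volume that is not on the DC
# being upgraded.
param([string]$BackupRoot = 'D:\ADBackup')

$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 1. System State on a DC bundles the AD database (ntds.dit), SYSVOL, the
#    registry and the boot files: the set you need to restore a DC, or to
#    roll it back if the upgrade goes wrong.
$bkf = Join-Path $target 'SystemState.bkf'
& ntbackup.exe backup systemstate /J "AD pre-upgrade $stamp" /F $bkf
if ($LASTEXITCODE -ne 0) { throw "ntbackup failed with exit code $LASTEXITCODE" }

# 2. Export the schema partition as LDIF. Upgrades extend the schema and
#    schema changes cannot be rolled back, so keep a readable reference copy
#    of the pre-upgrade state to diff against afterwards. (This is a
#    reference copy, not something you can import to revert the schema.)
$schemaNC = [string]([ADSI]'LDAP://RootDSE').schemaNamingContext
$ldf = Join-Path $target 'Schema.ldf'
& ldifde.exe -f $ldf -d $schemaNC -p subtree
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE" }

# 3. Record the DCs that exist right now, so the UNDO step (which BDC was
#    taken offline, which box was the PDC) is written down, not remembered.
& netdom.exe query dc | Out-File (Join-Path $target 'DomainControllers.txt')

"Backup written to $target"
```

Run it on the PDC before step 1 and keep the folder off the machine you are about to upgrade; the System State file is what the UNDO steps in each strategy depend on, and the schema export is there so that after the upgrade you can see exactly what changed.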
ACTIVE DIRECTORY IN WINDOWS SERVER 2003
Where AD under Windows 2000 had only Mixed and Native
modes, Windows Server 2003 brings a total of FOUR modes
(now called Domain Functional Levels) to the table.
1. Windows 2000 mixed (default)
2. Windows 2000 native
3. Windows Server 2003 interim
4. Windows Server 2003
Among other things, the various levels allow for domain
controller interoperability with older versions of Windows.
Mode #4 is the one with the most features, but all of your
domain controllers must be running Windows 2003 Server.
There are also THREE Forest Functional Levels:
1. Windows 2000 (default)
2. Windows Server 2003 interim
3. Windows Server 2003
• http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_levels.asp
KEY THINGS TO REMEMBER ABOUT NT DOMAINS & ACTIVE DIRECTORY
• Windows 2003 servers make fine members of 2000 domains.
• Windows 200x servers make fine members of NT4 domains.
• Any NT4 domain that introduces a Windows 200x machine
in the role of Domain Controller is transformed into
an Active Directory (200x) domain -- in mixed mode by
default.
• A 2000 AD domain that introduces a Windows 2003 machine
in the role of Domain Controller is transformed into
a 2003 AD domain -- either in "Windows 2000 Mixed Mode"
or "Windows 2000 Native Mode" (or functional level).
• The PDC emulator in 2003 is much better than the one in
2000, so once the domain has been upgraded to 2003, the
PDC emulator role should be moved to the 2003 server.
TRANSFERRING FSMO ROLES
Although Active Directory domain controllers are peers,
there are 5 roles which can only exist on one DC at any
given time. They are called Flexible Single Master
Operations (FSMO) roles, and here is how you can transfer
them from one controller to another:
• http://support.microsoft.com/?KBID=255690
• http://support.microsoft.com/?KBID=324801
• http://support.microsoft.com/?KBID=255504
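The two passages above (the functional levels, where level #4 requires every DC to run Windows Server 2003, and the FSMO roles that live on exactly one DC each) are served by one added example. It is not part of the original page and is not the ntdsutil procedure the KB articles describe; it uses the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later), which does the same transfer and makes the role holders easy to inventory. 'DC02' is a placeholder name, and Get-LaggingDomainControllers is a helper written for this example.

```powershell
# Added example, not from the original page. Uses the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT or later), which postdates the ntdsutil-based
# KB articles above but performs the same transfer. 'DC02' is a placeholder.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Three roles live in the domain partition, two in the forest.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [PSCustomObject]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

function Get-LaggingDomainControllers {
    # Returns DCs whose OS is older than the year implied by the target level,
    # e.g. 2003 for the "Windows Server 2003" domain functional level.
    # The year is pulled out of the OperatingSystem string ("Windows Server 2003").
    param([Parameter(Mandatory)][int]$MinimumYear)
    Get-ADDomainController -Filter * | ForEach-Object {
        $year = if ($_.OperatingSystem -match '(\d{4})') { [int]$Matches[1] } else { 0 }
        [PSCustomObject]@{
            HostName        = $_.HostName
            OperatingSystem = $_.OperatingSystem
            Year            = $year
        }
    } | Where-Object { $_.Year -lt $MinimumYear }
}

# --- usage -----------------------------------------------------------------
'Current FSMO role holders:'
Get-FsmoRoleHolders | Format-List

$lagging = Get-LaggingDomainControllers -MinimumYear 2003
if ($lagging) {
    'Not ready to raise the domain functional level; these DCs are too old:'
    $lagging | Format-Table -AutoSize
} else {
    # Raising a functional level is one-way, so preview it with -WhatIf first.
    Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2003Domain -WhatIf
}

# Move all five roles to one DC, previewed with -WhatIf. A plain transfer
# contacts the current holder; adding -Force seizes the role instead, which
# is only appropriate when the old holder is gone for good and will never
# be brought back online.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster `
    -WhatIf
```

Remove the -WhatIf switches once the preview shows what you expect. The ordering matters for the page's own advice: the PDC emulator is the role you most want on the 2003 box once the domain is at 2003, and a seized role must never be allowed to meet its former holder again, which is why the original holder is rebuilt rather than simply powered back on.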
UPGRADING FROM NT4 TO 2003
• http://www.enterpriseitplanet.com/networking/features/article.php/2237741
• http://download.microsoft.com/download/d/a/7/da767448-6875-489c-96e6-2003e036de6d/03_Chapter_2_NT4MigAD.doc
• http://www.microsoft.com/windowsserver2003/upgrading/nt4/tooldocs/
• http://techrepublic.com.com/5100-6268-1058251.html
• http://www.computerperformance.co.uk/w2k3/W2K3_ADMT.htm
• http://networking.earthweb.com/netsysm/article.php/10954_3075471_2
• http://support.microsoft.com/?KBID=325851
• http://www.microsoft.com/downloads/details.aspx?FamilyID=e92cf6a0-76f0-4e25-8de0-19544062a6e6&displaylang=en
UPGRADING FROM 2000 TO 2003
• http://support.microsoft.com/?KBID=555040
• http://support.microsoft.com/?KBID=325379
MIGRATIONS & TRANSFERRING USERS (via LDIFDE)
• http://support.microsoft.com/?KBID=283791
• http://www.microsoft.com/windows2000/techinfo/administration/redir-ldifde.asp
• http://www.microsoft.com/windows2000/downloads/tools/admt/
• http://builder.com.com/article.jhtml?id=r00220020605low01.htm
• http://www.jsiinc.com/SUBJ/tip4700/rh4795.htm
AD MIGRATION TOOL
• ADMT v2 ................ http://support.microsoft.com/?KBID=326480
• ADMT v3 ................ http://www.microsoft.com/downloads/details.aspx?FamilyID=6f86937b-533a-466d-a8e8-aff85ad3d212&DisplayLang=en
AD CLIENT EXTENSIONS
• http://www.microsoft.com/windows2000/downloads/tools/adclient/
• http://support.microsoft.com/?KBID=811497
DOMAIN NAME
• http://support.microsoft.com/?KBID=237675
• http://support.microsoft.com/?KBID=260362
• http://support.microsoft.com/?KBID=254680
• http://support.microsoft.com/?KBID=296250
• http://www.faqs.org/rfcs/rfc1591.html
SETTING UP DNS IN 2000/2003
• http://www.microsoft.com/downloads/details.aspx?familyid=15d276a5-4bf6-4add-9f67-56b38ccb576b&displaylang=en
• http://www.microsoft.com/windows2000/technologies/communications/dns/
• http://www.microsoft.com/windows2000/techinfo/reskit/en-us/cnet/cncf_imp_zzui.asp
• http://www.microsoft.com/resources/documentation/windowsserv/2003/all/deployguide/en-us/dnsbd_dns_pxsr.asp
• http://support.microsoft.com/?KBID=825036
DNS TROUBLESHOOTING IN 2000/2003
• http://support.microsoft.com/?KBID=291382
• http://support.microsoft.com/?KBID=275278
• http://support.microsoft.com/default.aspx?scid=/support/win2000/dns.asp&FR=1
DISASTER RECOVERY FOR AD
• http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/support/adrecov.mspx
• http://www.microsoft.com/technet/community/events/windows2003srv/tnt1-94.mspx
• http://www.microsoft.com/technet/community/events/windows2000srv/tnt1-76.mspx
• http://support.microsoft.com/servicedesks/webcasts/wc031902/wcblurb031902.asp
• http://www.jsifaq.com/SUBE/tip2300/rh2384.htm
• http://www.4mcts.com/downloads/addisaster.pdf
SIZING AND MAINTENANCE
• http://support.microsoft.com/?KBID=222019
• http://support.microsoft.com/?KBID=229602
• http://www.microsoft.com/windows2000/downloads/tools/sizer/
• http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/adsizer-o.asp
• http://labmice.techtarget.com/ActiveDirectory/AD_replication.htm
WINDOWS SMALL BUSINESS SERVER (SBS) -- UPGRADE FAQs
• http://www.microsoft.com/windowsserver2003/sbs/techinfo/overview/generalfaq.mspx
• http://www.microsoft.com/WindowsServer2003/sbs/upgrade/
WHITEPAPERS & TECH DOCUMENTS
• http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/
• http://www.computerperformance.co.uk/dns_dhcp_wins.htm
• http://www.netpro.com/ebook/
• http://www.nalanda.nitc.ac.in/resources/cse/ebooks/Win2k_srvr/Chapter02.pdf
• http://labmice.techtarget.com/ActiveDirectory/
• http://www.ibilce.unesp.br/courseware/win2000/pt5_1.htm
• http://www.serverwatch.com/tutorials/article.php/1474461
• http://www.swynk.com/friends/dinicolo/adquick.asp
• http://msdn.microsoft.com/library/en-us/dnduwon/html/d5activedir.asp
• http://support.microsoft.com/?KBID=237675
• http://support.microsoft.com/?KBID=260362
• http://www.microsoft.com/windows2000/technologies/directory/ad/
• http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/manadsteps.asp
• http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_levels.asp
• http://support.microsoft.com/default.aspx?view/tn.asp?kb=300921
• http://support.microsoft.com/?KBID=197132
• http://support.microsoft.com/?KBID=223787
• http://support.microsoft.com/?KBID=255504
• http://support.microsoft.com/?KBID=292541
• http://www.microsoft.com/technet/itsolutions/howto/admhow.asp
• http://www.microsoft.com/technet/win2000/win2ksrv/add.asp
• http://www.microsoft.com/windows2000/en/server/help/sag_ADtopnode.htm
• http://www.microsoft.com/windows2000/guide/server/features/activedirectory.asp
• http://www.microsoft.com/windows2000/library/planning/walkthroughs/
• http://www.microsoft.com/windows2000/library/resources/reskit/dpg/
• http://www.microsoft.com/windows2000/techinfo/planning/incremental/domainup.asp
• http://www.microsoft.com/windows2000/techinfo/planning/pds-cduadtoc.asp
• http://www.windows-expert.net/faq/Active-Directory/upgrade-nt-domain-to-active-directory.asp
• http://www.unisys.com/Windows2000/AssocDocs/migration%20white%20paper.PDF
• http://labmice.net/networking/networkbasics.htm
• http://www.win2000mag.com/Articles/Index.cfm?ArticleID=4692
• http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15922
• http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21422
• http://www.win2000mag.com/Articles/Index.cfm?ArticleID=8958
PERSONAL NOTES
• Sep 2005: ADMT v3 has just been released. Many of the
requested improvements have been provided. For very
large migrations, there are still better 3rd party tools
available, but for small or straightforward migrations,
ADMT is very effective.
• It's a toss-up between #1 and #1A, unless your servers
have a whole lot of junk installed, and could do with
a clean start.
• Always have good backups, and a good plan from the very
beginning. An Active Directory install/migration is not
the time to play "fly by the seat of your pants".
• Backup the Schema as soon as possible, if not before.
• A domain which has a Windows 2000 machine running in it
as a domain controller is an Active Directory domain.
You cannot have a Win2K DC act as a BDC for any NT4
domain.
• Any domain which is running Windows 2003 as a domain
controller is a Windows 2003 Active Directory domain,
and has the option of running in one of the following
FOUR Domain Functionality Levels:
Windows 2000 mixed (default)
Windows 2000 native
Windows Server 2003 interim
Windows Server 2003
• The info on Domain & Forest functional levels can also
be found in the Windows 2003 HELP system
• Although NT4 and Win9x machines are supported in 2000
domains via the AD Client, by default, 2003 does not
allow Win9x machines or NT4 pre-SP4 systems to connect
to a 2003 Active Directory domain. See Q811497
• Mastering Windows Server 2003 by Mark Minasi is a great
book for anyone who is new to Active Directory and
Windows 2000/2003
RELATED TOPICS (ALSO IN THIS ARCHIVE)
• http://KB.UltraTech-llc.com/?File=ToWin2K.TXT
• http://KB.UltraTech-llc.com/?File=ADNetwork.TXT
• http://KB.UltraTech-llc.com/?File=CopyPerms.TXT
• http://KB.UltraTech-llc.com/?File=CopyProfile.TXT
• http://KB.UltraTech-llc.com/?File=NewServer.TXT
• http://KB.UltraTech-llc.com/?File=Win2000.TXT
• http://KB.UltraTech-llc.com/?File=Windows.TXT
• http://KB.UltraTech-llc.com/?File=TestInstall.TXT
• http://KB.UltraTech-llc.com/?File=Upgrades.TXT
• http://KB.UltraTech-llc.com/?File=ServerSpecs.TXT