Upgrading a Windows NT domain

By dwirch | 2007-04-03

This section explains the recommended steps for upgrading a Windows NT domain to Windows 2000 and Active Directory.




Plan and implement a namespace and DNS infrastructure

Because the Domain Name System (DNS) is required for Active Directory, ensure that you have designed a DNS and Active Directory namespace and have either configured DNS servers or are planning on having the Active Directory Installation wizard automatically install the Windows 2000 DNS service on the domain controller.




Upgrade the Windows NT primary domain controller

The first Windows NT server you must upgrade is the Windows NT primary domain controller (PDC). Upgrading the Windows NT PDC is required for successful upgrade of a Windows NT domain to a Windows 2000 domain.




Install Active Directory on the Windows NT PDC

During the Windows 2000 Server upgrade, the Active Directory Installation wizard requires that you choose to join an existing domain tree or forest, or start a new domain tree or forest. If you decide to join an existing domain tree, you must provide a reference to the desired parent domain.




Running the Active Directory Installation wizard installs all necessary components on the domain controller, such as the directory data store and the Kerberos V5 protocol authentication software.




The existing Security Account Manager (SAM) objects will be copied from the registry to the new data store. These objects are the security principals (user accounts, local and global groups, and computer accounts).




Once the Kerberos V5 protocol is installed, the installation process starts the authentication service and the ticket granting service, and if this is a new child domain, establishes a transitive trust relationship to the parent domain. Eventually, the domain controller from the parent domain copies all schema and configuration information to the new child domain controller.




The upgraded domain controller is a fully functional member of the Active Directory forest. The new domain is added to the domain and site structure, and all domain controllers receive the notification that a new domain has joined the forest.




Computers running Active Directory client software (Windows 2000 Professional, Windows 98 and Windows 95) can use Active Directory features, such as authentication, for access to resources in the domain tree or forest, and for directory queries. Clients benefit from the transitive trust relationships that exist within the forest, enabling authorized users to access resources in any domain.




Computers running previous versions of Windows access the domain as if it were a Windows NT domain, finding only those resources available through Windows NT one-way trusts. While the domain is in mixed mode, the domain controller exposes to clients using previous versions of Windows only resources in domains that have older, established Windows NT explicit trusts. This creates a consistent environment in that the previous-version clients can access only resources in domains with explicit trusts, regardless of whether the client is using a Windows 2000 domain controller or a Windows NT backup domain controller.




After the PDC upgrade, the Windows 2000 domain controller uses the Active Directory data store, which is compatible with any remaining Windows NT backup domain controllers (BDCs).




The upgraded Windows 2000 domain controller can synchronize security principal changes to remaining Windows NT Server 4.0 BDCs. It is recognized as the domain master by the Windows NT Server 4.0 BDCs.




If the Windows 2000 domain controller goes offline or otherwise becomes unavailable and no other Windows 2000 domain controllers exist in the domain, a BDC running Windows NT Server can be promoted to be a Windows 2000 domain controller.




Once you have upgraded the Windows NT PDC, you can proceed to either:




Upgrade all other servers to Windows 2000 Server. During the upgrade process, you should maintain a BDC running your current version of Windows NT Server to guarantee a backup if any problems develop.




Install Windows 2000 Server on only one domain controller, leaving all other domain controllers configured with Windows NT Server.




Implement your domain organization

After upgrading to Windows 2000 and configuring the domain controller using the Active Directory Installation wizard, use the Active Directory administration tools to create the new directory objects, (such as organizational units and Group Policy objects) needed to implement the organization you have planned for the domain.




Upgrade any remaining backup domain controllers

The next stage of the upgrade process is to upgrade any remaining Windows NT backup domain controllers to Windows 2000 Server and Active Directory.




When upgrading Windows NT domains, only one Windows 2000 domain controller can create security principals (users, groups, and computer accounts). This single domain controller is configured as the PDC emulator operations master. The PDC emulator operations master emulates a Windows NT PDC.




The domain controller emulating the Windows NT PDC controls unique resource identifiers assigned to security principals. Resource identifiers are used to create the Windows 2000 security identifier that identifies User and Group objects.




The domain controller that is emulating the Windows NT PDC supports two authentication protocols:




the Kerberos V5 protocol

the NTLM protocol




Complete the upgrade of the domain

After you have upgraded all existing Windows NT primary and backup domain controllers to Windows 2000 Server and Active Directory and have no plans to use Windows NT domain controllers, you can switch the domain from mixed mode to native mode. The change from mixed mode to native mode is done manually by an administrator using the Active Directory Domains and Trusts snap-in.




Several things happen when you change to native mode:




Domain controllers no longer support NTLM replication.

The domain controller that is emulating the PDC operations master cannot synchronize data with a Windows NT BDC.

Windows NT domain controllers cannot be added to the domain. (You can, of course, add new Windows 2000 domain controllers.)

Users and computers using previous versions of Windows begin to benefit from the transitive trusts of Active Directory and (with the proper authorization) can access resources anywhere in the forest. Although previous versions of Windows do not support the Kerberos V5 protocol, the pass-through authentication provided by the domain controllers allows users and computers to be authenticated in any domain in the forest. This enables users or computers to access resources in any domain in the forest for which they have the appropriate permissions.




Other than the enhanced access to any other domains in the forest, clients will not be aware of any changes in the domain.
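The switch to native mode is irreversible, so the check worth running first is that no Windows NT BDC still depends on the PDC emulator. The following PowerShell script is an added example, not part of the original article; it assumes a domain-joined Windows machine and uses read-only ADSI queries (the ntMixedDomain and fSMORoleOwner attributes on the domain object, and the SERVER_TRUST_ACCOUNT bit on computer accounts). Treating a domain controller that records no operatingSystem value as a Windows NT BDC is an assumption of this script.

```powershell
# Added pre-flight check (not from the original article): report the domain mode,
# the PDC emulator, and any domain controller that still looks like a Windows NT BDC.
# Assumes it runs on a domain-joined Windows host as an ordinary domain user.

$root   = [ADSI]"LDAP://RootDSE"
$domain = [ADSI]("LDAP://" + $root.defaultNamingContext.Value)

# ntMixedDomain: 1 = mixed mode (NT BDCs still supported), 0 = native mode
$mode = if ([int]$domain.ntMixedDomain.Value -eq 1) { "mixed" } else { "native" }
Write-Host "Domain $($domain.distinguishedName.Value) is in $mode mode"

# fSMORoleOwner on the domain object is the NTDS Settings DN of the PDC emulator;
# the DN embeds the server name, so printing it identifies the emulator.
Write-Host "PDC emulator (NTDS Settings): $($domain.fSMORoleOwner.Value)"

# SERVER_TRUST_ACCOUNT (0x2000 = 8192) marks a domain controller's computer account.
# In a mixed-mode domain both Windows 2000 DCs and migrated NT BDC accounts carry it;
# only Windows 2000 DCs write operatingSystem, so a DC without it is treated as an NT BDC.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
$searcher.PropertiesToLoad.AddRange([string[]]("name", "operatingSystem"))

$ntBdcs = @()
foreach ($dc in $searcher.FindAll()) {
    $name = $dc.Properties["name"][0]
    $os   = ""
    if ($dc.Properties["operatingsystem"].Count -gt 0) { $os = $dc.Properties["operatingsystem"][0] }

    if ($os -match "Windows 2000") {
        Write-Host "  OK    $name ($os)"
    } else {
        Write-Host "  HOLD  $name (no Windows 2000 operating system recorded; treated as a Windows NT BDC)"
        $ntBdcs += $name
    }
}

if ($ntBdcs.Count -gt 0) {
    Write-Host "Do not switch to native mode yet: $($ntBdcs -join ', ') must be upgraded or retired first."
} else {
    Write-Host "All domain controllers report Windows 2000; the domain can be switched to native mode."
}
```

Run it from an account with read access to the domain naming context; it changes nothing in the directory.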




Upgrading Active Directory

When a Windows NT PDC or BDC is upgraded to Windows 2000 the upgrade process creates domain and site objects used by Active Directory, as well as creating user and computer accounts and groups from the Windows NT directory (also referred to as the Security Accounts Manager database).




During upgrade, objects are created to contain the accounts and groups from the Windows NT PDC or BDC. These container objects are named Users, Computers and Builtin, and are displayed as folders in the Active Directory Users and Computers console. These objects contain the users, computers, and groups from the Windows NT directory. User accounts and pre-defined groups are placed in the Users folder. Computer accounts are placed in the Computers folder. Built-in groups are placed in the Builtin folder.




Note




These special Container objects are not organizational units. They cannot be moved, renamed or deleted.




During upgrade the existing Windows NT groups are placed into different containers depending on the nature of the group. Windows NT built-in local groups (such as Administrators and Server Operators) are put into the Builtin container. Windows NT global groups (such as Domain Admins) and any user-created local groups and global groups are placed in the Users container.
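To confirm that the migrated groups landed where the text says they should, the following PowerShell script (an added example, not part of the original article) lists the groups directly under CN=Builtin and CN=Users and decodes each group's groupType bit field; it assumes a domain-joined Windows host and runs read-only ADSI queries only.

```powershell
# Added example (not from the original article): show where the upgrade placed each
# Windows NT group and decode its groupType, so built-in local groups are expected under
# CN=Builtin and global or user-created groups under CN=Users.
# Assumes a domain-joined Windows host; the queries are read-only.

$root  = [ADSI]"LDAP://RootDSE"
$domNC = $root.defaultNamingContext.Value

# groupType bits: 0x1 BUILTIN_LOCAL, 0x2 GLOBAL, 0x4 DOMAIN_LOCAL,
# 0x80000000 SECURITY_ENABLED. The value is stored as a signed 32-bit integer,
# so every security-enabled group has a negative groupType.
function Get-GroupScope([int]$groupType) {
    $scope = if ($groupType -band 0x1) { "builtin local" }
             elseif ($groupType -band 0x2) { "global" }
             elseif ($groupType -band 0x4) { "domain local" }
             else { "unknown scope" }
    $kind = if ($groupType -lt 0) { "security" } else { "distribution" }
    return "$scope $kind"
}

foreach ($container in "CN=Builtin", "CN=Users") {
    $base = [ADSI]"LDAP://$container,$domNC"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, "(objectCategory=group)")
    $searcher.SearchScope = "OneLevel"          # only direct children of the container
    $searcher.PropertiesToLoad.AddRange([string[]]("name", "groupType"))

    Write-Host "`n$container,$domNC"
    foreach ($g in $searcher.FindAll()) {
        $scope = Get-GroupScope ([int]$g.Properties["grouptype"][0])
        # A builtin local group outside CN=Builtin, or a non-builtin group inside it,
        # does not match the placement described for the upgrade and deserves a look.
        $inBuiltin  = ($container -eq "CN=Builtin")
        $isBuiltin  = ($scope -like "builtin*")
        $flag = if ($inBuiltin -ne $isBuiltin) { "  <-- unexpected container" } else { "" }
        Write-Host ("  {0,-28} {1}{2}" -f $g.Properties["name"][0], $scope, $flag)
    }
}
```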




Models for conservative upgrade

Two other models exist to allow upgrade flexibility. Both models require upgrading the primary domain controller first.




Model 1: Save a pre-Windows 2000 backup domain controller (BDC)

For this model, you either install a new BDC that runs your current version of Windows NT Server, or, if you currently have more than one BDC, use one of them. This BDC will store a secure copy of your current domain database. Remove the BDC from the network before beginning the process.




If any problems arise during migration, you can remove all Windows 2000 computers from the production environment, then bring the BDC back into your network and make it the new PDC. This new PDC then replicates its data to all BDCs, and the domain is returned to its previous state.




The only drawback of this method is that all changes that were made while the safe BDC was offline are lost. To minimize this loss, you could periodically turn the safe BDC on and off again (when the domain is in a stable state) during the migration process, to update its safe copy of the directory.




Model 2: Remove the primary domain controller (PDC) from the network first

You can also remove the PDC from the network before starting the migration. If you intend to create multiple domains, you can bring all PDCs into an environment that is not part of the production network. You can then upgrade the PDCs and form the domain tree or trees while disconnected from the production environment. The result is the creation of a fully functional forest, without affecting production.




Once a forest is formed, you can add workstations and BDCs to it. If the migration continues smoothly, the PDCs can be returned to the production environment and turned on. The forest continues to work, and the rest of the servers can be updated to Windows 2000 Server; or the new client access software can be installed on the pre-Windows 2000 clients.




If a forest already exists, you can bring one domain controller from the existing forest to the established lab environment and use it to add to the forest all the PDCs being upgraded. The domain controller from the existing forest can replicate the directory schema and configuration data to the new domain controllers.




When you use this method, the production environment remains unaffected until the new domain controllers and the forest have proven sufficiently stable. The main disadvantage of this method is that it is not possible to make changes in the directory until the new domain controllers go online in the production environment.

Author: dwirch

Derek Wirch is a seasoned IT professional with an impressive career dating back to 1986. He brings a wealth of knowledge and hands-on experience that is invaluable to those embarking on their journey in the tech industry.
