



Contents
Overview
Introduction to Developing a Domain Upgrade Strategy
Analyzing an Active Directory Design
Planning a Domain Upgrade
Lab A: Developing a Domain Upgrade Strategy
Review
Module 3: Developing a Domain Upgrade Strategy

Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.


© 2000 Microsoft Corporation. All rights reserved.

Microsoft, MS, Windows, Windows NT, Active Directory, and Windows 2000 are either
registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective
owners.

Project Lead/Instructional Designer: Sangeeta Garg (NIIT (USA) Inc.)
Lead Program Manager: Angie Fultz
Instructional Designer: Robert Deupree (S&T OnSite)
Subject Matter Expert: Brian Komar (3947018 Manitoba Inc)
Technical Contributors: John Pritchard, Greg Parsons, David Cross, Rodney Fournier, Tony de
Freitas, Christoph Felix, Shaun Hayes, Megan Camp, Richard Maring, Glenn Pittaway, Anne
Hopkins, Bob Heath, Jeff Newfeld, Jim Glynn, Paul Thompson (Mission Critical Software, Inc.),
David Stern, Lyle Curry, Steve Tate, Bill Wade (Wadeware LLC).
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T Onsite)
Testers: Testing Testing 123
Instructional Design Consultants: Susan Greenberg, Paul Howard
Instructional Design Contributor: Kathleen Norton
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editors: Marilyn McCune (Sole Proprietor), Wendy Cleary (S&T OnSite), Jane Ellen Combelic
(S&T OnSite)
Copy Editor: Shawn Jackson (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Onsite)
Multimedia Development: Kelly Renner (Entex)
Courseware Testing: Data Dimensions, Inc.
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T Onsite)
Manufacturing Support: Laura King (S&T Onsite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Managers: Dean Murray, Ken Rosen
Group Product Manager: Robert Stewart




Instructor Notes
This module provides students with the ability to analyze their Microsoft®
Active Directory directory service design goals and successfully plan an
upgrade strategy. The module starts by looking at the factors to consider when
examining the Active Directory design and then provides a step-by-step
methodology for creating an upgrade plan.
At the end of this module, students will be able to:
• Examine the Active Directory design of an organization.
• Plan a domain upgrade to Active Directory.

Lab A, Developing a Domain Upgrade Strategy, is a scenario-based planning
lab. The students will collect information concerning the current domain model,
DNS infrastructure, and proposed site topology. Based on the information
gathered, the students will then work in groups to design an upgrade strategy
that meets the business needs of the scenario presented.
The instructor will keep discussions and decisions regarding mapping designs
focused on business needs.
Materials and Preparation
This section provides you with the required materials and preparation tasks that
are needed to teach this module.
Required Materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 2010A_03.ppt
• Module 3, “Developing a Domain Upgrade Strategy”

Preparation Tasks
To prepare for this module, you should:
• Read all of the materials for this module.
• Read all the delivery tips.
• Complete the lab.
• Read the white paper, “Planning Migration from Microsoft Windows NT to
Microsoft Windows 2000,” on the Student Materials compact disc.
• Read chapter 9 of the Windows 2000 Server Deployment Planning Guide,
“Planning the Active Directory Structure,” on the Student Materials
compact disc.
• Read chapter 10 of the Windows 2000 Server Deployment Planning Guide,
“Determining Domain Migration Strategies,” on the Student Materials
compact disc.
• Read chapter 13 of the Windows 2000 Server Deployment Planning Guide,
“Automating Server Upgrade and Installation,” on the Student Materials
compact disc.
• Read the white paper, “Automating the Windows 2000 Upgrade,” on the
Student Materials compact disc.
• Read the file, “Windows 2000 Operating System Comparison Chart,” on the
Student Materials compact disc.

Presentation: 60 Minutes
Lab: 60 Minutes

Module Strategy
Use the following strategy to present this module:
• Introduction to Developing a Domain Upgrade Strategy
The module begins with a summary of what a domain upgrade is and what it
accomplishes. Provide an overview of the upgrade planning process.
• Analyzing an Active Directory Design
The Active Directory design is the goal of the migration project: the final,
ideal infrastructure. In previous migration planning steps, the Active
Directory design was examined to ensure goal alignment. After an
organization selects domain upgrade as a migration path, the plans for
Active Directory should be re-examined to provide focus for the upgrade
planning process and ensure that the goals of that design are incorporated in
the domain upgrade plan. This section serves as a sort of pre-upgrade
planning checklist, because any issues that are uncovered in this
examination must be resolved prior to proceeding with the planning of the
upgrade.
Begin by explaining the need for examining the Active Directory design and
what this examination involves.
Explain the planning considerations involved when examining the forest
design, site design, and administrative and security plan.
Emphasize that a single-forest environment is the simplest to create in an
upgrade scenario. Upgrading to multiple forests, by contrast, is complicated
and requires careful analysis, because multiple-forest environments are
commonly considered to solve politically based administrative issues.
Ensure that students have a clear understanding of a forest and its
components before discussing the impact of upgrading to a single- or
multiple-forest environment.
Remind students that directory-aware applications store information in the
Configuration container that applies forest wide. For example, Active
Directory stores information about the physical network in the
Configuration container and uses the information to guide the creation of
replication connections between domain controllers. The schema defines the
objects that can be created in the forest. Remind students that the cost of
adding a forest includes added domain and hardware maintenance,
maintenance of multiple schemas and configuration containers, explicit trust
maintenance if users require inter-forest access to resources, and end-user
training to locate inter-domain resources.
Explain the need for validating the site design against current environment
and migration goals, and how to resolve any conflicts that arise. Ensure that
students have a clear understanding of sites and how upgrading affects site
implementation (and vice versa). Emphasize that Active Directory–aware
clients use sites to locate the closest domain controller for logon
authentication, resource authorization, and global catalog searches. Explain
that the site-link cost values determine the path that replication will take
through your network.
Make sure that students understand that during the upgrade, there are
essentially two environments to support, administratively. The upgrade plan
must define how Active Directory will be administered during the upgrade
and how the old administrative model will be phased out.
While upgrade preserves permissions and security principals, domain
upgrade can compromise security because transitive trusts allow
administrators more freedom than one-way trusts allow. The upgrade plan
should define transition measures and procedures to protect group
membership and resource access.
• Planning a Domain Upgrade
This section describes the steps for planning the upgrade from Microsoft
Windows NT® version 4.0 to Active Directory.
During this section, students may have many questions about the impact an
upgrade has on network services. Tell them that the next module covers this
information and defer their questions until then.
Begin by introducing the upgrade planning process and then show the video
of Microsoft’s upgrade of their largest domain. The video demonstrates the
ease of performing a domain upgrade, provided that proper planning has
been done. As the video demonstrates, the only issue Microsoft encountered
during upgrade was with accounts that were defined in a secondary
application’s information store. Tell your students that this problem can be
avoided if they follow the recommendations to document user accounts and
information stores.
Explain the upgrade paths for computers running earlier versions of the
Microsoft Windows® operating system.
Make sure students understand all the components of creating a recovery
plan that allows them to roll back to the pre-upgraded Windows NT domain.
Next, describe the guidelines for choosing the order of upgrading domains.
Make sure students understand that any domain can be upgraded first, and
subsequent domains can be upgraded in any order. If the domain hierarchy
defined in the Active Directory design does not dictate the order, many
other factors can help organizations determine the appropriate order.
Explain the order of upgrading domain controllers. Emphasize that the
primary domain controller (PDC) is always the first domain controller to be
upgraded. If an organization wishes to upgrade a computer designated as a backup
domain controller (BDC) first, they must promote the BDC to the role of
PDC first. You may wish to explain the upgrade process detailed in this
section and include a brief explanation of the operations master roles that
each upgraded PDC will, by default, be assigned. Make sure students
understand that most computer and domain configurations are preserved
during the upgrade. Remind students that Active Directory requires an
NTFS file system partition. Also remind them that the Domain Name
System (DNS) namespace planning is a part of developing the Active
Directory design, and at least one DNS server is required to complete Active
Directory installation. Tell students that the manner in which BDCs are
upgraded is the same as in PDCs.
Explain the difference between mixed mode and native mode operations,
emphasizing that the mode in which a domain runs does not affect client
functionality. Switching to native mode does not require client computers to
run Windows 2000. A native mode domain can consist of a mixed
environment of many types of client operating systems. Help students
understand the reasons why an organization might choose to stay in mixed
mode, but encourage them to switch to native mode—the final Windows
2000 operational state—as soon as possible to realize the full benefit of
Active Directory. Using the table in the student notes, discuss the Windows
2000 Server features available in mixed mode, and those available only by
switching to native mode.


Overview
Slide: Introduction to Developing a Domain Upgrade Strategy; Analyzing an Active Directory Design; Planning a Domain Upgrade


Upgrading a Microsoft® Windows NT® version 4.0 domain infrastructure to
Microsoft Windows® 2000 allows an organization to take advantage of
Windows 2000 features, such as improved security, easier management, and
improved administration. Your upgrade strategy will vary depending on your
migration goals, current network environment, and your Microsoft Active
Directory directory service design goals. This module explains how to analyze
your Active Directory design goals and provides a step-by-step methodology
for creating an upgrade strategy.
At the end of this module, you will be able to:
• Examine the Active Directory design of an organization.
• Plan a domain upgrade to Active Directory.


Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about analyzing the Active Directory design goals and developing an upgrade strategy from Windows NT 4.0 to Windows 2000 Active Directory.


Introduction to Developing a Domain Upgrade Strategy
Slide: Determine an Active Directory Design; Plan a Domain Upgrade; Domain Upgrade


Domain upgrade can be gradual and performed without interrupting production
operations. Upgrading is a process designed to maintain as much of your
current environment as possible, and it accomplishes the following:
• Maintains the existing Windows NT 4.0 domain model.
• Maintains access to Windows NT domains by using existing Windows NT
downlevel trust relationships.
• Maintains user account passwords so that users log on to the same account
domain by using the same password.
• Maintains compatibility with Windows NT domain controllers and servers.

The Active Directory design, completed prior to migration planning, is the goal
of a domain upgrade. Before you can develop an upgrade plan, the Active
Directory design must be examined to identify the goals for the future
infrastructure. The goals must be incorporated into the upgrade strategy to
ensure alignment of the Active Directory vision and upgrade goals, to ensure
the desired Active Directory infrastructure will be achieved, and to prevent
deployment conflicts.
Slide Objective: To provide an introduction to developing a domain upgrade strategy.
Lead-in: After you have considered the overall issues involving your domain migration and created a plan for resolving any problems that arise, you can begin planning for a domain upgrade.
Provide a summary of what a domain upgrade is and what it accomplishes. Give an overview of the upgrade planning process.



Analyzing an Active Directory Design
Slide: Single vs. Multiple Forest; Site Design (Site X, Site Y, Site Z); Administration and Security Plans (Computers, Users, Domain)


During the initial stages of developing a migration strategy, you identified your
business and migration goals. If the outcome of this process led you to decide
that upgrading your Windows NT 4.0 domain model is the preferred approach
to achieving the infrastructure in your Active Directory design, you need to
examine the proposed Active Directory structure to:
• Determine whether the design proposes a single-forest or a multiple-forest
environment, and whether the design will solve any administrative issues.
• Examine the site design to identify and address any issues that may present
barriers to upgrading your domain model, and ensure that it does not impact
your ability to meet your migration goals.
• Examine the administration and security plans to determine when to make
the new features available in the upgraded environment so that the upgrade
process is not disrupted, the order in which the features will be deployed,
and what must be validated in the test environment.


During an upgrade, it is critical to protect the business and migration goals in a
way that ensures the successful deployment of the Active Directory design.
Slide Objective: To introduce the considerations when analyzing an Active Directory design.
Lead-in: A thorough assessment of Active Directory design involves examining forest and site design, and security and administration plans.
Explain the need for analyzing the Active Directory design and what it involves.
Key Points: Emphasize that the Active Directory design is re-examined because it is the goal of an upgrade.


Single Versus Multiple Forests
Slide: Upgrading to a Single Forest (Simple to Create; Unified View of Directory); Upgrading to a Multiple Forest (Requires Additional Configuration and Administration; Needs Careful Examination)


One of the first tasks in analyzing the Active Directory design is to determine
whether there is a need for a single forest or multiple forests.
Upgrading to a Single-Forest Environment
A single-forest environment is simplest to create and maintain in an upgrade
migration scenario. The first domain that is upgraded becomes the Active
Directory forest root. As additional domains are upgraded to the forest, no
additional trust configuration is required. Because a global catalog is used to
present users with a unified view, users do not need to be aware of the Active
Directory hierarchy.
Upgrading to a Multiple-Forest Environment
Because forests have shared elements, such as schemas, it is necessary for all
the administrators of a forest to agree on the content and administration of those
shared elements.
Organizations may require multiple forests in the upgraded environment to:
• Prevent cross-divisional administration. For example, some organizations
with distinct divisions may require a decentralized administrative model,
which completely separates the administrators of each division.
• Accommodate the differences in the way administrators want to manage the
forest-wide Active Directory components. For example, if administrators
disagree on how to manage the schemas or forest-wide group membership,
multiple forests may be defined.
• Restrict resource access and resource assignment provided by transitive
trusts. Within a forest, default transitive trusts between domains allow
resource permissions to be assigned to users from any domain in the forest.
Between forests, the absence of default trusts prevents domain
administrators from assigning resource permissions to security principals
outside their forests.
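
The change in trust reach that a forest design brings can be worked out before the upgrade. The following Python sketch is an added example, not part of the original course material; the domain names, the trust list and the two candidate forest layouts are constructed sample data. It models Windows NT 4.0 trusts as explicit one-way pairs, treats every pair of domains in the same forest as mutually trusted, and reports which permission assignments become possible only after the upgrade and which existing access would need an explicit inter-forest trust.

```python
from itertools import permutations

# Constructed sample data: explicit Windows NT 4.0 trusts, written as
# (trusting resource domain, trusted account domain). Each trust is one-way
# and non-transitive, so only the listed pairs allow permission assignment.
NT4_TRUSTS = {
    ("RES-SALES", "ACCOUNTS"),
    ("RES-ENG", "ACCOUNTS"),
    ("RES-HR", "HR-ACCOUNTS"),
    ("RES-HR", "ACCOUNTS"),
}

# Hypothetical target designs: domain name -> forest it is upgraded into.
SINGLE_FOREST = {
    d: "corp"
    for d in ("ACCOUNTS", "HR-ACCOUNTS", "RES-SALES", "RES-ENG", "RES-HR")
}
TWO_FORESTS = {
    "ACCOUNTS": "corp", "RES-SALES": "corp", "RES-ENG": "corp",
    "HR-ACCOUNTS": "hr", "RES-HR": "hr",
}


def check_domains(nt4_trusts, forest_of):
    """Refuse to compare if a trust names a domain the design does not place."""
    unknown = {d for pair in nt4_trusts for d in pair} - set(forest_of)
    if unknown:
        raise ValueError(f"domains missing from design: {sorted(unknown)}")


def forest_access(forest_of, explicit_trusts=()):
    """(resource domain, account domain) pairs usable after the upgrade.

    Inside a forest every ordered pair of domains is linked by the default
    transitive trusts; between forests only explicit trusts count.
    """
    pairs = {
        (res, acct)
        for res, acct in permutations(forest_of, 2)
        if forest_of[res] == forest_of[acct]
    }
    return pairs | set(explicit_trusts)


def new_exposure(nt4_trusts, forest_of, explicit_trusts=()):
    """Pairs where permissions can be assigned only after the upgrade."""
    check_domains(nt4_trusts, forest_of)
    return sorted(forest_access(forest_of, explicit_trusts) - set(nt4_trusts))


def lost_access(nt4_trusts, forest_of, explicit_trusts=()):
    """Existing trust pairs that the design no longer provides by default."""
    check_domains(nt4_trusts, forest_of)
    return sorted(set(nt4_trusts) - forest_access(forest_of, explicit_trusts))


def report(name, forest_of):
    """Print the review list for one candidate design."""
    print(f"== {name} ==")
    for res, acct in new_exposure(NT4_TRUSTS, forest_of):
        print(f"  new:  {res} can now grant access to principals from {acct}")
    for res, acct in lost_access(NT4_TRUSTS, forest_of):
        print(f"  lost: {res} -> {acct} needs an explicit inter-forest trust")


if __name__ == "__main__":
    report("single forest", SINGLE_FOREST)
    report("two forests", TWO_FORESTS)
```

The "new" pairs are the ones the upgrade plan's transition measures for group membership and resource access have to cover; the "lost" pairs are the explicit trusts a multiple-forest design has to maintain.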

Slide Objective: To explain the considerations in determining a forest design.
Lead-in: A single-forest environment is simplest to create in an upgrade scenario. Upgrading to multiple forests, by contrast, is more complicated and requires careful examination.
Discuss the impact of upgrading to single- and multiple-forest environments.


Upgrading to a multiple-forest environment is more complex because it requires
planning multiple-forest root and child domain hierarchies. While Information
Technology (IT) concerns and needs should be addressed in the Active
Directory design and migration goals, those issues should not obscure or
outweigh the needs of the business it supports.
• Users stand to lose the most from a multiple-forest environment. They will
not have a single, consistent view of the Active Directory hierarchy, and
accessing resources across forests must be manually configured. These
issues add risk to an upgrade and can lead to unpredictable results when
measuring the success of a migration.


Important: Carefully consider the long-term impact of a multiple-forest upgrade
before deployment. If the forests need to be merged in the future, restructuring
is the only way to move domains and domain objects between forests.


Site Design
Slide: Comparing the Site Design to the Current Environment; Comparing the Site Design to Migration Goals; Preventing Site Design Conflicts


An important part of analyzing an Active Directory design is to examine the
site design to identify and address any issues that may present barriers to
upgrading your domain model, and ensure that the design does not impact your
ability to meet your migration goals.
The sequence of implementing sites and upgrading domains can also have a
significant impact on the logon and replication traffic during an upgrade.
Comparing the Site Design to the Current Environment
By comparing the proposed site design with the information gathered about the
current environment, you validate the design and identify opportunities to
proactively address issues that may present barriers to performing domain
upgrades, such as:
• Proposed site link costs that would saturate a wide area network (WAN)
connection with domain-upgrade-related replication traffic and affect access
to key business applications during hours of peak usage.
• Presence or planned implementation of site-aware applications, such as
Microsoft Exchange Server 2000 and Distributed file system (Dfs).
• Insufficient number of current domain controllers in each key site, which
may require the installation of additional domain controllers during the
upgrade to provide fault tolerance.

If circumstances in the current network environment prevent the site design
from being successfully implemented during your upgrade, it is important to
resolve these issues before beginning your upgrade to avoid migration setbacks
or delays.
Slide Objective: To explain the considerations in determining a site design.
Lead-in: Examine the site design to identify and address any issues that may present barriers to upgrading your domain model, and ensure that the design does not impact your ability to meet your migration goals.
Explain the need for validating the site design against current environment and migration goals and how to resolve any conflicts that arise.


Comparing the Site Design to Migration Goals
Compare the proposed site design to the migration goals to ensure that the
design does not impact your ability to meet the migration goals and proactively
resolve any inconsistencies you discover, for example:
• If one of the migration goals is to ensure high availability of data stored in
Active Directory during and after migration, but your site design places only
one domain controller in a site.
• If one of the business goals is to maintain worldwide availability of an
inventory database, but your site design proposes a replication schedule
within a site that conflicts with peak usage on a WAN link required to
access the application.
• If a business goal is to complete migration in nine months, but the site
topology design will require installation of 10 new high-speed WAN
connections requiring 12 months of negotiation, permits, and installation.

Preventing Site Design Conflicts
Conflict between the site design and migration goals represents considerable
risk to the migration project and must be resolved before an upgrade begins.
You can prevent conflicts by ensuring that:
• There is a business need for the proposed site design.
• The business need is reflected in the migration goals.
• The Active Directory design goals align with the migration goals.


Note: For more information on planning site topology design, see course
1561B, Designing a Microsoft Windows 2000 Directory Services
Infrastructure.

Note: For information on how to control logon and replication traffic during the
upgrade, see module 4, “Minimizing the Impact on Network Operations During
an Upgrade,” in course 2010A, Designing a Microsoft Windows 2000
Migration Strategy.


Administration and Security Plans
Slide: Administrative Plan; Security Plan



Your Active Directory design is likely to require the adoption of many of the
new Windows 2000 security and administrative features. Examine your existing
security and administrative strategies to decide when to make new features
available in the upgraded environment, in what order they will be deployed
without disrupting the upgrade process, and what must be validated in the test
environment. Make these decisions in a manner that ensures that the Active
Directory design goals and migration goals are met.
The Administrative Plan
An Active Directory design that includes the adoption of new administrative
features available in Active Directory may prompt Information Technology (IT)
to reorganize its IT culture to better serve the needs of the business. Any IT
reorganization should be planned ahead of time and applied in a way that allows
IT to keep focused on the upgrade without disruption.
If your Active Directory design defines new administrative functions made
available by Active Directory that must be implemented, your upgrade plan
should:
• Reflect the administrative features that will be adopted and when they will
be implemented during the upgrade process.
• Define a process to transition to the new administrative model as the
upgrade proceeds. This interim administrative model should, at a minimum,
identify who is managing what during the upgrade.

Note: Prior to beginning an upgrade, validate the proposed administrative plan
by testing, in a lab environment, the Active Directory design for the
organizational unit (OU) hierarchy, delegation of administration, and Group
Policy deployment, to ensure that the implementation of these features causes
them to complement and support one another in a way that meets the migration
goals.


Slide Objective: To explain the planning steps to be added to the upgrade plan when determining the administration and security plans of the Active Directory design.
Lead-in: Examine your existing security and administrative plans to decide when to make new features available in the upgraded environment, and in what order they will be deployed without disrupting the upgrade process.

Note: For more information on planning a migration test, see The Windows
2000 Server Deployment Planning Guide.

The Security Plan
If your Active Directory design defines new security features made available by
Active Directory that must be implemented, verify that your upgrade plan:
• Reflects which security features will be implemented during the domain
upgrade.
• Defines a process for implementing security features that maintains
acceptable levels of security during the upgrade and that does not delay the
migration.

When verifying your security plan during the earlier stages of migration
planning, you may discover security gaps, outdated policies, or redundancies.
Be sure, when comparing the existing security infrastructure with the features
proposed by the Active Directory design, that you resolve these issues in a way
that does not disrupt the upgrade process.

Note: For more information on designing a security plan, see course 2150A,
Designing a Secure Microsoft Windows 2000 Network. For more information
on Active Directory security and administration features, see course 1561B,
Designing a Microsoft Windows 2000 Directory Services Infrastructure.


Planning a Domain Upgrade
Slide: 1. Determine an upgrade path; 2. Develop a recovery plan; 3. Determine the order for upgrading domains; 4. Determine a strategy for upgrading domain controllers; 5. Determine when to switch to native mode; 6. Identify post-upgrade tasks


To ensure a successful domain upgrade, you must carefully plan the upgrade
from Windows NT 4.0 to Active Directory. When planning
an upgrade, you need to perform the following steps:
1. Determine if your current operating system can be upgraded directly to
Windows 2000.
2. Develop a recovery plan that will prevent accidental data loss during
upgrade. This will ensure that you can roll back to the original
configuration.
3. Determine the order for upgrading domains. Your choice depends on your
overall upgrade goals. For example, if an existing domain is to become the
forest root, you must upgrade that domain first. The DNS domain names in
use in your organization and the names defined in the Active Directory
design may also impact the sequence of domain upgrades.
4. Determine your strategy for upgrading domain controllers. For example,
after the PDC is upgraded, you may wish to upgrade the BDCs running
applications.
5. Determine when to switch to native mode to take advantage of all Active
Directory features.
6. Identify post-upgrade tasks, such as optimizing memory settings, or
reviewing the Event Viewer.


Note: For more information on the upgrade of the Redmond domain at
Microsoft, see the video on the Student Materials compact disc.

Slide Objective: To introduce the steps for planning an upgrade.
Lead-in: When you plan and prepare for a domain upgrade, you help ensure that the new environment works properly and that the chosen structure satisfies the business requirements of your organization.
Delivery Tip: Show the video of Microsoft's upgrade of the Redmond domain after introducing the upgrade planning process. The video can be found on the Trainer Materials compact disc.
The video demonstrates how easily an upgrade can be performed when adequate planning is done.
Explain the steps for planning an upgrade.


Determining an Upgrade Path
Slide (diagram of upgrade paths): Domain Controllers (PDC or BDC, Windows NT 3.51 or 4.0; Windows NT 3.1 or 3.5; Windows NT 3.51 or 4.0; Domain Controller, Windows 2000); Member Servers (Member Server, Windows NT 3.51 or 4.0; Member Server, Windows 2000; optional Domain Controller, Windows 2000)

When planning your upgrade, you must determine if your current operating
system can be upgraded directly to Windows 2000. The following table lists the
currently supported upgrade paths.


Operating system                        Upgrade to            Upgrade to Windows 2000
                                        Windows 2000 Server   Advanced Server

Windows NT 3.1                          No                    No
Windows NT 3.1 Advanced Server          No                    No
Windows NT 3.51 Workstation             Yes                   No
Windows NT 3.51 Server                  No                    Yes
Windows 98 and Windows 95               Yes                   No
Windows NT 4.0 Workstation              No                    No
Windows NT 4.0 Server                   Yes                   Yes
Windows NT 4.0 Server Enterprise Edition  No                  Yes

If you find that a direct upgrade of your operating system is not supported, you
must perform an interim upgrade to an operating system that is supported, such
as Windows NT 3.51 or Windows NT 4.0. You must reflect any intermediate
upgrade steps in your migration plan.

Important: It is strongly recommended that the latest service pack be
installed on Windows NT 3.51 and 4.0 Server prior to upgrade.

Note: Windows NT 4.0 BDCs can be upgraded to join a Windows 2000 forest
as a member server.

Slide Objective: To determine the operating system upgrade paths to
Windows 2000 Server.

Lead-in: An important consideration in planning your upgrade to
Windows 2000 will be the operating systems you have already deployed in
your enterprise, and whether it is possible to upgrade them directly to
Windows 2000.

Use the illustration on the slide to explain the upgrade paths for
computers running earlier versions of the Windows operating system.


Developing a Recovery Plan

[Slide diagram: Domain Controller, Applications, Data, Backup]

Slide:
1. Add a BDC to a domain containing a single domain controller
2. Document the configuration of services and applications running on the
PDC and BDCs
3. Back up services and applications to tape
4. Fully synchronize all BDCs with the PDC
5. Take one fully synchronized BDC offline
6. Keep this BDC offline and available until after migration


It is important that you develop a recovery plan to prevent accidental data loss
during upgrade. This plan should include details of how you will back up
domain controllers, applications, and other data before and during the upgrade.
To ensure that a domain can be rolled back to its pre-upgrade state, your
recovery plan should, at a minimum, include the following steps:
1. Add a BDC to any Windows NT domain that contains only a single domain
controller. By doing this, you ensure that the domain does not become
orphaned if the PDC upgrade fails.
2. Document the configuration of any services and applications running on the
PDC and the BDCs of a domain targeted for an upgrade, such as file and
print services, DHCP, or DNS.
3. Back up all services and applications to tape, and then test the backup tapes
by performing a restoration.
4. Use Windows NT Server Manager to fully synchronize all BDCs with the
PDC to ensure the Security Accounts Manager (SAM) database is fully up-
to-date.
5. Take one fully synchronized BDC offline before any upgrades are
performed to preserve the security principals that reside in the SAM
database of the Windows NT 4.0 domain.
6. After the upgrade is finished, keep the BDC online and make it available.

Slide Objective: To explain the steps to develop a recovery plan.

Lead-in: Before you upgrade, you must prepare a rollback strategy to
ensure that you can recover from any upgrade problems.

Explain the steps that the recovery plan should include and emphasize
that these are the minimum steps recommended for an upgrade recovery plan.


If any problems arise during migration, you can remove all computers running
Windows 2000 from the production environment, promote the offline BDC to a
PDC, and then bring the BDC back into your network. This new PDC will
replicate its data to any remaining Windows NT 4.0 BDCs, returning the
domain to its previous state.

Important: Periodically turn on the protected BDC during the upgrade process
while the domain is still in mixed mode to update its directory information.
Otherwise all changes made to the SAM while the BDC was offline will be lost.


Determining the Order for Upgrading Domains

Slide:
Upgrading Account Domains
• Domains where you have easiest access to the domain controllers
• The smallest domain first
• Domains that will contain objects from restructured domains
Upgrading Resource Domains
• Domains in which applications require Windows 2000 features
• Domains with many workstations
• Domains that will contain objects from restructured domains

[Slide diagram. Upgrading an Existing Domain as the Forest Root: nwtraders
(Windows NT 4.0 domain), nwtraders.com. Using a Dedicated Domain as Forest
Root: Contoso.com; europe and asia (Windows NT 4.0 domains),
europe.contoso.com and asia.contoso.com.]


After you have created a recovery plan, your next step is to determine which
domain to upgrade first, and the upgrade order of subsequent domains.

Defining the Forest Root
The first domain created in Active Directory is the starting point, or root, of the
Active Directory. All other domains are derived from this initial domain.
Examine the Active Directory design to determine if the forest root requires:
• Using a dedicated domain as the forest root. If your Active Directory design
requires a dedicated forest root, your upgrade plan must include steps for
creating an additional, dedicated domain to serve solely as the forest root.
The creation of this domain needs to occur before any actual upgrades are
performed.
• Upgrading an existing domain to the forest root. If the Active Directory
design does not define a dedicated domain, an existing Windows NT 4.0
domain can be upgraded as the forest root.

Upgrading Account Domains

As a general rule, you will get the most benefit from upgrading your account
domains first because there are usually more user accounts to administer than
computer accounts. By first upgrading account domains to Windows 2000, you
will realize an immediate benefit from:
• Improved scalability of Active Directory. Many organizations are pushing
the upper bounds of the recommended SAM size with their existing
numbers of user and group accounts.
• Delegated user administration. The ability to precisely control
administrative capabilities.

Slide Objective: To provide the guidelines for choosing the order for
upgrading domains.

Lead-in: The next step in your planning process is to determine which
domain to upgrade first, and the upgrade order of subsequent domains.

Use the slide to explain the guidelines for choosing the order for
upgrading domains.


If there is more than one account domain, the following guidelines should help
you choose the order in which to upgrade them:

• Physical access. Though you will have tested your upgrade strategy in a lab,
or through a pilot test, the first live upgrade will be the riskiest because it
directly impacts the production environment. To mitigate risk, you should
upgrade domains where you have the easiest physical access to the domain
controllers.
• Mitigate risks and disruption. If there is more than one account domain to
upgrade, you may wish to upgrade the smallest first so that you minimize
disruption to the most possible users, particularly while you are gaining
experience with the process.
• Targets of account domain restructure. If you are planning to restructure
some domains, upgrade the domains that will contain objects from
restructured domains early in the process. You cannot consolidate domains
into a target that does not exist.

Upgrading Resource Domains
If you have more than one resource domain, the following guidelines should
help you choose the order in which to upgrade them:
• Domains in which applications require Windows 2000 features. First, you
should upgrade domains where you are deploying applications that demand
Windows 2000 infrastructure or features, such as the Active Directory
required by Microsoft Exchange 2000.
• Domains with many workstations. Next, you should upgrade domains with
many workstations, so that you can take advantage of Windows 2000
infrastructure such as Microsoft IntelliMirror.
• Targets for resource domain restructure. Just as with account domains, if
you are planning a restructure of your domains, upgrade domains that will
contain objects from restructured domains early on. You cannot consolidate
domains into a target that does not exist.


Determining a Strategy for Upgrading Domain Controllers

Slide:
Upgrading the PDC
• PDC is the first domain controller to be upgraded
• Upgrading the PDC establishes the forest root domain
• Existing security principals and their properties are maintained during
upgrade
Upgrading BDCs
• BDCs can be upgraded in any order
• Applications running on BDCs should be compatible with Windows 2000

In any domain, the PDC is always the first to be upgraded to
Windows 2000 Server. Later, the BDCs can generally be upgraded in any order,
until all domain controllers are running Windows 2000 Server.

Upgrading the PDC
After the operating system upgrade of a PDC, the Active Directory Installation
wizard automatically starts and requires that you choose to join an existing
domain, tree, or forest, or create a new domain, tree, or forest. When upgrading
the PDC to create a new Windows 2000 domain, you are also required to define
the DNS name of the domain.

Important: You must not randomly choose the DNS name of a new domain.
The Active Directory design defines the DNS namespace that should be used
when creating Windows 2000 domains. For more information on designing a
DNS infrastructure for Active Directory, see course 1561B, Designing a
Microsoft Windows 2000 Directory Services Infrastructure.

Tip: If you do not want the existing PDC to be upgraded first, you can select
and promote a more desirable BDC. This demotes the original PDC.

Running the Active Directory Installation wizard installs all the necessary
components on the domain controller, such as the directory data store and the
Kerberos version 5 protocol used in authentication. Upgrading preserves
existing user, group, and computer accounts by copying the existing SAM
security principals from the registry to the new data store. Existing Windows
NT built-in groups are placed into the built-in container, whereas global and
local groups are placed in the Users container. When the PDC of a child domain
is upgraded to create a new domain, transitive trust relationships are
automatically established to the parent domain during the Active Directory
installation.

Slide Objective: To explain the order of upgrading domain controllers.

Lead-in: The basic procedure for a Windows NT 4.0 domain migration is to
first upgrade the PDC of the domain and then the BDCs.

Explain the order for upgrading domain controllers.

Key Points: Emphasize that the PDC is always the first domain controller
to be upgraded.

See module 4, "Minimizing the Impact on Network Operations During an
Upgrade," in course 2010A, Designing a Microsoft Windows 2000 Migration
Strategy, for information on the impact that an upgrade has on network
services (such as DNS) and applications. How one responds to the prompts in
the Active Directory installation wizard depends on whether the domain
being upgraded is the first domain in the forest or a child domain.

Emphasize that existing security principals and their properties are
maintained during upgrade.


Upgrading the first PDC establishes the forest root domain. This computer, by
default, assumes the roles of schema operations master and domain naming
master for the forest. All PDCs that are upgraded assume the role of PDC
emulator, relative identifier (RID) master, and infrastructure master for the
domain in which they reside.

Important: For information on planning the placement of Operations Master
roles in your forest, see course 1561B, Designing a Microsoft Windows 2000
Directory Services Infrastructure.

After the PDC upgrade, the Windows 2000 domain controller uses the Active
Directory data store, which is compatible with any remaining Windows NT
backup domain controllers. The upgraded Windows 2000 domain controller can
synchronize security principal changes to remaining Windows NT 4.0 BDCs.

Note: For more information on Active Directory system requirements, such as
DNS and NTFS, and preparing a server for Active Directory installation, see
course 1560B, Updating Support Skills from Microsoft Windows NT 4.0 to
Microsoft Windows 2000.

Upgrading BDCs
The next stage in the upgrade process is to upgrade Windows NT BDCs to
Windows 2000 Server and Active Directory. BDCs can generally be upgraded
in any order, although it’s important to ensure that applications running on
BDCs are compatible with Windows 2000. You may choose to move
incompatible applications to a member server so that the domain can be fully
upgraded, or you may choose to not upgrade the BDC. Network services that
run on BDCs may also affect the decisions you make regarding BDC upgrade
sequence.


Determining When to Switch to Native Mode

[Slide diagram of domain states. PDC not upgraded: Windows NT domain.
PDC upgraded but not all BDCs upgraded: mixed mode domain. PDC and all BDCs
upgraded, native mode switch not yet set: mixed mode domain. PDC and BDCs
upgraded, native mode switch set: native mode domain.]


Once all domain controllers have been upgraded, you can leave the domain
operating in mixed mode indefinitely; or, you can move it to the final
operational state known as the native mode, which increases functionality and
eases the further consolidation of domains. Understanding your current
environment, your migration goals, and the advantages of native mode will help
you determine when to switch to native mode.

Remaining in Mixed Mode
Organizations may choose to remain in mixed mode to accommodate
applications running on Windows NT 4.0 BDCs that are not compatible with
Windows 2000, or to maintain the ability to return to Windows NT 4.0. Some
companies may also choose to delay native mode until the physical security of
BDCs can be ensured after upgrade, when updates can be made at any domain
controller.
A domain is considered to be in mixed mode when one of the following
conditions exists:
• The PDC has been upgraded but not all BDCs have been upgraded.
• The PDC and all BDCs have all been upgraded but the native mode switch
has not been set. Until you decide to switch the domain to native mode, the
domain remains in mixed mode even if all the BDCs have been upgraded.

Note: For more information on software compatibility with Windows 2000, go
to:

Slide Objective: To show the difference between a mixed mode domain and a
native mode domain.

Lead-in: After you upgrade all of the domain controllers in the domain, you
can switch them to native mode so that they can take full advantage of
Windows 2000 functionality.

Explain the difference between mixed mode and native mode.

Ensure that students do not confuse mixed mode with operating in a mixed
environment.

Explain the reasons why an organization might choose to stay in mixed mode.

Discuss the Windows 2000 Server features available in mixed mode, and those
available only by switching to native mode. Refer to the table in the
student notes for supporting details.



Important: When adding a new Windows NT 4.0 BDC to a Windows 2000
mixed mode domain, the computer account must be pre-created. This can be
accomplished using the NETDOM utility, found on the Windows 2000 Server
CD-ROM.

Switching to Native Mode
After you have upgraded all domain controllers to Windows 2000 Server, you
can then choose to move the domain to native mode. Native mode is the final
operational state of a Windows 2000 Server domain, and is manually enabled
by setting a switch in Active Directory Domains and Trusts. While this mode
enables a user to take full advantage of all Windows 2000 Server features, it is
important to plan its implementation carefully because Windows NT 4.0
domain controllers cannot be added to a native mode Windows 2000 Server
domain.
Several things happen when you switch to native mode:
• Domain controllers no longer support downlevel NTLM replication.
The domain controller that is emulating the PDC operations master cannot
synchronize data with a Windows NT BDC.
• Windows NT domain controllers cannot be added to the domain.

Important: After you switch the domain to native mode, it cannot be returned
to mixed mode.

The following table summarizes the Windows 2000 Server features available in
mixed mode, and those available only by switching to native mode. If you are
not sure whether to switch the domain to native mode, review your migration
goals to determine whether remaining in mixed mode compromises your goals,
or if the trade-offs are acceptable.

Feature                        Available in mixed mode?

Kerberos version 5             Yes, but only for clients that support the protocol, such
authentication                 as Windows 2000 Professional and Server.
Active Directory               Yes, but cannot be administered from Windows NT
organizational units (OUs)     4.0 servers.
Active Directory security      Only global and local security groups available.
groups                         Universal and domain local groups and nesting of groups
                               are only available in native mode.
IntelliMirror                  Yes, but only for client computers running
                               Windows 2000 Professional or Server.
Microsoft Windows Installer    Yes.
Active Directory scalability   Yes, but only when all BDCs have been upgraded and
                               are running Active Directory.
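The sequencing rules in this module (hold one synchronized BDC offline, upgrade the PDC first, pre-create accounts for Windows NT BDCs added in mixed mode, and treat the native mode switch as one-way) can be checked against a draft upgrade plan before anything is touched. The following Python model is an added example, not part of the course material; `Domain`, `UpgradeError`, `run_plan` and the computer names are hypothetical, and making the held-back BDC a precondition of the PDC upgrade is this example's modelling choice.

```python
from dataclasses import dataclass, field

class UpgradeError(Exception):
    """A requested step breaks one of the upgrade rules stated in the text."""

@dataclass
class Domain:
    pdc: str                                    # Windows NT PDC
    nt_bdcs: set = field(default_factory=set)   # online Windows NT BDCs
    w2k_dcs: set = field(default_factory=set)   # DCs already on Windows 2000
    held_bdc: str = ""                          # synchronized BDC kept offline
    native: bool = False                        # native mode switch

    def mode(self):
        if self.native:
            return "native"
        # Mixed from the PDC upgrade until the switch is set, even with all BDCs done.
        return "mixed" if self.pdc in self.w2k_dcs else "windows-nt"

    def hold_bdc_offline(self, dc):
        if self.w2k_dcs or dc not in self.nt_bdcs:
            raise UpgradeError("hold back an existing BDC before any upgrade")
        self.nt_bdcs.remove(dc)
        self.held_bdc = dc

    def upgrade(self, dc):
        if dc == self.pdc and dc not in self.w2k_dcs:
            if not self.held_bdc:
                raise UpgradeError("no synchronized BDC held offline for rollback")
        elif dc in self.nt_bdcs:
            if self.pdc not in self.w2k_dcs:
                raise UpgradeError("the PDC is always upgraded first")
            self.nt_bdcs.remove(dc)
        else:
            raise UpgradeError(f"{dc} is not a Windows NT domain controller here")
        self.w2k_dcs.add(dc)

    def add_nt_bdc(self, dc, account_precreated=False):
        if self.native:
            raise UpgradeError("native mode: Windows NT DCs cannot be added")
        if self.mode() == "mixed" and not account_precreated:
            raise UpgradeError("mixed mode: pre-create the computer account")
        self.nt_bdcs.add(dc)

    def switch_to_native(self):
        if self.mode() != "mixed" or self.nt_bdcs:
            raise UpgradeError("upgrade all domain controllers first")
        self.native = True  # one-way: the model has no switch back to mixed

    def can_roll_back(self):
        # Rollback means promoting the held BDC to PDC, possible only before native.
        return bool(self.held_bdc) and not self.native

def run_plan(domain, steps):
    """Apply (method, *args) steps; return the mode after each, or the refusal."""
    log = []
    for method, *args in steps:
        try:
            getattr(domain, method)(*args)
            log.append(domain.mode())
        except UpgradeError as err:
            log.append(f"refused: {err}")
    return log
```

Feeding a plan such as `[("hold_bdc_offline", "BDC2"), ("upgrade", "PDC1"), ("switch_to_native",)]` to `run_plan` shows the native switch refused while a Windows NT BDC is still online, and `can_roll_back()` turning false once the switch is set.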