Contents

Overview 1
Introduction to Domain Restructuring 2
Understanding Domain Security 3
Inter-Forest Restructuring 5
Cloning Security Principals in an Inter-Forest Scenario 10
Intra-Forest Restructuring 16
Domain Restructure Tools 26
Lab A: Performing Inter-Forest Domain Restructuring 32
Review 58

Module 5: Restructuring
Domains



Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.


© 2000 Microsoft Corporation. All rights reserved.

Microsoft, MS, Windows, Windows NT, Active Directory, and Windows 2000 are either
registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

The names of companies, products, people, characters, and/or data mentioned herein are fictitious
and are in no way intended to represent any real individual, company, product, or event, unless
otherwise noted.

Other product and company names mentioned herein may be the trademarks of their respective
owners.

Project Lead/Instructional Designer:
Sangeeta Garg (NIIT (USA) Inc.)

Lead Program Manager:
Angie Fultz
Instructional Designer:
Robert Deupree (S&T OnSite)
Subject Matter Expert:
Brian Komar (3947018 Manitoba Inc)
Technical Contributors:
John Pritchard, Greg Parsons, David Cross, Rodney Fournier, Tony de
Freitas, Christoph Felix, Shaun Hayes, Megan Camp, Richard Maring, Glenn Pittaway, Anne
Hopkins, Bob Heath, Jeff Newfeld, Jim Glynn, Paul Thompson (Mission Critical Software, Inc.),
David Stern, Lyle Curry, Steve Tate, Bill Wade (Wadeware LLC).
Testing Leads:
Sid Benavente, Keith Cotton
Testing Developer:
Greg Stemp (S&T Onsite)
Testers:
Testing Testing 123
Instructional Design Consultants:
Susan Greenberg, Paul Howard
Instructional Design Contributor:
Kathleen Norton

Graphic Artist:
Kirsten Larson (S&T OnSite)
Editing Manager:
Lynette Skinner
Editors:
Marilyn McCune (Sole Proprietor), Wendy Cleary (S&T OnSite), Jane Ellen Combelic
(S&T OnSite)

Copy Editor:
Shawn Jackson (S&T Consulting)

Online Program Manager:
Debbi Conger
Online Publications Manager:
Arlo Emerson (Aditi)
Online Support:
Eric Brandt (S&T Onsite)
Multimedia Development:
Kelly Renner (Entex)

Courseware Testing:
Data Dimensions, Inc.
Production Support:
Lori Walker (S&T Consulting)
Manufacturing Manager:
Rick Terek (S&T Onsite)
Manufacturing Support:
Laura King (S&T Onsite)
Lead Product Manager, Development Services:
Bo Galford

Lead Product Managers:
Dean Murray, Ken Rosen
Group Product Manager:
Robert Stewart



Module 5: Restructuring Domains iii


Instructor Notes
This module provides students with knowledge and ability to restructure
domains.
At the end of this module, students will be able to:
• Describe the components of domain security and resource access.
• Describe inter-forest restructure scenarios.
• Examine the implications of inter-forest restructuring on security principals.
• Describe intra-forest restructure scenarios.
• Examine the implications of intra-forest restructuring on security principals.
• Describe and compare the various domain restructure tools.

Materials and Preparation
This section provides you with the required materials and preparation tasks that
are needed to teach this module.
Required Materials
To teach this module, you need the following materials:
• Microsoft® PowerPoint® file 2010A_05.ppt
• Module 5, “Restructuring Domains”

Preparation Tasks
To prepare for this module, you should:
• Read all of the materials for this module.
• Complete the lab.
• Read all of the delivery tips.
• Read the white paper, Planning Migration from Microsoft Windows NT to
Microsoft Windows 2000, on the Student Materials compact disc.
• Read chapter 9, “Planning the Active Directory Structure,” of the Windows
2000 Server Deployment Planning Guide on the Student Materials compact
disc.
• Read chapter 10, “Determining Domain Migration Strategies,” of the
Windows 2000 Server Deployment Planning Guide on the Student Materials
compact disc.
• Read the Microsoft Excel spreadsheet, Migration Tool Comparison, on the
Student Materials compact disc.

Presentation: 60 Minutes
Lab: 90 Minutes


Module Strategy
Use the following strategy to present this module:
• Introduction to Domain Restructuring

The module begins with a summary of what a domain restructure is. Give a
brief explanation of what inter-forest and intra-forest restructuring are and
when students can perform them. In your introduction, you may want to
review the reasons why an organization might choose domain restructure
and the benefits of this migration path.
• Understanding Domain Security
Explain what a security identifier (SID) is.
Students may ask what credentials are required for logon authentication. A
user provides the system with the following set of credentials: the user
name, the domain to be logged on to, and a password (or smart card).
Remind students that discretionary access control lists (DACLs) exist on
files, shares, the registry, and Active Directory directory service objects.
Emphasize that the authorization process is automatic and transparent to
users.
Students may ask what the difference is between SIDs, relative identifiers
(RIDs), object identifiers, and globally unique identifiers (GUIDs). Be
prepared to define these terms for them.
Explain sIDHistory.
Emphasize that sIDHistory is not known to cause any performance
problems by making the access token larger, but that it is still good practice
to remove unwanted sIDHistory values when the original domain is
decommissioned. This is discussed later in this module.
• Inter-Forest Restructuring
Describe the inter-forest restructure scenarios. Provide enough detail so that
students understand the difference between restructuring an account and a
resource domain. Mention that restructuring between two Microsoft
Windows® 2000 forests would occur in corporate merger situations, but that
such a scenario is outside the scope of this course.
Emphasize that in an inter-forest scenario, user, global, and shared local
group accounts are cloned by using the ClonePrincipal utility or the Active
Directory Migration Tool (ADMT), while computer accounts are moved by
using Netdom or the ADMT.
Explain the requirements and restrictions that apply for inter-forest
restructuring. The lab takes students through each of the steps in preparing
the environment for restructuring.
• Cloning Security Principals
On each page, explain the process and implications of cloning users, global
and universal groups, computers and local group accounts, and local groups
on domain controllers. Students may find this section more interesting if
you use the ADMT to demonstrate cloning operations for each type of
security principal.

• Intra-Forest Restructuring
Describe the intra-forest restructure scenarios. Make sure that students
understand that objects are moved between domains of the same forest.
Objects cannot be cloned in this scenario.
Explain the requirements for intra-forest restructuring. Intra-forest
restructuring is not covered in the hands-on lab, and you will not be able to
demonstrate these operations.
• Moving Security Principals
Explain the implications of using closed sets to move users and global
groups, domain local groups, computers and local accounts, and domain
controllers. Computers, local accounts, and domain controllers are moved in
the same way in an intra-forest scenario as they are in an inter-forest
scenario.
Emphasize that moving a security principal between domains has the effect
of changing the security principal’s SID, just as cloning an account does.
• Domain Restructure Tools
Describe and compare the tools for domain restructuring.
This section is an overview of the migration tools that Microsoft provides.
The characteristics and functionality of each tool differ widely. Encourage
students to thoroughly investigate and test each tool prior to beginning their
migrations.
Students may have questions about the details and specific functionality of
each tool. Tell them that they can refer to the migration tools comparison
table on the Student Materials compact disc. Be sure also to point students
to the Help files, where they can obtain additional information on the tools.
Consider demonstrating the ADMT interface, showing the list of wizards
available.
You may want to mention third-party migration tools that Microsoft
endorses, which can be found on the Microsoft Web site.



Overview

• Introduction to Domain Restructuring
• Understanding Domain Security
• Inter-Forest Restructuring
• Cloning Security Principals in an Inter-Forest Scenario
• Intra-Forest Restructuring
• Moving Security Principals
• Domain Restructure Tools


Domain restructuring implies a redesign of the existing domain environment
and is usually undertaken because the existing model is outdated or no longer
supports business needs.
The purpose of this module is to explain how to restructure domains and to
discuss the implications that restructuring domains has on security principals.
The module also explains some restructure scenarios that facilitate the
movement of users and resources from a Microsoft® Windows NT® version 4.0
source domain to a Microsoft Windows® 2000 target domain, or from a
Windows 2000 domain in one forest to a Windows 2000 domain in another
forest. The remainder of this module describes the various tools that assist you
in restructuring your domains during migration.
At the end of this module, you will be able to:
• Describe the components of domain security and resource access.
• Describe inter-forest restructure scenarios.
• Examine the implications of inter-forest restructuring on security principals.
• Describe intra-forest restructure scenarios.
• Examine the implications of intra-forest restructuring on security principals.
• Describe and compare the various domain restructure tools.

Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about: the implications of restructuring on security principals, restructuring scenarios, requirements and steps for migrating security principals and resources, and restructure tools.


Introduction to Domain Restructuring

• Domain Restructuring Allows You to Redesign the Forest According to the Needs of Your Organization
• Domain Restructuring Can Involve:
  • Inter-forest copy operations
  • Intra-forest move operations


Where domain upgrade maintains the existing domain structure, domain
restructuring as a migration path allows you to redesign the domain
environment according to the needs of your organization.
Domain restructuring can involve inter-forest copy operations or intra-forest
move operations. In inter-forest restructuring, security principals are copied
from a Windows NT 4.0 domain to a Windows 2000 domain, or from a
Windows 2000 domain in one forest to a Windows 2000 domain in another
forest. Intra-forest restructuring involves moving security principals from one
Windows 2000 domain to another in the same forest.

Note: There are specific issues with restructuring security principals from a
Windows NT 3.51 domain. For more information, refer to the white paper,
Planning Migration from Windows NT to Windows 2000, which is located on
the Student Materials compact disc.

Slide Objective: To provide an introduction to restructuring domains.
Lead-in: Domain restructuring as a migration path allows you to redesign the forest according to the needs of your organization.
Key Points: Windows NT version 3.51 domain restructuring is outside the scope of this course, but students may have questions about the issues involved in such a scenario. Encourage students to read the white paper, Planning Migration from Microsoft Windows NT to Microsoft Windows 2000, on the Student Materials compact disc.
Domain restructuring allows an organization to redesign the domain environment.
Domain restructuring may involve copying or moving security principals.


Understanding Domain Security

[Slide figure: two access tokens and an ACL. Each access token lists User: S-1-5-21-397955417-626881126-188441444-2812048 and Groups: S-1-5-21-645522239-1957994488-725345543-1108, S-1-5-21-397955417-626881126-188441444-101018, S-1-5-21-645522239-1957994488-725345543-1109, ...; callouts mark the user’s primary SID, the sIDHistory of the user, and the SIDs of groups to which the user belongs. The ACL on the source shared folder reads: Allow R W S-1-5-21-645522239-1957994488-725345543-1108. Caption: sIDHistory grants access for moved user.]


Windows NT 4.0 and Windows 2000 domain security depends on security
identifiers (SIDs). SIDs are domain-specific identifiers that the operating
system uses to distinguish security principals, such as users, groups, and
computers. While the user interface displays security principals as names, the
operating system maps these names to SIDs for logon authentication,
permissions assignment, and resource authorization.
When logging on, authenticating users present to the system a set of credentials,
including their display user names. If the credentials match those that the
system has on record, the user is authenticated and granted an access token. The
access token is a key that enables access to network resources. It consists of a
list of SIDs that identify the user and the groups of which he or she is a
member, in addition to the various system rights granted to the user.
Discretionary access control lists (DACLs), which administrators use to define
access permissions on resources, contain user and group SIDs and the access
permissions granted to each security principal. When a user attempts to access a
resource, his or her access token (granted at logon), together with the type of
access requested (read, write, and so on), is compared with the SIDs in the
DACL of the resource being requested. If the SIDs match, the user is granted
the permissions defined in the DACL.

Resolving SIDs After Restructuring
SIDs are specific to domains. The only way to move or copy a security
principal between domains is to create a new object in the target domain.
Creating a new security principal in the target domain assigns a new SID to the
object. Prior to Windows 2000, granting resource access to the new security
principal required searching the source domain and trusting domains looking
for references to the old SID, and then adding the new SID to resource DACLs.
Slide Objective: To describe some components that control domain security and resource access.
Lead-in: When moving security principals into Active Directory, one critical concern is the effect that this move has on domain security and access to resources.
Define SIDs and explain how they are referenced in access tokens for logon authentication and resource authorization.
Key Points: Explain that migrating a security principal creates, in the target domain, a new object that is assigned a new SID.
Explain that the new sIDHistory attribute for Windows 2000 security principals allows users migrated to Windows 2000 to retain access to resources in the source environment.



A Windows 2000 Active Directory directory service attribute called
sIDHistory makes this situation considerably easier. sIDHistory is an attribute
of security principal objects that is used to store the former SIDs of restructured
security principals. The sIDHistory value ensures that appropriate access is
granted after restructuring, even on systems that predate Windows 2000 or
Active Directory.
The sIDHistory attribute of a migrated object is updated with its former SID as
part of the migration operation. When the user logs on to the system with a
migrated account, the system retrieves the user’s primary SID and the entries in
the user’s sIDHistory and adds them to the user’s access token. Because groups
are security principals with a sIDHistory attribute, the sIDHistory of all the
groups of which the user is a member is also added to the user’s access token
when he or she logs on.

Important: The value of the sIDHistory attribute can be populated only in
native-mode Windows 2000 domains, which has the effect of requiring all
migration operations relying on sIDHistory to have a native-mode target
domain for restructure.
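The token-building and DACL comparison described above, as an added example that is not part of the course module (Python written for this page, not Windows code): it models how a migrated user's primary SID, the user's sIDHistory and the SIDs and sIDHistory of the user's groups are collected into a token and compared with an ACL that still names source-domain SIDs, alongside the pre-Windows 2000 re-ACL approach and the sIDHistory clean-up the instructor notes recommend once the source domain is decommissioned. All SIDs are constructed sample values (the two domain identifiers are taken from the slide above), the Principal and Ace types and every function name are this example's own, and the DACL evaluation is deliberately simplified (allow and deny entries only, no inheritance, no canonical ordering).

```python
"""Added example (not from the course module): how sIDHistory entries reach an
access token and why an ACL that still names a source-domain SID keeps granting
access after migration. All SIDs are constructed sample values."""

from dataclasses import dataclass, field

SOURCE_DOMAIN = "S-1-5-21-645522239-1957994488-725345543"  # source domain identifier (sample)
TARGET_DOMAIN = "S-1-5-21-397955417-626881126-188441444"   # native-mode target domain (sample)


@dataclass
class Principal:
    """A user or group object as stored in the target domain."""
    name: str
    sid: str                                         # primary SID, assigned on creation in the target
    sid_history: list = field(default_factory=list)  # former SIDs written by the migration tool
    member_of: list = field(default_factory=list)    # names of target-domain groups


@dataclass
class Ace:
    kind: str          # "allow" or "deny"
    sid: str
    rights: frozenset  # e.g. frozenset({"R", "W"})


def build_access_token(user, directory):
    """SIDs placed in the logon token: the user's primary SID and sIDHistory, plus
    the primary SID and sIDHistory of every group the user belongs to."""
    token = {user.sid, *user.sid_history}
    for group_name in user.member_of:
        group = directory[group_name]
        token.add(group.sid)
        token.update(group.sid_history)
    return token


def check_access(token, dacl, requested):
    """Simplified DACL evaluation: a matching deny ACE covering any requested right
    refuses access; rights from matching allow ACEs accumulate, and access is
    granted once every requested right is covered."""
    granted = set()
    for ace in dacl:
        if ace.sid not in token:
            continue
        if ace.kind == "deny" and ace.rights & requested:
            return False
        if ace.kind == "allow":
            granted |= ace.rights
    return requested <= granted


def re_acl(dacl, old_sid, new_sid):
    """The pre-Windows 2000 approach the text describes: find ACEs that reference
    the old SID and add an equivalent ACE for the new SID."""
    extra = [Ace(a.kind, new_sid, a.rights) for a in dacl if a.sid == old_sid]
    return dacl + extra


def strip_sid_history(directory):
    """Clean-up once the source domain is decommissioned: drop the former SIDs so
    tokens no longer carry identifiers of a domain that no longer exists."""
    for principal in directory.values():
        principal.sid_history.clear()


def sample_directory():
    """Constructed target-domain contents after cloning (sample data)."""
    sales = Principal("Sales", TARGET_DOMAIN + "-101018", sid_history=[SOURCE_DOMAIN + "-1109"])
    alice = Principal("alice", TARGET_DOMAIN + "-2812048",
                      sid_history=[SOURCE_DOMAIN + "-1108"], member_of=["Sales"])
    bob = Principal("bob", TARGET_DOMAIN + "-2812049", member_of=["Sales"])  # created in target, no history
    return {"Sales": sales, "alice": alice, "bob": bob}


# DACLs on two shared folders in the source environment, untouched by the migration.
USER_SHARE_DACL = [Ace("allow", SOURCE_DOMAIN + "-1108", frozenset({"R", "W"}))]  # names alice's old SID
SALES_SHARE_DACL = [Ace("allow", SOURCE_DOMAIN + "-1109", frozenset({"R"}))]      # names the old Sales SID


def demo():
    """Run the scenarios and return their outcomes as a dict."""
    directory = sample_directory()
    alice_token = build_access_token(directory["alice"], directory)
    bob_token = build_access_token(directory["bob"], directory)
    results = {
        # alice's former SID is in her token, so the untouched ACE still matches
        "alice_user_share": check_access(alice_token, USER_SHARE_DACL, {"R", "W"}),
        # bob never had a source account and the ACE names alice's old SID only
        "bob_user_share": check_access(bob_token, USER_SHARE_DACL, {"R"}),
        # bob reaches the Sales share through the group's sIDHistory
        "bob_sales_share": check_access(bob_token, SALES_SHARE_DACL, {"R"}),
    }
    # Without sIDHistory the administrator would have had to re-ACL each resource.
    fixed = re_acl(USER_SHARE_DACL, SOURCE_DOMAIN + "-1108", directory["alice"].sid)
    results["re_acl_with_new_sid_only"] = check_access({directory["alice"].sid}, fixed, {"R", "W"})
    # After the source domain is decommissioned, history is removed and old ACEs stop matching.
    strip_sid_history(directory)
    alice_token = build_access_token(directory["alice"], directory)
    results["alice_after_cleanup"] = check_access(alice_token, USER_SHARE_DACL, {"R"})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The bob case is the one worth noticing from a defender's side: a user who never existed in the source domain still matches source-domain ACLs through the sIDHistory of a group, which is why the instructor notes recommend removing sIDHistory values once the original domain is gone.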


Inter-Forest Restructuring

• Inter-Forest Restructure Scenarios
• Requirements for Inter-Forest Restructuring
• Restrictions for Inter-Forest Restructuring


Inter-forest restructuring is a migration path that involves copying accounts
from a Windows NT 4.0 domain to a Windows 2000 domain, or from a
Windows 2000 domain in one forest to a Windows 2000 domain in another
forest.
Inter-forest restructuring is sometimes referred to as prune and graft, a more
complex migration scenario used to relocate security principals between two
Windows 2000 forests in cases of corporate mergers or acquisitions.
Slide Objective: To define inter-forest restructuring.
Lead-in: Inter-forest restructuring is used to migrate a Windows NT 4.0 domain environment to a Windows 2000 forest.
Define inter-forest restructuring and the scenarios that it encompasses.


Inter-Forest Restructure Scenarios

[Slide figure: three panels titled Restructuring a Windows NT 4.0 Account Domain, Restructuring a Windows NT 4.0 Resource Domain, and Restructuring Between Two Windows 2000 Forests; the diagrams show a source Account Domain and a source Resource Domain being migrated into a Target OU structure.]


The inter-forest restructure scenarios include Windows NT or Windows 2000 to
Windows 2000 account migration, and Windows NT or Windows 2000 to
Windows 2000 resource migration.
Restructuring a Windows NT 4.0 Account Domain
Restructuring a Windows NT 4.0 account domain involves incrementally
copying users and groups from a Windows NT 4.0 account domain to a parallel
Windows 2000 Active Directory environment. This environment operates in
tandem with the existing Windows NT 4.0 network and reflects the forest
proposed by the Active Directory design.
In this scenario, Windows NT 4.0 user, global, and shared local group accounts
are copied from the source domain to the pristine environment. While this
migration path is more expensive because of the hardware requirements of
creating a duplicate environment, it ensures that you can recover from problems
during migration because the original accounts remain untouched during the
process. This scenario can also preserve existing security until cloned account
access is fully tested by migrating the sIDHistory. After the users and groups
have all been copied to Active Directory, the environment has been tested, and
the new accounts are in use, the Windows NT 4.0 domain can be
decommissioned.
Restructuring a Windows NT 4.0 Resource Domain
An inter-forest scenario may also involve restructuring resources. Collapsing a
Windows NT 4.0 resource domain into an organizational unit (OU) in a
destination Windows 2000 domain reduces the number of domains and the
administrative cost of managing trust relationships.
In this scenario, a combination of copying and moving techniques is used to
restructure the resource domain. Computer accounts for workstations and
member servers are moved or copied to the destination domain. Shared local
groups residing on a Windows NT 4.0 domain controller must also be cloned to
the target domain.
Slide Objective: To describe the inter-forest restructure scenarios.
Lead-in: The inter-forest restructure scenarios include Windows NT or Windows 2000 to Windows 2000 account migration, and Windows NT or Windows 2000 to Windows 2000 resource migration.
Use the slide to discuss the three inter-forest restructure scenarios, providing an overview of the steps in each scenario’s migration process. Mention that migration tools facilitate each step in the process.
Delivery Tip: Do not spend too much time explaining the specifics of the tools at this point. This will be covered in more detail later in the module.


You can redeploy Windows NT 4.0 domain controllers to the target domain by:
• Upgrading to Windows 2000 Server, whereupon they can join the Active
Directory forest as a member server or domain controller, or
• Demoting to a member server, which requires reinstalling Windows NT 4.0.
Then the member server account can be moved to the Active Directory
forest.

After all accounts have been migrated and resource servers have joined the
forest, you can completely decommission the Windows NT 4.0 resource
domain.
Restructuring Between Two Windows 2000 Forests
You may use inter-forest restructuring to cut the accounts and resources from
one Active Directory forest and paste them into another; perhaps a pilot forest
to a production environment, for example, or the forests of two separate
organizations. In this scenario, users, groups, computers, and resources are
migrated to a target domain in an Active Directory forest. Domain controllers
can be demoted out of the source domain and promoted to domain replicas in
the target forest.


Important: You cannot truly combine forests because there is currently no way
to merge the schemas of separate Active Directory forests.


Requirements for Inter-Forest Restructuring

• Target Domain Must Be a Native Mode Windows 2000 Domain
• Source Domain Controller Must Have the Following Registry Entry:
  HKEY_LOCAL_MACHINE | System | CurrentControlSet | Control | Lsa
  TcpipClientSupport:REG_DWORD:0X1
• User Performing the Restructure Must Have Administrator Privileges in the Source and Target Domains
• Auditing Must Be Enabled on Both Source and Target Domains
• A Local Group Must Be Created in the Source Domain


Because cloning is a security-sensitive operation, the following must be in place
before using the migration tools to perform inter-forest restructuring:
• The target domain must be a native-mode Windows 2000 domain if
sIDHistory will be migrated.
• The source domain controller’s registry must contain the following
non-default registry entry:
HKEY_LOCAL_MACHINE | System | CurrentControlSet | Control | Lsa
TcpipClientSupport: REG_DWORD:0X1

Important: Be sure to restart after making this change to the server.

• The user performing the restructure operation must be a member of Domain
Admins in the target domain and have administrative privileges in the
source and target domains.
• Account auditing must be enabled on both the source and target domains.
For a Windows NT 4.0 domain, success and failure Group Management
auditing must be enabled on the primary domain controller (PDC). For a
Windows 2000 domain, Audit account management must be enabled on the
Default Domain Controllers Policy.
• A local group, sourcedomainname$$$, must be created in the source
domain; for example, Contoso$$$. This group is used for auditing and must
be empty.

Slide Objective: To explain the requirements for performing an inter-forest restructuring.
Lead-in: Because cloning is a security-sensitive operation, you must prepare an appropriate environment before performing inter-forest restructuring.
Explain the requirements for performing an inter-forest restructuring.
Delivery Tip: In the lab, students will follow each of the steps required to prepare the target and source domains for restructuring.


Restrictions for Inter-Forest Restructuring

• Source Domain Controller Must Be PDC or PDC Emulator of Windows 2000 Domain
• Source Domain Must Not Be in Same Forest as Target Domain
• Source Object Must Be a User or Security-Enabled Group
• SID of the Source Object Must Not Already Exist in Target Forest
• Tools Must Be Run on Target Domain Controller


Some of the restrictions that apply when performing an inter-forest
restructuring are:
• The source domain controller must be the PDC (Windows NT 4.0) or PDC
Emulator of a Windows 2000 native- or mixed-mode domain.
• The source domain must not be in the same forest as the target domain.
• The source object must be a user account or security-enabled group.
• The SID of the source object must not already exist in the target forest,
either as a primary account SID or in the sIDHistory of an account.

Important: Certain objects, such as built-in groups and accounts that have
well-known SIDs or well-known relative identifiers (RIDs), cannot be
migrated. For details on these accounts, see the white paper, Planning
Migration from Microsoft Windows NT to Microsoft Windows 2000, on the
Student Materials compact disc.

• The migration tools must be run on the target domain controller. Physical
access to the target computer is required unless Windows Terminal Services
is used to run the tools remotely.

Slide Objective: To explain what restrictions apply when performing an inter-forest restructuring.
Lead-in: Several restrictions apply when performing an inter-forest restructuring.
Use the slide to discuss each of the rules that must be followed when performing inter-forest restructuring.
Delivery Tip: If students ask what security-enabled groups are, explain that these include global groups, Windows 2000 domain local groups, and Windows NT 4.0 shared local groups.
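A pre-flight check that applies the per-object restrictions listed on this page (source object must be a user or security-enabled group, well-known RIDs cannot be migrated, the source SID must not already exist in the target forest as a primary SID or in an sIDHistory value, and source and target must be in different forests), added here as an example that is not part of the course module and not the behaviour of ADMT or ClonePrincipal. The target-forest inventory and the batch of source objects are constructed sample data; treating every RID below 1000 as well-known is an assumption made for this example; the SourceObject type and the function names are this example's own.

```python
"""Added example (not from the course module): a pre-flight check that applies the
per-object restrictions for inter-forest cloning to a batch of source objects.
Everything here is constructed sample data; nothing talks to a real directory."""

from dataclasses import dataclass

SOURCE_DOMAIN = "S-1-5-21-645522239-1957994488-725345543"  # sample source domain identifier
TARGET_DOMAIN = "S-1-5-21-397955417-626881126-188441444"   # sample target domain identifier

# Accounts with well-known RIDs (Administrator 500, Guest 501, Domain Admins 512,
# Domain Users 513, ...) cannot be migrated. Assumption for this example: treat
# every RID below 1000, the reserved range, as well-known.
WELL_KNOWN_RID_LIMIT = 1000


@dataclass
class SourceObject:
    name: str
    sid: str
    object_type: str            # "user", "global group", "shared local group", "computer", ...
    security_enabled: bool = True


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain identifier, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def target_forest_sids(target_objects):
    """Every SID already present in the target forest: primary SIDs and sIDHistory values."""
    present = set()
    for obj in target_objects:
        present.add(obj["sid"])
        present.update(obj.get("sid_history", []))
    return present


def check_clone_candidate(obj, present_sids, same_forest=False):
    """Return the list of restriction violations; an empty list means the object may be cloned."""
    problems = []
    if same_forest:
        problems.append("source and target domains are in the same forest; cloning is inter-forest only")
    is_user = obj.object_type == "user"
    is_security_group = obj.object_type.endswith("group") and obj.security_enabled
    if not (is_user or is_security_group):
        problems.append(f"object type '{obj.object_type}' is not a user or security-enabled group")
    _, rid = split_sid(obj.sid)
    if rid < WELL_KNOWN_RID_LIMIT:
        problems.append(f"RID {rid} is well-known; built-in accounts cannot be migrated")
    if obj.sid in present_sids:
        problems.append("SID already exists in the target forest (as a primary SID or in sIDHistory)")
    return problems


def sample_target_forest():
    """Constructed inventory of the target forest after an earlier migration batch."""
    return [
        {"sid": TARGET_DOMAIN + "-2812048", "sid_history": [SOURCE_DOMAIN + "-1108"]},  # alice, cloned earlier
        {"sid": TARGET_DOMAIN + "-101018", "sid_history": [SOURCE_DOMAIN + "-1109"]},   # Sales, cloned earlier
    ]


def sample_batch():
    """Constructed source objects queued for cloning."""
    return [
        SourceObject("alice", SOURCE_DOMAIN + "-1108", "user"),                  # already cloned once
        SourceObject("carol", SOURCE_DOMAIN + "-1110", "user"),
        SourceObject("Administrator", SOURCE_DOMAIN + "-500", "user"),           # well-known RID
        SourceObject("Engineering", SOURCE_DOMAIN + "-1111", "global group"),
        SourceObject("Newsletter", SOURCE_DOMAIN + "-1112", "distribution group", security_enabled=False),
        SourceObject("WKS01$", SOURCE_DOMAIN + "-1113", "computer"),             # must be moved, not cloned
    ]


def plan_batch(batch, target_objects):
    """Map each source object name to its list of violations (empty = cleared to clone)."""
    present = target_forest_sids(target_objects)
    return {obj.name: check_clone_candidate(obj, present) for obj in batch}


if __name__ == "__main__":
    for name, problems in plan_batch(sample_batch(), sample_target_forest()).items():
        print(name, "->", "OK" if not problems else "; ".join(problems))
```

The SID-collision check deliberately looks at sIDHistory values as well as primary SIDs, because a second clone of an already-migrated object would otherwise place the same source SID on two accounts in the target forest.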


Cloning Security Principals in an Inter-Forest Scenario

• Cloning Users
• Cloning Global Groups
• Cloning Universal Groups
• Cloning Domain Local Groups
• Cloning Local Groups
• Moving Computer Accounts


Cloning, or copying security principals, is the most common inter-forest
migration operation. A clone is an account in a native-mode Windows 2000
domain containing properties that have been copied from a source account. The
source account may reside in a Windows NT 4.0 domain or a Windows 2000
domain in a separate forest.

Note: Cloning is not possible between domains in the same forest.

Although a clone has a different primary SID than the source account, the
sIDHistory attribute retains the SID of the source account. Populating the
sIDHistory attribute with the SID of a source account allows the clone the same
access to network resources available to the source account, provided that
appropriate trusts exist from the resource domains to the clone’s account
domain.
One advantage to cloning is that it does not disrupt the existing production
environment. Users are cloned to a parallel environment, allowing them to log
on by using their cloned account in Active Directory while maintaining the
ability to fall back to the source account from the production environment, if
necessary, until the target domain is decommissioned.

Note: Cloning is only possible between domains in different forests
(inter-forest). Moving objects while updating sIDHistory is only possible
between domains in the same Windows 2000 forest (intra-forest).

Slide Objective: To explain the implications of cloning users, global and universal groups, computers and local group accounts, and local groups on domain controllers.
Lead-in: A clone is an account in a native-mode Windows 2000 domain for which Windows NT 4.0 account properties and group memberships have been copied from a source account.
Define the term clone and its characteristics.
Describe the benefits of cloning.
Key Points: This section describes the ways that security principals are migrated in an inter-forest migration scenario.
Cloning is used to migrate security principals in an inter-forest restructure scenario.
Migrating the SID of an account is optional when using the ADMT.
Mention that ADMT and ClonePrincipal are used to clone security principals.


Cloning Users

• Cloned Users Are Automatically Made Members of Domain Users
• User’s Membership in Groups Is Automatically Restored


When you clone a user, you can add the SID of the original account to the target
account’s sIDHistory attribute to retain access to resources in the source
environment. Cloned users are automatically made members of Domain Users.
Global or universal groups of which the source account was a member are
restored in the target domain if those groups have been previously copied. If the
source groups are cloned after the user, the cloned user membership is restored
automatically at this time.
You use ClonePrincipal and the Active Directory Migration Tool (ADMT) to
clone user accounts for inter-forest restructuring.

When you clone user accounts with the ClonePrincipal utility, the source
accounts are automatically disabled. You can configure the ADMT to disable

either the source or target account.


Not all source account properties are copied during cloning operations.
For more information on the properties that are copied during migration, see the
white paper, Planning Migration from Microsoft Windows NT to Microsoft
Windows 2000, on the Student Materials compact disc.

Slide Objective: To explain the implications of cloning users.
Lead-in: Cloned users are automatically made members of Domain Users.
Key Points: Cloned users retain access to source resources through the sIDHistory attribute.
Cloned users become members of the target Domain Users group.
Users that are members of any groups will retain their membership after both the user and group accounts are cloned.
Delivery Tip: You may want to demonstrate cloning users with the ADMT.
Students may have questions about what properties are cloned with the user. When cloning users in the lab, they will see some of the properties that are migrated. For a complete list, refer them to the white paper mentioned on this page.


Cloning Global and Universal Groups

• Cloning Global and Universal Groups Populates the sIDHistory Value of the New Cloned Account
• Cloned Group Membership Is Automatically Restored to Reflect That of the Source Account


When cloning global or universal groups, the primary SID of the source group
is retained as the sIDHistory value of the new cloned account. The membership
of the target group is restored to reflect that of the source account if member
clone accounts exist. If the member accounts are cloned after the group,
membership is restored at that time. This is also true for nested groups when
cloning from a Windows 2000 source domain.
You use ClonePrincipal and the ADMT to clone group accounts for inter-forest
restructuring.

Tip: During the cloning operation, you can merge multiple source groups into a
single target group. When collapsing multiple Windows NT account domains
into the same Windows 2000 domain, this lets you combine the global groups of
the different source domains into one target group.
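The cloning semantics described above, as an added illustrative model (this is not Microsoft's code and not the ADMT or ClonePrincipal implementation; the domain SIDs, account names and the DACL are constructed for the example). It shows why a cloned user regains access to a source resource only once both the user and the group have been cloned, in either order, and how merging two source groups into one target group leaves two entries in that group's sIDHistory:

```python
"""Toy model of inter-forest cloning with sIDHistory (added example; not the
ADMT or ClonePrincipal implementation). Domain SIDs, account names and the
DACL below are constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class Principal:
    name: str
    sid: str                                         # primary SID in this domain
    sid_history: list = field(default_factory=list)  # SIDs carried over from source domains
    members: set = field(default_factory=set)        # member names (groups only)


class Domain:
    def __init__(self, name: str, domain_sid: str):
        self.name, self.domain_sid = name, domain_sid
        self.next_rid = 1000                         # RIDs below 1000 are well-known accounts
        self.principals: dict = {}

    def create(self, name: str, sid_history=()) -> Principal:
        p = Principal(name, f"{self.domain_sid}-{self.next_rid}", list(sid_history))
        self.next_rid += 1
        self.principals[name] = p
        return p


def clone(src: Domain, dst: Domain, name: str) -> Principal:
    """Clone a user or group from src into dst.

    The clone gets a fresh primary SID in dst and the source primary SID in its
    sIDHistory. If a target object of the same name already exists, the source
    SID is merged into its sIDHistory instead (several source groups -> one
    target group). Membership is restored for whichever side (group or member)
    has already been cloned, so the order of cloning does not matter."""
    src_obj = src.principals[name]
    if name in dst.principals:
        tgt = dst.principals[name]
        tgt.sid_history.append(src_obj.sid)
    else:
        tgt = dst.create(name, [src_obj.sid])
    # group cloned after some of its members: re-add the members that exist
    for member in src_obj.members:
        if member in dst.principals:
            tgt.members.add(member)
    # member cloned after its groups (also covers nested groups): re-add it
    for group in src.principals.values():
        if name in group.members and group.name in dst.principals:
            dst.principals[group.name].members.add(name)
    return tgt


def token_sids(dom: Domain, user: str) -> set:
    """Every SID the user's access token carries in dom: primary SID, sIDHistory,
    and the SIDs plus sIDHistory of each group containing the user, transitively."""
    obj = dom.principals[user]
    sids = {obj.sid, *obj.sid_history}
    pending, seen = [user], set()
    while pending:
        current = pending.pop()
        for group in dom.principals.values():
            if current in group.members and group.name not in seen:
                seen.add(group.name)
                sids.update([group.sid, *group.sid_history])
                pending.append(group.name)
    return sids


def access_allowed(dacl: dict, sids: set) -> bool:
    """Simplified access check: a resource whose DACL grants any SID in the
    token is accessible (deny ACEs and access masks are left out)."""
    return any(dacl.get(sid) == "allow" for sid in sids)


def demo() -> tuple:
    """User cloned before its group: access returns only once the group is cloned."""
    src = Domain("NTDOM", "S-1-5-21-111-222-333")
    dst = Domain("corp.example", "S-1-5-21-444-555-666")
    src.create("alice")
    src.create("Sales").members.add("alice")
    # a file server in the source domain grants the *source* Sales group SID
    dacl = {src.principals["Sales"].sid: "allow"}
    clone(src, dst, "alice")
    before = access_allowed(dacl, token_sids(dst, "alice"))   # False: group not cloned yet
    clone(src, dst, "Sales")
    after = access_allowed(dacl, token_sids(dst, "alice"))    # True, via the group's sIDHistory
    return before, after


def merge_demo() -> list:
    """Two source domains' Sales groups collapsed into one target group."""
    dst = Domain("corp.example", "S-1-5-21-444-555-666")
    for i, dom_sid in enumerate(["S-1-5-21-1-1-1", "S-1-5-21-2-2-2"]):
        src = Domain(f"NTDOM{i}", dom_sid)
        src.create("Sales")
        clone(src, dst, "Sales")
    return dst.principals["Sales"].sid_history


if __name__ == "__main__":
    print(demo(), merge_demo())
```

The access check is deliberately minimal (allow ACEs only); the point it makes is that the source resource's DACL is never touched, and access survives purely because the source SIDs travel with the clones in sIDHistory.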

Slide Objective: To explain the implications of cloning global and universal groups.
Lead-in: When cloning global or universal groups, the primary SID of the source group is retained as the sIDHistory value of the new cloned account.
Key Points: Cloning global and universal groups populates the sIDHistory value of the new cloned account. Group membership is restored after the group and its members are cloned.
Delivery Tip: In the lab, students will clone groups with and without their members to see how the membership is populated after cloning operations. You may want to demonstrate how groups are cloned using the ADMT.


Migrating Computers and Local Group Accounts

Local Groups on Moved Computers Are Unaffected by Migration
DACLs Referencing Local Groups Are Unaffected


In an inter-forest restructure scenario, workstation and member server computer
accounts are migrated to the target domain. Computer accounts are not cloned;
they must be moved to the target domain. You can do this remotely by moving
the account with the ADMT or Netdom migration tools, or you can manually
configure each computer to join the target domain.
Because local group accounts and their properties are part of the computer's
local Security Accounts Manager (SAM) database, they migrate with the
computer when it joins the target domain. Local groups are therefore unaffected
by migration, and their SIDs do not need to be changed.
Local groups provide access to resources on the computer on which they reside.
Permissions granted to local groups in resource DACLs on the moved computer
are maintained, and resource access continues to function, provided that the
appropriate trusts to the target domain exist.

Important: If local groups contain members from trusted domains, trusts must
exist between the target domain and every domain in which those members
reside.

Slide Objective: To explain the implications of migrating computers and local group accounts.
Lead-in: Local groups are only relative to the computer on which they reside and are migrated when the computer on which they reside is joined to the target domain.
Key Point: Computer accounts are not cloned. To migrate a computer, you must move its account by using a migration tool or manually configure it to join a different domain.
Delivery Tip: Because the classroom does not contain a member server or workstation, you cannot demonstrate moving computers.


Cloning Local Groups on Domain Controllers

The sIDHistory Attribute Is by Default Populated for Cloned Shared Local Groups
Shared Local Groups Are Converted to Domain Local Groups in the Target Domain


Shared local groups reside on Windows NT 4.0 PDCs and are shared between
the PDC and all backup domain controllers (BDCs) in the same domain. The
membership of this type of account can consist of accounts from any trusted
Windows NT or Windows 2000 domain.
When a shared local group is cloned, the primary SID of the source group is
retained as the sIDHistory of the new account, and a domain local group is
created in the target domain. Shared local groups are converted to domain local
groups when cloned because the target domain is in native mode.
To clone shared local groups, the ADMT is recommended because it is the
easiest and most comprehensive way to migrate local groups. The ADMT copies
the local group and populates its membership automatically if the member
accounts are migrated at the same time.

Important: Retaining membership in cloned shared local groups is more
complex when using ClonePrincipal, as opposed to using the ADMT. See the
Windows 2000 Support Tools Help files located in the support folder on the
Windows 2000 Server compact disc for more information.

To ensure that resource permissions granted to the cloned local group still
function, you must establish appropriate trusts. If the shared local group
contained members from trusted domains, you must establish a trust between
the target domain where the clone account resides and the domain where the
group members reside.

Note: The Netdom and ADMT utilities can assist in identifying and
establishing the appropriate trusts when cloning shared local groups.

Slide Objective: To explain the implications of cloning local groups on domain controllers.
Lead-in: The migration tools handle local group cloning differently.
Key Points: Define shared local group. It is easiest to clone shared local groups with the ADMT. To ensure that resource permissions assigned to local groups continue to grant access to resources in the source environment, you must establish appropriate trusts.


Moving Domain Controllers

To Move Windows NT 4.0 Domain Controllers:
• Upgrade the domain controller to Windows 2000 Server and then configure it to join the target domain
OR
• Reinstall the server as a Windows NT 4.0 member server and then configure it to join the target domain

To Move Windows 2000 Domain Controllers:
• Demote the domain controller to a member server
• Configure the server to join the target domain


Once you clone user, group, and computer accounts to the target domain, you
can migrate domain controllers. Domain controllers, like other computer
accounts, cannot be cloned in any migration scenario. Domain controllers must
be moved. Moving domain controllers is one of the final steps in inter-forest
domain restructuring and, in effect, decommissions the source domain.
If the domain controller is a Windows NT 4.0 PDC or BDC, there are two ways
to move the computer:
• Upgrade the domain controller to Windows 2000 Server. When the Active
Directory Installation wizard runs, you can configure the computer to join
the target domain.
• Reinstall the server as a Windows NT 4.0 member server, at which point the
server's computer account can be moved in the same way that other
computer accounts are moved. Once the server is a member of the target
domain, it can be maintained as a member server or be promoted as a replica
domain controller to support the target domain.

Caution: When upgrading domain controllers, you must always upgrade the
PDC first.


Tip: If you are moving a BDC that is also an application server and you choose
to reinstall it as a member server, make sure that all application data is
backed up before the reinstallation and then restored after the operating
system reinstallation is complete.



The only way to move a Windows 2000 domain controller is to demote it to a
member server. The member server can then join the target domain, or its
account can be moved by using the Netdom or ADMT utility in the same way
that other computer accounts are moved.
Slide Objective: To explain the requirements for moving domain controllers.
Lead-in: Moving domain controllers is one of the final steps in inter-forest domain restructuring and, in effect, decommissions the source domain.
Key Points: Domain controllers are moved, not cloned. To move a Windows NT 4.0 domain controller, you must either upgrade it to Windows 2000 or reinstall it as a Windows NT 4.0 member server. After you perform one of these steps, the server can join the target domain. To move a Windows 2000 domain controller, you must first demote it to a member server.


Intra-Forest Restructuring

Intra-Forest Restructuring Scenarios
Requirements for Intra-Forest Restructuring
Restrictions for Intra-Forest Restructuring


Intra-forest restructuring involves moving security principals between two
Windows 2000 domains in the same Active Directory forest. Intra-forest
restructuring is most common in two-phased migrations where organizations
choose to restructure after fully upgrading the existing Windows NT 4.0
domain model. Some organizations may also require intra-forest restructuring
to perform the more complex Active Directory redesigns required by a
corporate reorganization.
Slide Objective: To define intra-forest restructuring.
Lead-in: Intra-forest restructuring is done when accounts must be moved between domains in the same forest. Reasons for doing this might be: to carry out the second phase of an upgrade-then-restructure migration strategy, or to carry out a corporate reorganization. Mention the reasons why an organization might need to perform intra-forest restructuring.
Key Point: Intra-forest restructuring occurs between two Windows 2000 domains in the same forest.


Intra-Forest Restructuring Scenarios

(Slide graphic: Source domain and Target domain)


Over time, accounts may need to be moved between domains when a user
transfers from one division of an organization to another. Changes in business
needs may also drive more dramatic changes in the forest design (such as
merging domains to create a smaller Active Directory), prompting
postmigration intra-forest restructuring.
Moving is the only migration operation available in an intra-forest scenario.
Moving security principals between Windows 2000 domains carries a certain
amount of risk to the production environment and provides no fallback,
because a move operation deletes the source account.
Slide Objective: To describe an intra-forest restructure scenario.
Lead-in: Intra-forest restructuring involves moving security principals between two domains in the same Active Directory forest.
Key Point: Emphasize that moving security principals does not provide easy fallback because the source account is deleted during the move operation.
Delivery Tip: Demonstrating intra-forest migration operations is not possible with the default classroom setup.


Requirements for Intra-Forest Restructuring

Target Domain Must Be a Native Mode Windows 2000 Domain
Source Domain Controller Must Have the Following Registry Entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
TcpipClientSupport: REG_DWORD: 0x1
User Performing the Restructure Must Have Administrative Privileges on Source and Target Domains
Auditing Must Be Enabled in Both the Source and Target Domains


Because moving is a security-sensitive operation, the following must be in
place before performing intra-forest restructuring:
• The target domain must be a Windows 2000 native-mode domain.
• The source domain controller's registry must contain the following entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
TcpipClientSupport: REG_DWORD: 0x1
• The user performing the restructure operation must have administrative
privileges in the source and target domains.
• Auditing must be enabled in both the source and target domains.

Slide Objective: To explain the requirements for performing an intra-forest restructuring.
Lead-in: Because moving is a security-sensitive operation, you must prepare an appropriate environment before performing intra-forest restructuring. Explain the requirements for performing an intra-forest restructuring.


Restrictions for Intra-Forest Restructuring

Source Domain Must Be in Same Forest as Target Domain
Source Objects Must Be Users, Security-Enabled Groups, or Computers
Source Object Must Not Be a Built-In Account
SID of the Source Object Must Not Already Exist in Target Domain
Administrative Shares Must Exist on Computer Where the ADMT Is Executing


The restrictions that apply when performing an intra-forest restructuring are:
• The source domain must be a Windows 2000 domain in the same forest as the
target domain.
• Source objects must be user accounts, security-enabled groups, computers, or
organizational units.
„# Source object must not be a built-in account.

Note: Because built-in groups have well-known SIDs and RIDs, they
cannot be moved.

• The SID of the source object must not already exist in the target domain,
either as a primary account SID or in the sIDHistory of an account.
• Administrative shares must exist on the computer where the ADMT is
running and on any computer where the ADMT must install an agent.


Note: In intra-forest scenarios, you may run the migration tools on a target or
source domain controller.
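The restrictions above as a pre-flight check, written as an added example (this is not the ADMT's own validation logic). It parses SID strings, flags well-known and built-in SIDs and RIDs, and detects a source SID that already appears in the target domain either as a primary SID or in an sIDHistory value. The domain names, forest names and SIDs are constructed for the example; the administrative-share requirement is a host-level check and is not modelled:

```python
"""Pre-flight check for the intra-forest move restrictions (added example;
not the ADMT's own logic). Domain names, forest names and SIDs are
constructed for the example. The administrative-share requirement is a
host-level check and is not modelled here."""
import re

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")
MOVABLE_CLASSES = {"user", "securityGroup", "computer", "organizationalUnit"}


def parse_sid(sid: str) -> tuple:
    """Return (identifier authority, [sub-authorities]) or raise ValueError."""
    match = SID_RE.match(sid)
    if not match:
        raise ValueError(f"malformed SID: {sid}")
    return int(match.group(1)), [int(x) for x in match.group(2)[1:].split("-")]


def is_well_known(sid: str) -> bool:
    """True for SIDs that are not ordinary domain accounts: anything outside
    S-1-5-21-<domain> (Everyone, BUILTIN S-1-5-32-*, service SIDs, ...) and
    domain accounts with a RID below 1000 (Administrator = 500,
    Domain Admins = 512, Domain Users = 513, ...)."""
    authority, subs = parse_sid(sid)
    if authority != 5 or subs[:1] != [21]:
        return True
    return len(subs) == 5 and subs[-1] < 1000


def move_violations(obj: dict, source: dict, target: dict, target_objects: list) -> list:
    """obj: {"name", "sid", "class"}; source/target: {"name", "forest"};
    target_objects: objects already in the target domain, each with "sid" and
    an optional "sid_history" list. Returns the violated restrictions
    (an empty list means the object may be moved)."""
    problems = []
    if source["forest"] != target["forest"]:
        problems.append("source and target domains are not in the same forest")
    if obj["class"] not in MOVABLE_CLASSES:
        problems.append(f"object class {obj['class']} cannot be moved")
    if obj["class"] != "organizationalUnit":          # OUs are not security principals
        if is_well_known(obj["sid"]):
            problems.append("built-in account with a well-known SID or RID cannot be moved")
        taken = set()
        for existing in target_objects:
            taken.add(existing["sid"])
            taken.update(existing.get("sid_history", []))
        if obj["sid"] in taken:
            problems.append("SID already present in target domain (primary SID or sIDHistory)")
    return problems


def demo() -> tuple:
    """Three constructed candidates: a movable user, a user whose SID was
    already brought into the target via sIDHistory, and a built-in group."""
    source = {"name": "sales.corp.example", "forest": "corp.example"}
    target = {"name": "corp.example", "forest": "corp.example"}
    dom = "S-1-5-21-1111-2222-3333"                   # constructed source domain SID
    target_objects = [
        {"sid": "S-1-5-21-4444-5555-6666-1001", "sid_history": [f"{dom}-1105"]},
    ]
    alice = {"name": "alice", "sid": f"{dom}-1104", "class": "user"}
    bob = {"name": "bob", "sid": f"{dom}-1105", "class": "user"}
    admins = {"name": "Domain Admins", "sid": f"{dom}-512", "class": "securityGroup"}
    return tuple(move_violations(o, source, target, target_objects)
                 for o in (alice, bob, admins))


if __name__ == "__main__":
    for result in demo():
        print(result or "OK to move")
```

The SID-collision check is the one that matters most in practice: a SID that already exists in the target, even only inside another object's sIDHistory, would give two principals the same authorization identity, which is exactly what the restriction prevents.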

Slide Objective: To explain what restrictions apply when performing an intra-forest restructuring.
Lead-in: Several restrictions apply when performing an intra-forest restructuring. Use the slide to discuss each of the rules that must be followed when performing intra-forest restructuring.