#




&RQWHQWV##
#
2YHUYLHZ#4
#
,QWURGXFWLRQ#WR#'HYHORSLQJ#D#'RPDLQ##
5HVWUXFWXUH#6WUDWHJ\#5
#
,GHQWLI\LQJ#'RPDLQ#3UH05HVWUXFWXULQJ##
7DVNV#6
#
'HWHUPLQLQJ#WKH#2UGHU#RI#5HVWUXFWXULQJ##
:LWKLQ#D#'RPDLQ#4;
#
,GHQWLI\LQJ#'RPDLQ#3RVW05HVWUXFWXULQJ##
7DVNV#4<
#
/DE#$=#3ODQQLQJ#D#'RPDLQ#5HVWUXFWXUH#57
#
5HYLHZ#73
#
#
Module 6: Developing a
Domain Restructure
Strategy

#

Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.


2000 Microsoft Corporation. All rights reserved.

Microsoft, MS, Windows, Windows NT, Active Directory, and Windows 2000 are either
registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

The names of companies, products, people, characters, and/or data mentioned herein are fictitious
and are in no way intended to represent any real individual, company, product, or event, unless
otherwise noted.

Other product and company names mentioned herein may be the trademarks of their respective
owners.

Project Lead/Instructional Designer:
Sangeeta Garg (NIIT (USA) Inc.)
Lead Program Manager:

Angie Fultz
Instructional Designer:
Robert Deupree (S&T OnSite)
Subject Matter Expert
: Brian Komar (3947018 Manitoba Inc)
Technical Contributors:
John Pritchard, Greg Parsons, David Cross, Rodney Fournier, Tony de
Freitas, Christoph Felix, Shaun Hayes, Megan Camp, Richard Maring, Glenn Pittaway, Anne
Hopkins, Bob Heath, Jeff Newfeld, Jim Glynn, Paul Thompson (Mission Critical Software, Inc.),
David Stern, Lyle Curry, Steve Tate, Bill Wade (Wadeware LLC).
Testing Leads:

Sid Benavente, Keith Cotton
Testing Developer:
Greg Stemp (S&T Onsite)
Testers:
Testing Testing 123
Instructional Design Consultants:
Susan Greenberg, Paul Howard
Instructional Design Contributor:
Kathleen Norton

Graphic Artist:
Kirsten Larson (S&T OnSite)
Editing Manager:
Lynette Skinner
Editors:
Marilyn McCune (Sole Proprietor), Wendy Cleary (S&T OnSite), Jane Ellen Combelic
(S&T OnSite)
Copy Editor:

Shawn Jackson

(
S&T Consulting)

Online Program Manager:
Debbi Conger
Online Publications Manager:
Arlo Emerson (Aditi)
Online Support:
Eric Brandt (S&T Onsite)
Multimedia Development:
Kelly Renner (Entex)
Testing Leads:
Sid Benavente, Keith Cotton

Testing Developer:
Greg Stemp (S&T OnSite)

Courseware Testing:
Data Dimensions, Inc.
Production Support:
Lori Walker (S&T Consulting)
Manufacturing Manager:
Rick Terek (S&T Onsite)
Manufacturing Support:
Laura King (S&T Onsite)
Lead Product Manager, Development Services:
Bo Galford
Lead Product Managers:

Dean Murray, Ken Rosen
Group Product Manager:
Robert Stewart



# 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\##LLL#


,QVWUXFWRU#1RWHV#
This module provides students with the ability to successfully plan a restructure
strategy. The module provides a step-by-step methodology for creating a
restructure plan.
At the end of this module, students will be able to:
„# Identify and perform the domain pre-restructuring planning tasks.
„# Determine the order of moving objects in a restructuring.
„# Identify and perform the domain post-restructuring planning tasks.

Lab A, Planning a Domain Restructure, is a scenario-based planning lab. The
students review information on the current domain model, Domain Name
System (DNS) infrastructure, and proposed site topology. They will then use
this information to address design decisions when creating a restructure
strategy.
Students should work in small groups to complete this lab. If students are
reluctant to work together, consider leading the class through the first exercise,
encouraging discussion, and then have them work in teams for the remaining
exercises.
Each exercise maps to a step in the restructure planning process. Make sure that
students understand that the scenario at the beginning of the lab applies to all
exercises. The table of questions and answers in each exercise is additional

information that they may require to address the design decisions for that
exercise.
Be sure to save 15 minutes at the end of the lab to review their design decisions
and address any questions that they may have.
0DWHULDOV#DQG#3UHSDUDWLRQ#
This section provides you with the materials and preparation tasks that are
needed to teach this module.
5HTXLUHG#0DWHULDOV#
To teach this module, you need the following materials:
„# Microsoft
®
PowerPoint
®
file 2010A_06.ppt
„# Module 6, “Developing a Domain Restructure Strategy”

3UHSDUDWLRQ#7DVNV#
To prepare for this module, you should:
„# Read all of the materials for this module.
„# Read all of the delivery tips.
„# Complete the lab.
„# Read the technical white paper, Planning Migration from Microsoft
Windows NT to Microsoft Windows 2000, on the Student Materials compact
disc.
3UHVHQWDWLRQ=#
93#0LQXWHV#
#
/DE=#
93#0LQXWHV#
LY##0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\#



„# Read chapter 9, “Planning the Active Directory Structure,” of the Windows
2000 Server Deployment Planning Guide on the Student Materials compact
disc.
„# Read chapter 10, "Determining Domain Migration Strategies,” of the
Windows 2000 Server Deployment Planning Guide on the Student Materials
compact disc.
„# Read the Microsoft Excel spreadsheet, Migration Tool Comparison, on the
Student Materials compact disc.

0RGXOH#6WUDWHJ\#
Use the following strategy to present this module:
„# Introduction to Developing a Domain Restructure Strategy
Provide an overview of the restructure planning process. Use the slides and
delivery tips to emphasize the planning steps involved in creating a basic
domain restructure plan. Emphasize to students that if their migration path
involves first upgrading and then restructuring, they must create two plans:
one for the domains that will be upgraded, and one for the domains that will
be restructured.
Clarify for students that this module provides the foundational domain
restructure plan. Organizations will likely add steps to their restructure plans
based on the presence of specific services and applications in their
environments. Postpone discussion of how to plan for these until the next
module. Make the components of each planning step meaningful by relating
them to example scenarios or by describing the impact if the planning step is
not performed. Encourage interaction throughout the module by engaging
students in discussion or asking them how a planning step applies to their
environments or migration situations.
„# Identifying Domain Pre-Restructuring Tasks

Explain the components of the existing Microsoft Windows NT
®
version 4.0
domain structure that should be documented prior to migration. Remind
students that multiple resource domains are no longer needed to separate
administrative control. Delegation can provide the same functionality.
Multiple account domains are no longer needed to provide scalability
because there is no practical limit to the number of accounts that a domain
can hold.
Discuss the methods of restructuring. Emphasize that within each method,
there are many permutations to domain restructuring. Students may be
confused by the different ways that they can perform domain restructuring.
It is important to take the necessary time here to ensure comprehension.
Emphasize that restructuring is possible between Windows NT 4.0 and
Microsoft Windows
®
2000 domains, between Windows 2000 domains in
separate forests, or between domains in the same Windows 2000 forest.
Restructuring instead of upgrading has proven to be the most common
among early adopters.
# 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\##Y#


Explain how to prepare to deploy the target environment. The assumption
made throughout this course is that the Active Directory
™
directory service
design has been completed in an earlier planning stage. This particular
planning step is only applicable to organizations restructuring between a
Windows NT 4.0 source environment and a Windows 2000 target.

Make sure that students understand all of the components of creating a
recovery plan that allows them to roll back to the pre-restructured Windows
NT domain. Be sure to compare the differences between recovering a
Windows NT environment and a Windows 2000 source environment.
Explain the factors to consider when selecting an appropriate migration tool
for your restructuring.
Explain the security principal details that students must document. Make
sure that students understand the impact if this information is not
comprehensively recorded. This topic mentions several Resource Kit
utilities that facilitate this documentation for smaller environments. Ask
students about their knowledge of third-party tools that can help with this
process in enterprise environments.
„# Determining the Order of Restructuring Within a Domain
Explain the recommended order of moving objects in a restructuring. Ask
students what the impact will be if a different order is used.
„# Identifying Domain Post-Restructuring Tasks
Make sure that students understand why they may need to redefine resource
discretionary access control lists (DACLs) and how they can avoid the
unknown user problem. Be sure to mention how the Security Translation
wizard of the Active Directory Migration Tool (ADMT) can be used to
facilitate this process. They will use this wizard in the lab to redefine a
resource DACL. You may also want to demonstrate this wizard during your
lecture on this topic.
Cleaning up sIDHistory is a post-domain restructure step that is applicable
only to companies choosing to migrate security principals with their source
security identifier (SID). Because most organizations are likely to adopt this
process, make sure that students understand that the main reason for doing
this is to minimize the size of access tokens. At this time, there is no tool to
remove the value of the sIDHistory; a simple Active Directory Service
Interfaces (ADSI) script can accomplish this. Remind students that retaining

the sIDHistory is optional during migration. The process of sIDHistory
cleanup is not required if accounts are not migrated with their original SIDs.
Converting the target environment to production is one of the last steps in
domain restructuring. Ensure that students understand the different ways in
which the conversion can occur.
Decommissioning the source environment is something that all
organizations will do. Although this process is fairly straightforward, the
key to planning domain decommissioning is making sure that all of the
objects have been moved to the target environment.



# 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\##4#


2YHUYLHZ#
„
,QWURGXFWLRQ#WR#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#
6WUDWHJ\
„
,GHQWLI\LQJ#'RPDLQ#3UH05HVWUXFWXULQJ#7DVNV
„
'HWHUPLQLQJ#WKH#2UGHU#RI#5HVWUXFWXULQJ#:LWKLQ#D#'RPDLQ
„
,GHQWLI\LQJ#'RPDLQ#3RVW05HVWUXFWXULQJ#7DVNV


After you have determined the implications that restructuring domains has on
security principals, you can begin planning for domain restructuring.
This module provides a step-by-step methodology for creating a restructure

strategy.
At the end of this module, you will be able to:
„# Identify and perform the domain pre-restructuring planning tasks.
„# Determine the order of moving objects in a restructuring.
„# Identify and perform the domain post-restructuring planning tasks.

6OLGH#2EMHFWLYH#
7R#SURYLGH#DQ#RYHUYLHZ#RI#
WKH#PRGXOH#WRSLFV#DQG#
REMHFWLYHV1#
/HDG0LQ#
,Q#WKLV#PRGXOH/#\RX#ZLOO#OHDUQ#
DERXW#WKH#VWHSV#IRU#
GHYHORSLQJ#D#UHVWUXFWXUH#
VWUDWHJ\1#
5# # 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\#


,QWURGXFWLRQ#WR#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#
6WUDWHJ\#
,GHQWLI\#GRPDLQ#SUH0UHVWUXFWXULQJ#WDVNV
,GHQWLI\#GRPDLQ#SUH0UHVWUXFWXULQJ#WDVNV
'HWHUPLQH#WKH#RUGHU#RI#UHVWUXFWXULQJ#ZLWKLQ#D#GRPDLQ
'HWHUPLQH#WKH#RUGHU#RI#UHVWUXFWXULQJ#ZLWKLQ#D#GRPDLQ
,GHQWLI\#GRPDLQ#SRVW0UHVWUXFWXULQJ#WDVNV
,GHQWLI\#GRPDLQ#SRVW0UHVWUXFWXULQJ#WDVNV
1
1
1
2

2
2
3
3
3


The Microsoft
®
Active Directory
™
directory service design defines the ideal
Microsoft Windows
®
2000 domain hierarchy. How you achieve that goal is the
point of restructure planning. When formulating a restructure strategy, the
following are the basic planning steps that all organizations must complete for
the most common restructure scenarios:
1. Identify and perform domain pre-restructure tasks to ensure that security
principal information can be reconstructed after restructure (if necessary), to
roll back to the source environment (if necessary), and to document and
make decisions that will ensure a successful migration.
2. Determine the order of restructuring within a domain to ensure that the
source group membership and resource discretionary access control lists
(DACLs) are migrated intact.
3. Identify and perform domain post-restructure tasks to ensure that the users
retain logon capability and access to resources after the restructure.

Depending on the current network environment, additional planning steps may
be required to ensure continuity in the availability of network services and

applications.
6OLGH#2EMHFWLYH#
7R#LQWURGXFH#WKH#VWHSV#IRU#
SODQQLQJ#D#UHVWUXFWXULQJ1#
/HDG0LQ#
:KHQ#\RX#SODQ#DQG#SUHSDUH#
IRU#D#GRPDLQ#UHVWUXFWXULQJ/#
\RX#KHOS#HQVXUH#WKDW#WKH#
QHWZRUN#FRQWLQXHV#WR#ZRUN#
SURSHUO\#DQG#WKDW#WKH#FKRVHQ#
VWUXFWXUH#VDWLVILHV#WKH#
EXVLQHVV#UHTXLUHPHQWV#RI#
\RXU#RUJDQL]DWLRQ1#
3URYLGH#DQ#RYHUYLHZ#RI#WKH#
RYHUDOO#UHVWUXFWXUH#SODQQLQJ#
SURFHVV1#8VH#WKH#VOLGH#WR#
H[SODLQ#WKH#SODQQLQJ#VWHSV#
LQYROYHG#LQ#FUHDWLQJ#D#EDVLF#
GRPDLQ#UHVWUXFWXUH#SODQ1#
#
'HOLYHU\#7LS
#
7KLV#PRGXOH#IRFXVHV#RQ#WKH#
JHQHUDO#SODQQLQJ#VWHSV#WKDW#
DSSO\#WR#DOO#UHVWUXFWXUH#
VFHQDULRV1#
#
$GGLWLRQDO#SODQQLQJ#VWHSV#
PD\#QHHG#WR#EH#DGGHG#WR#
WKLV#EDVLF#UHVWUXFWXUH#SODQ1#

)RU#PRUH#LQIRUPDWLRQ/#VHH#
PRGXOH#:/#³0LQLPL]LQJ#WKH#
,PSDFW#RQ#1HWZRUN#
2SHUDWLRQV#'XULQJ#D#'RPDLQ#
5HVWUXFWXUH/´#LQ#FRXUVH#
5343$/#'HVLJQLQJ#D#
0LFURVRIW#:LQGRZV#5333#
0LJUDWLRQ#6WUDWHJ\1#
# 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\##6#


‹‹
#,GHQWLI\LQJ#'RPDLQ#3UH05HVWUXFWXULQJ#7DVNV#
([DPLQLQJ#H[LVWLQJ#GRPDLQ#HQYLURQPHQW#IRU#UHVWUXFWXUH
([DPLQLQJ#H[LVWLQJ#GRPDLQ#HQYLURQPHQW#IRU#UHVWUXFWXUH
&KRRVLQJ#D#GRPDLQ#UHVWUXFWXUH#PHWKRGRORJ\
&KRRVLQJ#D#GRPDLQ#UHVWUXFWXUH#PHWKRGRORJ\
3UHSDULQJ#WR#GHSOR\#WKH#WDUJHW#HQYLURQPHQW
3UHSDULQJ#WR#GHSOR\#WKH#WDUJHW#HQYLURQPHQW
6HOHFWLQJ#DSSURSULDWH#PLJUDWLRQ#WRROV
6HOHFWLQJ#DSSURSULDWH#PLJUDWLRQ#WRROV
,GHQWLI\LQJ#DQG#GRFXPHQWLQJ#VRXUFH#VHFXULW\#SULQFLSDO#GHWDLOV
,GHQWLI\LQJ#DQG#GRFXPHQWLQJ#VRXUFH#VHFXULW\#SULQFLSDO#GHWDLOV
1
1
1
2
2
2
3

3
3
'HYHORSLQJ#D#UHFRYHU\#SODQ
'HYHORSLQJ#D#UHFRYHU\#SODQ
4
4
4
'HWHUPLQLQJ#KRZ#WR#PLJUDWH#VHFXULW\#SULQFLSDO#GHWDLOV
'HWHUPLQLQJ#KRZ#WR#PLJUDWH#VHFXULW\#SULQFLSDO#GHWDLOV
5
5
5
6
6
6
7
7
7


When planning a restructure strategy, you need to perform the following pre-
restructuring tasks:
1. Examine the existing domain environment to identify obsolete components
in the existing environment, help select a restructure methodology, and
ensure that existing network services and resource access are maintained
during the restructuring.
2. Choose a domain restructure methodology that meets your migration goals
and your Active Directory design goals.
3. Prepare to deploy the target environment in case you select inter-forest
restructuring as the methodology for your migration.

4. Develop a recovery plan to prevent accidental data loss during a restructure
and to allow rollback to the pre-restructured Microsoft Windows NT
®

domain.
5. Select appropriate migration tools for your restructuring.
6. Identify and document source security principal details to ensure that you
can reconstruct them after migration if necessary.
7. Determine how to migrate security principal details.

6OLGH#2EMHFWLYH#
7R#LQWURGXFH#WKH#SUH0
UHVWUXFWXULQJ#WDVNV1#
/HDG0LQ#
3UH0UHVWUXFWXULQJ#WDVNV#
LQFOXGH111#
%ULHIO\#H[SODLQ#WKH#SUH0
UHVWUXFWXULQJ#WDVNV1#
7# # 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\#


([DPLQLQJ#([LVWLQJ#'RPDLQ#(QYLURQPHQW#IRU#5HVWUXFWXUH#
„
,GHQWLI\#WKH#&XUUHQW#'RPDLQ#0RGHO
„
,GHQWLI\#DQG#'RFXPHQW#$OO#2QH0 DQG#7ZR0:D\#7UXVW#
5HODWLRQVKLSV
„
,GHQWLI\#$SSOLFDWLRQV#5XQQLQJ#RQ#'RPDLQ#&RQWUROOHUV
„

,GHQWLI\#6HUYLFHV#5XQQLQJ#RQ#'RPDLQ#&RQWUROOHUV#
DQG#7KHLU#&RQILJXUDWLRQ


Examining the current domain model serves the following three purposes:
„# It assists in identifying obsolete components in the existing environment.
Eliminating outdated domains and security principals will simplify domain
management in the new environment.
„# It helps select a restructure methodology. Achieving the ideal forest may
require that existing account domains be upgraded to join a parallel
environment while eliminating obsolete resource domains. Or, it may
require abandoning the whole model and beginning again with an
infrastructure that serves the requirements of the business that it supports.
„# It helps ensure that existing network services remain intact and that resource
access is maintained during the restructure.

When examining the existing domain structure, include the following steps:
„# Identify the current domain model.
Document the number of domains and the function that they serve.
Carefully examine the reasons that a domain was originally created.
Companies that previously required multiple account domains for
scalability, and multiple resource domains for segregating administrative
access, may be able to eliminate those domains in favor of a single Active
Directory domain.
„# Identify and document all one- and two-way trust relationships.
To ensure that migrated users retain access to resources in trusted domains,
you must establish trusts on the target domain that mirror the trusts found on
the resource domain.
6OLGH#2EMHFWLYH#
7R#H[SODLQ#WKH#FRPSRQHQWV#

RI#WKH#H[LVWLQJ#GRPDLQ#
PRGHO#WKDW#QHHG#WR#EH#
GRFXPHQWHG#SULRU#WR#
UHVWUXFWXUH1#
/HDG0LQ#
([DPLQLQJ#\RXU#H[LVWLQJ#
GRPDLQ#PRGHO#DOORZV#\RX#WR#
LGHQWLI\#REVROHWH#
FRPSRQHQWV#LQ#WKH#H[LVWLQJ#
HQYLURQPHQW/#VHOHFW#D#
UHVWUXFWXUH#PHWKRGRORJ\/#
DQG#HQVXUH#WKDW#H[LVWLQJ#
QHWZRUN#VHUYLFHV#DQG#
UHVRXUFH#DFFHVV#DU H#
PDLQWDLQHG#GXULQJ#WKH#
UHVWUXFWXULQJ1#
8VH#WKH#VOLGH#WR#SRLQW#RXW#
HDFK#FRPSRQHQW#RI#WKH#
H[LVWLQJ#GRPDLQ#
HQYLURQPHQW#WKDW#VKRXOG#EH#
H[DPLQHG#SULRU#WR#
UHVWUXFWXUH1#
#
'HOLYHU\#7LS
#
$VN#VWXGHQWV#ZKHWKHU#WKH\#
KDYH#GRPDLQ#HQYLURQPHQW#
GRFXPHQWDWLRQ1#
#
.H\#3RLQWV#

(PSKDVL]H#WKDW#WKH#
LQIRUPDWLRQ#JDWKHUHG#DERXW#
WKH#GRPDLQ#HQYLURQPHQW#
KHOSV#HOLPLQDWH#LQHIILFLHQFLHV#
LQ#WKH#QHZ#HQYLURQPHQW#DQG#
VHOHFW#D#UHVWUXFWXUH#
PHWKRGRORJ\1#
# 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\##8#


„# Identify applications running on domain controllers.
Applications running on Widows NT version 4.0 domain controllers that are
incompatible with Windows 2000 will prevent the source domain from
being decommissioned unless the application is moved or upgraded.
„# Identify services running on domain controllers and their configurations.
If domain controllers will be migrated to the target environment, the
services that they run will not be available during migration. Before the
domain controllers are migrated, ensure that backups to the services that
they provide are in place.

9# # 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\#


&KRRVLQJ#D#'RPDLQ#5HVWUXFWXUH#0HWKRGRORJ\#
„
3RVW08SJUDGH
z
,QYROYHV#XSJUDGLQJ#D#VLQJOH#DFFRXQW#GRPDLQ#DQG#WKHQ#SHUIRUPLQJ#
LQWHU0IRUHVW#UHVWUXFWXULQJ#WR#PHUJH#UHPDLQLQJ#17#713#GRPDLQV#LQWR#LW
„

,QVWHDG#RI#8SJUDGH
z
,QYROYHV#GHVLJQLQJ#DQG#EXLOGLQJ#D#SULVWLQH#IRUHVW#DQG#SRSXODWLQJ LW#
ZLWK#VHFXULW\#SULQFLSDOV#IURP#WKH#H[LVWLQJ#GRPDL Q
„
3RVW00LJUDWLRQ
z
,QYROYHV#SHUIRUPLQJ#DQ#LQWHU0IRUHVW#RU#DQ#LQWUD0IRUHVW#UHVWUXFWXULQJ#


Emphasize the difference between intra- and inter-forest restructuring. The
restructure methodology that you choose will vary depending on your migration
goals, existing domain model, and Active Directory design goals. You may
choose to restructure domains immediately after upgrade, in place of an
upgrade, or as a general domain redesign sometime in the future.
3RVW08SJUDGH#
Some organizations may choose to upgrade a single account domain to gain
quick access to Windows 2000 scalability, and then to perform inter-forest
restructuring to merge the remaining Windows NT 4.0 domains into it. Others
may choose to upgrade all Windows NT 4.0 domains and redesign the Active
Directory forest by performing intra-forest restructuring on selected Windows
2000 domains at a later date; this improves long-term manageability of the
forest hierarchy.

Because performing domain restructuring after upgrading to Active
Directory is a two-phased migration project, this migration scenario will require
a two-part strategy that involves more time to plan.

,QVWHDG#RI#8SJUDGH#
Companies dissatisfied with the number of domains in their current

infrastructure may choose to migrate to a completely redesigned domain model
instead of upgrading their existing model. This type of inter-forest restructuring
is well suited for organizations that cannot risk interruption in the current
production environment or that can only afford a single-step migration.
Restructuring instead of upgrading involves designing and building a pristine
forest, which is an ideal Windows 2000 forest isolated from the current
production environment, and then populating it with security principals from an
existing domain. The existing domains operate normally during migration. The
Windows 2000 pilot project operation parallels the existing environment and
eventually becomes the production environment.
6OLGH#2EMHFWLYH#
7R#H[SODLQ#WKH#PHWKRGV#RI#
UHVWUXFWXULQJ1#
/HDG0LQ#
'HSHQGLQJ#RQ#\RXU#
PLJUDWLRQ#JRDOV/#H[LVWLQJ#
GRPDLQ#PRGHO/#DQG#\RXU#
$FWLYH#'LUHFWRU\#GHVLJQ#
JRDOV/#\RX#PD\#FKRRVH#WR#
UHVWUXFWXUH#GRPDLQV#DIWHU#
XSJUDGH/#LQVWHDG#RI#
XSJUDGH/#RU#DV#D#JHQHUDO#
GRPDLQ#UHGHVLJQ1#
'LVFXVV#WKH#PHWKRGV#RI#
UHVWUXFWXULQJ1#
:LWKLQ#HDFK#PHWKRG/#WKHUH#
DUH#PDQ\#SHUPXWDWLRQV#WR#
GRPDLQ#UHVWUXFWXULQJ1#
#
'LVFXVV#WKH#PLJUDWLRQ#JRDOV#

LQ#HDFK#VHFWLRQ#DQG#KRZ#
WKH\#PDS#WR#WKH#
PHWKRGRORJ\1#
#
'HOLYHU\#7LS
#
'R#D#TXLFN#UHYLHZ#RI#WKH#
PLJUDWLRQ#JRDOV#FRYHUHG#LQ#
PRGXOH#5/#³&KRRVLQJ#D#
0LJUDWLRQ#3DWK#WR#:LQGRZV#
5333#$FWLYH#'LUHFWRU\/´#LQ#
FRXUVH#5343$/#'HVLJQLQJ#D#
0LFURVRIW#:LQGRZV#5333#
0LJUDWLRQ#6WUDWHJ\1#
,PSRUWDQW#
# 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\##:#


After the new Active Directory forest has been built, security principals are
copied into domains in the new forest. Resources such as file and print servers
are moved to the forest, and the pilot environment can be transitioned to the
production environment. The source domain environment can be
decommissioned, and the remaining servers can be redeployed.

Post-migration domain restructuring is also possible and can be
performed in an inter-forest fashion, known as cut and paste (or sometimes
called prune and graft), to accommodate corporate mergers or acquisitions. It
can also be performed in an intra-forest manner, as in the case of forest redesign
due to extensive organizational change.


1RWH#
;# # 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\#


3UHSDULQJ#WR#'HSOR\#WKH#7DUJHW#(QYLURQPHQW#
„
(QVXUH#7KDW#6XIILFLHQW#+DUGZDUH#,V#$YDLODEOH
„
(QVXUH#7KDW#([LVWLQJ#'16#1DPHVSDFH#:LOO#1RW#&RQIOLFW#
:LWK#2QH#5HTXLUHG#E\#3DUDOOHO#(QYLURQPHQW
„
(QVXUH#$FWLYH#'LUHFWRU\#'HVLJQ#'HILQHV 28V
$SSURSULDWH#IRU#0LJUDWHG#$FFRXQWV
„
9HULI\#7KDW#5HSOLFDWLRQ#6FKHGXOHV#%HWZHHQ#6LWHV#:LOO#
)DFLOLWDWH#'RPDLQ#&RQWUROOHU#5HGHSOR\PHQW
„
&UHDWH#DQ#$GPLQLVWUDWLYH#7UDQVLWLRQ#3ODQ
„
'HILQH#3URFHVV#IRU#,PSOHPHQWLQJ#6HFXULW\#DQG#
$GPLQLVWUDWLYH#)HDWXUHV


If you select inter-forest restructuring as the methodology for your migration,
an additional planning step is required: preparing to deploy the target
environment. The target environment is defined by the Active Directory design
and is the blueprint for an organization’s ideal Windows 2000 environment.

If an organization chooses to upgrade all existing domains first, this
planning step is not required.


In inter-forest restructuring scenarios, it is necessary that the forest proposed by
the Active Directory design be created prior to migration. This pristine
environment serves as the target for the domains being restructured. It operates
in parallel and should be kept separate from the production environment. When
all restructure operations are complete, the parallel environment can be
transitioned to production.
To prepare to deploy the target environment:
„# Ensure that sufficient hardware is available.
At a minimum, all domains that will ultimately hold migrated accounts or
resources must be created, requiring more hardware than what is presently
used in the current domain model. Depending on the domain hierarchy
proposed in the Active Directory design, this may require the creation of all
domains. Additionally, a sufficient number of domain controllers should be
installed in each target domain to support fault tolerance during migration.
6OLGH#2EMHFWLYH#
7R#H[SODLQ#KRZ#WR#SUHSDUH#WR#
GHSOR\#WKH#WDUJHW#
HQYLURQPHQW1#
/HDG0LQ#
7KLV#SODQQLQJ#VWHS#LV#
UHTXLUHG#RQO\#LI#\RX#VHOHFW#
LQWHU0IRUHVW#UHVWUXFWXULQJ#DV#
WKH#PHWKRGRORJ\#RI#\RXU#
PLJUDWLRQ1#
8VH#WKH#VOLGH#WR#SRLQW#RXW#
HDFK#VWHS#LQ#SODQQLQJ#WR#
GHSOR\#WKH#WDUJHW#
HQYLURQPHQW/#DQG#
HPSKDVL]H#ZK\#HDFK#VWHS#LV#

LPSRUWDQW1#
#
.H\#3RLQWV
#
(PSKDVL]H#WKDW#WKH#WDUJHW#
HQYLURQPHQW#LQ#DQ#LQWHU0
IRUHVW#UHVWUXFWXUH#VFHQDULR#LV#
D#SULVWLQH#:LQGRZV#5333#
HQYLURQPHQW#GHILQHG#E\#WKH#
$FWLYH#'LUHFWRU\#GHVLJQ1#
2UJDQL]DWLRQV#PXVW#SODQ#WR#
GHSOR\#WKH#WDUJHW#
HQYLURQPHQW#LI#LQWHU0IRUHVW#
UHVWUXFWXULQJ#LV#FKRVHQ#DV#
WKH#UHVWUXFWXUH#
PHWKRGRORJ\1#
#
6RPH#VHFXULW\#DQG#
DGPLQLVWUDWLYH#IHDWXUHV#
PLJKW#QRW#EH#GHSOR\HG#XQWLO#
VHFXULW\#SULQFLSDOV#DUH#
PLJUDWHG1#$#VHFXULW\#DQG#
DGPLQLVWUDWLYH#SODQ#ZLOO#
HQVXUH#WKDW#DOO#GHVLUHG#
IHDWXUHV#DUH#GHSOR\HG1#
1RWH#
# 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\##<#


„# Ensure that the existing Domain Name System (DNS) namespace or

namespaces will not conflict with the one required by the parallel
environment.
The target DNS deployment must be integrated into the existing DNS
infrastructure to ensure that two primary zones do not exist for any of the
DNS domains.

For more information on how restructuring affects DNS, see module
7, “Minimizing the Impact on Network Operations During a Domain
Restructure,” in course 2010A, Designing a Microsoft Windows 2000
Migration Strategy.

„# Ensure that the Active Directory design defines organizational units (OUs)
appropriate for migrated accounts.
Migrated users may be concentrated in a single container or separated in
multiple containers according to the domain from which the accounts
originated. Verify that suitable OUs are defined so that migrated accounts
do not have to be moved after migration.
„# Verify that the replication schedules between sites will facilitate domain
controller redeployment.
This is particularly important where a single domain spans multiple sites. If
domain controllers from the source domain are redeployed to the target
environment, sites will help control domain replication traffic over slow
links. Prior to migration, place at least one domain controller in each
location. Before the parallel environment is transitioned to production,
ensure that sufficient domain controllers are present in each site to provide
fault tolerance and reliability.


For more information on deployment planning, see module 8, “Planning
to Deploy a Migration Strategy,” in course 2010A, Designing a Microsoft

Windows 2000 Migration Strategy.

1RWH#
1RWH#
43# # 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\#


3ODQQLQJ#WR#'HSOR\#6HFXULW\#DQG#$GPLQLVWUDWLYH#)HDWXUHV#
Completely deploying the security and administrative features defined in the
Active Directory design may not be possible until security principals are fully
migrated to the pristine environment. For example, if an organization plans to
delegate at the object level—that is, by computer or use—delegation cannot be
fully deployed until security principals are migrated. To compensate for this
and to ensure that the security and administrative features defined in the Active
Directory design are fully deployed, your restructure plan must include steps to:
„# Create an administrative transition plan.
This plan should identify who will manage what during and after the
domain restructure by defining:
•
New administrative roles and responsibilities.
For example, if Windows NT 4.0 resource domains are being collapsed
into Windows 2000 domains, determine whether resource administrators
will join the Domain Admins group in the destination domain. The
combination of restructuring to reduce the number of domains and the
deployment of time- and labor-saving administrative features in
Windows 2000 may require Information Technology (IT) organizations
to redefine administrative roles and responsibilities.

Changes in IT policies, procedures, support systems, roles, and
responsibilities should be planned and communicated ahead of time and

applied in a way that allows IT to remain focused on the migration without
disruption.

•
When new roles and responsibilities will go into effect.
„# Define a process for implementing any remaining security and
administrative features at the appropriate time as domains are restructured.

For more information on developing a security and administrative
plan for Active Directory, see course 1561B, Designing a Microsoft
Windows 2000 Directory Services Infrastructure.


,PSRUWDQW#
1RWH#
# 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\# # 44#


'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#5HFRYHU\#3ODQ#
Domain
Controller
Domain
Controller
Applications
Applications
Data
Data
Backup
Backup
Backup

Backup
Backup
Backup
Backup
Backup
Backup
41#$GG#D#%'&#WR#D#'RPDLQ#
&RQWDLQLQJ#D#6LQJOH#'RPDLQ#
&RQWUROOHU
51#'RFXPHQW#WKH#&RQILJXUDWLRQ#RI#
6HUYLFHV#DQG#$SSOLFDWLRQV#
5XQQLQJ#RQ#WKH#3'&#DQG#%'&V#
61#%DFN#8S#6HUYLFHV#DQG#
$SSOLFDWLRQV#WR#7DSH
71#%DFN#8S#$FFRXQW#'DWDEDVH#DQG#
3HUIRUP#D#7HVW#5HVWRUDWLRQ#


It is important that you develop a recovery plan to prevent accidental data loss
during restructure. This plan should include details of how you will back up
your domain controllers, applications, and other data before and during the
upgrade.
Although a certain degree of recovery is possible by simply maintaining the
source domain, having a recovery plan is important in migration scenarios
where automatic fallback is not possible:
„# Intra-forest restructure scenarios, where moving objects between domains
deletes the source object, preventing automatic fallback.
„# Inter-forest restructure scenarios, where domain controllers are moved.
Reinstalling or demoting domain controllers prior to redeployment to the
target environment prevents automatic recovery of service configurations,

application information, and Security Accounts Manager (SAM) database
objects.

To ensure that a domain can be fully rolled back to its pre-restructure state, your
recovery plan should, at a minimum, include the following steps:
1. Ensure that all source domains have at least two domain controllers to
prevent a domain from becoming orphaned during the migration process.
2. Document the configuration of any applications or services running on the
domain controllers targeted for redeployment, such as file and print
services, Dynamic Host Configuration Protocol (DHCP), or DNS.
3. Back up these services and applications to tape, and test the backup tapes by
performing a test restoration.
6OLGH#2EMHFWLYH#
7R#H[SODLQ#WKH#VWHSV#WR#
SHUIRUP#ZKHQ#GHYHORSLQJ#D#
UHFRYHU\#SODQ1#
/HDG0LQ#
%HIRUH#\RX#SHUIRUP#D#
UHVWUXFWXUH/#\RX#PXVW#
SUHSDUH#D#UROOEDFN#VWUDWHJ\#
WR#HQVXUH#WKDW#\RX#FDQ#
UHFRYHU#IU RP#DQ\#UHVWUXFWXUH#
SUREOHPV1#
'LVFXVV#HDFK#VWHS#LQ#
FUHDWLQJ#D#UHFRYHU\#SODQ#DQG#
HPSKDVL]H#WKDW#WKHVH#DUH#
WKH#PLQLPXP#QXPEHU#RI#
VWHSV#UHFRPPHQGHG#IRU#D#
UHVWUXFWXUH#UHFRYHU\#SODQ1#
#

'HOLYHU\#7LS
#
0DNH#VXUH#WKDW#\RX#GLVFXVV#
WKH#GLIIHUHQFHV#EHWZHHQ#
UHFRYHULQJ#D#:LQGRZV#17#
HQYLURQPHQW#DQG#D#:LQGRZV#
5333#HQYLURQPHQW1#
#
.H\#3RLQWV
#
$#UHFRYHU\#SODQ#LV#
QHFHVVDU\#IRU#UHVWUXFWXUH#
VFHQDULRV#WKDW#GR#QRW#
SURYLGH#DXWRPDWLF#IDOOEDFN#
FDSDELOLWLHV1#
45# # 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\#


4. Ensure that the SAM database is current, back up the account database, and
perform a test restoration.
Use the Windows NT Server Manager tool to synchronize Windows NT 4.0
backup domain controllers (BDCs) with the primary domain controller
(PDC). To bring the SAM current on a Windows 2000 domain controller,
you can use the Active Directory Sites and Services administrative tool to
force replication within the source domain.
You can use the Windows NT Backup tool to back up the SAM database on
Windows NT domain controllers. You can use the Windows 2000 Backup
tool to back up the Active Directory and SYSVOL contents on Windows
2000 domain controllers, by including the System State information in the
backup set.


Step four is not necessary if the source domain is Windows NT 4.0. In
this case, one fully synchronized domain controller can be taken offline and
retained until after migration is complete and the production environment is
running smoothly.

5HFRYHULQJ#D#:LQGRZV#17#713#6RXUFH#'RPDLQ#
If any problems arise during migration, you can remove all computers running
Windows 2000 from the production environment, and perform one of the
following steps:
„# Promote the offline domain controller to a PDC and then bring it back into
your network. This new PDC then replicates its data to any remaining
Windows NT 4.0 BDCs, returning the domain to its previous state.
„# Restore the BDC from tape, then promote it to a PDC. This PDC will
replicate its data to any remaining Windows NT 4.0 BDCs, returning the
domain to its previous state.

Carefully consider turning on the protected domain controller to
update its directory information. Although this will prevent loss of any
changes made during the restructure, source accounts may be disabled
during restructure operations.


5HFRYHULQJ#D#:LQGRZV#5333#6RXUFH#'RPDLQ#
If any problems arise during migration, you can restore the pre-restructure
Windows 2000 environment from backup tape by performing an authoritative
restore of the system state.

For more information on performing an authoritative restore, see the
knowledge-base articles Q241594 and Q240363 on the Student Materials

compact disc.

7LS#
&DXWLRQ#
1RWH#
# 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\# # 46#


6HOHFWLQJ#$SSURSULDWH#0LJUDWLRQ#7RROV#
„
7RRO#&DSDELOLWLHV#LQ#$FKLHYLQJ#0LJUDWLRQ#*RDOV
z
%HFRPH#IDPLOLDU#ZLWK#HDFK#WRRO¶V#FDSDELOLWLHV#DQG#
OLPLWDWLRQV
„
$GPLQLVWUDWLYH#3UHIHUHQFHV
z
$'07#LV#HDV\#WR#XVH#DQG#UHT XLUHV#OLWWOH#SUHSDUDWLRQ
z
0RYH7UHH DQG#&ORQH3ULQFLSDO DV#FRPPDQG0OLQH#XWLOLWLHV#
DUH#EHVW#XVHG#LQ#VFULSWV
„
6HFXULW\#5HTXLUHPHQWV
z
$'07#DOORZV#DGPLQLVWUDWRUV#WR#VHW#FORQHG#XVHU#
SDVVZRUGV/#HQDEOH#FORQHG#DFFRXQWV/#DQG#G LVDEOH#WDUJHW#
DQG#VRXUFH#DFFRXQWV
z
&ORQH3ULQFLSDO VHWV#FORQHG#XVHU#SDVVZRUGV#WR#18//



The set of migration tools that you use will be dictated by the domain
restructure methodology that you choose. Use Active Directory Migration Tool
(ADMT) and ClonePrincipal for inter-forest restructuring, and use MoveTree
and ADMT for intra-forest restructuring. You can use Netdom for both types of
restructuring.
The primary tool that you use depends on a number of factors, including:
„# A tool’s capabilities in achieving migration goals.
Each tool varies in the migration features that it provides. You should
become familiar with each tool’s capabilities and limitations.
„# Administrative preferences.
Driven by graphical wizard interfaces, ADMT is easy to use and requires
little preparation. However, MoveTree and ClonePrincipal as command-line
utilities are best used in scripts that enable user accounts, clean up or
populate user attributes, or define closed sets.
„# Security requirements.
Your security requirements may also help to determine your primary
migration tool. ADMT allows administrators to set cloned user passwords,
enable cloned accounts, and disable target and source accounts. By default,
ClonePrincipal sets cloned user passwords to NULL.

When the migration tools are not in use, it is recommended that
you disable TCP Client Support on the source domain. Additionally, if
ClonePrincipal is installed, deregister clonepr.dll by using the Regsvr32 /u
switch.

6OLGH#2EMHFWLYH#
7R#H[SODLQ#WKH#IDFWRUV#WR#
FRQVLGHU#ZKHQ#VHOHFWLQJ#DQ#
DSSURSULDWH#PLJUDWLRQ#WRRO#

IRU#\RXU#UHVWUXFWXULQJ1#
/HDG0LQ#
$IWHU#WKH#GRPDLQ#UHVWUXFWXUH#
PHWKRGRORJ\#KDV#EHHQ#
FKRVHQ/#\RX#FDQ#VWDUW#WKH#
SURFHVV#RI#VHOHFWLQJ#WKH#
PLJUDWLRQ#WRROV#DSSURSULDWH#
IRU#\RXU#UHVWUXFWXULQJ1#
8VH#WKH#VOLGH#WR#HPSKDVL]H#
HDFK#SRLQW#WKDW#FDQ#EH#XVHG#
WR#VHOHFW#WKH#DSSURSULDWH#
PLJUDWLRQ#WRROV1#
#
.H\#3RLQWV
#
$OWKRXJK#WKH#VHW#RI#WRROV#
XVHG#IRU#GRPDLQ#
UHVWUXFWXULQJ#LV#GLFWDWHG#E\#
WKH#W\SH#RI#UHVWUXFWXUH/#WKH#
SULPDU\#WRRO#XVHG#GHSHQGV#
RQ#DQ#RUJDQL]DWLRQ¶V#QHHGV/#
WKH#WRRO¶V#FDSDELOLWLHV/#DQG#
DGPLQLVWUDWRU#SUHIHUHQFH1#
,PSRUWDQW#
47# # 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\#


,GHQWLI\LQJ#DQG#'RFXPHQWLQJ#6RXUFH#6HFXULW\#3ULQFLSDO#'HWDLOV#
„
'RFXPHQW#5HJLVWU\/#6KDUH/#DQG#17)6#)LOH#6\VWHP#

3HUPLVVLRQV#RQ#6RXUFH#'RPDLQ#&RQWUROOHUV
„
'RFXPHQW#WKH#0HPEHUVKLS#RI#(DFK#6RXUFH#*URXS#WR#%H#
0LJUDWHG
„
,GHQWLI\#*OREDO#*URXSV#LQ#6RXUFH#$FFRXQW#'RPDLQV
„
,GHQWLI\#2EVROHWH#DQG#'LVDEOHG#8VHU#$FFRXQWV
„
'RFXPHQW#6SHFLDO#8VHU#5LJKWV#$VVLJQPHQWV#DQG#%XLOW0LQ#
*URXS#0HPEHUVKLS
„
,GHQWLI\#(PSW\#RU#2EVROHWH#*URXSV


Domain restructuring requires significant preparation and documentation to
ensure successful migration. You should record the following security principal
details prior to migrating accounts from the source domain:
„# Document registry, share, and NTFS file system permissions on source
domain controllers.
Whether you choose to migrate the security identifiers (SIDs) or not, this
documentation will ensure that resource permissions for migrated security
principals can be reconstructed if necessary. The Showacls.exe,
Subinacl.exe, and Perms.exe Windows NT 4.0 Resource Kit and Windows
2000 Resource Kit utilities can assist in documenting permissions on a
Windows NT 4.0 or Windows 2000 source domain. If the source domain is
Windows 2000, you can also write a variety of Active Directory Service
Interfaces (ADSI) scripts to collect these permissions.
„# Document the membership of each source group to be migrated.
This information will be useful when validating the membership of cloned

or moved groups and in identifying closed sets for migration operations.
The Global.exe, Local.exe, Findgrp.exe, Showmbrs.exe, and Showgrps.exe
Windows NT 4.0 Resource Kit utilities can assist in documenting groups
and their membership for a Windows NT 4.0 or Windows 2000 source
domain. If the source domain is Windows 2000, you can also write a variety
of ADSI scripts to collect the membership.
„# Identify global groups in source account domains that might be combined in
the target domain.
When multiple account domains exist in a source environment, it is
common for global groups of the same name or function to be defined in
each domain; for example, domainA\SalesReps and domainb\SalesReps.
You can merge groups of the same name or function in the target domain,
allowing you to simplify group management.
6OLGH#2EMHFWLYH#
7R#H[SODLQ#WKH#VHFXULW\#
SULQFLSDO#GHWDLOV#WKDW#PXVW#EH#
GRFXPHQWHG#SULRU#WR#D#
GRPDLQ#UHVWUXFWXUH1#
/HDG0LQ#
'RPDLQ#UHVWUXFWXULQJ#
UHTXLUHV#D#JUHDW#GHDO#RI#
SUHSDUDWLRQ#DQG#
GRFXPHQWDWLRQ#WR#HQVXUH#
VXFFHVVIXO#PLJUDWLRQ1#
8VH#WKH#VOLGH#WR#SRLQW#RXW#WKH#
VHFXULW\#SULQFLSDO#GHWDLOV#WKDW#
PXVW#EH#GRFXPHQWHG#SULRU#
WR#D#GRPDLQ#UHVWUXFWXUH1#
#
'HOLYHU\#7LS

#
)RU#HDFK#SRLQW/#PHQWLRQ#WKH#
XWLOLWLHV#WKDW#DVVLVW#LQ#WKLV#
GRFXPHQWDWLRQ#SURFHVV#DQG#
DVN#VWXGHQWV#DERXW#WKH#WRROV#
WKDW#WKH\#XVH#LQ#WKHLU#
HQYLURQPHQWV#WKDW#PLJKW#
IDFLOLWDWH#WKLV#SODQQLQJ#VWHS1#
#
$V#\RX#GLVFXVV#HDFK#VWHS/#
DVN#VWXGHQWV#ZK\#WKLV#
GRFXPHQWDWLRQ#LV#LPSRUWDQW1#
# 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\# # 48#


„# Identify obsolete and disabled user accounts.
You should delete accounts in the source environment that are no longer
used or are obsolete prior to migration, so that inaccurate data is not
migrated into the new directory service. You can use the Usrstat.exe utility
in the Windows NT 4.0 Resource Kit and Windows 2000 Resource Kit to
determine when a user last logged on.
„# Document special user rights assignments and built-in group membership.
This documentation will ensure that you can construct user rights and
special memberships if necessary.
„# Identify empty or obsolete groups.
Using the Showmbrs.exe tool in the Windows NT 4.0 Resource Kit and
Windows 2000 Resource Kit can identify empty groups. You should delete
these groups prior to migration.

49# # 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\#



'HWHUPLQLQJ#+RZ#WR#0LJUDWH#6HFXULW\#3ULQFLSDO#'HWDLOV#
„
'HWHUPLQH#:KHWKHU#WKH#0HPEHUVKLS#RI#6RXUFH#*URXSV#
6KRXOG#%H#5HGHILQHG#RU#0LJUDWHG#,QWDFW
„
'HWHUPLQH#:KHWKHU#6HFXULW\#3ULQFLSDO·V#V,'+LVWRU\#:LOO#
%H#5HWDLQHG#'XULQJ#0LJUDWLRQ
„
'HWHUPLQH#WKH#6HTXHQFH#IRU#5HVWUXFWXULQJ#6HFXULW\#
3ULQFLSDOV
„
'HWHUPLQH#:KHWKHU#6,'V#RI#:HOO0.QRZQ#5,'#$FFRXQWV#
1HHG#WR#%H#0LJUDWHG
„
,GHQWLI\#8VHUV#LQ#WKH#6RXUFH#'RPDLQ#7KDW#%HORQJ#WR#
0RUH#7KDQ#833#*URXSV


You should use documented information to make decisions about how you will
handle security principal information during the migration to achieve the
desired migrated accounts in the target domain.
„# Determine whether the membership of source groups should be redefined or
migrated intact. The membership of most groups is restored after migration.
Clean up group memberships to avoid migrating inaccurate or obsolete data,
particularly for administrative groups on resource domains that will be
decommissioned.

Global group membership is protected during cloning operations. If

users are cloned before the groups to which they belong are cloned,
membership is restored when the group is migrated. If a global group is
cloned before its members, the users are automatically placed in the group
after they are cloned.

„# Determine whether security principals’ sIDHistory will be retained during
migration. Migrating the sIDHistory ensures that resource access is
maintained while domain controllers and resources are split between source
and target domains. However, access tokens can contain only a fixed
number of SIDs. Migrated users belonging to many groups may be denied
logon if the number of allowable entries in the access token is exceeded.
„# Determine the sequence for restructuring security principals. Users
responsible for performing restructuring will require administrative
credentials in the target domain. Consider migrating these accounts first.
After all administrative accounts exist in the target domain, you can deploy
the Windows 2000 administrative model. You can migrate users and groups
independently of one another or simultaneously, in a single migration
operation.
6OLGH#2EMHFWLYH#
7R#GHWHUPLQH#KRZ#WR#
PLJUDWH#VHFXULW\#SULQFLSDO#
GHWDLOV1#
/HDG0LQ#
<RX#VKRXOG#XVH#GRFXPHQWHG#
LQIRUPDWLRQ#WR#PDNH#
GHFLVLRQV#DERXW#KRZ#\RX#ZLOO#
KDQGOH#VHFXULW\#SULQFLSDO#
LQIRUPDWLRQ#GXULQJ#WKH#
PLJUDWLRQ1#
8VH#WKH#VOLGH#WR#FDOO#

DWWHQWLRQ#WR#HDFK#GHFLVLRQ#
SRLQW1#
#
'HOLYHU\#7LS
#
$VN#VWXGHQWV#ZKDW#WKH#
LPSDFW#ZLOO#EH#LI#WKH\#GR#QRW#
SURYLGH#IRU#WKHVH#SRLQWV#LQ#
WKH#UHVWUXFWXUH#SODQ1#
#
<RX#PD\#ZDQW#WR#UHLWHUDWH#
WKH#GLIIHUHQFH#EHWZHHQ#WKH#
ZD\#WKDW#JOREDO#JURXS#DQG#
VKDUHG#ORFDO#JURXS#
PHPEHUVKLS#LV#KDQGOHG#
GXULQJ#FORQLQJ#RSHUDWLRQV1#
#
%H#VXUH#WR#GLVFXVV#KRZ#
DFFRXQWV#ZLWK#ZHOO0NQRZQ#
5,'V#PXVW#EH#KDQGOHG1#
#
$VN#VWXGHQWV#ZKDW#EXVLQHVV#
QHHGV#PLJKW#GLFWDWH#KRZ#
SDVVZRUGV#DUH#VHW#RQ#
FORQHG#DFFRXQWV1#
1RWH#
# 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\# # 4:#




You could also create new administrative accounts in the target
domain; however, the permissions and user rights associated with these
accounts would not be preserved because there is no sIDHistory attribute for
new accounts.

„# Determine whether SIDs of well-known relative identifier (RID) accounts
need to be migrated.
You can add the SIDs for Domain Admins, Domain Users, and Domain
Guests in the target domain to the sIDHistory of the Domain Admins,
Domain Users, and Domain Guests accounts by using either the Group
Mapping and Merging wizard in ADMT or the Sidhist.vbs ClonePrincipal
script.

If any security assignments that include the Domain Admins,
Domain Users, or Domain Guests global groups are created in the target
domain, you must add the target SID of each group to the sIDHistory for the
matching group in the target domain. Another strategy is to remove all
references to well-known RID accounts in discretionary access control lists
(DACLs) in the source domain.

„# Identify which migrated objects go into which OUs in the target domain.
Some organizations may want to segregate all migrated accounts into a
single OU, whereas others may prefer to place them in the OU hierarchy
according to how they will be administered.
„# Identify users in the source domain that belong to more than 500 groups.
When migration is configured to retain the sIDHistory of cloned or moved
users and groups, the size of a user’s access token doubles.
In domains with complex group structures or environments with many
resource domains, the size of a migrated user’s access token can result in
logon or resource access denial. If authentication and authorization access

tokens contain more than 1,023 SIDs, a user will be unable to log on or will
be denied access to resources.

Identify the number of groups to which a user belongs by running the
Showgrps.exe utility found in the Windows NT 4.0 Resource Kit and
Windows 2000 Resource Kit.

To alleviate the problem of large access tokens, you may choose to:
•
Minimize the number of groups to which a user belongs in the source
domain prior to restructuring.
•
Migrate certain users or groups without retaining the sIDHistory, which
will require the DACLs of resources to be redefined to allow migrated
users to have continued access to resources.
•
Clean up the sIDHistory of these migrated accounts prior to allowing
users to log on in the new environment.

'HOLYHU\#7LS#
$VN#VWXGHQWV#ZKDW#ZD\V#
WKH\#PLJKW#GLVWULEXWH#QHZ#
SDVVZRUGV#WR#XVHUV1#
#
$VN#VWXGHQWV#ZKHWKHU#WKH\#
ZRXOG#VHJUHJDWH#PLJUDWHG#
DFFRXQWV#LQ#WKH#28#
KLHUDUFK\#RU#LQWHUVSHUVH#
WKHP#ZLWK#H[LVWLQJ#DFFRXQWV1#
1RWH#

,PSRUWDQW#
7LS#
4;# # 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\#


'HWHUPLQLQJ#WKH#2UGHU#RI#5HVWUXFWXULQJ#:LWKLQ#D#'RPDLQ#
5HVWUXFWXUH#XVHUV#DQG#JURXSV
5HVWUXFWXUH#XVHUV#DQG#JURXSV
5HVWUXFWXUH#FRPSXWHUV
5HVWUXFWXUH#FRPSXWHUV
5HVWUXFWXUH#PHPEHU#VHUYHUV
5HVWUXFWXUH#PHPEHU#VHUYHUV
0RYH#GRPDLQ#FRQWUROOHUV
0RYH#GRPDLQ#FRQWUROOHUV
1
1
1
2
2
2
3
3
3
4
4
4


You can restructure objects in any order that you prefer, but the recommended
order of restructuring is as follows:

1. Restructure users and groups. It is preferable to restructure users and groups
before other objects to take immediate advantage of improved user
administration, one of the key benefits of a Windows 2000 native-mode
domain. It is also easier to migrate these security principals and provides
good experience for more complex objects.
2. Restructure computers. It is advisable to restructure accounts for computers
running Windows 2000 soon after users so that Group Policy can reduce the
overhead of configuration management. Local groups on computers will be
retained when the account is moved or cloned.
3. Restructure member servers. Member servers running file, print, or other
application services require more attention than computers during a
restructure; you should perform easier migrations to gain experience before
performing more complicated moves. Local groups on member servers are
retained when the account is moved or cloned.
4. Move domain controllers. You should keep a reasonable number of domain
controllers active in the source domain until:
•
No, or very few, users are logging on to the source domain as their home
domain, and
•
No, or very few, services are requiring the source domain to authorize
access requests by users in another domain.

Because BDCs are required for authentication processing while
resources and services in a Windows NT 4.0 source domain are being
accessed, you should retain BDCs until most member servers have been
moved.


6OLGH#2EMHFWLYH#

7R#SUHVFULEH#WKH#RUGHU#RI#
PRYLQJ#REMHFWV#LQ#D#
UHVWUXFWXULQJ1#
/HDG0LQ#
7KH#UHFRPPHQGHG#RUGHU#RI#
PRYLQJ#REMHFWV#LQ#D#
UHVWUXFWXULQJ#LV=#XVHUV/#
FRPSXWHUV/#PHPEHU#
VHUYHUV/#DQG#WKHQ#
DSSOLFDWLRQ#VHUYHUV1#
([SODLQ#WKH#RUGHU#LQ#ZKLFK#
REMHFWV#VKRXOG#EH#PLJUDWHG#
WR#WKH#WDUJHW#GRPDLQ#LQ#D#
UHVWUXFWXULQJ1#
#
'HOLYHU\#7LS
#
$VN#VWXGHQWV#ZKDW#WKH#
LPSDFW#ZRXOG#EH#LI#FRPSXWHU#
DFFRXQWV#IRU#PHPEHU#
VHUYHUV#ZHUH#PLJUDWHG#SULRU#
WR#XVHU#DQG#JURXS#DFFRXQWV1#
#
<RX#PD\#DOVR#ZDQW#WR#XVH#
WKLV#RSSRUWXQLW\#WR#WHVW#
VWXGHQWV¶#NQRZOHGJH#RI#
UHVWUXFWXULQJ1#$VN#WKHP#KRZ#
HDFK#REMHFW#FDQ#EH#PLJUDWHG#
WR#D#WDUJHW#GRPDLQ#LQ#DQ#
LQWHU0IRUHVW#UHVWUXFWXUH1#$VN#

WKHP#KRZ#HDFK#REMHFW#FDQ#
EH#PLJUDWHG#LQ#DQ#LQWUD0
IRUHVW#UHVWUXFWXUH1#
,PSRUWDQW#
# 0RGXOH#9=#'HYHORSLQJ#D#'RPDLQ#5HVWUXFWXUH#6WUDWHJ\# # 4<#


‹‹
#,GHQWLI\LQJ#'RPDLQ#3RVW05HVWUXFWXULQJ#7DVNV#
3ODQQLQJ#IRU#UHGHILQLQJ#'$&/V
3ODQQLQJ#IRU#UHGHILQLQJ#'$&/V
3ODQQLQJ#IRU#FOHDQLQJ#XS#V,'+LVWRU\
3ODQQLQJ#IRU#FOHDQLQJ#XS#V,'+LVWRU\
'HWHUPLQLQJ#ZKHQ#WR#FRQYHUW#WKH#WDUJHW#GRPDLQ#WR#SURGXFWLRQ
'HWHUPLQLQJ#ZKHQ#WR#FRQYHUW#WKH#WDUJHW#GRPDLQ#WR#SURGXFWLRQ
1
1
1
2
2
2
3
3
3
3ODQQLQJ#IRU#GHFRPPLVVLRQLQJ
3ODQQLQJ#IRU#GHFRPPLVVLRQLQJ
4
4
4



The following are the post-restructuring tasks that you need to perform when
planning a restructure strategy:
1. Planning for redefining DACLs to avoid the unknown user problem, which
occurs when the SIDs of the users and groups that have been cloned cannot
be resolved.
2. Planning for cleaning up sIDHistory to minimize the size of access tokens.
3. Determining when the target domain will be converted to production.
4. Planning for decommissioning the source domain infrastructure so that
hardware can be redeployed.

6OLGH#2EMHFWLYH#
7R#LQWURGXFH#WKH#SRVW0
UHVWUXFWXULQJ#WDVNV1#
/HDG0LQ#
3RVW0UHVWUXFWXULQJ#WDVNV#
LQYROYH#UHGHILQLQJ#'$&/V/#
FOHDQLQJ#XS#V,'+LVWRU\/#
GHWHUPLQLQJ#ZKHQ#WKH#WDUJHW#
ZLOO#EH#FRQYHUWHG#WR#
SURGXFWLRQ/#DQG#
GHFRPPLVVLRQLQJ#WKH#
:LQGRZV#17#GRPDLQ#
LQIUDVWUXFWXUH1#