Determining Domain Migration Strategies


Domain Restructure Scenarios

The two scenarios described in this section satisfy most requirements for domain restructure. Both scenarios facilitate the movement of users and computers from Windows NT source domains to Windows 2000 target domains. The examples are as follows:

Scenario #1: Migrating Users Incrementally from Windows NT to Windows 2000

In this scenario, you migrate users incrementally to a pristine Windows 2000 environment without impacting the Windows NT production environment. Figure 10.9 illustrates this example. The steps and utilities required for incremental migration are described in this section.

Figure 10.9 Migrating Users Incrementally


Note

Protecting the current production environment from migration changes ensures that it remains untouched during the process. This allows you to revert to the old production environment if the need arises.

After the migration is complete, you can decommission the old account domain and reassign the domain controllers. The steps in this scenario are as follows:

  1. Create the pristine Windows 2000 forest. Use the standard procedure to create a Windows 2000 destination forest that reflects the requirements and structure identified in the namespace planning activities of the organization. The domains you create in the new forest will be native mode Windows 2000 domains.
  2. Establish the trusts required for the forest to maintain resource access. This involves using Netdom to query what trusts currently exist from any resource domains to the Windows NT source domain.

    You can then compare the output from Netdom with the list of trusts that are required to allow resource access to users and groups in the target domain. Then use Netdom to establish any trusts that do not already exist.

  3. Clone all source global groups in the target domain. Most resources are protected using ACLs that reference global groups, usually indirectly through shared or computer local groups. After you have established trusts, you must ensure that the relevant global groups are available in the target domain.

    The simplest way to accomplish this is to clone all global groups using ClonePrincipal.

  4. Identify and clone sets of users. After you have cloned the source global groups to the target domain, you can begin the task of migrating users.

    This is an iterative task, because in most instances you want to move sets of users, which involves identifying user sets to migrate and then using ClonePrincipal to clone the source users in the destination domain.

  5. Decommission the source domain. When all users and groups have been moved permanently to the destination forest, your final task is to decommission the source domain. This involves powering off and removing first the source domain BDCs, and then the source domain PDC. It is recommended that you store the PDC for disaster recovery purposes.

    If you intend for these domain controllers to be reassigned in the new forest, you can upgrade them to Windows 2000 and then either promote them to domain controllers or leave them as member servers.

Particularly during the user migration phase, it might be prudent to test logon for certain users during each migration. If an error occurs at any stage before decommissioning, you can suspend the process and work can continue in the source production domain.

Scenario #2: Consolidating a Resource Domain into an OU

In this example, you consolidate a resource domain into an OU within a native mode Windows 2000 domain. You might do this to reduce the costs of administering complex trusts. Figure 10.10 illustrates this example. The steps and basic utilities required for this consolidation are described in this section.

Figure 10.10 Consolidating a Resource Domain into a Windows 2000 OU

In this example, the application servers become member servers in the target OU. It is assumed that the application servers in each domain are making use of shared local groups. It is also assumed that the domains might contain some member servers and clients.

After the domain restructure is complete, you can decommission the old domains. The process to consolidate a resource domain into a Windows 2000 OU is as follows:

  1. Establish any trusts required from the target domain to account domains outside the forest. This involves using Netdom to query what trusts currently exist from the resource domains to the account domains. You can then compare the output from Netdom with the trusts that already exist from the target domain to the account domains. Then use Netdom to establish any trusts that do not already exist.
  2. Clone all shared local groups. Shared local groups have scope only within the domain in which they were created, and are shared only between domain controllers in that domain. It is not necessary for you to move all domain controllers to the target domain immediately. To ensure that resource access is maintained while domain controllers and resources are split between source and target domains, you need to clone shared local groups to the target domain using ClonePrincipal.
  3. Demote application servers to member servers. After you have cloned all the shared local groups, you can start converting the application servers to member servers in the target OU.

    Upgrade the PDC of the resource domain to Windows 2000 and run the domain in mixed mode during the transition period. You can then upgrade each BDC to be demoted. During the BDC upgrade, run Active Directory Installation Wizard and choose to make the BDC a member server.

    If upgrading the PDC is not possible or desirable, then for each BDC you need to take the BDC offline and promote it to PDC. After you have promoted the BDC to PDC, you can upgrade it to Windows 2000, which effectively makes the offline domain controller the PDC of a "cloned" Windows 2000 mixed mode domain. After you have upgraded the PDC offline, you can run the Active Directory Installation Wizard to demote it to a member server, and then join the member server to the target domain.

  4. Move member servers (including former BDCs) and clients. During this step you can use Netdom to create a computer account in a destination domain OU for the member server or client to be moved. Join the computer to the destination domain.
  5. Decommission the source domain. When you have permanently moved all groups and computers to the destination forest, your final task is to decommission the source domain. This involves powering off and removing first the source domain BDCs and then the source domain PDC.

    If you plan to reassign the source domain controllers in the new forest, you can upgrade them to Windows 2000. You can then either promote them to Windows 2000 domain controllers or leave them as member servers.
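The trust reconciliation in step 2 of Scenario 1 and step 1 of Scenario 2 (query with Netdom, compare against the required list, create what is missing) can be scripted. The PowerShell below is an added example, not code from the Resource Kit; it assumes a current netdom.exe with the same trust switches, a text file you fill in from the Netdom query output with one "TrustingDomain TrustedDomain" pair per line (the script's own convention, not Netdom's output format), and placeholder domain names CORP-W2K, RES-EAST, RES-WEST and RES-LAB.

```powershell
# Added example (not from the Resource Kit): find which resource domains do not
# yet trust the new Windows 2000 account domain and emit the "netdom trust"
# commands that create the missing one-way trusts. Input file format is this
# script's own convention: one "TrustingDomain TrustedDomain" pair per line,
# filled in from "netdom query /domain:<resource domain> trust" output.
param(
    [string]$ExistingFile      = '.\existing-trusts.txt',               # constructed input
    [string]$TargetDomain      = 'CORP-W2K',                            # placeholder target domain
    [string[]]$ResourceDomains = @('RES-EAST', 'RES-WEST', 'RES-LAB'),  # placeholder resource domains
    [switch]$Apply                                                      # without -Apply, only print
)

# Index the captured trusts as "TRUSTING->TRUSTED" keys, ignoring blank or short lines.
$existing = @{}
foreach ($line in (Get-Content $ExistingFile)) {
    $parts = $line.Trim() -split '\s+'
    if ($parts.Count -ge 2) {
        $existing["$($parts[0].ToUpper())->$($parts[1].ToUpper())"] = $true
    }
}

# Each resource domain must trust the target domain so that users cloned into
# the target keep their access through the global groups cloned in step 3.
$missing = foreach ($res in $ResourceDomains) {
    if (-not $existing.ContainsKey("$($res.ToUpper())->$($TargetDomain.ToUpper())")) { $res }
}

if (-not $missing) { Write-Host 'All required trusts already exist.'; return }

foreach ($res in $missing) {
    # netdom trust <trusting domain> /d:<trusted domain> /add
    # Add /uo: /po: (trusting side) and /ud: /pd: (trusted side) if the
    # session you run this from lacks administrative rights in both domains.
    $netdomArgs = @('trust', $res, "/d:$TargetDomain", '/add')
    if ($Apply) {
        & netdom $netdomArgs
        if ($LASTEXITCODE -ne 0) { Write-Warning "netdom exited $LASTEXITCODE for $res" }
    } else {
        Write-Host "Missing trust, would run: netdom $($netdomArgs -join ' ')"
    }
}
```

Run it once without -Apply to review the list of trusts it would create, then again with -Apply.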


Note

For this scenario, when demoting BDCs to member servers, you need to move them over to the target domain as quickly as possible. Unless the domain is in native mode and shared local groups have been converted to domain local groups, resources accessible through these groups will not be available on the member servers.
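Step 4 of Scenario 2 (create the computer account in the destination OU with Netdom, then join the computer) is a per-machine task that is worth batching, especially given the note above about moving demoted BDCs quickly. The PowerShell below is an added example, not the Resource Kit's own code; it assumes a current netdom.exe, and the list file, domain name and OU distinguished name are placeholders.

```powershell
# Added example (not from the Resource Kit): for each computer listed in a
# text file (one NetBIOS name per line), pre-create its account in the target
# OU and then join it to the target domain, as in step 4 of Scenario 2.
param(
    [string]$ComputerList = '.\computers-to-move.txt',              # constructed input file
    [string]$TargetDomain = 'corp-w2k.example',                     # placeholder target domain
    [string]$TargetOU     = 'OU=AppServers,DC=corp-w2k,DC=example', # placeholder destination OU
    [int]$RebootDelay     = 60                                      # seconds before netdom reboots
)

# Prompt for credentials instead of hard-coding them: /ud and /pd need rights
# to create computer accounts in $TargetOU; /uo and /po need local administrator
# rights on each machine. ("/pd:*" would make netdom prompt per call instead.)
$domCred   = Get-Credential -Message "Account with rights in $TargetDomain"
$localCred = Get-Credential -Message 'Local administrator on the machines being moved'
$du = $domCred.UserName;   $dp = $domCred.GetNetworkCredential().Password
$lu = $localCred.UserName; $lp = $localCred.GetNetworkCredential().Password

$failed = @()
$names = Get-Content $ComputerList | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($name in $names) {
    # Create the computer account in the destination OU first.
    $addArgs = @('add', $name, "/d:$TargetDomain", "/ou:$TargetOU", "/ud:$du", "/pd:$dp")
    & netdom $addArgs
    if ($LASTEXITCODE -ne 0) { Write-Warning "account creation failed: $name"; $failed += $name; continue }

    # Join the machine to the destination domain and reboot it.
    $joinArgs = @('join', $name, "/d:$TargetDomain", "/ou:$TargetOU", "/ud:$du", "/pd:$dp",
                  "/uo:$lu", "/po:$lp", "/reboot:$RebootDelay")
    & netdom $joinArgs
    if ($LASTEXITCODE -ne 0) { Write-Warning "join failed: $name"; $failed += $name }
}

# Anything listed here is still in the source domain; do not decommission it yet.
if ($failed) { Write-Warning ('Not moved: ' + ($failed -join ', ')) }
```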

© 1985-2000 Microsoft Corporation. All rights reserved.