Designing Your Windows 2000 Active Directory - Part 4

Managing Domains
Every Active Directory namespace design includes at least one domain. One domain is sufficient for most organizations, and it is easier to administer and maintain than multiple domains.

Several reasons can justify additional domains:

  • The domain will contain more than 10 million objects.
  • You need to control replication because a reliable network connection is unavailable.
  • Two or more groups in the organization have unique domain policy and security requirements. The domain boundary constitutes the security boundary.
  • The organization responds to political requests for autonomous administration of departments or divisions.

Collapse Resource Domains to a Hierarchy of OUs
In Windows NT Server 4.0, resource domains provide the means for delegating administration. Windows 2000 can reduce the administrative and hardware costs of those resource domains by collapsing them into a hierarchy of OUs. You can use the upgrade to the Active Directory to reduce the number of domains in the environment, thus simplifying the network administration and network structure.

Additional OUs may be necessary to delegate administration, scope the application of policy, scope visibility of objects, or to replace Windows NT Server 4.0 resource domains.

Preparing for Migration

The migration or deployment should be approached with the following goals:

  • Minimize disruption to the production environment.
  • Maintain or improve system performance.
  • User access to data, resources, and applications must be maintained during and after the migration.
  • The users' familiar environment must be maintained during and after the migration.
  • There must be minimal impact on security policy.
  • The enterprise must obtain earliest access to key features of the new platform.
  • There must be minimal setup of new permissions for resources.
  • Administrators should only have to visit the client computer a minimum number of times.
  • If possible, users must be able to retain their passwords.
  • There must be seamless migration of user accounts.

Domain Migration Methods

There are two basic types of migration scenario when moving from a Windows NT Server 4.0 environment to Windows 2000: domain migration, and incremental upgrade or migration.

Domain Migration
Domain migration provides the most rapid path to migrating to Windows 2000 and the Active Directory. This is an in-place upgrade of your domain. Some high-level steps involved in a domain migration include:

  • Take a synchronized backup domain controller (BDC) of the master account domain off-line; this provides a back-out plan.
  • Upgrade the primary domain controller (PDC) of the master account domain and at least one BDC.
  • Leave at least one BDC as Windows NT Server 4.0 to maintain a mixed-mode environment. Do not switch to native mode (all Windows 2000 domain controllers) until you need some of the replication and scalability features that come with native mode.
  • Next, proceed with upgrading all resource domains using the same steps as above.
  • Move objects from new Windows 2000 domains to the upgraded account domain and organize as needed. After all objects have been moved out of the Windows 2000 resource domains, retire the resource domains.

About this Entry

This page contains a single entry by Julian published on August 29, 2006 12:57 PM.
