From NT Domain to Server 2003 Active Directory - Page 2
Yes, thinking. There are three ways to upgrade from NT to Server 2003 AD, and while it's a lot easier to back up in an AD deployment than it used to be, you really don't want to start down the wrong path. You'll end up wasting man-days, not man-hours, if you do.
Your three choices are: 1) upgrade, 2) restructure, or 3) upgrade and restructure. With an upgrade, you basically keep the exact same structure you're already using, but now you have AD at the top so you can better run the whole show. This, as you might guess, is also the easiest path, takes the least amount of time, has the lowest risks, and requires the fewest resources. It also presumes that instead of adding a new Server 2003 server, you're just converting at least one of your existing NT servers to Server 2003.
Your existing structure showing its age? Want better overall server uptime? In either of these cases, you'll want to restructure your network. If you want to retain your existing domain structure but add new Server 2003 machines and implement AD's features now rather than later, you'll want to do both an upgrade and a restructure.
But before charging out there, you also need to consider practical constraints. Even a mere upgrade of a small business network will take up a weekend. Do you have a free weekend? Do you have the budget to pay for people to work that weekend? Do you have working backup servers in place so your company can keep going even if your upgrade doesn't?
And let's not forget that if you're going to bring your application servers over to Server 2003 as well, you have to ask yourself: will your applications still work? After all, Server 2003 may be a killer file and Web server, but it has amazingly few applications that will run on it today.
Only make the move once you're 110% certain that you really want to do it and you have the resources to do it right.
Down and Dirty
OK, you now know exactly what you're doing, and you're ready to get the show on the road. Your next step is to head over to the Microsoft website and grab a copy of Active Directory Migration Tool 2.0. It's not just a great tool — it's a must-have tool for NT domain administrators on the AD move. I'd no more try an upgrade without it than I would face the day without brushing my teeth.
You'll also want to read Microsoft's white paper Migrating Windows NT Server 4.0 Domains to Windows Server 2003 Active Directory before making the move.
Once armed with these tools and information, you'll want to start with your PDC. What's that, your PDC can't handle Server 2003? In that case, start with a BDC, then upgrade it to a PDC and downgrade the old NT PDC to a BDC. After that, you can upgrade all the other BDCs. Or if you want, you can decommission them as BDCs and either leave them as NT servers or install Server 2003 on them. In either case, make them ordinary member servers.
If you haven't done so before, you'll also need to install Domain Name Service (DNS) on at least one of your servers. Active Directory needs DNS to resolve AD domain, site, and service names to IP addresses. You can use NT, W2K, or Server 2003 DNS, but for best results I recommend running Server 2003 AD and DNS on the same machine.
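A pre-flight check for the DNS requirement above, as an added example that is not part of the original article: it reads zone-file-style text (the format Netlogon writes to netlogon.dns) and reports domain controller locator SRV records that are missing, on the wrong port, or pointing at a host with no A record. The domain name, site name, host names and addresses are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample in netlogon.dns style; all names and addresses are placeholders.
SAMPLE_ZONE = """\
_ldap._tcp.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_kerberos._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 88 dc1.corp.example.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_gc._tcp.corp.example. 600 IN SRV 0 100 3268 dc2.corp.example.
dc1.corp.example. 3600 IN A 192.0.2.10
"""

RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(SRV|A)\s+(.+)$", re.IGNORECASE)

def expected_srv(domain, forest, site):
    """SRV owner names that AD clients query, mapped to the expected port."""
    return {
        f"_ldap._tcp.{domain}": 389,
        f"_ldap._tcp.dc._msdcs.{domain}": 389,
        f"_ldap._tcp.pdc._msdcs.{domain}": 389,   # registered by the PDC role holder
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}": 389,
        f"_kerberos._tcp.dc._msdcs.{domain}": 88,
        f"_gc._tcp.{forest}": 3268,
    }

def audit_zone(zone_text, domain, forest, site):
    """Return a list of (problem, name) tuples; an empty list means the zone is usable."""
    srv, hosts = {}, set()
    for line in zone_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        owner = m.group(1).rstrip(".").lower()
        if m.group(2).upper() == "A":
            hosts.add(owner)
        else:
            _prio, _weight, port, target = m.group(3).split()
            srv.setdefault(owner, []).append((int(port), target.rstrip(".").lower()))
    problems = []
    for name, port in expected_srv(domain, forest, site).items():
        recs = srv.get(name.lower(), [])
        if not recs:
            problems.append(("missing", name))
        for got_port, target in recs:
            if got_port != port:
                problems.append(("wrong-port", name))
            if target not in hosts:
                problems.append(("no-A-record", target))
    return problems
```

Calling `audit_zone(SAMPLE_ZONE, "corp.example", "corp.example", "Default-First-Site-Name")` on the constructed sample flags the absent PDC record and the global catalog target that has no address record.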
Along the way, you're also going to be creating Containers that will hold your NT users, computers, and groups. These objects are named Users, Computers, and Builtin. No, Builtin isn't just a funny name for groups. NT 4 built-in local groups, like Administrators and Server Operators User accounts, go into the Builtin container. Local and network groups that you've set up in NT 4 – the “jocks from accounting,” for instance – are placed in the Users folder.
As you upgrade your PDC, you'll likely want to set it as the first domain in a new Server 2003 forest. If that's the case – and if you're upgrading from NT to Server 2003 it almost certainly will be – you should set your forest functional level to "Windows interim" — aka Windows 2000's Mixed level. Don't worry about looking for the menu choice to do it; you'll be prompted for it during the upgrade. It gives you all of the Windows 2000-level forest functionality and also includes improved replication capabilities and speed.