Saturday, March 15, 2008

Start by Upgrading Primary Domain Controller

When you decide to upgrade your network to a Windows 2000 Active Directory-based network, you'll need to plan the order in which servers and workstations will be upgraded. The Active Directory-based Windows 2000 domain controller is backward compatible with Windows NT 4.0 domain controllers, so upgrading the PDC is transparent to the users and domain controllers that are still operating under Windows NT 4.0. Backup domain controllers in the domain see the new Active Directory domain controller just as if it were a PDC in the Windows NT 4.0 domain. One consideration to keep in mind is that after you upgrade a server to be a Windows 2000 Active Directory domain controller, you can't, in the same domain, promote a Windows NT 4.0 BDC to become a PDC. The new Active Directory domain controller provides this capability as far as Windows NT 4.0 BDCs are concerned, and you can have only one PDC in a Windows NT 4.0 domain.

When you upgrade the PDC to become an Active Directory domain controller, you're prompted to either join an existing domain tree or create a new domain tree. If this is the first Active Directory domain controller in the network, you have to create a new domain tree. The operation is a simple, painless one—no complicated setup or configuration is required to create a domain tree.

After you've created the first Active Directory domain controller from the domain's PDC, you'll have a mixed network environment that still can function normally from the user's standpoint. That is, users still can authenticate using the BDCs that remain in the domain. However, because the BDCs do not yet recognize the Active Directory database, but instead see it as a PDC, you still can't create new security principals, such as user accounts, on the BDCs. This is the normal way in which a Windows NT 4.0 network functions. You will have to do so on the new Active Directory domain controller just as you did when it was a PDC.


The new Active Directory domain controller uses the single-master replication method to inform any existing BDCs of changes to the security database. After you promote one or more BDCs to become Active Directory domain controllers in the domain, you can update the security database on any of those new domain controllers because they're all equal peers in the network with other Windows 2000 domain controllers. Multimaster replication is used only between the new Active Directory domain controllers. Existing Windows NT 4.0 BDCs continue to function as if the network were still composed of nothing but Windows NT 4.0 domain controllers.

However, after you've finally converted all your Windows NT 4.0 BDCs to be Active Directory domain controllers and have made the switch to the native-mode Windows 2000 Active Directory, only multimaster replication will occur from that point on. This implies that you will no longer be able to add Windows NT Server 4.0 domain controllers to the domain. If you're uncertain about the migration, leave at least one Windows NT 4.0 BDC in the domain and operate in a mixed environment until you're sure that the changeover is working as you expect and you have no need to downgrade back to a Windows NT 4.0-based network.
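The constraints spelled out in the preceding paragraphs (only the PDC is upgraded first, no BDC can be promoted to PDC once an AD domain controller exists, BDCs never accept new security principals, single-master replication toward BDCs versus multimaster among AD domain controllers, and a one-way switch to native mode) can be written down as a small checkable model. The following is an added example, not code from the original post or from Microsoft; the `Domain` class and its role names are constructed for illustration.

```python
# Constructed model of the NT 4.0 -> Windows 2000 domain upgrade rules the text
# describes; not Microsoft code, just those constraints as a checkable object.
from dataclasses import dataclass, field

NT4_PDC, NT4_BDC, AD_DC = "NT4 PDC", "NT4 BDC", "AD DC"


@dataclass
class Domain:
    dcs: dict = field(default_factory=dict)  # controller name -> role
    native: bool = False                     # native mode is a one-way switch

    def has(self, role):
        return role in self.dcs.values()

    def upgrade_pdc(self, name):
        # First step: the PDC becomes an AD DC but still looks like a PDC to BDCs.
        if self.dcs.get(name) != NT4_PDC:
            raise ValueError(f"{name} is not the PDC; upgrade the PDC first")
        self.dcs[name] = AD_DC

    def promote_bdc_to_pdc(self, name):
        # Blocked once an AD DC exists: it already fills the single PDC role.
        if self.has(AD_DC):
            raise ValueError("an AD DC already acts as PDC for the NT4 BDCs")
        self.dcs[name] = NT4_PDC

    def upgrade_bdc(self, name):
        if self.dcs.get(name) != NT4_BDC:
            raise ValueError(f"{name} is not an NT4 BDC")
        self.dcs[name] = AD_DC

    def create_user(self, on):
        # Security principals are created only on the PDC or an AD DC, never a BDC.
        if self.dcs[on] == NT4_BDC:
            raise ValueError(f"{on} is a BDC: create the account on the AD DC")
        return True

    def replication_to(self, dst):
        # AD DCs replicate single-master to NT4 BDCs, multimaster among themselves.
        return "single-master" if self.dcs[dst] == NT4_BDC else "multi-master"

    def add_dc(self, name, role):
        if self.native and role != AD_DC:
            raise ValueError("native mode: NT4 domain controllers cannot be added")
        self.dcs[name] = role

    def switch_to_native(self):
        if self.has(NT4_BDC) or self.has(NT4_PDC):
            raise ValueError("convert every NT4 BDC before switching to native mode")
        self.native = True
```

Walking a planned upgrade through this model flags the step that would break the mixed environment (for example switching to native mode while a BDC is still in the domain) before anyone runs dcpromo for real.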

Tip

You should always keep a "back door" open when implementing new technology. When you make the final decision to go with the Active Directory and forego the Windows NT PDC/BDC networking method, keeping an old BDC around can be a lifesaver if something goes wrong. To provide this open door using a BDC, you don't have to keep the old BDC online in the new network. Instead, before you make the final switch, take a BDC offline. That is, turn it off or disconnect it from the network. Keep it around for a few months until you're absolutely sure that you don't need to downgrade out of the Active Directory. If some disastrous event occurs that forces you to back out of the upgrade, the BDC will not contain any changes that are made after it is taken offline, but it will be a good place to start when trying to recover your old network.

However, you must consider that this is a short-term solution. In a large network, computers will change their own computer passwords, and thus render this capability almost useless for the long term. You should also take into consideration your password policy. How often do you require that users change their password? In either of these cases, using this back door can cause more problems than it solves.

After you have made the switch and all domain controllers are based on the Active Directory, all clients, including those down-level non-Windows 2000 clients, will be capable of taking advantage of the transitive trust relationship that's created between all domains in the domain tree. This is because the trust relationship is created between domain controllers, which perform authentication functions, not by the individual workstations or other clients in the network. That means you can proceed to upgrade all your BDCs to Windows 2000 Active Directory domain controllers and then, as you find opportunities to schedule the required downtime, you can upgrade client machines, such as Windows NT 4.0 Workstation clients, at a more leisurely pace.

Adding Other Domains to the Active Directory

In a multidomain network, you'll first create a domain tree using one of the domain controllers in an existing domain or you can even create a new domain from a fresh install to serve as the first domain in a new domain tree.

When you later decide to upgrade other domains in your network to use the Active Directory, you can still create a new domain tree or you can choose to join the existing domain tree. Again, the operation is simple. To join an existing domain tree, you need only supply the name of the parent domain where you'll attach the new domain to the tree.

Several things occur when you join an existing tree:

Upgrade the Master Domain First

In the master domain model, all user accounts reside in the master domain and resources are created in separate resource domains. When you upgrade a network that's based on a single domain, there isn't much choice: first upgrade the PDC and then upgrade the domain's BDCs.

Note

If you're starting from scratch—that is, you're running Windows NT 4.0 in a standalone or workgroup mode and don't have a PDC—you can still create a domain controller for your Windows 2000 network. After you've installed Windows 2000 Server or upgraded a Windows NT 4.0 server to Windows 2000, you can then use the command dcpromo to promote the server to be a domain controller. The process is not as complicated as you might think. Simply bring up the Command Prompt (from the Start menu, choose Programs, Accessories, Command Prompt) and enter the command dcpromo. The Active Directory Installation Wizard pops up to guide you through the process. This command can also be used on Windows 2003 servers.
