Upgrading a Windows NT Domain to Windows 2000 Active Directory
Scenario Guide and Walkthrough
This scenario guide outlines the steps to upgrade a Microsoft Windows NT 4.0 primary domain controller (PDC) to a Windows 2000 domain controller. Specifically, it focuses on a simple upgrade-in-place of a Windows NT 4.0 PDC in a single domain environment, and describes the deployment of the Active Directory service, as well as the DNS and DHCP services.
On This Page
Active Directory Upgrade Tasks
Post Upgrade Tasks
For More Information
Active Directory is the widely touted new directory service integrated into Windows 2000, and is one of the most significant new features of the operating system. Before proceeding with this walkthrough, which leads you through the process of upgrading to a Windows 2000 domain controller and installs Active Directory, take a minute to analyze what a directory service is, how Active Directory works, and how implementing Active Directory in your organization can help you accomplish your business goals.
A directory service stores information about all network resources and makes that information available to administrators, users, and applications. Many companies have multiple directory services that they must manage, such as one for sending e-mail, one for managing users accounts, and one for storing information about applications. The complexity of administering and using multiple accounts has a negative affect on the productivity of everyone involved.
Using Active Directory, administrators manage a directory service that is completely integrated with the operating system, which means that it provides one management interface for many directory service tasks. In addition, Active Directory significantly strengthens network security by acting as the central authority for governing access control and user authentication.
And in addition to strengthening the internal security of your network, implementing the Active Directory service also lets you take advantage of advanced security features, such as support for Kerberos, smart cards, public key infrastructure (PKI), and x.509 certificates, which are especially useful for companies that do business over the Internet or want to share information with business partners over an extranet.
Active Directory builds on the familiar architecture of the Windows NT operating system with the addition of standards-based technologiesDNS and the Lightweight Directory Access Protocol (LDAP)to access Active Directory features. Active Directory uses DNS as a locator service, resolving domain names to IP addresses and LDAP, the industry standard, protocol for directory service access, for accessing data. For example, when an Active Directory client wants to log on to an Active Directory domain, the client queries its DNS server for the IP address of the LDAP service running on the domain controller.
To simplify managing your network, enhance network security, and make use of open standards that allow you to extend and interoperate your directory service with other applications, directory services, and devices, take a look at how to install Active Directory when upgrading to Windows 2000.
Active Directory Upgrade Requirements
Note that this document makes the assumption that you have no external or internal DNS server established in your current environment.
The administrative tools are installed by default on all Windows 2000 domain controllers. On Windows 2000-based standalone servers or workstations, the Active Directory Administrative Tools are optional and can be installed from the Optional Windows 2000 Components package.
Active Directory Upgrade Tasks
In this walkthrough you will perform the following tasks.
Gathering Information: Gather information about your existing environment including network infrastructure, file/print/Web servers, applications, directory services architecture, administrative model, and security.
Back up of Current Infrastructure
Backup Current Infrastructure: Backup of existing system including; PDC, WINS, and any other file/print server affected by a PDC upgrade.
Start Upgrade Process
Start upgrade process: Installation of Windows 2000 on your PDC and promotion of your PDC to Windows 2000 domain controller.
Install and Configure DHCP
Verify Upgrade: Testing that the upgrade to Windows 2000 Active Directory was successful including migration of users and groups, replication, user logon.
Client Installations: Deciding to install the Active Directory client on Windows 95, Windows 98, and Windows NT workstations.
Post Upgrade Tasks
Future Expansion: Includes installing Administrative Tools, switching to native mode.
Active Directory Upgrade Tasks
Before installing the Windows 2000 operating system, gather information about your current network infrastructure. This includes WINS, domain controllers, file and print servers, and Web servers.
You can collect information about your servers by using the Windows NT Diagnostics utility, also known as WinMSD, to gather configuration information into a report that you can print and store in a binder. A WinMSD report should cover all data about your WINS setup. Make sure you have documentation that covers your current WINS topology, and also include information such as Service Packs and hotfixes that may apply to your servers.
To run a diagnostic report
Click Start, then click Run, and type WinMSD.
On the File menu, click Print Report.
Verify that All Tabs is selected, and set Detail Level at Complete.
Note all the applications that you currently use in your company. Verify that they are compatible with Windows 2000. Thoroughly test each application prior to installation on Windows 2000-based servers or workstations. A plan of action for application verification would be to upgrade a workstation to Windows 2000. After a few weeks of constant use, if no issues arise, then you would feel confident that your applications are compatible.
It is also recommended that you go over the checklist below before installing Windows 2000 to verify that your systems meet the requirements for upgrading.
Make sure your computer can run Windows 2000
Check your hardware specifications to see if they meet the system requirements for Windows 2000 at the Microsoft Windows 2000 Web site at http://www.microsoft.com/windows2000/server/evaluation/sysreqs/default.asp.
The current requirements for windows 2000 Server are:
133 MHz or higher Pentium-compatible CPU.
256 MB of RAM recommended minimum. (128 MB minimum supported; 4 GB maximum.)
2 GB hard disk with a minimum of 1 GB of free space. (Additional free hard disk space is required if you are installing over a network.)
Windows 2000 Server supports up to four CPUs on one machine.
Windows 2000 Advanced Server supports up to eight CPUs on one machine.
Check to see if your hardware and software are compatible with Windows 2000
To find out if your hardware and software are compatible with Windows 2000, visit the Windows 2000 Product Compatibility Web site at http://www.microsoft.com/windows2000/upgrade/compat/search/default.asp
Setup generates a list of incompatible software and hardware, but the tools available in the compatibility area will let you know ahead of time if you need updates.
Install hardware and software updates, if necessary
Get hardware and software updates from your hardware or software manufacturer. Check the Windows 2000 Product Compatibility Web site for tools to help you determine if you need updates. It is particularly important to make sure you have the latest BIOS (basic input output system) available from your computer manufacturer.
Back up your files
Back up your files to a disk, a tape drive, or another computer on your network. More information on this is included in the "Backing up Current Infrastructure" section.
Get rid of viruses
Use anti-virus software to perform a virus scan on your hard disk. Then, if viruses are found to be present, cleanse your environment of all viruses.
Uninstall power management or disk management tools
If you are running power management or disk management tools provided by your computer manufacturer, you should uninstall these programs before you upgrade.
Read your readme
Read the applications section of the Readme.doc (in the root directory of the Windows 2000 Server CD-ROM), for information about programs that need to be disabled or removed before running Setup.
Uncompress any DriveSpace or DoubleSpace volumes before upgrading to Windows 2000. Do not upgrade to Windows 2000 on a compressed drive unless the drive was compressed with the NT file system (NTFS) compression feature.
Disconnect UPS devices
If you have an uninterruptible power supply (UPS) connected to your target computer, disconnect the connecting serial cable before running Setup. Windows 2000 Setup attempts to automatically detect devices connected to serial ports, and UPS equipment can cause problems with the detection process.
After you have gone through the above checklist you will be ready to insert the Windows 2000 CD and begin the upgrade. You also might want to use the Windows 2000 Readiness Analyzer, which can be found on the Microsoft Web site at http://www.microsoft.com/windows2000/upgrade/compat/default.asp
Backing up the Current Infrastructure
Back up your system including the primary domain controller (PDC), WINS server, and any other file and print server affected by a PDC upgrade.
When you complete a full backup of your PDC also perform a full restore of your PDC to verify that the backup was successful. If your PDC is a file and print server as well, then back up all files on the PDC. At this point you have a couple of choices.
Install a new back up domain controller (BDC) prior to Windows 2000 installation. This computer can be a low end machine, as long as it meets the minimum Windows NT 4 Server requirementsPentium or higher with 24 megabytes (MB) of RAM). Take the new BDC off-line right before installation.
Leave your current environment alone and rely on the Backup/Restore process to restore your domain should failure occur or you wish to revert to your previous system.
You might consider removing a backup domain controller temporarily from the network to safeguard your existing network integrity, as outlined in option one above. To do this, in your existing Windows NT network, choose a backup domain controller, ensure that it has a current copy of the user accounts database, and back it up. Then disconnect its network cable. After upgrading your primary domain controller, this disconnected system is available for promotion to a Windows NT primary domain controller if needed. However, in the course of an uneventful upgrade, you would not and could not promote the Windows NT backup domain controller to primary domain controller. Instead, you would continue the upgrade process, eventually reconnecting the disconnected server and upgrading it.
During and upgrade, you can maintain a mixed environment of Windows NT BDCs and member servers operating with Windows 2000 domain controllers. Because Windows 2000 Server does not support LAN Manager Replication Service (LMRepl), you need to create a bridge between LAN Manager Replication Service and Windows 2000 File Replication Service so that both services can operate. The Windows 2000 Server Deployment Planning Guide, Chapter 10, Determining Domain Migration Strategies, has information on how to configure this option.
Starting the Upgrade Process
As you upgrade this server, you will be given the choices of creating a new domain or a child domain, and creating a new forest or a domain tree in an existing forest. The easiest domain structure to administer is a single domain. This walkthrough is based on a single domain structure. In planning your network structure, you should start with a single domain and only add additional domains when the single domain model no longer meets your needs.
One domain can span multiple sites and contain millions of objects. You do not need to create separate domain trees merely to reflect your company's organization of divisions and departments. Within a domain, you can use organizational units for this purpose. You can then assign Group Policy settings and place users, groups, and computers into the organizational units
Before installing Windows 2000 Server on the PDC, make sure that data is synchronized between the PDC and the BDC. Although this occurs automatically, if you are an administrator, you can invoke synchronization.
To synchronize the domain
On the Start menu, point to Programs, then point to Administrative Tools, and then click Server Manager.
In the Server Manager dialog box, select PDC, and click Synchronize Entire Domain on the Computer menu.
The process of synchronization begins. To see if the procedure was successful, check the Event Viewer when prompted.
Now that the BDCs are completely updated with any recent changes made at the PDC and information is up-to-date across all domain controllers in the domain, you can start the account domain upgrade by upgrading the PDC.
Keep a Windows NT Server 4.0 CD-ROM present and the appropriate Service Pack CD-ROM. In case of disaster, you will want to upgrade a BDC to PDC. Also make sure that you have your backup in a secure location, yet available if required. Note your current user environment in User Manager for Domains. Then compare that to your Active Directory environment after the upgrade with Active Directory Users and Computers Snap-in.
For the upgrade, take your PDC off the network and unplug its network card. This ensures that
No password changes can occur during this process.
If the upgrade is unsuccessful, there is no affect on your Windows NT 4 Backup Domain Controllers.
Log on as an Administrator or an account with administrative privileges. Insert the CD-ROM and click Yes to Upgrade Now.
Note that the Active Directory Installation wizard asks if you want to upgrade to NTFS if your PDC is currently using a FAT partition. Windows 2000 Domain Controllers require NTFS, so you must convert a FAT partition to continue. It is important again to make sure that you have a valid backup of all your data files. In case of any corruption, you can always revert to your backup.
The Active Directory Installation wizard prompts you to create a new domain or a child domain and create a new forest or a domain tree in an existing forest. Since you have a single domain environment, you will choose to
Click Create a New Domain and click Next.
Click Create a New Forest and click Next.
At this point, you are notified that DNS is not installed on your computer, and asked if you want to install DNS on this server, click Yes. The Active Directory Installation wizard installs and configures DNS on this computer. Now it will ask you for the Fully Qualified Domain Name (FQDN) of your domain. For more information on Internet domain name registration and how to establish your name, go to the InterNIC Web site at http://www.internic.net. This should match your Internet name space, such as Litware-10.com.
It will now ask you for where you would like to place the Active Directory files and Sysvol files (the system files of domain controllers).
You might want to choose to install the Database files and Log files together on a separate physical Disk and install the Sysvol folder on another separate disk. This is to help with read and write access and paging to the folders. This will also increase performance. The file size requirement for the Active Directory database and log files is dependent on the number and type of objects in the domain database. The Active Directory Installation wizard allocates 200 MB for the database (Ntds.dit) and 50 MB for the log file(s), or 250 MB if they are placed on the same logical drive. Rounding and size calculation errors may result in errors even when 250 MB of free space is available, requiring even more free drive space to be available.
You will now be prompted for a choice about permissions.
To summarize: When you connect a remote Windows-based client to a Windows NT 4.0 Remote Access Services (RAS) or Routing and Remote Access Services (RRAS) server that is a member of a Windows 2000 domain, authentication may not succeed if you log on with a Windows 2000 domain account. If you log on with a local account to Windows NT 4.0 RAS or RRAS servers, or Windows 2000, the connection may succeed. If you think you will have any issues we recommend using Pre-Windows 2000 permissions.
At this point you will be prompted to enter in a Local Administrator password.
This is the password that will be used to log on to the computer when it is started in Active Directory Restore Mode. This must be the Local Administrator password. If your Administrator account was renamed, then it will be the renamed account's password. Store this password in a safe place. If you must boot in Restore Mode, you need this password.
Note: This password is not your domain Administrator password. It is only used when logging on to the domain controller when in Active Directory Restore Mode. This mode does not load Active Directory into memory. Therefore, the domain Administrator password will not work.
Finally, click Next and start the DCPROMO process. When completed, click Finish and restart your computer.
When the Windows 2000 installation is complete, click Finish and the server restarts with an Upgrade Account.
Verifying Upgrade Success
It is now important that you test and verifying that the upgrade to Windows 2000 Active Directory was successful including verifying that users and groups were migrated properly, testing directory service replication, and verifying that users can successfully log on to the network.
To test the new domain controller
Click Start, point to Programs, point to Administrative Tools, and click Active Directory Users and Computers.
Click Users, and you should find all of the users and groups (resource accounts if applicable) that were present in your Windows NT Server domain, as illustrated in the figure below.
To verify replication
Make changes to an account, or create a new account.
After a few minutes during which replication will occur, open User Manager for Domains on a Windows NT-based backup domain controller.
Check for the change to the Account/New Account.
To verify client authentication in Active Directory from a client computer
Log on to the domain.
Click Start, point to Search, then click For People.
Select Active Directory from the list.
Enter the username for logon, and click Search, and note that the name is listed.
Installing and Configuring DHCP
We can now talk about installing and using Dynamic Host Configuration Protocol (DHCP) in your network.
Although in certain environments it may be advantageous to install DNS and DHCP on separate computers, this walkthrough points out how to install and configure the DHCP service on a the same server we upgraded to a Windows 2000 domain controller. DHCP is a standard designed to reduce the complexity of administering IP address configurations by using a server computer to centrally manage IP addresses used on your network. Windows 2000 Server provides the DHCP service, which enables the server to perform as a DHCP server and configure DHCP-enabled client computers on your network.
To install DHCP
The following steps will guide you through installing and configuring the DHCP service for Windows 2000.
When the computer is started up again, log on as an Administrator. The Windows 2000 Configure Your Server wizard automatically starts.
To configure DHCP, select Networking in the left pane and then select DHCP. Click Start in the Windows Components wizard.
Click Networking Services, and then click Details.
In the Subcomponents of Networking Services list, click Dynamic Host Configuration Protocol (DHCP), and then click OK.
Click Next to install the DHCP service, then Finish to complete.
Or you may choose to do this configuration through the DHCP snap-in from the Microsoft Management Console. For the purposes of this paper, we will do the configuration of the DHCP service using the wizard.
Like other Windows 2000 components, DHCP is administered using an MMC snap-in. Once DHCP has been installed, the Microsoft Management Console (MMC) will be available on the Administrative Tools menu. To open the DHCP snap-in, click Start, point to Administrative Tools, and click DHCP.
To enable DHCP, it must be explicitly authorized to run by a member of the Enterprise Administrators group. This prevents the unauthorized activation of other Windows 2000 DHCP servers on a Windows 2000 network. To avoid problems in Windows 2000, DHCP servers are verified as legal in the network before they can service clients. This avoids most of the accidental damage caused by running DHCP servers with incorrect configurations or correct configurations on the wrong network. The DHCP service will also notify you when an unknown DHCP server has been brought online.
Note: This does not prevent Windows NT 4 DHCP servers from being authorized. It only prevents multiple Windows 2000 DHCP servers from being authorized in that subnet.
To authorize a DHCP server
Open the DHCP snap-in.
On the Action menu, click Authorize. (You'll notice that the server has a red dot before this action, which indicates that the server is not authorizedyou'll also see a message in the right pane if you select the server.)
On the Action menu, click Refresh.
After about 30 seconds, the operation completes and the red dot turns green when it is successful: the DHCP server is now authorized to perform DHCP services on the network.
The next step in configuring the DHCP service is to create and configure scopes for each physical subnet. A scope is an administrative grouping of computer for a subnet that uses the DHCP service. DHCP scope options let you automatically set many common network options when issuing leases.
A scope has the following properties:
A range of IP addresses from which to include or exclude addresses used for DHCP service lease offerings.
A unique subnet mask, which determines the subnet for a given IP address.
A scope name assigned when it is created.
Lease duration values, which are assigned to DHCP clients that receive dynamically allocated IP addresses.
To create a scope
Right click the server object in the DHCP snap-in, and then click New Scope.
Click Next on the Welcome page. Then enter a descriptive name for the DHCP scope, such as Main Scope.
Fill in a range of IP addresses that you will use on your network.
To balance DHCP server usage, a good practice is to use the 80/20 rule to divide the scope addresses between the two DHCP servers. If Server 1 is configured to make available most (approximately 80%) of the addresses, then Server 2 can be configured to make the other addresses (approximately 20%) available to clients.
When creating a new scope, the IP address used to create it should not include addresses of existing statically configured computers. Either these static addresses should be outside the range for the scope, or they should be immediately excluded from the range. Because Windows 2000 Server requires that a computer running the DHCP service have its IP address statically configured, be sure that the server computer has its IP address either outside of, or excluded from, the range of the scope.
The IP subnet mask number is automatically calculated. The next wizard page asks you to specify an exclusion range for the IP scope. Enter an exclusion range if desired.
On the next page, specify the lease duration for IP addresses within this scope. In this case, the lease duration is set to 8 days.
Click Yes when asked to configure scope options, and then click Next.
Enter an IP Address in the space provided, and click Add. You can attain this information from your network administrator. The Gateway address defines the default router for IP clients. In this case, we have entered an address that defines our server as the router.
Enter Litware-10.com as the domain name, and specify the IP address for the DNS Server.
For WINS information, enter your WINS server IP address. In this case, enter an address that defines the server as the WINS server.
When prompted to Activate the new scope, click Yes, and then Finish to complete the creation and configuration of the scope.
The new scope appears directly beneath the DHCP Server object in the DHCP snap-in. All information about the scope, including current leases and scope options, is available under the scope. Click the scope to expand it and view the various subfolders.
One other feature of Windows 2000 DHCP is the ability to perform dynamic client registration with DNS on behalf of DHCP client computers. DNS dynamic updates provide dynamic registration of client IP address and host names on a DNS server. This information is then used to further locate and manage computers from Active Directory. The settings related to this option are located on the DHCP server property page.
In the DHCP snap-in, right-click the DHCP server, and click Properties.
In the DHCP Properties dialog box, click the DNS tab.
Select Enable updates for DNS clients that do not support update, as illustrated below, and click Next.
After specifying options, click OK, and then close the DHCP snap-in.
Active Directory Client Installation
You can now choose to install the add-on Active Directory client software on workstations running Windows 95, Windows 98, or Windows NT.
The Active Directory client is network client software for computers connecting to Active Directory networks. A computer configured with the Active Directory client can log on to the network by locating a domain controller. The client can then fully benefit from the features of Active Directory.
The Active Directory client is provided in a single upgrade pack in a Clients folder on the Windows 2000 Server CD-ROM.
Because Windows 95, Windows 98, and Windows NT 4-based clients alone lack many of the features provided by the Windows 2000 Professional operating system, you might want to install the Active Directory client to take advantage of the following Active Directory features:
Capability to log on to a domain controller closest to the client
Ability to change password on any Windows 2000 domain controller, rather than having to relegate all such requests to a Windows NT PDC.
Active Directory Services Interface (ADSI)
Allows scripting to Active Directory to make it easier for administrators to automate their work.
Active Directory Windows Address Book property pages
Allows the user to change properties on their user object (for example, a phone number or address) that they have the permission to change from the user object pages accessible from by clicking Start, pointing to Search, and clicking For People.
In Windows 2000, NTLMv2 provides improved encryption for user passwords.
This choice should be thought of in this fashion: At what point do you think you will install Windows 2000 Professional on your client computers? The Active Directory client software should be used when the rollout will occur over an extended period of time. But, if you feel that the rollout will be quick, do not install the Active Directory client software and just complete your rollout.
Post Upgrade Tasks
Installing the Administrative Tools
Administrators who want to deploy Windows 2000 Professional in their environment still need to administer their network. The Windows 2000 Server CD-ROM includes an Administrative Tools setup file located in the \I386\AdminPak.msi file, which will install the administrative tools on your Windows 2000-based workstation.
After you have upgraded all existing Windows NT primary and back-up domain controllers to Windows 2000 Server and Active Directory and have no plans to use Windows NT domain controllers, you can switch the domain from a mixed-mode to native mode. The change from mixed mode to native mode is done manually by an administrator using the Active Directory Domains and Trusts snap-in. Several things happen when you change to native mode:
Windows 2000 domain controllers no longer support replication Windows NT backup domain controllers.
Windows NT domain controllers cannot be added to the domain. (You can of course add new Windows 2000 domain controllers.)
There is also an effect on groups. The following table shows the differences between native and mixed mode domains.
Both security and distribution groups can have universal scope.
Only distribution groups can have universal scope.
Full group nesting is allowed.
For security groups, group nesting is limited to groups with domain local scope having as their members groups with global scope (Windows NT 4.0 rule). Full group nesting is allowed for distribution groups.
Groups can be converted freely between security groups and distribution groups. Groups having global or domain local scope can be converted to groups with universal scope.
No group conversions are allowed.
Domain local groups can be used on any system within the domain.
Domain local groups can only be used only on domain controllers and back up domain controllers within the domain.
To change the domain mode
Click Start, point to Administrative Tools, and click Active Directory Domains and Trusts.
Right-click the domain node for the domain you want to administer, and then click Properties.
On the General tab, click Change Mode, and then click Yes.
Caution: Do not change domain mode if you have or will have any Windows NT 4.0 domain controllers. You can only change the mode from mixed mode to native mode. Once a domain is running in native mode, it cannot be changed back to mixed mode.
Windows 2000 Active Directory provides excellent backwards compatibility with your existing Windows NT-based environment. For example, you can continue to run Windows NT member servers. You can even add new Windows NT member servers to your environment after you've switched to native mode. And, the domain controllers you've upgraded will continue to support your existing clients, such as those based on Windows 95, Windows 98, and Windows NT.
How well you organize your directory service and use your networking infrastructure can be a pivotal part of your company's growth. By implementing Active Directory, your company can manage users, resources, and the relationships between them from one point of management and strengthen network security. Active Directory increases the value of your existing network because it supports interoperability with a variety of applications and devices.
Windows 2000 provides an ideal platform for the deployment of a directory service. With the integration of standards-based DNS and LDAP directory services in Active Directory and the underlying distributed security infrastructure of Windows 2000, companies can extend their networks faster than ever before.
For More Information
For the latest information on the Windows 2000, visit the Microsoft Web site at http://www.microsoft.com/windows2000 and the Windows 2000/NT Forum at http://www.microsoft.com/windows2000/community/default.mspx .
Windows 2000 Web Site Resources
Exploring Active Directory
Windows 2000 Planning and Deployment Guide