Upgrading from a Windows NT domain

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

See the following recommended steps for upgrading from a Windows NT domain.

Plan and implement a namespace and DNS infrastructure

Because Domain Name System (DNS) is required for Active Directory, ensure that you have designed a DNS and Active Directory namespace and have either configured DNS servers or are planning to use the Active Directory Installation Wizard to automatically install the DNS service. For more information, see DNS integration and Namespace planning for DNS.

Determine forest functionality

Forest functionality determines the type of Active Directory features that can be enabled within the scope of a single forest. Each forest functional level has a set of specific minimum requirements for the versions of operating systems that domain controllers throughout the forest can run. For example, the Windows Server 2003 forest functional level requires that all domain controllers run a product in the Windows Server 2003 family.

When you are upgrading your first Windows NT domain to become the first Windows Server 2003 domain, it is recommended that you set the forest functional level to the Windows Server 2003 interim forest functional level, which you will be prompted to set during the upgrade. This level contains all of the features used in the Windows 2000 forest functional level, including the following two important Active Directory replication enhancements:

  • Improved replication efficiency and scalability. For more information, see Replication overview.

  • Linked value replication for more efficient replication of group memberships. For more information, see How replication works.

For more information, see New features for Active Directory.

The Windows Server 2003 interim functional level is an option only when upgrading the first Windows NT domain to a new forest and can be manually configured after the upgrade. For more information about how to manually set this functional level, see "Upgrading Windows NT 4.0 Domains to Windows Server 2003" at the Microsoft Windows Resource Kits Web site. The Windows Server 2003 interim forest functional level only supports domain controllers running Windows Server 2003 and Windows NT, not domain controllers running Windows 2000. You cannot install Active Directory on servers running Windows 2000 in a forest with the functional level set to Windows Server 2003 interim. For more information about forest functionality, see Domain and forest functionality.

Upgrade the primary domain controller

The first server you must upgrade is the primary domain controller (PDC) running Windows NT 4.0 or earlier. During the upgrade, the Active Directory Installation Wizard requires that you choose to join an existing domain tree or forest or create a new domain tree or forest. If you decide to join an existing domain tree, you must provide a reference to the desired parent domain. For more information, see Checklist: Creating a new forest, Checklist: Creating a new child domain, or Checklist: Creating a new domain tree.

The Active Directory Installation Wizard installs all the necessary components on the domain controller, such as the directory data store and the Kerberos V5 protocol authentication software. Once the Kerberos V5 protocol is installed, the installation process starts the authentication service and the ticket granting service.

If this is a new child domain, then a transitive trust relationship is established with the parent domain. Eventually, the domain controller from the parent domain copies all schema and configuration information to the new child domain controller. The existing Security Accounts Manager (SAM) objects will be copied from the registry to the new data store. These objects are security principals.

During the upgrade, container objects are created to contain the accounts and groups from the Windows NT domain. The container objects are named Users, Computers, and Builtin and are displayed as folders in Active Directory Users and Computers. User accounts and predefined groups are routed to the Users container. Computer accounts are routed to the Computers container. Built-in groups are routed to the Builtin container.

Existing Windows NT 4.0 and earlier groups are placed in different containers depending on the nature of the group. Windows NT 4.0 and earlier built-in local groups (such as Administrators and Server Operators) are placed in the Builtin container. Windows NT 4.0 and earlier predefined global groups (such as Domain Admins), together with any user-created local and global groups, are placed in the Users container.

The upgraded PDC can synchronize security principal changes to remaining backup domain controllers (BDCs) running Windows NT 4.0 or earlier. The upgraded PDC is recognized as the domain master by BDCs running Windows NT Server 4.0 or earlier.

The upgraded domain controller is a fully functional member of the forest. The new domain is added to the domain and site structure and all domain controllers receive the notification that a new domain has joined the forest.

Upgrade any remaining backup domain controllers

Once you have upgraded the PDC running Windows NT 4.0 or earlier, you can proceed to upgrade all remaining BDCs. During the upgrade process, you might want to remove one BDC from the network to guarantee a backup if any problems develop. This BDC will store a secure copy of your current domain database.

If any problems arise during the upgrade, you can remove all domain controllers running Windows Server 2003 from the production environment, and then bring the BDC back into your network and make it the new PDC. This new PDC will then replicate its data throughout the domain so that the domain is returned to its previous state.

The only drawback to this method is that all changes that were made while the safe BDC was offline are lost. To minimize this loss, you could periodically turn the safe BDC on and off again (when the domain is in a stable state) during the upgrade process to update its safe copy of the directory.

If a domain controller running Windows Server 2003 becomes unavailable and no other domain controllers running Windows Server 2003 exist in the domain, a BDC running Windows NT can be promoted to a PDC to fill the role for the offline domain controller running Windows Server 2003.

When upgrading Windows NT 4.0 and earlier domains, only one domain controller running Windows Server 2003 can create security principals (users, groups, and computer accounts). This single domain controller is configured as a PDC emulator master. The PDC emulator master emulates a Windows NT 4.0 or earlier PDC. For more information about the PDC emulator role, see Operations master roles.

Complete the upgrade of the domain

After you have upgraded all existing Windows NT 4.0 and earlier primary and backup domain controllers to a Windows Server 2003 operating system, and you have no plans to use Windows NT 4.0 and earlier domain controllers, you can raise the domain functional level from Windows 2000 mixed to Windows 2000 native. For more information about how to raise the domain functional level, see Raise the domain functional level.

Several things happen when you raise the domain functional level to Windows 2000 native:

  • Domain controllers no longer support NTLM replication.

  • The domain controller that is emulating the PDC operations master cannot synchronize data with a BDC running Windows NT 4.0 or earlier.

  • Domain controllers running Windows NT 4.0 and earlier cannot be added to the domain. You can add new domain controllers running Windows 2000 or Windows Server 2003.

  • Users and computers using previous versions of Windows begin to benefit from the transitive trusts of Active Directory and can access resources anywhere in the forest with the appropriate permissions. Although previous versions of Windows do not support the Kerberos V5 protocol, the pass-through authentication provided by the domain controllers allows users and computers to be authenticated in any domain in the forest. This enables users or computers to access resources in any domain in the forest for which they have the appropriate permissions.

Other than the enhanced access to any other domains in the forest, clients will not be aware of any changes in the domain.
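The following read-only pre-flight check is an added example, not a script from this Microsoft page. It reads the forest and domain functional levels and the PDC emulator through ADSI, then lists every domain-controller account so you can confirm that no Windows NT 4.0 BDC remains before raising the level to Windows 2000 native; it assumes the rootDSE forestFunctionality and domainFunctionality attributes, the ntMixedDomain and fSMORoleOwner attributes on the domain head, and that upgraded controllers report Windows Server 2003 or Windows 2000 in operatingSystem.

```powershell
# Added example (not from the Microsoft page): read-only functional-level
# and domain-controller inventory for an upgraded Windows NT domain.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

# rootDSE values: 0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003
$levelName   = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003' }
$forestLevel = [int][string]$rootDse.forestFunctionality
$domainLevel = [int][string]$rootDse.domainFunctionality
# ntMixedDomain on the domain head distinguishes Windows 2000 mixed (1) from Windows 2000 native (0)
$mixed       = [int][string]$domain.ntMixedDomain
$domainLabel = $levelName[$domainLevel]
if ($domainLevel -eq 0) { $domainLabel += $(if ($mixed -eq 1) { ' mixed' } else { ' native' }) }

"Forest functional level : $($levelName[$forestLevel])"
"Domain functional level : $domainLabel"

# fSMORoleOwner is the DN of the PDC emulator's NTDS Settings object; its parent is the server object
$pdcSettings = [ADSI]"LDAP://$([string]$domain.fSMORoleOwner)"
$pdcServer   = [ADSI]$pdcSettings.Parent.Path
"PDC emulator            : $([string]$pdcServer.dNSHostName)"

# Accounts with the SERVER_TRUST_ACCOUNT bit (0x2000) in userAccountControl are domain
# controllers, which still includes any Windows NT 4.0 BDC accounts left in the domain.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$null = $searcher.PropertiesToLoad.AddRange(@('cn', 'operatingSystem'))

$ntBdcs = @()
foreach ($result in $searcher.FindAll()) {
    # result property names come back in lower case
    $name = [string]($result.Properties['cn'] -join '')
    $os   = [string]($result.Properties['operatingsystem'] -join '')
    "DC account              : $name ($(if ($os) { $os } else { 'operatingSystem not set' }))"
    # Assumption: an upgraded controller reports Windows Server 2003 or Windows 2000 here;
    # anything else is treated as a BDC that has not been upgraded yet.
    if ($os -notmatch 'Windows (Server 2003|2000)') { $ntBdcs += $name }
}

if ($domainLevel -eq 0 -and $mixed -eq 1) {
    if ($ntBdcs.Count -eq 0) { 'No NT 4.0 BDC accounts found; the domain can be raised to Windows 2000 native.' }
    else { "Do not raise the domain functional level yet; possible NT 4.0 BDCs: $($ntBdcs -join ', ')" }
}
if ($forestLevel -eq 1) { 'Forest is at Windows Server 2003 interim: Windows 2000 domain controllers cannot be added.' }
```

Run it from a Windows Server 2003 domain controller (or a domain member with the ADSI bindings available); it changes nothing, so the functional level is still raised through the Raise the domain functional level procedure referenced above.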

After upgrading a Windows NT 4.0 domain to an Active Directory domain, it is recommended that you delete and recreate all previously existing trusts with Active Directory domains. Even though the domain has been upgraded, each existing trust remains a Windows NT 4.0 trust, and Internet Protocol security (IPSec) does not work over a Windows NT 4.0 trust.

Install Active Directory client software on older client computers

Computers running Active Directory client software can use Active Directory features, such as authentication, to access resources in the domain tree or forest and to query the directory. By default, client computers running Windows 2000 Professional and Windows XP Professional have the client software built in and can access Active Directory resources normally.

Computers running previous versions of Windows (Windows 95, Windows 98, and Windows NT) require installation of the Active Directory client software before access to Active Directory resources is available. Without the client software, previous versions of Windows can only access the domain as if it were a Windows NT 4.0 and earlier domain, finding only those resources available through Windows NT 4.0 and earlier one-way trusts. For more information about the Active Directory client software, see Active Directory clients.