Chapter 8: Domain Upgrade

Section 2: Migration Scenarios

The example companies, organizations, products, people, and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.


Upgrade of the HB-ACCT-ROW Accounts Domain

Overview

Managers of the fictitious Hay Buv Toys Company decided to migrate its two biggest account domains, HB-ACCT and HB-ACCT-ROW, in two different ways. Because the users in Europe and Asia voted for a fast track to Microsoft Active Directory, the managers decided that HB-ACCT-ROW will serve as a proof of concept for the information technology (IT) department. The goal is to bring this domain and all users and groups to Active Directory as quickly as possible. Therefore, an in-place upgrade is the best solution. For the second big account domain, HB-ACCT, a secure migration path with fallback is necessary. Managers decided not to upgrade this domain, but instead to migrate all users and groups to a new domain.

Before a domain upgrade can start, IT administrators have to make one decision: Will this domain be a root domain for a new forest, or will it be an additional domain in an existing forest? Hay Buv Toys decided to implement a single domain model with a domain that will carry a new Domain Name System (DNS) name, hay-buv.tld. The HB-ACCT-ROW Windows NT 4.0 domain could be used as the new domain, and the DNS name of the domain could be different from the NetBIOS name, which cannot be changed as part of an upgrade.

In order to have a clean environment with regard to naming, the IT department decided to accept the higher cost: create the new domain hay-buv.tld first, upgrade HB-ACCT-ROW in place, and migrate all users and groups later. Therefore, the hay-buv.tld domain had to be installed first.

Figure 8.1

After the upgrade, the HB-ACCT-ROW domain will join the forest and become a child domain of hay-buv.tld. All trust relationships with the pre-Active Directory resource domains will also be upgraded in place.

Figure 8.2

In addition to the earlier version trusts to the resource domains, hb-acct-row will now have a bidirectional, transitive trust to its parent domain, hay-buv.tld.

Checklist

Leveraging experiences from the test lab and a pilot deployment, the planning team assisted the deployment team in creating checklists for the production deployment. The purpose of the list is to make sure that steps happen in the right order and to prevent any oversights. Besides the order of steps, the list defines specific checkpoints.

Here is a high-level summary of the checklists:

Pre-upgrade work

  • Determine domain controller hardware

  • Can the primary domain controller (PDC) be upgraded?

  • Can all domain controllers be upgraded?

  • Create machine assignment table

  • Secure domain data

  • Back up the PDC

  • Take the backup domain controller (BDC) offline

  • New or existing BDC

  • If the PDC cannot be upgraded, purchase new machine, install as a BDC, promote to PDC, and take old BDC offline (ensures full sync)

  • Install Microsoft Windows 2000 member server in domain (second replica later)

  • If the PDC cannot be upgraded, install new computer as Windows NT 4.0 BDC

  • Promote new Windows NT 4.0 BDC to PDC (guarantees full sync)

  • Take old PDC offline and secure

  • Create test matrix

Upgrade PDC (mixed mode domain)

  • Configure remaining Windows NT 4.0 BDC as LMRepl export server for logon scripts

  • Upgrade PDC -> Microsoft Windows 2000

  • Verify DNS configuration on Windows 2000 server

  • Promote former Windows NT 4.0 PDC to domain controller (as child of root domain)

  • Test environment (create user, create logon script, check access, check trusts)

  • Synchronize file replication services

  • Standard operations validation

Install additional domain controllers

  • Promote Windows 2000 member server to domain controller

  • Upgrade Windows NT 4.0 BDCs; decide for each one whether to decommission it, keep it as a member server, or promote it with dcpromo

Switch to native mode

When all domain controllers are Windows 2000, switch to native mode.

Checkpoints

  • Freeze environment

  • Post-dcpromo validation

  • Standard operations procedures in effect

  • Standard operations procedures in effect after switch to native mode

Preupgrade Work

During the preupgrade phase, administrators determine what hardware is currently used as domain controllers in the HB-ACCT-ROW domain and whether these domain controllers can be used as Microsoft Windows 2000 Active Directory domain controllers. They also secure data before the environment is frozen (checkpoint No. 1).

Determine Domain Controller Hardware

The hardware requirements on Windows 2000 Active Directory domain controllers are higher than those of Windows NT 4.0. The minimum requirements for domain controllers are Pentium 200 servers with at least 64 megabytes (MB) of memory. If many users are logging on to this domain controller, more powerful hardware should be chosen.

If administrators decide that new hardware is required, the new computers can be installed in the preupgrade phase and added to the existing domain.

For the HB-ACCT-ROW domain, the following domain controllers exist:

| Server name | Server role | Server hardware | Upgradable? |
|---|---|---|---|
| HB-ACCT-ROW-DC1 | PDC | Pentium 500 | Yes |
| HB-ACCT-ROW-DC2 | BDC | Pentium 500 | Yes |
| HB-ACCT-ROW-DC3 | BDC | Pentium 133 | No |
| HB-ACCT-ROW-DC4 | BDC | Pentium 133 | No |

Create Computer Assignment Table

The inventory of the Windows NT 4.0 domain controllers shows that only two of the four domain controllers can be upgraded to Windows 2000 Active Directory domain controllers. However, in order to guarantee reliability and performance of logon operations, the IT department decided that it needs at least three domain controllers. Another goal is to find new roles for the Windows NT 4.0 domain controllers that cannot be upgraded.

To ensure that the domain can be reverted completely to Windows NT 4.0 without the influence of Windows 2000 and Active Directory, one computer will be separated from the network before the upgrade begins and stored in a safe location. In case of any problems during or after the upgrade of the domain, this computer can be brought back to the domain and promoted to the new PDC in the domain. This will reset the state of the domain to where it was before the migration began.

Since HB-ACCT-ROW-DC4 cannot be upgraded to a Windows 2000 domain controller, this computer is used as the backup computer.

HB-ACCT-ROW-DC3 is the second computer that cannot be used as a Windows 2000 domain controller, but it can still work as a file and print server. There are two options to convert this computer to a member server: Either reinstall Windows NT 4.0 and configure the computer as a member server during setup, or upgrade the computer to Windows 2000 and keep it as a member server. Because the computer will be used mostly for network access and not for intensive user-interface operations, the computer will be upgraded. This provides the easiest migration path to a member server. If the computer is reinstalled instead, all resources on the computer must be re-ACLed.

Lastly, the IT department requires three domain controllers in the Active Directory domain. It decided to install a new server with the Windows 2000 operating system and add this computer as a member server to the domain before starting the upgrade. This ensures that the computer is immediately available to be promoted to a second replica after the PDC is upgraded. Alternatively, the computer can be installed after the PDC upgrade and then promoted to a domain controller.

The following table shows the computers and role assignment before and after the upgrade:

| Server name | Role before upgrade | Role after upgrade |
|---|---|---|
| HB-ACCT-ROW-DC1 | PDC | Domain controller (PDC operations master) |
| HB-ACCT-ROW-DC2 | BDC | Domain controller |
| HB-ACCT-ROW-DC3 | BDC | Decommissioned (member server) |
| HB-ACCT-ROW-DC4 | BDC | Decommissioned |
| HB-ACCT-ROW-DC5 | Member | Domain controller |

Install a New Member Server

Windows 2000 member servers can be installed into Windows NT 4.0 domains at any time and without any special considerations. As members in a Windows NT 4.0 domain, Windows 2000 member servers behave like Windows NT 4.0 member servers. They have their own Security Accounts Manager (SAM) database that can be used to create local users and local groups. Domain users and domain global groups from either this domain or any domain that is trusted by this domain can be added as members to the local groups.

When the Windows 2000 server is installed, the domain membership can be set either during the installation process or later by changing the network identification of the server.

To change the network identification, right-click on the My Computer icon on the desktop and select Properties.

After you restart the computer, the Windows 2000 member server will appear in the Windows NT 4.0 Server Manager. Because the server manager is running on a Windows NT 4.0 machine, the operating system version is read as Windows NT 5.0 Server.

Figure 8.3

Secure Domain Data

Before upgrading the first computer, administrators must save the domain database with all user and group accounts as well as domain-specific security settings. They can do this in one of two ways:

  • Back up the PDC and at least one BDC.

  • Synchronize one domain controller with the PDC, remove the computer from the network, and store the computer.

Before administrators secure the domain database, they should make sure that the domain is stable and apply all pending changes first. If, for example, new users have joined the company, administrators should create the users now and add them to groups. It is important to realize that if the domain has to be reset to Windows NT 4.0 and the backup tapes made later do not work, this is the state the domain will return to.

The IT department decided to back up the PDC plus at least one BDC. Therefore, administrators create backup tapes of HB-ACCT-ROW-DC1 and HB-ACCT-ROW-DC2, label them as preupgrade domain backups, and store them in a safe location.

After the upgrade, two domain controllers will be decommissioned: HB-ACCT-ROW-DC3 and HB-ACCT-ROW-DC4. While one computer, HB-ACCT-ROW-DC3, will be replaced by a new Windows 2000 Active Directory domain controller and kept as a member server, the other computer, HB-ACCT-ROW-DC4, will be used as the fallback domain controller. If anything goes wrong in the new Active Directory domain, all Windows 2000 domain controllers can be removed and HB-ACCT-ROW-DC4 can be brought back into the domain and promoted as the new PDC. As long as the domain has not been switched to native mode, all Windows NT 4.0 domain controllers will accept HB-ACCT-ROW-DC4 as PDC again and will replicate changes from it. This will bring the domain back to the state it was in before the upgrade was started.

To synchronize HB-ACCT-ROW-DC4 with the PDC:

  1. Open Server Manager on any domain controller.

  2. Select HB-ACCT-ROW-DC4.

  3. In the Computer menu, select Synchronize with Primary Domain Controller.

  4. Server Manager displays a dialog box that warns you that this action might take some minutes. Select Yes to perform the synchronization.

  5. A new dialog box will appear that confirms the action. Select OK.

    Figure 8.4

  6. Verify that the synchronization entry appears in the System log of the Event Viewer on HB-ACCT-ROW-DC4:

    Figure 8.5

Now that HB-ACCT-ROW-DC4 is in sync with the PDC, it should be removed from the network and moved to a secure location, like a storage room. The administrators should label it as the replica of the original HB-ACCT-ROW domain and warn that it must not be touched.

At this point, the administrators should make no further changes to the domain database until the PDC is upgraded, and they should create no new users or groups.

Now you have reached checkpoint No. 1, freeze of the Windows NT 4.0 environment.

Create a Test Matrix

Hay Buv Toys strictly follows the master/resource domain model: Only user and group accounts are located in the account domains; all workstations and resources such as file and print servers are in the resource domains. Local groups are used to grant access to resources.

To test a successful migration, tests need to include logon operations in the resource domain using accounts from the domain that was upgraded.

The hb-reswc domain was chosen as the test field. Four computers are in the hb-reswc domain:

| Computer name | Domain | Role |
|---|---|---|
| HB-RESWC-PDC | HB-RESWC | PDC, file server |
| HB-RESWC-MEM1 | HB-RESWC | Member server, file server, Internet Information Services (IIS) server |
| HB-RESWC-WS1 | HB-RESWC | User workstation |

Figure 8.6

Among others, the following accounts were created:

| Domain/computer | Name | Account type | Group members |
|---|---|---|---|
| HB-ACCT-ROW | FrankK | User | N/A |
| HB-ACCT-ROW | EvaL | User | N/A |
| HB-ACCT-ROW | Development | Global group | HB-ACCT-ROW\FrankK |
| HB-RESWC | Test | Local group | HB-ACCT-ROW\Development |
| HB-RESWC-MEM | Marketing | Local group | HB-ACCT-ROW\Development |

Additional properties have been assigned to user FrankK through User Manager for Domains. These properties are:

  1. Home Directory: the share \\HB-RESWC-PDC\FrankK, mapped to drive X:.

  2. Logon Hours: allowed on any day except Saturday and Sunday.

  3. Dial-in permission: granted.

The same attributes have been assigned to user EvaL. In addition, another property has been assigned to user EvaL using User Manager for Domains:

  4. Profiles Path: \\HB-ACCT-ROW-DC1\Profiles

Only EvaL has access to the directory \\HB-ACCT-PDC\Profiles\EvaL. Ensure that the appropriate file permissions are set on the directory and its files.

These attributes will be verified after FrankK is migrated. In addition, for user EvaL, the roaming profile attribute will be verified after this account is migrated.

For access checks after the various upgrade steps, the following access restrictions were created:

| Resource | Access rights |
|---|---|
| \\HB-RESWC-PDC\Sources | HB-RESWC\Test: FC |
| \\HB-RESWC-PDC\FrankK | HB-ACCT-ROW\FrankK: FC |
| \\HB-RESWC-MEM\Specifications | HB-RESWC-MEM\Marketing: FC |

FC = Full control

After groups and users are migrated, the access to resources must be checked.

| Test | Success/fail |
|---|---|
| User HB-ACCT-ROW\FrankK can log on to workstation HB-RESWC-WS1 | |
| User HB-ACCT-ROW\FrankK can access \\HB-RESWC-PDC\Sources | |
| User HB-ACCT-ROW\FrankK can access \\HB-RESWC-MEM\Specifications | |
| User HB-ACCT-ROW\FrankK can NOT access \\HB-RESWC-PDC\EvaL | |
| User HB-ACCT-ROW\EvaL can log on to workstation HB-RESWC-WS1 | |
| User HB-ACCT-ROW\EvaL can NOT access \\HB-RESWC-PDC\Sources | |
| User HB-ACCT-ROW\EvaL can NOT access \\HB-RESWC-MEM\Specifications | |
| User HB-ACCT-ROW\EvaL can access \\HB-RESWC-PDC\EvaL | |
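As an added example (not part of the original chapter), the following batch file runs the test matrix from the test workstation: logged on to HB-RESWC-WS1 as FrankK or EvaL, it probes each resource in that user's security context and reports PASS or FAIL against the expected result, so the matrix can be re-run identically after every upgrade step. The script name, the use of a directory listing as the access probe, and the mapped home drive X: as the logon check are assumptions.

```batch
@echo off
rem checkmatrix.cmd (added example; not part of the original chapter).
rem Run on HB-RESWC-WS1 while logged on as the account under test, e.g.
rem     checkmatrix FrankK        or        checkmatrix EvaL
rem Each row is probed in that logon session, so the result reflects the whole
rem chain the chapter relies on: trust -> HB-ACCT-ROW global group ->
rem HB-RESWC local group -> share/NTFS permission.
rem Assumptions: a successful directory listing counts as "can access" and any
rem error as "can NOT access"; the home drive X: that both test users have is
rem used as proof that the logon itself (and therefore the trust) worked.
rem Caveat: an unreachable server also shows up as "denied", so read a PASS on a
rem denied row together with the access rows for the same server.
setlocal enabledelayedexpansion
if "%~1"=="" (
    echo usage: %~nx0 FrankK ^| EvaL
    goto :EOF
)
set WHO=%~1
set FAILED=0

rem One row per resource: resource ^| expected for FrankK ^| expected for EvaL
set ROW1=\\HB-RESWC-PDC\Sources^|access^|denied
set ROW2=\\HB-RESWC-MEM\Specifications^|access^|denied
set ROW3=\\HB-RESWC-PDC\EvaL^|denied^|access

rem Logon check: the home directory of both test users is mapped to X:.
if exist X:\ (
    echo PASS  %WHO% is logged on to %COMPUTERNAME%, home drive X: is mapped
) else (
    echo FAIL  %WHO% home drive X: is not mapped, logon or home directory problem
    set /a FAILED=FAILED+1
)

for %%r in (ROW1 ROW2 ROW3) do call :probe "!%%r!"

echo.
if %FAILED%==0 (
    echo RESULT: all matrix rows passed for %WHO%
) else (
    echo RESULT: %FAILED% matrix rows FAILED for %WHO%
)
endlocal
goto :EOF

:probe
rem %~1 is "resource|expected-FrankK|expected-EvaL": pick the column for WHO,
rem probe the share and compare the observed result with the expected one.
for /f "tokens=1-3 delims=|" %%a in ("%~1") do (
    if /i "%WHO%"=="FrankK" (set EXPECT=%%b) else (set EXPECT=%%c)
    dir "%%a" >nul 2>&1
    if errorlevel 1 (set GOT=denied) else (set GOT=access)
    if "!GOT!"=="!EXPECT!" (
        echo PASS  %WHO% on %%a: expected !EXPECT!, got !GOT!
    ) else (
        echo FAIL  %WHO% on %%a: expected !EXPECT!, got !GOT!
        set /a FAILED=FAILED+1
    )
)
goto :EOF
```

Run it once per test user before the freeze and again after each checkpoint, and keep the output next to the filled-in matrix.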

Upgrade PDC (Mixed Mode Domain)

As soon as the PDC is upgraded to Windows 2000 and promoted to a domain controller again, the domain will be a Windows 2000 Active Directory mixed mode domain. For earlier version clients, this change will be transparent. For domain controllers, however, some restrictions require preparation work:

  • If the new Active Directory domain is not a forest root domain, the PDC must be able to locate either a parent domain or the forest root using DNS.

  • Windows 2000 domain controllers do not replicate files using the LMRepl file replication service to Windows NT 4.0 domain controllers.

Configure LMRepl File Replication Service

Because the PDC will no longer be able to act as the LMRepl export server after the operating system upgrade, another computer must be configured for this role until all Windows NT 4.0 domain controllers have disappeared from the domain. Ideally, this should be the last Windows NT 4.0 domain controller that will be upgraded or decommissioned.

In the case of the HB-ACCT-ROW domain, the domain controller HB-ACCT-ROW-DC3 cannot be upgraded to a Windows 2000 domain controller. Therefore, this domain controller is selected as the computer that is kept as the last Windows NT 4.0 domain controller.

The following instructions assume that the directory replication service is used and correctly configured in the HB-ACCT-ROW domain. The PDC, HB-ACCT-ROW-DC1, serves as the export server, while all other domain controllers serve as import servers. For more information on how to configure the Windows NT 4.0 directory replication service, please check the Windows NT 4.0 help files.

To configure the LMRepl file replication service on HB-ACCT-ROW-DC3:

  1. Open Server Manager on any domain controller (or on a workstation where the administration tools are installed).

  2. Select HB-ACCT-ROW-DC1.

  3. In the Computer menu, select Properties.

  4. In the Properties dialog box, select the Replication button. The dialog should show that the PDC HB-ACCT-ROW-DC1 serves as both LMRepl export and import server.

    Figure 8.7

  5. Disable the export functionality by selecting Do Not Export.

  6. Click OK, and then click OK again to close all dialogs. Now the PDC is only an import server.

  7. To configure the new LMRepl export server, select HB-ACCT-ROW-DC3.

  8. Open the Properties dialog box again, and then open the Replication dialog box. HB-ACCT-ROW-DC3 is configured as import server only.

    Figure 8.8

  9. Select Export Directories.

  10. Click the Add button, and select the HB-ACCT-ROW domain as target domain.

    Figure 8.9

  11. Click OK. HB-ACCT-ROW-DC3 is now configured as the export server.

  12. Click OK and then click OK again to close all dialog boxes.

  13. Restart the directory replication service on all domain controllers.

To test the configuration, create an empty file called test2.bat in the <system>\system32\repl\export\scripts folder on HB-ACCT-ROW-DC3. Wait approximately 5 minutes and check whether the file has been copied to \\HB-ACCT-ROW-DC1\netlogon, \\HB-ACCT-ROW-DC2\netlogon, and \\HB-ACCT-ROW-DC3\netlogon. If so, delete the file from HB-ACCT-ROW-DC3 again; replication will then remove it from HB-ACCT-ROW-DC1 and HB-ACCT-ROW-DC2 as well.

After the PDC is upgraded, a script will be added to synchronize the logon scripts created on the Windows 2000 PDC operations master role owner with the Windows NT 4.0 LMRepl export server (see "Synchronize File Replication Services" below).

Upgrade PDC to Windows 2000

The next step is to upgrade the operating system on the Windows NT 4.0 PDC. This can easily be done by inserting the Windows 2000 Server or Advanced Server CD-ROM and following the instructions presented by the wizard, or by upgrading over a network share by executing Winnt32.exe.

Note: Before Active Directory is installed on the server, TCP/IP needs to be configured so that the machine points to a DNS server that fulfills the Active Directory requirements. This can be achieved in one of two ways:

  • DNS is installed on the server and a new zone is created in DNS that matches the name of the Active Directory domain. In that case, a delegation entry has to be added to the DNS server that is higher in the hierarchy.

  • The server can point to a domain controller in the future parent domain hay-buv.tld that runs the DNS server. Then the necessary DNS entries can be created on that DNS server.

Since the child domain will live only during a transition time and be restructured into the parent domain later, the IT team selected the second choice.

  1. To upgrade the PDC, insert the Windows 2000 Server or Advanced Server CD-ROM in the CD-ROM drive on HB-ACCT-ROW-DC1.

  2. The Windows 2000 installation wizard will start automatically and present a dialog that asks whether you want to upgrade the system to Windows 2000.

  3. Select Yes to upgrade the system.

  4. The Windows 2000 installation wizard then will present a dialog box that allows you to either upgrade the system or create a new install. Select Next to upgrade to Windows 2000.

  5. Accept the license agreement in the next dialog box, and click Next.

  6. In the next dialog box, select Upgrade the file system (to NTFS5), and click Next.

  7. The system now starts copying files and will restart after some necessary system files are on the boot partition.

  8. The rest of the upgrade process runs automatically and requires no user input. After the server restarts, the Active Directory Installation Wizard starts automatically.

    Figure 8.10

Make sure that the DNS entries are correct before you run the wizard.

Verify DNS Configuration

In order to find Active Directory domains, the TCP/IP configuration on the server must point to at least one DNS server that is authoritative for the zone that stores the DNS domain of the new parent domain or the forest root. Because the Net Logon service on Active Directory domain controllers publishes SRV records in DNS, it is good practice to give the domain controller a fixed IP address rather than a Dynamic Host Configuration Protocol (DHCP) address.

To configure the DNS settings on the PDC:

  1. On the desktop, right-click My Network Places and select Properties. The Network and Dial-up Connections window will appear.

    Figure 8.11

  2. Select the icon that is used for your network connection (typically, the Local Area Connection), right-click, and select Properties.

  3. In the Local Area Connection Properties dialog box, select Internet Protocol (TCP/IP), and click Properties.

  4. In the Internet Protocol (TCP/IP) dialog box, make sure there is at least one entry for a DNS server that holds the DNS domain of the parent domain or of the forest root domain. If there is no entry, add the IP address of the DNS server(s).

    Figure 8.12

  5. Close all dialog boxes.

To test the configuration, open a command prompt, and use the ping utility on the domain name of the future Active Directory domain (not a server name). In this example, the future parent domain is hay-buv.tld.

Figure 8.13

If the search turns up a domain controller, the child domain can be installed.

To install the child domain, switch back to the wizard. Then follow these steps:

  1. In the Active Directory Installation Wizard, select Next.

  2. In the next dialog box, select To create a new child domain in an existing domain tree, and click Next.

  3. In the next dialog box, provide credentials that have administrator rights in the new parent domain. This account must have Enterprise Admin rights to create a new child domain. Click Next.

    Figure 8.14

  4. The next dialog box asks for the name of the new parent domain. Click the Browse button and select the parent domain hay-buv.tld, then click OK to return to the domain name dialog box.

    Figure 8.15

  5. Enter the name of the new domain. In this case, this is hb-acct-row. Note that the DNS name of the domain can be identical to the network basic input/output system (NetBIOS) name, but it does not have to be.

    Figure 8.16

  6. In the next two dialog boxes, confirm that you want to use the proposed locations for the Active Directory database file, the log files, and the SYSVOL by clicking Next.

  7. The next dialog box asks for a password for directory offline mode. This password is used when the administrator needs to start the domain controller in directory offline mode, in which Active Directory is not running on the domain controller, so a special password must be used to log on. Provide this offline-mode password and click Next.

  8. The last dialog box presents a summary of the options. Confirm this by clicking Finish.

  9. The installation wizard now starts the promotion process, during which it copies data from the domain controller in the parent domain. After the installation is finished, the server has to be restarted.

After restarting the computer, the administrator tests the Active Directory service. To do this, perform the following steps:

  1. Click the Start button and select Programs. Then select Administrative Tools, and then select Active Directory Domains and Trusts. There is a hierarchy of at least two Active Directory domains.

    Figure 8.17

  2. Right-click the hb-acct-row.hay-buv.tld domain, and select Manage. This opens the Active Directory Users and Computers MMC snap-in.

  3. In Active Directory Users and Computers, open the Domain Controllers organizational unit. You should see four domain controllers.

    Figure 8.18

  4. Open the Users container. You should see all users and groups that were created in the Windows NT 4.0 domain, including FrankK, EvaL, and the Development group:

    Figure 8.19

  5. On one Windows NT 4.0 BDC (such as HB-ACCT-ROW-DC2), open the Event Viewer, and then open the System Log.

  6. When the PDC was promoted on Windows 2000 to a domain controller again, some new objects were created. These objects were replicated to the BDCs. Make sure that you find an event with the ID 5715 in the log that identifies a partial sync from a PDC to a BDC.

    Figure 8.20

  7. Open the Server Manager on one of the BDCs. The PDC now shows up as a Windows 2000 computer (Windows NT 5.0 Primary).

    Figure 8.21

  8. Open a command prompt and use the nltest.exe tool to test the domain status (you can find nltest.exe in the support tools folder on your Windows 2000 Server CD-ROM).

    Type nltest.exe /parentdomain to test for the parent domain:

    E:\tools>nltest /parentdomain
    hay-buv.tld (1)
    The command completed successfully

    Type nltest /bdc_query:hb-acct-row to test the replication status of the BDCs. Note: Since HB-ACCT-ROW-DC4 was removed from the network, it should not appear in this list:

    E:\tools>nltest /bdc_query:hb-acct-row
    Server : \\HB-ACCT-ROW-DC2 SyncState : IN_SYNC ConnectionState : Status = 0 0x0 NERR_Success
    Server : \\HB-ACCT-ROW-DC3 SyncState : IN_SYNC ConnectionState : Status = 0 0x0 NERR_Success
    The command completed successfully

Check that all trust relationships are in place:

  1. On the PDC, in the Active Directory Domains and Trusts manager, right-click the hb-acct-row.hay-buv.tld domain and select Properties. In the properties dialog box, select the Trusts tab. You should see the following trusts:

    1. A parent-child trust relationship to the parent domain hay-buv.tld

    2. An external (Windows NT 4.0-style) trust to the resource domain HB-RES-WC

    Figure 8.22

  2. To verify the trusts, select one entry (such as HB-RES-WC), and click Edit. The dialog box will present information about this trust relationship (here, that it is an incoming, nontransitive trust).

    Figure 8.23

  3. Click Verify and enter administrator credentials for the resource domain.

  4. The next dialog box will tell you that the trust has been verified and is in place.

    Figure 8.24
  1. On all BDCs, open the Event Viewer and make sure there are no entries that say "Change log corrupt." Note the event number of any such entry.

  2. On all BDCs, make sure there are no full or partial sync errors.

  3. On the PDC, create a new user, FredM.

    Figure 8.25

  4. On all BDCs, make sure that the new user appears in the User Manager (this does not mean that the user was replicated because the User Manager always connects to the PDC).

  5. Wait 5 minutes and then check the BDCs. You should see a partial sync event 5715 that was created after the user was replicated from the PDC.

  6. Disconnect the PDC from the network and log on to the workstation HB-RESWC-WS1 using the user account FredM. If the logon succeeds, the trust relationships are in place and replication to the BDCs works. Connect the PDC to the network again.

  7. On the PDC, open a command prompt and execute repadmin.exe to check the replication status with the parent domain. You can find repadmin.exe in the support tools folder on the Windows 2000 Server CD-ROM. Repadmin will show you whether the last replication tries were successful or not:

    E:\tools>repadmin /showreps
    Default-First-Site-Name\HB-ACCT-ROW-DC1
    DSA Options : (none)
    objectGuid : 886a40f9-c627-4b82-a351-9505b2ea2149
    invocationID: a4354106-b63c-4244-a3ba-ab6f61368c3a

    ==== INBOUND NEIGHBORS ======================================

    CN=Schema,CN=Configuration,DC=hay-buv,DC=tld
        Default-First-Site-Name\HAY-BUV-DC1 via RPC
            objectGuid: ab24c9b4-a13c-487a-b7c4-9faf86368d33
            Last attempt @ 2000-03-17 18:57.21 was successful.

    CN=Configuration,DC=hay-buv,DC=tld
        Default-First-Site-Name\HAY-BUV-DC1 via RPC
            objectGuid: ab24c9b4-a13c-487a-b7c4-9faf86368d33
            Last attempt @ 2000-03-17 19:45.44 was successful.

    ==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

    DC=hb-acct-row,DC=hay-buv,DC=tld
        Default-First-Site-Name\HAY-BUV-DC1 via RPC
            objectGuid: ab24c9b4-a13c-487a-b7c4-9faf86368d33

    CN=Schema,CN=Configuration,DC=hay-buv,DC=tld
        Default-First-Site-Name\HAY-BUV-DC1 via RPC
            objectGuid: ab24c9b4-a13c-487a-b7c4-9faf86368d33

    CN=Configuration,DC=hay-buv,DC=tld
        Default-First-Site-Name\HAY-BUV-DC1 via RPC
            objectGuid: ab24c9b4-a13c-487a-b7c4-9faf86368d33

    E:\tools>

  8. Use the dcdiag tool to test Active Directory. Open a command prompt and execute dcdiag.exe without any parameters. Dcdiag is also included in the support tools on the Windows 2000 Server CD-ROM. For an explanation of the tests, run dcdiag /?.

    E:\tools>dcdiag

    DC Diagnosis

    Performing initial setup:
       Done gathering initial info.

    Doing initial non skippeable tests

       Testing server: Default-First-Site-Name\HB-ACCT-ROW-DC1
          Starting test: Connectivity
             ......................... HB-ACCT-ROW-DC1 passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\HB-ACCT-ROW-DC1
          Starting test: Replications
             ......................... HB-ACCT-ROW-DC1 passed test Replications
          Starting test: NCSecDesc
             ......................... HB-ACCT-ROW-DC1 passed test NCSecDesc
          Starting test: NetLogons
             ......................... HB-ACCT-ROW-DC1 passed test NetLogons
          Starting test: Advertising
             ......................... HB-ACCT-ROW-DC1 passed test Advertising
          Starting test: KnowsOfRoleHolders
             ......................... HB-ACCT-ROW-DC1 passed test KnowsOfRoleHolders
          Starting test: RidManager
             ......................... HB-ACCT-ROW-DC1 passed test RidManager
          Starting test: MachineAccount
             ......................... HB-ACCT-ROW-DC1 passed test MachineAccount
          Starting test: Services
             ......................... HB-ACCT-ROW-DC1 passed test Services
          Starting test: ObjectsReplicated
             ......................... HB-ACCT-ROW-DC1 passed test ObjectsReplicated
          Starting test: frssysvol
             ......................... HB-ACCT-ROW-DC1 passed test frssysvol
          Starting test: kccevent
             ......................... HB-ACCT-ROW-DC1 passed test kccevent
          Starting test: systemlog
             ......................... HB-ACCT-ROW-DC1 passed test systemlog

       Running enterprise tests on : hay-buv.tld
          Starting test: Intersite
             ........................ hay-buv.tld passed test Intersite
          Starting test: FsmoCheck
             ......................... hay-buv.tld passed test FsmoCheck

    E:\tools>

  2. After these preliminary tests, take the test matrix defined above and perform all tests. These should work as well as before the PDC upgrade.

If all checks are successful, the new domain controller is functioning properly.

This brings the process to checkpoint No. 2. The domain is now an Active Directory mixed mode domain that can fully participate in the Active Directory forest and benefit from transitive Kerberos trusts and so on. For Windows NT 4.0 clients, the transition is transparent; they can log on to either a Windows NT 4.0 BDC or the new Windows 2000 domain controller. Windows 2000 clients, however, always log on to mixed or native mode domains using Kerberos and therefore can only log on to Windows 2000 domain controllers, not to the Windows NT 4.0 BDCs. To balance the load of Windows 2000 client logons and to make the system robust, one or more additional domain controllers should be provided soon.

Synchronize File Replication Services

The two file replication services, LMRepl for Windows NT 4.0 and NT File Replication service (NTFRS) for the SYSVOL on Windows 2000, are not compatible, meaning they do not replicate files between them. Therefore, administrators have to create a manual process that copies new scripts from the logon folder in the SYSVOL to the LMRepl export folder on the Windows NT 4.0 domain controller.

The easiest way to perform this operation is as follows:

  1. On the Windows NT 4.0 domain controller that was configured as the LMRepl export server, create a batch file that copies all files from the netlogon share on the PDC to the repl\export\scripts folder.

  2. Add this batch file to the list of tasks that are executed once a day by the scheduling service.

  3. Configure the scheduling service to use a user account that has the rights to access the netlogon share on the PDC. Simple user rights are sufficient.

Note: The Windows 2000 Server Resource Kit has a more sophisticated script called lmbridge.cmd. It allows use of either xcopy or robocopy.

To create the batch script:

  1. On HB-ACCT-ROW-DC3 (the LMRepl export server), create the following batch file:

rem Map the netlogon share of the Windows 2000 PDC (HB-ACCT-ROW-DC1) to drive O:
Net use o: /delete
Net use o: \\hb-acct-row-dc1\netlogon
rem Copy all logon scripts into the LMRepl export folder; "Echo y|" answers the overwrite prompt
Echo y| copy o:*.* %systemroot%\system32\repl\export\scripts
Net use o: /delete

  2. Save the batch file, for example, as c:\tools\brepl.bat.

  3. Open a command prompt and type the following command to configure the schedule service:

at 12:00am /every:m,t,w,th,f,sa,su c:\tools\brepl.bat

  4. Open the server manager, select HB-ACCT-ROW-DC3, and select Services from the Computer menu.

  5. In the Services dialog box, select Schedule in the Service box, and click Startup.

  6. In the Service dialog box for the Schedule service, select Automatic as the startup type. In the Log On As section, select This Account and click the browse button. The object picker dialog box opens. Select a user account that has read access to the netlogon share on the PDC, such as the repl service account used by the LMRepl directory synchronization service, and click OK.

  7. Enter the password that is used by this account.

    Figure 8.26

  8. Click OK and then click Close to close all dialog boxes.

To test the synchronization, create a new empty logon script called test3.cmd in the logon scripts folder on the Windows 2000 domain controller. Execute the script manually and check whether it appears on all Windows NT 4.0 domain controllers in the repl\import folder.

Standard Operations Validation

At this point, all standard operations have to be validated. This includes tools as well as procedures. If, for example, customized tools were used in the Windows NT 4.0 domain to push new users from a human resources system to Windows NT, these have to be tested again in the production environment. At this point, a full fallback is still possible without any data loss.

After the validation of the standard procedures, checkpoint No. 3 is reached and the normal daily routine can begin again.

Install Additional Domain Controllers

As pointed out above, it is good practice to provide at least one more Windows 2000 domain controller very quickly. This can be done in two different ways:

  • A Windows 2000 member server can be promoted to domain controller.

  • The existing Windows NT 4.0 BDCs can be upgraded to Windows 2000 and promoted to domain controllers.

Promote Windows 2000 Member Server to Domain Controller

Hay Buv Toys wants to make sure that Windows NT 4.0 and Windows 2000 Professional clients can always log on. The fastest way to ensure that not all Windows 2000 clients depend on a single domain controller is to promote the Windows 2000 member server to a domain controller before upgrading additional Windows NT 4.0 domain controllers.

To promote the member server HB-ACCT-ROW-DC5 to a domain controller, first verify that the server is configured to query the right DNS server. Do this by resolving the domain name again:

F:\>ping hb-acct-row.hay-buv.tld 
Pinging hb-acct-row.hay-buv.tld [12.1.1.2] with 32 bytes of data: 
Reply from 12.1.1.2: bytes=32 time<10ms TTL=128 
Reply from 12.1.1.2: bytes=32 time<10ms TTL=128 
Reply from 12.1.1.2: bytes=32 time<10ms TTL=128 
Reply from 12.1.1.2: bytes=32 time<10ms TTL=128 
Ping statistics for 12.1.1.2: 
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 
Approximate round trip times in milli-seconds: 
Minimum = 0ms, Maximum =  0ms, Average =  0ms 
F:\>

The partition that will hold the SYSVOL must be an NTFS 5 partition. If it is not, it can be converted using the convert command:

convert c: /fs:ntfs

This converts the c: partition to NTFS. If the converted partition is the partition where the system files live, the computer has to be restarted for the conversion.

To promote the member server to a domain controller:

  1. Open a command prompt.

  2. Type dcpromo to start the Active Directory Installation Wizard.

  3. In the Welcome dialog box, press Next.

  4. This time, add a domain controller to an existing domain. Select Additional domain controller for an existing domain in the Domain Controller Type dialog box. Then click Next.

    Figure 8.27

  5. In the Network Credentials dialog box, enter the name for an account with administrative rights in the hb-acct-row.hay-buv.tld domain, enter the password, and then click Next.

  6. The next dialog already presents the hb-acct-row.hay-buv.tld domain as domain name. You could specify a different domain here. For this example, confirm that this is the right domain by clicking Next.

  7. The next two dialog boxes again ask for the location of the Active Directory database, the log files, and the SYSVOL. Accept the defaults and click Next.

  8. In the next dialog box, you must specify a password for the offline mode. Note that this password is unique for this domain controller. Add a password and note it.

  9. Confirm your settings by clicking Next in the Summary page.

  10. Now the promotion process starts. Restart the computer after the wizard has finished.

After the computer restarts, the domain controller has to be tested. The following tests should be performed:

  1. Run dcdiag.exe as above. No errors should be reported.

F:\tools>dcdiag

DC Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial non skippeable tests

   Testing server: Default-First-Site-Name\HB-ACCT-ROW-DC5
      Starting test: Connectivity
         ......................... HB-ACCT-ROW-DC5 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\HB-ACCT-ROW-DC5
      Starting test: Replications
         ......................... HB-ACCT-ROW-DC5 passed test Replications
      Starting test: NCSecDesc
         ......................... HB-ACCT-ROW-DC5 passed test NCSecDesc
      Starting test: NetLogons
         ......................... HB-ACCT-ROW-DC5 passed test NetLogons
      Starting test: Advertising
         ......................... HB-ACCT-ROW-DC5 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... HB-ACCT-ROW-DC5 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... HB-ACCT-ROW-DC5 passed test RidManager
      Starting test: MachineAccount
         ......................... HB-ACCT-ROW-DC5 passed test MachineAccount
      Starting test: Services
         ......................... HB-ACCT-ROW-DC5 passed test Services
      Starting test: ObjectsReplicated
         ......................... HB-ACCT-ROW-DC5 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... HB-ACCT-ROW-DC5 passed test frssysvol
      Starting test: kccevent
         ......................... HB-ACCT-ROW-DC5 passed test kccevent
      Starting test: systemlog
         ......................... HB-ACCT-ROW-DC5 passed test systemlog

   Running enterprise tests on : hay-buv.tld
      Starting test: Intersite
         ......................... hay-buv.tld passed test Intersite
      Starting test: FsmoCheck
         ......................... hay-buv.tld passed test FsmoCheck

F:\tools>

  2. Run nltest as above. No errors should be reported.

  3. Run repadmin /showreps. You should see more replication partners than before. Both HAY-BUV-DC1 and HB-ACCT-ROW-DC1 should appear as replication partners. The last replication attempts should be reported as successful.

F:\tools>repadmin /showreps
Default-First-Site-Name\HB-ACCT-ROW-DC5
DSA Options : (none)
objectGuid  : 09b3c2f6-9475-48b6-805d-90ac4927baed
invocationID: d26abd96-e2f4-47d1-8c12-addace280c68

==== INBOUND NEIGHBORS ======================================

DC=hb-acct-row,DC=hay-buv,DC=tld
    Default-First-Site-Name\HB-ACCT-ROW-DC1 via RPC
        objectGuid: 886a40f9-c627-4b82-a351-9505b2ea2149
        Last attempt @ 2000-03-17 18:53.58 was successful.

CN=Schema,CN=Configuration,DC=hay-buv,DC=tld
    Default-First-Site-Name\HAY-BUV-DC1 via RPC
        objectGuid: ab24c9b4-a13c-487a-b7c4-9faf86368d33
        Last attempt @ 2000-03-17 18:53.57 was successful.
    Default-First-Site-Name\HB-ACCT-ROW-DC1 via RPC
        objectGuid: 886a40f9-c627-4b82-a351-9505b2ea2149
        Last attempt @ 2000-03-17 18:53.57 was successful.

CN=Configuration,DC=hay-buv,DC=tld
    Default-First-Site-Name\HAY-BUV-DC1 via RPC
        objectGuid: ab24c9b4-a13c-487a-b7c4-9faf86368d33
        Last attempt @ 2000-03-17 18:53.57 was successful.
    Default-First-Site-Name\HB-ACCT-ROW-DC1 via RPC
        objectGuid: 886a40f9-c627-4b82-a351-9505b2ea2149
        Last attempt @ 2000-03-17 18:53.57 was successful.

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

DC=hb-acct-row,DC=hay-buv,DC=tld
    Default-First-Site-Name\HAY-BUV-DC1 via RPC
        objectGuid: ab24c9b4-a13c-487a-b7c4-9faf86368d33
    Default-First-Site-Name\HB-ACCT-ROW-DC1 via RPC
        objectGuid: 886a40f9-c627-4b82-a351-9505b2ea2149

CN=Schema,CN=Configuration,DC=hay-buv,DC=tld
    Default-First-Site-Name\HAY-BUV-DC1 via RPC
        objectGuid: ab24c9b4-a13c-487a-b7c4-9faf86368d33
    Default-First-Site-Name\HB-ACCT-ROW-DC1 via RPC
        objectGuid: 886a40f9-c627-4b82-a351-9505b2ea2149

CN=Configuration,DC=hay-buv,DC=tld
    Default-First-Site-Name\HAY-BUV-DC1 via RPC
        objectGuid: ab24c9b4-a13c-487a-b7c4-9faf86368d33
    Default-First-Site-Name\HB-ACCT-ROW-DC1 via RPC
        objectGuid: 886a40f9-c627-4b82-a351-9505b2ea2149

F:\tools>

  4. Create a user called MariaV on hb-acct-row-dc5. Wait approximately 10 minutes. Then disconnect both Windows 2000 domain controllers from the network. From the workstation hb-resws-ws1, log on as MariaV. If this succeeds, replication works between the Windows 2000 domain controllers as well as from the Windows 2000 PDC operations master role owner to the Windows NT 4.0 domain controllers.

  5. Perform all other tests as defined in the test matrix.
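The partner-and-status check that the repadmin /showreps step above asks for, as an added example that is not part of the original chapter: it parses showreps output (a constructed sample with one deliberately failed attempt and a missing naming context, not the page's capture) and reports every expected inbound link that is absent or whose last attempt failed. The expected-partner table is an assumption derived from the text above; adjust it for other domain controllers.

```python
import re

# Constructed sample in the layout of repadmin /showreps (not the page's capture):
# the Configuration NC is deliberately missing and one attempt is made to fail.
SAMPLE = """\
Default-First-Site-Name\\HB-ACCT-ROW-DC5
==== INBOUND NEIGHBORS ======================================

DC=hb-acct-row,DC=hay-buv,DC=tld
    Default-First-Site-Name\\HB-ACCT-ROW-DC1 via RPC
        Last attempt @ 2000-03-17 18:53.58 was successful.
CN=Schema,CN=Configuration,DC=hay-buv,DC=tld
    Default-First-Site-Name\\HAY-BUV-DC1 via RPC
        Last attempt @ 2000-03-17 18:53.57 was successful.
    Default-First-Site-Name\\HB-ACCT-ROW-DC1 via RPC
        Last attempt @ 2000-03-17 18:53.57 failed, result 1722: The RPC server is unavailable.

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============
"""

# Partners each naming context on HB-ACCT-ROW-DC5 must pull from (assumed from the text above).
EXPECTED = {
    "DC=hb-acct-row,DC=hay-buv,DC=tld": {"HB-ACCT-ROW-DC1"},
    "CN=Schema,CN=Configuration,DC=hay-buv,DC=tld": {"HAY-BUV-DC1", "HB-ACCT-ROW-DC1"},
    "CN=Configuration,DC=hay-buv,DC=tld": {"HAY-BUV-DC1", "HB-ACCT-ROW-DC1"},
}

PARTNER_RE = re.compile(r"^\s+\S+\\(\S+) via \S+$")           # "    Site\SERVER via RPC"
ATTEMPT_RE = re.compile(r"^\s+Last attempt @ \S+ \S+ (.+)$")  # "        Last attempt @ date time status"

def parse_inbound(text):
    """Map each naming context in the INBOUND section to a list of (partner, ok, status)."""
    inbound, nc, partner, in_section = {}, None, None, False
    for line in text.splitlines():
        if line.startswith("===="):                      # section banners delimit the report
            in_section = line.startswith("==== INBOUND")
        elif in_section and line[:3] in ("DC=", "CN="):  # naming contexts start in column 0
            nc = line.strip()
            inbound.setdefault(nc, [])
        elif in_section and (m := PARTNER_RE.match(line)):
            partner = m.group(1)
        elif in_section and nc and partner and (m := ATTEMPT_RE.match(line)):
            status = m.group(1).rstrip(".")
            inbound[nc].append((partner, status == "was successful", status))
    return inbound

def check_replication(text, expected=EXPECTED):
    """Return human-readable issues; an empty list means every expected link replicated."""
    inbound, issues = parse_inbound(text), []
    for nc, partners in expected.items():
        seen = {p for p, _, _ in inbound.get(nc, [])}
        issues += [f"{nc}: no inbound link from {p}" for p in sorted(partners - seen)]
        issues += [f"{nc}: {p} {s}" for p, ok, s in inbound.get(nc, []) if not ok]
    return issues
```

Running check_replication on the real output of a healthy HB-ACCT-ROW-DC5 returns an empty list; anything else is a reason to stop before the next step.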

Upgrade Remaining Windows NT 4.0 BDCs

The next step is to upgrade all Windows NT 4.0 BDCs to Windows 2000 and either promote them to domain controllers again or leave them as member servers.

Hay Buv Toys has two Windows NT 4.0 domain controllers left, HB-ACCT-ROW-DC2 and HB-ACCT-ROW-DC3. While HB-ACCT-ROW-DC2 can be used as Windows 2000 domain controller, HB-ACCT-ROW-DC3 will be converted to a member server.

To upgrade the operating system on HB-ACCT-ROW-DC2, follow the same steps as for HB-ACCT-ROW-DC1. After Windows 2000 is installed and the computer has restarted, the Active Directory Installation Wizard starts automatically again. Whether or not you want to install Active Directory on the server, always proceed through the wizard; never cancel it. The wizard detects that this computer was not the PDC of its domain (the PDC always has to be promoted to a domain controller) and offers you the choice of installing Active Directory or leaving the computer as a member server.

These are the steps:

  1. The wizard starts automatically with the Welcome screen. Click Next.

  2. A dialog box will ask you whether you want to leave the computer as a member server or promote it to a domain controller. Select Make a domain controller and click Next.

  3. From here on, the steps are identical to those for the promotion of HB-ACCT-ROW-DC5.

For HB-ACCT-ROW-DC3, the Windows NT 4.0 domain controller that is not powerful enough to serve as an Active Directory domain controller, the steps are slightly different.

The first step is again to upgrade the operating system to Windows 2000. After the upgrade, the Active Directory Installation Wizard will automatically start up again.

Note: Before you run the wizard, check the DNS configuration again and make sure the entries are correct. Otherwise, the computer might not be able to resolve domain names correctly and present its credentials to the right domain controllers. Never cancel the wizard; always go through the dialog boxes, even if you decide to use this computer as a member server in the future.

When you run the wizard, select Leave machine as member server in the Additional Domain Controller or Member Server dialog box.

In the next dialog box, provide the credentials for the administrator account in the domain, and then supply an administrator password for the member server. The last dialog asks you to confirm your options.

Now the computer will be configured as a member server and you will have to restart it. This will reset the security context on the member server. The computer will also be removed from the Domain Controllers organizational unit and moved to the Computers container. This ensures that group policies that are configured only for domain controllers will not apply to the member server anymore.

At this point, all domain controllers in the domain are running Windows 2000, but the domain is still in mixed mode. Perform all tests defined in the test matrix to make sure that all operations work as usual.

Switch to Native Mode

The switch from mixed mode to native mode does not affect clients as such, only domain controllers. After the domain has been switched, the PDC FSMO (the PDC emulator role owner) stops replicating to Windows NT 4.0 domain controllers.

After a period of extensive testing in an environment with Windows 2000 domain controllers only, Hay Buv Toys decided that the time for the switch had come. After the switch, the Windows NT 4.0 domain data saved on the backup tapes and the stored Windows NT 4.0 domain controller will become worthless as a fallback.

To perform the switch:

  1. On any domain controller in the hb-acct-row domain, open the Active Directory Users and Computers manager.

  2. Right-click the domain (hb-acct-row.hay-buv.tld) and select Properties.

  3. In the Properties dialog box, press Change Mode.

  4. A message box will warn that this is a one-way operation. Once the domain is switched into native mode, it can never be reversed to mixed mode again. Press Yes to confirm the switch and then close all dialogs.

  5. Wait approximately 15 minutes until the switch has been replicated to all domain controllers.

After the switch, all tests should be performed again.