Active Directory Installation, Upgrade, and Migration Technologies

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

In this section

  • Active Directory Installation Wizard

  • Active Directory Preparation Tool

  • Active Directory Migration Tool

  • Active Directory Functional Levels

  • Domain Rename

The Active Directory directory service is used in server operating system environments to manage networks comprising Microsoft Windows clients, Windows 2000 Server and Windows Server 2003 servers and domain controllers, and Windows-compatible applications and services. There are many benefits to deploying Active Directory, including centralized management, scalability, and the ability to easily delegate administrative authority.

Some of the tools that are available to help you install and manage Active Directory include the following:

  • The Active Directory Installation Wizard (Dcpromo.exe), which is used to install Active Directory

  • The Active Directory Preparation Tool (Adprep.exe), which is used to prepare an existing Active Directory environment for a newer version of the directory service

  • The Active Directory Migration Tool (ADMT), which is used to restructure Microsoft Windows NT 4.0 or Active Directory domains

  • The domain rename tools (Rendom.exe and Gpfixup.exe), which are used to rename and restructure domains and adjust Group Policy settings to accommodate the new structure

Finally, new Active Directory features are enabled in a Windows Server 2003 environment by increasing domain and forest functional levels.

Active Directory Installation Wizard

The Active Directory Installation Wizard (Dcpromo.exe) configures a server to be a domain controller by installing Active Directory. Using the wizard, you can either add a domain controller to an existing domain or create the first domain controller in a new domain, whether that is a child domain in an existing forest or the root domain of a new forest.

You can run the Active Directory Installation Wizard from the command line, or from the Configure Your Server Wizard. You can also install Active Directory using an unattended setup script called an answer file.

When running the wizard from the command line, you can append the /adv switch to the dcpromo command to populate the directory from a backup of system state data taken on another domain controller in the same domain (install from media). Installing from backup media reduces the amount of data that must be replicated over the network, thus reducing the time required to install Active Directory. Two constraints apply: Active Directory rejects a backup that is older than the forest's tombstone lifetime, because installing from it could reintroduce objects that have since been deleted, and the backup contains the domain's password hashes and other secrets, so it must be stored, transported, and destroyed with the same care as a domain controller itself.

Before installing Active Directory, the wizard verifies that the server is eligible to run Active Directory by checking certain criteria. The following are examples of some of the criteria that the wizard checks before allowing an Active Directory installation to proceed:

  • There is sufficient disk space on the computer to store the Active Directory database.

  • You have sufficient privileges to install Active Directory on the computer.

  • The computer is running a correct version of the operating system.

After all prerequisites have been met, a user interface is used to gather information specific to the environment in which Active Directory will be installed, such as the Domain Name System (DNS) name and the storage locations for the Active Directory database and the SYSVOL shared folder. If you are installing Active Directory using an answer file, you will prepopulate the script with this information. Finally, the wizard configures Active Directory and makes the server a domain controller.
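The following is an added example, not code from the original page: a PowerShell script that builds a dcpromo answer file for adding a replica domain controller and runs the promotion unattended. The domain name, site name, database/log/SYSVOL paths and the temporary file location are assumptions. The security point it handles is that dcpromo reads both the install account password and the Directory Services Restore Mode password from the answer file in clear text, so the file is created with a restricted ACL, consumed, and deleted before the server is rebooted.

```powershell
# Added example, not from the original page. Promotes the local server to a
# replica domain controller with a dcpromo answer file. Domain name, site,
# database/log/SYSVOL paths and the temp location are assumptions.

$domainDns  = 'corp.contoso.com'           # assumption: domain the new DC joins
$siteName   = 'Default-First-Site-Name'    # assumption
$answerFile = Join-Path $env:SystemRoot 'Temp\dcpromo-answer.txt'

# Prompt for both secrets rather than embedding them in the script.
$installCred = Get-Credential -Message "Account allowed to add a DC to $domainDns"
$dsrmSecure  = Read-Host -AsSecureString 'Directory Services Restore Mode password'
$net  = $installCred.GetNetworkCredential()     # splits DOMAIN\user, exposes clear text
$dsrm = (New-Object System.Management.Automation.PSCredential('dsrm', $dsrmSecure)).GetNetworkCredential().Password
$userDomain = if ($net.Domain) { $net.Domain } else { $domainDns }

# [DCInstall] keys as accepted by dcpromo on Windows Server 2003 and 2008.
# RebootOnCompletion=No keeps control here so the file can be removed first.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$domainDns
SiteName=$siteName
DatabasePath=D:\NTDS
LogPath=E:\NTDS-Logs
SYSVOLPath=D:\SYSVOL
UserDomain=$userDomain
UserName=$($net.UserName)
Password=$($net.Password)
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@

# Create the file empty, strip inherited ACEs and grant only SYSTEM and the
# current user, and only then write the secrets into it.
New-Item -ItemType File -Path $answerFile -Force | Out-Null
icacls $answerFile /inheritance:r /grant:r 'SYSTEM:F' "$($env:USERDOMAIN)\$($env:USERNAME):F" | Out-Null
Set-Content -Path $answerFile -Value $answer -Encoding ASCII

try {
    # dcpromo is a GUI-subsystem binary, so wait on the process explicitly.
    $p = Start-Process -FilePath "$env:SystemRoot\System32\dcpromo.exe" `
                       -ArgumentList "/answer:$answerFile" -Wait -PassThru
    Write-Host "dcpromo exit code: $($p.ExitCode); details in $env:SystemRoot\debug\dcpromo.log"
}
finally {
    # Remove the clear-text secrets whether or not the promotion succeeded.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}

# The NTDS service is only registered once the server has been promoted.
if (Get-Service -Name NTDS -ErrorAction SilentlyContinue) {
    Restart-Computer -Force
} else {
    throw 'Promotion did not complete; review dcpromo.log before retrying.'
}
```

On Windows Server 2012 and later the dcpromo wizard is deprecated in favour of the Install-ADDSDomainController cmdlet, which takes the DSRM password as a SecureString and removes the need for a clear-text answer file altogether.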

Active Directory Preparation Tool

The Active Directory Preparation Tool (Adprep.exe) prepares your infrastructure for a new version of Active Directory. Adprep.exe is located on the Windows Server 2003 operating system CD and can only be run from the command line.

To prepare your Windows 2000 forest and domains for upgrade to Windows Server 2003 Active Directory, or to prepare for new Windows Server 2003–based domain controllers, you must:

  • Run adprep /forestprep once on the schema master to prepare the forest.

  • Run adprep /domainprep once on the infrastructure master in each domain in which you plan to install a Windows Server 2003–based domain controller. Run it only after the schema changes made by /forestprep have replicated to that infrastructure master; adprep /domainprep checks for them and fails if they have not arrived.

Adprep.exe performs a collection of operations that prepare the forest and domains for an Active Directory upgrade, including:

  • Extending the current schema with new schema information, while preserving previous schema modifications in your environment.

  • Adjusting default security descriptors and permissions on existing directory objects so that applications keep the access they need after the tightened default security settings are applied.
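The following is an added example, not code from the original page, covering the two-step adprep procedure above. It locates the schema master and the infrastructure master (the hosts adprep must be run on), reads the current schema version, checks the caller's group membership by well-known RID, and confirms that the /forestprep changes have actually replicated to the infrastructure master before /domainprep is suggested. It uses only the ADSI provider. The target schema version (30, the value adprep from Windows Server 2003 produces) is an assumption; the other version numbers are the documented objectVersion values for each release.

```powershell
# Added example, not from the original page. Target version is an assumption.
$targetSchemaVersion = 30
$knownVersions = @{ 13 = 'Windows 2000';           30 = 'Windows Server 2003'
                    31 = 'Windows Server 2003 R2';  44 = 'Windows Server 2008'
                    47 = 'Windows Server 2008 R2';  56 = 'Windows Server 2012'
                    69 = 'Windows Server 2012 R2' }

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNC = $rootDse.schemaNamingContext.Value
$domainNC = $rootDse.defaultNamingContext.Value

function Get-RoleOwnerHost([string]$ntdsSettingsDn) {
    # fSMORoleOwner is the DN of the owner's NTDS Settings object; its parent is
    # the server object, which carries the DC's DNS host name.
    return ([ADSI]"LDAP://$ntdsSettingsDn").psbase.Parent.dNSHostName.Value
}

function Get-SchemaVersionOn([string]$dcHost) {
    # Bind to one specific DC so the value reflects what has replicated to it.
    return [int]([ADSI]"LDAP://$dcHost/$schemaNC").objectVersion.Value
}

$schemaOwnerDn = ([ADSI]"LDAP://$schemaNC").fSMORoleOwner.Value
$infraOwnerDn  = ([ADSI]"LDAP://CN=Infrastructure,$domainNC").fSMORoleOwner.Value
$schemaMaster  = Get-RoleOwnerHost $schemaOwnerDn
$infraMaster   = Get-RoleOwnerHost $infraOwnerDn

# /forestprep needs Schema Admins and Enterprise Admins; /domainprep needs
# Domain Admins. Test by well-known RID, which survives group renames.
$tokenRids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups |
             ForEach-Object { $_.Value.Split('-')[-1] }
$required  = @{ '518' = 'Schema Admins'; '519' = 'Enterprise Admins'; '512' = 'Domain Admins' }
foreach ($rid in $required.Keys) {
    if ($tokenRids -notcontains $rid) { Write-Warning "Current token lacks $($required[$rid]) (RID $rid)" }
}

$current = Get-SchemaVersionOn $schemaMaster
Write-Host ("Schema master {0} reports schema version {1} ({2})" -f $schemaMaster, $current, $knownVersions[$current])

if ($current -lt $targetSchemaVersion) {
    Write-Host "Step 1: on $schemaMaster run   adprep /forestprep"
    Write-Host "        then let it replicate, for example: repadmin /syncall $infraMaster /A /e"
} else {
    Write-Host 'Step 1: /forestprep already applied at or above the target version.'
}

# The domain step must not start until the forest changes are visible on the
# infrastructure master, so read the schema version as that DC sees it.
$seenByInfra = Get-SchemaVersionOn $infraMaster
if ($seenByInfra -lt $targetSchemaVersion) {
    Write-Warning "Infrastructure master $infraMaster still sees schema version $seenByInfra; do not run /domainprep yet."
} else {
    Write-Host "Step 2: on $infraMaster run   adprep /domainprep"
    Write-Host '        (adprep from Windows Server 2003 SP1 or later: also   adprep /domainprep /gpprep)'
}
```

Checking the token by RID rather than by group name matters because Schema Admins and Enterprise Admins exist only in the forest root domain; an account that is Domain Admin in a child domain will pass a name-based check in its own domain and still be refused by adprep /forestprep.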

Active Directory Migration Tool

The Active Directory Migration Tool (ADMT) is used to consolidate Windows NT 4.0 or Active Directory domains to improve manageability, scalability, and security. You can use ADMT to restructure your Windows NT 4.0 domains to an Active Directory forest or to restructure Windows Server 2003 Active Directory domains within and between Active Directory forests.

When you use ADMT to migrate a user or group from either a Windows NT 4.0 domain to an Active Directory forest or between two Active Directory forests, you can use security identifier (SID) history to maintain resource permissions during migration so that access to resources is not interrupted. When the migration crosses a trust, note that SID filtering, which is enabled by default on trusts created from Windows Server 2003, discards the SIDs carried in sIDHistory; it must be relaxed on that trust for the duration of the migration, which also allows the other side's administrators to present arbitrary SIDs, so re-enable it as soon as the migration is complete.

ADMT includes wizards that automate common migration tasks, such as copying users, groups, and service accounts; moving computers; migrating trusts; and performing security translation. ADMT is available on the Windows Server 2003 operating system CD, in the Admigration.msi file in the \i386\admt directory. You can perform ADMT tasks by using the ADMT console, by using a command-line procedure, or by using a script. When running ADMT from the command line, you can use an option file to specify command-line options.
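The following is an added example, not code from the original page or from ADMT. Because access checks treat every SID in sIDHistory exactly like the account's primary SID, the attribute deserves an audit after a migration: an entry that carries a privileged RID, or a SID that belongs to the target domain itself (which no migration would produce), is something to investigate before SID history is relied on or cleaned up. The script enumerates every object in the current domain with a populated sIDHistory and flags those cases. The report path is an assumption.

```powershell
# Added example, not from the original page. Audits sIDHistory in the current domain.
$reportPath = 'C:\Temp\sidhistory-audit.csv'   # assumption

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNC = $rootDse.defaultNamingContext.Value
$domain   = [ADSI]"LDAP://$domainNC"
$thisDomainSid = New-Object System.Security.Principal.SecurityIdentifier($domain.objectSid.Value, 0)

# Well-known RIDs that should never show up in a migrated account's history.
$privilegedRids = @{ 500 = 'Administrator'; 512 = 'Domain Admins'; 518 = 'Schema Admins'; 519 = 'Enterprise Admins' }

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter   = '(sIDHistory=*)'
$searcher.PageSize = 1000     # paged so large domains do not hit the 1000-result cap
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName', 'sIDHistory'))

$findings = foreach ($r in $searcher.FindAll()) {
    $dn  = $r.Properties['distinguishedname'][0]
    $sam = $r.Properties['samaccountname'][0]
    foreach ($raw in $r.Properties['sidhistory']) {      # each value is a binary SID
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        $rid = [int]$sid.Value.Split('-')[-1]
        $flags = @()
        if ($privilegedRids.ContainsKey($rid)) {
            $flags += "privileged RID: $($privilegedRids[$rid])"
        }
        if ($sid.AccountDomainSid -ne $null -and $sid.AccountDomainSid.Equals($thisDomainSid)) {
            $flags += 'SID belongs to this domain (cannot be a migration artifact)'
        }
        New-Object PSObject -Property @{
            Account           = $sam
            DistinguishedName = $dn
            HistorySid        = $sid.Value
            Flags             = ($flags -join '; ')
        }
    }
}

$findings | Sort-Object Flags -Descending | Format-Table Account, HistorySid, Flags -AutoSize
$findings | Export-Csv -Path $reportPath -NoTypeInformation
$findings | Where-Object { $_.Flags } | ForEach-Object { Write-Warning "$($_.Account): $($_.Flags)" }
```

Once resources have been re-permissioned to the new SIDs (ADMT's security translation wizard), the sIDHistory values have done their job and should be removed, and SID filtering on the trust restored; a forest that keeps honouring old SIDs indefinitely has extended its trust boundary to every account that ever existed in the source domain.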

Active Directory Functional Levels

Although most Active Directory features are available by default, certain new features of Windows Server 2003 Active Directory, such as efficient group membership replication and domain rename, cannot be enabled until all domain controllers within a given scope (domain or forest) are running Windows Server 2003.

Windows Server 2003 Active Directory does not automatically enable such a feature even when all domain controllers within a forest are running Windows Server 2003. Instead, the responsibility for the decision is administrative so that you can still add domain controllers that are running earlier versions of Windows. By advancing the functional level of a Windows Server 2003 domain or forest, you enable new features within that scope.

Functional levels protect against incompatibility. Before you raise a functional level, Active Directory verifies that every domain controller in scope is running a version of the operating system that supports the new level, and refuses the raise if one is not. After you raise the functional level, Active Directory no longer allows the introduction of a domain controller with an incompatible version of Windows. In Windows Server 2003, raising a functional level cannot be undone, so confirm first that the remaining down-level domain controllers have really been demoted rather than merely switched off.
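The following is an added example, not code from the original page. It performs ahead of time the same compatibility check Active Directory makes before raising a domain functional level, so that the domain controller that would block the raise is identified. Each domain controller's NTDS Settings object carries msDS-Behavior-Version, the highest level that domain controller supports; the domain object carries the level currently in force. The target level (2, Windows Server 2003) is an assumption; the level-to-name mapping is the documented one.

```powershell
# Added example, not from the original page. Target level is an assumption.
$targetLevel = 2
$levelNames  = @{ 0 = 'Windows 2000';           1 = 'Windows Server 2003 interim'
                  2 = 'Windows Server 2003';    3 = 'Windows Server 2008'
                  4 = 'Windows Server 2008 R2'; 5 = 'Windows Server 2012'
                  6 = 'Windows Server 2012 R2' }

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.configurationNamingContext.Value
$domainNC = $rootDse.defaultNamingContext.Value

# Level currently in force. The attribute is absent on a Windows 2000 domain, which means level 0.
$domainObj    = [ADSI]"LDAP://$domainNC"
$currentLevel = 0
$v = $domainObj.'msDS-Behavior-Version'.Value
if ($v -ne $null) { $currentLevel = [int]$v }

# Every NTDS Settings object in the forest; keep only DCs that hold this domain partition.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Sites,$configNC")
$searcher.Filter   = '(objectClass=nTDSDSA)'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('hasMasterNCs', 'msDS-Behavior-Version'))

$dcs = foreach ($r in $searcher.FindAll()) {
    if (@($r.Properties['hasmasterncs']) -notcontains $domainNC) { continue }
    $supported = 0                      # a Windows 2000 DC has no msDS-Behavior-Version
    if ($r.Properties.Contains('msds-behavior-version')) {
        $supported = [int]$r.Properties['msds-behavior-version'][0]
    }
    New-Object PSObject -Property @{
        Host     = $r.GetDirectoryEntry().psbase.Parent.dNSHostName.Value
        Supports = $supported
        Blocks   = ($supported -lt $targetLevel)
    }
}

$dcs | Sort-Object Supports |
    Format-Table Host, Supports, @{ n = 'Level'; e = { $levelNames[$_.Supports] } }, Blocks -AutoSize

Write-Host ("Domain {0} is at level {1} ({2}); target is {3} ({4})" -f `
            $domainNC, $currentLevel, $levelNames[$currentLevel], $targetLevel, $levelNames[$targetLevel])

$blockers = @($dcs | Where-Object { $_.Blocks })
if ($blockers.Count -gt 0) {
    Write-Warning ("The raise would be refused: {0} DC(s) do not support level {1}" -f $blockers.Count, $targetLevel)
} else {
    Write-Host 'Every DC supports the target level; the raise can proceed (and cannot be reverted afterwards).'
}
```

For the forest functional level the same check applies with two changes: read the current level from CN=Partitions under the configuration partition instead of the domain object, and drop the hasMasterNCs filter so that every domain controller in the forest is evaluated.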

Domain Rename

Domain rename capabilities are available in a Windows Server 2003 forest that has a forest functional level of Windows Server 2003. These capabilities are not available in Windows 2000 Server operating systems.

The structure of an Active Directory forest is the result of the order in which you create domains and the hierarchical names of those domains. Beginning with the forest root domain, all child domains derive their distinguished names and default DNS names from the forest root domain name. The same is true of every additional tree in the forest. The way to change the hierarchical structure of an existing domain tree is to rename the domains. For example, you can rename a child domain to have a different parent or rename a child domain to be a new tree-root domain. In each case, you reposition an existing domain to create a different domain-tree structure. Alternatively, you can rename domains without affecting the structure. For example, if you rename a root domain, the names of all child domains below it are also changed, but you have not created a different domain-tree structure.

The ability to rename domains provides you with the flexibility to make important name changes and forest structural changes as the needs of your organization change. Using domain rename, you can not only change the name of a domain, but you can change the structure of the domain hierarchy and change the parent of a domain or move a domain residing in one domain tree to another domain tree. The domain rename process can accommodate scenarios involving acquisitions, mergers, or name changes in your organization, but it is not designed to accommodate forest mergers or the movement of domains between forests.

The domain rename process involves making basic changes independently at each domain controller in a forest. You set up an administrative computer from which you issue commands that are executed remotely at each domain controller. These commands update the directory database at each domain controller individually with the changes that are necessary for renaming the domains; that is, the updates that rename the domains do not spread across the forest through Active Directory replication.

Rendom.exe is a new tool that is included with Windows Server 2003. You use the Rendom tool to carry out the following multiple steps in the domain rename process:

  • Freeze the current state of the forest so that no changes can occur while a domain rename operation is being performed.

  • Prepare the contents of the forest for a domain rename operation. Rendom runs multiple scripts that perform this preparation.

  • Execute a domain rename operation.

  • Clean up old domain names.

Another tool, Gpfixup, is provided to reinstate Group Policy from the original domains into the newly named domains in the forest.
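The following is an added example, not code from the original page, showing the Rendom and Gpfixup steps above as they are issued from the administrative computer, including the check that belongs between the prepare and execute steps: /execute must not be run until every domain controller reports itself as Prepared. The old and new domain names and the domain controller used by Gpfixup are assumptions, and the script assumes the <DC>/<Name>/<State> layout of the Dclist.xml file that rendom writes; it also treats any non-zero exit code from rendom or gpfixup as a failure.

```powershell
# Added example, not from the original page. Names below are assumptions.
$oldDns = 'corp.contoso.com';  $oldNb = 'CORP'
$newDns = 'ad.fabrikam.com';   $newNb = 'AD'
$dcForGpfixup = "dc1.$newDns"      # a DC reachable under the new domain name

function Invoke-Step([string]$exe, [string]$argString) {
    # Run one rendom/gpfixup command and stop the whole procedure on failure.
    Write-Host ">> $exe $argString"
    $p = Start-Process -FilePath $exe -ArgumentList $argString -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "$exe $argString failed with exit code $($p.ExitCode)" }
}

# 1. Describe the current forest (writes Domainlist.xml), edit the DNSname and
#    NetBiosName entries of the domains being renamed, then verify the result.
Invoke-Step rendom.exe '/list'
Read-Host "Edit Domainlist.xml: $oldDns -> $newDns, $oldNb -> $newNb. Press Enter when done"
Invoke-Step rendom.exe '/showforest'

# 2. Upload the rename instructions to the domain naming master. From this point
#    the forest is frozen: no domains or DCs can be added or removed until /end.
Invoke-Step rendom.exe '/upload'

# 3. Prepare: every DC verifies it can perform the rename and records its state
#    in Dclist.xml. Refuse to continue unless all of them reached Prepared.
Invoke-Step rendom.exe '/prepare'
[xml]$dclist = Get-Content Dclist.xml
$notReady = @($dclist.SelectNodes('//DC') | Where-Object { $_.State -ne 'Prepared' })
if ($notReady.Count -gt 0) {
    $notReady | ForEach-Object { Write-Warning ("{0}: {1}" -f $_.Name, $_.State) }
    throw 'Not every DC is Prepared; fix or remove the DC and re-run /prepare before /execute.'
}

# 4. Execute: each DC applies the rename locally and reboots. The directory
#    changes are made per DC by this command, not propagated by replication.
Invoke-Step rendom.exe '/execute'
Read-Host 'Wait until every DC is back online and replicating, then press Enter'

# 5. Repair Group Policy links and SYSVOL paths that still carry the old name.
Invoke-Step gpfixup.exe "/olddns:$oldDns /newdns:$newDns /oldnb:$oldNb /newnb:$newNb /dc:$dcForGpfixup"

# 6. Remove the old names from the directory, then unfreeze the forest.
Invoke-Step rendom.exe '/clean'
Invoke-Step rendom.exe '/end'
```

Member computers must be restarted twice after the execute step so that they pick up the new domain name, and the domain controllers themselves keep their old computer names until renamed separately; both are part of the planning the next paragraph warns about.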

In Windows Server 2003, domain rename is intended to be a supported method for renaming domains when domain renames are necessary; it is not intended to make domain rename a routine operation. The domain rename process is complex and requires a great deal of care in planning and execution. In addition, the time that is required for a complete domain rename operation is directly proportional to the size of an Active Directory forest in terms of its number of domains, domain controllers, and member computers. Therefore, although domain rename is possible in Windows Server 2003, it should not be undertaken lightly.