Published on Windows DevCenter (http://www.windowsdevcenter.com/)


Upgrade Your Domains from Windows 2000 Active Directory to Windows Server 2003

by Mitch Tulloch
08/30/2005

Windows Server 2003 offers a lot of real benefits as far as Active Directory (AD) is concerned. These new features include:

To gain full advantage of these new features and others, you need to upgrade your existing Windows 2000 domains to Windows Server 2003 and then raise your forest functional level to Windows Server 2003. Raising a functional level is a one-way change: it requires that every domain controller in the forest already run Windows Server 2003, and once raised it cannot be lowered again. So before you insert the CD, click Upgrade, and hope for the best, pause, step back, and think about what you plan to do. Upgrading your domains without proper planning can land you in hot water fast. Below are half a dozen tips on what you should and shouldn't do when you migrate your domains from Windows 2000 Active Directory to Windows Server 2003.

It's Time to Simplify


First and most importantly, don't just upgrade your current AD infrastructure in place if it was badly designed to begin with and doesn't fit your company's needs. Upgrading a badly designed forest results in an improved, but still badly designed, forest. Unfortunately, when Windows 2000 first came out, there wasn't much practical guidance on how to design Active Directory. As a result, some large companies did some pretty dumb things: using too many domains, deploying multiple forests, building complicated site link bridges, mixing users and computers in the same OUs, and so on. Lots of bad things followed, such as replication failures, authentication problems, and difficulties implementing Group Policy.

With Windows Server 2003 you now have a chance to get things right. Using the Active Directory Migration Tool (ADMT) v2 and the Rendom.exe domain rename utility, you can restructure your forest to make it more reliable and manageable. After all, why use ten domains just because your company has ten different offices around the world? High-speed WAN links are pretty reliable nowadays, and migrating to a single domain makes Active Directory easier to support, easier to troubleshoot, and easier to recover from when things go wrong.

Tip: you can test-drive ADMT 2.0 online for free at the Active Directory Migration Tool 2.0 Interactive Simulation site.

Don't Be Pressured

Of course, sometimes there are what seem to be legitimate business reasons why you need additional domains, or even additional forests. For example, if your company recently merged with another company, you may have two opposing IT groups who don't trust each other. The result is that neither side wants the other to own the all-powerful Enterprise Admins group. (In Active Directory the forest, not the domain, is the security boundary: Enterprise Admins in the forest root domain has authority over every domain in the forest, so two groups that genuinely don't trust each other can't be kept apart simply by giving each its own domain.) The logical technical solution to this problem might therefore seem to be to create two separate forests and link them with a cross-forest trust. But if you're deploying Exchange Server for your company and want to have only one Exchange organization, you have to jump through hoops to make this work in a two-forest scenario. The real problem in this case is that you're trying to solve a business problem with a technical solution. Instead, you should solve business problems with business solutions; in other words, management should create a written policy that guides how the two IT groups share responsibility and work together. Management should then monitor and enforce that policy as needed. Opting for two forests simply avoids the real problem of getting your different business units to function together properly.

Tidy Things Up

Upgrading domains where there are inconsistencies in the directory store or the SYSVOL share can only lead to problems. So before you upgrade your domain controllers to Windows Server 2003, take time to verify that everything is working properly, including directory replication and Group Policy processing. Microsoft has lots of tools you can use for such checks, including dcdiag.exe and repadmin.exe, and you should learn how to use them. Check your event logs, another good source of potential problems that might affect an upgrade, and make sure you have sufficient disk space on machines you plan to upgrade in place. Know where your Flexible Single Master Operations (FSMO) roles live: the schema master and domain naming master exist once per forest, and the PDC emulator, RID master, and infrastructure master once per domain. Consolidate each domain's roles on a single machine, and make all your domain controllers global catalog servers in case connectivity becomes an issue (once every DC in a domain is a GC, the usual warning against hosting the infrastructure master on a GC no longer applies). Bear in mind that the first Windows Server 2003 domain controller can't be introduced until adprep /forestprep has been run on the schema master and adprep /domainprep on each domain's infrastructure master; the schema extensions they add must replicate to every domain controller, which is one more reason to sort out replication first. Then, once everything is neat and tidy, take a System State backup of your FSMO domain controllers so you can quickly roll back if something goes wrong during the upgrade.
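The checks above can be run as one batch job. The following script is an added example, not code from the article; it strings together the Windows Server 2003 Support Tools (dcdiag, repadmin, netdom) and the Resource Kit's gpotool, collects their output in one log, flags any dcdiag test failures, and only then takes the System State backup. The log and backup paths, and the script name, are assumptions chosen here; the dcdiag test names and the `repadmin /showrepl *` syntax are the Windows Server 2003 versions (Windows 2000's repadmin uses `/showreps`).

```batch
@echo off
rem preupgrade-check.cmd -- an added example; this script is not from the
rem article. It runs the checks the section describes (replication, FSMO,
rem SYSVOL/Group Policy, global catalog, disk space) against every domain
rem controller and gathers the output in one log, then takes the System
rem State backup the section recommends.
rem Assumptions: run as a member of Domain Admins on a domain controller
rem with the Windows Server 2003 Support Tools (dcdiag, repadmin, netdom)
rem and the Resource Kit gpotool installed; the dcdiag test names and the
rem "repadmin /showrepl *" syntax are the 2003 versions (Windows 2000
rem repadmin uses /showreps). %1 is an optional log path, %2 an optional
rem .bkf path for the backup; both defaults below are hypothetical.
setlocal
set LOG=%~1
if "%LOG%"=="" set LOG=%TEMP%\preupgrade-%COMPUTERNAME%.log
set BKF=%~2
if "%BKF%"=="" set BKF=%TEMP%\%COMPUTERNAME%-systemstate.bkf
echo Pre-upgrade Active Directory check on %COMPUTERNAME%, %DATE% %TIME% > "%LOG%"

echo === FSMO role holders: decide which DC you will upgrade last >> "%LOG%"
netdom query fsmo >> "%LOG%" 2>&1

echo === Replication partners with last success/failure for every DC >> "%LOG%"
repadmin /showrepl * /verbose >> "%LOG%" 2>&1

echo === dcdiag: replication, FSMO reachability, SYSVOL, GC advertising, netlogon shares >> "%LOG%"
dcdiag /e /test:replications /test:fsmocheck /test:frssysvol /test:advertising /test:netlogons >> "%LOG%" 2>&1

echo === Group Policy objects: AD and SYSVOL version numbers must agree on every DC >> "%LOG%"
gpotool /verbose >> "%LOG%" 2>&1

echo === Free space on the system drive for the in-place upgrade >> "%LOG%"
dir %SystemDrive%\ | find "bytes free" >> "%LOG%" 2>&1

rem Summarise: dcdiag prints "<DC> failed test <Name>" for each failure.
echo.
echo Failures found by dcdiag (none is what you want):
findstr /i /c:"failed test" "%LOG%"
if not errorlevel 1 (
  echo Fix the failures above and re-run before upgrading. Full log: %LOG%
  exit /b 1
)

rem Everything checked out: take a System State backup (AD database, SYSVOL,
rem registry, certificate store) so the DC can be restored if the upgrade
rem fails. Run this on each FSMO holder, not just here.
echo No dcdiag failures. Backing up System State to %BKF% ...
ntbackup backup systemstate /J "Pre-upgrade %COMPUTERNAME%" /F "%BKF%"
echo Done. Review %LOG% for repadmin and gpotool warnings, which the
echo "failed test" filter above does not catch.
exit /b 0
```

Run it on the domain controller that holds the domain's FSMO roles (for example `preupgrade-check.cmd D:\logs\dc1.log D:\backup\dc1.bkf`), fix anything dcdiag reports, and repeat until it exits cleanly. The `findstr` filter only catches dcdiag's "failed test" lines; repadmin's per-partner failure counts and gpotool's version mismatches still have to be read from the log by hand.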

Watch Your Clients

Before you upgrade your domain controllers to Windows Server 2003, make sure your client computers can live with Server Message Block (SMB) signing, which Windows Server 2003 requires by default on domain controllers (through the Default Domain Controllers Policy). There's no issue if your client machines run Windows XP, Windows 2000, or Windows 98, but older clients and non-Windows clients may not be able to sign, and will then fail to reach the SYSVOL and NETLOGON shares on the upgraded DCs; for those you must either install an update that adds signing support or disable the requirement. Prefer the update: signing is what protects SMB traffic between clients and DCs (including Group Policy and logon scripts) against tampering and relay, and turning it off on the DCs removes that protection for every client, not just the old ones.
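The following script is an added example, not code from the article. Run on a client before the DC upgrade, it reads the server-side requirement on a DC and the client's own signing capability from the registry, then lists the DC's shares to prove the two can still talk. The script name is an assumption; the registry values it queries are the ones the "Digitally sign communications" security options write on Windows 2000, XP and Server 2003.

```batch
@echo off
rem smb-signing-check.cmd -- an added example, not from the article. Run it
rem on a client before the DC upgrade to see (a) whether the Windows Server
rem 2003 DC will insist on signed SMB traffic and (b) whether this client
rem can sign, then prove the client can still reach the DC's shares.
rem Assumptions: reg.exe is present (built in on XP/2003, Resource Kit on
rem Windows 2000); the account running it can read the DC's registry
rem remotely; %1 is the DC name. Windows 2000 and XP clients can sign, so
rem on them this is a confirmation; older or non-Windows clients need the
rem equivalent check done by hand.
setlocal
if "%~1"=="" (
  echo usage: %~nx0 DCNAME
  exit /b 1
)
set DC=%~1

echo --- Server side on %DC% ---
echo RequireSecuritySignature 0x1 = DC refuses clients that cannot sign; this is what
echo the "Microsoft network server: Digitally sign communications (always)" setting in
echo Default Domain Controllers Policy writes on Windows Server 2003.
reg query "\\%DC%\HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v RequireSecuritySignature

echo --- Client side on %COMPUTERNAME% ---
echo EnableSecuritySignature 0x1 = this client will sign when the server asks for it.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v EnableSecuritySignature

echo --- Connection test: Group Policy processing needs SYSVOL, so list the DC's shares ---
net view \\%DC%
if errorlevel 1 (
  echo Share listing failed. If this client cannot sign, update the client rather than
  echo clearing RequireSecuritySignature on the DC: signing is what stops tampering
  echo with and relaying of the SMB traffic that carries Group Policy and logon scripts.
  exit /b 1
)
echo Client and DC agree on SMB signing.
exit /b 0
```

Point it at a test DC that has already been upgraded in your lab (`smb-signing-check.cmd DC1`), from one of each client type you have in production. A failing `net view` against a DC that shows RequireSecuritySignature = 0x1 is the symptom the section warns about.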

Test Everything

Finally, be sure to test your upgrade scenario in a test environment before you try it in a production environment. A good tool for testing different scenarios is Microsoft Virtual Server, which allows you to set up a virtual test network you can use to try out different approaches and analyze the result. To get the most out of using Virtual Server for testing migration scenarios, get the Virtual Server Migration Toolkit (VSMT) from Microsoft. This toolkit enables you to migrate actual production machines (like your existing Windows 2000 domain controllers) to virtual machines so you can deploy them within Virtual Server and try out different upgrade scenarios to see how they work.

When in Doubt...

...ask. If you're not sure about something relating to upgrading Windows 2000 Active Directory to Windows Server 2003, why not post your question to the microsoft.public.windows.server.active_directory newsgroup? Microsoft Communities newsgroups are frequented by several thousand Microsoft Most Valuable Professionals (MVPs), many of whom know a lot about Active Directory and are eager to answer questions and help people like you with your problems. You can access these newsgroups by:

Don't be afraid to ask dumb questions, but please don't ask extremely broad questions like, "Could someone please outline step-by-step how I can migrate my domains to Windows Server 2003?" or you'll probably get an answer that contains links to several dozen Knowledge Base articles for you to read!

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.



Copyright © 2009 O'Reilly Media, Inc.