Re: NT Domain Rename and Upgrade to Server 2003

Regarding your empty forest root domain, when motivated solely by
security, this is something of a legacy recommendation since Microsoft
no longer state that a domain is a boundary for security ... the forest
is. In short this means that a sufficiently technical child domain
administrator (with the right [maybe wrong] motivation) will be capable
of elevating their privilege to that of an Enterprise Admin. Is this
the sole reason behind the choice of an empty root?

Schema extensions do indeed need to be well planned for a few reasons;
first and foremost it is necessary to understand that each schema entry
requires certain forest-wide unique identification values; if
defined/created incorrectly these schema extensions may inadvertently
use a publicly standardized value required by a.n.other
Active-Directory-aware application. With Windows Server 2003 when
running at forest functional level 2, this problem can be almost
completely bypassed (often referred to as schema re-use). At any lesser
functional level (or if using Windows 2000 Domain Controllers), the
schema will not accept the conflicting update thereby, generally,
preventing the installation of the application in question.

The second consideration is related to the Global Catalog (GC). Within
the schema a percentage of the base attributes are replicated to all GCs
(~30%); this collective grouping of attributes is known as the PAS
(partial attribute set). The PAS can be extended (and often is) as part
of an Active-Directory-aware application's installation program. Many
of these applications extend the PAS with a number of their newly
created attributes. In a downlevel directory service (i.e. - an Active
Directory containing Windows 2000 DCs) containing more than one domain
and upon receipt of schema extensions _that affect the PAS_, each GC
will perform a complete rebuild of its partial replica set which
includes the content from all domains within its forest other than its
own. In the larger, more mature Active Directory implementations, this
process can quite literally take days to complete (obviously this
timeframe depends on numerous configuration factors). Windows 2003
mitigates this problem since its GCs support incremental update to the
partial replicas but only in the event they source that replica from
another Windows 2003 DC (i.e. - not a Windows 2000 DC). Note that much
of the Windows 2003 documentation claims that this incremental update
capability requires a particular functional level; this is incorrect.

With all that said and assuming you're using 2003 only, I would
recommend introducing the schema extensions prior to the deployment of
the child domain. There is no reason for my recommendation beyond
adopting the well known KISS approach (this actually stands for 'keep it
simple stupid' but isn't intended as a slur, it's merely an acronym
meant to remind us that simple is often better); schema extensions can
be introduced regardless of the number of domains or DCs. Note that NT4
has no direct impact on schema extensions nor the GCs' replication
behaviors; the presence of NT4 DCs will, however, prohibit the forest
functional level from being increased to 2, which is required for the
schema re-use feature outlined above.

HTH

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l
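The schema-planning concerns in the reply above (forest-wide unique OIDs, display names and schemaIDGUIDs, and extensions that enlarge the PAS) lend themselves to a pre-flight check of an installer's LDIF before it touches the schema master. The following is an added example written for this page, not code from the thread or from any product; the existing-schema snapshot, the organisation's OID arc (1.3.6.1.4.1.99999.2) and the LDIF are all constructed sample data. It decodes the base64 (`::`) form in which schema LDIFs normally carry schemaIDGUID.

```python
"""Pre-flight check for an Active Directory schema-extension LDIF.

Added example (not from the newsgroup thread). Reports, for each
attributeSchema / classSchema entry in an LDIF:
  * attributeID/governsID (OID), lDAPDisplayName or schemaIDGUID that
    already exists in the schema snapshot (or earlier in the same LDIF)
  * OIDs that are not under the organisation's own arc
  * attributes that join the partial attribute set (PAS), which is what
    makes every GC re-source or rebuild its partial replicas
All identifiers below are constructed sample values.
"""
import base64
import uuid
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed snapshot of entries already in the schema (hypothetical values).
EXISTING_SCHEMA = {
    "othervendor-Dept":  {"oid": "1.3.6.1.4.1.99999.1.1",
                          "guid": "0f1e2d3c-0000-4000-8000-000000000001"},
    "othervendor-Badge": {"oid": "1.3.6.1.4.1.99999.1.2",
                          "guid": "0f1e2d3c-0000-4000-8000-000000000002"},
}
OWN_ARC = "1.3.6.1.4.1.99999.2"   # hypothetical arc owned by this organisation

# schemaIDGUID is binary in the directory, so LDIF ships it base64-encoded.
_DUP_GUID_B64 = base64.b64encode(
    uuid.UUID(EXISTING_SCHEMA["othervendor-Badge"]["guid"]).bytes_le).decode()

# Constructed LDIF; the first dn is folded to exercise continuation lines.
SAMPLE_LDIF = f"""\
dn: CN=contoso-Quota,CN=Schema,CN=Configuration,
 DC=contoso,DC=test
changetype: add
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.99999.2.1
lDAPDisplayName: contoso-Quota
schemaIDGUID: a1b2c3d4-0000-4000-8000-000000000010
isMemberOfPartialAttributeSet: TRUE

dn: CN=contoso-Dept,CN=Schema,CN=Configuration,DC=contoso,DC=test
changetype: add
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.99999.1.1
lDAPDisplayName: contoso-Dept
schemaIDGUID: a1b2c3d4-0000-4000-8000-000000000011

dn: CN=contoso-Site,CN=Schema,CN=Configuration,DC=contoso,DC=test
changetype: add
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.77777.1.5
lDAPDisplayName: contoso-Site
schemaIDGUID: a1b2c3d4-0000-4000-8000-000000000012

dn: CN=contoso-Person,CN=Schema,CN=Configuration,DC=contoso,DC=test
changetype: add
objectClass: classSchema
governsID: 1.3.6.1.4.1.99999.2.100
lDAPDisplayName: contosoPerson
schemaIDGUID:: {_DUP_GUID_B64}
"""


def _decode(key: str, value: str) -> str:
    """Plain values are stripped; '::' values are base64. A 16-byte
    schemaIDGUID is rendered as GUID text (little-endian, as Windows stores it)."""
    if not value.startswith(":"):
        return value.strip()
    raw = base64.b64decode(value[1:].strip())
    if key == "schemaidguid" and len(raw) == 16:
        return str(uuid.UUID(bytes_le=raw))
    return raw.decode("utf-8", errors="replace")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated records, 'attr: value'
    lines, leading-space continuation lines, '#' comment lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold continuation line
        else:
            lines.append(raw)
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()           # LDAP attribute names are case-insensitive
        current.setdefault(key, []).append(_decode(key, value))
    return records


@dataclass
class Report:
    conflicts: List[str] = field(default_factory=list)     # will be rejected or collide
    warnings: List[str] = field(default_factory=list)      # worth a question to the vendor
    pas_additions: List[str] = field(default_factory=list) # GC replica impact


def check_schema_extension(records, existing, own_arc) -> Report:
    rep = Report()
    seen_oids = {e["oid"]: name for name, e in existing.items()}
    seen_names = {name.lower() for name in existing}
    seen_guids = {e["guid"].lower(): name for name, e in existing.items()}
    for rec in records:
        classes = {c.lower() for c in rec.get("objectclass", [])}
        if not classes & {"attributeschema", "classschema"}:
            continue
        name = rec.get("ldapdisplayname", ["?"])[0]
        oid = (rec.get("attributeid") or rec.get("governsid") or ["?"])[0]
        guid = rec.get("schemaidguid", [""])[0].lower()
        if oid in seen_oids:
            rep.conflicts.append(f"{name}: OID {oid} already used by {seen_oids[oid]}")
        elif not oid.startswith(own_arc + "."):
            rep.warnings.append(f"{name}: OID {oid} is outside the organisation arc {own_arc}")
        if name.lower() in seen_names:
            rep.conflicts.append(f"{name}: lDAPDisplayName already exists")
        if guid and guid in seen_guids:
            rep.conflicts.append(f"{name}: schemaIDGUID {guid} already used by {seen_guids[guid]}")
        if rec.get("ismemberofpartialattributeset", ["FALSE"])[0].upper() == "TRUE":
            rep.pas_additions.append(name)
        # Register this entry so later entries in the same LDIF are checked against it too.
        seen_oids.setdefault(oid, name)
        seen_names.add(name.lower())
        if guid:
            seen_guids.setdefault(guid, name)
    return rep


if __name__ == "__main__":
    report = check_schema_extension(parse_ldif(SAMPLE_LDIF), EXISTING_SCHEMA, OWN_ARC)
    for label, items in (("CONFLICT", report.conflicts), ("WARNING", report.warnings),
                         ("PAS ADDITION", report.pas_additions)):
        for item in items:
            print(f"{label}: {item}")
```

Against a real forest the `EXISTING_SCHEMA` snapshot would be built from an export of the schema partition (for instance an `ldifde` dump of CN=Schema,CN=Configuration) rather than the constructed dictionary used here; the PAS list is the set to look at when judging how much GC work an extension will cause on downlevel GCs, as the reply describes.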

Polly wrote:
> Hi Dean
>
> Many thanks for your positive response here.
>
> Could I please just run one more thing by you. In our Server 2003
> Forest we are going to have a root domain (this will be an 'empty'
> domain that will be used for securing the forest) and a child domain.
> When I introduce the root my thoughts are: introduce a newly built
> 2003 server as the Root DC, then promote the NT4 PDC to be the child
> DC.
>
> My thoughts are regarding schema extensions: will the promotion of the
> NT4 PDC take these into account, or will the schema extensions, such
> as for Storage Central etc., need to be done on the root before adding
> the child domain?
>
> Any advice would be gratefully appreciated.
>
> Polly
>
> Can you
>
>
>
> Polly
>
>
> "Dean Wells [MVP]" wrote:
>
>> Assuming you mean an in-place upgrade, the domain related issues
>> concerning SIDs are removed when performing an in-place upgrade vs. a
>> migration. If the upgrade process involves only one source NT4
>> domain and one target 2003 domain, I would recommend the upgrade
>> approach over migration since it does not require sIDHistory nor
>> re-ACLing. Other than the steps you've provided not mentioning the
>> upgrade itself, they appear well thought out.
>>
>> There are a number of additional tasks that I perform for the sake
>> of my own comfort following the upgrade of the NT4 PDC that assist
>> in ensuring the physically upgraded DC causes no unpredictable
>> problems at a later time, in short -
>>
>> 1. Install a fresh 2003 server
>> 2. DCpromo it as a replica DC against the newly upgraded NT4 PDC
>> (now a 2K3 DC)
>> 3. Gracefully transfer responsibility for all 5 FSMOs, the GC and
>> DNS to the fresh 2K3 DC
>> 4. Replicate, verify the 2 DCs are consistent
>> 5. Gracefully DCpromo down the upgraded NT4 DC
>>
>> HTH
>>
>> --
>> Dean Wells [MVP / Directory Services]
>> MSEtechnology
>> [[ Please respond to the Newsgroup only regarding posts ]]
>> R e m o v e t h e m a s k t o s e n d e m a i l
>>
>> Polly wrote:
>>> Hi
>>>
>>> I have a few questions I hope you can help with.
>>>
>>> I am involved in a project to re-name an NT Domain then use an
>>> in-house upgrade to Server 2003. My preferred method would have been
>>> to build a new 2003 Forest with the new required domain name then use
>>> the ADMT tool to migrate the users and resources.
>>>
>>> However, an alternative solution has been sold to the customer, that
>>> being, re-name the NT Domain. Once the NT4 domain has been renamed
>>> then perform an in-house upgrade.
>>>
>>> My concern is issues around the SID when re-naming the NT4 domain.
>>> The solution will be as follows:
>>>
>>> . Build a new BDC - allow replication
>>> . Remove the new BDC from existing Domain
>>> . Rename to new domain name BDC
>>> . Promote to new domain name PDC
>>> . Reconnect to Network
>>> . Add another BDC
>>> . Establish trusts
>>> . Set up security permissions
>>> . Move 10 client machines into new domain
>>> . Trial Logons
>>> . Resecure DATA at all sites
>>> . Move remaining clients into new domain
>>> . Move Member servers to new domain
>>> . Tidy up
>>>
>>> Can anyone advise if there will be any SID issues when we connect
>>> the users, clients and resources to this new domain?
>>>
>>> Polly