Windows 2000 Domain Migration Options


This document tries to map out the options and directions of our Windows NT to Windows 2000 domain migration.


Section 1: What do we want to do?

There are several domain configurations available to us, ranging from a direct mapping of our current domains, to a simple domain tree, to a complex domain forest.  For purposes of discussion, I will describe the most likely candidates.


1A: The single domain

The simplest option is collapsing all of our user and machine accounts into one domain.  Microsoft and many people advise a single domain unless there is an overriding reason to choose a more complex domain structure.

o         Simplicity

o         Ease of management

o         Consolidation of servers

o         Fewer domain controllers

o         Less separation between user populations: every account is under the same domain administrators, so separation has to come from OU delegation rather than from domain boundaries


1B: Multiple domains

The next most complex case is a single parent and child domain.  This would be necessary only if the domain-wide settings (password, account-lockout and Kerberos policy, which Windows 2000 can set only per domain) were different enough between user populations to require multiple domains.


o         Matches our current domain structure

o         Provides for different global policies

o         Requires twice as many domain controllers as a single domain

o         Harder to manage


Another case is an empty root domain for Cerritos.edu, with the account domain(s) as its children.

o         Symmetric domain name space

o         Keeps the forest-wide Enterprise Admins and Schema Admins groups in a domain that holds no ordinary user accounts

o         Requires three times as many domain controllers as a single domain

o         Harder to manage


Section 2: How do we migrate the domains?


There are two ways to get from NT 4.0 domains to Windows 2000 Active Directory, and they carry different risks.

2A: Straight migration

The “official” method of migration is to take the PDC of the main domain for a site and upgrade it in place to Windows 2000 and Active Directory.  The BDCs in the domain are then upgraded one at a time.  The domain stays in mixed mode as long as an NT BDC remains, and that BDC is your fallback: take one BDC off the network with a current copy of the SAM before touching the PDC, so it can be promoted to PDC if the upgrade fails.


After the first Win2K domain has been created, additional NT domains are converted and placed as child domains of the first.  If domain consolidation is desired, the Active Directory Migration Tool (ADMT) moves users, groups and computers from one domain to another and records each account's old SID in sIDHistory so existing ACLs keep working; the target domain must be in native mode for that.


o         Least amount of work

o         The PDC upgrade is in place: if it fails, the domain is gone unless an NT BDC was held back


2B: Cloning accounts

An alternate method of migration is to create a new Windows 2000 domain that is trusted by the existing domain(s).  You then copy user accounts from an existing domain to the Win2K domain and disable the old account.  You are left with an empty NT domain that then can be removed.  Each cloned account gets a new SID, so access to resources still permissioned for the old SID works only while the trust exists and the old SID is carried in the new account's sIDHistory; ACLs on servers should be re-permissioned before the NT domain is removed.


o         No irreversible conversion step; the NT domain is untouched until you remove it

o         Lots of cruft (stale accounts, groups and ACL entries) can be left behind rather than carried forward

o         More work involved

o         Requires notification of users to log on to a new domain

o         Passwords are not preserved; users must be issued new ones


Section 3: How do we organize the domain?


3.1 Computer Organization Units

We can either organize computer accounts logically or physically.  There is no obvious logical grouping for machines, so physical organization is described here:

Ø       Building Name

o         Room Name

§          Computer Name


This gives thirty-some building OUs at the top level.

3.2 User Organization Units

We can either organize user accounts logically or physically.  Settings that depend on location, such as the computer half of a GPO, can be applied through the computer OUs, so the user OUs are free to follow the organization chart.  A logical organization would look like:

Ø       Division Name

o         Department Name

§          User Name

For example:

Ø       Fiscal Services

o         Department Name

§          User Name

Ø       Student Services

o         Department Name

§          User Name

Ø       Academic Affairs

o         Department Name

§          User Name

Ø       Students

o         User Name


This gives about a dozen top-level user OUs.
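As an added example (not part of this plan), here is a small script that turns the two OU sketches above into an ldifde import file.  The building, room, division and department names are constructed sample data; the two root OU names and the dc=cerritos,dc=edu suffix are assumptions.  It escapes the characters that are special in a distinguished name, rejects OU names with leading or trailing spaces, and writes each parent OU before its children, which is the order ldifde needs.

```python
"""Generate the ldifde import file for the OU trees sketched above.

Added example, not part of the original migration plan.  Building, room,
division and department names are constructed sample data, the two root
OU names are assumed, and dc=cerritos,dc=edu is assumed from the
Cerritos.edu name used in the plan.
"""

# Constructed sample data for section 3.1: building -> rooms.
BUILDINGS = {
    "Library": ["LIB-101", "LIB-205"],
    "Science, Annex": ["SCI-1"],   # the comma must be escaped in the DN
    "Admin": [],
}

# Constructed sample data for section 3.2: division -> departments.
DIVISIONS = {
    "Fiscal Services": ["Accounting", "Payroll"],
    "Student Services": ["Admissions"],
    "Students": [],                # student accounts sit directly under the division
}

DOMAIN_DN = "dc=cerritos,dc=edu"    # assumed domain suffix
COMPUTER_ROOT = "Campus Computers"  # assumed root OU for section 3.1
USER_ROOT = "Campus Users"          # assumed root OU for section 3.2

# Characters that RFC 2253 requires to be backslash-escaped in an RDN value.
_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value):
    """Escape an OU name so it can be embedded in a distinguished name.

    Empty names and names with leading/trailing spaces are rejected rather
    than escaped: they are legal in the directory but invisible in every
    admin tool, which is how duplicate-looking OUs get created.
    """
    if not value or value != value.strip():
        raise ValueError("bad OU name: %r" % (value,))
    out = []
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ou_dn(path, base=DOMAIN_DN):
    """DN for an OU given its path from the root, e.g. [root, building, room]."""
    rdns = ["ou=" + escape_rdn_value(name) for name in reversed(path)]
    return ",".join(rdns + [base])


def ou_entries(tree, root, base=DOMAIN_DN):
    """(dn, name) pairs for root -> top-level -> child OUs, parents first.

    ldifde processes records in file order, so a child OU must come after
    the OU that contains it.
    """
    entries = [(ou_dn([root], base), root)]
    for top in sorted(tree):
        entries.append((ou_dn([root, top], base), top))
        for child in sorted(tree[top]):
            entries.append((ou_dn([root, top, child], base), child))
    return entries


def ldif_for_ous(entries):
    """Render add records in the form accepted by ldifde -i -f file.ldf."""
    lines = []
    for dn, name in entries:
        lines.extend([
            "dn: " + dn,
            "changetype: add",
            "objectClass: organizationalUnit",
            "ou: " + name,   # the attribute value is the raw, unescaped name
            "",
        ])
    return "\n".join(lines)


def build_ldif():
    """Full import file for both OU trees."""
    entries = ou_entries(BUILDINGS, COMPUTER_ROOT) + ou_entries(DIVISIONS, USER_ROOT)
    return ldif_for_ous(entries)


if __name__ == "__main__":
    print(build_ldif())
```

Save the output as a .ldf file and import it on a domain controller with ldifde -i -f; run it against a test domain first, since ldifde stops at the first record that fails and leaves the earlier ones in place.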

3.3 Computer Names

Assuming that we decide on a single domain and single computer architecture, the current server naming convention is redundant.  Computer names should be organized by functional description.  Something like FFn, where n is a unique number and FF comes from a list of functional descriptions: