Lesson 1: Planning a Network Upgrade
Your network is a critical resource, one that's imperative to
the business success of your organization. As such, it is extremely
important that you thoroughly plan any network changes or modifications
before performing a network upgrade. When you plan and prepare for a
network upgrade, you help ensure the upgraded network works properly
once completed and that the chosen structure satisfies the business
requirements of your organization.
Understanding the Upgrade Process
To be better able to plan your upgrade, you need to understand the
upgrade process. Upgrading your network from Windows NT 4.0 to Windows
2000 occurs in several discrete steps, as follows:
- Establishing the root domain of the Windows 2000 Network
- Upgrading member servers and client computers
- Upgrading the primary domain controllers to Windows 2000
- Upgrading the backup domain controllers to Windows 2000
- Switching the domain from mixed to native mode
NOTE
These steps will be explained later in this
chapter.
You can upgrade member servers and client computers running Windows
95, Windows 98, or Windows NT Workstation 3.51 or 4.0 at any time before
or after you upgrade your domain controllers. Member servers and client
computers are not dependent upon directory services based on Active
Directory technology to operate on the network. By upgrading your
member servers and clients first, you can take advantage of the
benefits of the new Windows 2000 features, and then upgrade to Active Directory directory services as organizational
resources permit.
Choosing an Upgrade Model
The model you choose for your Windows 2000 upgrade depends on the
Windows NT 4.0 domain structure in your existing network.
Upgrading the Single Domain Model
In a single domain model, the Windows NT 4.0 primary domain
controller (PDC) maintains the master copy of the Security Account
Manager (SAM) database. The SAM database can be replicated to one or
more backup domain controllers (BDCs). In Windows NT 4.0, the single
domain model is the simplest architecture you can use.
If you have a Windows NT 4.0 single domain, you can upgrade it to a
single Windows 2000 Active Directory domain. With Active Directory directory
services, you will be able to manage the domain much more easily by
using organizational units (OUs) within the domain to reflect the
structure of your organization.
Upgrading the Single Master Domain Model
In Windows NT 4.0, a single master domain model consists of multiple
domains, with one domain designated as the master domain. The master
domain is the domain where user accounts and global groups are created. The
resource domains contain computer accounts and built-in accounts, but do not
normally contain user or group accounts. The resource domains trust the
master domain.
If you have a Windows NT 4.0 single master domain model, you can
upgrade it to a Windows 2000 Active Directory domain tree. In this case, the
master domain becomes the root domain of the tree. This makes it much easier
to manage the domain by using OUs within the domain to reflect the
structure of the organization.
Upgrading the Multiple Master Domain Model
In Windows NT 4.0, the multiple master domain model consists of more
than one master domain and one or more resource domains that trust
every master domain. This model is often used when organizations
contain a large number of accounts, or when domain synchronization
traffic between geographically separate sites is undesirable.
If you have a Windows NT 4.0 multiple master domain model, you can
also upgrade to a Windows 2000 Active Directory domain tree. To do this,
create a new empty root domain, and then upgrade the master domains to
child domains of the new root domain. Finally, add any resource domains
as child domains of the appropriate upgraded master domains.
Upgrading the Complete Trust Domain Model
In Windows NT 4.0, the complete trust domain model consists of
multiple domains, but no master domain. All domains maintain their own user accounts and global groups. All domains trust each other, and
administration is decentralized.
If you have a Windows NT 4.0 complete trust domain model, you can
upgrade it to a Windows 2000 Active Directory domain tree. Each division within
the organization will maintain its own domain as a child of a common, empty
root domain. Trust relationships are automatic and transitive, so
administrators no longer need to manage relationships.
If each of your Windows NT 4.0 domains represents a subsidiary that
operates under a different name, you could alternatively upgrade these domains
into a forest, with each domain representing the root of its own tree.
This approach works best for separate companies or divisions that need
to maintain limited communication, rather than for a single
company.
Migrating to Active Directory Directory Services
You must carefully consider the following questions before you
migrate your network from Windows NT 4.0 to Windows 2000. Careful thought and
planning here will help ensure a successful network upgrade.
Consider these questions when planning the Active Directory
migration to Windows 2000:
- Have you identified any domain controllers running critical
services, such as Dynamic Host Configuration Protocol (DHCP) and Windows Internet
Naming Service (WINS), and created a disaster recovery plan for
these domain controllers?
- Can you roll back your system if you encounter
problems?
- Can you identify the site structure for replication?
- Can you use your existing Domain Name System (DNS) servers
or do you need to add new servers?
- Do you need to establish a root zone on your network?
- What do you plan to call your domains?
If you can answer these questions, you are ready to proceed with the
network upgrade.
Developing a Naming Strategy
An effective naming strategy is important to help your organization
take advantage of Windows 2000 functionality. An effective naming
strategy makes it easier for users to log on to the network and to
locate network resources.
Every Active Directory domain must have a corresponding DNS domain.
If you have an existing DNS namespace, it shouldn't determine your
Active Directory structure. Rather, DNS should accommodate Active
Directory directory services. It is possible to keep your existing DNS
namespace and create a new one for Active Directory directory services.
As you create a DNS namespace, consider the following domain
guidelines and standard naming conventions:
- The number of domain levels is determined by Active
Directory directory services. DNS provides a naming service to Active Directory
directory services, so the number of DNS domains is determined by your
Active Directory domain structure. Any existing DNS naming structure
should not determine your Active Directory domain structure.
- Use unique names. Each subdomain must have a unique name
within its parent domain to ensure that the name is unique throughout
the DNS namespace.
- Avoid lengthy domain names. This is especially important if
you have many levels of domains because you might potentially exceed
naming limitations. Domain names can be up to 63 characters, including
the periods. The total length cannot exceed 255 characters.
NOTE
Windows 2000 does not support case-sensitive
domain names.
- Use standard DNS characters and Unicode characters.
  - Windows 2000 supports the following standard DNS characters:
    A-Z, a-z, 0-9, and the hyphen (-).
  - The DNS Service also supports the Unicode character set. The
    Unicode character set includes additional characters not found in the
    ASCII character set, which are required for languages such as French,
    German, and Spanish.
  - Only use Unicode characters if all servers running the DNS
    Service in your environment support Unicode.
NOTE
For more information on the Unicode character
set, see Request for Comment (RFC) 2044. For more information on DNS
characters, see RFC 1123.
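The naming guidelines above, expressed as a check you can run over a planned namespace before the upgrade (an added example, not part of the original lesson). It assumes the 63-character limit applies to each name between periods and the 255-character limit to the full name; the names in PLAN are constructed.

```python
import re

# Limits stated in the guidelines; applying 63 per label is an assumption.
MAX_LABEL = 63
MAX_NAME = 255
STANDARD = re.compile(r"^[A-Za-z0-9-]+$")  # standard DNS characters


def check_name(fqdn):
    """Return a list of findings for one candidate domain name."""
    findings = []
    name = fqdn.rstrip(".")
    if len(name) > MAX_NAME:
        findings.append(f"total length {len(name)} exceeds {MAX_NAME}")
    for label in name.split("."):
        if not label:
            findings.append("empty label")
        elif len(label) > MAX_LABEL:
            findings.append(f"label of {len(label)} characters (max {MAX_LABEL})")
        elif not STANDARD.match(label):
            if label.isascii():
                findings.append(f"label '{label}' contains non-standard characters")
            else:
                findings.append(f"label '{label}' needs Unicode support on every DNS server")
    return findings


def check_plan(names):
    """Check every planned name and flag names that differ only by case."""
    report = {n: check_name(n) for n in names}
    seen = {}
    for n in names:
        key = n.rstrip(".").lower()  # domain names are not case-sensitive
        if key in seen:
            report[n].append(f"duplicates '{seen[key]}' (names are not case-sensitive)")
        else:
            seen[key] = n
    return report


# Constructed sample plan (hypothetical names, not from the lesson).
PLAN = ["corp.example.com", "Sales.corp.example.com", "sales.corp.example.com",
        "r_and_d.corp.example.com", "münchen.corp.example.com",
        "a" * 64 + ".corp.example.com"]

if __name__ == "__main__":
    for name, findings in check_plan(PLAN).items():
        print(name[:40], "->", findings or "ok")
```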
Adapting Windows 2000 to an Existing Network Structure
You can often adapt Windows 2000 DNS and Active Directory directory
services to an existing network structure. As you plan your upgrade,
examine your existing DNS servers to see if you can use them as part of your Windows
2000 network.
Using an Existing DNS Server
To use an existing DNS server for Active Directory directory
services, it must support the following:
- Service location resource records. For more
information, see RFC 2052.
- Dynamic update protocol for DNS. For more information,
see RFC 2136.
If your existing DNS servers do not support RFC 2052 and RFC 2136,
you must install and configure a DNS server that does. The DNS Service
included with Windows 2000 allows you to set up a DNS server that meets
these RFC requirements.
Creating a Root Zone
You configure a root zone for your intranet in only two
instances:
- When you are not connecting to the Internet. The root
level domain is for your intranet only.
- When using a proxy service to gain access to the
Internet. You create the root of your local DNS namespace. The
proxy service handles the translation and connection necessary to access
the Internet.
Lesson Summary
Careful planning will help ensure that your upgraded network will
work properly. After you complete your planning, the first step in
upgrading your network is to establish the root domain of the Windows
2000 network. The next three steps are to upgrade your PDCs, your BDCs,
and your member servers and client computers. The last step in
upgrading your network is switching the domain from mixed mode to
native mode.
The model you choose for your Windows 2000 upgrade depends upon
the Windows NT 4.0 domain structure in your existing network. Upgrade a
Windows NT 4.0 single domain to a single Active Directory domain, and
use organizational units (OUs) within the domain to reflect the
structure of your organization. Upgrade a Windows NT 4.0 single master domain model to an Active
Directory domain tree. The master domain becomes the root domain of the
tree, and you can use OUs within the domain to reflect the structure of
the organization.
Upgrade a Windows NT 4.0 multiple master domain model to an Active
Directory domain tree. Create a new empty root domain, and then upgrade
the master domains to child domains of the new root domain, and add any
resource domains as child domains of the appropriate upgraded master
domains. Upgrade a Windows NT 4.0 complete trust domain model to an Active Directory
domain tree. Each division within the organization will maintain its
own domain as a child of a common, empty root domain. Trust
relationships are automatic and transitive, so administrators no longer
need to manage relationships.
Every Active Directory domain must have a corresponding DNS domain.
If your existing DNS server does not support service location resource
records (see RFC 2052) and dynamic update protocol for DNS (see RFC
2136), you must install and configure a DNS server that does. The DNS
Service included with Windows 2000 allows you to set up a DNS server
that meets these RFC requirements.