Active Directory domains that are running in Windows 2000 Mixed mode can be joined into a separate forest without the need for domain migration tools or workstation reboots. To accomplish this, however, you must run a little-known process called Mixed-Mode Domain Redirect on the environment.
Mixed-Mode Domain Redirect is useful in situations in which branch offices have deployed their own separate Active Directory forests, and the need later surfaces to join these disparate forests into a single, common forest. It is also useful in corporate acquisitions and mergers, where separate forests are suddenly required to merge into a single, unified directory.
1. Prerequisites and Limitations of the Mixed-Mode Domain Redirect Procedure
The first prerequisite for Mixed-Mode Domain Redirect is that each Active Directory domain in a forest must be running in Windows 2000 Mixed mode. If an organization needs to merge forests but has already gone to Windows 2000 Native mode, other procedures such as using the Active Directory Migration Tool or synchronizing directories must be utilized instead.
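The Mixed-mode prerequisite can be verified before any server is touched. The following script is an added example, not part of the original text; it assumes it is run from a domain-joined host with PowerShell and LDAP access to the forest, and it reads the ntMixedDomain attribute (1 in Mixed mode, 0 once a domain has been switched to Native mode) of every domain partition listed in the configuration container:

```powershell
# Added example: confirm every domain in the forest is still in
# Windows 2000 Mixed mode, the first prerequisite for the redirect.
$rootDse    = [ADSI]"LDAP://RootDSE"
$configNc   = $rootDse.configurationNamingContext.Value
$partitions = [ADSI]"LDAP://CN=Partitions,$configNc"

$nativeDomains = @()
foreach ($crossRef in $partitions.Children) {
    # Only crossRef objects with FLAG_CR_NTDS_DOMAIN (0x2) set in systemFlags
    # are domain partitions; this skips schema, configuration and application NCs.
    $flags = [int]$crossRef.systemFlags.Value
    if (($flags -band 2) -eq 0) { continue }

    $dnsRoot = $crossRef.dnsRoot.Value
    $domain  = [ADSI]"LDAP://$($crossRef.nCName.Value)"
    # ntMixedDomain: 1 = Mixed mode (eligible), 0 = Native mode (not eligible).
    $mixed = [int]$domain.ntMixedDomain.Value

    if ($mixed -eq 1) {
        Write-Host ("{0}: Mixed mode (eligible for redirect)" -f $dnsRoot)
    } else {
        Write-Host ("{0}: Native mode (NOT eligible)" -f $dnsRoot)
        $nativeDomains += $dnsRoot
    }
}

if ($nativeDomains.Count -gt 0) {
    Write-Warning ("Mixed-Mode Domain Redirect cannot be used; " +
        "use ADMT or directory synchronization for: " + ($nativeDomains -join ", "))
}
```

Because the switch from Mixed to Native mode is one-way, a single Native-mode domain in the list rules the procedure out for that forest, so this check is worth running first, not after the temporary server has been built.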
A big caveat and limitation to this approach is that Windows 2000/XP/2003 clients might already view the domain as an Active Directory domain, requiring them to be rejoined to the domain or to have their machine/domain password relationship reset using the netdom utility after the operation is complete. Unfortunately, there is no way around this, as these client machines eventually discover that their NT domain has become an AD domain and adjust themselves accordingly. After the operation, it becomes necessary to identify these machines and rejoin them to the new domain structure. This caveat does not hold true for Windows NT 4.0 clients, however.
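The post-operation identification and repair of affected clients can be scripted per machine. The following is an added example, not from the original text; it is run locally on a Windows 2000/XP/2003 member that may have lost its secure channel, and it assumes the Windows Support Tools (nltest and netdom) and PowerShell are available on that client. The domain name COMPANYABC, the domain controller name NEWDC01 and the administrative account are placeholders to be replaced with real values:

```powershell
# Added example: check a client's secure channel to the new domain and,
# only if it is broken, reset the machine account password with netdom.
param(
    [string]$Domain           = "COMPANYABC",                # placeholder NetBIOS domain name
    [string]$DomainController = "NEWDC01",                   # placeholder DC in the new domain
    [string]$AdminUser        = "COMPANYABC\Administrator"   # placeholder account; prompted for password
)

# nltest /sc_query reports the state of this machine's secure channel
# with the named domain; it prints "The command completed successfully"
# when the machine/domain password relationship is intact.
$query = & nltest "/sc_query:$Domain" 2>&1 | Out-String
$healthy = ($LASTEXITCODE -eq 0) -and ($query -match "completed successfully")

if ($healthy) {
    Write-Host "$env:COMPUTERNAME: secure channel to $Domain is healthy; no action needed"
    exit 0
}

Write-Host "$env:COMPUTERNAME: secure channel to $Domain is broken; resetting machine password"
# netdom resetpwd resets the password of the computer account for the machine
# it runs on, against the specified DC. /passwordd:* prompts for the password
# so no credential is embedded in the script.
& netdom resetpwd "/server:$DomainController" "/userd:$AdminUser" "/passwordd:*"

if ($LASTEXITCODE -ne 0) {
    # If the computer account no longer matches at all, a reset cannot help;
    # the machine must be rejoined (netdom join) and rebooted.
    Write-Warning "$env:COMPUTERNAME: netdom resetpwd failed; rejoin this client to $Domain with netdom join"
    exit 1
}

Write-Host "$env:COMPUTERNAME: machine password reset; re-verifying secure channel"
& nltest "/sc_query:$Domain"
```

Running this from a logon or startup script and collecting the output gives the list of machines the text says you must identify; machines that report a healthy channel can be skipped, which avoids resetting passwords that are still correct.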
In addition, this procedure also requires several reboots of existing domain controller servers and is, therefore, best performed on a weekend or over a holiday.
2. Mixed-Mode Domain Redirect Procedure
The concept behind Mixed-Mode Domain Redirect is simple: Take an existing Active Directory domain, downgrade it to a Windows NT 4.0 domain, and upgrade it back into a different environment, as illustrated in Figure 1.
The example in the diagrams and in the following sections is based on a fictional scenario. You can modify this scenario, however, to include any environment that satisfies the prerequisites outlined previously.
In this scenario, CompanyXYZ has been acquired by CompanyABC, and the need has arisen to merge the CompanyXYZ Windows 2000 forest with the CompanyABC Windows Server 2003 forest. Because the CompanyXYZ domain is running in Windows 2000 Mixed mode, the staff determined that using the Mixed-Mode Domain Redirect procedure would be the most straightforward approach, and there would be no need to change any client settings.
Establishing a Temporary Windows 2000 Domain Controller
The first step in the Mixed-Mode Domain Redirect process is identifying two temporary servers that will be needed in the migration. These servers do not necessarily need to be very fast servers because they will be used only for temporary storage of domain information.
The first temporary server should be set up as a Windows 2000 domain controller in the current Active Directory domain. After the operating system is loaded (Windows 2000 Server or Advanced Server), you can run the dcpromo command to make it a domain controller in the current domain, per the standard Windows 2000 domain controller upgrade procedure. In addition, this domain controller does not need to be made into a global catalog server.
In the merger scenario, the temporary server SFDCTEMP01 is built with Windows 2000 and Service Pack 3 and added to the companyxyz.com Windows 2000 domain, where it becomes a domain controller, as illustrated in Figure 2.
The current domain controllers—SFDC01, SFDC02, LADC01, and SDDC01—are illustrated as well. These four domain controllers will be migrated to the new environment.
Moving Operations Master Roles and Demoting Existing Domain Controllers
After the new server is introduced to the environment, the five Operations Master (OM) roles must be moved from their existing locations onto the temporary server. This can be done by using the ntdsutil utility.
In the merger example, the Schema Master and Domain Naming Master OM roles were moved from SFDC01 to SFDCTEMP01, and the OM roles of PDC Emulator, RID Master, and Infrastructure Master were moved from SFDC02 to SFDCTEMP01.
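The role moves described above can be driven non-interactively, because ntdsutil accepts its menu commands as quoted command-line arguments. The following is an added example, not from the original text; it assumes it is run as an enterprise administrator on a Windows 2000 domain controller in companyxyz.com with PowerShell installed, uses the scenario's server name SFDCTEMP01 as the target, and verifies the result with netdom query fsmo from the Windows Support Tools:

```powershell
# Added example: transfer all five Operations Master roles to the
# temporary domain controller and verify the new role holders.
$target = "SFDCTEMP01"   # temporary DC from the merger scenario

# "transfer" is the graceful move used while the current role holders are
# still online; "seize" should be reserved for a holder that is permanently
# unavailable, because a seized role must never be brought back online.
& ntdsutil "roles" "connections" "connect to server $target" "quit" `
    "transfer schema master" `
    "transfer domain naming master" `
    "transfer PDC" `
    "transfer RID master" `
    "transfer infrastructure master" `
    "quit" "quit"

if ($LASTEXITCODE -ne 0) {
    Write-Warning "ntdsutil reported exit code $LASTEXITCODE; check the output above before continuing"
}

# netdom query fsmo lists the current holder of each of the five roles;
# every line should now name the temporary server.
$fsmo = & netdom query fsmo | Out-String
Write-Host $fsmo

$notMoved = $fsmo -split "`n" | Where-Object { $_ -match "master|PDC" -and $_ -notmatch $target }
if ($notMoved) {
    Write-Warning "Roles still held elsewhere:`n$($notMoved -join "`n")"
} else {
    Write-Host "All five OM roles are held by $target"
}
```

Confirming the role holders before demoting the production domain controllers matters, because dcpromo on a server that still holds a role will try to transfer it during demotion, and a failed transfer at that point leaves the role orphaned in a forest you are about to retire.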
Demoting Production Domain Controllers
Because the old Active Directory forest will be retired, you need to run dcpromo on the remaining domain controller servers and demote them from domain controller duties. This effectively makes them member servers in the domain and leaves the temporary server built in the preceding section as the only functional domain controller.
In the merger example, as illustrated in Figure 3, SFDC01, SFDC02, LADC01, and SDDC01 are all demoted to member servers, and only SFDCTEMP01 remains as a domain controller.