One of the best ways to
understand how to accomplish a migration is to look at others who have
had successful migrations. Microsoft offers a number of case studies on
its Web site at http://www.microsoft.com/windowsserver2003/evaluation/casestudies/default.aspx?ddiDirectoryID=65.
In this section, I have shared some migrations I've been involved with as well.
County Government Office
Although I did not get permission to use this
customer's name, this is an excellent example of a very small migration.
This was a small department of a county government in the western
United States. The department had an existing Windows NT 4.0 domain, and
a hundred or so users who were mostly at one site, although a few were
at two other sites and a few were roaming users. The department had an
IT staff of only three, and its DNS services were supplied by the county
IT department. In addition, the department had a mission-critical
application that mainly allowed the users to use templates and create
reports. All of this was stored on a server, and the department wanted
some redundancy. We performed the assessment and design. The namespace
was designed to be a single domain with a migration strategy of starting
from scratch because of the following:
With hardware reaching end of life, and with
fewer than 200 users, the department opted to purchase new hardware,
create the domain infrastructure, and then just create new user accounts
rather than migrate the old Windows NT users. So, this was not a
migration, but a re-creation.
With more
groups than I could imagine for an organization this size, most of which
were not even used anymore, the new domain structure let the department
start from scratch on groups as well.
The department faced an interesting problem. Because
this office was subordinate to the county government, and no other
departments were ready to go to Windows 2000 at the time, they needed a
strategy to move to Windows 2000, without having to tear it down when
the county government moved to Windows 2000 and created a new domain
structure. In addition, because they were receiving DNS services from
the county IT department, they were concerned about disrupting the
county's DNS structure. They wanted to be autonomous, but have the
flexibility to join the county later when they migrated to Windows 2000.
We proposed the solution illustrated in Figure 1.
The key to this working was to get the county to agree to a name for
the county's Windows 2000 forest when they migrated to Windows 2000.
After the name was decided (and the current DNS namespace was a
reasonable name to suggest), our customer could do the following:
1. Decide on the department's domain name (i.e., Dept2.County.gov).

2. The department will create the County.gov forest and County.gov root domain and simply host it on its hardware until the county moves to Windows 2000. Then, all they have to do is add DCs to the domain and decommission the two County.gov DCs that the department created.

   Note: Schema changes could be introduced into the forest by this department's IT staff by installing applications that make schema changes. They could also make custom changes. In both cases, these changes will be a permanent part of the schema. The forest will have to live with those changes.

3. Identify the IP address of the Windows 2000 DNS that will host the temporary County.gov domain, and then ask the county IT department for a DNS delegation for the following zones:

   _msdcs.county.gov
   _sites.county.gov
   _Tcp.county.gov
   _udp.county.gov

   They would also have to ask the county IT department to create the A record for every host that will not be resolved in the root domain, which would include every DC in the root domain and any other root domain resources.

4. Create the County.gov domain.

5. On the Windows 2000 DNSs hosting County.gov, delegate the dept2.county.gov zone to DNSs hosting the department's domain. Because the county IT department controls the county.gov domain/zone, the county department would be the one to create (another) delegation for the dept1.county.gov zone—this would not be done within the root AD domain. In addition, note that the W2K DNSs in the root do not host the county.gov zone, only subzones of that zone via the delegation in step 3.

6. Create the department's domain with DNSs.
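A check for the step 3 delegations, as an added example that is not part of the original text: it parses a constructed fragment of the county's BIND zone data and reports any of the four zones that is not delegated, and any name server under county.gov that has no A record there. The host names w2kdns1 and rootdc2 and the 192.0.2.x addresses are placeholders.

```python
# Constructed sample of the county's BIND zone data for county.gov.
# w2kdns1/rootdc2 and the 192.0.2.x addresses are placeholders, not from the page.
ZONE = """\
$ORIGIN county.gov.
_msdcs   IN NS w2kdns1.county.gov.
_sites   IN NS w2kdns1.county.gov.
_Tcp     IN NS w2kdns1.county.gov.
_udp     IN NS w2kdns1.county.gov.
w2kdns1  IN A  192.0.2.10
rootdc2  IN A  192.0.2.11
"""

REQUIRED = ("_msdcs", "_sites", "_tcp", "_udp")  # the four zones from step 3


def parse_zone(text):
    """Parse simple 'name IN TYPE value' lines into NS and A maps keyed by FQDN."""
    origin, ns, a = "", {}, {}
    for raw in text.splitlines():
        parts = raw.split(";")[0].split()      # drop comments, tokenize
        if len(parts) == 2 and parts[0].upper() == "$ORIGIN":
            origin = parts[1].lower().rstrip(".")
        elif len(parts) == 4 and parts[1].upper() == "IN":
            name, _, rtype, value = parts
            name = name.lower()                # DNS names are case-insensitive
            fqdn = name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"
            if rtype.upper() == "NS":
                ns.setdefault(fqdn, []).append(value.lower().rstrip("."))
            elif rtype.upper() == "A":
                a[fqdn] = value
    return origin, ns, a


def check_delegations(text):
    """Return a list of problems; an empty list means step 3 is satisfied."""
    origin, ns, a = parse_zone(text)
    problems = []
    for label in REQUIRED:
        zone = f"{label}.{origin}"
        if zone not in ns:
            problems.append(f"no delegation for {zone}")
            continue
        for target in ns[zone]:
            # The Windows 2000 DNS servers do not host county.gov itself, so
            # their own host names must resolve from the county's zone.
            if target.endswith("." + origin) and target not in a:
                problems.append(f"{zone}: no A record for {target}")
    return problems


if __name__ == "__main__":
    print(check_delegations(ZONE) or "all four delegations present")
```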
Of course the other option would have been to just
create a single autonomous domain, forward out-of-domain requests to the
county IT DNS, and then migrate users, computers, groups, and member
servers when the county Windows 2000 forest was created. Windows Server
2003's Kerberos Trusts would now allow each of the departments to have
its own forest with appropriately configured trusts to allow
authentication as needed, allowing even more flexibility for this
environment. This would eliminate the dependency on selecting a root
domain name as well as not binding the county to any schema changes made
by the departments because each would have its own autonomous forest.
The DNS structure described is a bit unorthodox, but
uses the strategy that Compaq used.
Clients in the child domain find SRV records in the root by going to
the county.gov BIND server and then getting referred to the Windows 2000
DNS server that hosts the four SRV zones.
When the county was ready to migrate, it could add
additional DCs as needed for the existing county.gov domain (probably
adding some in additional sites). It could then create the OU structure,
add groups, and so on. Then, it could migrate the users and groups,
computer accounts, member servers, and so on, much like a restructure
plan would work. This is very similar to HP's migration into the Compaq
namespace, described in the HP case study in the next section,
though on a much smaller scale. Of course, the key to this whole plan
is getting the county to decide on a Windows 2000 domain name.
Note: This approach could be used in other instances where
one business unit—perhaps one company whose parent is a holding
company—is ready to migrate, but the parent and peers are not.
This migration could have been helped by Windows
Server 2003's Domain Rename feature, removing the dependency on getting
the county to decide on a name. The department could have just created a
root domain with a placeholder name, handled its own DNS, and forwarded
to the county DNS servers. When the county moved to Windows 2003, the
department could rename its root domain and leave everything intact.
Although Domain Rename could be used in this situation, it's a poor
design that creates a namespace with the intention of renaming it later
on. Remember that Domain Rename is not trivial. In addition, if the
department had installed applications that did not support Domain
Rename, then this plan would fail.
Migration from Windows 2000 to Windows Server 2003 in an infrastructure this small would require a simple in-place upgrade.