Module 3: Developing a Domain Upgrade Strategy
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, MS, Windows, Windows NT, Active Directory, and Windows 2000 are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted.
Other product and company names mentioned herein may be the trademarks of their respective owners.
Project Lead/Instructional Designer: Sangeeta Garg (NIIT (USA) Inc.)
Lead Program Manager: Angie Fultz
Instructional Designer: Robert Deupree (S&T OnSite)
Subject Matter Expert: Brian Komar (3947018 Manitoba Inc)
Technical Contributors: John Pritchard, Greg Parsons, David Cross, Rodney Fournier, Tony de Freitas, Christoph Felix, Shaun Hayes, Megan Camp, Richard Maring, Glenn Pittaway, Anne Hopkins, Bob Heath, Jeff Newfeld, Jim Glynn, Paul Thompson (Mission Critical Software, Inc.), David Stern, Lyle Curry, Steve Tate, Bill Wade (Wadeware LLC)
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T Onsite)
Testers: Testing Testing 123
Instructional Design Consultants: Susan Greenberg, Paul Howard
Instructional Design Contributor: Kathleen Norton
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editors: Marilyn McCune (Sole Proprietor), Wendy Cleary (S&T OnSite), Jane Ellen Combelic (S&T OnSite)
Copy Editor: Shawn Jackson (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Onsite)
Multimedia Development: Kelly Renner (Entex)
Courseware Testing: Data Dimensions, Inc
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T Onsite)
Manufacturing Support: Laura King (S&T Onsite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Managers: Dean Murray, Ken Rosen
Group Product Manager: Robert Stewart
Instructor Notes
This module provides students with the ability to analyze their Microsoft® Active Directory™ directory service design goals and successfully plan an upgrade strategy. The module starts by looking at the factors to consider when examining the Active Directory design and then provides a step-by-step methodology for creating an upgrade plan.
At the end of this module, students will be able to:
• Examine the Active Directory design of an organization.
• Plan a domain upgrade to Active Directory.
Lab A, Developing a Domain Upgrade Strategy, is a scenario-based planning lab. The students will collect information concerning the current domain model, DNS infrastructure, and proposed site topology. Based on the information gathered, the students will then work in groups to design an upgrade strategy that meets the business needs of the scenario presented.
The instructor will keep discussions and decisions regarding mapping designs focused on business needs.
Materials and Preparation
This section provides you with the required materials and preparation tasks that are needed to teach this module.
Required Materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 2010A_03.ppt
• Module 3, “Developing a Domain Upgrade Strategy”
Preparation Tasks
To prepare for this module, you should:
• Read all of the materials for this module.
• Read all the delivery tips.
• Complete the lab.
• Read the white paper, “Planning Migration from Microsoft Windows NT to Microsoft Windows 2000,” on the Student Materials compact disc.
• Read chapter 9 of the Windows 2000 Server Deployment Planning Guide, “Planning the Active Directory Structure,” on the Student Materials compact disc.
• Read chapter 10 of the Windows 2000 Server Deployment Planning Guide, “Determining Domain Migration Strategies,” on the Student Materials compact disc.
• Read chapter 13 of the Windows 2000 Server Deployment Planning Guide, “Automating Server Upgrade and Installation,” on the Student Materials compact disc.
Use the following strategy to present this module:
• Introduction to Developing a Domain Upgrade Strategy. The module begins with a summary of what a domain upgrade is and what it accomplishes. Provide an overview of the upgrade planning process.
• Analyzing an Active Directory Design. The Active Directory design is the goal of the migration project: the final, ideal infrastructure. In previous migration planning steps, the Active Directory design was examined to ensure goal alignment. After an organization selects domain upgrade as a migration path, the plans for Active Directory should be re-examined to provide focus for the upgrade planning process and ensure that the goals of that design are incorporated in the domain upgrade plan. This section serves as a sort of pre-upgrade planning checklist, because any issues that are uncovered in this examination must be resolved prior to proceeding with the planning of the upgrade.
Begin by explaining the need for examining the Active Directory design and what this examination involves.
Explain the planning considerations involved when examining the forest design, site design, and administrative and security plan.
Emphasize that a single-forest environment is the simplest to create in an upgrade scenario. Upgrading to multiple forests, by contrast, is complicated and requires careful analysis, because multiple-forest environments are commonly considered to solve politically based administrative issues. Ensure that students have a clear understanding of a forest and its components before discussing the impact of upgrading to a single- or multiple-forest environment.
Remind students that directory-aware applications store information in the Configuration container that applies forest wide. For example, Active Directory stores information about the physical network in the Configuration container and uses the information to guide the creation of replication connections between domain controllers. The schema defines the objects that can be created in the forest. Remind students that the cost of adding a forest includes added domain and hardware maintenance, maintenance of multiple schemas and configuration containers, explicit trust maintenance if users require inter-forest access to resources, and end-user training to locate inter-domain resources.
Explain the need for validating the site design against current environment and migration goals, and how to resolve any conflicts that arise. Ensure that students have a clear understanding of sites and how upgrading affects site implementation (and vice versa). Emphasize that Active Directory–aware clients use sites to locate the closest domain controller for logon authentication, resource authorization, and global catalog searches. Explain that the site-link cost values determine the path that replication will take through your network.
Make sure that students understand that during the upgrade, there are essentially two environments to support, administratively. The upgrade plan must define how Active Directory will be administered during the upgrade and how the old administrative model will be phased out.
While upgrade preserves permissions and security principals, domain upgrade can compromise security because transitive trusts allow administrators more freedom than one-way trusts allow. The upgrade plan should define transition measures and procedures to protect group membership and resource access.
• Planning a Domain Upgrade. This section describes the steps for planning the upgrade from Microsoft Windows NT® version 4.0 to Active Directory.
During this section, students may have many questions about the impact an upgrade has on network services. Tell them that the next module covers this information and defer their questions until then.
Begin by introducing the upgrade planning process and then show the video of Microsoft’s upgrade of their largest domain. The video demonstrates the ease of performing a domain upgrade, provided that proper planning has been done. As the video demonstrates, the only issue Microsoft encountered during upgrade was with accounts that were defined in a secondary application’s information store. Tell your students that this problem can be avoided if they follow the recommendations to document user accounts and information stores.
Explain the upgrade paths for computers running earlier versions of the Microsoft Windows® operating system.
Make sure students understand all the components of creating a recovery plan that allows them to roll back to the pre-upgraded Windows NT domain. Next, describe the guidelines for choosing the order of upgrading domains.
Make sure students understand that any domain can be upgraded first, and subsequent domains can be upgraded in any order. If the domain hierarchy defined in the Active Directory design does not dictate the order, many other factors can help organizations determine the appropriate order.
Explain the difference between mixed mode and native mode operations, emphasizing that the mode in which a domain runs does not affect client functionality. Switching to native mode does not require client computers to run Windows 2000. A native mode domain can consist of a mixed environment of many types of client operating systems. Help students understand the reasons why an organization might choose to stay in mixed mode, but encourage them to switch to native mode—the final Windows 2000 operational state—as soon as possible to realize the full benefit of Active Directory. Using the table in the student notes, discuss the Windows 2000 Server features available in mixed mode, and those available only by switching to native mode.
At the end of this module, you will be able to:
• Examine the Active Directory design of an organization.
• Plan a domain upgrade to Active Directory.
Domain upgrade can be gradual and performed without interrupting production operations. Upgrading is a process designed to maintain as much of your current environment as possible, and it accomplishes the following:
• Maintains the existing Windows NT 4.0 domain model.
• Maintains access to Windows NT domains by using existing Windows NT downlevel trust relationships.
• Maintains user account passwords so that users log on to the same account domain by using the same password.
• Maintains compatibility with Windows NT domain controllers and servers.
The Active Directory design, completed prior to migration planning, is the goal of a domain upgrade. Before you can develop an upgrade plan, the Active Directory design must be examined to identify the goals for the future infrastructure. The goals must be incorporated into the upgrade strategy to ensure alignment of the Active Directory vision and upgrade goals, to ensure the desired Active Directory infrastructure will be achieved, and to prevent deployment conflicts.
During the initial stages of developing a migration strategy, you identified your business and migration goals. If the outcome of this process led you to decide that upgrading your Windows NT 4.0 domain model is the preferred approach to achieving the infrastructure in your Active Directory design, you need to examine the proposed Active Directory structure to:
• Determine whether the design proposes a single-forest or a multiple-forest environment, and whether the design will solve any administrative issues.
• Examine the site design to identify and address any issues that may present barriers to upgrading your domain model, and ensure that it does not impact your ability to meet your migration goals.
• Examine the administration and security plans to determine when to make the new features available in the upgraded environment so that the upgrade process is not disrupted, the order in which the features will be deployed, and what must be validated in the test environment.
During an upgrade, it is critical to protect the business and migration goals in a way that ensures the successful deployment of the Active Directory design.
Single Versus Multiple Forests
Upgrading to a Multiple-Forest Environment
Because forests have shared elements, such as schemas, it is necessary for all the administrators of a forest to agree on the content and administration of those shared elements.
Organizations may require multiple forests in the upgraded environment to:
• Prevent cross-divisional administration. For example, some organizations with distinct divisions may require a decentralized administrative model, which completely separates the administrators of each division.
• Accommodate the differences in the way administrators want to manage the forest-wide Active Directory components. For example, if administrators disagree on how to manage the schemas or forest-wide group membership, multiple forests may be defined.
• Restrict resource access and resource assignment provided by transitive trusts. Within a forest, default transitive trusts between domains allow resource permissions to be assigned to users from any domain in the forest. Between forests, the absence of default trusts prevents domain administrators from assigning resource permissions to security principals outside their forests.
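The widening of resource assignment by transitive trusts, which is also why the upgrade plan needs transition measures for resource access, can be reviewed before the upgrade by listing the trust paths that will exist only afterward. The following Python sketch is an added example, not part of the course material; the domain names and trust sets are constructed sample data, and explicit inter-forest trusts are modelled as one-way and non-transitive (an assumption of this sketch).

```python
from collections import defaultdict, deque

# Constructed sample data. A pair (trusting, trusted) means administrators of
# the trusting domain can assign resource permissions to principals of the
# trusted domain.
NT4_TRUSTS = {("EUROPE", "CONTOSO"), ("ASIA", "CONTOSO")}   # one-way NT 4.0 trusts
SINGLE_FOREST = {("EUROPE", "CONTOSO"), ("ASIA", "CONTOSO")}  # child-parent, two-way


def nt4_reach(one_way_trusts):
    """NT 4.0 trusts are one-way and non-transitive: only explicit pairs exist."""
    return set(one_way_trusts)


def forest_reach(two_way_trusts, explicit_trusts=()):
    """Trusts inside a forest are two-way and transitive, so follow them to a
    fixed point. Explicit trusts between forests are added as-is (one-way)."""
    neighbours: dict[str, set[str]] = defaultdict(set)
    for a, b in two_way_trusts:
        neighbours[a].add(b)
        neighbours[b].add(a)
    reach: set[tuple[str, str]] = set()
    for start in list(neighbours):
        seen, queue = {start}, deque([start])
        while queue:  # breadth-first walk over the two-way trust links
            for nxt in neighbours[queue.popleft()] - seen:
                seen.add(nxt)
                queue.append(nxt)
        reach |= {(start, other) for other in seen if other != start}
    return reach | set(explicit_trusts)


def new_trust_paths(before, after):
    """Pairs that exist only after the upgrade: the list to review."""
    return sorted(after - before)


if __name__ == "__main__":
    before = nt4_reach(NT4_TRUSTS)
    # Case 1: all three domains upgraded into one forest.
    for pair in new_trust_paths(before, forest_reach(SINGLE_FOREST)):
        print("single forest, new path:", pair)
    # Case 2: ASIA kept in its own forest with its old one-way trust retained.
    two_forests = forest_reach({("EUROPE", "CONTOSO")}, {("ASIA", "CONTOSO")})
    for pair in new_trust_paths(before, two_forests):
        print("two forests, new path:", pair)
```

In the single-forest case four new paths appear, including resource-domain administrators reaching each other's principals; keeping ASIA in a separate forest leaves only the reverse CONTOSO-to-EUROPE path.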
Upgrading to a multiple-forest environment is more complex because it requires planning multiple-forest root and child domain hierarchies. While Information Technology (IT) concerns and needs should be addressed in the Active Directory design and migration goals, those issues should not obscure or outweigh the needs of the business it supports.
• Users stand to lose the most from a multiple-forest environment. They will not have a single, consistent view of the Active Directory hierarchy, and accessing resources across forests must be manually configured. These issues add risk to an upgrade and can lead to unpredictable results when measuring the success of a migration.
Important: Carefully consider the long-term impact of a multiple-forest upgrade before deployment. If the forests need to be merged in the future, restructuring is the only way to move domains and domain objects between forests.
The sequence of implementing sites and upgrading domains can also have a significant impact on the logon and replication traffic during an upgrade.
Comparing the Site Design to the Current Environment
By comparing the proposed site design with the information gathered about the current environment, you validate the design and identify opportunities to proactively address issues that may present barriers to performing domain upgrades, such as:
• Proposed site link costs that would saturate a wide area network (WAN) connection with domain-upgrade-related replication traffic and affect access to key business applications during hours of peak usage.
• Presence or planned implementation of site-aware applications, such as Microsoft Exchange Server 2000 and Distributed file system (Dfs).
• Insufficient number of current domain controllers in each key site, which may require the installation of additional domain controllers during the upgrade to provide fault tolerance.
If circumstances in the current network environment prevent the site design from being successfully implemented during your upgrade, it is important to resolve these issues before beginning your upgrade to avoid migration setbacks.
Comparing the Site Design to Migration Goals
Compare the proposed site design to the migration goals to ensure that the design does not impact your ability to meet the migration goals and proactively resolve any inconsistencies you discover, for example:
• If one of the migration goals is to ensure high availability of data stored in Active Directory during and after migration, but your site design places only one domain controller in a site.
• If one of the business goals is to maintain worldwide availability of an inventory database, but your site design proposes a replication schedule within a site that conflicts with peak usage on a WAN link required to access the application.
• If a business goal is to complete migration in nine months, but the site topology design will require installation of 10 new high-speed WAN connections requiring 12 months of negotiation, permits, and installation.
Preventing Site Design Conflicts
Conflict between the site design and migration goals represents considerable risk to the migration project and must be resolved before an upgrade begins. You can prevent conflicts by ensuring that:
• There is a business need for the proposed site design.
• The business need is reflected in the migration goals.
• The Active Directory design goals align with the migration goals.
Note: For more information on planning site topology design, see course 1561B, Designing a Microsoft Windows 2000 Directory Services Infrastructure.
Note: For information on how to control logon and replication traffic during the upgrade, see module 4, “Minimizing the Impact on Network Operations During an Upgrade,” in course 2010A, Designing a Microsoft Windows 2000 Migration Strategy.
IT to keep focused on the upgrade without disruption
If your Active Directory design defines new administrative functions made available by Active Directory that must be implemented, your upgrade plan should:
• Reflect the administrative features that will be adopted and when they will be implemented during the upgrade process.
• Define a process to transition to the new administrative model as the upgrade proceeds. This interim administrative model should, at a minimum, identify who is managing what during the upgrade.
Prior to beginning an upgrade, validate the proposed administrative plan by testing, in a lab environment, the Active Directory design for the organizational unit (OU) hierarchy, delegation of administration, and Group Policy deployment, to ensure that the implementation of these features causes them to complement and support one another in a way that meets the migration goals.
Note: For more information on planning a migration test, see The Windows 2000 Server Deployment Planning Guide.
When verifying your security plan during the earlier stages of migration planning, you may discover security gaps, outdated policies, or redundancies. Be sure, when comparing the existing security infrastructure with the features proposed by the Active Directory design, that you resolve these issues in a way that does not disrupt the upgrade process.
Note: For more information on designing a security plan, see course 2150A, Designing a Secure Microsoft Windows 2000 Network. For more information on Active Directory security and administration features, see course 1561B, Designing a Microsoft Windows 2000 Directory Services Infrastructure.
Planning a Domain Upgrade
[Slide: Determine an upgrade path; develop a recovery plan; determine the order for upgrading domains; determine a strategy for upgrading domain controllers]
an upgrade, you need to perform the following steps:
1. Determine if your current operating system can be upgraded directly to Windows 2000.
2. Develop a recovery plan that will prevent accidental data loss during upgrade. This will ensure that you can roll back to the original configuration.
3. Determine the order for upgrading domains. Your choice depends on your overall upgrade goals. For example, if an existing domain is to become the forest root, you must upgrade that domain first. The DNS domain names in use in your organization and the names defined in the Active Directory design may also impact the sequence of domain upgrades.
4. Determine your strategy for upgrading domain controllers. For example, after the PDC is upgraded, you may wish to upgrade the BDCs running applications.
5. Determine when to switch to native mode to take advantage of all Active Directory features.
6. Identify post-upgrade tasks, such as optimizing memory settings, or reviewing the Event Viewer.
For more information on the upgrade of the Redmond domain at Microsoft, see the video on the Student Materials compact disc.
[Slide diagram: upgrade paths for PDCs, BDCs, and member servers, from Windows NT 3.1 or 3.5 and Windows NT 3.51 or 4.0 to Windows 2000 member servers and, optionally, Windows 2000 domain controllers]
When planning your upgrade, you must determine if your current operating system can be upgraded directly to Windows 2000. The following table lists the currently supported upgrade paths.
Operating system | Upgrade to Windows 2000 Server | Upgrade to Windows 2000 Advanced Server
If you find that a direct upgrade of your operating system is not supported, you must perform an interim upgrade to an operating system that is supported, such as Windows NT 3.51 or Windows NT 4.0. You must reflect any intermediate upgrade steps in your migration plan.
It is strongly recommended that the latest service pack be installed on Windows NT 3.51 and 4.0 Server prior to upgrade.
Windows NT 4.0 BDCs can be upgraded to join a Windows 2000 forest.
Developing a Recovery Plan
[Slide, partially recoverable: ... and applications running on the PDC and BDCs; 3. Back up services and applications to tape; 4. Fully synchronize all BDCs with the PDC; 5. Take one fully synchronized BDC offline; 6. Keep this BDC offline and available until after migration]
It is important that you develop a recovery plan to prevent accidental data loss during upgrade. This plan should include details of how you will back up domain controllers, applications, and other data before and during the upgrade.
To ensure that a domain can be rolled back to its pre-upgrade state, your recovery plan should, at a minimum, include the following steps:
1. Add a BDC to any Windows NT domain that contains only a single domain controller. By doing this, you ensure that the domain does not become orphaned if the PDC upgrade fails.
2. Document the configuration of any services and applications running on the PDC and the BDCs of a domain targeted for an upgrade, such as file and print services, DHCP, or DNS.
3. Back up all services and applications to tape, and then test the backup tapes by performing a restoration.
4. Use Windows NT Server Manager to fully synchronize all BDCs with the PDC to ensure the Security Accounts Manager (SAM) database is fully up-to-date.
5. Take one fully synchronized BDC offline before any upgrades are performed to preserve the security principals that reside in the SAM database of the Windows NT 4.0 domain.
6. After the upgrade is finished, keep the BDC online and make it available
If any problems arise during migration, you can remove all computers running Windows 2000 from the production environment, promote the offline BDC to a PDC, and then bring the BDC back into your network. This new PDC will replicate its data to any remaining Windows NT 4.0 BDCs, returning the domain to its previous state.
Important: Periodically turn on the protected BDC during the upgrade process while the domain is still in mixed mode to update its directory information. Otherwise all changes made to the SAM while the BDC was offline will be lost.
Determining the Order for Upgrading Domains
[Slide]
Upgrading Account Domains
• Domains where you have easiest access to the domain controllers
• The smallest domain first
• Domains that will contain objects from restructured domains
Upgrading Resource Domains
• Domains in which applications require Windows 2000 features
• Domains with many workstations
• Domains that will contain objects from restructured domains
Upgrading an Existing Domain as the Forest Root: nwtraders (Windows NT 4.0 domain), nwtraders.com
Using a Dedicated Domain as Forest Root: Contoso.com; europe and asia (Windows NT 4.0 domains), europe.contoso.com and asia.contoso.com
After you have created a recovery plan, your next step is to determine which domain to upgrade first, and the upgrade order of subsequent domains.
Defining the Forest Root
The first domain created in Active Directory is the starting point, or root, of the Active Directory. All other domains are derived from this initial domain. Examine the Active Directory design to determine if the forest root requires:
• Using a dedicated domain as the forest root. If your Active Directory design requires a dedicated forest root, your upgrade plan must include steps for creating an additional, dedicated domain to serve solely as the forest root. The creation of this domain needs to occur before any actual upgrades are performed.
• Upgrading an existing domain to the forest root. If the Active Directory design does not define a dedicated domain, an existing Windows NT 4.0 domain can be upgraded as the forest root.
Upgrading Account Domains
As a general rule, you will get the most benefit from upgrading your account domains first because there are usually more user accounts to administer than computer accounts. By first upgrading account domains to Windows 2000, you will realize an immediate benefit from:
• Improved scalability of Active Directory. Many organizations are pushing the upper bounds of the recommended SAM size with their existing numbers of user and group accounts.
• Delegated user administration. The ability to precisely control
If there is more than one account domain, the following guidelines should help you choose the order in which to upgrade them:
• Physical access. Though you will have tested your upgrade strategy in a lab, or through a pilot test, the first live upgrade will be the riskiest because it directly impacts the production environment. To mitigate risk, you should upgrade domains where you have the easiest physical access to the domain controllers.
• Mitigate risks and disruption. If there is more than one account domain to upgrade, you may wish to upgrade the smallest first so that you minimize disruption to the most possible users, particularly while you are gaining experience with the process.
• Targets of account domain restructure. If you are planning to restructure some domains, upgrade the domains that will contain objects from restructured domains early in the process. You cannot consolidate domains into a target that does not exist.
• Domains with many workstations. Next, you should upgrade domains with many workstations, so that you can take advantage of Windows 2000 infrastructure such as Microsoft IntelliMirror™.
• Targets for resource domain restructure. Just as with account domains, if you are planning restructure of your domains, upgrade domains that will contain objects from restructured domains early on. You cannot consolidate domains into a target that does not exist.
After the operating system upgrade of a PDC, the Active Directory Installation wizard automatically starts and requires that you choose to join an existing domain, tree, or forest, or create a new domain, tree, or forest. When upgrading the PDC to create a new Windows 2000 domain, you are also required to define the DNS name of the domain.
You must not randomly choose the DNS name of a new domain. The Active Directory design defines the DNS namespace that should be used when creating Windows 2000 domains. For more information on designing a DNS infrastructure for Active Directory, see course 1561B, Designing a Microsoft Windows 2000 Directory Services Infrastructure.
If you do not want the existing PDC to be upgraded first, you can select and promote a more desirable BDC. This demotes the original PDC.
Running the Active Directory Installation wizard installs all the necessary components on the domain controller, such as the directory data store and the Kerberos version 5 protocol used in authentication. Upgrading preserves existing user, group, and computer accounts by copying the existing SAM security principals from the registry to the new data store. Existing Windows NT built-in groups are placed into the built-in container, whereas global and local groups are placed in the Users container. When the PDC of a child domain is upgraded to create a new domain, transitive trust relationships are automatically established to the parent domain during the Active Directory installation.