
Module 4: Minimizing the Impact on Network Operations During an Upgrade


Title: Minimizing the Impact on Network Operations During an Upgrade
Authors: Sangeeta Garg (NIIT (USA) Inc.), Angie Fultz, Robert Deupree (S&T OnSite), Brian Komar (3947018 Manitoba Inc), John Pritchard, Greg Parsons, David Cross, Rodney Fournier, Tony de Freitas, Christoph Felix, Shaun Hayes, Megan Camp, Richard Maring, Glenn Pittaway, Anne Hopkins, Bob Heath, Jeff Newfeld, Jim Glynn, Paul Thompson (Mission Critical Software, Inc.), David Stern, Lyle Curry, Steve Tate, Bill Wade (Wadeware LLC)
Supervisors: Lynette Skinner, Marilyn McCune (Sole Proprietor), Wendy Cleary (S&T OnSite), Jane Ellen Combelic (S&T OnSite), Shawn Jackson (S&T Consulting)
Institution: Microsoft Corporation
Subject area: Network Operations and Upgrades
Document type: Course material
Year of publication: 2000
Pages: 48
File size: 1.43 MB


Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, MS, Windows, Windows NT, Active Directory, and Windows 2000 are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Project Lead/Instructional Designer: Sangeeta Garg (NIIT (USA) Inc.)
Lead Program Manager: Angie Fultz
Instructional Designer: Robert Deupree (S&T OnSite)
Subject Matter Expert: Brian Komar (3947018 Manitoba Inc)
Technical Contributors: John Pritchard, Greg Parsons, David Cross, Rodney Fournier, Tony de Freitas, Christoph Felix, Shaun Hayes, Megan Camp, Richard Maring, Glenn Pittaway, Anne Hopkins, Bob Heath, Jeff Newfeld, Jim Glynn, Paul Thompson (Mission Critical Software, Inc.), David Stern, Lyle Curry, Steve Tate, Bill Wade (Wadeware LLC)
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T Onsite)
Testers: Testing Testing 123
Instructional Design Consultants: Susan Greenberg, Paul Howard
Instructional Design Contributor: Kathleen Norton
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editors: Marilyn McCune (Sole Proprietor), Wendy Cleary (S&T OnSite), Jane Ellen Combelic (S&T OnSite)
Copy Editor: Shawn Jackson (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Onsite)
Multimedia Development: Kelly Renner (Entex)
Courseware Testing: Data Dimensions, Inc
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T Onsite)
Manufacturing Support: Laura King (S&T Onsite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Managers: Dean Murray, Ken Rosen
Group Product Manager: Robert Stewart


At the end of this module, students will be able to:

• Examine existing network services and develop a strategy for ensuring their reliability during an upgrade.

• Determine how a domain upgrade will modify existing security and develop a strategy for maintaining desired security levels during the upgrade.

• Determine in advance how server applications will behave in a Windows

To teach this module, you need the following materials:

• Microsoft PowerPoint® file 2010A_04.ppt

• Module 4, “Minimizing the Impact on Network Operations During an Upgrade”

Preparation Tasks

To prepare for this module, you should:

• Read all of the materials for this module.

• Read all of the delivery tips.

• Complete the lab.

• Read chapter 10 of the Windows 2000 Server Deployment Planning Guide, “Determining Domain Migration Strategies,” on the Student Materials compact disc.

• Read chapter 21 of the Windows 2000 Server Deployment Planning Guide, “Testing Applications for Compatibility with Windows 2000,” on the Student Materials compact disc.

• Read chapter 23 of the Windows 2000 Server Deployment Planning Guide, “Defining Client Administration and Configuration Standards,” on the Student Materials compact disc.


Module Strategy

Use the following strategy to present this module:

Make sure that students understand that the strategies outlined in this module are steps that must be added to the basic upgrade plan if an organization’s current network environment warrants it. Not all upgrade plans will include all strategies outlined in this module.

Be prepared throughout this module to provide a quick review of each service to students who may not have an extensive Windows NT 4.0 background. You may wish to use the Glasgow computer in class to demonstrate various Windows NT 4.0 tools or to draw comparisons.

This module is one of the longer modules of the course. Consider taking a short break in the middle of the module. Keep students’ attention and interest by asking questions about what services, security, needs, or requirements exist in their environment and how each topic might impact them.

• Maintaining Network Services During an Upgrade. For many students, network reliability will be the area of greatest concern. Several of the topics in this section discuss differences in the way that Windows NT 4.0 and Windows 2000 manage common networking services. Although these topics reveal potential pitfalls, you will also discuss why other areas should not be an issue during the domain upgrade. Emphasize the importance of careful planning when considering network reliability.

Be prepared to provide a short review of basic concepts of the Domain Name System (DNS), to put the first topic of this section into context for students who lack prerequisite knowledge.

You may wish to summarize a few of the benefits of Active Directory integrated zones. Consolidating DNS and Active Directory replication eliminates the need to maintain multiple replication topologies; multi-master writes eliminate the single point of failure in the DNS hierarchy, and secure dynamic updates prevent unauthorized changes to resource records.

Whichever method is chosen for DNS server upgrades, it is best if the DNS server that holds the primary zone data is a Windows 2000 Server to support SRV (service) resource records and dynamic update.

The proper SRV record format in the zone text files on a Windows NT 4.0 DNS server is maintained and is displayed once the DNS server is upgraded.

Supporting LAN Manager replication during an upgrade is a rather complex topic because it involves many different components and steps. Make sure that students begin with a clear understanding of the difference between NTLM protocol replication, File Replication service (FRS) and multi-master replication. Students may have many questions on this topic, so be prepared to provide background information and communicate the need for planning this service’s integration with Windows 2000.


• Maintaining Security During an Upgrade.

An upgrade to Windows 2000 will have a minimal effect on user accounts, group accounts, user profiles, and trust relationships. Students working with sensitive information will be particularly interested in how changes to trusts affect administrative access. Emphasize that these changes are designed to take advantage of new Active Directory features and will likely result in tightened security in the long term; but in migrating to the new environment, students need to change the way they think about security administration and implementation, and security templates.

• Determining the Impact of an Upgrade on Applications. The only way to determine the impact that an upgrade will have on an application is to perform a test. Emphasize to students that testing applications is just one component of the much larger domain upgrade test. Developing a test plan is covered in more detail in module 7, “Planning to Deploy a Migration Strategy,” of course 2010A, Designing a Microsoft Windows 2000 Migration Strategy.

• Leveraging Existing Directory Information. Many applications store user attributes that can be ported into Active Directory. This topic focuses on Microsoft Exchange 5.5 as an example of how an application information store can be used to facilitate migration operations. Since this is a planning course, you do not need to detail the configuration options of or demonstrate the ADC. Refer students to their compact discs for more information. Emphasize that identifying these types of information stores is an important part of planning the early phases of domain upgrade.

• Maintaining Network Performance During an Upgrade. The key to network performance during an upgrade is site implementation. Be prepared for questions from students that deviate from the topic. Handle their questions in a way that doesn’t distract from the main upgrade-related planning issues. (Students should have a full understanding of replication and topology design from prerequisite courses.) Make sure students understand that the site topology is defined during the Active Directory design, prior to upgrade planning. The key during upgrade is implementing the sites in a timely manner to control replication and logon traffic.


This module explores the effects of a domain upgrade on various components of a Windows NT 4.0 network and suggests planning steps and techniques to reduce or eliminate interruptions during the upgrade.

At the end of this module, you will be able to:

• Examine existing network services and develop a strategy for ensuring their reliability during an upgrade.

• Determine how a domain upgrade will modify existing security and develop a strategy for maintaining your desired security levels during the upgrade.

• Determine in advance how server applications will behave in a Windows


For many network administrators, the biggest risk during a domain upgrade will be potential interruptions to network operations. Because an upgrade will affect numerous network services, careful planning is necessary to ensure a smooth transition. Important planning issues include:

• Examining how Domain Name System (DNS) data will be replicated in a Windows 2000 network so that you can provide reliable DNS naming services during the upgrade.

• Determining your current usage of NetBIOS names so that you can evaluate the possibility of removing the Windows Internet Name Service after the upgrade.

• Identifying normal interruptions to Dynamic Host Configuration Protocol (DHCP) Server services during the upgrade process so that you can maintain maximum reliability.

• Maintaining NTLM protocol replication functionality after Windows 2000 File Replication service (FRS) is implemented.

• Developing a strategy for planning Routing and Remote Access support during the upgrade process.

• Developing a strategy for transitioning from Windows NT 4.0 System Policies to Windows 2000 Group Policy.

• Developing a strategy for transitioning from Windows NT 4.0 logon scripts to Windows 2000 Group Policy.


Upgrading the primary DNS server to Windows 2000, or switching the primary zone to be hosted on a Windows 2000 server, gains the immediate benefit of enabling the configuration of zones to accept SRV resource record registrations and dynamic updates of resource records. DNS zones hosted on a Windows 2000 domain controller can also be configured as Active Directory Integrated.

Upgrading DNS Servers

Your upgrade plan must include upgrading any Windows NT 4.0 DNS services to Windows 2000 DNS services and moving the writable copy of the DNS zone data to Windows 2000. You can do this in one of two ways:

• Upgrade the existing Windows NT 4.0 server containing the DNS primary zone to Windows 2000 and then configure the zone to allow dynamic updates.

If the primary zone is stored on a primary domain controller (PDC), the Active Directory Installation wizard will start after the upgrade is completed. You can configure the zones to allow updates before the wizard


• Install a new Windows 2000 server and configure it as the secondary DNS server for the existing zone. After the zone transfer has taken place, reverse the roles so that the Windows 2000 DNS server is the primary DNS server for the zone. The zone can then be configured to allow dynamic updates. After a domain controller with the DNS service is upgraded to Windows 2000, convert the DNS zone to Active Directory Integrated to take advantage of secure dynamic updates and multi-master writes.

If you do not upgrade the Windows NT 4.0 DNS service to Windows 2000 on at least one DNS server, you must manually add all Windows 2000–related SRV resource records to the zone text file at the primary DNS server.

In the Windows NT 4.0 DNS Manager, SRV records will appear as generic resource records in the interface; however, queries to a Windows NT 4.0 DNS server for SRV resource records will succeed.

• Active Directory-integrated zones cannot be replicated between domains. If you require zones to be hosted on DNS servers in different domains, you will need to configure DNS servers in domains other than the local domain to be secondary DNS zones.

• Windows 2000 DNS servers can be master servers for Windows NT 4.0 DNS servers. Likewise, Windows NT 4.0 DNS servers can be master servers for Windows 2000 DNS servers.


in a Windows 2000 network, it should not be discontinued until you are certain that all computers and applications on the network can function without using NetBIOS name resolution services.

Windows Internet Name Service servers can be managed from both Windows NT 4.0 and from the Windows 2000 toolset.

Removal of the Windows Internet Name Service

You can discontinue the use of the Windows Internet Name Service after the network is completely migrated to Windows 2000 and all computers and applications on your network can function without using NetBIOS naming services. Determining these dependencies is the primary planning issue.


You can disable NetBIOS on Windows 2000 clients by clicking Disable NetBIOS over TCP/IP on the WINS tab of Advanced TCP/IP Settings for a network adapter. Alternatively, you can disable it under Advanced Scope Options for a DHCP scope by clicking the Microsoft Disable NetBIOS option under Microsoft Windows 2000 Options.

Determining the Need for WINS

To determine if WINS is still required to support NetBIOS name resolution, use the Performance console administrative tool for a Windows Internet Name Service server and examine the following counters.

• Windows Internet Name Service Server: Total Number of Registrations/Sec. Total number of unique and group registrations received per second. Consider removing the Windows Internet Name Service server if the registrations are zero. This indicates that there are no clients registering names with the Windows Internet Name Service server.

• Queries/Sec. Rate at which the Windows Internet Name Service server receives NetBIOS queries. A zero value indicates that NetBIOS name resolution is no longer taking place. A value greater than zero might indicate the continued need for the Windows Internet Name Service.

• Successful Queries/Sec. Rate at which the Windows Internet Name Service server successfully resolves NetBIOS queries. A zero value indicates that NetBIOS names are not being resolved successfully. Compare this to Queries/Sec. If both are zero, NetBIOS names are not being resolved through this Windows Internet Name Service server. If queries are taking place but there are few successful queries, then NetBIOS name resolution is taking place. However, the necessary servers are not registering or there are problems with your Windows Internet Name Service replication topology that are preventing all NetBIOS records from being replicated to all Windows Internet Name Service servers.
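The counter interpretation above can be applied to a logged sample set instead of being read off a live graph. The following Python sketch is an added example, not part of the original course material; it assumes the counters were logged to CSV with column titles of the form \\HOST\WINS Server\<counter>, that "few successful queries" means fewer than half, and it uses constructed sample data with a made-up server name WINS01.

```python
import csv
import io

# Counter names as listed in the module, compared in lower case.
REGISTRATIONS = "total number of registrations/sec"
QUERIES = "queries/sec"
SUCCESSFUL = "successful queries/sec"
WANTED = {REGISTRATIONS, QUERIES, SUCCESSFUL}

# Assumption: "few successful queries" means under half of all queries succeed.
LOW_SUCCESS_RATIO = 0.5

# Constructed sample logs (server name WINS01 and all values are made up).
HEADER = (r'"Time","\\WINS01\WINS Server\Total Number of Registrations/sec",'
          r'"\\WINS01\WINS Server\Queries/sec",'
          r'"\\WINS01\WINS Server\Successful Queries/sec"')
IDLE_LOG = HEADER + '\n"09:00","0","0","0"\n"09:15","0","0","0"\n'
FAILING_LOG = HEADER + '\n"09:00","0.2","4.0","0.5"\n"09:15"," ","6.0","0.5"\n'
ACTIVE_LOG = HEADER + '\n"09:00","1.0","4.0","3.5"\n"09:15","0.5","2.0","2.0"\n'


def load_totals(csv_text):
    """Sum each of the three WINS counters over every sample in the log."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    columns = {}
    for index, title in enumerate(header):
        # The counter name is whatever follows the last backslash.
        name = title.rsplit("\\", 1)[-1].strip().lower()
        if name in WANTED:
            columns[index] = name
    missing = WANTED - set(columns.values())
    if missing:
        raise ValueError("counter log lacks: " + ", ".join(sorted(missing)))
    totals = dict.fromkeys(WANTED, 0.0)
    for row in reader:
        for index, name in columns.items():
            try:
                totals[name] += float(row[index])
            except (ValueError, IndexError):
                continue  # blank or truncated sample cell: ignore it
    return totals


def assess(csv_text):
    """Classify a WINS server using the interpretation given in the module."""
    totals = load_totals(csv_text)
    registrations = totals[REGISTRATIONS]
    queries = totals[QUERIES]
    successful = totals[SUCCESSFUL]
    if queries == 0:
        # No NetBIOS name resolution is taking place through this server.
        if registrations == 0:
            return "removal-candidate"
        return "clients-still-registering"
    if successful / queries < LOW_SUCCESS_RATIO:
        # Queries arrive but mostly fail: servers are not registering, or
        # WINS replication is not delivering all records to this server.
        return "resolution-failing"
    return "still-required"


if __name__ == "__main__":
    for label, log in (("idle", IDLE_LOG), ("failing", FAILING_LOG),
                       ("active", ACTIVE_LOG)):
        print(label, "->", assess(log))
```

A "removal-candidate" result only covers the logged interval, so the log should span a period long enough to include infrequent NetBIOS-dependent jobs.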


Providing Reliable DHCP Server Services

[Slide: Planning for a DHCP Server Upgrade]

1. Upgrade DHCP Server

2. Upgraded DHCP Server cannot assign IP addresses, provide backup for DHCP services

3. Authorize DHCP Server

4. IP address assignment is re-enabled

The Effect of an Upgrade on DHCP Servers

Dynamically assigned IP addresses will not be distributed during a DHCP server upgrade. When a Windows NT 4.0 Server is upgraded, the DHCP server database will be automatically converted to a newer Jet database version. Until the conversion is complete, DHCP will temporarily register errors in the system log.

Planning for a DHCP Server Upgrade

If DHCP Server services are in use in the domain that you intend to upgrade, ensure that your upgrade plan includes the following additional steps:

• Provide backup DHCP services. During the upgrade, the DHCP server will be unable to provide DHCP-assigned addresses. A backup DHCP server must be provided to renew DHCP leases that expire during the upgrade process.

• Define a process to authorize the upgraded DHCP servers. After upgrade, the DHCP Server service will be unable to service DHCP requests until a member of the Enterprise Admins group authorizes the server in Active Directory. This prevents unauthorized DHCP servers from being implemented on the network and assigning unapproved TCP/IP addresses to clients.


LAN Manager replication service and FRS are distinct services with different configurations. With LAN Manager replication service, a single server (usually a domain controller) hosts an export directory, and a number of domain controllers or member servers import the contents of the export directory to an import folder stored on the server. FRS automatically configures every domain controller to host a replicated System Volume (SYSVOL). Changes made to the contents of the SYSVOL at any domain controller are replicated in multiple-master fashion to all other domain controllers in the domain. Only domain controllers can host the SYSVOL.

The Effect of an Upgrade on Replication Services

A non-upgraded export server will continue to replicate the contents of its export directories to non-upgraded import servers. As Windows NT 4.0 domain controllers are upgraded, the LAN Manager replication service is removed. When the last Windows NT computer is upgraded to Windows 2000, the LAN Manager replication service will be fully removed from the domain.

Maintaining LAN Manager replication remains important while Windows NT 4.0 domain controllers, configured to provide logon scripts and System Policies, are present in the domain and are authenticating clients.


Planning to Integrate Replication Services

Integrating the LAN Manager replication service with FRS will ensure that clients reliably receive required logon scripts and System Policies, regardless of the version of the operating system running on the authenticating domain controller. Integrating the two services will also ensure that updates made to these files are propagated to all domain controllers in the domain.

To reliably provide logon scripts and System Policies to clients in a domain that is being upgraded, it is important that an upgrade plan define the following steps to integrate the LAN Manager replication service and FRS:

• Identify all Windows NT 4.0 export and import servers.

If the export server is the PDC, move the export services to another computer. This allows the PDC to be upgraded and allows LAN Manager replication to continue to replicate scripts and policies for the non-upgraded backup domain controllers (BDCs) remaining in the domain.

If the export server is a BDC, ensure that it is upgraded last so that you do not have to redefine the export server for LAN Manager replication.

• Create a bridge between the Windows NT 4.0 scripts directory and the Windows 2000 NETLOGON share.

The Windows 2000 Resource Kit contains a script file named lbridge.cmd that is used to keep the NETLOGON share in Windows 2000 synchronized with the Windows NT 4.0 export server. Files are copied from the Windows 2000 NETLOGON share to the Windows NT 4.0 export directory structure. They are not copied in the reverse direction. The contents of the Windows NT 4.0 export directory will be replaced by the contents in the Windows 2000 NETLOGON share.

Make Windows NT 4.0 administrators aware of this change because they cannot continue to update logon scripts and System Policies at the Windows NT 4.0 export server.

• Maintain the bridge between the replication systems.

Scheduled Tasks in the Windows 2000 Control Panel can be configured to periodically run the lbridge.cmd script. An interval of two hours is commonly configured.

• Reconfigure the LAN Manager replication service as the upgrade proceeds.

As you upgrade each import server to Windows 2000, remove the upgraded server from the list of servers to which the export server replicates.

• Decommission the bridge between the replication systems.

The LAN Manager replication configuration will cease when the final Windows NT 4.0 computer involved in directory replication is upgraded to Windows 2000. At this time, the lbridge.cmd task can be removed from the Scheduled Tasks listing.


NT 4.0 environment

The main issue with remote access during a domain upgrade occurs when one or more Windows NT 4.0 domain controllers have been upgraded, and downlevel remote access servers are still present. Without proper planning, the interoperability of remote access services in a mixed environment can cause legitimate dial-in users to be denied remote network access.

The Effect of an Upgrade on Routing and Remote Access

RAS and RRAS in Windows NT 4.0 use the LocalSystem account to determine if a user has dial-in permissions and whether any other dial-in settings, such as call-back phone numbers, have been configured.

When a service logs on as LocalSystem, it logs on with NULL credentials, meaning that the service does not provide a user name or password. By default, Active Directory does not accept querying of object attributes through NULL sessions. In a mixed environment, remote users will be successfully authorized only in the following situations:

• A Windows NT 4.0 RAS or RRAS member server in a mixed-mode Windows 2000 domain contacts a Windows NT 4.0 BDC to determine user dial-in properties. This is identical to the previous Windows NT 4.0 behavior.

In this scenario, there is no way to guarantee that the member server will contact a Windows NT 4.0 BDC, as opposed to a Windows 2000 domain controller, to determine dial-in properties.


• A Windows NT 4.0 RAS or RRAS server that is also a BDC in a mixed-mode Windows 2000 environment will successfully authorize dial-in users by accessing its local Security Accounts Manager (SAM) database.

In this scenario, if Windows 2000 Routing and Remote Access servers are present in the domain, there is no way to guarantee that a user will contact a downlevel server when dialing in.

Providing Reliable Remote Access During Upgrade

Planning is necessary to ensure that a user dialing in will be reliably granted remote access during an upgrade while the domain is operating in a mixed environment.

To allow a Windows NT 4.0 RAS or RRAS server to reliably retrieve user properties when operating in a mixed Active Directory environment, your upgrade plan must include provisions for the following:

• In a mixed- or native-mode Windows 2000 domain, grant the built-in account, Everyone, permission to read user object attributes. This can be accomplished in one of the following two ways:

  • When upgrading the first domain controller, select Permission compatible with pre-Windows 2000 server when configuring the Active Directory Installation wizard. This adds the Everyone account to the Pre-Windows 2000 Compatible Access local group.

  • If the first domain controller has already been upgraded, manually add the Everyone account to the Pre-Windows 2000 Compatible Access local group with the command:

    net localgroup "Pre-Windows 2000 Compatible Access" Everyone /add

Using the Everyone group workaround has the effect of relaxing domain security and should be used only after understanding its impact on Active Directory security.

After all remote access servers have been upgraded to Windows 2000, you can strengthen permissions by removing the Everyone group from the membership list of the Pre-Windows 2000 Compatible Access group.

• Upgrade all Windows NT 4.0 RAS and RRAS servers as soon as possible. This may alleviate the necessity of relaxing domain security to allow NULL sessions to read user object attributes. Once all remote access servers have been upgraded, dial-in users will be reliably authorized.

Windows 2000 remote access servers can be configured uniformly by using Remote Authentication Dial-In User Service (RADIUS) servers. For more information, see course 1562B, Designing a Microsoft Windows 2000 Networking Services Infrastructure.
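Because the Everyone workaround is meant to be temporary, the upgrade plan needs a repeatable check of when it can be withdrawn. The following Python sketch is an added example, not part of the original course material: it parses the text that net localgroup "Pre-Windows 2000 Compatible Access" prints and compares it with the list of Windows NT 4.0 remote access servers still to be upgraded. The sample outputs, the server name RAS-NT4-01 and the status labels are constructed for illustration, and English-language command output is assumed.

```python
# Principals that open the group to unauthenticated readers. The module names
# Everyone; ANONYMOUS LOGON is included as an assumption, because later
# Windows Server versions add it through the same compatibility option.
BROAD_PRINCIPALS = {"everyone", "anonymous logon"}

# Constructed samples of the command output (not captured from a real host).
RELAXED_OUTPUT = "\n".join([
    "Alias name     Pre-Windows 2000 Compatible Access",
    "Comment        A backward compatibility group",
    "",
    "Members",
    "",
    "-" * 79,
    "Everyone",
    "NT AUTHORITY\\Authenticated Users",
    "The command completed successfully.",
    "",
])
HARDENED_OUTPUT = RELAXED_OUTPUT.replace("Everyone\n", "")


def parse_members(net_output):
    """Return the member names listed below the dashed separator line."""
    members = []
    in_list = False
    for line in net_output.splitlines():
        text = line.strip()
        if not in_list:
            in_list = text.startswith("-----")
            continue
        if not text or text.lower().startswith("the command completed"):
            continue
        members.append(text)
    return members


def audit(net_output, downlevel_ras_servers):
    """Return (status, broad_members) for the compatibility group.

    downlevel_ras_servers: names of Windows NT 4.0 RAS/RRAS servers that the
    upgrade plan still lists as not upgraded (hypothetical inventory input).
    """
    broad = [member for member in parse_members(net_output)
             if member.rsplit("\\", 1)[-1].lower() in BROAD_PRINCIPALS]
    if broad and downlevel_ras_servers:
        # Workaround is in place and still serves NT 4.0 remote access servers.
        return ("relaxed-still-needed", broad)
    if broad:
        # Nothing downlevel remains: the relaxed permission should be removed.
        return ("relaxed-remove-now", broad)
    if downlevel_ras_servers:
        # NT 4.0 servers query with NULL credentials and may be refused,
        # so legitimate dial-in users can be denied access.
        return ("dial-in-at-risk", [])
    return ("hardened", [])


if __name__ == "__main__":
    print(audit(RELAXED_OUTPUT, ["RAS-NT4-01"]))
    print(audit(RELAXED_OUTPUT, []))
    print(audit(HARDENED_OUTPUT, []))
```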


in one type of domain, and the computer account in another, additional factors need to be considered.

Group Policies are only applied to Windows 2000 clients. They are not applied to Windows NT 4.0 clients at any time. For more information on policy behavior in a mixed environment, see Chapter 23, “Defining Client Administration and Configuration Standards,” in the Windows 2000 Server Deployment Planning Guide on the Student Materials compact disc.


the gpolmig.exe resource kit utility, or processing both System Policy and Group Policy in a mixed environment. In addition, all System Policies persist in the registry because they are not written to the \Software\Policies tree. This occurs because any policies outside of the \Software\Policies tree are not removed when a user logs off from the network.

• After all client computers have been migrated to Windows 2000, Windows NT 4.0 System Policies can be removed from the network by deleting the Ntconfig.pol file from the NETLOGON share of a Windows 2000 domain controller. FRS will ensure that the file is deleted from all other domain controllers in the domain.


Migrating and Applying Logon Scripts

[Slide labels: Logon, Logoff; Startup, Shutdown; \\server\netlogon\script.bat; Windows 2000 Only; Windows NT and Windows 2000; User-based Logon Scripts; User Policy; Computer Policy]

When a domain controller is upgraded to Windows 2000, user-based logon scripts stored in the NETLOGON share are unaffected and will continue to be available when clients authenticate. The FRS synchronizes the contents of this folder with all Windows 2000 domain controllers. To synchronize the contents of this folder with domain controllers in the domain not yet upgraded, the LAN Manager replication service must be bridged with FRS.

Downlevel clients will continue to process the user-based logon scripts stored in the NETLOGON share. Windows 2000 clients will run any user-assigned logon scripts that are located in the NETLOGON share, as well as any scripts assigned to the user or computer through Group Policy.

Logon scripts assigned to Windows 2000 clients through Group Policy are applied at the site, domain, and organizational unit (OU) level. Group Policy logon scripts that can be deployed in addition to or in replacement of the user-based scripts include:

• Logon. Applied before the shell is applied to the user.

• Logoff. Applied as the user logs off from the computer, before the logon screen is displayed.

• Startup. Applied to computers and will run before the Windows logon prompt is displayed.

• Shutdown. Applied when the computer is shut down, after the user has logged off from the computer.


The following resource access components are maintained during the domain upgrade:

• Security identifiers (SIDs). All user and group SIDs are maintained during the domain upgrade. A primary SID will change only when an account is moved between domains during a restructure, or if a security principal is deleted and recreated with the same name.

• Group Membership. User accounts retain the same group membership attributes after a domain upgrade.

• Share permissions and NTFS file system permissions. During a domain upgrade, all NTFS and share permissions will be maintained with the same groups and users referenced within the DACL.

• Registry permissions. All registry permissions are maintained during the domain upgrade.

• Trust relationships. Upgraded domain controllers continue to recognize any trusts that exist with other downlevel Windows NT domains.


Migrating Trust Relationships

[Slide labels: Upgrade; Windows NT Domains (ACCT1, ACCT2, RES1); Active Directory Domains (Empty Root); Trust Relationships That Map to Default Active Directory Trust Relationships Are Converted into Transitive Trust Relationships; Converted into Transitive Shortcut Trust Relationships; Shortcut Trust]

In Windows 2000, trusts are, by default, two-way and transitive in nature. As you upgrade domains to join the forest, one-way trust relationships in Windows NT 4.0 domains are automatically reinterpreted and implemented as Windows 2000 trusts. Some one-way trusts become two-way transitive trusts in the new environment. Others are redefined as shortcut trusts, depending on the order in which the domains are upgraded and the domain parent-child relationships in the Active Directory domain hierarchy.

The Effect of an Upgrade on Trust Relationships

No additional steps are required to migrate trust relationships. Each domain that is upgraded as a child domain will establish a two-way transitive trust between itself and its parent domain. Domains upgraded as roots of separate trees will also be linked by a two-way transitive trust. Existing one-way trusts that do not map to default Windows 2000 trust relationships are maintained, but reinterpreted as shortcut trusts.

Shortcut trusts can be deleted; however, the default transitive trust relationships established between domains in a forest cannot.

For information on using shortcut trusts to improve network performance, see Chapter 9 of the Windows 2000 Server Deployment Planning Guide, “Designing the Active Directory Structure,” on the Student Materials

Date posted: 18/01/2014, 05:20
