Network Migration to NT 5.0

8 steps from NT 4.0 to NT 5.0

If you keep up with the latest developments in the Windows NT 5.0infrastructure, your head is swimming with a myriad of new terms. You'veheard about forests, trees, sites, Kerberos trusts, and Active Directory (AD). But, how familiar are you with NT 5.0 networking? NT 5.0 brings so many new concepts to Microsoft networking that seeing how all the new operating system's (OS's) pieces fit together can be challenging. Of all the questions people ask me about NT 5.0, I hear most often, "What will the new OS mean for my network?" A look at a fictitious midsized network's upgrade from NT 4.0 to NT 5.0 can help answer this question.

Meet BigCorporation
BigCorporation, my fictitious firm, has an NT 4.0 network that includes 19servers and serves 500 users in three offices. Of the company's 500 users, 250 work at BigCorporation's headquarters in Maryland, 95 work in a branch office in Ohio, and 155 work in a branch office in New York. BigCorporation's network comprises four NT domains in a single master domain model.

The company's administrators manage all user accounts from an accountsdomain called BIGCORP (the master domain), and each of the company's offices has a resource domain. The resource domains are MARYLAND, OHIO, and NEWYORK. Each resource domain has a one-way trust relationship with the accounts domain, and each office houses a Backup Domain Controller (BDC) in the BIGCORP domain that handles local authentication requests. Figure 1 depicts BigCorporation's domain structure. Table 1 lists each BigCorporation server's NetBIOS name and explains the server's function.

BigCorporation decision makers chose the single master domain model fortheir NT 4.0 network because this domain configuration keeps administrativecosts down. The configuration keeps centralized control over the accountsdatabase within the company's IS group, because giving each site'sadministrators account operator permissions in the BIGCORP domain would givethem rights over all the company's accounts. But, the configuration's resource domain structure lets administrators at each site perform routine tasks such as backing up servers, starting and stopping services, and rebooting servers. Local administration of the resource domains is more cost-effective than remote administration.

BigCorporation's network uses TCP/IP as the primary protocol. Eachoffice has a Dynamic Host Configuration Protocol (DHCP) and Windows InternetNaming Service (WINS) server, and each office uses two adjacent, private class-C address blocks for servers and workstations.Table 2 lists these subnets. Each resource domain's DHCP and WINS server gives its address to clients in its domain for use as a primary WINS server and gives clients the address of an enterprisewide WINS server in the BIGCORP domain for use as a secondary WINS server. The resource domains' WINS servers are push/pull replication partners with the BIGCORP domain's WINS server. (For information about WINS push/pull replication, see Mark Minasi, "Advanced WINS Features," September 1997.)

Because BigCorporation delegates administration tasks, it decided to upgrade to NT 5.0. AD will let BigCorporation reduce its number of domains from four to one, provide local administrators with administrative rights for user accounts and resources at each site, and reduce the number of servers the network requires. (For more information about AD, see Mark Minasi, Inside Out, November 1997 through February 1998.) BigCorporation uses an eight-step approach to upgrade from NT 4.0 to NT 5.0.

Step 1
Designing the New Infrastructure
NT 5.0 introduces the concept of Organizational Units. OUs areadministrative boundaries in AD that organize user and resource objects. Think of an OU as a directory in a file system and think of the OU's users and resources as files within the directory. You can assign a user administrative rights for one OU's accounts and resources but exclude the same user from administrative rights for other OUs' accounts and resources within the same domain. This flexible account and resource organization contrasts with NT 4.0 organization, in which domain boundaries are the administrative boundaries. BigCorporation collapses its four-domain infrastructure into one domain and organizes the domain's accounts and resources into OUs. Delegating administration becomes straightforward when you can grant separate administrative rights for each OU.

BigCorporation administrators design an NT 5.0 network that consists ofthree OUs: OU-MARYLAND, OU-OHIO, and OU-NEWYORK. Each OU contains all the useraccounts and resources for its office. BigCorporation's IS department definesaccess control lists (ACLs) for the OUs so that each office's localadministrators have permission to reset passwords, reboot servers, start andstop services, and perform backup operations on their OU's objects but not onthe other OUs' objects.

"But wait," you say. "Won't rolling the four domains intoone domain increase traffic over the WAN?" Microsoft anticipated thepossibility of an increase in traffic and borrowed the concept of sitesfrom Exchange and Systems Management Server (SMS) for controlling traffic overslower links. Microsoft defines a site as a collection of computers with a localaffinity. A more common definition of site is one or more well-connectedsubnets. This definition leaves unclear how to determine which subnets arewell-connected, but one Microsoft document targets 512 kilobits per second(Kbps--about one-third the speed of a T1 circuit and four times the speed of afull ISDN Basic Rate Interface--BRI--connection) as an appropriate amount ofbandwidth for devices within the same site. Microsoft doesn't recommend usinglinks slower than 512Kbps or high-speed links that are too saturated to produceat least 512Kbps of bandwidth to connect machines within an NT 5.0 site. NT5.0's 512Kbps minimum connection speed for machines within a site issubstantially higher than Exchange's current minimum speed (128Kbps) forintrasite connections, but the difference isn't surprising. AD'smultimaster replication creates a lot of work within NT 5.0 sites. (For moreinformation about multimaster replication, see Mark Minasi, "NT 5.0 GetsBetter and Better--Mostly," December 1997.)

BigCorporation uses the TCP/IP subnets Table 2 lists to create three sites:SITE-MARYLAND, SITE-OHIO, and SITE-NEWYORK. BigCorporation defines each sitewith a /23 addressing scheme, which translates into a subnet mask of255.255.254.0. By defining each site's IP address range, BigCorporation ensuresthat every NT system in the domain can differentiate between other machines inits site and systems outside its site (i.e., systems it has slow connectionsto). NT 5.0 adjusts replication according to site boundaries to minimize trafficover BigCorporation's WAN links.

NT 5.0 contains a Dynamic Domain Name System (DDNS) implementation thatcomplies with Request for Comments (RFC) 2136. An organization no longer needsNetBIOS names after all its machines have migrated to NT 5.0, so beforemigrating any systems to NT 5.0, BigCorporation makes sure all its machines have DNS-compliant names. DNS names consist of only the letters A through Z, the numbers 0 through 9, and the hyphen character. (SQL Server systems have a problem with names that contain hyphen characters.) Because BigCorporation's servers will eventually rely solely on DNS for name resolution on the network, the company adds the DNS service to each WINS server before upgrading any machines.

After BigCorporation completes the WINS-to-DNS transition, the company isready to migrate its network to NT 5.0. Figure 2, page 138, shows the company's NT 5.0 network design.

Step 2
Migrating the Accounts Domain
Because BigCorporation wants to roll all its systems into the BIGCORPdomain, the company starts the NT 5.0 migration in that domain. The first stepin migrating a domain to NT 5.0 is upgrading the domain's Primary DomainController (PDC) to NT 5.0. This upgrade lets you use NT 5.0 administrativetools to create AD objects for the new infrastructure. To the domain's BDCs, thenew NT 5.0 domain controller still looks like an NT 4.0 PDC

After BigCorporation administrators migrate the BIGCORP PDC, they migratethe domain's four BDCs and the BIGCORP WINS server. The domain name changes fromthe NetBIOS name BIGCORP to the DNS name bigcorporation.com, and the BDCs become domain controllers.

Step 3
Defining OUs and SitesAfter step 2, BigCorporation has a functional AD that consists of thebigcorporation.com domain. NT 5.0 domain controllers emulate NT 4.0 PDCs andBDCs, so the company's resource domains continue to function as usual. To begin the resource domain migration, BigCorporation administrators define in AD the OUs and sites they designed in step 1. As administrators migrate the resource domains' servers to NT 5.0, they place users and resources into the OUs and sites they create in this step. After creating the OUs and sites, BigCorporation administrators move the servers that were the three offices' BIGCORP BDCs to the offices' OUs.

Step 4
Migrating Local Domain Groups
Before migrating resource domain machines, BigCorporation administratorscarefully examine how the NT 4.0 network grants access to resources (such asfiles and printers) to ensure the network doesn't lose security configurations during the migration. NT 4.0 uses security IDs (SIDs) to identify access control entries (ACEs). As BigCorporation migrates to NT 5.0, it loses the SIDs that define the resource domains' security. If administrators defined security in NT 4.0 using global groups in the master accounts domain or local groups directly on the member servers, NT 5.0 automatically inherits the company's NT 4.0 security structure. But, if BigCorporation administrators used local domain groups in the resource domains to define security in NT 4.0, they need to re-create their NT 4.0 security groups as global groups in the NT 5.0 master domain. They need to test their NT 5.0 security configuration to make sure that the global groups' security works correctly before proceeding to step 5.

Step 5
Migrating Resource Domain PDCs
After configuring OU security, BigCorporation upgrades its resource domains'PDCs to NT 5.0 and inserts the new domain controllers into AD. This step enables AD's SID tracking mechanism to follow the servers' movement from the NT 4.0 resource domains to big corporation.com. When BigCorporation migrates the resource domains' PDCs to NT 5.0, the BDCs remain NT 4.0 systems, and the resource domains continue to function.

Step 6
Moving Member Servers, Workstations, and Users to OUs
After migrating the resource domain PDCs to AD, BigCorporation moves theresource domains' member servers and workstations to OUs inBigcorporation.com. At the same time, the company transfers user accounts into the appropriate OUs. BigCorporation administrators take this step slowly so they can detect and resolve any security or configuration problems they previously overlooked. When they have moved all the network's resources and user accounts to the new OUs, BigCorporation administrators are almost finished with the migration.

Step 7
Testing Security
Security is an important concern during an NT 4.0-to-NT 5.0 migration. Tomake sure the network is working properly, BigCorporation thoroughly testsnetwork security before turning off the NT 4.0 resource domains' PDCs and BDCs.

Step 8
Shutting Down the NT 4.0 Network
Finally, BigCorporation shuts down all the NT 4.0 resource domains' PDCs andBDCs. Administrators take this step slowly and keep an eye on the network tomake sure the new network is functioning properly. If everything works fineafter the PDCs and BDCs disappear from the network, administrators need toswitch the network from a mixed-domain environment to a purely AD environment. This switch tells NT 5.0 to rely completely on the multimaster replication protocol and prevents administrators from adding NT 4.0 PDCs or BDCs to the network in the future. Because this operation is irreversible, NT 5.0 requires an administrator to manually initiate the switch.

Prepare for Your Network's Migration
This migration scenario works for BigCorporation's simple, textbook-casenetwork, but it's not an ideal migration plan for every business. Thiseight-step approach isn't the only migration plan open to BigCorporation; it's one of many possible approaches for moving a network to NT 5.0. I've based BigCorporation's migration plan on Microsoft documents and white papers about NT 5.0 beta 1.

Take this migration plan with a grain of salt. Most modern networks aremuch more complex than BigCorporation's, and Microsoft needs to iron out many details of the NT upgrade. Nevertheless, this simple example will help you think about the basic steps you'll need to take to upgrade your network. You can use this plan to create a framework for your network's migration, then fill in the framework with details when those details become available.