Domain Reconstruction

Many companies view migrating to Windows 2000 as an opportunity to restructure their network domains. Domain restructuring is often necessary to better serve an organization’s business needs or to reduce administrative overhead, and it usually results in domain consolidation (i.e., reducing the number of domains). Active Directory (AD) helps you perform domain consolidation because of its greater scalability and because AD uses sites to control replication and Organizational Units (OUs) to delegate administration. This week, I'll discuss two domain-restructuring strategies.

Upgrading the Domain, then Restructuring
The first strategy calls for performing an as-is upgrade of your current Windows NT domain environment to AD and approaching restructuring as a second, separate migration phase. Also called an in-place migration, this process entails taking the NT domain model you have in place and upgrading it to its AD forest equivalent. For example, if you have a one-master domain model, you can upgrade your account domain to become the root of your forest, with resource domains as children of the root. If you have a multimaster domain, you can either create a multiple-tree forest or create a new root domain and upgrade the account domains as children of the root, resulting in a one-tree forest. For variations of a complete trust domain, your choices are similar to those for multimaster domains: you can create a multiple-tree forest or create a new root domain and upgrade the NT domains as children of the root.

After you complete the migration to AD, you must resolve any post-migration issues before restructuring the domain by performing what is called intra-forest restructuring (because all the domains are within the same Win2K forest). One advantage of upgrading before beginning the restructuring is that you can move your network to Win2K sooner. However, there are several disadvantages to upgrading first. For example, problems such as outdated user and group accounts carry over from your NT environment to AD. Also, when you start consolidating your domains, you'll move users and groups between domains instead of copying them, which means that you can't revert to your previous structure if problems arise.

Restructuring as Part of the Initial Migration
The second domain restructuring strategy, which I recommend, is to restructure your domain as part of your initial migration to Win2K. First, identify your ideal AD design. Next, create your root domain with new hardware to give you a pristine Win2K forest that you can populate with users and groups from your NT 4.0 domain by performing inter-forest restructuring. Your goal is to selectively migrate security principals, leaving unnecessary users and groups behind. With inter-forest restructuring, you copy the users and groups to AD instead of moving them, so you won't delete or change them in the source domain. So, while the process is occurring, you can continue to use your NT domains with little effect. Inter-forest reconstruction requires more upfront planning and takes longer to create a production Win2K network, but the end result is likely to be more desirable.

More to Come
Performing domain reconstruction and consolidation is beneficial to most organizations and, in some cases, might even be the driving factor behind the migration to Win2K. But, as I'm sure you realize, domain reconstruction and consolidation requires much work and planning. Microsoft provides several tools to help with this process, and I'll examine some of them next week. If you're performing domain consolidation and have specific questions or insights, post them as feedback in response to this column. I'll address your feedback in upcoming articles.
