Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


February 2000

Migrating Domain Controllers to Windows 2000



Impersonation
Although you've installed AD on your former PDC, the other legacy domain controllers can't detect the changes you made to the PDC. Newly installed Win2K domain controllers operate in mixed mode, which means they can act as AD domain controllers or emulate legacy PDCs. Therefore, your new Win2K domain controller will emulate your old PDC, and your other network BDCs won't notice the change. However, you can't enable some of the more important Win2K and AD features until you switch your systems from mixed-mode to native-mode operation. For example, you might want to enable multimaster replication, which lets domain controllers make changes to AD information and propagate those changes to the other domain controllers on the network. In contrast, under the legacy NT model, only PDCs can write changes to the directory; the PDCs must then notify the BDCs so that the BDCs can request the changes.

You can't switch to native mode until you convert all the domain controllers in your entire network to AD-enabled status. After you switch to native mode, you can't switch back—the change from mixed mode to native mode is a one-way operation.

BDC Migration
The next step in the upgrade process is to migrate your BDCs. You upgrade BDCs in a way that is similar to the way you upgraded the PDCs. Before you begin your BDC upgrade, make sure that DNS services function on your network and that the BDCs can reach those services. If you added DNS services to your PDC as part of the upgrade, you can proceed with the BDC upgrade process. If you didn't add the DNS services to the PDC, or if you used another DNS server during your upgrade, you must have the IP address information before you upgrade the BDC.

When DCPROMO starts, it recognizes that your machine used to be a BDC and asks some slightly different questions than it asked for the PDC upgrade. For example, Screen 5 shows that DCPROMO gives you the option of either leaving the BDC functioning as a domain controller or removing the domain controller services from the BDC altogether. Unless you're making layout changes to your network during the upgrade process, leave this server as a domain controller—you can always remove the services later if they're unnecessary.

DCPROMO guides you through setting up this BDC as another domain controller in the domain tree you defined earlier. The program prompts you for a username, password, and domain to use for the Win2K domain you're joining. As with an NT 4.0 installation, this step is a security check for the initial synchronization process. Type an administrative account and password combination in your AD domain, then click Next.

The remaining questions that DCPROMO asks you are the same questions it asked when you migrated the PDC (e.g., where to store the AD and SYSVOL files). Type the required information, and click Next at each step in the process. After you supply all the information that DCPROMO needs to set up this domain controller, it begins the installation process to make the BDC a domain controller in your AD domain.

Resource Domain Migration
After you migrate your entire accounts domain to AD, upgrade your resource domains if you have any. If you want to upgrade your resource domains to the same AD tree as your accounts domain, you might want to first remove the local administrators from the administrative groups of your resource domain. This step is necessary because the Win2K upgrade creates a two-way transitive trust between the child domain (your resource domain) and the parent domain (the accounts domain). If you were using a master domain model in NT, the child and parent domains had only a one-way trust, from the child domain to the parent domain. When you create a two-way trust, you give users who had administrative rights only to your resource domain administrative rights to your accounts domain. If you're concerned about security, remove the administrative privileges from users in the resource domain who shouldn't have administrative privileges in the master (accounts) domain.
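The membership review recommended above, as an added example that is not part of the original article: it parses `net localgroup Administrators` output captured on the resource-domain PDC and lists the members that are not on an approved list. The domain names RESDOM and ACCOUNTS, the account names, the approved list, and the sample output are all constructed.

```python
# Constructed sample of `net localgroup Administrators` output from a
# resource-domain PDC; RESDOM, ACCOUNTS and the account names are made up.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        (constructed sample)

Members

-------------------------------------------------------------------------------
Administrator
Domain Admins
ACCOUNTS\\Domain Admins
RESDOM\\printop
svc_backup
The command completed successfully.
"""

# Assumption: principals that are allowed to hold administrative rights in
# the accounts domain once the two-way transitive trust exists.
APPROVED = {"administrator", "domain admins", "accounts\\domain admins"}


def parse_members(net_output):
    """Return the member names listed after the dashed separator line."""
    members, in_list = [], False
    for line in net_output.splitlines():
        text = line.strip()
        if not in_list:
            in_list = text.startswith("-----")
            continue
        if not text or text.lower().startswith("the command completed"):
            break
        members.append(text)
    return members


def normalize(name, local_domain):
    """Lower-case a name and drop the local domain prefix, if present."""
    domain, sep, account = name.rpartition("\\")
    if sep and domain.lower() == local_domain.lower():
        name = account
    return name.lower()


def accounts_to_remove(net_output, approved, local_domain):
    """List group members that are not on the approved list."""
    allowed = {normalize(a, local_domain) for a in approved}
    return [m for m in parse_members(net_output)
            if normalize(m, local_domain) not in allowed]
```

Run it against the output of each administrative group in the resource domain before starting the upgrade, and review every name it returns.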

When you're ready to begin migrating your resource domains, you proceed with the same series of steps you went through to migrate your accounts domain—migrate PDCs first, then BDCs. You can move through your entire infrastructure one domain at a time and migrate all of your domain controllers to Win2K Server.

Going Native
After you completely migrate all your NT domain controllers, you can switch from mixed-mode to native-mode operation. Windows 2000 Professional (Win2K Pro) is AD-enabled by default, and you must install AD-client software on other OSs so that they can recognize AD. (AD clients are currently available for only Windows 9x.)

After you've migrated all of your systems, launch the AD Domains and Trusts Microsoft Management Console (MMC) snap-in and select your domain in the MMC scope pane. When you right-click your domain and select the Properties option, you'll see a properties page similar to the one Screen 6 shows. The lower portion of the properties page signals that the domain is running in mixed mode. To change the domain to native mode, click Change Mode. Again, this is a one-way operation, so be certain you're ready to change the mode before proceeding. A few dialog boxes will alert you that changing the mode is irreversible, but if you're ready to proceed, make the change. The switch to native mode might take a few minutes while the domain controllers communicate with one another, but after the change to native mode is complete, you can access all of the AD features.

Easy Migration
Although some network administrators might find migrating domain controllers to Win2K and AD intimidating, Microsoft has made the task relatively straightforward. If you follow the company's recommended procedures and have a well-thought-out AD infrastructure plan before you begin upgrading, your Win2K-upgrade process will be smooth sailing.



Reader Comments
A very interesting article. Having gone through a migration exercise myself, there is one thing that wasn't mentioned in the article which could really throw things off. If a domain controller has the DNS properties filled out, such as Host Name and Domain, the upgrade process combines the two fields to give the DC a new name. The new name is composed of hostname.domainname.win2kdomainname. I would rate this a serious gotcha, as if installed in a forest, the communication between the enterprise DC and new DC would fail as the names would not reconcile.

Mahmood Jaffer February 22, 2000


While Mahmood Jaffer realizes the implications of migrating domain controllers, he does not seem to understand the logic behind this; maybe a quick tutorial from me would help.

Shabbir Ahmed January 17, 2001


We all know each of us is the undisputed king in our own minds. So instead of saying negative things about the author, why don't you write something up with your own time and post it?

Strahd....

Strahd March 06, 2001

