Consolidate Win2K domains

Because Windows 2000 (Win2K) supports larger domains than Windows NT 4.0 supports, many administrators will want to reduce the number of domains in their enterprise. Unfortunately, Win2K doesn't include a domain-consolidation tool to help you achieve this goal. However, you can use the Microsoft Windows 2000 Resource Kit's Netdom tool to consolidate an NT 4.0 resource domain into a Win2K domain. Although Netdom isn't completely functional yet, I'm writing about the utility now because it's a useful migration tool that you'll need early in your Win2K implementation.

Suppose you decide to simplify your domain structure by replacing a resource domain with an organizational unit (OU) in what was once a master domain, moving NT accounts from the resource domain to the OU. A separate OU accomplishes many of the same tasks a resource domain accomplishes because you can cede control of the OU to a departmental group of administrators who then have local control.

Creating the OU, establishing the group of administrators, and giving the group power over the OU are simple tasks that you can accomplish quickly. But to complete the process, you must move all the workstations' and servers' machine accounts to the OU. In addition, you need to change the machines' domain affiliations if the machines belong to another domain. This step requires you to visit each machine—a job no administrator wants.

Netdom lets you move a machine's domain and OU affiliation without visiting the machine. The command line looks like

netdom move /d:<domain> <machine> /uo:<user> /po:<password>
   /ud:<user> /pd:<password> /reboot:<seconds> /ou:<ou> /verbose

To put a machine in a domain, you need an administrator account that the machine recognizes (so that the machine lets you put it into a domain) and an administrator account that the domain recognizes (so that the domain lets you create the machine account). The /uo: and /po: options identify the account name and password for an administrator account on the local machine. However, if the machine already belongs to a domain, a domain administrator account from that domain is sufficient. The /ud: and /pd: options identify the account name and password for an administrator account on the domain that you're joining. For either account, you can use the domain\name construction (e.g., bigdogs\Joan). If the account exists on a domain (as opposed to being a local SAM account), you can use the more recent email-like construction (e.g., joan@bigdogs.com). The /reboot: option remotely reboots the machine that you're moving to the domain and OU.

You need to refer to a machine by its NetBIOS name rather than by its DNS-like name. For example, if you wanted to move the machine lemon.fruit.com to the domain citrus.com, the command would be

netdom move /d:citrus.com lemon

rather than

netdom move /d:citrus.com lemon.fruit.com

Suppose you want to move the machine lemon to the domain fruit.com. Lemon has a local administrator account with a blank password, and fruit.com has an administrator account named carmen, with the password ascorbic. The domain fruit.com contains an OU called citrus that you want to put the lemon account into. Finally, you want lemon to reboot 5 seconds after the command finishes so that the changes will take effect. The Netdom command for this action is

netdom move /d:fruit.com lemon
   /uo:lemon\administrator /po:"" /ud:carmen@fruit.com
   /pd:ascorbic /ou:citrus /reboot:5 /verbose

The /verbose option helps you determine what went wrong if the command fails.

Although you must enter the entire Netdom command for each machine, you could probably use VBScript to automate this task. More troubling than this minor inconvenience is that Netdom doesn't work with Win2K beta 3—the /ou: option and remote capabilities aren't functional. However, Microsoft promises to fix these problems by the time Win2K ships.
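The following batch file is an added example, not code from the article or from Microsoft; it runs the netdom move command from the text once for every machine listed in a file. It assumes (none of this is in the article) that machines.txt holds one NetBIOS name per line with # marking comment lines, that every machine still belongs to an old resource domain named oldresdom so that domain's Administrator account satisfies /uo: and /po: (as the text allows), and that Netdom sets a nonzero exit code when a move fails. The domain, OU and account names are the article's.

```bat
@echo off
setlocal

rem Added example, not from the article or from Microsoft.
rem machines.txt: one NetBIOS machine name per line, # starts a comment.
rem oldresdom is a placeholder for the resource domain being consolidated.

set OLDDOMAIN=oldresdom
set NEWDOMAIN=fruit.com
set NEWOU=citrus
set NEWADMIN=carmen@fruit.com

rem Prompt for both passwords instead of writing them into the script.
rem They still appear on each netdom command line while it runs.
set /p OLDPW=Password for %OLDDOMAIN%\Administrator: 
set /p NEWPW=Password for %NEWADMIN%: 

if exist failed.txt del failed.txt

for /f "usebackq eol=# tokens=1" %%M in ("machines.txt") do (
    echo Moving %%M into OU %NEWOU% of %NEWDOMAIN% ...
    netdom move /d:%NEWDOMAIN% %%M /uo:%OLDDOMAIN%\Administrator /po:"%OLDPW%" /ud:%NEWADMIN% /pd:"%NEWPW%" /ou:%NEWOU% /reboot:5 /verbose
    rem Assumes Netdom returns a nonzero exit code on failure.
    rem Redirection is placed first so a name ending in a digit is not read as a file handle.
    if errorlevel 1 (>>failed.txt echo %%M)
)

if exist failed.txt (
    echo These machines did not move; check the verbose output above:
    type failed.txt
)

endlocal
```

Passwords passed with /po: and /pd: are visible to anyone who can list the command lines of running processes on the machine where the script runs, and they end up in any command history or log that records the full line, so run the script from an administrative workstation and delete failed.txt and any transcript afterwards. The failed.txt list gives you the machines that still need the manual visit the article describes.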