Comments inline
-----Original Message-----
From: Mike Baudino [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 18, 2003 2:47 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] A number of NT4.0 to AD upgrade questions
All,
I'm not convinced, after reading the Microsoft documentation, that we've all got our answers nailed down on an in-place upgrade. So, I'd like to submit these questions to you to get the "real world" answer.
Since we lack sufficient budget to perform a proper migration we'll need to do in-place upgrades to our domains and then consolidate some of the rogue domains into our structure (as well as cleaning things up after upgrade). All domains will remain mixed mode until we're able to complete application testing. One of our main drivers is the need to consolidate domains as well as eventually eliminate our dependence on the SAM.
1. One of my concerns is that following the upgrade of the PDC it will be the only AD domain controller in the domain. Our current DNS settings for servers and workstations are to our enterprise DNS servers, which are not AD-compatible. We anticipate creating a new DNS structure for AD and then using forwarders to the other DNS servers for non-AD-related address resolution. It's my expectation that NT4.0 clients w/o the AD client will not be impacted by this in any way. Is this correct?
That's OK. Just make your AD DNS a subdomain of your existing DNS domain. For example, if your main DNS domain is "acme.com" and your NT domain is "ACME", then create your AD forest as "acme.acme.com". Put nameserver records in your existing DNS zone that delegate acme.acme.com to the DNS server running on your DC. Have your AD DNS server forward to your existing DNS to resolve anything not in your AD DNS domain.
2. It's also my expectation that the Win2k clients will be impacted depending on their configuration. For example, a Win2k client that does not have the DNS domain for AD listed in the suffix for the client nor in the DNS search order would not realize that there was an AD domain controller in their midst and would continue to authenticate to the domain as they had prior to the upgrade. And Win2k clients that have the DNS domain for AD in their suffix or search order would preferentially authenticate against the new AD DC to the extent that they would begin to ignore their local BDC. This is one area of significant concern as we don't want to overload any of the domain controllers. I thought there was a client reg entry that would eliminate this.
If you put the nameserver records in your existing DNS zone, your win2k/XP clients WILL switch to AD authentication. When you convert your NT4 domain ("ACME" in my examples) to AD (acme.acme.com), your 2k/xp workstations will change their primary DNS domain to your AD DNS domain (acme.acme.com) regardless of what's in the interface specific DNS. They will then use your existing DNS (acme.com) to find nameservers for the AD DNS. From there, they will find the DC.
move all Operations Masters roles to the new DC and rebuild the old from scratch as Win2k, so as to avoid any legacy issues? We'll also be bringing up other AD DCs to split the roles up between boxes.
4. If something goes wrong and, after an hour or two or sooner, we find that we need to turn off the AD DC and fire back up the offline BDC and promote it to PDC, are the Win2k clients going to be OK? I thought I remembered that if a box authenticated against the domain using Kerberos it never would go back to NTLM.
Thanks,
Mike
As in everything else of this magnitude: test, test, test!
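As an added example, not part of the original thread, here is what the delegation described in the reply to question 1 looks like in BIND zone-file syntax on the enterprise DNS servers. It uses the names from the reply (acme.com as the existing zone, acme.acme.com as the AD forest root); the host names dc1/dc2 and the 10.0.0.x addresses are assumptions for illustration, not values from the thread.

```zone
; Added example, not from the original thread. Fragment of the existing
; enterprise "acme.com" zone (BIND syntax). The AD forest root
; "acme.acme.com" is delegated to the DNS service running on the DCs.
; Host names and 10.0.0.x addresses are assumed for illustration.
$ORIGIN acme.com.

; Delegation: one NS record per DC that hosts the AD DNS zone.
; Relative names are completed with $ORIGIN, so "acme" is acme.acme.com.
acme            IN  NS  dc1.acme.acme.com.
acme            IN  NS  dc2.acme.acme.com.

; Glue: the name servers live inside the zone being delegated, so the
; parent must carry their addresses or the delegation cannot be followed.
dc1.acme        IN  A   10.0.0.10
dc2.acme        IN  A   10.0.0.11
```

On the DC side the Windows DNS service hosts acme.acme.com and is configured to forward everything else to the enterprise servers; it must not also claim to be authoritative for acme.com. To check the chain from a client, query the parent for the delegation (nslookup -type=NS acme.acme.com against an enterprise DNS address) and then the DC-locator record (nslookup -type=SRV _ldap._tcp.dc._msdcs.acme.acme.com). If the SRV query resolves through the enterprise servers, the Win2k/XP switch to AD authentication described in the reply to question 2 will happen. One caveat worth planning for: the delegated zone accepts dynamic updates from the DCs, so make it AD-integrated with secure updates only, otherwise any host that can reach the DC's DNS could register or overwrite the SRV and A records that clients use to pick a domain controller.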
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
