The Active Directory service is compatible with Windows NT Server 4.0 and supports mixed operation with domain controllers running Windows NT Server 4.0, Windows 2000, and Windows Server 2003. This allows you to upgrade domains and computers at your own pace, based on your organization's needs.
Active Directory supports the Windows NT LAN Manager (NTLM) protocol used by Windows NT. This enables authorized users and computers from a Windows NT domain to log on and access resources in Windows 2000 or Windows Server 2003 domains. To clients running Windows 95, Windows 98, or Windows NT that are not running Active Directory client software, a Windows 2000 or Windows Server 2003 domain appears to be a Windows NT Server 4.0 domain. For more information, see “Active Directory Clients” in the Windows Server 2003 on-screen Help and Support Center.
The upgrade to Active Directory can be gradual and performed without interrupting operations. If you follow domain upgrade recommendations, it should never be necessary to take a domain offline to upgrade domain controllers, member servers, or workstations. When upgrading a Windows NT domain, you must upgrade the primary domain controller first. You can upgrade member servers and workstations at any time after this. For more information, see “Upgrading from a Windows NT Domain” in the Windows Server 2003 on-screen Help and Support Center.
Active Directory allows upgrading from any Windows NT Server 4.0 domain model and supports both centralized and decentralized models. The typical master or multiple-master domain model can be easily upgraded to an Active Directory forest.
Upgrading from a Windows NT Domain
The Active Directory Installation Wizard simplifies upgrading a Windows NT domain to Windows Server 2003 Active Directory. The wizard installs and configures domain controllers, which give network users and computers access to the Active Directory service. Any member server (except those with restrictive license agreements) can be promoted to a domain controller using the Active Directory Installation Wizard. When promoting a member server to a domain controller, you define one of the following roles for the new domain controller:
An additional domain controller in an existing domain
For additional information on using the Active Directory Installation Wizard, see the Windows Server 2003 on-screen Help and Support Center.
The upgrade process involves the following steps:
Planning and implementing a namespace and DNS infrastructure
Determining forest functionality
Upgrading the Windows NT Server 4.0 or earlier primary domain controller
Upgrading any remaining backup domain controllers
Completing the upgrade of the domain
Installing Active Directory client software on older client computers
Planning and Implementing a Namespace and DNS Infrastructure
Namespace refers to the naming convention that defines a set of unique names for resources in a network, such as Domain Name System (DNS), a hierarchical naming structure that identifies each network resource and its place in the hierarchy of the namespace, and Windows Internet Name Service (WINS), a flat naming structure that identifies each network resource using a single, unique name.
DNS is required for Active Directory. DNS is a hierarchical, distributed database that contains mappings of DNS domain names to various types of data, such as IP addresses. DNS enables the location of computers and services by user-friendly names, and it also enables the discovery of other information stored in the database.
When setting up a namespace, it is recommended that you first choose and register a unique parent DNS domain name that can be used for hosting your organization on the Internet, for example, microsoft.com. Once you have chosen your parent domain name, you can combine this name with a location or organizational name used within your organization to form other subdomain names. For example, if a subdomain such as itg.example.microsoft.com were added to the domain tree (for resources used by the information technology group at your organization), additional subdomain names could be formed from it. For instance, a group of programmers working on electronic data interchange (EDI) in this division could have a subdomain named edi.itg.example.microsoft.com. Likewise, another group of workers providing support in this division might use support.itg.example.microsoft.com.
Prior to beginning the upgrade from Windows NT Server 4.0 to the Windows Server 2003 Active Directory service, ensure that you have designed a DNS and Active Directory namespace and have either configured DNS servers or are planning to have the Active Directory Installation Wizard automatically install the DNS service on the domain controller.
Active Directory is integrated with DNS in the following ways:
Active Directory and DNS have the same hierarchical structure. Although separate and implemented differently for different purposes, an organization's namespace for DNS and Active Directory has an identical structure. For example, microsoft.com is both a DNS domain and an Active Directory domain.
DNS zones can be stored in Active Directory. If you are using the Windows Server DNS service, primary zone files can be stored in Active Directory for replication to other Active Directory domain controllers.
Active Directory uses DNS as a locator service, resolving Active Directory domain, site, and service names to an IP address. To log on to an Active Directory domain, an Active Directory client queries its configured DNS server for the IP address of the Lightweight Directory Access Protocol (LDAP) service running on a domain controller for a specified domain. For more information on how Active Directory clients rely on DNS, see “Locating a Domain Controller” in the Windows Server 2003 on-screen Help and Support Center.
While Active Directory is integrated with DNS and they share the same namespace structure, it is important to distinguish the basic difference between them:
DNS is a name resolution service. DNS clients send DNS name queries to their configured DNS server. The DNS server receives the name query and either resolves the name query through locally stored files or consults another DNS server for resolution. DNS does not require Active Directory to function.
Active Directory is a directory service. Active Directory provides an information repository and services to make information available to users and applications. Active Directory clients send queries to Active Directory servers using LDAP. In order to locate an Active Directory server, an Active Directory client queries DNS. Active Directory requires DNS to function.
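The locator step described above, as an added illustration that is not from the original document: before any LDAP query is possible, the client asks DNS for the LDAP service of its domain and picks a domain controller from the SRV answers. The record name _ldap._tcp.dc._msdcs.<domain> and the RFC 2782 priority/weight selection rule are standard but not stated on the page, and the answer text is constructed.

```python
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed sample answer in "name ttl class SRV prio weight port target" form:
# two equal-priority DCs, a low-priority fallback, and a record for another
# domain that the parser must ignore.
CONSTRUCTED_ANSWER = """\
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc2.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 10 0 389 dc-dr.corp.example.com.
_ldap._tcp.dc._msdcs.other.example.com. 600 IN SRV 0 100 389 dc9.other.example.com.
"""

def locator_name(domain):
    """DNS name an AD client queries to find LDAP on a DC of this domain."""
    return f"_ldap._tcp.dc._msdcs.{domain.rstrip('.')}."

def parse_srv(text, domain):
    """Parse zone-style SRV lines, keeping only this domain's locator records."""
    wanted = locator_name(domain).lower()
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[3] != "SRV" or parts[0].lower() != wanted:
            continue
        prio, weight, port = (int(p) for p in parts[4:7])
        records.append(SrvRecord(prio, weight, port, parts[7].rstrip(".")))
    return records

def pick_domain_controller(records, rng=None):
    """RFC 2782 selection: lowest priority wins; among equals, weighted random.
    Simplification: weight-0 records are chosen only when every candidate is 0."""
    if not records:
        # No locator records means the client cannot find a DC at all: this is
        # the concrete sense in which Active Directory requires DNS.
        raise LookupError("no LDAP SRV records for domain; cannot locate a DC")
    rng = rng or random.Random()
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    point = rng.randrange(total)
    running = 0
    for rec in candidates:
        running += rec.weight
        if point < running:
            return rec
    return candidates[-1]  # not reached; keeps the function total

def locate(domain, answer_text=CONSTRUCTED_ANSWER, seed=None):
    """End to end: query name -> parsed answers -> chosen (target, port)."""
    chosen = pick_domain_controller(parse_srv(answer_text, domain), random.Random(seed))
    return chosen.target, chosen.port
```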
For more information on DNS configuration, see the Windows Server 2003 on-screen Help and Support Center.
Determining Forest Functionality
Forest functionality determines the type of Active Directory features that can be enabled within the scope of a single forest. Each forest functional level has a set of specific minimum requirements for the version of operating system that domain controllers throughout the forest can run. For example, the Windows Server 2003 forest functional level requires that all domain controllers be running Windows Server 2003 operating systems.
In the scenario where you are upgrading your first Windows NT domain so that it becomes the first domain in a new Windows Server 2003 forest, it is recommended that you set the forest functional level to “Windows Server 2003 interim.” (You will be prompted during the upgrade.) This level contains all the features used in the Windows 2000 forest functional level and also includes two important advanced Active Directory features:
Improved replication algorithms made to the intersite topology generator
Replication improvements made to group memberships
The Windows Server 2003 interim functional level is an option when upgrading the first Windows NT domain to a new forest and can be manually configured after the upgrade. For more information about how to manually set this functional level, see the Microsoft Windows Resource Kits Web site at http://www.microsoft.com/windows/reskits/. The Windows Server 2003 interim forest functional level only supports domain controllers running Windows Server 2003 and Windows NT, not domain controllers running Windows 2000. Servers running Windows 2000 cannot be promoted to a domain controller in a forest where the forest functional level has been set to Windows Server 2003 interim. For more information about forest functionality, see the Raising Domain Functional Levels section in this paper.
Upgrading the Windows NT Server 4.0 or Earlier Primary Domain Controller
The first server running Windows NT Server 4.0 that you must upgrade is the primary domain controller (PDC). Upgrading the Windows NT PDC is required for a successful upgrade of the domain. During the upgrade, the Active Directory Installation Wizard requires that you choose to join an existing domain tree or forest, or start a new domain tree or forest. If you decide to join an existing domain tree, you must provide a reference to the desired parent domain. For more information, see “Checklist: Installing a Domain Controller” in the Windows Server 2003 on-screen Help and Support Center.
Running the Active Directory Installation Wizard installs all necessary components on the domain controller, such as the directory data store and the Kerberos V5 protocol authentication software. Once the Kerberos V5 protocol has been installed, the installation process starts the authentication service and the ticket granting service, and if this is a new child domain, a transitive trust relationship is established with the parent domain. Eventually, the domain controller from the parent domain copies all schema and configuration information to the new child domain controller. The existing Security Accounts Manager (SAM) objects will be copied from the registry to the new data store. These objects are security principals.
During the upgrade, objects are created to contain the accounts and groups from the Windows NT domain. These Container objects are named Users, Computers, and Builtin and are displayed as folders in Active Directory Users and Computers. User accounts and predefined groups are placed in the Users folder. Computer accounts are placed in the Computers folder. Built-in groups are placed in the Builtin folder. Note that these special Container objects are not organizational units. They cannot be moved, renamed, or deleted.
Existing Windows NT Server 4.0 and earlier groups are located in different folders depending on the nature of the group. Windows NT Server 4.0 and earlier built-in local groups (such as Administrators and Server Operators) are located in the Builtin folder. Windows NT Server 4.0 and earlier global groups (such as Domain Admins) and any user-created local and global groups are located in the Users folder.
The upgraded PDC can synchronize security principal changes to the remaining Windows NT Server 4.0 and earlier backup domain controllers (BDCs), which recognize it as the domain master.
If a domain controller running Windows Server 2003 goes offline or otherwise becomes unavailable and no other Windows Server 2003 domain controllers exist in the domain, a Windows NT BDC can be promoted to a PDC to fill the role for the offline Windows Server 2003 domain controller.
The upgraded domain controller is a fully functional member of the forest. The new domain is added to the domain and site structure, and all domain controllers receive the notification that a new domain has joined the forest.
Upgrading Any Remaining Backup Domain Controllers
Once you have upgraded the Windows NT Server 4.0 and earlier PDC, you can proceed to upgrade all remaining BDCs. During the upgrade process, you may want to remove one BDC from the network to guarantee a backup if any problems develop. This BDC will store a secure copy of your current domain database.
If any problems arise during the upgrade, you can remove all domain controllers running Windows Server 2003 from the production environment, and then bring the BDC back into your network and make it the new PDC. This new PDC will then replicate its data throughout the domain so that the domain is returned to its previous state.
The only drawback to this method is that all changes that were made while the safe BDC was offline are lost. To minimize this loss, you could periodically turn the safe BDC on and off (when the domain is in a stable state) during the upgrade process, to update its safe copy of the directory.
When upgrading Windows NT Server 4.0 and earlier domains, only one domain controller running Windows Server 2003 can create security principals (users, groups, and computer accounts). This single domain controller is configured as a PDC emulator master. The PDC emulator master emulates a Windows NT Server 4.0 and earlier PDC. For more information about the PDC emulator role, see “Operations Master Roles” in the Windows Server 2003 on-screen Help and Support Center.
When you upgrade a primary domain controller running Windows NT Server 4.0 to a server running Windows Server 2003, existing Windows NT groups are converted in the following way:
When the Windows Server 2003 domain is switched to native mode, Windows NT local groups are converted to domain local groups on servers running Windows Server 2003.
Domain member computers running Windows NT can continue to display and access the converted groups. The groups appear to these clients as Windows NT Server 4.0 local and global groups. However, a Windows NT client cannot display members of groups or modify the member properties when that membership violates Windows NT group rules. For example, when a Windows NT client views the members of a global group on a server running Windows Server 2003, it does not see any other groups that are members of that global group.
Using Converted Groups with Servers Running Windows Server 2003
Client computers that do not run Active Directory client software identify groups with universal scope on servers running Windows Server 2003 as having global scope instead. When viewing the members of a group with universal scope, the Windows NT client can only view and access group members that conform to the membership rules of global groups on servers running Windows Server 2003.
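The two legacy-client views described above (nested members of a global group, and universal groups reported as global) as one added illustration that is not from the original document. It assumes that a member "conforms to the membership rules of global groups" when it is a user or computer account from the group's own domain, so nested groups and accounts from other domains are the hidden part; the directory contents are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str                     # "user", "computer" or "group"
    scope: str = ""               # groups only: "global", "domain_local", "universal"
    members: tuple = ()           # groups only: direct members

def scope_seen_by_nt_client(group):
    """Clients without the AD client software report universal scope as global."""
    return "global" if group.scope == "universal" else group.scope

def conforms_to_global_rules(member, group):
    """Assumed rule: a user or computer account from the group's own domain."""
    return member.kind in ("user", "computer") and member.domain == group.domain

def members_seen_by_nt_client(group):
    """Direct members an NT client can display. Domain local groups are not
    reachable from Windows NT administrative tools at all."""
    if group.scope == "domain_local":
        raise LookupError(f"{group.name}: domain local groups are not visible to NT tools")
    return [m.name for m in group.members if conforms_to_global_rules(m, group)]

def hidden_from_nt_client(group):
    """Members that still receive access through the group but that an NT
    administrator assigning permissions to it will never see: the set worth
    auditing before rights are granted from a legacy console."""
    return [m.name for m in group.members if not conforms_to_global_rules(m, group)]

# Constructed sample directory.
CORP = "corp.example.com"
SALES = "sales.example.com"
alice = Principal("alice", CORP, "user")
ws01 = Principal("ws01$", CORP, "computer")
bob = Principal("bob", SALES, "user")                      # account from another domain
itg = Principal("ITG", CORP, "group", "global", (alice,))  # nested global group
all_staff = Principal("AllStaff", CORP, "group", "universal", (alice, ws01, bob, itg))
helpdesk = Principal("HelpDesk", CORP, "group", "domain_local", (itg,))
```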
In a Windows Server 2003 domain that is set to the Windows 2000 native domain functional level, all domain controllers must be running Windows Server 2003. However, the domain can contain member servers that run Windows NT Server 4.0. These servers view groups with universal scope as having global scope, can assign rights and permissions to groups with universal scope, and can place them in local groups.
In a Windows Server 2003 domain, a Windows NT Server 4.0 member server running Windows NT administrative tools cannot access domain local groups. However, you can work around this by using a server running Windows Server 2003 and using the administrative tools in its Windows Server 2003 Administration Tools Pack to access the server running Windows NT Server 4.0. You can use these tools to display the domain local groups and assign to them permissions to resources on the server running Windows NT Server 4.0.
Completing the Upgrade of the Domain
If you have upgraded all existing Windows NT Server 4.0 and earlier primary and backup domain controllers to Windows Server 2003 and you have no plans to use Windows NT Server 4.0 and earlier domain controllers, you can raise the domain functional level from Windows 2000 mixed to Windows 2000 native. For more information about how to raise the domain functional level, see the Raising Domain Functional Levels section in this paper.
Several things happen when you raise the domain functional level to Windows 2000 native:
Domain controllers no longer support NTLM replication.
The domain controller that is emulating the PDC operations master cannot synchronize data with a Windows NT Server 4.0 and earlier BDC.
Windows NT Server 4.0 and earlier domain controllers cannot be added to the domain. (You can add new domain controllers running Windows 2000 or Windows Server 2003.)
Users and computers using previous versions of Windows begin to benefit from the transitive trusts of Active Directory and (with the proper authorization) can access resources anywhere in the forest. Although previous versions of Windows do not support the Kerberos V5 protocol, the pass-through authentication provided by the domain controllers allows users and computers to be authenticated in any domain in the forest. This enables users or computers to access resources in any domain in the forest for which they have the appropriate permissions.
Other than the enhanced access to any other domains in the forest, clients will not be aware of any changes in the domain.
Installing Active Directory Client Software on Older Client Computers
Computers running Active Directory client software can use Active Directory features, such as authentication, to access resources in the domain tree or forest and to query the directory. By default, client computers running Windows XP Professional and Windows 2000 Professional have the client software built in and can access Active Directory resources normally.
However, computers running earlier versions of Windows (Windows 98, Windows 95, and Windows NT) require installation of the Active Directory client software before access to Active Directory resources is available. Without the client software, previous versions of Windows can only access the domain as if it were a Windows NT Server 4.0 and earlier domain, finding only those resources available through Windows NT Server 4.0 and earlier one-way trusts.
Windows NT Server 4.0 domain controllers that are upgraded to Windows Server 2003 will by default have Server Message Block (SMB) Protocol packet signing enabled and will therefore require that clients attempting to authenticate to them also have SMB packet signing enabled. Clients in the domain running Windows NT Server 4.0 Service Pack 3 and earlier and Windows 95 will no longer be able to log on or access domain resources on the network.
To allow these clients access to domain resources, configure all Windows Server 2003-based domain controllers to not require SMB packet signing by disabling the “Microsoft network server: Digitally sign communications (always)” setting in the Group Policy Object Editor. Doing so will prevent domain controllers from requiring SMB packet signing from those clients that do not have it enabled but will still allow domain controllers to negotiate SMB packet signing with those clients that do have it enabled.
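A model of the signing negotiation described above, added here as an illustration rather than Microsoft's code, so the effect of the “(always)” setting on each client type can be checked before it is changed and the clients left on unsigned SMB can be tracked until they are retired. Assumptions: the server-side settings correspond to the RequireSecuritySignature and EnableSecuritySignature values under LanmanServer\Parameters; the rule modelled is the standard SMB one (a side that requires signing refuses a peer that cannot sign, signing is used when either side requires it or both enable it); the client fleet is constructed, with the text's statement that NT 4.0 SP3 and earlier and Windows 95 do not sign.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SigningPolicy:
    name: str
    supports: bool   # implementation can sign at all
    enabled: bool    # EnableSecuritySignature / "Digitally sign ... (if client agrees)"
    required: bool   # RequireSecuritySignature / "Digitally sign ... (always)"

def negotiate(server, client):
    """Outcome of one SMB session: 'refused', 'signed' or 'unsigned'."""
    for side in (server, client):
        if side.required and not side.supports:
            raise ValueError(f"{side.name}: requires signing it cannot perform")
    if server.required and not client.supports:
        return "refused"          # the logon failure the text describes
    if client.required and not server.supports:
        return "refused"
    if server.required or client.required:
        return "signed"
    if server.enabled and client.enabled:
        return "signed"           # negotiated with capable clients
    return "unsigned"             # the fallback that relaxing "(always)" allows

def refused_clients(server, clients):
    """Clients that can no longer log on under this server policy."""
    return [c.name for c in clients if negotiate(server, c) == "refused"]

def unsigned_clients(server, clients):
    """Clients whose sessions fall back to unsigned SMB under this server policy:
    the set to track so the requirement can be restored once they are gone."""
    return [c.name for c in clients if negotiate(server, c) == "unsigned"]

# Constructed policies: an upgraded DC with its default, the same DC with the
# "(always)" setting disabled, and a sample fleet of the client types named above.
DC_DEFAULT = SigningPolicy("upgraded DC (default)", True, True, True)
DC_RELAXED = SigningPolicy("upgraded DC, always-sign disabled", True, True, False)
FLEET = [
    SigningPolicy("NT 4.0 SP3", False, False, False),
    SigningPolicy("Windows 95", False, False, False),
    SigningPolicy("NT 4.0 SP6a", True, True, False),
    SigningPolicy("Windows 2000", True, True, False),
]
```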
For more information about the Active Directory client software, see “Active Directory Clients” in the Windows Server 2003 on-screen Help and Support Center.
When the domain functional level is set to Windows 2000 mixed, the domain controller exposes to clients using earlier versions of Windows only resources in domains that have older, established Windows NT Server 4.0 and earlier explicit trusts. This creates a consistent environment in that the earlier version clients can access only resources in domains with explicit trusts, regardless of whether the domain controllers they use are running Windows Server 2003 or are Windows NT Server 4.0 and earlier backup domain controllers.