Monday, May 01, 2006

Pre-Domain Migration II

Preparing the Target Domain

Create or configure the new domain. For the purposes of this document, we will use Windows 2003 as the new target domain or an existing Windows 2003 target domain.

Domain Configuration:
Select the new domain's NetBIOS name so that it is unique; do not use the name of any existing domain. Example: Old NetBIOS Name: WINZERO. New NetBIOS Name: WINZEROAD. Do not use underscores ( _ ) in domain names.

Select a DNS name for the domain that does not reflect the name of a web or FTP domain. Example: Web: www.winzero.ca; Domain Name: winzero.dev, an internal name not registered on public DNS servers. Do not use underscores ( _ ) in domain names.

Promote the Windows 2003 server to a Windows 2003 domain; this is the equivalent of a Windows 2000 domain in Native mode.

Configure DNS to be Active Directory integrated and to reside in the target domain.
Configure the DNS client on the domain controller's network card to point to the new DNS server.

If an NT4 domain will be part of the migration project, point the WINS client on the domain controller's network card to the NT4 domain's WINS server.

OU Creation:
Create an OU in the target domain that will contain all administrative and service accounts. Example: NETADMINS.
Move all the administrative accounts and administrative groups to the new OU. The accounts and groups to move are: Administrator, Administrators, Domain Admins, Enterprise Admins, DNSAdmins, etc.

Create Service Accounts
Create one or more service accounts in the newly created administrative OU. DO NOT prefix these accounts with symbols such as #, _ or $; these symbols are escape characters in LDAP and will cause problems later. Assign the "Log on locally" and "Log on as a service" user rights in both the domain and domain controller policies. These newly created service accounts will be used later to replace the service accounts in the source domain(s).

Create a Migration Account
Create an account to be used for the migration, and create it in the new administrative OU. Add the migration account to the Administrators, Domain Admins and Enterprise Admins groups. In both the domain and domain controller policies, grant this account the "Log on locally" and "Log on as a service" user rights.

Create a Domain Local Group
Create a Domain Local group named DomainNetBiosName$$$, for example WINZEROAD$$$: the domain's NetBIOS name followed by three $ signs. DO NOT add members to this group.

Pre-Windows 2000 Compatible Access Group
Check and verify that the Everyone group is a member of the Pre-Windows 2000 Compatible Access group. If it is not, add the Everyone group.

Password Policies

Check and verify that the target domain's minimum password policy and restrictions are less restrictive than, or equally restrictive to, every source domain's password policy. Passwords will not migrate if the password policy of the target domain is more restrictive than the password policy of the source domain.

Registry Settings:
Check, add and verify the following registry settings on the PDC emulator FSMO role holder (usually the first domain controller installed in the target domain).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Key: AllowPasswordExport
Type: DWORD
Set to: 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Key: RestrictAnonymous
Type: DWORD
Set to: 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Key: TcpipClientSupport
Type: DWORD
Set to: 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Key: MaxUserPort
Type: DWORD
Set to: 0x0000fffe (hex) or 65534 (decimal)
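As an added verification script for the steps above (not part of the original post), the following PowerShell checks the naming rules, the administrative OU, the $$$ group, the Everyone membership in Pre-Windows 2000 Compatible Access, and the four registry values on the PDC emulator. It assumes the ActiveDirectory PowerShell module is available, the Remote Registry service on the PDC emulator is reachable, and the OU is named NETADMINS as in the example.

```powershell
# Added pre-migration verification script; not part of the original post.
# Assumptions: ActiveDirectory PowerShell module is available, the caller can
# read the target domain, and the PDC emulator's Remote Registry is reachable.
$AdminOU = 'NETADMINS'                      # OU name taken from the post's example
$d       = Get-ADDomain
$netbios = $d.NetBIOSName
$pdc     = $d.PDCEmulator
$results = New-Object System.Collections.ArrayList

function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    [void]$results.Add([pscustomobject]@{ Check = $Name; Pass = $Ok; Detail = $Detail })
}

# Naming rules: no underscores in the NetBIOS or DNS name.
Add-Check 'NetBIOS name has no underscore' ($netbios -notmatch '_') $netbios
Add-Check 'DNS name has no underscore'     ($d.DNSRoot -notmatch '_') $d.DNSRoot

# Administrative OU exists.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$AdminOU'" -Server $pdc
Add-Check "OU $AdminOU exists" ($null -ne $ou) "$($ou.DistinguishedName)"

# <NetBIOS>$$$ group exists, is Domain Local, and has no members.
$grpName = $netbios + '$$$'
try { $grp = Get-ADGroup -Identity $grpName -Server $pdc -ErrorAction Stop } catch { $grp = $null }
Add-Check "Group $grpName exists"         ($null -ne $grp) "$($grp.DistinguishedName)"
Add-Check "Group $grpName is DomainLocal" ($grp.GroupScope -eq 'DomainLocal') "$($grp.GroupScope)"
$memberCount = if ($grp) { @(Get-ADGroupMember -Identity $grp -Server $pdc).Count } else { -1 }
Add-Check "Group $grpName has no members" ($memberCount -eq 0) "members=$memberCount"

# Everyone (well-known SID S-1-1-0) is a member of Pre-Windows 2000 Compatible Access.
$pre2k = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member -Server $pdc
$hasEveryone = [bool]($pre2k.member | Where-Object { $_ -like 'CN=S-1-1-0,*' })
Add-Check 'Everyone in Pre-Windows 2000 Compatible Access' $hasEveryone "members=$($pre2k.member.Count)"

# Registry values on the PDC emulator, as listed in the post. RestrictAnonymous=0 and
# AllowPasswordExport=1 relax security, so treat them as migration-time settings.
$expected = @{
    'SYSTEM\CurrentControlSet\Control\Lsa|AllowPasswordExport'       = 1
    'SYSTEM\CurrentControlSet\Control\Lsa|RestrictAnonymous'         = 0
    'SYSTEM\CurrentControlSet\Control\Lsa|TcpipClientSupport'        = 1
    'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters|MaxUserPort' = 65534
}
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $pdc)
foreach ($key in $expected.Keys) {
    $path, $name = $key -split '\|'
    $sub    = $hklm.OpenSubKey($path)
    $actual = if ($sub) { $sub.GetValue($name) } else { $null }
    Add-Check "Registry $name = $($expected[$key])" ($actual -eq $expected[$key]) "actual=$actual"
}

$results | Format-Table -AutoSize
```

Run it from the target domain as the migration account; any row with Pass set to False points at a step above that still needs to be completed.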
