Active Directory Upgrade Scenarios

This section discusses the various migration scenarios. It looks at the single domain model, the master domain model, the multi-master model, and whether to go to Native Mode.

Single Domain

A single domain Windows NT 4.0 environment is the simplest environment to migrate from. You upgrade your PDC first, and then you upgrade your BDCs. After you have upgraded, reorganize objects into OUs as necessary and apply group policies to take advantage of Active Directory. Next, consider sites to control network traffic.

Master Domain Model

With a master domain model, you should upgrade the master domain first. If you are moving to multiple Active Directory domains, you can upgrade in-place. If you are going to have to a single Active Directory domain, your Windows NT 4.0 resource domain can be moved to the Active Directory domain, but you do need to create explicit trusts.

Multi-Master Model

With the multi-master model, you are able to upgrade into your ideal Active Directory domain model. In this scenario, Active Directory is addressing the issues that the multi-master model identified in large enterprises.

With this migration, you should build one tree with an empty root domain and build a domain tree for each master domain. The empty root domain provides the capability to have a contiguous namespace. The Forest, in which the master domains are located, has a common schema, configuration, and transitive trusts.

Account domains can be consolidated. A large single domain in Active Directory can be supported and does not affect end user authentication because of traffic, as long as there are an appropriate number of DCs, and they are distributed appropriately.

Account domains are consolidated by migrating account domains into separate domains in the same Forest. After an account domain is upgraded, the users and groups can be migrated to another domain in the Forest using ClonePrincipal for individual users, by user migration, or MoveTree for larger migrations.

Complete Trust Model

In this scenario, you need to understand why you have the complete trust model. Is it because your organization grew out of a departmental push for Windows NT? If so, you should create your ideal Active Directory design and upgrade to a single Forest with the empty root domain, similar to the multi-master model. If you have a complete trust model because of the business relationships that exist, you should consider the impact of a single Forest with trees or a multiple Forest implementation scenario.