Farewell, NT 4.0
After you update all of a domain's BDCs, you can change the domain from
mixed mode to a pure AD--or native--mode. To do so, open the domain properties dialog box and choose Change Mode, as
Screen 5, page 108, shows.
Changing modes is not automatic, because the change commits you to not
installing any new NT 4.0 BDCs.
After you change modes, the PDC in the now native-mode domain turns
off NTLM replication support. Doing so allows multimaster replication to
all servers in the domain, and therefore a distinction no longer exists
between a PDC and a BDC. Now you can start nesting the groups in AD, and your NT
4.0 and NT 3.51 workstations can start using AD's transitive trusts and can
access the entire domain tree.
Win2K users and groups still require SIDs, but because updated domains no
longer have PDCs to issue SIDs, the domain controllers must use a Relative
Identifier (RID) Pool. A user SID is a combination of a domain SID and a RID,
and the Win2K server that creates a user issues the user's SID. One Win2K server
at a time owns the domain RID Pool, drawing RIDs from it to allocate to the users
it creates. When another domain controller needs RIDs, ownership of the RID Pool
passes to that domain controller.
Dissolving Resource Domains
If your NT 4.0 or NT 3.51 domain model was either a master or multiple
master model, your domains likely have second-tier resource domains. Companies
usually create resource domains to decentralize resource administration. In AD,
OUs and per-server policies let you delegate resource administration within
domains more easily, and to a finer degree. Therefore, if you want to dissolve
your resource domains, you can safely do so. However, if your organization is
heavily decentralized, you can retain your resource domains and enhance their
role by moving user accounts from master domains to the pertinent resource
domains.
The idea behind dissolving resource domains is to transform the resource
domains into OUs within the former master domain. You can still have
decentralized administration because you can delegate administration on a per-OU basis. All users and groups stay valid in the dissolving process, but the local groups in the resource domains you dissolve need attention, because those local groups are identified by SIDs that the original resource domains issued.
Microsoft stated that AD will support SID tracking. For example,
when you move a local group from one AD domain to another, the local group
receives a new SID and remembers its original SID. SID tracking keeps old access permissions valid, as long as you dissolve your resource domains in the proper sequence. However, moving objects from one domain to another is not possible in NT 5.0 Beta 2.
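The SID structure from the RID Pool discussion above and the SID-tracking rule for moved local groups, as an added Python example (not code from the article; the Domain class and every SID value are constructed for illustration):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sid:
    """Text SID such as S-1-5-21-10-20-30-1105 (all values here are constructed)."""
    revision: int
    authority: int
    subauthorities: tuple

    @classmethod
    def parse(cls, text):
        parts = text.split("-")
        if len(parts) < 4 or parts[0] != "S":
            raise ValueError(f"not a SID: {text!r}")
        return cls(int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:]))

    def __str__(self):
        return "-".join(["S", str(self.revision), str(self.authority), *map(str, self.subauthorities)])

    @property
    def domain(self):
        # Everything but the last sub-authority identifies the issuing domain.
        return Sid(self.revision, self.authority, self.subauthorities[:-1])

    @property
    def rid(self):
        return self.subauthorities[-1]  # the RID the issuing domain allocated from its pool


class Domain:
    """Issues SIDs from a RID pool and remembers old SIDs of principals moved in (SID tracking)."""

    def __init__(self, domain_sid, first_rid=1000):
        self.sid = Sid.parse(domain_sid)
        self.next_rid = first_rid   # next RID to hand out from the pool
        self.sid_history = {}       # new SID -> old SID

    def create_principal(self):
        sid = Sid(self.sid.revision, self.sid.authority, self.sid.subauthorities + (self.next_rid,))
        self.next_rid += 1
        return sid

    def move_in(self, old_sid):
        # A user or group moved from another domain gets a new SID here and keeps its old one.
        new_sid = self.create_principal()
        self.sid_history[new_sid] = old_sid
        return new_sid

    def access_still_valid(self, ace_sid, principal_sid):
        """True if an ACL entry written for ace_sid still applies to principal_sid."""
        return ace_sid == principal_sid or self.sid_history.get(principal_sid) == ace_sid
```

Running `access_still_valid` over the SIDs in a server's ACLs before you turn off a resource-domain PDC shows which local-group entries would stop resolving if that group were not moved first.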
To dissolve your resource domains, migrate at least the PDC of the master domain to AD. This migration does not change the PDC's trusts to the resource domains but lets you administer AD. Next, create OUs that are identical to your resource domains--or if you prefer, create some other OU structure, as Figure 1 shows. It's easy to create OUs at
this point, because after you migrate the master domain's PDC, all your
users and groups are in the AD users container. From the users container, you move the users and groups to the appropriate OUs, and perhaps add some new OUs, depending on the structure you want to create.
After you've created your AD domain, you can migrate the PDC of each
resource domain, placing each PDC in the same domain tree as the migrated master
domain. This procedure lets you move users, groups, and servers from one domain
to another, which was not possible in NT.
After you migrate all your resource domain PDCs, you can drag your BDCs and
standalone servers from the almost-dissolved resource domains to the new AD
domain. A standalone server takes its local groups wherever you move the
server, so moving a standalone server does not affect that server's local
group's access permissions. However, the BDCs you move need to access their
local group information from the PDC until you move those local groups to the AD
domain.
NT workstations are usually members of resource domains, so you need to move
every workstation to the AD domain from the computers container. After taking
all these steps, you can turn off your resource domain PDCs, or move them to the
new AD "master" domain. In either case, in AD you have only one domain
to administer.