Document: Module 7: Minimizing the Impact on Network Operations During a Domain Restructure - Pdf 10

Contents
Overview
Maintaining Reliability of Network Services During a Domain Restructure
Preparing for Account Migration Issues
Leveraging Existing Directory Information During a Domain Restructure
Review

Module 7: Minimizing the Impact on Network Operations During a Domain Restructure

Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying

: Brian Komar (3947018 Manitoba Inc)
Technical Contributors: John Pritchard, Greg Parsons, David Cross, Rodney Fournier, Tony de
Freitas, Christoph Felix, Shaun Hayes, Megan Camp, Richard Maring, Glenn Pittaway, Anne
Hopkins, Bob Heath, Jeff Newfeld, Jim Glynn, Paul Thompson (Mission Critical Software, Inc.),
David Stern, Lyle Curry, Steve Tate, Bill Wade (Wadeware LLC).
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T Onsite)
Testers: Testing Testing 123
Instructional Design Consultants: Susan Greenberg, Paul Howard
Instructional Design Contributor: Kathleen Norton
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editors: Marilyn McCune (Sole Proprietor), Wendy Cleary (S&T OnSite), Jane Ellen Combelic
(S&T OnSite)
Copy Editor: Shawn Jackson (S&T Consulting)

Instructor Notes
This module provides students with the ability to develop a strategy for
restructuring Microsoft® Windows NT® version 4.0 domains to Microsoft
Windows® 2000 domains while maintaining network reliability, security,
availability, and performance.
There is no lab for this module.
At the end of this module, students will be able to:
• Examine existing network services and develop a strategy for ensuring their
reliability during the domain restructure.
• Plan for issues that arise due to the cloning of accounts when restructuring a
Windows 2000 domain.
• Describe how the Active Directory Connector (ADC) allows migration of
user attributes to the Active Directory directory service.

Materials and Preparation
This section provides you with the required materials and preparation tasks that
are needed to teach this module.
There are several chapters of the Windows 2000 Server Deployment Planning
Guide that will also help you prepare your delivery. These documents are in the
Additional Readings\Deployment Guide folder on the Student Materials
compact disc:
• Chapter 10, “Determining Domain Migration Strategies”, will provide
information on the LAN Manager Replication service, domain security, and
user profiles.
• Chapter 23, “Defining Client Administration and Configuration Standards,”
will provide information on Group Policy.
• Chapter 21, “Testing Applications for Compatibility with Windows 2000,”
will support the topic of upgrade impact on applications.
• Chapter 20, “Synchronizing Active Directory with Exchange Server
Directory Services,” will provide more background on using the Active
Directory Connector.

The following documents are also on the Student Materials compact disc and
will help to further prepare you to deliver this module:
• Microsoft Windows 2000 Market Bulletin: Active Directory™ Client
Extensions for Windows 95, 98 and Windows NT® 4
• Windows 2000 Operating System Comparison Chart
• Deploying the Active Directory Connector
• Knowledge Base article Q151777, "XADM: How to Move a Microsoft
Exchange Server to a New Domain" (It describes how to change the service
account within the Exchange Schema.)

should have an understanding of all of the topics in this module, their level
of familiarity will vary dramatically. Be prepared to provide background
information if students seem confused.
• Preparing for Account Migration Issues
It is critical that you clearly communicate the impact of a domain restructure
on each topic. This tells students why they should care about these topics—
for example, the trusts required by the migration tools make it possible for a
user to log on to either the source or target domain, possibly impacting
administrative overhead. Although this may scare some students and make
them wary of Windows 2000, you will earn their attention by underscoring
the importance of planning.
• Leveraging Existing Directory Information
This section focuses on how Microsoft Exchange directory information can
be used during migration. You do not have to be an expert with Exchange
to successfully deliver this topic. Focus on the three things that Exchange
can provide in Active Directory and the steps that must be followed. If
questions on the ADC arise, point students to the white paper on their
compact discs.

Overview

Maintaining Reliability of Network Services During a Domain Restructure
Preparing for Account Migration Issues
Leveraging Existing Directory Information During a

security, availability, and performance.
Maintaining Reliability of Network Services During a Domain Restructure

Providing Reliable DNS Services
Providing Reliable NetBIOS Resolution Services
Providing Reliable DHCP Services
Providing Remote Access Services in a Mixed Environment
Supporting LAN Manager Replication
Migrating Logon Scripts to Group Policy
Migrating System Policies to Group Policy

For many network administrators, the biggest risk during a domain restructure
is potential interruptions to network operations. Because a restructure will affect
numerous network services, careful planning is necessary to ensure a smooth
transition. Important planning issues include:
• Examining how Domain Name System (DNS) data will be replicated in a

Key Point
While many of these topics are covered in module 4, “Minimizing the Impact on
Network Operations During an Upgrade,” the content focuses on planning issues
for restructuring, as opposed to upgrading.
Providing Reliable DNS Services

Effect of a Restructure on DNS Services
Match Active Directory Domains to DNS Domains
• Install a secondary Windows 2000 DNS server in the target domain
• Transfer zone file then reconfigure Windows 2000 DNS as the primary DNS server
• Promote Windows 2000 DNS server to be a domain controller and configure
Active Directory integrated zones
Create New DNS Domains to Host SRV Records
• Install a primary Windows 2000 DNS server in the target domain

• Establishing a DNS server in the target Windows 2000 domain. This DNS
server must be capable of storing the necessary SRV resource records for
Active Directory and must also have the ability to accept dynamic updates.

Slide Objective
To describe a strategy for providing reliable DNS services during a domain
restructure.
Lead-in
Your domain restructure plan must define how DNS will be made available to the
target Active Directory environment.
Remind students that there is no need to maintain the DNS zone for an Active
Directory domain that is being removed from the network.
In addition to supporting SRV resource records, DNS also provides support for
multi-master replication by using Active Directory-integrated zones and the
support for dynamic updates of zone resource records.

the Active Directory domain, your restructure plan must include the following:
• Installing a DNS server in the target Windows 2000 domain. This DNS
server will host all necessary zone resource records for Active Directory.
• Integrating Windows 2000 DNS server with the existing Windows NT 4.0
DNS servers. This can involve delegating NS (name server) resource
records to Windows 2000 DNS zones that are sub-domains of existing
Windows NT 4.0 DNS domains. In the case of separate DNS domains, this
can involve either editing the root hints for the DNS implementation or
creating secondary zones for the newly created domain under Windows NT
4.0 DNS.
• Moving the reverse lookup zones to the Windows 2000 DNS servers. This
will take advantage of multi-master replication that exists within the
Windows 2000 DNS server.
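
An added example, not part of the course material: a PowerShell check that the DNS server chosen for the target domain answers for the SRV locator records that Active Directory clients depend on. It assumes a management host with the DnsClient module (Resolve-DnsName, which postdates Windows 2000); the function name, domain name and server address are placeholders.

```powershell
# Added example: verify that a DNS server holds the SRV records that
# domain controllers register through dynamic update.
function Test-AdSrvRecords {
    param(
        [Parameter(Mandatory)][string]$DomainName,   # DNS name of the target domain
        [Parameter(Mandatory)][string]$DnsServer     # DNS server under test
    )

    # Standard locator records used to find LDAP, Kerberos and PDC services.
    $required = @(
        "_ldap._tcp.$DomainName",
        "_kerberos._tcp.$DomainName",
        "_ldap._tcp.dc._msdcs.$DomainName",
        "_kerberos._tcp.dc._msdcs.$DomainName",
        "_ldap._tcp.pdc._msdcs.$DomainName"
    )

    foreach ($name in $required) {
        $query = @{
            Name        = $name
            Type        = 'SRV'
            Server      = $DnsServer
            DnsOnly     = $true      # do not fall back to LLMNR or NetBIOS
            ErrorAction = 'Stop'
        }
        try {
            # Keep only SRV answers; additional A records are ignored.
            $srv = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' })
        } catch {
            # NXDOMAIN, timeout or refused query: treat the record as missing.
            $srv = @()
        }

        [pscustomobject]@{
            Record  = $name
            Present = ($srv.Count -gt 0)
            Targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
    }
}

# Constructed placeholder values; replace with the target domain and its DNS server.
Test-AdSrvRecords -DomainName 'target.example.com' -DnsServer '192.0.2.53' |
    Format-Table -AutoSize
```

A record reported as not present after a domain controller has been promoted usually means the zone does not accept dynamic updates or the domain controller points at a different DNS server.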

Providing Reliable NetBIOS Resolution Services

Effect of a Restructure on NetBIOS Resolution Services
• Migrated accounts are isolated from the resources and name resolution
services of the source domain
Restructuring Domains to Serve NetBIOS Clients
• Determine if the Windows Internet Name Service is required during a restructure

Performance console provides NetBIOS-related counters that can be
used to determine the continued need for WINS. See the section titled
Providing Reliable NetBIOS Resolution Services in module 4, "Minimizing
the Impact on Network Operations During an Upgrade," in course 2010A,
Designing a Microsoft Windows 2000 Migration Strategy.

Slide Objective
To describe a strategy for providing reliable NetBIOS resolution services
during a domain restructure.
Lead-in
Will you still require WINS after the domain restructure?
Remind students that remote NetBIOS resources can also be resolved using the
LMHOSTS configuration text file stored in the systemroot\system32\drivers\etc
folder.
Note
• If WINS is required during or after a restructure to support migrated clients,
integrate the WINS topology of the source domain with that of the target
domain. To ensure that all accounts will have access to all resources on the


Providing Reliable DHCP Server Services

Ensuring That DHCP Services Continue to Operate
• Migrate DHCP services to the target domain early in the restructure
  • Upgrade the existing DHCP server if the source domain is a Windows NT 4.0 domain
  • Migrate the DHCP settings to a new server by using the NETSH command
• Determine new scope options that need to be configured

DHCP dynamically assigns IP addresses and provides automatic network
configurations to DHCP clients. Both Windows NT 4.0 and Windows 2000
DHCP servers can provide services to Windows 2000 and earlier clients and
servers.
During the migration to Windows 2000, both the source and target domains will
run on the same physical network structure. DHCP services can be maintained
in the existing source domain structure or can be moved to the target
Windows 2000 domain during the restructuring process.
Ensuring That DHCP Services Continue to Operate
One of the goals in migrating the source DHCP services to the target network is
to maintain the current IP reservations and to ensure that the DHCP options are
not changed from their current definitions.
• Migrate DHCP services to the target domain early in the restructure. This
ensures that current IP address assignments are maintained. It also will
prevent the need to split the DHCP scope between DHCP servers in the

and target domains without overlap.
Key Points
The dhcpcmd command can be used to script the authorization of a DHCP server.
The NETSH command can be used to export settings from both Windows NT 4.0
and Windows 2000 DHCP Server services.
  • Migrate the DHCP settings to a new server by using the NETSH
    command. The NETSH command can export the current source DHCP
    settings to a text file that can in turn be imported into the target
    Windows 2000 DHCP Server service.

For more information about using NETSH with DHCP, see “Netshell
Commands for DHCP,” in the Windows 2000 Server Help files.

After the DHCP configuration information is imported into the
Windows 2000 DHCP Server in the target domain, the original DHCP

• Determine how remote access servers will be migrated
• Ensure that remote access authentications will be successful
• Remove backward compatibility permissions
• Identify additional Remote Access Policy settings to configure

Routing and Remote Access in Windows 2000 provides dial-in and tunneling
access to Windows 2000 networks. An inter-forest restructure requires planning
to integrate Windows NT 4.0 Remote Access Service (RAS) and Routing and
Remote Access Service (RRAS) that are migrated to a Windows 2000 target
domain.
The Effect of a Restructure on RAS and RRAS
The main issue with remote access during a domain restructure occurs when
Windows NT 4.0 RAS or RRAS servers are moved to join a Windows 2000
target domain. Windows NT 4.0 RAS and RRAS servers use NULL sessions to
determine dial-in permissions and whether any other dial-in settings, such as
call-back telephone numbers, are configured for remote users. By default,
Active Directory does not accept object attribute queries through NULL
sessions.
Without proper planning, the interoperability of remote access services in a
mixed environment can cause legitimate dial-in users to be denied remote
network access.

There are no issues with Routing and Remote Access when the
restructure takes place between two Windows 2000 domains. This is because the
Windows 2000 Routing and Remote Access servers do not use NULL sessions
to determine dial-in rights for a remote user.

Allowing NULL Session Authentication
When users use their cloned accounts in the target domain, they authenticate
against Active Directory rather than the Windows NT 4.0 Security Accounts
Manager (SAM) database. If your network contains Windows NT 4.0 RAS
servers, and you want to continue providing remote access via down-level
remote access servers, you must configure Active Directory to allow pre-
Windows 2000 compatible group access by:
• Setting the Active Directory permissions to be compatible with pre-
Windows 2000 Server when running the Active Directory Installation
wizard
OR
• Adding the Everyone group to the Pre-Windows 2000 Compatible Access
built-in group.

The Pre-Windows 2000 Compatible Access group is able to query the
properties of objects in Active Directory without authenticating with Active
Directory. This allows Windows NT 4.0 RAS servers to function by connecting
to Active Directory servers with NULL sessions to determine whether a
connecting user has dial-in permissions.
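
An added example, not part of the course material: a PowerShell audit of the group membership described above, so that the backward-compatibility permission can be tracked and removed once no Windows NT 4.0 RAS servers remain. It assumes the ActiveDirectory PowerShell module (RSAT), which postdates Windows 2000; the function name and domain name are placeholders, and the SIDs are the fixed well-known values for the built-in group, Everyone and Anonymous Logon.

```powershell
# Added example: report whether anonymous-capable principals are members of
# the built-in "Pre-Windows 2000 Compatible Access" group in a domain.
Import-Module ActiveDirectory

# Well-known SIDs (constant across all Windows domains).
$PreW2kGroupSid = 'S-1-5-32-554'      # BUILTIN\Pre-Windows 2000 Compatible Access
$RiskyPrincipals = @{
    'S-1-1-0' = 'Everyone'
    'S-1-5-7' = 'Anonymous Logon'
}

function Get-PreW2kRiskyMembers {
    param(
        [Parameter(Mandatory)][string]$Domain    # DNS name of the domain to audit
    )

    # Look the group up by SID so a renamed or localized group is still found.
    $group = Get-ADGroup -Identity $PreW2kGroupSid -Server $Domain -Properties member

    foreach ($dn in $group.member) {
        # Well-known principals are stored as foreignSecurityPrincipal objects
        # whose RDN is the SID: CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=...
        if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') {
            $sid = $Matches[1]
            if ($RiskyPrincipals.ContainsKey($sid)) {
                [pscustomobject]@{
                    Domain   = $Domain
                    Sid      = $sid
                    Name     = $RiskyPrincipals[$sid]
                    MemberDN = $dn
                }
            }
        }
    }
}

# Constructed placeholder domain name; replace with the target domain.
$findings = @(Get-PreW2kRiskyMembers -Domain 'target.example.com')
if ($findings.Count -eq 0) {
    'Everyone and Anonymous Logon are not members of Pre-Windows 2000 Compatible Access.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any row returned means directory attributes remain readable over NULL sessions in that domain; the membership should be scheduled for removal as part of decommissioning the down-level remote access servers.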
Ensuring That RAS and RRAS Services Continue to Operate
To ensure that Windows NT 4.0 RAS and RRAS servers continue to function as
required once their computer accounts have been moved and the member
servers have been configured to join the target domain, your inter-forest
restructure plan must include the following steps:
• Determine how source remote access servers will be migrated. These
servers might be upgraded to Windows 2000 and join the target domain.

and policies until file replication is integrated with Windows 2000 FRS

Integrating Replication Services
• Ensure that the two file replication systems are bridged
• Maintain the bridge between the replication systems
• Determine when to remove the bridge between replication systems

Windows NT 4.0 Server uses the LAN Manager Replication service to replicate
logon scripts, System Policies, and other data. Windows 2000 does not support
LAN Manager Replication service but offers the same functionality through
FRS.
The Effect of a Restructure on Replication Services
While the logon script attribute for user accounts is migrated, cloned users will
not by default receive logon scripts until the script itself is made available in the
target domain. System policies must also be migrated to continue processing on
computer accounts that have joined the target domain.
To ensure that user-assigned logon scripts and system policies will be available
as cloned users begin to authenticate in the target Windows 2000 domain, the
contents of the NETLOGON share must be bridged to the Windows 2000
domain.
Slide Objective
To explain how to maintain LAN Manager replication functionality after

If you want to use robocopy, configure the lines as shown here:

Rem Call :XCopy
Call :Robocopy

If you want to use xcopy, leave as originally shipped.
Integrating Replication Services
If you require logon scripts and system policies to continue processing for
accounts that are migrated from Windows NT 4.0 to Windows 2000, logon
scripts found in the NETLOGON share on Windows NT 4.0 domain controllers
must be made available to and replicated within the Windows 2000 structure.
An inter-forest domain restructure plan must include the following to provide
logon scripts and System Policies to migrated users and keep the files
synchronized between the two replication systems:
• Ensure that the two file replication systems are bridged. The lbridge.cmd
file found in the Windows 2000 Resource Kit will copy the contents of a
Windows 2000 domain controller NETLOGON share to the Windows NT
4.0 LAN Manager replication export server. The lbridge.cmd file must be
configured to allow the synchronization between the Windows 2000 FRS
and the Windows NT 4.0 LAN Manager Replication service. The edits that
must be performed include:
  a. Manually entering the destination directory for the Windows NT 4.0
  export server. This universal naming convention (UNC) path will be the
  target for the copy process.

Migrating Logon Scripts to Group Policy

Effect of a Restructure on Logon Scripts
• User accounts configured for logon scripts will continue to process the
scripts if the script is properly migrated
Migrating Logon Scripts to Windows 2000
• Involves bridging file replication systems
Using Windows 2000 Group Policy to Process Scripts
• Identify all logon scripts in the NETLOGON share
• Determine if user-based logon scripts can be removed
• Determine where to apply Group Policy scripts

Windows NT 4.0 user-based logon scripts are implemented as MS-DOS® batch
files stored in the NETLOGON share of primary domain controllers (PDCs)
and backup domain controllers (BDCs). When user accounts are moved or
cloned to a target Windows 2000 domain, the logon script property for those
users is retained as an account attribute in the target Windows 2000 domain.

sites, domains and OUs. Group Policy cannot be applied to down-level
computer accounts.
Remind students that Group Policy scripts can be separated into computer-based
scripts for both the startup and shutdown sequences, or into user-based scripts
that can be applied when clients running Windows 2000 either log on or log off.
Using Windows 2000 Group Policy to Process Scripts
When moving computer accounts to a target Windows 2000 domain, logon
scripts can be converted to Windows 2000 Group Policy. Group Policy allows
greater flexibility in applying scripts; for example, scripts can be assigned to
both computer and user accounts at the container level in Active Directory.
Additional scripts can also be applied through the use of Group Policy, such as
user logoff and computer startup and shutdown scripts. By using the Windows
Script Host to process the scripts, more flexible commands can be executed
than were possible in the MS-DOS batch file format used for Windows NT
user-based logon scripts.
To determine if Group Policy can be used in the target environment to process
scripts, the following steps must be added to the domain restructure plan:


Integrating System Policies in Windows 2000
• Bridge the file replication services
Migrating System Policies to Windows 2000
• Determine what migrated downlevel clients require System Policies
• Determine what settings from System Policies need to be applied to clients
upgraded to Windows 2000
• Determine where in the OU structure to deploy Group Policy
• Determine if System Policies should be decommissioned

During an inter-forest restructure, different mixes of System Policies and Group
Policy will be applied to users and computers. This will depend on whether the
user account or computer account is located in a Windows 2000 or Windows
NT 4.0 domain.
When a computer account is in a Windows NT 4.0 domain, system policies are
applied to the computer. When a user account is located in a Windows NT 4.0
domain, system policies are applied to the user. If a computer or user account is
in a Windows 2000 domain, group policies are applied to that account.
For example, if a user with an account on a Windows 2000 domain logs on to a
computer with an account in a Windows NT 4.0 domain:
• Computer settings are applied from any system policy that applies to the
computer account.

are not an issue when performing intra-forest migration.
Important
Integrating System Policies in Windows 2000
To ensure that System Policies continue to process for Windows NT 4.0
computer accounts in a Windows 2000 domain, you must migrate the Windows
NT 4.0 system policy file (Ntconfig.pol) to the Windows 2000 NETLOGON
share. Use a bridge between the LAN Manager Replication service in Windows
NT 4.0 and FRS in Windows 2000, to connect the NETLOGON shares so that
System Policies are available in the Windows 2000 network.
Migrating System Policies to Windows 2000
Processing System Policies for migrated clients in a Windows 2000 domain is
necessary only until clients are upgraded to Windows 2000. Once all users are
migrated to and authenticating against the Windows 2000 target domain and
client computers are upgraded, System Policy functionality must be replaced
with Group Policy. The following steps are necessary in a restructure plan to
fully migrate System Policies to Group Policy:
• Determine what migrated down-level clients require System Policies. Only
previous Microsoft clients whose accounts have been moved to the target
domain require System Policies from the NETLOGON share.
• Determine what settings from System Policies need to be applied to clients
upgraded to Windows 2000. System Policy settings can be migrated to
Group Policy using the Gpolmig.exe Windows 2000 Resource Kit utility.
This tool translates current System Policy settings into Group Policy
settings and maps the necessary registry settings to the Windows 2000
registry settings.

Providing Reliable Service Account Operation
Migrating Hard-Coded Account Mappings
Migrating User Rights Assignments
Migrating User Profile

During the domain restructure, accounts are moved or cloned to a target
Windows 2000 domain. If done improperly, this process can affect several
areas, including password continuity, service accounts, application
functionality, and user rights.
Slide Objective
To describe the issues that occur due to the cloning of accounts when
restructuring a Windows 2000 domain.
Lead-in
Careful planning is required to migrate accounts to their new domains.
Minimizing Authentication Issues During Restructure

Passwords Are Not Cloned and Accounts Are Enabled
Minimizing Authentication Service Issues

administrative confusion when configuration changes are applied to the source
account rather than to the cloned account.
Passwords are not migrated during an inter-forest domain restructure. Failed
user logon attempts due to incorrect passwords can generate significant support
issues during migration.

Refer to the Migration Tools Comparison worksheet on the Student
Materials compact disc for information on how each migration tool handles
passwords.

Minimizing Authentication Service Issues
To minimize the impact of authentication service issues during a domain
restructure:
• Determine how passwords will be set on cloned accounts. Each tool handles
passwords differently. For example, MoveTree maintains the existing
password when a user account is moved. ADMT, however, can set random
complex passwords on user accounts, and set the password on migrated
accounts to the user name. ClonePrincipal, by default, sets the password to
NULL on cloned accounts. Additional scripting is required to set initial
passwords when using this tool.

Slide Objective
To plan for issues involved with user authentication when cloning accounts to a
new forest.
Lead-in
Even though user accounts are migrated to Windows 2000, user passwords are
not carried

administrator enables them in Active Directory Users and Computers in the
Microsoft Management Console (MMC). ADMT offers more flexibility
because you can decide to disable either the source or target account.
• Determine when clients will be allowed to log on using target cloned
accounts. The ADMT can be configured to disable cloned accounts.
Accounts must not be made available to users until the target environment is
fully deployed and tested, passwords are distributed, and source accounts
are disabled.

Tip

