Module 4: Minimizing the Impact on Network Operations During an Upgrade

Contents

Overview 1
Maintaining Network Services During an Upgrade 2
Maintaining Security During an Upgrade 16
Determining the Impact of an Upgrade on Applications 24
Leveraging Existing Directory Information 25
Maintaining Network Performance During an Upgrade 27
Lab A: Minimizing the Impact on Network Operations During an Upgrade 31
Review 41

Module 4: Minimizing the Impact on Network Operations During an Upgrade

Project Lead/Instructional Designer:
Sangeeta Garg (NIIT (USA) Inc.)
Lead Program Manager:
Angie Fultz
Instructional Designer:
Robert Deupree (S&T OnSite)
Subject Matter Expert:
Brian Komar (3947018 Manitoba Inc)
Technical Contributors:
John Pritchard, Greg Parsons, David Cross, Rodney Fournier, Tony de
Freitas, Christoph Felix, Shaun Hayes, Megan Camp, Richard Maring, Glenn Pittaway, Anne
Hopkins, Bob Heath, Jeff Newfeld, Jim Glynn, Paul Thompson (Mission Critical Software, Inc.),
David Stern, Lyle Curry, Steve Tate, Bill Wade (Wadeware LLC).
Testing Leads:

Sid Benavente, Keith Cotton
Testing Developer:
Greg Stemp (S&T Onsite)
Testers:
Testing Testing 123
Instructional Design Consultants:
Susan Greenberg, Paul Howard
Instructional Design Contributor:
Kathleen Norton

Graphic Artist:
Kirsten Larson (S&T OnSite)
Editing Manager:
Lynette Skinner
Editors:

Lead Product Manager, Development Services:
Bo Galford
Lead Product Managers:
Dean Murray, Ken Rosen
Group Product Manager:
Robert Stewart
Module 4: Minimizing the Impact on Network Operations During an Upgrade  iii

Instructor Notes
This module provides students with the ability to develop a strategy for
upgrading from Microsoft® Windows NT® version 4.0 to Microsoft Windows® 2000
while maintaining network reliability, security, availability, and
performance.
At the end of this module, students will be able to:
• Examine existing network services and develop a strategy for ensuring their
reliability during an upgrade.
• Determine how a domain upgrade will modify existing security and develop
a strategy for maintaining desired security levels during the upgrade.
• Determine in advance how server applications will behave in a Windows
2000 environment.

“Defining Client Administration and Configuration Standards,” on the
Student Materials compact disc.

Presentation: 60 Minutes
Lab: 60 Minutes

Module Strategy
Use the following strategy to present this module:
Make sure that students understand that the strategies outlined in this module
are steps that must be added to the basic upgrade plan if an organization’s
current network environment warrants it. Not all upgrade plans will include all
strategies outlined in this module.
Be prepared throughout this module to provide a quick review of each service
to students who may not have an extensive Windows NT 4.0 background. You
may wish to use the Glasgow computer in class to demonstrate various
Windows NT 4.0 tools or to draw comparisons.
This module is one of the longer modules of the course. Consider taking a short
break in the middle of the module. Keep students’ attention and interest by
asking questions about what services, security, needs, or requirements exist in
their environment and how each topic might impact them.
• Maintaining Network Services During an Upgrade

For many students, network reliability will be the area of greatest concern.
Several of the topics in this section discuss differences in the way that
Windows NT 4.0 and Windows 2000 manage common networking services.

Supporting Remote Access Service (RAS) during an upgrade is also a
complex topic to explain because of the many different scenarios in which
an organization can find its RAS servers as an upgrade proceeds. Take the
time to thoroughly explain all the different gyrations.
Make sure you read the Group Policy documents referenced in the module.
Many students may still be confused about the function and purpose of
Group Policy.
• Maintaining Security During an Upgrade
An upgrade to Windows 2000 will have a minimal effect on user accounts,
group accounts, user profiles, and trust relationships. Students working with
sensitive information will be particularly interested in how changes to trusts
affect administrative access. Emphasize that these changes are designed to
take advantage of new Active Directory features and will likely result in
tightened security in the long term; but in migrating to the new environment,
students need to change the way they think about security administration
and implementation, and security templates.
• Determining the Impact of an Upgrade on Applications
The only way to determine the impact that an upgrade will have on an
application is to perform a test. Emphasize to students that testing
applications is just one component of the much larger domain upgrade test.
Developing a test plan is covered in more detail in module 7 “Planning to
Deploy a Migration Strategy” of course 2010A, Designing a Microsoft
Windows 2000 Migration Strategy.
• Leveraging Existing Directory Information
Many applications store user attributes that can be ported into Active
Directory. This topic focuses on Microsoft Exchange 5.5 as an example of
how an application information store can be used to facilitate migration
• Maintaining Network Performance During an Upgrade

Overview

One of your primary migration goals will be to ensure continuous network
functionality with minimal impact on business productivity. Potential benefits
of upgrading your existing Microsoft® Windows NT® 4.0 domains to Microsoft
Windows® 2000 include improved manageability, scalability, security, and
availability. Achieving these benefits while maintaining network operations
may introduce additional considerations to your basic upgrade plan.
This module explores the effects of a domain upgrade on various components
of a Windows NT 4.0 network and suggests planning steps and techniques to
reduce or eliminate interruptions during the upgrade.
At the end of this module, you will be able to:
• Examine existing network services and develop a strategy for ensuring their
reliability during an upgrade.
• Determine how a domain upgrade will modify existing security and develop
a strategy for maintaining your desired security levels during the upgrade.
• Determine in advance how server applications will behave in a Windows
2000 environment.
• Describe how the Active Directory Connector allows migration of user
attributes to the Active Directory directory service.
• Develop a strategy for regulating traffic to optimize network performance.


Maintaining Network Services During an Upgrade

• Providing Reliable DNS Services
• Providing Reliable NetBIOS Resolution Services
• Providing Reliable DHCP Server Services
• Supporting LAN Manager Replication
• Supporting Remote Access Services
• Planning for Interaction Between Group Policy and System Policies
• Migrating and Applying Logon Scripts

For many network administrators, the biggest risk during a domain upgrade will
be potential interruptions to network operations. Because an upgrade will affect
numerous network services, careful planning is necessary to ensure a smooth
transition. Important planning issues include:
• Examining how Domain Name System (DNS) data will be replicated in a
Windows 2000 network so that you can provide reliable DNS naming
services during the upgrade.
• Determining your current usage of NetBIOS names so that you can evaluate
the possibility of removing the Windows Internet Name Service after the


Providing Reliable DNS Services

Effect of an Upgrade on DNS Services
• Zones can be configured to accept SRV resource record registrations
• Resource records can be dynamically updated

Upgrading DNS Servers

DNS Upgrade Considerations
• Windows 2000 DNS and Windows NT 4.0 DNS must be managed with their own
DNS management tools
• Active Directory-integrated zones cannot be replicated between domains
• Windows 2000 DNS servers can be master servers for Windows NT 4.0 DNS
servers

Windows 2000 depends on DNS as a locator service for its clients to find
important Windows 2000 services. During an upgrade to Windows 2000, it is
essential to migrate the Windows NT 4.0 DNS service to Windows 2000 as
quickly as possible to provide the required support for SRV resource records.
These are used to locate network servers hosting Lightweight Directory Access
Protocol (LDAP) or Kerberos authentication.

Delivery Tip
Remind students that Active Directory integrated zones can only be
implemented on domain controllers. If DNS is installed on a member server, it
can only be a primary or secondary DNS server.

Emphasize that Active Directory integrated zones are recommended for any
DNS domains that will contain Active Directory–related resource records.

Key Points
If at least one DNS server is not upgraded to Windows 2000, SRV records
required by Active Directory must be manually added.

• Install a new Windows 2000 server and configure it as the secondary DNS
server for the existing zone. After the zone transfer has taken place, reverse
the roles so that the Windows 2000 DNS server is the primary DNS server


Providing Reliable NetBIOS Resolution Services

Effect of an Upgrade on NetBIOS Resolution Services
• No effect on NetBIOS resolution or the WINS service that supports
resolution

Removal of the Windows Internet Name Service
• If all computers and applications in Windows 2000 function without using
NetBIOS naming services

Determining the Need for WINS
• Run Performance console for a Windows Internet Name Service server and
examine the counters:
  Total Number of Registrations/Sec
  Queries/Sec
  Successful Queries/Sec

NetBIOS names are used to uniquely identify networking clients and resources.
Windows NT 4.0 uses the Windows Internet Name Service to support NetBIOS
name resolution. Although the Windows Internet Name Service is unnecessary

pure Windows 2000 environment. However, during a domain upgrade you will
still need its services.

Key Points
Upgrading a Windows NT 4.0 WINS server to Windows 2000 does not affect the
service or its configurations.

Planning to remove WINS is the primary planning issue.

Emphasize that if NetBIOS is no longer required on the network, NetBIOS name
resolution requests must not be sent to the Windows Internet Name Service
server (only registrations and releases).

If you no longer need NetBIOS resolution services on your network, keeping
the Windows Internet Name Service will burden your network with
unnecessary network traffic related to WINS replication and NetBIOS name

Counter: Total Number of Registrations/Sec
Description: Windows Internet Name Service server.

Counter: Queries/Sec
Description: Rate at which the Windows Internet Name Service server receives
NetBIOS queries.
Interpretation: A zero value indicates that NetBIOS name resolution is no
longer taking place. A value greater than zero might indicate the continued
need for the Windows Internet Name Service.

Counter: Successful Queries/Sec
Description: Rate at which the Windows Internet Name Service server
successfully resolves NetBIOS queries.
Interpretation: A zero value indicates that NetBIOS names are not being
resolved successfully. Compare this to Queries/Sec. If both are zero, NetBIOS
names are not being resolved through this Windows Internet Name Service
server. If queries are taking place but there are few successful queries, then
NetBIOS name resolution is taking place. However, the necessary servers
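The three counters above give a decision rule rather than a single threshold. The Python script below is an added example, not part of the course materials, that applies the table's interpretation rules to a window of constructed Performance console samples instead of one reading, so that a momentarily quiet WINS server is not mistaken for one that is no longer used for resolution. The WinsSample field names, the verdict labels and the sample values are this example's own.

```python
"""Decision helper for the three WINS counters the slide names.

Added example, not from the course materials. It applies the interpretation
rules from the counter table to a window of Performance console samples
instead of a single reading. Counter names follow the slide; the sample
values and the verdict labels are this example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class WinsSample:
    registrations_per_sec: float        # Total Number of Registrations/Sec
    queries_per_sec: float              # Queries/Sec
    successful_queries_per_sec: float   # Successful Queries/Sec


def assess_wins(samples, low_success_ratio=0.5):
    """Return (verdict, detail) for a series of WinsSample readings.

    no-resolution       no queries in the window: names are not resolved
                        through this server (registrations and releases
                        alone do not mean clients still resolve names here)
    resolution-failing  queries arrive but few succeed: clients still ask for
                        NetBIOS names whose owners are not registered here
    resolution-active   queries arrive and mostly succeed: WINS still needed
    """
    if not samples:
        raise ValueError("need at least one sample")
    queries = sum(s.queries_per_sec for s in samples)
    successes = sum(s.successful_queries_per_sec for s in samples)
    registrations = sum(s.registrations_per_sec for s in samples)
    if successes > queries:
        raise ValueError("successful queries cannot exceed queries")
    if queries == 0:
        detail = "no NetBIOS queries over the window"
        if registrations > 0:
            detail += "; clients still send registrations and releases"
        return "no-resolution", detail
    ratio = successes / queries
    if ratio < low_success_ratio:
        return "resolution-failing", f"success ratio {ratio:.2f}: queries made but few resolved"
    return "resolution-active", f"success ratio {ratio:.2f}: NetBIOS names still in use"


# Constructed sample windows (one reading per sampling interval).
QUIET = [WinsSample(0.0, 0.0, 0.0)] * 4
REGISTRATIONS_ONLY = [WinsSample(2.0, 0.0, 0.0), WinsSample(1.5, 0.0, 0.0)]
FAILING = [WinsSample(1.0, 8.0, 1.0), WinsSample(1.0, 6.0, 0.0)]
ACTIVE = [WinsSample(3.0, 20.0, 19.0), WinsSample(2.0, 18.0, 17.0)]

if __name__ == "__main__":
    for name, window in [("quiet", QUIET), ("registrations only", REGISTRATIONS_ONLY),
                         ("failing", FAILING), ("active", ACTIVE)]:
        verdict, detail = assess_wins(window)
        print(f"{name}: {verdict} ({detail})")
```

Summing over the window rather than judging each reading separately is deliberate: the decision to retire WINS is taken once, so the evidence should cover a representative period, and a "registrations only" result matches the instructor note that a server which still receives registrations and releases but no queries is no longer doing resolution.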

Providing Reliable DHCP Server Services

(slide figure: organizational-unit diagram; labels OU and 1 through 4)

Active Directory requires that the TCP/IP protocol be implemented on the
network. Using DHCP, clients can be automatically configured with TCP/IP
addresses and TCP/IP configuration. A Windows NT 4.0 DHCP server can
provide its services to Windows 2000 and downlevel clients and servers
configured for dynamic address assignment.
The Effect of an Upgrade on DHCP Servers
Dynamically assigned IP addresses will not be distributed during a DHCP
server upgrade. When a Windows NT 4.0 Server is upgraded, the DHCP server
database will be automatically converted to a newer Jet database version. Until
the conversion is complete, DHCP will temporarily register errors in the

A DHCP server will fail to renew leases or provide its services during upgrade.

Backup for DHCP services must be provided while the servers are being
upgraded.

Upgraded DHCP servers must be authorized in Active Directory after upgrade.

Delivery Tip
Use the slide to explain what happens when a DHCP server is upgraded and the
steps that must be added to an upgrade plan to ensure that the DHCP server
provides reliable service during a domain upgrade.

Supporting LAN Manager Replication

Effect of an Upgrade on Replication Services
• LAN Manager replication service is removed from the upgraded

master fashion to all other domain controllers in the domain. Only domain
controllers can host the SYSVOL.
The Effect of an Upgrade on Replication Services
A non-upgraded export server will continue to replicate the contents of its
export directories to non-upgraded import servers. As Windows NT 4.0 domain
controllers are upgraded, the LAN Manager replication service is removed.
When the last Windows NT computer is upgraded to Windows 2000, the LAN
Manager replication service will be fully removed from the domain.
Maintaining LAN Manager replication remains important while Windows NT
4.0 domain controllers, configured to provide logon scripts and System
Policies, are present in the domain and are authenticating clients.
Slide Objective
To maintain NTLM protocol replication functionality after the Windows 2000
File Replication service is implemented.

Lead-in
Because Windows 2000 does not support LAN Manager replication, you need to
develop a strategy for coexisting with the File Replication service.

Delivery Tip
Make sure students are not confused by LAN Manager replication, FRS, and
multi-master replication.

clients reliably receive required logon scripts and System Policies, regardless of
the version of the operating system running on the authenticating domain
controller. Integrating the two services will also ensure that updates made to
these files are propagated to all domain controllers in the domain.
To reliably provide logon scripts and System Policies to clients in a domain that
is being upgraded, it is important that an upgrade plan define the following
steps to integrate the LAN Manager replication service and FRS:
• Identify all Windows NT 4.0 export and import servers.
  If the export server is the PDC, move the export services to another
  computer. This allows the PDC to be upgraded and allows LAN Manager
  replication to continue to replicate scripts and policies for the non-upgraded
  backup domain controllers (BDCs) remaining in the domain.

  If the export server is a BDC, ensure that it is upgraded last so
  that you do not have to redefine the export server for LAN Manager
  replication.

• Create a bridge between the Windows NT 4.0 scripts directory and the
Windows 2000 NETLOGON share.
The Windows 2000 Resource Kit contains a script file named lbridge.cmd
that is used to keep the NETLOGON share in Windows 2000 synchronized
with the Windows NT 4.0 export server. Files are copied from the Windows
2000 NETLOGON share to the Windows NT 4.0 export directory structure.
They are not copied in the reverse direction. The contents of the Windows
NT 4.0 export directory will be replaced by the contents in the Windows
2000 NETLOGON share.

Make Windows NT 4.0 administrators aware of this change
because they cannot continue to update logon scripts and System Policies at
the Windows NT 4.0 export server.

The lbridge.cmd script can be configured to use either xcopy or another
Windows 2000 Resource Kit utility called robocopy. Robocopy is preferred
because it is also able to determine whether files have been deleted in the
source folder. This allows scripts that have been deleted in the source to also
be deleted in the target folder.
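To make the one-way nature of the bridge concrete, the Python script below is an added example, not the Resource Kit's lbridge.cmd, that performs the same kind of NETLOGON-to-export copy in two modes: an xcopy-style pass that only adds and overwrites files, and a robocopy-style mirror pass that also deletes files removed from the source. The directory layout, script files and function names are constructed for the example and are not from the course materials.

```python
"""One-way bridge from a Windows 2000 NETLOGON share to a Windows NT 4.0
export directory, in the spirit of the Resource Kit's lbridge.cmd.

Added example, not the Resource Kit script. It contrasts an xcopy-style pass
(copy new and changed files only) with a robocopy-style mirror pass (also
delete files that no longer exist in the source). Files are only ever copied
from NETLOGON to the export directory, never back. All paths and script
contents are constructed in a temporary directory.
"""
import filecmp
import os
import shutil
import tempfile


def relative_files(root):
    """Every file under root as a relative path using '/' separators."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            found.add(os.path.relpath(full, root).replace(os.sep, "/"))
    return found


def bridge(source, target, mirror):
    """Copy files that are new or changed in source into target. With
    mirror=True also remove target files absent from source. Returns the
    sets (copied, deleted) of relative paths."""
    src_files = relative_files(source)
    dst_files = relative_files(target)
    copied, deleted = set(), set()
    for rel in sorted(src_files):
        src = os.path.join(source, rel)
        dst = os.path.join(target, rel)
        # Compare contents, not just timestamps, before overwriting.
        if not os.path.exists(dst) or not filecmp.cmp(src, dst, shallow=False):
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            copied.add(rel)
    if mirror:
        for rel in sorted(dst_files - src_files):
            os.remove(os.path.join(target, rel))
            deleted.add(rel)
    return copied, deleted


def write_files(root, files):
    """Create the constructed files {relative path: text} under root."""
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write(body)


def demo():
    """Constructed scenario: in NETLOGON one script was edited, one added and
    one deleted since the last bridge run. Runs an xcopy-style pass, then a
    mirror pass, and returns their results plus the final export contents."""
    with tempfile.TemporaryDirectory() as tmp:
        netlogon = os.path.join(tmp, "netlogon")
        export = os.path.join(tmp, "export", "scripts")
        write_files(netlogon, {
            "logon.bat": "net use h: \\\\srv\\home\n",      # edited
            "ntconfig.pol": "policy-v2",                    # unchanged
            "new.vbs": "' new script\n",                    # added
        })
        write_files(export, {
            "logon.bat": "net use h: \\\\old\\home\n",
            "ntconfig.pol": "policy-v2",
            "retired.bat": "echo gone\n",                   # deleted in NETLOGON
        })
        xcopy_like = bridge(netlogon, export, mirror=False)
        robocopy_like = bridge(netlogon, export, mirror=True)
        return xcopy_like, robocopy_like, relative_files(export)


if __name__ == "__main__":
    first, second, final = demo()
    print("xcopy-style pass copied", sorted(first[0]), "deleted", sorted(first[1]))
    print("mirror pass copied", sorted(second[0]), "deleted", sorted(second[1]))
    print("export now holds", sorted(final))
```

The first pass leaves retired.bat behind on the export server, which is exactly the stale-script problem the note attributes to xcopy; the mirror pass removes it. In either mode an edit made on the Windows NT 4.0 export server is overwritten on the next run, which is why the text asks that NT 4.0 administrators be told to stop updating scripts there.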
Supporting Remote Access Services

Effect of an Upgrade on Routing and Remote Access
• Active Directory does not accept querying of object attributes through NULL
sessions
• Windows NT 4.0 RAS and RRAS servers require NULL access to user dial-in
properties from Active Directory

Providing Reliable Remote Access During Upgrade

In this scenario, there is no way to guarantee that the member
server will contact a Windows NT 4.0 BDC, as opposed to a Windows 2000
domain controller, to determine dial-in properties.

Slide Objective
To determine a strategy for planning support for remote access services during
the upgrade process.

Lead-in
In general, it is a good idea to upgrade the Routing and Remote Access servers
early in the upgrade process.

Key Points
Emphasize that RAS and RRAS services are unaffected when upgraded. However,
if downlevel remote access servers are present in a Windows 2000 environment,
the success of RAS connectivity could be intermittent.

Describe how RAS and RRAS use the LocalSystem account and the problems this
creates in a Windows 2000 domain.

To allow a Windows NT 4.0 RAS or RRAS server to reliably retrieve user
properties when operating in a mixed Active Directory environment, your
upgrade plan must include provisions for the following:
• In a mixed- or native-mode Windows 2000 domain, grant the built-in
account, Everyone, permission to read user object attributes. This can be
accomplished in one of the following two ways:
  When upgrading the first domain controller, select Permission
  compatible with pre-Windows 2000 server when configuring the
  Active Directory Installation wizard. This adds the Everyone account to
  the Pre-Windows 2000 Compatible Access local group.

  If the first domain controller has already been upgraded, manually add
  the Everyone account to the Pre-Windows 2000 Compatible Access
  local group with the command:
  net localgroup "Pre-Windows 2000 Compatible Access" Everyone /add

Using the Everyone group workaround has the effect of relaxing domain
security and should be used only after understanding its impact on Active
Directory security. After all remote access servers have been upgraded to
Windows 2000, you can strengthen permissions by removing the Everyone group
from the membership list of the Pre-Windows 2000 Compatible Access group.

• Upgrade all Windows NT 4.0 RAS and RRAS servers as soon as possible.

Because most companies have multiple remote access servers, it may be
difficult to upgrade them at the same time in a way that avoids relaxing domain
security.

Planning for Interaction Between Group Policy and System Policies

Effect of an Upgrade on System Policies
• If Windows 2000 clients are authenticated by a Windows 2000 domain
controller, group policy is applied
• If Windows 2000 clients are authenticated by a Windows NT 4.0 domain
controller, system policies are applied
• Windows NT 4.0 clients can receive only system policies

Policy Upgrade Considerations
• Determine the most appropriate method for migrating Windows NT 4.0
System Policy settings

applied to downlevel Windows clients, do not automatically migrate to
Windows 2000.

Policy Upgrade Considerations
When planning for policy application, include the following decision points in
your upgrade plan:
• Determine the most appropriate method for migrating Windows NT 4.0
System Policy settings. Options include migrating the current settings using
the gpolmig.exe resource kit utility, or processing both System Policy and
Group Policy in a mixed environment. In addition, all System Policies
persist in the registry because they are not written to the \Software\Policies
tree. This occurs because any policies outside of the \Software\Policies tree
are not removed when a user logs off from the network.
• After all client computers have been migrated to Windows 2000, Windows
NT 4.0 System Policies can be removed from the network by deleting the
Ntconfig.pol file from the NETLOGON share of a Windows 2000 domain
controller. FRS will ensure that the file is deleted from all other domain
controllers in the domain.

Migrating and Applying Logon Scripts

(slide figure: script types Logon, Logoff)

prompt is displayed.
• Shutdown. Applied when the computer is shut down, after the user has
logged off from the computer.

Slide Objective
To determine a strategy for transitioning from Windows NT 4.0 logon scripts to
Windows 2000 Group Policy.

Lead-in
User-based logon scripts stored on Windows NT 4.0 domain controllers are
unaffected when the server is upgraded.

Key Points
Logon scripts are not affected when a domain controller is upgraded.

An upgraded Windows 2000 domain controller can apply logon scripts in the
NETLOGON share to any client.

An upgraded Windows 2000 domain controller can apply a variety of scripts
defined in

Maintaining Security During an Upgrade

• Migrating Resource Access Components
• Migrating Trust Relationships
• Planning for Security Policy Application
• How User Profiles Are Affected by Domain Upgrade
• Client Support

An upgrade to Windows 2000 will affect virtually every aspect of a network’s
security infrastructure. User accounts, group accounts, trust relationships, and
security templates are all altered or reorganized to take advantage of new
Active Directory features.
Slide Objective
To determine a comprehensive strategy for maintaining security during a
domain upgrade.

Lead-in
A domain upgrade strategy should include maintaining current security levels
during the upgrade process.

upgrade:
• Security identifiers (SIDs). All user and group SIDs are maintained during
the domain upgrade. A primary SID will change only when an account is
moved between domains during a restructure, or if a security principal is
deleted and recreated with the same name.
• Group Membership. User accounts retain the same group membership
attributes after a domain upgrade.
• Share permissions and NTFS file system permissions. During a domain
upgrade, all NTFS and share permissions will be maintained with the same
groups and users referenced within the DACL.
• Registry permissions. All registry permissions are maintained during the
domain upgrade.
• Trust relationships. Upgraded domain controllers continue to recognize any
trusts that exist with other downlevel Windows NT domains.

Slide Objective
To describe how Windows 2000 handles resource access during a domain
upgrade.

Lead-in
A Windows 2000 domain upgrade should not affect resource access.

Migrating Trust Relationships

(slide figure: Windows NT Domains, upgraded to Active Directory Domains)

In Windows 2000, trusts are, by default, two-way and transitive in nature. As
you upgrade domains to join the forest, one-way trust relationships in Windows
NT 4.0 domains are automatically reinterpreted and implemented as Windows
2000 trusts. Some one-way trusts become two-way transitive trusts in the new
environment. Others are redefined as shortcut trusts, depending on the order in
which the domains are upgraded and the domain parent-child relationships in
the Active Directory domain hierarchy.
The Effect of an Upgrade on Trust Relationships
No additional steps are required to migrate trust relationships. Each domain that
is upgraded as a child domain will establish a two-way transitive trust between
itself and its parent domain. Domains upgraded as roots of separate trees will
also be linked by a two-way transitive trust. Existing one-way trusts that do not
map to default Windows 2000 trust relationships are maintained, but
reinterpreted as shortcut trusts.

Shortcut trusts can be deleted; however, the default transitive trust
relationships established between domains in a forest cannot. For information
on using shortcut trusts to improve network performance, see Chapter 9 of the
Windows 2000 Server Deployment Planning Guide, “Designing the Active
Directory Structure,” on the Student Materials compact disc.

as a shortcut trust in Windows 2000. This is because this trust relationship is
not one of the default forest trusts, but did exist in Windows NT 4.0 to help
authentication performance.

Protecting Resource Security
In Windows NT 4.0 domains, one-way trust relationships prevent user accounts
and groups in resource domains from being added to DACLs for resources
located in account domains.
With the upgrade to Windows 2000, migrated one-way trust relationships will
translate to two-way trust relationships. When a Windows NT 4.0 domain
model is upgraded, transitive trusts allow users and groups from any domain to
be recognized by any member computer in the forest and included in groups or
DACLs.
While this will not affect the previous security assignments, this does allow
users and groups to be assigned access to resources that were not possible with
just the one-way trust relationship. You can take the following steps to prevent
any security assignments from changing:
• Audit memberships in all administrative groups to ensure that new accounts
have not been added to the memberships. If membership in administrative
groups is maintained, this should prevent any users without administrative
privileges from suddenly gaining these privileges.
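To make the trust reinterpretation and the audit step concrete, the Python model below is an added example, not part of the course materials. It classifies each constructed Windows NT 4.0 one-way trust as subsumed by a default parent-child or tree-root trust or reinterpreted as a shortcut trust, lists the (resource domain, account domain) pairs that become referenceable in a DACL only after the upgrade, and compares two constructed snapshots of administrative group membership, flagging added members from domains that the group's domain did not trust before. Domain names, trusts, groups, accounts and function names are all constructed for the example.

```python
"""Trust reinterpretation and administrative-group audit for a Windows NT 4.0
to Windows 2000 upgrade.

Added example, not from the course materials. The forest layout, the NT 4.0
trust list and the group membership snapshots are constructed.
"""

# Constructed Active Directory hierarchy after the upgrade: child -> parent.
# Tree roots map to None; both tree roots belong to the same forest.
PARENT = {
    "corp.example.com": None,                         # forest root
    "sales.corp.example.com": "corp.example.com",
    "eng.corp.example.com": "corp.example.com",
    "partner.example.net": None,                      # root of a second tree
}

# Constructed Windows NT 4.0 one-way trusts as (trusting, trusted) pairs:
# the trusting (resource) domain accepts accounts from the trusted domain.
NT_TRUSTS = [
    ("sales.corp.example.com", "corp.example.com"),
    ("eng.corp.example.com", "corp.example.com"),
    ("sales.corp.example.com", "eng.corp.example.com"),
    ("partner.example.net", "corp.example.com"),
]


def classify_trusts(nt_trusts, parent=PARENT):
    """Map each NT one-way trust to the Windows 2000 relationship it becomes:
    'parent-child' or 'tree-root' when a default two-way transitive trust
    already links the pair, otherwise 'shortcut'."""
    result = {}
    for trusting, trusted in nt_trusts:
        if parent[trusting] == trusted or parent[trusted] == trusting:
            result[(trusting, trusted)] = "parent-child"
        elif parent[trusting] is None and parent[trusted] is None:
            result[(trusting, trusted)] = "tree-root"
        else:
            result[(trusting, trusted)] = "shortcut"
    return result


def nt_can_reference(resource_domain, account_domain, nt_trusts=NT_TRUSTS):
    """Under NT 4.0 a DACL in resource_domain can name principals only from
    its own domain or from a domain it trusts directly."""
    return (resource_domain == account_domain
            or (resource_domain, account_domain) in set(nt_trusts))


def newly_referenceable(nt_trusts=NT_TRUSTS, parent=PARENT):
    """(resource domain, account domain) pairs that the transitive two-way
    forest trusts allow in a DACL but the old one-way trusts did not."""
    return sorted(
        (res, acct)
        for res in parent
        for acct in parent
        if not nt_can_reference(res, acct, nt_trusts)
    )


def audit_admin_groups(before, after, nt_trusts=NT_TRUSTS):
    """Compare two snapshots {group: {member, ...}} taken before and after
    the upgrade. Names use the form 'domain\\name'. Returns one tuple per
    added member: (group, member, crosses_old_trust_boundary)."""
    findings = []
    for group, members in after.items():
        group_domain = group.split("\\", 1)[0]
        for member in sorted(members - before.get(group, set())):
            member_domain = member.split("\\", 1)[0]
            crosses = not nt_can_reference(group_domain, member_domain, nt_trusts)
            findings.append((group, member, crosses))
    return findings


if __name__ == "__main__":
    for pair, kind in classify_trusts(NT_TRUSTS).items():
        print(f"{pair[0]} -> {pair[1]}: {kind}")
    print(f"{len(newly_referenceable())} domain pairs newly referenceable in DACLs")
    before = {"corp.example.com\\Domain Admins": {"corp.example.com\\alice"}}
    after = {"corp.example.com\\Domain Admins":
             {"corp.example.com\\alice", "sales.corp.example.com\\bob"}}
    for group, member, crosses in audit_admin_groups(before, after):
        note = " (access not possible under the old one-way trust)" if crosses else ""
        print(f"added to {group}: {member}{note}")
```

The audit deliberately keeps the Windows NT 4.0 trust list as its reference: an account added from a domain the group's domain never trusted is precisely the kind of membership change the text says one-way trusts used to make impossible, so those findings are the ones to review first.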

