Win2000 Deployment - Part I - Domain Planning

By ServerWatch Staff
Posted Apr 27, 2000


by Marcin Policht

Microsoft stresses that planning for a Windows 2000 deployment is critical. Take this advice seriously, since the implications of a bad design can be serious and, as the list below shows, several design decisions cannot be undone later without rebuilding. Here are a couple of points to keep in mind:

1. There is no direct way to form a forest from two independently created Windows 2000 domains.

Joining a domain to an existing forest (or creating a new forest) is possible ONLY when promoting the first domain controller of that domain, which is also the moment the domain itself is established. Once the domain is created, it is firmly placed in the forest hierarchy.

This introduces a problem during mergers or acquisitions (rather common these days) if both parties have already established a Windows 2000 infrastructure. Two or more separate forests cannot be linked by transitive trust relationships; instead, NT 4.0-style, non-transitive trusts have to be used, one per pair of domains that need to share resources.

This is another argument for keeping the number of domains small (Organizational Units should replace NT 4.0-style resource domains), since it reduces the number of inter-forest non-transitive trusts that have to be created and maintained. A couple of the Windows 2000 Support Tools (installed from the Support\Tools folder of the product CD) can be helpful: NetDom.exe for trust relationship management and ClonePrincipal in case you feel adventurous enough to consider migrating accounts from one forest to another.
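The following batch file is an added example, not part of the original article, showing how the inter-forest trust just described is created and checked with NetDom.exe. The forest root domains corp.example.com (NetBIOS name CORP) and acme.example.net (ACME) and the administrator accounts are hypothetical; run it on a member of CORP with Domain Admin credentials for both forests. Note that a trust created this way on the original Windows 2000 release performs no SID filtering (NetDom's /FilterSIDs option for this arrived in a later service pack), so an administrator of the other forest can populate sIDHistory with SIDs from yours; treat the other forest as fully trusted before you create the trust.

```batch
@echo off
REM Added example (not from the original article): create and verify a
REM two-way, non-transitive (NT 4.0-style) trust between the root domains
REM of two independent Windows 2000 forests with the NetDom Support Tool.
REM Domain and account names below are hypothetical. "*" makes NetDom
REM prompt for the password instead of taking it from the command line.
setlocal
set OURDOM=corp.example.com
set THEIRDOM=acme.example.net

REM 1. Create both directions at once (/Twoway). Without /Twoway the command
REM    has to be run once per direction, swapping the trusting and trusted
REM    domains. There is no /Transitive switch to set here: trusts between
REM    Windows 2000 forests are non-transitive, and nothing changes that.
netdom trust %OURDOM% /Domain:%THEIRDOM% /Add /Twoway ^
    /UserD:ACME\Administrator /PasswordD:* ^
    /UserO:CORP\Administrator /PasswordO:*
if errorlevel 1 goto failed

REM 2. Verify the secure channel of the trust in both directions.
netdom trust %OURDOM% /Domain:%THEIRDOM% /Verify /Twoway
if errorlevel 1 goto failed

REM 3. List every trust CORP participates in. Review this list regularly:
REM    each external trust lets accounts from the other forest be granted
REM    access to resources in yours, and trusts are easy to forget.
netdom query /Domain:%OURDOM% trust
goto end

:failed
echo Trust operation failed; check credentials and DNS/NetBIOS name resolution.
:end
endlocal
```

A one-way trust (omit /Twoway) is the least-privilege choice when only one side needs to grant access to the other's accounts; create the second direction only when there is a concrete need for it.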

2. There is no support for directly moving a domain between forests.

If there were, the dilemma from the previous item could be resolved easily. ClonePrincipal from the Support Tools provides some help, but the migration process remains very painful. In addition, a domain that still has child domains cannot be removed, so a domain tree has to be dismantled from the leaves upward.

3. There is no support for renaming domains.

You can, however, create another domain in your Active Directory tree with the name you intended, move users, groups and Organizational Units into it with the Support Tools utility Movetree.exe, re-join member computers to it with NetDom.exe (MoveTree does not handle computer accounts properly), and then delete the old domain (but ONLY once it has no child domains).
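The following batch file is an added example, not part of the original article, showing the migration step of the rename workaround above: moving the contents of one OU from the old domain into the replacement domain with MoveTree.exe, then moving a member computer with NetDom.exe. The domain names oldname.example.com and newname.example.com, the domain controller names, the OU and the workstation name are hypothetical. Run it while logged on with an account that is an administrator in both domains; MoveTree's /u and /p switches accept alternative credentials, but the password would then appear in clear text on the command line.

```batch
@echo off
REM Added example (not from the original article): move the objects of one
REM OU between two domains of the same forest with MoveTree, then move a
REM member computer with NetDom. All names below are hypothetical.
setlocal
set SRCDC=dc1.oldname.example.com
set DSTDC=dc1.newname.example.com
set SRCDN=OU=Staff,DC=oldname,DC=example,DC=com
set DSTDN=OU=Staff,DC=newname,DC=example,DC=com

REM 1. Dry run: /check reports objects that cannot be moved (for example
REM    global groups with members) without changing anything.
movetree /check /s %SRCDC% /d %DSTDC% /sdn "%SRCDN%" /ddn "%DSTDN%"
if errorlevel 1 goto failed

REM 2. Real move. /start repeats the check and then moves the subtree. Moved
REM    users and groups receive a new SID in the target domain and keep the
REM    old one in sIDHistory, so ACLs in the old domain keep working until
REM    you re-ACL the resources. Objects MoveTree cannot move are parked in
REM    the LostAndFound container of the source domain; inspect it afterwards.
movetree /start /s %SRCDC% /d %DSTDC% /sdn "%SRCDN%" /ddn "%DSTDN%" /verbose
if errorlevel 1 goto failed

REM 3. Member computers are moved with NetDom rather than MoveTree: this
REM    re-joins the machine to the new domain, creates its account in the
REM    target OU and reboots it so the change takes effect.
netdom move workstation01 /Domain:newname.example.com /OU:"%DSTDN%" ^
    /UserD:NEWNAME\Administrator /PasswordD:* ^
    /UserO:OLDNAME\Administrator /PasswordO:* /Reboot
if errorlevel 1 goto failed
goto end

:failed
echo Move failed; review the MoveTree log files and the LostAndFound container.
:end
endlocal
```

Because sIDHistory preserves the old SIDs, clean up the old domain's ACLs and remove the old domain promptly: every SID left in sIDHistory is an access path that survives the migration.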

4. There is no support for removing the transitive, two-way trust relationships between domains in a forest.

By design. Fortunately, the situations where this would be desired are relatively rare. If it were possible, you could prevent accounts from one domain from ever being granted access to resources in another domain of the same forest. Since it is not, the forest, not the domain, is the real security boundary, and any party that must be kept out of your forest's trust web needs a forest of its own.

5. There is no support for creating a new root domain in an existing forest.

By design. The first domain controller in the first domain in a forest becomes the root. Period.

6. There is no support for direct renaming of a domain controller.

This has to be done by demoting the domain controller to a regular member server (with dcpromo), renaming it, and then promoting it again; plan the name before the first promotion.
