by Marcin Policht
Microsoft stresses that planning for a Windows 2000 deployment is critical.
Take this advice seriously, since the implications of a bad design can be
serious. Here are a couple of points to keep in mind:
1. There is no direct way to form a forest from two independently
created Windows 2000 domains.
Joining a domain to an existing forest (or creating a new forest) is
possible ONLY while promoting the first domain controller of that domain,
which is the same step that creates the domain. Once the domain exists,
it is firmly placed in the forest hierarchy and cannot be re-parented.
This introduces a problem
during mergers or acquisitions (rather common these days) if both parties have
already established Windows 2000 infrastructure. Having two or more separate
forests prevents creation of transitive trust relationships between them;
instead, NT 4.0-style, non-transitive ones have to be used.
This can serve as another argument for keeping the number of domains small
(it is recommended to use Organizational Units in place of NT 4.0 resource
domains), since fewer domains mean fewer inter-forest, non-transitive trust
relationships to create and maintain. A couple of Resource Kit utilities can
be helpful: NetDom.exe for trust relationship management, and
ClonePrincipal.exe in case you feel adventurous enough to consider migrating
accounts from one forest to another.
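The following batch script is an added example, not part of the original article, showing how the NT 4.0-style trust described above is created and checked with NetDom.exe. The domain names (corp.contoso.com holding the resources, hq.fabrikam.com holding the accounts) and the Administrator account names are assumptions for illustration; the script must be run from a Windows 2000 machine that has netdom.exe installed and can resolve both domains.

```batch
@echo off
rem Added example, not from the original article. Assumed names: the resource
rem domain corp.contoso.com (forest A) must trust the account domain
rem hq.fabrikam.com (forest B) after a merger. Both forests already exist,
rem so only a non-transitive, NT 4.0-style trust is possible between them.

set TRUSTING=corp.contoso.com
set TRUSTED=hq.fabrikam.com

rem 1. Create a one-way trust: %TRUSTING% trusts %TRUSTED%. Fabrikam accounts
rem    can then be granted access to Contoso resources, but not vice versa.
rem    Omitting /Twoway keeps the exposure in one direction only.
rem    "*" makes netdom prompt for each password instead of storing it here.
netdom trust %TRUSTING% /Domain:%TRUSTED% /Add ^
    /UserD:%TRUSTED%\Administrator /PasswordD:* ^
    /UserO:%TRUSTING%\Administrator /PasswordO:*
if errorlevel 1 goto :failed

rem 2. Verify the secure channel of the new trust; a broken or mistyped
rem    trust password shows up here rather than as a later logon failure.
netdom trust %TRUSTING% /Domain:%TRUSTED% /Verify
if errorlevel 1 goto :failed

rem 3. List every trust the resource domain now has, to confirm that no
rem    unintended (e.g. two-way) relationship was created.
netdom query /Domain:%TRUSTING% TRUST
goto :eof

:failed
echo netdom failed (exit code %errorlevel%). Check the trust password,
echo name resolution between the two forests and the accounts used.
exit /b 1
```

Because the trust is non-transitive, this script has to be repeated for every pair of domains that needs to cooperate across the forest boundary, which is the maintenance burden the paragraph above alludes to. Access to resources still depends on the ACLs in the trusting domain; the trust only makes the foreign accounts eligible to appear in them.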
2. There is no support for directly moving domains between forests.
If there were, the dilemma from the previous item could be easily resolved.
ClonePrincipal.exe from the Resource Kit provides some help, but the
migration process remains very painful. In addition, a domain that still has
child domains cannot be removed at all.
3. There is no support for renaming domains.
You can, however, create another domain in your Active Directory tree with
the name you intended, move users, groups, and Organizational Units into it
(using the Resource Kit Movetree.exe utility; computer accounts are moved
with NetDom.exe instead), and delete the old domain (but ONLY if it has no
child domains).
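The following batch script is an added example, not part of the original article, of the "rename by moving" procedure above within one forest. The domain controllers dc1.oldname.contoso.com and dc2.newname.contoso.com, the Sales OU and the workstation WS01 are assumed names; movetree.exe and netdom.exe are expected to be installed where the script runs.

```batch
@echo off
rem Added example, not from the original article. Assumed names: the old domain
rem oldname.contoso.com (DC dc1) is being replaced by newname.contoso.com
rem (DC dc2) in the same forest. The OU "Sales" with its users and groups,
rem and the workstation WS01, are moved to the new domain.

set SRCDSA=dc1.oldname.contoso.com
set DSTDSA=dc2.newname.contoso.com
set SRCDN=OU=Sales,DC=oldname,DC=contoso,DC=com
set DSTDN=OU=Sales,DC=newname,DC=contoso,DC=com

rem 1. Dry run: /check reports blocking problems (name collisions, objects
rem    MoveTree will not move) without changing anything.
movetree /check /s %SRCDSA% /d %DSTDSA% /sdn %SRCDN% /ddn %DSTDN%
if errorlevel 1 goto :failed

rem 2. Move the OU subtree. SIDs of moved principals are kept in sIDHistory,
rem    so existing ACL entries keep resolving.
movetree /start /s %SRCDSA% /d %DSTDSA% /sdn %SRCDN% /ddn %DSTDN%
if errorlevel 1 goto :failed

rem 3. MoveTree leaves computer objects behind. Move each machine account
rem    with netdom, which also re-joins the machine to the new domain and
rem    reboots it after 30 seconds. "*" prompts for the passwords.
netdom move WS01 /Domain:newname.contoso.com /OU:%DSTDN% ^
    /UserD:newname\Administrator /PasswordD:* ^
    /UserO:WS01\Administrator /PasswordO:* /Reboot:30
if errorlevel 1 goto :failed

rem 4. Only when every object is out, and the old domain has no child
rem    domains, demote its last DC with dcpromo to remove the domain.
echo Move finished. Review movetree.log and movetree.err before demoting.
goto :eof

:failed
echo Move aborted (exit code %errorlevel%). See movetree.err for details.
exit /b 1
```

Always read movetree.err after the run regardless of the exit code: objects that could not be moved are listed there and stay in the old domain, which would block the final demotion.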
4. There is no support for removing the transitive, two-way trust
relationships between domains in a forest.
By design. Fortunately, the situations where this would be desired are
relatively rare. If it were possible, you could prevent accounts from one
domain from ever being granted access to resources in another domain. Since
it is not, every domain in a forest implicitly trusts every other, and access
across domains is governed only by permissions and group membership, not by
the presence or absence of a trust.
5. There is no support for creating a new root domain in an existing forest.
By design. The first domain controller in the first domain in a forest
becomes the root. Period.
6. There is no support for directly renaming a domain controller.
This has to be done through demotion to a regular server, renaming, and
subsequent promotion.