You need to decide how you will get from where you are now, possibly a Windows NT domain(s), to Windows 2000 or Server 2003 Active Directory domain(s). The pressure and work that goes along with moving from one network operating system to another network operating system can be intense. You will be required to make many decisions during your journey.
Will you have Windows 2000 or Windows Server 2003 domain controllers?
Will you run some of each type of domain controller?
What client operating system will you run for the IT staff, executives, and other employees?
How many Active Directory domains will you end up with?
How many Active Directory forests will you end up with?
How will you get from your Windows NT domains to Windows Active Directory domains?
What tools will you use to get to your Windows Active Directory domains?
Are there any security concerns that you need to consider during your move to Windows Active Directory?
This last question is the focus of this article. It discusses the primary options for going from Windows NT domains to Windows Active Directory domains. It then talks about each of the options, focusing on the different security considerations that you need to contemplate. When you are done reading this article, you should be able to pinpoint the key security considerations that you will face along your journey.
You have two primary options for moving from Windows NT domains to Windows 2000 or Server 2003 Active Directory domains. The first option is to perform an upgrade. The second option is to perform a migration. A migration is more complex than an upgrade. With a migration, you will need to create your Active Directory domain(s) in conjunction with your Windows NT domain(s). This will require that you purchase additional hardware and server licenses.
The overall concept of the migration is to gradually move objects (user, group, and computer accounts) from Windows NT to Windows Active Directory.
An upgrade is much simpler in all aspects. With an upgrade you work with the existing Windows NT domain and domain controllers. You will take the Windows 2000 Server or Windows Server 2003 installation CD and place it in the Windows NT Primary Domain Controller. You follow the steps in the wizard and when the computer restarts, you have a Windows Active Directory domain. All of the objects that were once in the Windows NT domain have completely been retained and are immediately available in the Windows Active Directory domain.
If you choose to perform a migration, you most likely are consolidating multiple Windows NT domains into a few (hopefully one) Windows Active Directory domains. It is the method that is available for moving accounts from multiple domains into just a few domains. However, as you perform your migration, you will have unique security concerns that you need to consider during the process.
Here are some of the most prominent security concerns that you will run into.
As you migrate user accounts from NT to Active Directory, you will end up with duplicate user accounts, with one in each domain. Most tools will allow you to control the state of both of the accounts after the migration. There might be times when you want the source user account to be active, and other times when the target user account should be active.
Regardless of your decision, you need to be aware that there are two user accounts in two domains.
When you migrate a user account from NT to Active Directory, you need to consider how the new user account will continue to access resources that exist in the Windows NT domain. This new property is referred to as SIDHistory.
During a migration, the primary objects that you will migrate include user, group, and computer accounts, as well as trusts. However, the other configurations that you once had in Windows NT are not transposed to the Active Directory domain. This includes the account policy settings, which include the password min age, max age, min length, and password complexity.
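Because the account policy does not follow the accounts, it is worth comparing the two domains before users are cut over. The following is an added example, not code from the article: it parses `net accounts` output captured in the source and target domains and reports every setting that is weaker in the target. The captured text and its values are constructed sample input.

```python
import re

# Constructed `net accounts` captures (sample values, not from the article):
# SOURCE_NT is the Windows NT domain, TARGET_AD the new Active Directory domain.
SOURCE_NT = """\
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              8
Length of password history maintained:                6
Lockout threshold:                                    5
"""
TARGET_AD = """\
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
"""

# label -> (direction, value meaning "control switched off").
# direction +1: a higher number is stricter; -1: a lower number is stricter.
RULES = {
    "Minimum password age (days)": (+1, 0),
    "Maximum password age (days)": (-1, float("inf")),
    "Minimum password length": (+1, 0),
    "Length of password history maintained": (+1, 0),
    "Lockout threshold": (-1, float("inf")),
}
OFF_WORDS = {"never", "none", "unlimited"}

def parse(text):
    """Turn `net accounts` text into {label: number}, mapping Never/None/Unlimited."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s+(\S+)\s*$", line)
        if m and m.group(1) in RULES:
            label, raw = m.groups()
            policy[label] = RULES[label][1] if raw.lower() in OFF_WORDS else int(raw)
    return policy

def weaker_settings(source, target):
    """Return {label: (source_value, target_value)} where the target is weaker.
    A setting missing from the target capture is treated as switched off."""
    src, dst = parse(source), parse(target)
    findings = {}
    for label, (direction, off) in RULES.items():
        s, t = src.get(label), dst.get(label, off)
        if s is not None and direction * t < direction * s:
            findings[label] = (s, t)
    return findings
```

`net accounts` does not report password complexity, so that setting has to be compared separately.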
Derek Melber manages http://www.auditingwindows.com, the first dedicated Web site for Windows auditing and security.
http://www.windowsecurity.com/articles/Security-Concerns-Migrations-Upgrades-Windows-Active-Directory.html