Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory
Upgrading your domains from Microsoft® Windows NT® 4.0 to Windows® Server 2003 Active Directory®
directory service enables your organization to improve the security and scalability of your network
infrastructure while reducing administrative overhead. As an alternative to restructuring Windows NT 4.0
domains, the in-place upgrade is an efficient, time-saving process that minimizes the effect on the
Windows NT 4.0 production environment.
In This Chapter
Overview of Upgrading Windows NT 4.0 Domains   288
Collecting Design Information   295
Completing Pre-Upgrade Tasks   310
Upgrading Domains from Windows NT 4.0 to Windows Server 2003 Active Directory   312
Completing Post-Upgrade Tasks   349
Additional Resources   353
Related Information
• For more information about restructuring domains when upgrading from Windows NT 4.0 to
Windows Server 2003, see “Restructuring Windows NT 4.0 Domains to an Active Directory
Forest” in this book.
• For more information about the Active Directory logical structure, see "Designing the Active
Directory Logical Structure" in this book.
• For more information about Windows Server 2003 Active Directory Functional Levels, see
“Enabling Advanced Windows Server 2003 Active Directory Features” in this book.
• For more information about Active Directory site topology, see "Designing the Site Topology"
in this book.
32 Chapter 8 Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory
Overview of Upgrading Windows NT 4.0 Domains
Upgrading your Windows NT 4.0 domains to the Microsoft® Windows® Server 2003, Standard Edition and
Windows® Server 2003, Enterprise Edition operating systems enables you to simplify and reduce network
administration. Windows Server 2003 Active Directory integrates with other applications and services and
allows you to delegate administrative responsibility at the appropriate level when you have multiple
organizations existing in a single domain structure.
When you upgrade your Windows NT 4.0 domains to Windows Server 2003 Active Directory, you improve
scalability because Active Directory domains can scale to meet the needs of your organization. You also gain
new capabilities by using Group Policy, and you gain more flexibility for business units.
In addition, an in-place upgrade of Windows NT 4.0 domains to Windows Server 2003 Active Directory has
minimal effect on your Windows NT 4.0 production environment. There are fewer administrative complexities
than with restructuring your environment, such as maintaining access to shared directories, files, and
printers. Groups and group memberships are retained. You do not need to migrate local profiles, and you
retain the existing passwords and profiles for domain users.
Before planning and implementing Windows NT 4.0 in-place upgrades, ensure that your organization has
already:
• Designed the Active Directory logical structure of the forest and Domain Name System (DNS)
for your Active Directory environment.
• Designed a site topology to efficiently locate domain controllers.
• Deployed a Windows Server 2003 forest root domain if that is the upgrade path that your
organization has decided on. For more information about the paths for in-place upgrading a
Windows NT 4.0 environment, see “Upgrading Domains from Windows NT 4.0 to Windows
Server 2003 Active Directory” later in this chapter.
After completing the in-place upgrade process, you can perform an in-place upgrade for any remaining
Windows NT domains or restructure them into your new Windows Server 2003 forest. For information about
restructuring Windows NT 4.0 domains to a Windows Server 2003 forest, see "Restructuring Windows NT 4.0
Domains to an Active Directory Forest" in this book.
Note
For a list of the job aids that are available to assist you in upgrading
your Windows NT 4.0 domains to Windows Server 2003 Active
Directory, see “Additional Resources” later in this chapter.
When Windows 2000, Windows XP, and Windows Server 2003 clients are members of a Windows NT 4.0
domain, they will only use the NTLM protocol to authenticate because that is the only authentication protocol
supported by Windows NT 4.0. Windows 2000 and Windows Server 2003 domain controllers are capable of
using either the NTLM or the more secure Kerberos authentication protocol.
When performing an in-place upgrade of a Windows NT 4.0 domain to Windows Server 2003, the first domain
controller upgraded is the Windows NT 4.0 PDC. If clients in the domain running Windows 2000, Windows XP,
and Windows Server 2003 select the new Active Directory domain controller for authentication, the negotiation
of the authentication protocol will reveal that there are now domain controllers in the domain that support the
Kerberos protocol. These clients will then upgrade their secure channel to exclusively use the Kerberos protocol
for authentication requests and will no longer attempt to authenticate using the NTLM protocol, potentially
causing the new Active Directory domain controller to become overloaded with authentication requests.
To prevent Windows Server 2003–based domain controllers from being overloaded with authentication requests,
configure each Windows Server 2003–based domain controller to emulate a Windows NT 4.0–based domain
controller during the upgrade process. Configuring a newly upgraded Windows Server 2003–based domain
controller to emulate a Windows NT 4.0–based domain controller by using the NT4Emulator registry entry
shields the new domain controller from getting too many authentication requests from Active Directory clients.
Shielding the Active Directory domain controller takes place before the operating system is upgraded to
Windows Server 2003 to prevent clients running Windows 2000, Windows XP, and Windows Server 2003 from
ever establishing exclusive communications with a Windows Server 2003–based domain controller.
When upgrading additional Windows NT 4.0–based domain controllers after the PDC has been configured to
emulate a Windows NT 4.0–based domain controller, you must remember to configure the computer you are
upgrading with the NeutralizeNT4Emulator registry entry. This is so that the additional domain controller will
recognize the upgraded PDC that is emulating a Windows NT 4.0–based domain controller as an Active
Directory domain controller. If the computer is not configured to neutralize emulation, you will not be able to
install Active Directory because the additional domain controller will not be able to authenticate to an Active
Directory domain controller.
For each site in which clients are running Windows 2000, Windows XP, and Windows Server 2003, ensure that
you have enough Windows Server 2003–based domain controllers deployed in that site before removing
Windows NT 4.0 emulation.
For more information about emulating Windows NT 4.0–based domain controllers, see “Configure Protection
Against Domain Controller Overload” later in this chapter.
For more information about domain controller placement, see “Designing the Site Topology” in this book. For
more information about domain controller capacity planning and determining the number of domain controllers
needed in each site to service Active Directory clients, see “Planning Domain Controller Capacity” in this book.
Service Compatibility
In Windows NT 4.0 and earlier server operating systems, services running in the context of the Local System
account communicate with other services over the network by using null sessions (a session in which a user
name or password is not provided). In Windows 2000 and later operating systems, services running in the
context of the Local System account on the local computer use the local computer account to authenticate to
other servers. By default, Active Directory does not accept null session queries.
Of all the services that run in the context of the Local System account, Remote Access Services (RAS) is the
most prominent. You cannot use null sessions to access network resources by using NTLM authentication unless
the remote computer allows access with null credentials.
In an Active Directory environment containing both Windows NT 4.0–based and Windows Server 2003–based
domain controllers, a member server that is running Windows NT 4.0 and is configured as a RAS server cannot
retrieve information from a Windows Server 2003–based domain controller. For example, if a caller tries to dial
into your network and accesses a Windows NT 4.0 member server that is configured as a RAS server, the RAS
server must query a domain controller first to verify whether the caller has permission to dial into the network.
Therefore, RAS operates correctly only if the domain controller responding to the RAS authentication request is
a Windows NT 4.0–based BDC or the Active Directory domain has been configured to allow resources to be
accessed by using null credentials. By upgrading the operating system on Windows NT 4.0 member servers that
are configured as RAS servers to Windows Server 2003, you ensure that RAS callers are successfully
authenticated by a Windows Server 2003 Active Directory–based domain controller.
The recommended solution is to upgrade the RAS servers to Windows Server 2003. However, if this cannot be
done, the alternatives are:
• While installing Active Directory on the upgraded Windows NT 4.0 PDC, on the Permissions
page of the Active Directory Installation wizard, select Permissions compatible with pre-
Windows 2000 Server operating systems.
– or –
• Add the Everyone group and the Anonymous Logon group to the Pre-Windows 2000
Compatible Access built-in group by using Active Directory Users and Computers or the
command line.
To add the Everyone group to the Pre-Windows 2000 Compatible Access group by using the command line
• At the command line, type:
net localgroup "Pre-Windows 2000 Compatible Access" Everyone /add
Note
After this update to the Pre-Windows 2000 Compatible Access group replicates, you must restart the
Server service on all domain controllers.
Either method allows null sessions to read information out of the directory, which also means that anonymous
callers can enumerate domain users and groups; keep the setting in place only for as long as the Windows NT 4.0
RAS servers need it. After you upgrade all RAS servers, and when you no longer need backward compatibility
with operating systems earlier than Windows 2000, remove the Everyone group and the Anonymous Logon group
from the Pre-Windows 2000 Compatible Access built-in group. For more information about removing the Everyone
group and the Anonymous Logon group from the Pre-Windows 2000 Compatible Access group, see “Eliminate
Anonymous Connections to Domain Controllers” later in this chapter.
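The procedure above as an added example that is not part of the Deployment Kit: a batch script for a Windows Server 2003 domain controller that adds or removes Everyone and Anonymous Logon in the Pre-Windows 2000 Compatible Access group with the same net localgroup syntax the chapter uses for Everyone (its use for Anonymous Logon is assumed), restarts the Server service as the note requires, and has a check mode that flags the weak state. The script name and its arguments are hypothetical.

```batch
@echo off
rem Added example, not from the Deployment Kit.  Run on a Windows Server 2003
rem domain controller.  Script name and arguments are hypothetical.
rem Usage: prew2k-access.cmd enable ^| disable ^| check
setlocal
set GROUP=Pre-Windows 2000 Compatible Access
if "%1"=="enable"  goto enable
if "%1"=="disable" goto disable
if "%1"=="check"   goto check
echo usage: %0 enable ^| disable ^| check
goto end

:enable
rem Temporary compatibility setting: lets null sessions read the directory so
rem Windows NT 4.0 RAS servers (running as Local System) can check dial-in
rem permissions.  The chapter shows this syntax for Everyone; its use for
rem Anonymous Logon is assumed.
net localgroup "%GROUP%" "Everyone" /add
net localgroup "%GROUP%" "Anonymous Logon" /add
goto restart

:disable
rem Once every RAS server runs Windows Server 2003, close anonymous access again.
net localgroup "%GROUP%" "Everyone" /delete
net localgroup "%GROUP%" "Anonymous Logon" /delete
goto restart

:restart
rem The chapter requires a Server service restart on every domain controller
rem after the change has replicated.  /y also stops dependent services (Net
rem Logon among them), so they are started again here; repeat on each DC.
net stop server /y
net start server
net start netlogon
goto end

:check
rem Exit code 1 = weak state: null sessions can enumerate users and groups.
net localgroup "%GROUP%" | find /i "Everyone" > nul && goto weak
net localgroup "%GROUP%" | find /i "ANONYMOUS LOGON" > nul && goto weak
echo %GROUP%: Everyone and Anonymous Logon are not members; anonymous reads are off.
goto end

:weak
echo WARNING: %GROUP% contains Everyone or Anonymous Logon; null sessions can read the directory.
endlocal
exit /b 1

:end
endlocal
```

Run the check mode on each domain controller once the upgrade window closes; a non-zero exit code means null sessions can still enumerate the directory, which is exactly the exposure the compatibility setting was only meant to carry temporarily. The restart covers the local domain controller only; repeat it on the others after the group change has replicated.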
Clients running Windows NT 4.0 with Service Pack 3 or earlier installed do not support secure channel signing.
These clients cannot establish communications with a Windows Server 2003–based domain controller. To ensure
successful communication, upgrade these clients to a later version of the operating system or service pack. If
you cannot upgrade your clients, you must disable secure channel signing on all Windows Server 2003–based
domain controllers so that traffic passing through the secure channel is not required to be signed or encrypted.
Treat this as a temporary downgrade: it removes the signing and sealing requirement for the secure channels
those domain controllers service, not only for the Windows NT 4.0 clients, so re-enable it as soon as those
clients are upgraded or retired.
Note
Unlike SMB packet signing, secure channel signing does not affect
Windows 95 clients.
For more information about secure channel signing, see “Domain member: Digitally encrypt or sign secure
channel data (always)” in Help and Support Center for Windows Server 2003.
For more information about configuring secure channel signing on Windows Server 2003–based domain
controllers, see “Modify Security Policies” later in this chapter.
Figure 8.2 shows the steps involved in collecting the design information that will be used to upgrade
Windows NT 4.0 domains to Windows Server 2003 Active Directory.
Figure 8.2 Collecting Design Information
For more information about the effect of upgrading to Windows Server 2003 Active Directory on the RAS
service and the LMRepl service, see “Background Information for Upgrading to Windows Server 2003 Active
Directory” earlier in this chapter.
Domain controllers BOS-EAST-DC02 and WDC-EAST-DC02 do not meet the minimum memory requirements
for a Windows Server 2003–based domain controller. Therefore, Trey Research has determined that BOS-
EAST-DC02 will be used as the Windows NT 4.0 rollback server if a problem occurs during the in-place
upgrade process and WDC-EAST-DC02 will be assigned as a member server in the Windows Server 2003
forest. All other Windows NT 4.0–based domain controllers are capable of supporting Windows Server 2003
Active Directory.
Note
You can install device drivers that are not included on the Windows
Server 2003 operating system CD from the vendor’s Web site.
Create a network configuration table listing the type of network adapter that each domain controller uses. Also
include the TCP/IP configuration information for each domain controller, including IP address, subnet mask,
and default gateway. You can run the ipconfig command at the command line to determine IP address, subnet
mask, and default gateway. For more information about the ipconfig command, type ipconfig /? at the command
line.
To determine whether the network card is supported by Windows Server 2003, see the Windows Server Catalog
link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
For a worksheet to assist you in documenting your existing Windows NT 4.0 network configuration, see
“Windows NT 4.0 Network Configuration” (DSSUPNT_3.doc) or “Windows NT 4.0 Domain Controller
Documentation” (DSSUPNT_5.xls) on the Windows Server 2003 Deployment Kit companion CD (or see
“Windows NT 4.0 Network Configuration” or “Windows NT 4.0 Domain Controller Documentation” on the
Web at http://www.microsoft.com/reskit).
Figure 8.6 shows an example of a network configuration worksheet for the EAST domain for Trey Research.
Figure 8.7 Example of a Windows NT 4.0 Domain Controller Role Assignment Worksheet
For more information about restructuring Windows NT domains, see “Restructuring Windows NT 4.0 Domains
to an Active Directory Forest” in this book.
Important
All versions of Windows NT 4.0 must have Service Pack 5 or later
installed before upgrading to Windows Server 2003.
If you have computers in your environment that are running operating systems that you cannot upgrade directly
to a version of Windows Server 2003, such as Windows NT 3.51, you must do one of the following:
• If you need to retain applications that are located on those computers, upgrade the computers to
run an operating system that you can upgrade to Windows Server 2003 after verifying that those
applications will function on and are supported by Windows Server 2003.
• If you do not need to retain applications that are located on those computers, perform a clean
installation of Windows Server 2003 on those computers.
After you confirm that the Active Directory configuration is correct, you need to verify that Active Directory is
functioning correctly.
Table 8.3 lists the Active Directory functions that you need to test and the methods that you can use to perform
the tests.
Note
The first recovery method is preferred for restoring a domain to its
original state. The second recovery method should only be used if the
SAM database on all domain controllers becomes corrupt.
1. Remove (either by disconnecting the network cable or turning off) any Windows Server 2003–
based domain controllers from the domain.
2. Promote a Windows NT 4.0 BDC to become the PDC.
3. Synchronize all Windows NT 4.0–based domain controllers.
Important
You must take all Windows Server 2003–based domain controllers
offline before you promote the rollback server to become the new PDC.
If any Windows Server 2003–based domain controllers remain online in
the domain, the promotion of the BDC to a PDC will not work.
If the server hosting the export directory is the PDC, you can do one of the following:
• Promote a BDC that meets the Windows Server 2003 domain controller hardware requirements
to become the new PDC and demote the existing PDC to serve as a BDC hosting the export
server.
– or –
• Reconfigure the LMRepl export server on a BDC and remove it from the PDC.
To test the new configuration to ensure that LMRepl continues to work correctly, place an empty file on the
export server and verify that the file is replicated to the import directories during replication. Next, delete the
replicated file from the import directory, and then verify that the file is deleted during the next replication.
Note
If your organization already has a Windows 2000 or Windows
Server 2003 Active Directory infrastructure in place, complete the in-
place upgrade process by upgrading to a regional domain in an
existing forest.
To help illustrate the process for upgrading to a regional domain in an existing forest, sample
data for Trey Research is provided within the context of the tasks that must be performed.
• Upgrade to a single domain forest.
To create a new single domain forest, complete the in-place domain upgrade process by
following the steps outlined in “Upgrading to a Single Domain Forest” later in this chapter. To
help illustrate the process for upgrading to a single domain forest, sample data for a fictitious
company, Fabrikam, Inc., is provided within the context of the tasks that must be performed.
For more information about designing an Active Directory logical structure and determining what forest design
model best suits your organization, see “Designing the Active Directory Logical Structure” in this book.
Figure 8.9 shows the two paths available for upgrading domains from Windows NT 4.0 to Windows
Server 2003 Active Directory and additional tasks that all organizations must perform regardless of which
option is specified by the Active Directory design. The additional tasks, including modifying security policies,
synchronizing file replication services, recreating trusts, using DNS registration to decrease the workload on the
PDC emulator, and upgrading additional domain controllers, are performed after the PDC is upgraded.
Figure 8.9 Upgrading Domains from Windows NT 4.0 to Windows Server 2003 Active
Directory
After the in-place domain upgrade is complete, you can upgrade additional Windows NT 4.0 domains in-place
or restructure the remaining Windows NT 4.0 domains into your Windows Server 2003 Active Directory
environment. For more information about restructuring Windows NT 4 domains, see “Restructuring
Windows NT 4.0 Domains to an Active Directory Forest” in this book.
Important
Store backup media in a secure offsite location designated by and
accessible to the deployment team before you begin the upgrade
process.
Important
If you raise the forest and domain functional level to Windows
Server 2003 interim, you cannot return to the Windows 2000 mixed
domain functional level or to the Windows 2000 forest functional level.
After you raise the functional level to Windows Server 2003 interim, the
environment only supports Windows NT 4.0– and Windows
Server 2003–based domain controllers. You can no longer add
Windows 2000–based domain controllers into this environment.
You cannot use Active Directory administrative consoles to raise the forest functional level to Windows
Server 2003 interim. Instead, use a Lightweight Directory Access Protocol (LDAP) application such as
ADSI Edit or LDP in Windows Support Tools to edit the value of the msDS-Behavior-Version attribute. You
must be a member of the Enterprise Admins group to raise the forest functional level, and you must do this on
the domain controller that holds the schema master role.
To raise the forest functional level to Windows Server 2003 interim by using ADSI
Edit
1. In ADSI Edit, expand the Configuration partition, and then expand
CN=Configuration,DC=forestname,DC=domainname,DC=com.
2. Right-click CN=Partitions, and then click Properties.
3. Select the msDS-Behavior-Version attribute, and then click Edit.
4. In the Value field, type 1 to raise the forest functional level to Windows Server 2003 interim,
and then click OK.
For more information about raising functional levels, see “Enabling Advanced Windows Server 2003 Active
Directory Features” in this book.
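The same change made without ADSI Edit, as an added example that is not from the Deployment Kit: a batch script for a Windows Server 2003 domain controller with Windows Support Tools that uses ldifde to look for Windows 2000 domain controllers first (the interim level does not allow them), reads the current msDS-Behavior-Version, imports the modify operation against the schema master, and reads the value back. The script name, its arguments and the temporary file names are hypothetical, and the Windows 2000 check covers one domain per run.

```batch
@echo off
rem Added example, not from the Deployment Kit.  Script name, arguments and
rem temp file names are hypothetical.  Needs ldifde (Windows Support Tools),
rem an Enterprise Admins logon, and the schema master as target.
rem Usage: raise-interim.cmd SchemaMasterHost "DC=forest,DC=com"
setlocal
set SCHEMAMASTER=%~1
set FORESTDN=%~2
set PARTITIONS=CN=Partitions,CN=Configuration,%FORESTDN%
if "%~2"=="" (echo usage: %0 SchemaMasterHost "DC=forest,DC=com" & goto end)

rem 1. Interim supports only NT 4.0 and Windows Server 2003 DCs: look for
rem    Windows 2000 DCs (SERVER_TRUST_ACCOUNT, bit 0x2000 of userAccountControl)
rem    in this domain.  Repeat with each domain's DN to cover the whole forest.
if exist "%TEMP%\w2kdcs.ldf" del "%TEMP%\w2kdcs.ldf"
ldifde -s %SCHEMAMASTER% -d "%FORESTDN%" -r "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192)(operatingSystem=Windows 2000*))" -l dNSHostName,operatingSystem -f "%TEMP%\w2kdcs.ldf" > nul
if exist "%TEMP%\w2kdcs.ldf" find "dn: " "%TEMP%\w2kdcs.ldf" > nul && goto w2kfound

rem 2. Current level: msDS-Behavior-Version 0 = Windows 2000, 1 = Windows
rem    Server 2003 interim, 2 = Windows Server 2003.
ldifde -s %SCHEMAMASTER% -d "%PARTITIONS%" -p base -l msDS-Behavior-Version -f "%TEMP%\level.ldf" > nul
find "msDS-Behavior-Version" "%TEMP%\level.ldf"

rem 3. The modify operation.  One way only: there is no return to Windows 2000
rem    mixed or native after interim.
> "%TEMP%\raise-interim.ldf" echo dn: %PARTITIONS%
>>"%TEMP%\raise-interim.ldf" echo changetype: modify
>>"%TEMP%\raise-interim.ldf" echo replace: msDS-Behavior-Version
>>"%TEMP%\raise-interim.ldf" echo msDS-Behavior-Version: 1
>>"%TEMP%\raise-interim.ldf" echo -
ldifde -i -s %SCHEMAMASTER% -f "%TEMP%\raise-interim.ldf"
if errorlevel 1 (echo Import failed; the forest functional level is unchanged. & goto end)

rem 4. Read it back from the schema master; replication carries it to the rest.
ldifde -s %SCHEMAMASTER% -d "%PARTITIONS%" -p base -l msDS-Behavior-Version -f "%TEMP%\level.ldf" > nul
find "msDS-Behavior-Version: 1" "%TEMP%\level.ldf" > nul && echo Forest functional level is now Windows Server 2003 interim.
goto end

:w2kfound
echo Windows 2000 domain controllers found; the interim level is not allowed:
type "%TEMP%\w2kdcs.ldf"

:end
endlocal
```

The pre-check is the part worth keeping even if you raise the level in ADSI Edit: once the value is 1, a Windows 2000 domain controller can no longer be added, so any that still exist have to be found before the change, not after.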
Note
After removing the NT4Emulator registry entry, Windows 2000,
Windows XP, and Windows Server 2003 clients will not immediately
begin to use the Kerberos authentication protocol. This will be delayed
until each client resets its secure channel or is restarted.
If no Windows 2000, Windows XP, or Windows Server 2003 clients are running in a particular site, or if a
Windows Server 2003–based domain controller has the capacity to support the number of clients that are present
in the site, you do not need this configuration.
Caution
The registry editor bypasses standard safeguards, allowing settings
that can damage your system, or even require you to reinstall
Windows. If you must edit the registry, back it up first and see the
Registry Reference on the Windows Server 2003 Deployment Kit
companion CD or on the Web at http://www.microsoft.com/reskit.
After you protect the PDC from becoming overloaded, you must be sure to neutralize the emulation on any
additional domain controllers you upgrade. Additional domain controllers in the same domain must be able to
contact an Active Directory domain controller in their domain for the Active Directory installation to succeed.
On Windows NT 4.0 BDCs, setting the NT4Emulator registry entry before the operating system upgrade will
protect the domain controller from overload. Setting the NeutralizeNT4Emulator registry entry immediately
afterward allows the BDC to contact an Active Directory domain controller that has the NT4Emulator registry
entry set and successfully install Active Directory. For more information about neutralizing Windows NT 4.0
emulation, see “Neutralize Windows NT 4.0 Domain Controller Emulation” later in this chapter.
After you upgrade all domain controllers, or you have enough Windows Server 2003–based domain controllers
to authenticate the clients in your domain that are running Windows 2000, Windows XP, and Windows
Server 2003, you can reverse this configuration by editing the registry again and removing the NT4Emulator
registry entry.
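The registry changes that this section and the Service Compatibility discussion earlier in the overview describe, as an added example that is not from the Deployment Kit: a batch script that writes the values with regedit /s, which exists on Windows NT 4.0 as well as on Windows Server 2003, so the same script runs on a PDC or BDC before its operating system is upgraded. It assumes the Netlogon Parameters key that Microsoft documents for NT4Emulator, NeutralizeNT4Emulator and RequireSignOrSeal (the registry form of the "Domain member: Digitally encrypt or sign secure channel data (always)" policy); the script name and its arguments are hypothetical.

```batch
@echo off
rem Added example, not from the Deployment Kit.  Script name and arguments are
rem hypothetical.  Writes Netlogon parameters with regedit /s, present on
rem Windows NT 4.0, Windows 2000 and Windows Server 2003 (reg.exe is not built
rem into NT 4.0), so it runs on a PDC or BDC before its operating system upgrade.
rem Usage: netlogon-upgrade.cmd protect ^| neutralize ^| release ^| signing-off ^| signing-on ^| show
setlocal
set KEY=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
set REGFILE=%TEMP%\netlogon-%1.reg
set HAVE2=no
if "%1"=="protect"     goto protect
if "%1"=="neutralize"  goto neutralize
if "%1"=="release"     goto release
if "%1"=="signing-off" goto signingoff
if "%1"=="signing-on"  goto signingon
if "%1"=="show"        goto show
echo usage: %0 protect ^| neutralize ^| release ^| signing-off ^| signing-on ^| show
goto end

:protect
rem On the NT 4.0 PDC before its upgrade: keep emulating an NT 4.0 DC so the
rem Windows 2000/XP/2003 clients do not all move their secure channel to it.
set LINE1="NT4Emulator"=dword:00000001
goto write

:neutralize
rem On each NT 4.0 BDC before its upgrade: shield it as well, and let it see
rem the emulating PDC as an Active Directory DC so dcpromo can authenticate.
set LINE1="NT4Emulator"=dword:00000001
set LINE2="NeutralizeNT4Emulator"=dword:00000001
set HAVE2=yes
goto write

:release
rem After enough Windows Server 2003 DCs exist in each site.  Clients switch to
rem Kerberos only after their secure channel resets or they restart.
set LINE1="NT4Emulator"=-
set LINE2="NeutralizeNT4Emulator"=-
set HAVE2=yes
goto write

:signingoff
rem Only for NT 4.0 SP3-or-earlier clients that cannot be upgraded: disables
rem "Domain member: Digitally encrypt or sign secure channel data (always)".
rem A Domain Controllers GPO that enables it will reapply it; change the policy
rem rather than only the registry if this has to persist.
set LINE1="RequireSignOrSeal"=dword:00000000
goto write

:signingon
set LINE1="RequireSignOrSeal"=dword:00000001
goto write

:write
rem REGEDIT4 is the .reg format NT 4.0 understands; later versions accept it.
rem "=-" removes a value.  Redirection comes first so that "...1>>" is not
rem parsed as a handle-1 redirect.
> "%REGFILE%" echo REGEDIT4
>>"%REGFILE%" echo.
>>"%REGFILE%" echo [%KEY%]
>>"%REGFILE%" echo %LINE1%
if "%HAVE2%"=="yes" (>>"%REGFILE%" echo %LINE2%)
regedit /s "%REGFILE%"
del "%REGFILE%"
goto show

:show
rem Export the key and list the values this chapter cares about.
regedit /e "%REGFILE%" "%KEY%"
type "%REGFILE%" | find /i "Emulator"
type "%REGFILE%" | find /i "RequireSignOrSeal"
del "%REGFILE%"

:end
endlocal
```

protect goes on the PDC before its upgrade, neutralize on each BDC before its upgrade, and release once each site has enough Windows Server 2003 domain controllers; until a client resets its secure channel (nltest /sc_reset:domain on the client, or a restart) it keeps using NTLM. signing-off is the downgrade for Windows NT 4.0 SP3 clients that cannot be upgraded: it removes the signing and sealing requirement for the secure channels that domain controller services, not only for those clients, so run signing-on as soon as they are gone.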
• Configure DNS client settings by using the IP address of the closest DNS server for the
Preferred DNS server setting and either leave the Alternate DNS server setting blank or use
the IP address of the closest DNS server. These DNS client settings are temporary and will be
changed during the installation of Active Directory.
• Install Windows Support Tools, which are available in the \Support\Tools folder on the
Windows Server 2003 operating system CD.
During the operating system upgrade the computer will restart three times. After you upgrade the operating
system on a Windows NT 4.0 domain controller to Windows Server 2003, the computer is in an intermediate
state, meaning that the computer is no longer a Windows NT 4.0–based domain controller, and it is not a
Windows Server 2003–based member server or domain controller until Active Directory is installed. After the
computer restarts for the last time, the Welcome to the Active Directory Installation Wizard appears.
Note
When you are upgrading to a regional domain in an existing Active
Directory forest, ensure that the domain naming master in the forest
root domain is running Windows Server 2003 before installing Active
Directory on the newly upgraded PDC. This ensures that application
directory partitions are created on the first domain controller in the new
regional domain.
In addition, on the first domain controller in a new regional domain in an existing forest, the wizard does the
following:
• Prompts the administrator to verify the installation and configuration of the DNS Server
service.
• Configures DNS recursive name resolution forwarding by adding the IP addresses of the
existing entries for Preferred DNS server and Alternate DNS server to the list of DNS
servers on the Forwarders tab of the Properties sheet for the domain controller.
• Configures DNS recursive name resolution by root hints, by adding the root hints that are
configured on the Preferred DNS server to the list of DNS servers on the Root Hints tab of
the Properties sheet for the domain controller.
• Configures the Preferred DNS server to point to the DNS server that is running locally on the
domain controller, and configures the Alternate DNS server to point to the closest DNS server.
• Creates the DomainDnsZones application directory partition that is used by DNS to hold
domain-wide DNS data.
Table 8.5 lists the information needed to install Active Directory on an upgraded Windows NT 4.0 PDC, with
sample data for installing Active Directory on the first domain controller in a new regional domain in the
trccorp.treyresearch.net forest, SEA-EAST-DC01.

Table 8.5 Information to Install Active Directory on a Windows NT 4.0 PDC

Wizard page or dialog box: Create New Domain
Action: Select Child domain in an existing domain tree.

Wizard page or dialog box: Network Credentials
Action: Type the user name and password of an account with sufficient privileges to install Active Directory
on this computer, and the fully qualified domain name of the parent domain.

Wizard page or dialog box: Child Domain Installation
Action: Enter the full DNS name of the parent domain and the single-label name of the new regional domain.
Example: Parent domain trccorp.treyresearch.net; new regional domain east

Wizard page or dialog box: Database and Log Folders
Action: Type the folder locations specified by your design.
Example: The design for Trey Research specifies that the database folder remain in the default location,
C:\Winnt\Ntds, and that the log folder be placed on a separate partition, D:\Logs.

Wizard page or dialog box: Shared System Volume
Action: Confirm or type the location specified by your design.
Example: C:\Winnt\Sysvol

Wizard page or dialog box: DNS Registration Diagnostics
Action: DNS Registration Diagnostics will indicate that it cannot find the name and address of the DNS server
with which this domain controller will be registered. This is because the pre-created delegation record points
to the local computer and DNS has not been installed on the domain controller at this point. Select the option
Install and configure the DNS server on this computer and set this computer to use this DNS server as its
preferred DNS server.

Wizard page or dialog box: Permissions
Action: Select the security level specified by your design: either Permissions compatible with pre-Windows 2000
server operating systems, or Permissions compatible only with Windows 2000 or Windows Server 2003
operating systems.
Example: Because Trey Research currently has services running on Windows NT 4.0–based servers under the
context of the Local System account, they selected Permissions compatible with pre-Windows 2000 server
operating systems.

Wizard page or dialog box: Directory Service Restore Mode Administration Password
Action: In the Password and Confirm password boxes, type any strong password.
Verify that all information on the Summary page is accurate, and then click Finish. After the Active Directory
Installation Wizard finishes, you will be prompted to restart the computer. The installation will not be complete
until the computer restarts.
For more information about installing and removing Active Directory, see the Directory Services Guide of the
Microsoft® Windows® Server 2003 Resource Kit (or see the Directory Services Guide on the Web at
http://www.microsoft.com/reskit).
After you install Windows Server 2003 Active Directory, enable Remote Desktop for Administration, formerly
known as Terminal Services in Remote Administration mode, to enable administrators to log on remotely if
necessary. To enable Remote Desktop for Administration, in Control Panel, double-click System, select the
Remote tab, and then select Allow users to connect remotely to this computer.
Important
When upgrading to a single domain forest, any individual who is a
member of the Domain Admins group in the existing Windows NT 4.0
domain will become a member of the Domain Admins and Enterprise
Admins groups. Before upgrading the first Windows NT 4.0 domain,
remove users whom you do not want to have full access to the entire
forest from both the Administrators and Domain Admins groups.
Important
Before you begin the upgrade process, store the backup media in a
secure offsite location designated by and accessible to the upgrade
team.
Important
When no DNS infrastructure exists, skip this step in the process for
upgrading to a single domain forest and proceed to the next step,
"Configure Protection Against Domain Controller Overload” later in this
chapter. The remainder of this step describes the process of
configuring and delegating a zone in the existing DNS internal
namespace.
In preparation for the deployment of the single domain forest, create a delegation for the DNS servers that will
be running on the domain controllers in the Windows Server 2003 domain. Create the delegation by adding
DNS name server (NS) and address (A) resource records to the parent DNS zone.
Note
The delegation that occurs in this step references the first Windows
Server 2003–based domain controller, which does not currently exist.
The DNS service is installed and configured on the first Windows
Server 2003–based domain controller in a later step.
To delegate the DNS zone for the Windows Server 2003 domain
1. Create a name server (NS) resource record in the parent zone. Use the full DNS name of the
domain controller.
forest_root_domain IN NS domain_controller_name
2. Create a host address (A) resource record in the parent zone. Use the full DNS name of the
domain controller.
domain_controller_name IN A domain_controller_ip_address
For example, the DNS administrator for Fabrikam created the following DNS resource records
in the parent zone, fabrikam.com:
• fabricorp IN NS SEA-FAB-DC01.fabricorp.fabrikam.com
• SEA-FAB-DC01.fabricorp.fabrikam.com IN A 172.16.16.2
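The two records above created on a Windows DNS server that hosts the parent zone, as an added example that is not from the Deployment Kit: a batch script that uses dnscmd from Windows Support Tools and then queries the parent server with nslookup to confirm the delegation and its glue. The script name and its arguments are hypothetical; the sample values are the Fabrikam ones from the text.

```batch
@echo off
rem Added example, not from the Deployment Kit.  Script name and arguments are
rem hypothetical.  Creates the delegation for a new Windows Server 2003 domain
rem on the Windows DNS server hosting the parent zone (dnscmd, Support Tools).
rem Usage: delegate-child.cmd ParentDnsServer parent.zone child dc-host dc-ip
rem   e.g. delegate-child.cmd dns1.fabrikam.com fabrikam.com fabricorp SEA-FAB-DC01 172.16.16.2
setlocal
set SERVER=%1
set PARENT=%2
set CHILD=%3
set DCHOST=%4
set DCIP=%5
if "%5"=="" goto usage

rem 1. NS record in the parent zone naming the future domain controller.
rem    Node names are relative to the zone; the NS target is given fully qualified.
dnscmd %SERVER% /RecordAdd %PARENT% %CHILD% NS %DCHOST%.%CHILD%.%PARENT%

rem 2. Glue A record: the name server lives inside the zone being delegated, so
rem    resolvers need its address from the parent or the delegation is unusable.
dnscmd %SERVER% /RecordAdd %PARENT% %DCHOST%.%CHILD% A %DCIP%

rem 3. Verify against the parent server: the NS query should list the DC and the
rem    glue query should return its address.  The child zone itself does not
rem    exist yet, so names inside it will not resolve until dcpromo installs DNS.
nslookup -type=NS %CHILD%.%PARENT% %SERVER%
nslookup %DCHOST%.%CHILD%.%PARENT% %SERVER%
goto end

:usage
echo usage: %0 ParentDnsServer parent.zone child dc-host dc-ip

:end
endlocal
```

Until Active Directory and DNS are installed on the new domain controller, the NS query succeeds but nothing answers for names inside the child zone; that is expected, and it is why the wizard's DNS Registration Diagnostics page later reports that it cannot find the DNS server.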
Note
After removing the NT4Emulator registry entry, Windows 2000,
Windows XP, and Windows Server 2003 clients will not immediately
begin to use the Kerberos authentication protocol. This will be delayed
until each client resets its secure channel or is restarted.
If no Windows 2000, Windows XP, or Windows Server 2003 clients are running in a particular site, or if the
Windows Server 2003–based domain controller has the capacity to support the number of clients that are present
in the site, this configuration is not needed.
Caution
The registry editor bypasses standard safeguards, allowing settings
that can damage your system, or even require you to reinstall
Windows. If you must edit the registry, back it up first and see the
Registry Reference on the Windows Server 2003 Deployment Kit
companion CD or on the Web at http://www.microsoft.com/reskit.
To install the operating system on the computer, insert the Windows Server 2003 operating system CD in the
CD-ROM drive of the domain controller and select the option to install the operating system, or use an
automated installation method. If the Windows Server 2003 media is shared on the network, run the
Winnt32.exe command.
Complete the operating system installation by doing the following:
1. Select Upgrade for the Installation type.
2. Use NTFS to convert the partitions. The installation of Active Directory will not succeed if you
do not have at least one NTFS partition available on which to locate the SYSVOL shared folder.
3. Verify that you are using a static IP address.
4. Configure DNS client settings by using the IP address of the closest DNS server for the
Preferred DNS Server settings. If you have more than one DNS server, add the IP address of
the next closest DNS server to the Alternate DNS server setting. If there are no other DNS
servers, leave the alternate setting blank. These DNS client settings are temporary and will be
changed during the installation of Active Directory.
5. Install Windows Support Tools, which are available in the \Support\Tools folder on the
Windows Server 2003 operating system CD.
During the operating system upgrade the computer will restart three times. After you upgrade the operating
system on a Windows NT 4.0 domain controller to Windows Server 2003, the computer is in an intermediate
state, meaning that the computer is no longer a Windows NT 4.0–based domain controller, and it is not a
Windows Server 2003–based member server or domain controller until Active Directory is installed. After the
computer restarts for the last time, the Welcome to the Active Directory Installation Wizard appears.
• Configures the Preferred DNS server to point to DNS server that is running locally on the
domain controller, and configures the Alternate DNS server to point to the closest DNS server.
• Creates two application directory partitions that are used by DNS. The DomainDnsZones
application directory partition holds domain-wide DNS data, and the ForestDnsZones
application directory partition holds forest-wide DNS data.
• Prompts the administrator to select the forest functional level.
Table 8.7 lists information to install Active Directory on a Windows NT 4.0 PDC, and lists sample data for
installing Active Directory on the first domain controller in the single domain forest for Fabrikam, SEA-FAB-
DC01.
Table 8.7 Information to Install Active Directory on a Windows NT 4.0 PDC

Wizard Page or Dialog Box: Create New Domain
Action: Select Domain in a new forest

Wizard Page or Dialog Box: New Domain Name
Action: Type the full DNS name of the domain
Example: Fabricorp.fabrikam.com

Wizard Page or Dialog Box: Forest Functional Level
Action: Choose Windows Server 2003 interim
Example: Because Fabrikam does not plan to add any Windows 2000–based domain controllers to their
forest at any time, they chose the Windows Server 2003 interim forest functional level.

Wizard Page or Dialog Box: Database and Log Folders
Action: Type the folder locations specified by your design
Example: The design for Trey Research specifies that the database folder remain in the default
location, C:\Winnt\Ntds, and that the log folder is placed on a separate partition, D:\Logs.

Wizard Page or Dialog Box: Shared System Volume
Action: Confirm or type the location specified by your design
Example: C:\Winnt\Sysvol

Wizard Page or Dialog Box: DNS Registration Diagnostics
Action: DNS Registration Diagnostics will indicate that it cannot find the name and address of the
DNS server with which this domain controller will be registered. This is because the pre-created
delegation record points to the local computer and DNS has not been installed on the domain
controller at this point. Select the option to Install and configure the DNS server on this computer
and set this computer to use this DNS server as its preferred DNS server.

Wizard Page or Dialog Box: Permissions
Action: Select the security level specified by your design:
• Permissions compatible with pre-Windows 2000 server operating systems
• Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems
Example: Because Fabrikam currently has services running on Windows NT 4.0–based servers under the
context of the Local System account, they selected Permissions compatible with pre-Windows 2000
server operating systems.

Wizard Page or Dialog Box: Directory Service Restore Mode Administration Password
Action: In the Password and Confirm password boxes, type any strong password
Verify that all information on the Summary page is accurate, and then click Finish. After the Active Directory
Installation Wizard finishes, you will be prompted to restart the computer. The installation will not be complete
until the computer restarts.
For more information about installing and removing Active Directory, see the Directory Services Guide of the
Windows Server 2003 Resource Kit (or see the Directory Services Guide on the Web at
http://www.microsoft.com/reskit).
After you install Windows Server 2003 Active Directory, enable Remote Desktop for Administration, formerly
known as Terminal Services in Remote Administration mode, to enable administrators to log on remotely if
necessary. To enable Remote Desktop for Administration, in Control Panel, double-click System, select the
Remote tab, and then select Allow users to connect remotely to this computer.
Note
Domain controllers are only added to sites based on their IP address at
the time of installation. After installation, if the IP address, subnet, or
site information of a domain controller changes, an administrator must
manually move the domain controller to the new site.
To simplify the placement of the domain controller into the appropriate site, configure your site topology before
you install Active Directory on additional domain controllers. After all sites are created, a server object for each
additional domain controller is created in the appropriate site according to its IP address.
Configure your Active Directory site topology as specified in your site topology design. For information about
creating a site topology design, see “Designing the Site Topology” in this book. For more information about
configuring your site topology, see “Configure site settings: Active Directory” and “Configure replication
between sites: Active Directory” in Help and Support Center for Windows Server 2003.
It is recommended that you repeat this operation when the PDC emulator operations master role is transferred or
seized in the forest root domain.
To configure the Windows Time Service on first forest root domain controller
1. Log on to the domain controller.
2. At the command line, type:
W32tm /config /manualpeerlist:<peers> /syncfromflags:manual
where <peers> is a space-delimited list of DNS names and/or IP addresses. When specifying multiple
peers, enclose the list in quotation marks.
3. Update the Windows Time Service configuration. At the command line, type:
W32tm /config /update
– or –
Net stop w32time
Note
When specifying a manual peer, do not use the DNS name or IP
address of a computer that uses the forest root domain controller as its
source for time, such as another domain controller in the forest. The
time service will not operate correctly if there are cycles in the time
source configuration.
For more information about configuring and deploying the Windows Time Service, see the Directory Services
Guide of the Windows Server 2003 Resource Kit (or see the Directory Services Guide on the Web at
http://www.microsoft.com/reskit).
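The note above warns against cycles in the time source configuration. The script below is an added example (not part of this chapter) that builds the W32tm command line from a peer list with the quoting the procedure calls for, and checks a planned set of manual peers for cycles before anyone runs it. Host names and the external time source are constructed; the rule applied is the one in the note: no computer may take time, directly or indirectly, from a computer that takes time from it.

```python
"""Check a planned Windows Time Service peer configuration for cycles (added example)."""
from __future__ import annotations


def build_w32tm_command(peers: list[str]) -> str:
    """Render the W32tm /config line from the procedure; a multi-peer list is quoted."""
    if not peers:
        raise ValueError("at least one peer is required")
    peer_list = " ".join(peers)
    if len(peers) > 1:
        peer_list = f'"{peer_list}"'
    return f"W32tm /config /manualpeerlist:{peer_list} /syncfromflags:manual"


def find_time_source_cycle(time_sources: dict[str, list[str]]) -> list[str] | None:
    """Return one cycle (host names, first == last) if the peer graph has one, else None.

    time_sources maps each host to the hosts it takes time from. Depth-first search with
    three colours: an edge to a host that is still on the current path is a back edge,
    which means the host would eventually take time from itself.
    """
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {h: WHITE for h in time_sources}
    for peers in time_sources.values():
        for p in peers:
            colour.setdefault(p, WHITE)   # external sources appear only as peers
    path: list[str] = []

    def visit(host: str) -> list[str] | None:
        colour[host] = GREY
        path.append(host)
        for peer in time_sources.get(host, []):
            if colour[peer] == GREY:
                return path[path.index(peer):] + [peer]
            if colour[peer] == WHITE:
                found = visit(peer)
                if found:
                    return found
        path.pop()
        colour[host] = BLACK
        return None

    for host in list(colour):
        if colour[host] == WHITE:
            cycle = visit(host)
            if cycle:
                return cycle
    return None


# Constructed: the forest root DC follows an external source (placeholder name);
# the second DC follows the root.
GOOD_PLAN = {
    "SEA-FAB-DC01": ["time.example.net"],
    "SEA-FAB-DC02": ["SEA-FAB-DC01"],
}
# Constructed mistake: the root DC also lists DC02 as a peer, and DC02 follows the root.
BAD_PLAN = {
    "SEA-FAB-DC01": ["time.example.net", "SEA-FAB-DC02"],
    "SEA-FAB-DC02": ["SEA-FAB-DC01"],
}

if __name__ == "__main__":
    print(build_w32tm_command(GOOD_PLAN["SEA-FAB-DC01"]))
    print(find_time_source_cycle(GOOD_PLAN), find_time_source_cycle(BAD_PLAN))
```

The check is worth repeating whenever the PDC emulator role moves, since the new role holder is the computer that will be reconfigured with manual peers.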
If left unmanaged, the presence of stale RRs in zone data might cause problems, including the following:
• If a large number of stale RRs remain in server zones, they can eventually take up server disk
space and cause unnecessarily long zone transfers.
• DNS servers loading zones with stale RRs might use outdated information to answer client
queries, potentially causing the clients to experience name resolution problems on the network.
• The accumulation of stale RRs at the DNS server can degrade its performance and
responsiveness.
Caution
By default, the aging and scavenging mechanism for the DNS Server
service is disabled. Enable aging and scavenging only after you
understand all parameters. Otherwise, the server could be accidentally
configured to delete resource records that should not be deleted. If a
resource record is accidentally deleted, not only will users fail to
resolve queries for that resource record, but any user can create the
resource record and take ownership of it, even on zones configured for
secure dynamic update.
For more information about how to configure aging and scavenging,
see “Understanding aging and scavenging: DNS” in Help and Support
Center for Windows Server 2003.
To enable the aging and scavenging features, and to configure the applicable server and its Active Directory–
integrated zones, perform these tasks:
• Enable aging and scavenging at the server. These settings determine the effect of zone-level
properties for any Active Directory–integrated zones loaded at the server.
• Enable aging and scavenging for selected zones at the DNS server. When zone-specific
properties are set for a selected zone, these settings apply only to the applicable zone and its
resource records. Unless these zone-level properties are otherwise configured, they inherit their
defaults from comparable settings maintained in server aging/scavenging properties.
To set aging and scavenging properties for the DNS server
1. Log on to the computer that is running the DNS Server service with an account that is a
member of the local Administrators group.
2. In the DNS console tree, right-click the applicable DNS server, and then click Set
Aging/Scavenging for all zones.
3. Select the Scavenge stale resource records check box.
4. Modify other aging and scavenging properties as needed.
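The caution above says to understand all aging parameters before enabling scavenging. The model below is an added example, not part of this chapter or of the DNS Server service, that implements the rules the service applies to dynamically registered records: a record carries a timestamp, a refresh during the no-refresh interval is ignored, a later refresh rewrites the timestamp, and a record becomes scavengeable once timestamp + no-refresh interval + refresh interval has passed. Static records (timestamp 0, modelled here as None) are never aged, and nothing is deleted while scavenging stays at its disabled default. Interval values are the usual 7-day defaults; host names and times are constructed.

```python
"""Model of DNS aging and scavenging for Active Directory-integrated zones (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

T0 = datetime(2003, 6, 1, 9, 0)   # constructed reference time
DAY = timedelta(days=1)


@dataclass
class ZoneRecord:
    name: str
    rdata: str
    timestamp: datetime | None   # None models a static record (timestamp 0)


@dataclass(frozen=True)
class AgingPolicy:
    scavenging_enabled: bool = False     # disabled by default, as the caution says
    no_refresh: timedelta = 7 * DAY
    refresh: timedelta = 7 * DAY


def refresh_record(rec: ZoneRecord, policy: AgingPolicy, now: datetime) -> bool:
    """Apply a dynamic-update refresh; True if the timestamp was rewritten."""
    if rec.timestamp is None:
        return False                      # static records are never stamped
    if now < rec.timestamp + policy.no_refresh:
        return False                      # inside the no-refresh window: suppressed
    rec.timestamp = now
    return True


def is_stale(rec: ZoneRecord, policy: AgingPolicy, now: datetime) -> bool:
    if rec.timestamp is None:
        return False
    return now >= rec.timestamp + policy.no_refresh + policy.refresh


def scavenge(zone: list[ZoneRecord], policy: AgingPolicy, now: datetime) -> list[ZoneRecord]:
    """Records that a scavenging pass would delete; none while scavenging is disabled."""
    if not policy.scavenging_enabled:
        return []
    return [r for r in zone if is_stale(r, policy, now)]


def demo() -> tuple[int, int]:
    """Constructed zone: a static DC record, a host that went away, a host still refreshing.

    Returns the number of records deleted under the default policy and under an enabled one.
    """
    zone = [
        ZoneRecord("sea-fab-dc01.fabricorp.fabrikam.com", "172.16.16.2", None),
        ZoneRecord("old-laptop.fabricorp.fabrikam.com", "172.16.20.5", T0),
        ZoneRecord("desk-17.fabricorp.fabrikam.com", "172.16.20.6", T0),
    ]
    enabled = AgingPolicy(scavenging_enabled=True)
    refresh_record(zone[2], enabled, T0 + 10 * DAY)   # past no-refresh, so accepted
    now = T0 + 15 * DAY
    return len(scavenge(zone, AgingPolicy(), now)), len(scavenge(zone, enabled, now))


if __name__ == "__main__":
    print(demo())
```

With the 7+7 day defaults, a record that stops refreshing on 1 June is deleted from 15 June; the host that refreshed on 11 June survives until 25 June, and the static domain controller record is never touched, which is why server records should be created statically or explicitly excluded before scavenging is switched on.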
Important
If you modify these policies, the default security policies in your
environment are weakened. However, this is necessary to ensure that
some clients running earlier versions of Windows can access domain
resources. After all the clients in your environment are running versions
of Windows that support SMB packet and secure channel signing, you
can re-enable these security policies to increase security. It is
recommended that you upgrade your Windows clients as soon as
possible.
Note
Modifying these settings in the Domain Controllers container will
change the Default Domain Controllers Policy. Policy changes that are
made here are replicated to all other domain controllers in the domain,
requiring you to modify these policies only one time.
For more information about SMB packet signing and secure channel signing, see “Background Information for
Upgrading to Windows Server 2003 Active Directory” earlier in this chapter.
For more information about security policies, see “Security options: Security Setting Descriptions” in Help and
Support Center for Windows Server 2003.
2. Use the information listed in Table 8.10 to ensure that the LbridgeAcct has the correct
permissions on both the Windows Server 2003–based domain controller and on the
Windows NT 4.0 BDC.
Table 8.10 Permissions for the LbridgeAcct User Account

Folder: On the Windows NT 4.0 BDC, ensure that the LbridgeAcct is granted Full Control to the
REPL$ share. In Server Manager, select the computer configured as the export server, click
Computer, and select Shared Directories. Select REPL$, and then click Properties. In the Share
Properties dialog box, click Permissions, click Add, and then click Show Users. Select the
LbridgeAcct. In the Type of Access drop-down list box, select Full Control.
Permission: Full Control

Folder: On the Windows Server 2003–based domain controller in the new Windows Server 2003 domain,
ensure that the LbridgeAcct is granted Read access to the NETLOGON shared folder. Access the
NETLOGON shared folder by typing \\win_dc\Netlogon (where win_dc is the name of the
Windows Server 2003–based domain controller) in the Run dialog box.
Permission: Read
3. Create a destination folder on the Windows Server 2003–based domain controller where you
will install the Lbridge.cmd script and the Robocopy.exe tool.
4. Modify the path statement in Environment Variables to include the destination folder. Right-
click My Computer, click Properties, click the Advanced tab, and then click Environment
Variables. In the System Variables list, select Path and click Edit. Append the Variable value
with the location of the destination folder (;C:\destination folder).
The Lbridge.cmd script and Robocopy.exe tools are available on the Windows Server 2003
Deployment Kit companion CD.
5. On the Windows Server 2003–based domain controller, in Windows Explorer, right-click the
Lbridge.cmd script, and then click Edit. Edit as indicated in Table 8.11.
Table 8.11 Modifications to the lbridge.cmd Script

Script Line: Set L-Destination=%1
Change To: Set L-Destination=\\winnt_dc\REPL$ (where winnt_dc is the name of the Windows NT 4.0 BDC
hosting the LMRepl export server)

Script Line: Call :Xcopy
Change To: @Rem Call :Xcopy

Script Line: @Rem Call :Robocopy
Change To: Call :Robocopy

Script Line: Echo Robocopy %L-Source% %L-Destination% /E /PURGE
Change To: Robocopy %L-Source% %L-Destination% /E /PURGE
6. On the Windows Server 2003–based domain controller, open Control Panel, point to
Scheduled Tasks, and then click Add Scheduled Task.
7. Complete the Scheduled Task Wizard by using the information in Table 8.12. Accept the default
settings when no information is supplied.
Table 8.12 Scheduled Task Wizard Actions for Lbridge.cmd

Wizard Page: Click the program you want Windows to run
Action: Click Browse. In the Select Program to Schedule dialog box, click lbridge.cmd.

Wizard Page: Type a name for this task
Action: Type FRS - LMRepl Replication Bridge.

Wizard Page: Perform this task
Action: Select Daily.

Wizard Page: Start time
Action: Enter the time and date that you want the replication to start.

Wizard Page: Enter the user name
Action: Type LbridgeAcct.

Wizard Page: Enter the password
Action: Type the password that you have chosen for LbridgeAcct.

Wizard Page: Confirm the password
Action: Confirm the password for LbridgeAcct.

Wizard Page: Open advanced properties for this task when I click Finish
Action: Select the check box.
8. In the FRS - LMRepl Replication Bridge dialog box, on the Schedule tab, click Advanced.
9. In the Advanced Schedule Options dialog box, select the Repeat task check box.
10. In the Every box, specify how often you want the script to run.
11. In the Duration box, specify how long you want the script to run, and then click OK.
12. In the FRS - LMRepl Replication Bridge dialog box, on the Schedule page, click OK.
To verify that the script ran successfully and replication is occurring from the Windows Server 2003–based
domain controller to all Windows NT 4.0–based domain controllers, place a file called Test.txt into the
\\Win_dc\SYSVOL\sysvol\domainname\scripts folder. After the scheduled replication has taken place, verify
that the Test.txt file has replicated to the \\Winnt_dc\system32\REPL\Import\scripts folder.
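Lbridge.cmd ends up running Robocopy with /E and /PURGE, which mirrors the source tree into the destination and deletes anything in the destination that the source no longer has. The script below is an added example, not the chapter's Lbridge.cmd or any Microsoft tool; it plans and applies that mirror on two constructed directory trees in a temporary folder so the purge behaviour can be inspected before a real REPL$ share is pointed at, and it carries out the Test.txt check described above. Folder and file names are made up.

```python
"""Dry run and application of a Robocopy /E /PURGE style mirror (added example)."""
from __future__ import annotations
import shutil
import tempfile
from pathlib import Path


def _relative_files(root: Path) -> dict[str, bytes]:
    """Map each file under root (relative POSIX path) to its content."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def mirror_plan(source: Path, destination: Path) -> dict[str, list[str]]:
    """What a mirror would copy, leave alone, and (because of /PURGE) delete."""
    src = _relative_files(source)
    dst = _relative_files(destination)
    return {
        "copy": sorted(n for n in src if n not in dst or src[n] != dst[n]),
        "unchanged": sorted(n for n in src if n in dst and src[n] == dst[n]),
        "purge": sorted(n for n in dst if n not in src),
    }


def apply_mirror(source: Path, destination: Path, plan: dict[str, list[str]]) -> None:
    for rel in plan["copy"]:
        target = destination / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source / rel, target)
    for rel in plan["purge"]:
        (destination / rel).unlink()


def verify_replicated(source: Path, destination: Path, name: str = "Test.txt") -> bool:
    """The chapter's check: the marker file must exist, identical, on both sides."""
    s, d = source / name, destination / name
    return s.is_file() and d.is_file() and s.read_bytes() == d.read_bytes()


def demo() -> dict:
    """Constructed SYSVOL scripts folder and REPL$ export folder; returns what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        sysvol_scripts = Path(tmp, "sysvol", "fabricorp.fabrikam.com", "scripts")
        repl_export = Path(tmp, "REPL$", "Export", "scripts")
        for folder in (sysvol_scripts, repl_export):
            folder.mkdir(parents=True)
        (sysvol_scripts / "logon.bat").write_text("net use h: \\\\SEA-FAB-DC01\\home\r\n")
        (sysvol_scripts / "Test.txt").write_text("replication marker\r\n")
        (repl_export / "logon.bat").write_text("rem old copy\r\n")
        (repl_export / "legacy.bat").write_text("rem exists only on the BDC\r\n")
        plan = mirror_plan(sysvol_scripts, repl_export)
        before = verify_replicated(sysvol_scripts, repl_export)
        apply_mirror(sysvol_scripts, repl_export, plan)
        return {
            "plan": plan,
            "marker_before": before,
            "marker_after": verify_replicated(sysvol_scripts, repl_export),
            "legacy_survives": (repl_export / "legacy.bat").exists(),
        }


if __name__ == "__main__":
    print(demo())
```

The "purge" list is the part to read before scheduling the task: any logon script that lives only on the Windows NT 4.0 export server is removed on the first run, so it has to be moved into SYSVOL first.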
Recreate Trusts
Trust relationships between Windows NT 4.0 domains use NetBIOS domain names. During the in-place
upgrade of your Windows NT 4.0 environment, if some of your Windows NT 4.0 domains have trust
relationships with other Windows NT 4.0 domains that are then upgraded into separate forests, those trust
relationships between the domains in different forests remain, but continue to use the NetBIOS domain name. It
is recommended that trust relationships between domains in different forests use the DNS name for the domain
in order to gain better functionality in a Windows Server 2003 environment. To rename the trust relationship by
using the DNS name for the domain, delete and recreate external trust relationships that exist between
Windows NT 4.0 domains and Active Directory domains in different forests. Trusts that use NetBIOS names
and exist between Windows NT 4.0 domains can be left in place.
In domains with more than 10,000 users, it might be necessary to reduce the number of authentication requests
received by the PDC emulator and allow it to perform other tasks. If, after upgrading the Windows NT 4.0 PDC,
CPU utilization is higher than 50 percent or if disk queues remain higher than two for several hours or days,
reduce the number of client authentication requests that are received by the PDC emulator.
Note
Other factors that can increase the workload on the PDC emulator
include pre-Active Directory clients or applications that have been
written to contact the PDC emulator.
To reduce the number of client authentication requests that are processed by the PDC emulator, adjust its weight
or its priority in the DNS environment. If you want to proportionately reduce the number of client authentication
requests received by the PDC emulator, adjust its weight. If you want to ensure that the PDC emulator does not
receive any client authentication requests, adjust its priority.
Active Directory assigns a default value of 100 for the weight. By creating a new registry entry for the weight
and assigning it a decreased value of 50, you can proportionately reduce the number of client authentication
requests that are sent to the PDC. This ensures that the PDC will authenticate half of the number of clients that it
would if the weight value remained at 100.
Active Directory assigns a default value of zero for the priority. By creating a new registry entry for the priority
and assigning it an increased value of 200, you can ensure that the PDC will never receive client authentication
requests unless it is the only accessible domain controller.
Caution
The registry editor bypasses standard safeguards, allowing settings
that can damage your system, or even require you to reinstall
Windows. If you must edit the registry, back it up first and see the
Registry Reference on the Windows Server 2003 Deployment Kit
companion CD or at http://www.microsoft.com/reskit.
To change the weight for DNS SRV records by using the registry
1. In the Run dialog box, type regedit, and then press ENTER.
2. In the registry editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. Click Edit, click New, and then click DWORD value.
4. For the new entry name, type LdapSrvWeight, and then press ENTER. (The value name is not
case sensitive.)
5. Double-click the entry name that you just typed.
6. In the Edit DWORD Value dialog box, select Decimal as the Base option.
7. Enter a value between 0 and 65535 (the recommended value is 50), and then click OK.
8. Click File, and then click Exit to close the registry editor.
Adjusting the priority of the domain controller also reduces the number of client referrals. However, rather than
reducing it proportionally to the other domain controllers, changing the priority causes DNS to stop referring all
clients to this domain controller unless all domain controllers with a lower priority setting are unavailable.
Note
A lower value entered for LdapSrvPriority indicates a higher priority. A
domain controller with an LdapSrvPriority setting of 100 has a lower
priority than a domain controller with a setting of 10. Therefore, clients
attempt to use the domain controller with the setting of 10 first.
To change the priority for DNS SRV records by using the registry
1. In the Run dialog box, type regedit, and then press ENTER.
2. In the registry editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. Click Edit, click New, and then click DWORD value.
4. For the new entry name, type LdapSrvPriority, and then press ENTER.
5. Double-click the entry name that you just typed.
6. In the Edit DWORD Value dialog box, select Decimal as the Base option.
7. Enter a value between 0 and 65535 (the recommended value is 200), and then click OK.
8. Click File, and then click Exit to close the registry editor.
For more information about adjusting the weight or the priority of the PDC emulator, see the Active Directory
link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search under
“Administration and Configuration Guides” and download the Active Directory Operations Guide.
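The two registry values above change the weight and priority fields of the SRV records that Netlogon registers, and clients pick a domain controller from those records by the RFC 2782 rules. The script below is an added example, not from this chapter or from Windows, that implements those rules so the effect of a change can be worked out before it is made: within the lowest priority value that is reachable, each domain controller receives a share equal to its weight divided by the total weight of that tier, and a domain controller with a higher priority value is chosen only when every lower-priority one is unavailable. Domain controller names reuse the Fabrikam example; the record values are constructed.

```python
"""SRV record selection (RFC 2782) applied to Netlogon LdapSrvWeight/LdapSrvPriority (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from fractions import Fraction
import random


@dataclass(frozen=True)
class SrvRecord:
    target: str
    priority: int = 0    # Netlogon default LdapSrvPriority; lower value = preferred
    weight: int = 100    # Netlogon default LdapSrvWeight


def _tier(records: list[SrvRecord], available: set[str] | None) -> list[SrvRecord]:
    """Reachable records at the lowest priority value present."""
    usable = [r for r in records if available is None or r.target in available]
    if not usable:
        return []
    best = min(r.priority for r in usable)
    return [r for r in usable if r.priority == best]


def expected_share(records: list[SrvRecord], target: str,
                   available: set[str] | None = None) -> Fraction:
    """Fraction of client selections a target receives in the long run."""
    tier = _tier(records, available)
    total = sum(r.weight for r in tier)
    for r in tier:
        if r.target == target:
            return Fraction(r.weight, total) if total else Fraction(1, len(tier))
    return Fraction(0)


def select_target(records: list[SrvRecord], rng: random.Random,
                  available: set[str] | None = None) -> str | None:
    """One client lookup: weighted random choice within the preferred priority tier."""
    tier = _tier(records, available)
    if not tier:
        return None
    total = sum(r.weight for r in tier)
    if total == 0:
        return rng.choice(tier).target    # all weights zero: treated as equal here
    pick = rng.randrange(total)
    for r in tier:
        pick -= r.weight
        if pick < 0:
            return r.target
    return tier[-1].target


def simulate(records: list[SrvRecord], lookups: int, seed: int = 1) -> dict[str, int]:
    """Count how many of `lookups` client selections each target receives."""
    rng = random.Random(seed)
    counts: dict[str, int] = {}
    for _ in range(lookups):
        t = select_target(records, rng)
        counts[t] = counts.get(t, 0) + 1
    return counts


# Constructed fabricorp.fabrikam.com records: the PDC emulator (dc01) and one other DC.
DEFAULT = [SrvRecord("sea-fab-dc01"), SrvRecord("sea-fab-dc02")]
HALF_WEIGHT = [SrvRecord("sea-fab-dc01", weight=50), SrvRecord("sea-fab-dc02")]
LOW_PRIORITY = [SrvRecord("sea-fab-dc01", priority=200), SrvRecord("sea-fab-dc02")]

if __name__ == "__main__":
    for name, recs in (("default", DEFAULT), ("weight 50", HALF_WEIGHT), ("priority 200", LOW_PRIORITY)):
        print(name, expected_share(recs, "sea-fab-dc01"), simulate(recs, 10000))
```

The share a weight change produces depends on how many other domain controllers sit in the same priority tier and on their weights, so it is worth computing for the actual site before picking a value; the priority change is the one that removes the PDC emulator from normal client selection outright.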
To complete the process for upgrading additional domain controllers, perform the following tasks:
1. Configure protection against domain controller overload.
2. Neutralize Windows NT 4.0 domain controller emulation.
3. Upgrade the operating system of Windows NT 4.0 BDCs.
4. Install Active Directory.
5. Install DNS on additional domain controllers.
6. Reconfigure the DNS Service.
7. Add Windows NT 4.0 BDCs to the Windows Server 2003 domain if necessary.
8. Perform post-upgrade tests.
Table 8.13 lists information for installing Active Directory on additional domain controllers, as well as sample
data for installing Active Directory on additional domain controllers in a regional domain in the existing Trey
Research forest or in the Fabrikam single domain forest. Trey Research will install Active Directory
immediately after upgrading the operating system. Fabrikam will use the dcpromo /adv command to install
Active Directory on a member server by copying directory data over the network from a domain controller.
Table 8.13 Installing Active Directory on Additional Domain Controllers

Wizard Page or Dialog Box: Additional Domain Controller or Member Server
Action: Select whether you want the computer to become a member server or an additional domain
controller for the domain.
Example:
Upgrading to a regional domain in an existing forest: Trey Research will select Additional domain
controller to install Active Directory immediately.
Upgrading to a single domain forest: Fabrikam will select Member Server. They will install Active
Directory at a later time using the dcpromo /adv command.

Wizard Page or Dialog Box: Domain Controller Type
Action: Select Additional domain controller for an existing domain.
Example:
Upgrading to a regional domain in an existing forest: Trey Research will not see this wizard page.
Upgrading to a single domain forest: When Fabrikam initiates the Active Directory Installation
Wizard by using the dcpromo /adv command, this is the first wizard page that appears.

Wizard Page or Dialog Box: Copying Domain Information
Action: Select either:
• Over the network from a domain controller
• From these restored backup files
Example:
Upgrading to a regional domain in an existing forest: Trey Research will not see this wizard page
because they chose to install Active Directory immediately following the operating system upgrade.
Upgrading to a single domain forest: Fabrikam will copy domain information from the first domain
controller that is deployed, SEA-FAB-DC01, which is in the same location as the new one. Therefore,
they selected Over the network from a domain controller to copy the information in the shortest time.
Verify that all information on the Summary page is accurate, and then click Finish. After the Active Directory
Installation Wizard finishes, you will be prompted to restart the computer. The installation will not be complete
until the computer restarts.
Note
All additional domain controllers added to a single domain forest should
be configured as Global Catalog servers. For more information about
global catalog server placement, see “Designing the Site Topology” in
this book.
After you install Windows Server 2003 Active Directory, enable Remote Desktop for Administration, formerly
known as Terminal Services in Remote Administration mode, to enable administrators to log on remotely if
necessary. To enable Remote Desktop for Administration, in Control Panel, double-click System, select the
Remote tab, and then select Allow users to connect remotely to this computer.
Note
You will not be able to install a new Windows NT 4.0–based BDC in
your environment if you have SMB packet signing and secure channel
signing enabled. If these security policies are enabled in your
environment, modify them before installing a new Windows NT 4.0–
based BDC. For information about modifying security policies, see
“Modify Security Policies” earlier in this chapter.
When using the net localgroup command to add or delete any group or group member name that includes
spaces, such as the Anonymous Logon group, you must enclose the group name in quotation marks.
Important
If you raise the domain and forest functional levels to
Windows Server 2003, this action cannot be reversed and you cannot
add Windows NT 4.0–based or Windows 2000–based domain
controllers to the environment. Any existing Windows NT 4.0 or
Windows 2000–based domain controllers in the environment will no
longer function. Before you raise functional levels to take advantage of
advanced Windows Server 2003 features, ensure that you will never
need to install domain controllers that run Windows NT 4.0 or
Windows 2000 in your environment.
After you determine that your environment is ready, use Active Directory Domains and Trusts to enable the
Windows Server 2003 domain functional level.
After all domains are operating at the Windows Server 2003 functional level, raise the forest functional level to
Windows Server 2003 to take advantage of all Windows Server 2003 forest-level features.
For more information about enabling functional levels and the features available at the Windows Server 2003
domain and forest functional levels, see “Enabling Advanced Windows Server 2003 Active Directory Features”
in this book.
Important
The CN=Users and CN=Computers containers are computer-protected
objects. You cannot (and must not) remove them for backward
compatibility purposes. However, you can rename these objects.
In Windows Server 2003 Active Directory, when the domain functional level has been raised to Windows
Server 2003, you can redirect the default CN=Users and CN=Computers containers to organizational units that
you specify so that each can support Group Policy, making them easier to manage.
To redirect the Users container
1. In Active Directory Users and Computers, create an organizational unit container to which you
will redirect users that were created with earlier versions of user interface and command-line
management tools.
2. At the command line, change to the system32 directory by typing:
Cd %systemroot%\system32
For more information about creating an organizational unit design, see “Designing the Active Directory Logical
Structure” in this book.
Additional Resources
These resources contain additional information and tools related to this chapter.
Related Information
• “Restructuring Windows NT 4.0 Domains to an Active Directory Forest” in this book for more
information about restructuring domains when upgrading from Windows NT 4.0 to Windows
Server 2003.
• “Designing the Active Directory Logical Structure” in this book for more information about the
Active Directory logical structure.
• “Designing the Site Topology” in this book for more information about Active Directory site
topology.
• “Enabling Advanced Windows Server 2003 Active Directory Features” in this book for more
information about enabling functional levels.
• “Deploying DNS” in Deploying Network Services for more information about deploying DNS.
Related Tools
• Adsiedit.exe
The ADSI Edit tool (Adsiedit.exe) is a Microsoft Management Console snap-in that you can use
to edit objects in the Active Directory database. For more information about Adsiedit.exe, in
Help and Support Center for Windows Server 2003, click Tools, and then click Windows
Support Tools.
• Ldp.exe
Ldp.exe provides an interface to perform LDAP operations against Active Directory. For more
information about Ldp.exe, in Help and Support Center for Windows Server 2003, click Tools,
and then click Windows Support Tools.
Related Help Topics
For best results in identifying Help topics by title, in Help and Support Center, under the Search box, click Set
search options. Under Help Topics, select the Search in title only check box.
• “Active Directory” in Help and Support Center for Windows Server 2003.
• “Windows Support Tools” under “Tools” in Help and Support Center for Windows Server 2003.
• “Configure site settings” in Help and Support Center for Windows Server 2003 for more
information about creating site objects, subnet objects, and associating subnets with sites.
• “Understanding aging and scavenging” in Help and Support Center for Windows Server 2003
for more information about how to configure aging and scavenging of stale resource records.