Paul Hinsberg: Answers to your AD questions


Paul Hinsberg
06.14.2002
SearchWin2000 migration expert Paul Hinsberg responds to leftover audience questions from the May 30 Webcast, "Staying secure during an NT to 2000 migration."

Q. Do you recommend any templates in AD/OU design? What's your opinion on single domain vs. multiple domains AD infrastructure?
A. I don't really have any templates. The application of Windows 2000 and Active Directory is very tailored to each business. Adding more than one domain to an AD structure should be done with great care. It is usually not necessary and leads to additional hardware requirements. Most of the time, the addition of OUs to manage security and other options works better.

Q. What DNS issues do you see with an NT 4.0 domain, only running WINS, being upgraded (in-place) to a mixed mode Win2k domain? How would you configure DNS for this (AD integrated)?
A. If you have DNS on a Windows NT 4.0, you will want to upgrade this server first (unless of course it is a BDC). Then you can upgrade the PDC to Win2k and add Windows 2000. It will be much better to move the NT 4.0 DNS to the Windows 2000 DC eventually to take advantage of the Active Directory Integrated configuration of DNS. If the DNS server is already a Windows NT 4.0 DC, I would be more likely to build a new integrated DNS and then migrate the entries and configuration from the NT 4.0 DC. I am just a big fan of building things new and fresh rather than upgrading.

Q. What is the difference in the way trusts are established?
A. Trusts are developed a little differently in Windows 2000 than in Windows NT. This becomes more evident when you are looking at subordinate or child domains to the primary. The Windows 2000 trusts are automatically transitive and two-way. This is very different from Windows NT 4.0. In addition, if the parent-child relationship is established (you build the child domain and specify a parent), the Enterprise Admins group is added to the Administrators groups on the child machines. This is very different from NT 4.0 where the establishment of any trust did not imply any immediate access.
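
The following audit script is an added example, not part of the original answer. It lists each domain's trusts with their direction and transitivity, and reports whether Enterprise Admins sits in the built-in Administrators group of each domain. It assumes a management host with the RSAT ActiveDirectory PowerShell module (which postdates Windows 2000) and read access to every domain in the forest.

```powershell
# Added example: audit trusts and Enterprise Admins reach across one forest.
# Assumes the RSAT ActiveDirectory module and read access to each domain.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
# Enterprise Admins always has RID 519 in the forest root domain.
$eaDn    = (Get-ADGroup -Identity "$rootSid-519" -Server $forest.RootDomain).DistinguishedName

$trusts = foreach ($domain in $forest.Domains) {
    Get-ADTrust -Filter * -Server $domain | ForEach-Object {
        [pscustomobject]@{
            Domain      = $domain
            Partner     = $_.Target
            Direction   = $_.Direction      # Inbound, Outbound or BiDirectional
            IntraForest = $_.IntraForest    # True for parent-child and tree-root trusts
            # Bit 0x1 of trustAttributes marks a trust as non-transitive.
            Transitive  = -not ($_.TrustAttributes -band 0x1)
        }
    }
}

$adminReach = foreach ($domain in $forest.Domains) {
    # S-1-5-32-544 is the built-in Administrators group of each domain.
    $admins = Get-ADGroup -Identity 'S-1-5-32-544' -Properties member -Server $domain
    [pscustomobject]@{
        Domain                  = $domain
        EnterpriseAdminsIsAdmin = $admins.member -contains $eaDn
        DirectMemberCount       = @($admins.member).Count
    }
}

$trusts     | Sort-Object Domain, Partner | Format-Table -AutoSize
$adminReach | Format-Table -AutoSize
```

Rows where `IntraForest` is false are external or forest trusts created by an administrator, so they are the ones to compare against the documented design.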

Q. We have firewalls in our location. How important is it to apply the numerous security fixes?
A. Firewalls are great, but not perfect. Couple this with the fact that most of the hacks that plague companies come from internal users/employees. Keeping your organization safe from yourself becomes very important.

Q. We have NT BDCs in several remote offices. I have heard that the security on the Windows 2000 DCs is a problem if they are not physically secure. Why is that?
A. NT 4.0 BDCs are read-only copies of data. Whenever you run any operation like Server Manager or User Manager, you're actually working with the PDC's database. In Windows 2000, the DC local database is modified and the changes are then moved around the AD infrastructure. Thus, gaining local access to a Windows 2000 DC is a greater risk.

Q. You have mentioned planning and analysis a few times. Are there any other resources I can use to give me an idea about what I should be collecting?
A. It sounds a little funny, but the MCSE training guides have provided some pretty nice templates for collecting information. The Microsoft AD planning guide also has some good templates. One thing to keep in mind is that Microsoft tends to suggest burying yourself in this paperwork. You have to think about most of the information, but only some of it will be pertinent depending on the size and complexity of your environment.

Q. Can you recommend any Win2k/AD/migration infrastructure best practices books?
A. Really, at this time I haven’t found one that I really liked. The technology has been out there a little while, but I have yet to see a book that really captures everything.

For more information, check out our Active Directory and Win2k Migration Best Web Links. You can also download PowerPoint presentations from other archived Webcasts from our Online Event Presentations Best Web Links category.

All Rights Reserved, Copyright 1999 - 2009, TechTarget | Read our Privacy Policy