Get IT Done: Understanding the differences between domains in Windows NT and Windows 2000

Understand domain conventions under Windows 2000

A domain by any other name would be...well, confusing. That's the inescapable conclusion faced by anyone who migrates from NT4 to Windows 2000. Although both network operating systems use the domain as their primary organizing principle, the behavior and configuration of those domains are completely different.

Case in point: Under NT4, network administrators create one primary domain controller (PDC) and any number of backup domain controllers (BDCs). If the PDC needs to be retired, it's a simple matter to promote a BDC, which automatically demotes the old PDC to a BDC. Not so with Windows 2000, where Active Directory adds some serious complications.

I ran into this problem a few months ago, shortly after Windows 2000 went gold, and it inspired my latest Microsoft Challenge. I asked TechRepublic members to help in the following scenario: "You add a second domain controller to your Windows 2000 domain. Later, you decide to retire the original domain controller. What steps do you have to go through to make the change?"

One common misconception is that all domain controllers are equal under Windows 2000: because every DC holds a writable copy of the Active Directory, there should be no need to demote a primary and promote a secondary. Well, not exactly. Windows 2000's Active Directory is a multi-master database, but for certain types of changes it still works in a single-master fashion. Those changes belong to the five flexible single-master operations (FSMO) roles: the schema master and domain naming master (one of each per forest) and the RID master, PDC emulator, and infrastructure master (one of each per domain). If you retire the DC that holds any of these roles without transferring them first, the result can be chaos: once the remaining DCs exhaust their RID pools, no new users, groups, or computers can be created; schema and domain changes fail; and NT4 BDCs and down-level clients lose the server they treat as their PDC.

TechRepublic member dpeach was the first to lay out the proper steps, in order (earning 500 TechPoints in the process):

1. Set up the new DC and ensure DNS is configured properly.

2. Execute the dcpromo utility. Answer all questions or accept defaults. You must know the FQDN for the existing Domain.

3. Set up the shared sysvol location (NTFS). Set up DNS on the server if applicable. Provide the directory services restore password. When replication is complete, ensure AD is running properly.

4. Demote the old DC by running "dcpromo" and selecting all options to remove AD from the server. Reboot the server.
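The steps above leave the role transfer implicit, so here is an added example that is not part of the original article or dpeach's answer. It is the sequence an administrator would type between steps 3 and 4, using the tools the Knowledge Base articles below describe. The server names DC1 (the DC being retired) and DC2 (its replacement) are assumptions; netdom, dcdiag, and repadmin come from the Windows 2000 Support Tools, while ntdsutil and dcpromo ship with the operating system.

```powershell
# Added example, not from the original article. Assumed names: the DC being
# retired is DC1, its replacement is DC2. Run on DC2 as a member of Enterprise
# Admins (and Schema Admins, which the schema master transfer requires).
$OldDc = "DC1"
$NewDc = "DC2"

# 1. Record which DC holds each of the five FSMO roles before touching anything.
Write-Host "Role holders before transfer:"
netdom query fsmo

# 2. Don't move roles onto a DC that isn't replicating cleanly yet.
dcdiag /s:$NewDc /test:replications
repadmin /showreps $NewDc

# 3. Transfer (not seize) each role to the new DC. ntdsutil accepts its
#    interactive commands as arguments; on Windows 2000 each 'transfer'
#    still raises a Yes/No confirmation dialog, so answer it.
#    Transferring before dcpromo lets you choose the new holder instead of
#    letting the demotion pick one for you.
ntdsutil "roles" "connections" "connect to server $NewDc" "quit" `
    "transfer pdc" `
    "transfer rid master" `
    "transfer infrastructure master" `
    "transfer schema master" `
    "transfer domain naming master" `
    "quit" "quit"

# If $OldDc has already crashed, Q223787 applies instead: replace each
# 'transfer' above with 'seize', and never put $OldDc back on the network
# unless it is rebuilt from scratch. A resurrected role holder would
# fight the new one for the role.

# 4. Verify every role now names the new DC and that the other DCs agree,
#    before running dcpromo on $OldDc.
Write-Host "Role holders after transfer:"
netdom query fsmo
dcdiag /test:knowsofroleholders

# 5. Only then demote the old DC. dcpromo is interactive; run it on $OldDc.
# dcpromo
```

The point of checking replication first (step 2) is that a role moved onto a DC whose copy of the directory is stale can be worse than leaving it where it was; the final netdom and dcdiag calls confirm that the transfer actually took before the old holder disappears.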

Three Knowledge Base articles are well worth reading if you're confused by any of these topics:

For an overview of flexible single-master operations (FSMO), look up Q223346, "FSMO Placement and Optimization on Windows 2000 Domain Controllers."

For step-by-step instructions on promoting a member server to a domain controller and demoting it again, see Q238369, "Promoting and Demoting Domain Controller to Member Server in Windows 2000."

Finally, if you run into problems (especially if the original DC that holds the single-master roles crashes and can't be recovered), Q223787, "Flexible Single Master Operation Transfer and Seizure Process," explains how to seize the roles on a surviving DC. Seizure is a last resort: a DC whose roles have been seized must never be returned to the network unless it's rebuilt from scratch, or you'll have two DCs that each believe they own the role.

Still having troubles with multi-master versus single-master roles? TechRepublic member jdavis offers this somewhat whimsical alternative: "Take the new server and place it in close contact with the old server. Now think really, really, really, really hard, and through willpower alone you can migrate your domain to the new directory model. If this doesn't work, then maybe you should wait one year before you upgrade. It is still a good idea to be just a little bit behind the bleeding-aorta edge of things."

A tip of the hat (and a TechRepublic T-shirt) for the suggestion!

Here's Ed's new challenge
It's every administrator's nightmare. You've just taken over a new job after the previous administrator left unexpectedly, and none of the surviving IT staffers know the password for a key Windows 2000 server. What alternatives do you have? I'm interested in third-party tools as well as functions built in to the operating system. I'll pass out a total of 1,000 TechPoints for the best solutions. If you can help, click here to tackle this week's Microsoft Challenge. Don't delay, though. I'll accept answers only until Thursday, March 23.