Determining Domain Migration Strategies

Previous Topic Next Topic

Considering the Upgrade of Resource Domains

If you are performing an in-place upgrade, you might consider upgrading your resource domains. Resource domains were used in Windows NT to hold the computer accounts of resources such as servers and client computers. Resource domains existed primarily to:


note-icon

Note

As part of your upgrade plan, your administrative model must reflect the implications of upgrading a resource domain. If you have already upgraded the account domain, and then you upgrade the resource domain as a child of the account domain, a transitive trust is established between them. For this reason, you need to consider how this transitive trust affects local administration of resources.

If you do not want administrative permissions to extend beyond the resource domain, you might consider other options, which include:

Restructuring resource domains into organizational units

You might rethink your domain structure and consider merging your resource domains as organizational units (OUs) into the upgraded account domain at a later time. This option would obviously influence your thinking on the order of domain upgrade.

Upgrading a resource domain within the existing forest and using Windows 2000 delegation of administration features

You can upgrade your resource domain to be in the same forest as the account domain(s) and use Windows 2000 delegation of administration features to limit the capabilities of the local administrators. Before you do this, check the administrative groups in the resource domain and remove all administrators who are not administrators in the account domains. If there are only local resource domain administrators, add one or more of your account domain administrators. These administrators will be able to administer the domain while it is being upgraded. As a further precaution, make sure that resource domain administrators do not have administrative access to the domain controllers through local computer accounts.

After the PDC is upgraded, you might create a new domain local group to hold your resource administrators, and use Windows 2000 delegated administration to grant them sufficient privilege to carry out their roles.

Upgrading a resource domain as a tree in a new forest

You can upgrade your resource domain and make it a tree in a new forest, linking the tree to the account domain through an explicit one-way trust. This would effectively mirror the structure that existed before the upgrade.

© 1985-2000 Microsoft Corporation. All rights reserved.