Migrating from Microsoft Windows NT 4.0 to
Microsoft Windows 2000
When you pass this exam,
you achieve Microsoft Certified Professional status. You
also earn credit toward the following certifications:
- Elective credit toward Microsoft Certified Systems
Engineer on Microsoft Windows 2000 certification
- Elective credit toward Microsoft Certified Systems
Engineer on Microsoft Windows NT 4.0 certification
According to Microsoft,
"This certification exam measures your ability to
migrate domains from Windows NT 4.0 to Windows 2000 and to
perform domain restructures. A migration can include an
upgrade only, a restructure only, or an upgrade and a
restructure. A migration refers to the changes made to the
Windows NT Server 4.0 environment during its promotion to
Windows 2000 Server. Migration encompasses two processes:
Domain upgrade - Windows NT Server 4.0 software is
upgraded to Windows 2000 Server on the PDC and some or all
of the BDCs
Domain restructure - Objects in a given domain are
relocated to a Windows 2000 domain that either is part of
the same forest or belongs to a different forest"
It is recommended that you first start by studying 70-210
and 70-215. When you are familiar with Windows 2000, you
should read this case study provided by Microsoft to get a
sense of the "Upgrade" we are talking about here.
You may also want to learn more about the Active
Directory Migration Tool (ADMT):
Key points to remember: Windows 2000 as an operating
Windows 2000 Server is suitable for a small
network (with around 100 users).
Windows 2000 Advanced Server is suitable for a
mid-size network (with a couple hundred users).
Both Windows 2000 Advanced Server and Windows
2000 Datacenter Server are suitable for a strict 24x7
environment because of their clustering capability.
The component in Windows 2000 that addresses
the problem of resource location is Active Directory. By
integrating Active Directory directory services with Windows
2000, all shared resources in your domain will be available
as objects in the directory.
Tools that can be used in Windows 2000 (but
not in WinNT) to simplify network management include:
Microsoft Management Console
DNS dynamic update protocol
Active Directory directory services
Windows Management Instrumentation
Windows Script Host
You may activate Windows 2000 Personalized
keep track of the programs you use
update the Programs menu to present only the
programs most frequently used
Key points to remember: Windows 2000 installation
Before you purchase new computers for Windows
2000, you must first verify that these hardware components
meet the minimum requirements for Windows 2000. You do this
by checking the Windows 2000 HCL.
If a computer component is not listed in the
HCL, you may still use it if a Windows 2000 driver is
According to Microsoft,
"HCL is a Web-based searchable database which is
updated as additional hardware is tested and approved."
It is best to start Windows 2000 Setup from the
CD. If your computer does not support booting from the
CD-ROM drive, you can start the computer by using the Setup
boot disks that come with Windows 2000.
When you want to install Windows 2000 Server
on a computer that will be a member server in an existing
Windows 2000 domain, you may add the computer to the domain
during installation if the following information is
DNS domain name of the domain you want to join
Either an existing computer account for this
member server, or the user name and password of the
administrator (such that you can create a computer account
for this computer)
Note that at the time of such installation a
domain controller and a DNS server must be available on
the domain you plan to join.
If you are installing Windows 2000 Server on a computer
that was previously running another operating system, you
should use a disk partitioning tool such as Partition Magic
to remove any existing partitions and create a new partition
suitable for Windows 2000 installation.
If you want to install Windows 2000 over the
network to a client computer, you must have the \i386 folder
ready in a network share on the distribution server. You
will also need to create a FAT partition (with a recommended
size of at least 1GB) on the target computer. Finally, you
need to have a network client boot disk ready so that the
target computer can be booted to connect to the distribution
Remote installation of Windows 2000 requires:
A Windows 2000 Server with RIS
A DNS server
A DHCP server
A Windows 2000 Active Directory domain
Client computers that can connect to the RIS
server via the network.
In Windows 2000, the Dynamic DNS feature
allows automatic updates to the primary server's zone
For Windows 2000 to work, you need a DNS
that supports the SRV record.
In WinNT, the DNS is static and must be
manually updated. Since it does not support SRV, you
should upgrade it to Windows 2000 DNS.
DNS Zones are used to divide a domain name
space into different administrative units.
DNS Name servers are used to store DNS zone
information as well as to perform name resolution.
You rely on a forward lookup query to resolve
a name to an IP address. On the other hand, you rely on a
reverse lookup query to resolve an IP address to a name.
A DNS name server must have at least one
forward lookup zone in order to enable name resolution.
A reverse lookup zone is not strictly
required, as it is mainly used by troubleshooting
utilities like Nslookup or by IIS logging.
You may use multiple DNS name servers to
provide redundancy and name resolution load sharing.
You should configure a DNS name server as a
root server only if you do not need Internet connectivity or
if you can access the Internet via a proxy server.
DNS Requirement for Active Directory Deployment:
Technical Details of DNS:
The Windows 2000 DHCP Service must first be
authorized in Active Directory in order to operate.
In the past, when you needed to add new
addresses to a subnet scope, you had to delete and
re-create the scope. In Windows 2000, you can simply create a new
scope with the additional addresses and then combine
it with the existing scope to form a superscope.
On a subnet with no DHCP server, you need to
configure a DHCP Relay Agent.
The Relay Agent can be configured through RRAS
when a Windows 2000 computer is acting as a router.
You may use DHCP option classes to manage
configuration details for your DHCP clients. The types of
option classes are:
If a DHCP client fails to obtain a lease
from a DHCP server, it will use Automatic Private IP
Addressing to generate a unique IP address.
The APIPA address is in the range
Each WINS client can use at most 12 WINS
Additional WINS servers provide an added level
of fault tolerance.
WINS support is essential for pre-Windows
When everything is Windows 2000, you may not
need to use WINS anymore.
A partition formatted with NTFS.
Enough disk space to store Active Directory.
System time settings are correct and
You may install the Active Directory directory
services using dcpromo to call up the Active Directory
A network running both NT and Windows 2000
is in Mixed mode. You must manually switch the
network to Native mode. To do so, you call up the Active
Directory Domains and Trusts snap-in from the Administrative
Native mode is required if you want to create
security-type universal groups.
If you have a weak link to your remote office,
it is best that you have a domain controller and a global
catalog server available in that office so that users
there can still log on and access resources when the
link is not working.
The global catalog contains the access
permissions for an Active Directory object. You must have
Read permission for an object in order to locate it.
Logon over the WAN link is not desirable as it
is slow and not very reliable. To facilitate logon,
you should configure a domain controller together with a
global catalog server at the remote office.
Site configuration can help as well. You can
create a site for the main office and another site for the
remote office. To do so, you must:
Create a subnet object for each network
Associate the subnet with the corresponding
Ensure that both sites are using the default
Note that you can assign costs to the
multiple links you have. There is no strict rule to such
assignment. However, if you want a link to be the
preferred one, you should assign a lower cost to it.
The recommended strategy of using domain local
and global groups is:
Place user accounts into global groups
Place global groups into domain local groups
Assign permissions to the domain local
User accounts in your network must have unique
names within their OU.
Computer accounts in your network must have
unique names within the entire Active Directory forest.
When you move an Active Directory object
from one OU to another OU, permissions assigned directly
to the object are retained. However, it will also inherit
the permissions from the new OU. Any previously inherited
permission will become ineffective.
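
The move rule above, worked through as an added Python example (not from the original page or from Microsoft): a pre-move check that lists which access entries an object would lose, gain and keep. It is a simplified model that ignores deny entries and blocked inheritance; every OU name, trustee and right in it is a constructed sample value.

```python
# Added illustration, not Microsoft code: a simplified model of how an object's
# effective ACEs change when it is moved between OUs. All OU names, trustees
# and rights are constructed sample values. Deny ACEs and blocked inheritance
# are out of scope for this sketch.

class OU:
    def __init__(self, name, parent=None, inheritable=()):
        self.name = name
        self.parent = parent
        # ACEs set on this OU that flow down to child objects: (trustee, right)
        self.inheritable = set(inheritable)

    def inherited_aces(self):
        """Collect inheritable ACEs from this OU and every OU above it."""
        aces, ou = set(), self
        while ou is not None:
            aces |= ou.inheritable
            ou = ou.parent
        return aces


def effective_aces(explicit, ou):
    """Explicit ACEs stay with the object; inherited ones come from its OU chain."""
    return set(explicit) | ou.inherited_aces()


def premove_report(explicit, old_ou, new_ou):
    """Return the ACEs lost, gained and kept if the object moves old_ou -> new_ou."""
    before = effective_aces(explicit, old_ou)
    after = effective_aces(explicit, new_ou)
    return {"lost": before - after, "gained": after - before, "kept": before & after}


# Constructed sample directory: two branches under one domain root.
root = OU("example.local", inheritable={("Domain Admins", "Full Control")})
sales = OU("Sales", root, {("Sales Helpdesk", "Reset Password")})
hq = OU("HQ", root, {("HQ Helpdesk", "Reset Password")})
hq_staff = OU("Staff", hq, {("HQ Auditors", "Read")})

# ACE assigned directly on the user object (constructed).
user_explicit = {("Payroll App", "Read")}

REPORT = premove_report(user_explicit, sales, hq_staff)

if __name__ == "__main__":
    for change in ("lost", "gained", "kept"):
        for trustee, right in sorted(REPORT[change]):
            print(f"{change:6} {trustee}: {right}")
```

During a domain restructure, reviewing the "gained" set before each move shows which delegated administrators of the target OU will acquire rights over the migrated accounts.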
You may delegate administrative control of
the accounts in an OU to your peer via the Delegation Of
You must have the List Contents permission
in order to view the objects in an OU.
You must have the Create Organizational Unit
Objects permission in order to create objects in an OU.
Group Policy Container
Group Policy Template
GPOs implementation order:
To implement restrictions on what a particular
group of users can do on their desktops, you should add
these users in an OU and link a GPO to this OU.
You may "Block Policy Inheritance" at the OU
level. However, the upper level can configure to disallow
You may prevent a user group from being
affected by certain policies. You do this by denying the
Apply Group Policy permission on the discretionary access
control list of the GPO for the corresponding security
You may use Windows 2000 to manage software
through Windows Installer and Windows 2000 Software
Installation And Maintenance.
You may deploy applications by linking the
corresponding GPOs at the domain to the OU levels.
You should assign an application to the
computers if that application is required by all of your
You should assign an application to the users
if only certain users are allowed to use it.
Windows 2000 Group Policy White Paper:
Intro to Desktop Management:
Linking Group Policy:
Key points to remember: Remote Access in a Windows 2000
L2TP supports header compression and can work
closely with IPSec. It is more secure than PPTP.
PPTP is good for backward compatibility.
Non-Windows 2000 computers do not work with L2TP.
You may share your Internet connections. This
feature is known as Internet Connection Sharing (ICS).
Remote access policies are stored locally on the
remote access server. This is because different
remote access servers have different capabilities; not
all RAS servers are equal.
In a mixed-mode domain, the access permission
setting on the Remote Access policy is overridden.
The server side authentication setting must
match that of the client side.
Client side authentication settings are
configured in the user's remote access profile.
Connecting users using L2TP:
Planning for IPSec:
Managing Remote Access:
User dial-in properties:
Key points to remember: Upgrading to Windows 2000
To upgrade a server running Windows NT 3.5 to
Windows 2000, you must first upgrade it to Windows NT Server
3.51 or 4.0.
To allow Win95/98 computers to access Active
Directory directory services, you should install the
Directory Service Client for Windows 95 or 98.
To facilitate system recovery in case the
upgrade fails, you should synchronize a BDC with the PDC and
keep this BDC offline before proceeding with the upgrade.
To upgrade a Windows NT 4.0 single master
domain model network to Windows 2000 Active Directory, you
should upgrade the master domain to Windows 2000 so that a
root domain can be created.
To migrate a multiple master domain model
network to Windows 2000 Active Directory where a new empty
root domain is already in place, you should:
Upgrade the PDCs in the resource domains
Instruct the Active Directory Installation wizard to
make a new child domain in an existing domain tree.
Make the resource domains the child domains of the
existing master domains.
Upgrade the BDCs.
When upgrading to Windows 2000, the existing
local groups remain intact and group membership remains
Guide to Windows Interoperability in a Mixed-Platform
You may restructure your domains:
immediately after upgrade
in place of an upgrade
as a general domain redesign in the future
Post Upgrade Migration:
this involves reworking the existing domain
Instead of Upgrade Migration:
design and build a pristine forest first.
After you have built the pilot project, begin domain
restructuring by migrating in small phases.
domain restructure takes place as part of a
general domain redesign in a pure Windows 2000 environment
sometime in the future.