
Which should I make the forest root -- my registered DNS name or an upgraded domain controller?

Is it best to use an empty root domain?

I am the administrator of a small NT 4.0 network consisting of two domains with a complete trust set up between them. We plan to migrate to Windows 2000 with Active Directory in early 2003. We have a registered domain name and host our own Web site. Our DNS service is hosted by a third party. Our users access the Internet via a Microsoft proxy server.

My plan was to put up a new Win2k server, run DCPROMO, have it run the DNS service and use our registered DNS name as the forest root. I would then upgrade our existing PDCs (primary domain controllers) in each domain and create child domains beneath the root. My partner believes we should just upgrade one of the existing DCs (domain controllers) first and make it the forest root. What's your opinion?

If another outside company is hosting the DNS service, then, unless you plan to bring this internally, you should not use the registered name as the forest root. You can successfully use a subdomain as the forest root. So if MyCompany.com is the registered root, you can use Internal.MyCompany.com, Corp.MyCompany.com, Office.MyCompany.com or whatever suits you. That having been addressed, let's look at your options for the upgrade path.

My first question would have to be why do you have two domains with a complete trust? If they are completely trusted I would be leaning more towards eliminating the two domains, as opposed to trying to build them into my new AD configuration. Organizational units (OUs) would more than likely provide sufficient separation of the groups and allow you to administer the resources, machines and users separately.

For the moment let us assume that you like my choice and decide to abandon the two domains and merge them into one. You can do the merge before or after. My choice would be after. I like to build an Active Directory infrastructure and then migrate the users and resources into the new domain. The ADMT (Active Directory Migration Tool) can solve the problem of moving user accounts, machines and permissions into the new domain. Doing it this way also allows you to migrate users with the least amount of risk and interruption. If they can't access resources or log in, they can still revert back to the old NT 4.0 domain and continue working. Once everyone is moved, then you take down the NT 4.0 domains and are left with your well-designed Windows 2000 Active Directory. Pretty cool.

Now let's say instead that you have business or organizational reasons for not moving to a single domain, as I suggested. Creating an Active Directory domain and then moving the other two into the new AD is a bit more work and certainly results in more hardware being required. If, however, the two domains need to be separated but you want to maintain centralized control over the organization, this is not a bad way to go.

Your partner's choice of simply upgrading both domains is the easiest, but probably takes the least advantage of Windows 2000's Active Directory.

In either case (since we are assuming here that you didn't take my advice), your migration probably carries with it more risk or at least interruption to users. You will need to perform the upgrade after regular business hours, as it will definitely affect the users. In addition, if your upgrade produces problems, you will be very busy trying to get everyone back in working order. If the domains are relatively error-free now, then you probably won't experience any problems.
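The naming advice at the start of the answer (use a subdomain of the registered name when the public zone is hosted elsewhere) can be turned into a pre-flight check before DCPROMO is run. The following is an added example, not code from the original answer; the `resolve` callable, the sample domain `mycompany.com` and the NetBIOS names are assumptions supplied by the caller, so the check runs offline.

```python
import re

# RFC 1035-style hostname label: letters, digits and hyphens, 1-63 chars,
# no leading or trailing hyphen (hypothetical helper, not from the page).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_forest_root(candidate, registered, existing_netbios, resolve,
                      dns_hosted_externally=True):
    """Return a list of problems with using `candidate` as the AD forest root.

    registered            -- the public, registered DNS name (e.g. "mycompany.com")
    existing_netbios      -- NetBIOS names of NT 4.0 domains kept during migration
    resolve               -- callable(fqdn) -> True if public DNS answers for it
    dns_hosted_externally -- True when a third party serves the public zone
    """
    problems = []
    cand = candidate.rstrip(".").lower()
    reg = registered.rstrip(".").lower()
    labels = cand.split(".")

    if any(not _LABEL.match(label) for label in labels):
        problems.append(f"invalid DNS label in {cand!r}")
    if len(cand) > 253:
        problems.append("name longer than 253 characters")

    if cand == reg:
        # Using the registered name itself only works if the zone is served internally.
        if dns_hosted_externally:
            problems.append(f"registered name is served externally; "
                            f"use a subdomain such as corp.{reg}")
    elif not cand.endswith("." + reg):
        problems.append(f"{cand!r} is not a subdomain of the registered name {reg!r}")

    # The default NetBIOS domain name is the first label cut to 15 characters;
    # it must not clash with the NT 4.0 domains that remain while accounts move.
    netbios = labels[0][:15].upper()
    if netbios in {n.upper() for n in existing_netbios}:
        problems.append(f"default NetBIOS name {netbios} clashes with an existing NT domain")

    # A subdomain that public resolvers already answer for would end up with two
    # authorities: the internal AD zone would shadow the public records.
    if cand != reg and resolve(cand):
        problems.append(f"{cand!r} already resolves in public DNS; "
                        f"the internal zone would shadow it")
    return problems
```

An empty list means the candidate is safe to hand to DCPROMO as the new forest root name.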
