Proving that you’re ready to perform a migration to Windows 2000 requires a deep understanding of Windows 2000, Active Directory, NT 4.0, and the tools in the Win2K Resource Kit.
Passing the Migrating to Win2K exam demonstrates that
you have knowledge of Windows NT 4.0, Windows 2000, Active
Directory design, and the ability to plan and manage a
migration from an NT 4.0 network to a Win2K network. Migration
is the premier Win2K skill set. Both large and small organizations
will need to move their entire networks from NT 4.0 in
the next couple of years, and experts who can plan and
manage a migration are few and far between. If you want
to show you have what it takes, this exam is for you.
However, make no mistake, this test is in-depth, broad-based,
and darned difficult. If you pass it, you’ll have distinguished
yourself from the rest of the pack.
to Win2K (70-222)
“This exam is hard! Be sure you practice
with and have an in-depth knowledge
of the migration tools before you take
Migrating from Microsoft Windows NT
4.0 to Microsoft Windows 2000
Went live Nov. 15, 2000.
Number of Questions:
Two case study-based testlets on the
beta, each with 14 to 15 questions,
plus 31 multiple-choice questions not
associated with a case study. Total
number of questions: 60
220 minutes for beta, plus 20 minutes
for comments for a total of four hours.
Who should take
it? Counts as an elective exam
for the Win2K MCSE certification. Passing
it makes you an MCP.
What course prepares
you? No. 2010: Designing a Microsoft
Windows 2000 Migration Strategy, two
The exam uses a unique format; half of it is case-study
based, and the other half consists of multiple-choice
questions that aren’t based on a case study. This exam
is loaded with the new “build tree and reorder” style
of questions. Download the case study-based test demo
(choose Testing Innovations from the left menu) and practice
answering the sample questions.
In this type of question, you’re given a scenario at
the top of the dialog box. Then you must select the items
or actions from the right window that apply to the scenario
and move them to the left window. Then, in the left window,
you must put the items or actions in the order indicated
by the scenario. These questions are exceptionally difficult
because they not only test to see if you know exactly
what must be done, but also the order in which actions
should take place. Make sure you know the order of actions
in a migration or you’ll be unable to answer these questions
Developing the Migration Strategy
There are three types of migrations: domain upgrade,
domain upgrade and restructure, and domain restructure.
Each migration type applies to a different type of domain
environment. You must take a variety of factors into account
when choosing the migration strategy, including the current
hardware, security, network infrastructure, application
compatibility, current domain design, business needs,
technical needs, and existing network services. You should
know how each of the above-named issues affects your choice
of a migration type and how to choose the appropriate
type of migration based on those issues.
Tip: Be sure you know how
to perform each type of migration, the order in which
domains should be upgraded/migrated, and when to use each
type of migration strategy.
Become thoroughly familiar with all of the security issues
surrounding a domain upgrade or restructure. Be sure you
know how to maintain seamless user access to resources
during and after the migration.
Tip: Be sure you understand
how SID histories work, when to use them, when to remove
them, and which migration tools maintain SID history and
which ones don’t. Remember, if you choose to use SID histories,
users with more than a total of 1,023 SIDs may not be
able to log on or access resources on the network.
Preparing the Environment
The objectives under this heading involve preparing the
new environment that will be the target of the upgrade,
as well as preparing the source environment for the upgrade
process. The first task in preparing the new environment
involves either upgrading your DNS services to ones that
support Active Directory or installing and configuring
the Win2K DNS service and configuring it for dynamic updates.
Tip: Ensure that you know
which versions of the UNIX Bind service are capable of
supporting Active Directory—and the reasons for continuing
to use it instead of the Win2K DNS service.
The second part of preparing the new environment involves
either upgrading one of your source NT 4.0 domains to
Win2K or installing Win2K in a new, clean, “pristine”
You also need to back up your old environment in such
a way that you can quickly recover your old environment
in case the migration runs into issues that can’t be resolved
quickly enough to keep users up and running without a
long network outage. This includes backing up the databases
for various network services, including WINS, DNS, DHCP,
and so on. It also involves backing up your existing user
accounts and domain information in such a way that you
can quickly recover your existing domain environment.
Tip: Consider installing
NT 4.0 on an additional domain controller, synchronizing
the new controller with the existing PDC, and then taking
the new domain controller offline during the migration/upgrade
process to ensure that you can quickly restore your existing
environment by bringing the controller back online, promoting
it to PDC, and then synchronizing with the existing BDCs
to restore your network to its pre-migration state. Be
sure to take the existing PDC offline during the process
to ensure that it doesn’t corrupt this process. Then bring
it online, demote it to a BDC, and synchronize it with
the new PDC.
Planning and Deploying a Domain Upgrade
When you upgrade an NT 4.0 domain to Win2K, you have
to deal with a lot of ongoing issues. First, you must
choose which computers will be upgraded—and when. For
example, you can upgrade member servers and workstations
at any time, but the BDCs can’t be upgraded until the
PDC has been upgraded. If you’re running the NT 4.0 DNS
service on a member server, that server must be upgraded
to Win2K before you upgrade any domain controllers to
provide the DNS services required by Active Directory.
If you’re using logon scripts and NT 4.0 system policies,
you may run into replication issues once the PDC has been
upgraded, because Win2K doesn’t support the NT 4.0 LAN
Manager replication service.
Tip: Before you upgrade
any domain controllers, determine which BDC will be the
last one to be upgraded and configure it as the source
server for replication of logon scripts and system polices;
configure all of the other BDCs to use it as the source.
Once the PDC is upgraded to Win2K, implement lbridge.cmd
to ensure that the NT 4.0 BDCs are kept up to date with
the most current logon scripts and system policy files
stored on the Win2K domain controllers.
Also, only NT 4.0 computers use NT system policy—Win2K
computers don’t. Therefore you must migrate your system
policy settings to Group Policy so the same settings will
be applied on all computers in the domain.
Authentication can be a problem in a mixed NT 4.0/Win2K
environment. RAS and RRAS servers use an authentication
method unsupported by default in Win2K. To ensure that
remote users are authenticated in a mixed environment,
select the “Permissions compatible with pre-Windows 2000
Tip: If you don’t know whether
the appropriate option was selected, make sure that the
Everyone group is a member of the Pre-Windows 2000 Compatible
Access domain local group. This ensures that authentication
of remote users on NT 4.0 RAS and RRAS servers works correctly.
Herein lies the heart of the exam. There are two types
of migrations: those that consolidate multiple Win2K domains
in a single forest (called an intra-forest restructure)
and those that consolidate NT 4.0 and Win2K domains into
one or more Win2K domains in a different forest (called
an inter-forest restructure). Microsoft provides many
tools for performing restructuring tasks, including the
Active Directory Migration Tool (ADMT), ClonePrincipal,
Movetree, and Netdom. ADMT is a wizard-based graphical
tool that can be used for both types of migrations. ClonePrincipal
is really a series of Visual Basic scripts that perform
various inter-forest migration tasks. Movetree is a command-line
tool used to perform various intra-forest migration tasks.
Finally, Netdom is a command-line tool used to view and
manage trust relationships in both NT 4.0 and Win2K environments.
Tip: Practice using each
of these tools in a test lab environment until you’re
familiar with the capabilities and limitations of each,
and know the nuances of each tool. Be sure you know how
each tool manages passwords on migrated user accounts.
Before you’re ready to perform a migration, you need
to establish the new environment. Be sure you’ve created
the destination OUs and delegated control of those OUs
to the appropriate administrative users/groups. Also,
ensure that you’ve created all of the required trust relationships
between the source domains and the target Win2K domain.
Tip: You can use Netdom
to create and verify all of your trust relationships prior
to migration. You can also use it to document the existing
trusts in your environment before beginning the migration
In addition to establishing trust relationships, the
target domain must be a Win2K domain in native mode, and
the source domain controller must have TCP/IP client support
Tip: To enable TCP/IP client
support, the following registry entry must exist on the
source domain controller: HKEY_LOCAL_ MACHINE/system/CurrentControlSet/
Lsa/TcpipClientSupport. It must be a REG_DWORD with a
value of 0X1. TCP/IP client support should be disabled
(set to 0) whenever migration tools aren’t in use.
This is a huge objective! With any type of network activity
as complex as domain restructuring, there will be problems.
Of course, it will be up to you to troubleshoot and resolve
them. You might encounter myriad problems; each requires
its own, special solution. The key to avoiding problems
lies in proper planning; however, even the best-laid plans
can miss a minor point or be derailed by hardware or authentication
issues. The best preparation for this part of the exam
is a deep understanding of all of the technical issues
surrounding a migration and thinking through as many of
the possible problems in each type of migration.
Also, preparing for problems is almost mandatory when
performing a migration. You must back up your existing
environment in such a way that it can be quickly restored
in the event that the migration fails. Be sure you know
not only how to back up domains and various networking
services, but also how to restore a partially migrated
environment to its pre-migration status.
Making It to the Top
Pass this exam, and you’ll demonstrate that you have
what it takes to migrate any type of NT 4.0 network to
Win2K. You’ll have shown that you stand out from the crowd
of MCSEs who don’t have the experience to take on tough
migration jobs. Being successful requires years of experience
with NT 4.0 and Win2K and a deep understanding of the
migration process. I don’t think we’ll see a lot of new
MCSEs passing this exam. If you feel up to the challenge
and want to demonstrate your expertise in the migration
process, here’s your chance. Good luck!