Closing the Active Directory gap

So you've been working with NT domains for a few years, and now you're staring Active Directory in the face. Directories being the complex beasts they are, you know that you're in for a real challenge if you're going to move to Microsoft's next- generation operating system, Windows 2000. Here are a few things that will help you get your NT 4.0 domain infrastructure in order before you flip the switch on Active Directory.

  • Verify the information you already have in your domains. Chances are your old domains have grown cluttered, full of user IDs of past employees, groups that exist for no apparent reason, and accounts that haven't seen action for two months because the users have moved from marketing to sales.

    There's no point in migrating all your garbage to Windows 2000 - clean it up now. Tools such as Entevo's DirectManage suite ( have domain searching and reporting capabilities that can help you weed out duplicate or outdated information within your domains.

  • Consolidate your existing domains. The easiest way to populate your Active Directory will be to do so from a single domain. Many NT 4.0 shops have divided their installations into several domains in order to accommodate multiple geographical locations or autonomous departments. You'll save effort during the upgrade if you consolidate them now.

    The main issues you'll face when consolidating NT 4.0 domains are resolving disparate naming standards and reconciling security policies. Products such as FastLane Technologies' DM/Manager ( and Mission Critical's Domain Administrator ( can help you address these issues for consolidating NT 4.0 domains and migrating NT 4.0 domains to Active Directory.

  • Test the political waters. Educate management and users on the new Active Directory hierarchy and how the migration will affect how they locate and use network resources. You can do this with any number of Active Directory modeling tools.

    For example, Aelita Software Group ( offers a utility called Delegation Manager that lets you create an Active Directory structure, test it in a controlled environment to see if it works and gain management's approval, and then roll back the changes if you don't like it.

  • Minimize the risk when making your move. There are two different scenarios for the migration. The wrong way is to do an in-place upgrade to Windows 2000 at your NT 4.0 primary domain controller and upgrade the entire domain at once. This converts your network irrevocably to Windows 2000. You can't undo it, which is risky.

    The better option is an incremental migration of domain information to Active Directory. This means you move your users over in subgroups, ensuring that both the old NT 4.0 account and the new account in Active Directory have access to the resources. In this respect, you keep the NT 4.0 domain structure intact, so if you do have any problems you can always revert to it and maintain service levels. This is an essential requirement for moving any large enterprise NT 4.0 installation to Active Directory.

  • This story, "Closing the Active Directory gap" was originally published by Network World.

    ITWorld DealPost: The best in tech deals and discounts.
    Shop Tech Products at Amazon