Thursday, April 21, 2005 9:22 AM
by
rclaus
NT4 to AD Upgrade - Post Upgrade Tasks (In-Place Migration - Part 7)
Here are some more details on the post-upgrade tasks I have implemented in my In-Place Migration strategy for customers migrating from NT4 to Windows Server 2003. As I previously stated (and have to state once again) - this is not meant to be an exhaustive list, but rather a guide to what you should include in your in-place upgrade plans. As always - your mileage may vary - ensure you have a good plan in place and know what you are doing before proceeding.
What have we got now? An NT4 domain that has been upgraded in place using a temporary BDC. We have all-new, clean Windows Server 2003 installs promoted to become DCs as well, and we have distributed the FSMO roles to the appropriate servers. We are running in mixed mode and things are just perfect. There has been minimal interruption to your end users (they couldn't change their password for maybe an hour at most, and no new accounts or groups could be created), but that was only temporary. They could still log on and work as normal without any problems. Let's finish this up.
Post upgrade tasks
OS upgrade your NT4 BDC machines and cancel the DCPROMO process on first reboot
I want to get out of mixed mode as soon as possible. Why? Because without native mode I can't nest global groups, and I still have to worry about replication to the old NT4 BDCs. Besides - those old BDCs would look great in my test lab or as a new foot rest under my desk. Go ahead with an OS upgrade on these NT4 BDCs - again about 36 minutes or so for each box - but they can be done in parallel to speed things up. Once the first reboot occurs, they will auto-logon and launch DCPROMO. The first question it asks is whether you want this machine to continue to be a domain controller - select NO and complete the wizard. It removes the domain controller role and reboots the system.
Shutdown old BDCs and remove their computer accounts from the new domain.
Once they come up from their last reboot they are member servers and can be safely shut down and their computer accounts deleted from AD. If they are to be re-used, I suggest that you reformat and re-install Windows Server 2003 to get a clean install on the hardware, and then join them to the AD domain with new computer names.
Switch to native mode AD
The moment you have been waiting for - flip the switch (or rather change the drop-down box) and raise the domain functional level to Windows Server 2003 (Windows 2000 native is the intermediate step; both are a one-way change, so there is no going back to mixed mode). This can be done from Active Directory Users and Computers or from the Active Directory Domains and Trusts MMC console. You won't have an impact on your users, and your NT4 BDCs are no longer in existence - which is exactly the precondition the raise requires.
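The pre-flight check I would script before raising the level, as an added example that is not part of the original post. It uses the ActiveDirectory PowerShell module (RSAT, a later tool than the 2003-era GUI the post describes) and assumes a DC reachable through Active Directory Web Services. The SERVER_TRUST_ACCOUNT bit (0x2000 = 8192) is what marks a computer account as a DC or BDC, so any account carrying it that has no matching AD domain controller object is assumed here to be a leftover NT4 BDC:

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
Write-Host "Domain $($domain.DNSRoot) is currently at functional level: $($domain.DomainMode)"

# 1. Every account with userAccountControl bit 0x2000 (SERVER_TRUST_ACCOUNT) is a
#    DC/BDC account, including NT4 BDCs that never got an NTDS Settings object.
$dcAccounts = Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' `
                             -Properties operatingSystem

# 2. Get-ADDomainController only enumerates real AD DCs (those with NTDS Settings).
$adDcs = Get-ADDomainController -Filter *

# Anything in (1) but not in (2) is assumed to be an NT4 BDC still registered in the domain.
$leftovers = $dcAccounts | Where-Object { $adDcs.Name -notcontains $_.Name }
if ($leftovers) {
    Write-Warning "Still registered as DC/BDC accounts with no NTDS Settings: $($leftovers.Name -join ', ')"
    Write-Warning 'Demote or delete these before raising the functional level.'
    return
}

# 3. Windows Server 2003 level requires every DC to run Windows Server 2003 (or later).
$downlevel = $adDcs | Where-Object { $_.OperatingSystem -notmatch 'Server 2003|Server 2008|Server 201|Server 2022' }
if ($downlevel) {
    Write-Warning "Down-level DCs present: $($downlevel.HostName -join ', ')"
    return
}

# 4. FSMO roles should all be on the new DCs before the raise; print them for the change record.
$adDcs | Where-Object { $_.OperationMasterRoles } |
    ForEach-Object { "{0}: {1}" -f $_.HostName, ($_.OperationMasterRoles -join ', ') }

# 5. Raise. This is irreversible, hence the explicit confirmation prompt is left on.
Set-ADDomainMode -Identity $domain -DomainMode Windows2003Domain
(Get-ADDomain).DomainMode
```

Run it from a member server or DC with RSAT installed; the final line re-reads the domain so you can confirm the new level in the same session.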
Build OU structure
So you have your AD, you have all-new domain controllers, and you are now running in native mode. Now is the time to implement the power of AD by creating your OU structure. It can be created by hand, or an LDIF file from a previous lab exercise can be imported with ldifde - your choice. It shouldn't be complex if you followed my KISS and NIRVANA principles for AD design.
Implement Administrative delegation strategy
Once you are in native mode, you can start to implement nested groups and clean up that bloated Domain Admins group that was migrated. Create new global groups, delegate out the rights each role actually needs, and then remove those users from Domain Admins. It's very satisfying to see this take place, but once again - you designed this strategy in your AD design and tested it in the first phase of your lab environment. Now is the time to clean up and regain control of your NT4 administration nightmare.
Implement group policy strategy
Your Group Policy testing took place in the first stage of the lab. I hope that you were using the GPMC and were able to back up (export) your policies. You can now import them into your production environment and link them to the OU structure you have just implemented.
Move Users, groups and Computer accounts into proper OU structures
Now that your delegation is in place and your GPOs are in place, it's time to move the users, computers and groups into your new structure and call it a day. Moving an account between OUs keeps its SID and password, so your existing systems won't notice anything until they next renew their secure channel with the domain. A reboot or patience will fix this. Soon enough you will have your GPOs humming and applied to your systems.
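The four build-out steps above (OU structure, delegation, GPO import, moves) as one scripted pass, added here as an example and not part of the original post or the author's own scripts. It assumes the RSAT ActiveDirectory and GroupPolicy modules, a GPMC backup folder at C:\GPOBackups containing a backup named "Workstation Baseline", and a deliberately small OU layout (Corp, with Users, Workstations and Groups under it) and a helpdesk group name; all of those are assumptions you would replace with the names from your own design:

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory + GroupPolicy
# modules and a GPMC backup under C:\GPOBackups (assumed path and backup name).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$corpOU   = "OU=Corp,$domainDN"

# --- 1. OU structure (assumed layout) ---------------------------------------------
$ous = @(
    @{ Name = 'Corp';         Parent = $domainDN },
    @{ Name = 'Users';        Parent = $corpOU },
    @{ Name = 'Workstations'; Parent = $corpOU },
    @{ Name = 'Groups';       Parent = $corpOU }
)
foreach ($ou in $ous) {
    $dn = "OU=$($ou.Name),$($ou.Parent)"
    # LDAP filter on distinguishedName returns nothing (no error) when the OU is absent.
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(distinguishedName=$dn)" -SearchBase $domainDN)) {
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Parent -ProtectedFromAccidentalDeletion $true
    }
}

# --- 2. Delegation: a global group that may reset passwords in the Users OU ---------
$groupName = 'Helpdesk-PasswordReset'   # assumed name
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path "OU=Groups,$corpOU"
}
$groupSid = (Get-ADGroup $groupName).SID

# Well-known schema GUIDs: the "Reset Password" extended right and the user object class.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0562'
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$usersPath = "AD:\OU=Users,$corpOU"
$acl = Get-Acl -Path $usersPath
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($ace)
Set-Acl -Path $usersPath -AclObject $acl

# Trim Domain Admins: anyone now in the helpdesk group no longer needs domain-wide rights.
# (Administrator is left alone.)
$helpdesk = Get-ADGroupMember $groupName -Recursive | Where-Object { $_.objectClass -eq 'user' }
$toRemove = Get-ADGroupMember 'Domain Admins' |
    Where-Object { $_.SamAccountName -ne 'Administrator' -and $helpdesk.SID -contains $_.SID }
if ($toRemove) { Remove-ADGroupMember -Identity 'Domain Admins' -Members $toRemove -Confirm:$false }

# --- 3. GPO import from the lab backup and link to the OU -------------------------
Import-GPO -BackupGpoName 'Workstation Baseline' -Path 'C:\GPOBackups' `
           -TargetName 'Workstation Baseline' -CreateIfNeeded | Out-Null
New-GPLink -Name 'Workstation Baseline' -Target "OU=Workstations,$corpOU" -LinkEnabled Yes -ErrorAction SilentlyContinue

# --- 4. Move migrated accounts out of the default containers ----------------------
Get-ADComputer -SearchBase "CN=Computers,$domainDN" -SearchScope OneLevel -Filter * |
    Move-ADObject -TargetPath "OU=Workstations,$corpOU"

Get-ADUser -SearchBase "CN=Users,$domainDN" -SearchScope OneLevel -Filter * |
    Where-Object { $_.SamAccountName -notin @('Administrator', 'Guest', 'krbtgt') } |
    Move-ADObject -TargetPath "OU=Users,$corpOU"
```

Step 2 is the part worth dwelling on: the ACE grants only the Reset Password extended right, only on descendant user objects of that one OU, which is the least-privilege replacement for the migrated habit of dropping helpdesk staff into Domain Admins. Step 4 deliberately skips the built-in Administrator, Guest and krbtgt accounts; domain controllers are never touched because they live in the Domain Controllers OU, not CN=Computers.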
Welcome to the wonderful world of AD and all it entails. Any final comments before my final post on this In-Place migration series? Click on the Feedback/Comments link at the end of this post to make sure you are heard.
Stay tuned to the next post in this series - Wrap up Tomorrow!