Restructuring, Migrating, and Upgrading Domains to Windows .NET Server 2003 (David Rheaume, Microsoft Support WebCast transcript)
1
Restructuring, Migrating, and Upgrading Domains
to Windows .NET Server 2003
David Rheaume
Technical Lead, Directory Services
Microsoft Corporation
2
Objectives
  • This WebCast will outline strategies used to
    upgrade Microsoft Windows NT 4.0-based and
    Windows 2000-based domains to Windows .NET
    Server 2003 Active Directory.
  • You will also learn some of what Windows .NET
    Server 2003 can do for you, and how it will
    improve your existing business network.

3
Agenda
  • What's New in Windows .NET Server 2003
  • Introduction to Functional Levels
  • Windows NT Domain Upgrade
  • Windows 2000 Domain Upgrade
  • Domain Restructuring Using ADMTv2

4
What's New in Windows .NET Server 2003 Active
Directory?
  • Replication Topology Engine that Scales to
    Thousands of Sites
  • Domain Rename
  • Deploying Sites and Logging on Without Local
    Global Catalog Servers
  • Resultant Set of Policy Planning and Logging
  • Transitive, Cross-Forest Kerberos Trusts
  • Schema Defunct and Redefine
  • Application Partitions

5
How Do We Do It?
  • Many features work with existing Windows NT 4.0
    and Windows 2000 domain controllers.
  • Some great new features are not backward
    compatible with Windows NT 4.0 or Windows 2000.
  • These new features require a versioning solution
    to prevent interoperability problems.
  • The solution: forest and domain functional
    levels.

6
Functional Levels in Windows .NET Server 2003
  • Active Directory Versioning Scheme
  • Enables new and non-backward compatible features.
  • One-way operation.
  • Think Windows 2000 native mode.
  • Domain Functional Levels
  • Forest Functional Levels
  • Defined by Attribute of Domain and Configuration
    Containers

7
Mixed Mode Domains
  • Windows NT Controllers Allowed
  • Similar to Windows 2000 Mixed Mode Domain
  • Previous version (Windows NT 4.0 Server) domain
    controllers constrain domain features.
  • No universal or nested groups.
  • No sIDHistory.
  • Windows 2000 Domain Controllers
  • Allowed, but not required.
  • Windows .NET Server 2003 can upgrade Windows NT
    4.0 and Windows 2000 domain controllers and
    member servers.


8
Native Mode Domains
  • No More Windows NT 4.0 Domain Controllers
  • Any Win32 client or member server is still okay.
  • All domain controllers must be Windows 2000 or
    Windows .NET.
  • Windows 2000 domain modes do not increment
    msDS-Behavior-Version.
  • Enables User and Group Management Features
  • Windows 2000 and Windows .NET domain controllers
    only
  • Mixed and Native Mode Defined by nTMixedDomain
  • 0 (zero) or no value means native mode
  • 1 means mixed mode

9
Functional Levels
  • New in Windows .NET Server 2003
  • Introduce new features not compatible with
    previous version domain controllers
  • Manually advanced when all domain controllers in
    domain or forest are running Windows .NET Server
  • Defined by msDS-Behavior-Version attribute on
    Domain and Partitions Containers
  • DC=<domain>,DC=<tld>
  • CN=Partitions,CN=Configuration,DC=<domain>,
    DC=<tld>

10
Functional Levels (2)
  • Windows .NET Domain
  • Windows .NET Interim Forest
  • Windows .NET Forest
  • http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsnetserver/evaluate/cpp/reskit/adsec/part1/rkpdsefl.asp

11
Domain Functional Levels
  • All Domain Controllers Are Windows .NET
  • Windows 2000 and Windows NT domain controllers
    are blocked.
  • Manually advanced using Active Directory Domains
    and Trusts (Domain.msc).
  • Also exposed through ADSIEdit.msc, LDP, or
    script, for example.
  • msDS-Behavior-Version = 2 on DC=<domain>,DC=<tld>
  • msDS-Behavior-Version = 1 defines interim domain
    mode, but is unused.

12
Features by Domain Functionality
13
Forest Functional Levels
  • Windows .NET Forest Mode
  • All domain controllers in the enterprise must run
    Windows .NET Server 2003.
  • Advanced using Domain.msc or by setting
    msDS-Behavior-Version = 2 on CN=Partitions,
    CN=Configuration,DC=<domain>,DC=<tld>.
  • Windows .NET Interim Forest Mode
  • Allows Windows NT 4.0 domain controllers.
  • Windows 2000 domain controllers are not allowed.
  • The only UI for selecting it is creating a new
    forest through upgrade and DCPromo of a Windows
    NT 4.0 primary domain controller (PDC).

14
Features by Forest Functionality
15
Best Practices for Functional Levels
  • Windows NT 4.0 Upgrade
  • Windows .NET interim forest mode on restart and
    DCPromo
  • Enables Windows .NET Server 2003 enhancements to
    Intersite Topology Generator and Knowledge
    Consistency Checker
  • Makes replication more efficient and robust
  • When all domain controllers are upgraded, advance
    forest to Windows .NET mode
  • Native mode domains will automatically transition
    to Windows .NET domain level when forest is
    advanced

16
Best Practices for Functional Levels (2)
  • Windows 2000 Domain Upgrade
  • Native mode is best for mixed Windows 2000 and
    Windows .NET Server 2003 networks.
  • No functional level change until all domain
    controllers are Windows .NET Server 2003.
  • When all domain controllers run Windows .NET,
    advance the forest to Windows .NET forest mode.
  • When forest is advanced, the domains will
    automatically advance to Windows .NET domain mode.
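The two best-practice slides above both reduce to one check: read the versioning attributes on the domain head and on CN=Partitions, then confirm that no pre-.NET domain controller remains before the one-way level change. The following script is an added example, not part of the WebCast (PowerShell postdates this deck); it uses the [ADSI] type accelerator and System.DirectoryServices, assumes a domain-joined host with an account that can read the directory, and the names $domainNC, $configNC and Get-FirstValue are its own.

```powershell
# Added example (not from the WebCast). Reads the raw versioning attributes
# the slides describe and inventories domain controllers before a level is
# advanced. Assumes a domain-joined host and a directory-reading account.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = $rootDse.defaultNamingContext.Value         # DC=<domain>,DC=<tld>
$configNC = $rootDse.configurationNamingContext.Value   # CN=Configuration,...

$domainObj  = [ADSI]"LDAP://$domainNC"
$partitions = [ADSI]"LDAP://CN=Partitions,$configNC"

# nTMixedDomain (slide 8): 1 = mixed mode, 0 or no value = native mode.
$mixed      = $domainObj.nTMixedDomain.Value
$domainMode = if ($mixed -eq 1) { 'mixed, Windows NT 4.0 DCs allowed' } else { 'native' }

# msDS-Behavior-Version on the domain head (slide 11) and on CN=Partitions
# (slide 13). An absent attribute casts to 0, the Windows 2000 level.
$domainLevel = [int]($domainObj.'msDS-Behavior-Version'.Value)
$forestLevel = [int]($partitions.'msDS-Behavior-Version'.Value)

$domainLevelName = switch ($domainLevel) {
    0       { "Windows 2000 domain ($domainMode)" }
    1       { 'Windows .NET interim domain (defined but unused)' }
    2       { 'Windows .NET Server 2003 domain' }
    default { "value $domainLevel, newer than this deck covers" }
}
$forestLevelName = switch ($forestLevel) {
    0       { 'Windows 2000 forest' }
    1       { 'Windows .NET interim forest (NT 4.0 DCs allowed, no Windows 2000 DCs)' }
    2       { 'Windows .NET Server 2003 forest' }
    default { "value $forestLevel, newer than this deck covers" }
}
"Domain $domainNC : msDS-Behavior-Version=$domainLevel -> $domainLevelName"
"Forest CN=Partitions,$configNC : msDS-Behavior-Version=$forestLevel -> $forestLevelName"

# Inventory DCs: bit 0x2000 (SERVER_TRUST_ACCOUNT) of userAccountControl
# marks a domain controller's computer account. Result property keys are
# lower-case and may be absent, hence the small accessor.
function Get-FirstValue($props, [string]$name) {
    if ($props.Contains($name) -and $props[$name].Count -gt 0) { [string]$props[$name][0] } else { '' }
}
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domainObj)
$searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$searcher.PropertiesToLoad.AddRange([string[]]('dNSHostName', 'operatingSystem', 'operatingSystemServicePack'))
$dcs = foreach ($r in $searcher.FindAll()) {
    [pscustomobject]@{
        Host = Get-FirstValue $r.Properties 'dnshostname'
        OS   = Get-FirstValue $r.Properties 'operatingsystem'
        SP   = Get-FirstValue $r.Properties 'operatingsystemservicepack'
    }
}
$dcs | Format-Table -AutoSize

# Slides 15-16: advance only when every DC runs Windows .NET Server 2003.
# An empty operatingSystem is treated as legacy to stay on the safe side.
$legacy = @($dcs | Where-Object { $_.OS -eq '' -or $_.OS -match 'Windows NT|Windows 2000' })
if ($legacy.Count -gt 0) {
    "Do not advance the functional level: $($legacy.Count) DC(s) still report a pre-.NET OS:"
    $legacy | ForEach-Object { "  $($_.Host) [$($_.OS) $($_.SP)]" }
} else {
    "All $(@($dcs).Count) DC(s) report a post-Windows 2000 OS; the one-way level change may proceed."
}
```

Run it from any member machine before opening Domain.msc; the script only reads, so it is safe to repeat on each domain in the forest. Because the level change cannot be reversed (slide 6), treating a blank operatingSystem as a blocker is the conservative choice.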

17
Upgrading to Windows .NET Server 2003
  • Two Distinct Scenarios
  • Legacy Windows NT 4.0 domains
  • Windows 2000 Active Directory domains
  • Many environments may still use both
  • Two-Part Process
  • Domain preparation
  • Domain upgrade

18
Preparing to Upgrade
  • In all cases, first step should be winnt32.exe
    /checkupgradeonly
  • This provides a detailed report of what will and
    will not work with Windows .NET Server 2003.
  • Exportable list of what needs to be fixed and
    what to do about it.
  • If an internet connection is present, winnt32.exe
    can query Microsoft for any important changes
    since the installation media was prepared.
  • Know your domain
  • Visio Network Discovery or similar tools can be
    leveraged for network inventory.

19
Windows NT 4.0 Domain Upgrade Preparation
  • If Domain Name System (DNS) infrastructure
    exists, create a delegation for the first PDC to
    host the Active Directory zone.
  • LMRepl should be configured on Windows NT 4.0
    domain controllers.
  • The LMRepl export server should be the last
    server upgraded.

20
Domain Upgrade Strategies
  • Windows NT 4.0 Domain Upgrade
  • Similar to process for upgrade to Windows 2000
  • Different Approaches for Simplifying Domain
    Structure
  • Single domain strategy
  • Empty forest root strategy

21
Single Domain Forest Strategy
  • Largest Windows NT 4.0 account domain is upgraded
    to Windows .NET Server 2003 forest root
  • Select Windows .NET interim forest mode during
    DCPromo.
  • Let DCPromo configure DNS
  • DCPromo will read the delegation and prompt to
    install DNS locally.
  • Forest and domain zones will be created
    automatically.

22
Single Domain Forest Strategy (2)
  • Continue upgrading or retiring backup domain
    controllers (BDCs) until all domain controllers
    run Windows .NET Server 2003.
  • When all DCs run Windows .NET Server 2003,
    advance the forest to Windows .NET Server
    functional level.
  • Externally trusted domains are migrated into the
    forest root domain using ADMTv2.
  • Migration with sIDHistory and user passwords
    requires a Windows 2000 native mode or later
    target domain.

23
Multi-Domain Strategy
  • Establish forest with empty root domain with a
    new Windows .NET Server
  • Advance domain to Windows .NET functionality
    level using Domain.msc
  • Advance forest to Windows .NET interim
    functionality level
  • No UI offered in clean install
  • Use ADSIEdit.msc or LDP.exe
  • Create delegation in DNS for first PDC to be
    upgraded

24
Multi-Domain Strategy (2)
  • Upgrade Windows NT 4.0 PDC and DCPromo to create
    child domain of the empty root
  • Domain will be automatically set to Windows .NET
    Interim Mode
  • DCPromo will notice the delegation and prompt to
    install DNS
  • DNS will create default application partition
  • When all BDCs are upgraded, advance domain to
    Windows .NET functionality

25
Multi-Domain Strategy (3)
  • Repeat process for externally trusted domains as
    necessary
  • Basic rule calls for business justification for
    each additional domain
  • When all domains have been upgraded or
    consolidated, advance forest to Windows .NET
    functional level

26
Windows 2000 Domain Upgrade
  • Seamless Upgrade Process
  • Shared architecture, compatible operations
  • No forest, domain, or OU restructure necessary
  • No profile, workstation, or user migration
  • Windows .NET Server 2003 Integrates in the
    Deployed Infrastructure
  • Windows .NET Server can hold any operations
    master (FSMO) role as well as the global catalog
    role
  • Can be deployed as new domain controller
    (DCPromo)
  • Can upgrade existing Windows 2000 domain
    controllers

27
Windows 2000 Domain Preparation
  • Schema extended and new objects created to
    accommodate new features
  • Default security hardened
  • Directory access control lists (ACLs) tightened
  • Everyone ≠ Anonymous: anonymous logon is no longer
    a member of Everyone
  • Display specifiers added

28
Active Directory Preparation Tool
  • One tool makes all changes: Adprep.exe
  • Adprep imports LDF scripts to modify directory
  • Adprep /forestprep extends the schema
  • Runs on operations master
  • Requires Schema Admin and Enterprise Admin rights
  • Adprep /domainprep modifies the domain for
    Windows .NET Server
  • Runs on the infrastructure master of each domain
    in the forest
  • Requires domain admin rights

29
Verifying Domain Preparation
  • Adprep changes are said to be idempotent
  • Tool can run many times if needed, but any change
    will only be applied once
  • Upon successful completion, Adprep creates
    special containers in the directory
  • CN=Windows2003Update,CN=DomainUpdates,
    CN=System,DC=<domain>,DC=<tld>
  • CN=Windows2003Update,CN=ForestUpdates,
    CN=Configuration,DC=<forest_root_domain>,DC=<tld>
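Checking for the marker containers on one domain controller proves that Adprep ran; checking them on every domain controller proves that its changes replicated, which is the requirement the next slide states. The script below is an added example, not part of the WebCast or of Adprep itself. It uses System.DirectoryServices.ActiveDirectory to enumerate the current domain's DCs and DirectoryEntry.Exists to bind to each one by name; it assumes a domain-joined host with LDAP reachability to every DC, and Test-MarkerOnDc is its own helper name.

```powershell
# Added example (not from the WebCast). Checks on every domain controller
# that the marker containers Adprep creates (slide 29) have replicated; a DC
# that never receives them is the orphan case of slide 30.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = $rootDse.defaultNamingContext.Value
$configNC = $rootDse.configurationNamingContext.Value   # lives in the forest root

$markers = @(
    "CN=Windows2003Update,CN=DomainUpdates,CN=System,$domainNC",   # /domainprep
    "CN=Windows2003Update,CN=ForestUpdates,$configNC"              # /forestprep
)

# Bind to the container on one named DC rather than on whichever DC the
# locator picks, so each DC's own replica is what gets inspected.
function Test-MarkerOnDc([string]$dcName, [string]$dn) {
    try {
        if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dcName/$dn")) { 'present' } else { 'MISSING' }
    } catch {
        'unreachable'
    }
}

$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
$report = foreach ($dc in $dcs) {
    foreach ($dn in $markers) {
        [pscustomobject]@{
            DC     = $dc.Name
            Marker = ($dn -split ',')[1]    # CN=DomainUpdates or CN=ForestUpdates
            State  = Test-MarkerOnDc $dc.Name $dn
        }
    }
}
$report | Format-Table -AutoSize

$bad = @($report | Where-Object { $_.State -ne 'present' })
if ($bad.Count -eq 0) {
    'Adprep changes have replicated to every domain controller; proceed with the upgrade.'
} else {
    "$($bad.Count) check(s) failed. DCs that never receive these changes must be fixed or retired (slide 30):"
    $bad | Format-Table -AutoSize
}
```

Because Adprep is idempotent, a MISSING result is a replication problem to diagnose, not a reason to run Adprep again; an unreachable DC should be reported separately, since it may simply be offline rather than orphaned.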

30
Requirements for Domain Upgrade
  • Modifications require complete domain and file
    replication.
  • End-to-end throughout the forest.
  • Domain controllers that do not replicate schema
    and domain changes will be orphaned and must
    retire.
  • All Windows 2000 domain controllers must have SP2
    or later applied.
  • Domain controllers at Windows 2000 SP2 must also
    have the post-SP2 NTFRS enhancement deployed.
  • SP3 provides the best performance.

31
Windows 2000 Domain Upgrade
  • Domain Naming Operations Master Has Priority
  • Creates the default DNS zones for the forest.
  • The existing role holder can be first upgraded
    machine, or the role can be transferred to new
    Windows .NET domain controller.
  • PDC Emulator Upgrade Performs Special Tasks in
    each Domain
  • Creates additional security groups.
  • PDCs should be targeted for upgrade early in the
    process.
  • New Windows .NET Server 2003 domain controller
    can also transfer in the PDC role to complete
    changes.

32
Windows 2000 Domain Upgrade (2)
  • Domain reconfiguration is unnecessary.
  • Windows .NET Server 2003 will always claim the ISTG
    role for its site and negotiate an optimized
    topology with any other Windows .NET ISTG servers
  • Windows .NET Server 2003 can be deployed to
    leverage new technologies.
  • DNS application partitions
  • Enhanced replication
  • Internet Information Services (IIS), Terminal
    Services, Cluster Server, and so on

33
Upgrading DNS with Windows .NET Server 2003
  • The first Windows .NET Server in each domain
    creates a domain-wide DNS application partition.
  • Requires Enterprise Admin for first logon after
    upgrading.
  • Dnsmgmt.msc or Dnscmd.exe can be used to create
    the partition later.
  • Root domain will also create forest-wide DNS
    application partition.

34
Windows .NET DNS Servers
  • Automatically request domain-wide DNS data for
    their domain
  • Automatically request forest-wide DNS data

35
Migrating to Windows .NET Server
  • Most domain upgrades from Windows NT 4.0 to
    Active Directory employ a combination of domain
    upgrade and domain migration.
  • Scalability enhancements in Active Directory make
    obsolete the complex system of external trusts
    often used in Windows NT networks.
  • Consolidating and restructuring domains
    simplifies network management and increases
    productivity.

36
Active Directory Migration Tool
  • The primary tool for domain migration is ADMTv2,
    shipped with Windows .NET Server.
  • Permissions and ACLs are based on domain-specific
    security identifiers.
  • Migration and translation allow administrators to
    maintain user access to resources while
    restructuring domains.

37
Migrating with ADMTv2
  • Two Types of Domain Migration
  • Interforest: objects are cloned across domain and
    forest boundaries
  • Intraforest: LDAP_Move operation, after which the
    source object no longer exists
  • By definition, all Windows NT to Active Directory
    migrations are interforest.

38
Domain Migration with ADMTv2
  • Objects migrated include:
  • Users
  • Groups
  • Computers
  • Profiles
  • Network resources
  • Access control lists
  • Security identifiers
  • Domain controllers cannot be migrated.

39
Interforest vs. Intraforest
  • Interforest migrations are thought of as safer
    because they provide fallback capability.
  • Intraforest migrations are said to be destructive
    because the source object does not exist after
    the migration.
  • Intraforest migrations maintain most attributes
    automatically, including objectGUID,
    userPassword, and sIDHistory.
  • Interforest migration requires additional
    configuration to enable password and sIDHistory
    migration, and GUIDs are never migrated
    interforest.
  • Interforest migration is generally the preferred
    method.

40
Maintaining Access with ADMTv2
  • Windows 2000 introduced the sIDHistory attribute
    on Users and Groups in native mode domains.
  • When Users and Groups are migrated, sIDHistory
    can be populated with their security identifiers
    from the source domain.
  • sIDHistory provides a temporary method of
    maintaining access to resources during migration.
  • This should not be considered a permanent
    solution for access to resources.

41
Translating Security with ADMTv2
  • Security translation replaces the access control
    entries (ACEs) on resource ACLs so that security
    identifiers (SIDs) from the source domain are
    replaced with the migrated users' new SIDs in the
    target domain.
  • ADMTv2 maintains an internal database of SIDs
    that it has migrated.
  • A SID mapping file can be used to translate
    security for accounts that ADMTv2 cannot migrate.
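Slides 40 and 41 together describe the lifecycle: sIDHistory keeps access working during the migration, and security translation removes the dependency on it by rewriting ACEs. The script below is an added example, not part of the WebCast and not ADMT code. It audits a folder tree for ACEs that still name source-domain SIDs and, with a mapping of source SID to target SID (the same data a SID mapping file carries), rewrites the explicit ones. Get-SourceDomainAces and Invoke-SidTranslation are its own names, and every SID and path in it is a constructed placeholder.

```powershell
# Added example (not from the WebCast, not ADMT). Audit a tree for ACEs that
# still carry source-domain SIDs, i.e. access that now works only through
# sIDHistory (slide 40), and optionally rewrite them from a source -> target
# SID mapping in the spirit of ADMT security translation (slide 41).

function Get-SourceDomainAces {
    param([string]$Path, [string]$SourceDomainSid)
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # identity that cannot be resolved to a SID
            # A domain SID is the prefix of every account SID issued by that domain.
            if ($sid.StartsWith("$SourceDomainSid-")) {
                [pscustomobject]@{
                    Item = $item.FullName; Sid = $sid; Rights = $ace.FileSystemRights
                    Type = $ace.AccessControlType; Inherited = $ace.IsInherited; Ace = $ace
                }
            }
        }
    }
}

function Invoke-SidTranslation {
    param([string]$Path, [string]$SourceDomainSid, [hashtable]$SidMap, [switch]$WhatIf)
    # Inherited ACEs are corrected on the object they are inherited from.
    $hits = Get-SourceDomainAces -Path $Path -SourceDomainSid $SourceDomainSid |
            Where-Object { -not $_.Inherited }
    foreach ($group in ($hits | Group-Object -Property Item)) {
        $acl = Get-Acl -LiteralPath $group.Name
        foreach ($hit in $group.Group) {
            if (-not $SidMap.ContainsKey($hit.Sid)) {
                Write-Warning "No mapping for $($hit.Sid) on $($group.Name); left as is"
                continue
            }
            $old      = $hit.Ace
            $newSid   = New-Object System.Security.Principal.SecurityIdentifier($SidMap[$hit.Sid])
            # Same rights, inheritance, propagation and allow/deny type; only the trustee changes.
            $ruleArgs = @($newSid, $old.FileSystemRights, $old.InheritanceFlags, $old.PropagationFlags, $old.AccessControlType)
            $new      = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
            [void]$acl.RemoveAccessRule($old)
            $acl.AddAccessRule($new)
        }
        if ($WhatIf) { "WhatIf: would rewrite ACL on $($group.Name)" } else { Set-Acl -LiteralPath $group.Name -AclObject $acl }
    }
}

# Constructed placeholders: a source domain SID and one migrated user's mapping.
$srcDomain = 'S-1-5-21-1111111111-2222222222-3333333333'
$map = @{ "$srcDomain-1105" = 'S-1-5-21-4444444444-5555555555-6666666666-2210' }
Get-SourceDomainAces -Path 'D:\Shares\Finance' -SourceDomainSid $srcDomain |
    Format-Table Item, Sid, Rights, Type, Inherited -AutoSize
Invoke-SidTranslation -Path 'D:\Shares\Finance' -SourceDomainSid $srcDomain -SidMap $map -WhatIf
```

The audit alone answers the question slide 40 raises (which resources still depend on sIDHistory); run the translation only once every source SID that appears in the report has a mapping, otherwise the unmapped ACEs are left in place and reported, so that retiring the source domain cannot silently cut off access.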

42
ADMTv2 Improvements
  • Interforest Password Migration
  • More Robust Computer Migration Agents
  • Group Migration Optimized for Speed
  • Internal SID Database Allows Source Domains to be
    Retired
  • Migration Tasks Can be Delegated Rather than
    Requiring Domain Administrator Credentials
  • inetOrgPerson Support
  • Post-Migration User Renaming

43
ADMTv2 Improvements (2)
  • Scripting and Command Line Interfaces
  • Customizable Attribute Exclusion Lists
  • Enhanced Logging
  • Account Transition Options
  • Improved Reporting Wizard
  • Security Translation and SID Mapping Files
  • Now available for free from Product Support
    Services (PSS), Microsoft Consulting Services
    (MCS), and www.microsoft.com (after product
    release).

44
Windows .NET Server 2003 Upgrade and Migration
Summary
  • The skills learned while deploying Active
    Directory remain valuable and in-demand.
  • For Windows 2000 Active Directory shops, the
    deployment learning curve will be shallow.
  • ADMTv2 offers more restructuring and migration
    options than ever before.
  • ADMTv2 is available now from local PSS and MCS
    personnel.

45
Thank you for joining today's Microsoft Support
WebCast.
For information about all upcoming Support WebCasts,
and access to the archived content (streaming media
files, PowerPoint slides, and transcripts), visit
http://support.microsoft.com/webcasts/
Your feedback is sincerely appreciated. Please send any
comments or suggestions about the Support WebCasts to
supweb@microsoft.com.