Title: Restructuring, Migrating, and Upgrading Domains to Windows .NET Server 2003 (David Rheaume, Technical Lead, Directory Services, Microsoft Corporation)
1. Restructuring, Migrating, and Upgrading Domains to Windows .NET Server 2003
David Rheaume, Technical Lead, Directory Services, Microsoft Corporation
2. Objectives
- This WebCast will outline strategies used to upgrade Microsoft Windows NT 4.0-based and Windows 2000-based domains to Windows .NET Server 2003 Active Directory.
- You will also learn some of what Windows .NET Server 2003 can do for you, and how it will improve your existing business network.
3. Agenda
- What's New in Windows .NET Server 2003
- Introduction to Functional Levels
- Windows NT Domain Upgrade
- Windows 2000 Domain Upgrade
- Domain Restructuring Using ADMTv2
4. What's New in Windows .NET Server 2003 Active Directory?
- Replication Topology Engine that Scales to Thousands of Sites
- Domain Rename
- Deploying Sites and Logging on Without Local Global Catalog Servers
- Resultant Set of Policy Planning and Logging
- Transitive, Cross-Forest Kerberos Trusts
- Schema Defunct and Redefine
- Application Partitions
5. How Do We Do It?
- Many features work with existing Windows NT 4.0 and Windows 2000 domain controllers.
- Some great new features are not backward compatible with Windows NT 4.0 or Windows 2000.
- These new features require a versioning solution to prevent interoperability problems.
- The solution: forest and domain functional levels.
6. Functional Levels in Windows .NET Server 2003
- Active Directory Versioning Scheme
  - Enables new and non-backward-compatible features.
  - One-way operation.
  - Think "Windows 2000 native mode".
- Domain Functional Levels
- Forest Functional Levels
- Defined by Attribute of Domain and Configuration Containers
7. Mixed Mode Domains
- Windows NT Controllers Allowed
  - Similar to Windows 2000 Mixed Mode Domain
  - Previous version (Windows NT 4.0 Server) domain controllers constrain domain features.
    - No universal or nested groups.
    - No sIDHistory.
- Windows 2000 Domain Controllers
  - Allowed, but not required.
- Windows .NET Server 2003 can upgrade Windows NT 4.0 and Windows 2000 domain controllers and member servers.
8. Native Mode Domains
- No More Windows NT 4.0 Domain Controllers
  - Any Win32 client or member server is still okay.
  - All domain controllers must be Windows 2000 or Windows .NET.
  - Windows 2000 domain modes do not increment msDS-Behavior-Version.
- Enables User and Group Management Features
  - Windows 2000 and Windows .NET domain controllers only
- Mixed and Native Mode Defined by nTMixedDomain
  - 0 (zero) or no value means native mode
  - 1 means mixed mode
9. Functional Levels
- New in Windows .NET Server 2003
  - Introduce new features not compatible with previous version domain controllers
  - Manually advanced when all domain controllers in domain or forest are running Windows .NET Server
- Defined by msDS-Behavior-Version attribute on Domain and Partitions Containers
  - DC=<domain>,DC=<tld>
  - CN=Partitions,CN=Configuration,DC=<domain>,DC=<tld>
10. Functional Levels (2)
- Windows .NET Domain
- Windows .NET Interim Forest
- Windows .NET Forest
- http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsnetserver/evaluate/cpp/reskit/adsec/part1/rkpdsefl.asp
11. Domain Functional Levels
- All Domain Controllers Are Windows .NET
  - Windows 2000 and Windows NT domain controllers are blocked.
  - Manually advanced using Active Directory Domains and Trusts (Domain.msc).
  - Also exposed through ADSIEdit.msc, LDP, or script, for example.
- msDS-Behavior-Version = 2 on DC=<domain>,DC=<tld>
- msDS-Behavior-Version = 1 defines interim domain mode, but is unused.
12. Features by Domain Functionality
13. Forest Functional Levels
- Windows .NET Forest Mode
  - All domain controllers in the enterprise must run Windows .NET Server 2003.
  - Advanced using Domain.msc or by setting msDS-Behavior-Version = 2 on CN=Partitions,CN=Configuration,DC=<domain>,DC=<tld>.
- Windows .NET Interim Forest Mode
  - Allows Windows NT 4.0 domain controllers.
  - Windows 2000 domain controllers are not allowed.
  - Only UI is new forest through upgrade and DCPromo of Windows NT 4.0 primary domain controller (PDC).
14. Features by Forest Functionality
15. Best Practices for Functional Levels
- Windows NT 4.0 Upgrade
  - Windows .NET interim forest mode on restart and DCPromo
    - Enables Windows .NET Server 2003 enhancements to Intersite Topology Generator and Knowledge Consistency Checker
    - Makes replication more efficient and robust
  - When all domain controllers are upgraded, advance forest to Windows .NET mode
  - Native mode domains will automatically transition to Windows .NET domain level when forest is advanced
16. Best Practices for Functional Levels (2)
- Windows 2000 Domain Upgrade
  - Native mode is best for mixed Windows 2000 and Windows .NET Server 2003 networks.
  - No functional level change until all domain controllers are Windows .NET Server 2003.
  - When all domain controllers run Windows .NET, advance the forest to Windows .NET forest mode.
  - When forest is advanced, the domains will automatically advance to Windows .NET domain mode.
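Reading the levels the way slides 8 through 16 describe them, as an added PowerShell example (not from the WebCast): it binds with the [ADSI] accessor to DC=<domain>,DC=<tld> and CN=Partitions,CN=Configuration,..., decodes nTMixedDomain and msDS-Behavior-Version, and then lists every domain controller of the current domain whose operatingSystemVersion is not 5.2 (Windows .NET Server 2003), which is the condition that must be clear before a level is advanced. Run it once in each domain; the forest level needs every domain clear.

```powershell
# Added example (not from the WebCast): report the current domain and forest
# functional levels from the attributes the slides name, and list any domain
# controller in this domain that is not yet Windows .NET / Windows Server 2003.
# Read-only; ordinary domain user rights are enough.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.defaultNamingContext.Value
$configDn = $rootDse.configurationNamingContext.Value

$domain     = [ADSI]"LDAP://$domainDn"                  # DC=<domain>,DC=<tld>
$partitions = [ADSI]"LDAP://CN=Partitions,$configDn"    # CN=Partitions,CN=Configuration,...

# nTMixedDomain: 1 = mixed mode, 0 or absent = native mode.
# msDS-Behavior-Version: 0 = Windows 2000, 1 = Windows .NET interim, 2 = Windows .NET.
$mixed       = [int]$domain.nTMixedDomain.Value
$domainLevel = [int]$domain.'msDS-Behavior-Version'.Value
$forestLevel = [int]$partitions.'msDS-Behavior-Version'.Value

$levelNames = @{ 0 = 'Windows 2000'; 1 = 'Windows .NET interim'; 2 = 'Windows .NET' }
$domainText = $levelNames[$domainLevel]
if ($domainLevel -eq 0) { $domainText += $(if ($mixed -eq 1) { ' mixed' } else { ' native' }) }
"Domain level : $domainText (msDS-Behavior-Version=$domainLevel, nTMixedDomain=$mixed)"
"Forest level : $($levelNames[$forestLevel]) (msDS-Behavior-Version=$forestLevel)"

# Domain controllers carry the SERVER_TRUST_ACCOUNT bit (0x2000) in userAccountControl;
# the :1.2.840.113556.1.4.803: matching rule is a bitwise AND.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
[void]$searcher.PropertiesToLoad.AddRange([string[]]('name', 'operatingSystem', 'operatingSystemVersion'))

$blocking = @()
foreach ($dc in $searcher.FindAll()) {
    $name = [string]$dc.Properties['name'][0]
    $os   = [string]$dc.Properties['operatingsystem'][0]
    $ver  = [string]$dc.Properties['operatingsystemversion'][0]
    # Windows Server 2003 reports version 5.2; NT 4.0 (4.0) and Windows 2000 (5.0) do not.
    # An NT 4.0 BDC may carry no OS attributes at all, so "unknown" is treated as blocking.
    if ($ver -notmatch '^5\.2') { $blocking += "$name ($os $ver)".Trim() }
}

if ($blocking.Count -eq 0) {
    'All DCs in this domain run Windows .NET Server 2003; the domain level can be advanced.'
} else {
    'Do not advance the functional level yet. Pre-Windows .NET domain controllers:'
    $blocking | ForEach-Object { "  $_" }
}
```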
17. Upgrading to Windows .NET Server 2003
- Two Distinct Scenarios
  - Legacy Windows NT 4.0 domains
  - Windows 2000 Active Directory domains
  - Many environments may still use both
- Two-Part Process
  - Domain preparation
  - Domain upgrade
18. Preparing to Upgrade
- In all cases, the first step should be winnt32.exe /checkupgradeonly
  - This provides a detailed report of what will and will not work with Windows .NET Server 2003.
  - Exportable list of what needs to be fixed and what to do about it.
  - If an Internet connection is present, Winnt32.exe can query Microsoft for any important changes since the installation media was prepared.
- Know your domain
  - Visio Network Discovery or similar tools can be leveraged for network inventory.
19. Windows NT 4.0 Domain Upgrade Preparation
- If Domain Name System (DNS) infrastructure exists, create a delegation for the first PDC to host the Active Directory zone.
- LMRepl should be configured on Windows NT 4.0 domain controllers.
- The LMRepl export server should be the last server upgraded.
20. Domain Upgrade Strategies
- Windows NT 4.0 Domain Upgrade
  - Similar to process for upgrade to Windows 2000
- Different Approaches for Simplifying Domain Structure
  - Single domain strategy
  - Empty forest root strategy
21. Single Domain Forest Strategy
- Largest Windows NT 4.0 account domain is upgraded to Windows .NET Server 2003 forest root
  - Select Windows .NET interim forest mode during DCPromo.
- Let DCPromo configure DNS
  - DCPromo will read the delegation and prompt to install DNS locally.
  - Forest and domain zones will be created automatically.
22. Single Domain Forest Strategy (2)
- Continue upgrading or retiring backup domain controllers (BDCs) until all domain controllers run Windows .NET Server 2003.
- When all DCs run Windows .NET Server 2003, advance the forest to Windows .NET Server functional level.
- Externally trusted domains are migrated into the forest root domain using ADMTv2.
  - Migration with sIDHistory and user passwords requires a Windows 2000 native mode or later target domain.
23. Multi-Domain Strategy
- Establish forest with empty root domain with a new Windows .NET Server
- Advance domain to Windows .NET functionality level using Domain.msc
- Advance forest to Windows .NET interim functionality level
  - No UI offered in clean install
  - Use ADSIEdit.msc or LDP.exe
- Create delegation in DNS for first PDC to be upgraded
24. Multi-Domain Strategy (2)
- Upgrade Windows NT 4.0 PDC and DCPromo to create child domain of the empty root
  - Domain will be automatically set to Windows .NET Interim Mode
  - DCPromo will notice the delegation and prompt to install DNS
  - DNS will create default application partition
- When all BDCs are upgraded, advance domain to Windows .NET functionality
25. Multi-Domain Strategy (3)
- Repeat process for externally trusted domains as necessary
  - Basic rule calls for business justification for each additional domain
- When all domains have been upgraded or consolidated, advance forest to Windows .NET functional level
26. Windows 2000 Domain Upgrade
- Seamless Upgrade Process
  - Shared architecture, compatible operations
  - No forest, domain, or OU restructure necessary
  - No profile, workstation, or user migration
- Windows .NET Server 2003 Integrates in the Deployed Infrastructure
  - Windows .NET Server can hold any operations master (FSMO) role as well as the global catalog role
  - Can be deployed as new domain controller (DCPromo)
  - Can upgrade existing Windows 2000 domain controllers
27. Windows 2000 Domain Preparation
- Schema extended and new objects created to accommodate new features
- Default security hardened
  - Directory access control lists (ACLs) tightened
  - Everyone ≠ Anonymous (the Everyone group no longer includes Anonymous)
- Display specifiers added
28. Active Directory Preparation Tool
- One tool makes all changes: Adprep.exe
  - Adprep imports LDF scripts to modify directory
- Adprep /forestprep extends the schema
  - Runs on operations master
  - Requires Schema Admin and Enterprise Admin rights
- Adprep /domainprep modifies the domain for Windows .NET Server
  - Runs on the infrastructure master of each domain in the forest
  - Requires domain admin rights
29. Verifying Domain Preparation
- Adprep changes are said to be idempotent
  - Tool can run many times if needed, but any change will only be applied once
- Upon successful completion, Adprep creates special containers in the directory
  - CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=<domain>,DC=<tld>
  - CN=Windows2003Update,CN=ForestUpdates,CN=Configuration,DC=<forest_root_domain>,DC=<tld>
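Checking the marker containers from a script, as an added PowerShell example (not from the WebCast): it tests for both CN=Windows2003Update containers on the DC it binds to and also reads the schema objectVersion, which /forestprep raises from 13 (Windows 2000) to 30 (Windows .NET Server 2003). Because Adprep's changes must replicate end to end before a DC can be upgraded, the optional -Server parameter (an assumed name, not a switch of Adprep) lets you run the same check against each DC in turn.

```powershell
# Added example (not from the WebCast): verify that Adprep /forestprep and
# Adprep /domainprep have completed and replicated to one DC. Read-only.
param([string]$Server = '')   # optional DC to bind to, e.g. 'dc1.corp.example' (constructed name)
$prefix   = if ($Server) { "LDAP://$Server/" } else { "LDAP://" }
$rootDse  = [ADSI]"$($prefix)RootDSE"
$domainDn = $rootDse.defaultNamingContext.Value
$configDn = $rootDse.configurationNamingContext.Value   # always in the forest root
$schemaDn = $rootDse.schemaNamingContext.Value
$dsaHost  = $rootDse.dnsHostName.Value

# Marker containers named on the slide; Adprep creates them on success.
$markers = @{
    'forestprep' = "CN=Windows2003Update,CN=ForestUpdates,$configDn"
    'domainprep' = "CN=Windows2003Update,CN=DomainUpdates,CN=System,$domainDn"
}

"Checking Adprep markers as replicated to $dsaHost"
$ready = $true
foreach ($step in $markers.Keys) {
    $dn = $markers[$step]
    if ([ADSI]::Exists("$prefix$dn")) {
        # Adprep stamps a revision number on the container; shown for reference only.
        $rev = [int]([ADSI]"$prefix$dn").revision.Value
        "  $step : present (revision $rev)  $dn"
    } else {
        "  $step : MISSING  $dn"
        $ready = $false
    }
}

# Second, independent sign that /forestprep ran: the schema objectVersion.
# Windows 2000 schemas are version 13; Windows .NET Server 2003 raises it to 30.
$schemaVersion = [int]([ADSI]"$prefix$schemaDn").objectVersion.Value
"  schema objectVersion : $schemaVersion (Windows .NET Server 2003 = 30)"

if ($ready -and $schemaVersion -ge 30) {
    'Domain preparation has replicated to this DC; the upgrade can proceed here.'
} else {
    'Preparation incomplete on this DC: run Adprep on the role holders and allow end-to-end replication.'
}
```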
30. Requirements for Domain Upgrade
- Modifications require complete domain and file replication.
  - End-to-end throughout the forest.
  - Domain controllers that do not replicate schema and domain changes will be orphaned and must retire.
- All Windows 2000 domain controllers must have SP2 or later applied.
  - Domain controllers at Windows 2000 SP2 must also have the post-SP2 NTFRS enhancement deployed.
  - SP3 provides the best performance.
31. Windows 2000 Domain Upgrade
- Domain Naming Operations Master Has Priority
  - Creates the default DNS zones for the forest.
  - The existing role holder can be the first upgraded machine, or the role can be transferred to a new Windows .NET domain controller.
- PDC Emulator Upgrade Performs Special Tasks in Each Domain
  - Creates additional security groups.
  - PDCs should be targeted for upgrade early in the process.
  - A new Windows .NET Server 2003 domain controller can also transfer in the PDC role to complete the changes.
32. Windows 2000 Domain Upgrade (2)
- Domain reconfiguration is unnecessary.
  - Windows .NET Server 2003 will always claim the ISTG role for its site and negotiate an optimized topology with any other Windows .NET ISTG servers.
- Windows .NET Server 2003 can be deployed to leverage new technologies.
  - DNS application partitions
  - Enhanced replication
  - Internet Information Services (IIS), Terminal Services, Cluster Server, and so on
33. Upgrading DNS with Windows .NET Server 2003
- The first Windows .NET Server in each domain creates a domain-wide DNS application partition.
  - Requires Enterprise Admin for first logon after upgrading.
  - Dnsmgmt.msc or Dnscmd.exe can be used to create the partition later.
- Root domain will also create forest-wide DNS application partition.
34. Windows .NET DNS Servers
- Automatically request domain-wide DNS data for their domain
- Automatically request forest-wide DNS data
35. Migrating to Windows .NET Server
- Most domain upgrades from Windows NT 4.0 to Active Directory employ a combination of domain upgrade and domain migration.
- Scalability enhancements in Active Directory make obsolete the complex system of external trusts often used in Windows NT networks.
- Consolidating and restructuring domains simplifies network management and increases productivity.
36. Active Directory Migration Tool
- The primary tool for domain migration is ADMTv2, shipped with Windows .NET Server.
- Permissions and ACLs are based on domain-specific security identifiers.
- Migration and translation allow administrators to maintain user access to resources while restructuring domains.
37. Migrating with ADMTv2
- Two Types of Domain Migration
  - Interforest: objects are cloned across domain and forest boundaries
  - Intraforest: LDAP_Move operation, after which the source object no longer exists
- By definition, all Windows NT to Active Directory migrations are interforest.
38. Domain Migration with ADMTv2
- Objects migrated include:
  - Users
  - Groups
  - Computers
  - Profiles
  - Network resources
  - Access control lists
  - Security identifiers
- Domain controllers cannot be migrated.
39. Interforest vs. Intraforest
- Interforest migrations are thought of as safer because they provide fallback capability.
- Intraforest migrations are said to be destructive because the source object does not exist after the migration.
- Intraforest migrations maintain most attributes automatically, including objectGUID, userPassword, and sIDHistory.
- Interforest migration requires additional configuration to enable password and sIDHistory migration, and GUIDs are never migrated interforest.
- Interforest migration is generally the preferred method.
40. Maintaining Access with ADMTv2
- Windows 2000 introduced the sIDHistory attribute on Users and Groups in native mode domains.
- When Users and Groups are migrated, sIDHistory can be populated with their security identifiers from the source domain.
- sIDHistory provides a temporary method of maintaining access to resources during migration.
  - This should not be considered a permanent solution for access to resources.
41. Translating Security with ADMTv2
- Security translation replaces the access control entries (ACEs) on resource ACLs so that security identifiers (SIDs) from the source domain are replaced with the migrated users' new SIDs in the target domain.
- ADMTv2 maintains an internal database of SIDs that it has migrated.
- A SID mapping file can be used to translate security for accounts that ADMTv2 cannot migrate.
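Auditing which resources still depend on sIDHistory rather than on translated ACEs (slides 40 and 41), as an added PowerShell example that is not part of the WebCast or of ADMT: it gathers every sIDHistory value from the target domain, then walks an assumed share root and reports explicit ACEs whose stored SID is one of those pre-migration SIDs. Reading ACEs as raw SIDs matters here, because name resolution maps an old SID to the migrated account and so hides the dependency; until such ACEs are translated, sIDHistory cannot safely be cleaned up.

```powershell
# Added example (not from the WebCast or ADMT): find explicit ACEs on a file tree
# that still reference pre-migration SIDs recorded in sIDHistory. Read-only.
param([string]$Path = 'D:\Shares')   # assumption: root of the share to audit

# 1. Collect every old SID recorded in sIDHistory on users and groups of this domain.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domain   = [ADSI]"LDAP://$($rootDse.defaultNamingContext.Value)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter   = '(&(|(objectCategory=person)(objectCategory=group))(sIDHistory=*))'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'sIDHistory'))

$oldSids = @{}   # old SID string -> account that now owns it
foreach ($r in $searcher.FindAll()) {
    $sam = [string]$r.Properties['samaccountname'][0]
    foreach ($raw in $r.Properties['sidhistory']) {          # each value is a binary SID
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        $oldSids[$sid.Value] = $sam
    }
}
"sIDHistory values in this domain: $($oldSids.Count)"

# 2. Walk the tree and read ACEs as raw SIDs. GetAccessRules with SecurityIdentifier
#    returns the SID actually stored in the ACE, not the name it resolves to.
$items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
$hits = 0
foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    # explicit ACEs only (inherited ones would repeat the same finding down the tree)
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sidText = $rule.IdentityReference.Value
        if ($oldSids.ContainsKey($sidText)) {
            $hits++
            "{0}`t{1}`t{2} (now {3})" -f $item.FullName, $rule.FileSystemRights, $sidText, $oldSids[$sidText]
        }
    }
}
"Explicit ACEs still granted to pre-migration SIDs: $hits"
```

Each reported path is a resource whose access would break if sIDHistory were removed before security translation.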
42. ADMTv2 Improvements
- Interforest Password Migration
- More Robust Computer Migration Agents
- Group Migration Optimized for Speed
- Internal SID Database Allows Source Domains to be Retired
- Migration Tasks Can be Delegated Rather than Requiring Domain Administrator Credentials
- inetOrgPerson Support
- Post-Migration User Renaming
43. ADMTv2 Improvements (2)
- Scripting and Command Line Interfaces
- Customizable Attribute Exclusion Lists
- Enhanced Logging
- Account Transition Options
- Improved Reporting Wizard
- Security Translation and SID Mapping Files
- Now available for free from Product Support Services (PSS), Microsoft Consulting Services (MCS), and www.microsoft.com (after product release).
44. Windows .NET Server 2003 Upgrade and Migration Summary
- The skills learned while deploying Active Directory remain valuable and in demand.
- For Windows 2000 Active Directory shops, the deployment learning curve will be shallow.
- ADMTv2 offers more restructuring and migration options than ever before.
- ADMTv2 is available now from local PSS and MCS personnel.
45. Thank you for joining today's Microsoft Support WebCast.
- For information about all upcoming Support WebCasts, and access to the archived content (streaming media files, PowerPoint slides, and transcripts), visit http://support.microsoft.com/webcasts/
- Your feedback is sincerely appreciated. Please send any comments or suggestions about the Support WebCasts to supweb@microsoft.com.