Migrating to Windows Server 2003 Active Directory.


Migrating to Windows Server 2003 Active Directory

Agenda
- Functional levels
- General deployment strategies
- Preparing the forest and domains
- Performing in-place domain upgrades
- Active Directory enhancements
- Active Directory multi-forest support
- DNS enhancements

Domain Functional Levels

Windows 2000 mixed
  Enabled features: install from media; universal group caching (for Windows Server 2003 DCs)
  Supported DCs in domain: Windows NT4, Windows 2000, Windows Server 2003

Windows 2000 native
  Enabled features: all mixed mode features, plus group nesting, universal security groups, SIDHistory
  Supported DCs in domain: Windows 2000, Windows Server 2003

Windows Server 2003 Interim
  Enabled features: same as Windows 2000 mixed, plus replication enhancements
  Supported DCs in domain: Windows NT4, Windows Server 2003

Windows Server 2003
  Enabled features: all Windows 2000 native features, plus DC rename, update of the logon timestamp attribute, Kerberos KDC version, user password on inetOrgPerson
  Supported DCs in domain: Windows Server 2003

Forest Functional Levels

Windows 2000
  Enabled features: install from media; universal group caching (for Windows Server 2003 DCs)
  Supported DCs in forest: Windows NT4, Windows 2000, Windows Server 2003

Windows Server 2003 Interim
  Enabled features: all Windows 2000 features, plus LVR replication and improved ISTG (for Windows Server 2003 DCs)
  Supported DCs in forest: Windows NT4, Windows Server 2003

Windows Server 2003
  Enabled features: all Windows Server 2003 Interim features, plus dynamic auxiliary classes, user to inetOrgPerson change, schema de-/reactivation, domain rename, cross-forest trust, partial GC sync
  Supported DCs in forest: Windows Server 2003

Domain Functionality (diagram)
Levels shown: Windows 2000 mixed and Windows 2000 native (prior to Windows Server 2003), Windows Server 2003 Interim, Windows Server 2003; supported DCs per level: Win NT4, Win2000, Windows Server 2003.
Transitions shown (A, B, C): upgrade to Windows Server 2003 (DCPROMO); raised in the UI (Users & Computers or Domains and Trusts); happens automatically (when the forest version is raised during the PDC upgrade).

Forest Functionality (diagram)
Levels shown: Windows 2000, Windows Server 2003 Interim, Windows Server 2003; supported DCs per level: Win NT4, Win2000, Windows Server 2003.
Transitions shown (A, B, C): DCPROMO (upgrade to Windows Server 2003), recommended (choose the option in DCPROMO during the PDC upgrade); raised in the UI (Domains and Trusts); workaround if you decide to go to level '1' later (using LDP, adsiedit).

Deployment strategies
- Domain restructure
- In-place domain upgrade
  - From Windows 2000
    - Upgraded domain is forest root
    - Upgraded domain is an additional domain in the forest
  - From NT 4.0
    - Upgraded domain is forest root
    - Upgraded domain is an additional domain in the forest

Domain Restructure
- "Consolidation" or "collapse"
- Move security principals and DCs between domains
- Allows you to design an ideal forest
- Use restructuring tools: ADMT, Movetree, Clone Principal, 3rd party
- Diagram: account domains MUD1, MUD2 and resource domains RES1, RES2, RES3 restructured into MUD and RES1

Upgrade from Windows 2000
- Easy and seamless upgrade process
  - No restructuring necessary
  - No forest, domain, OU or replication planning necessary
  - No user / workstation / profile migration
- Windows Server 2003 DCs are fully compatible with Windows 2000 DCs
  - Windows Server 2003 DCs can play any role in a Windows 2000 forest / domain
    - New DC (dcpromo)
    - Upgrade of an existing DC
- Preparing the forest and domains is a separate step from introducing the first Windows Server 2003 DC

Windows 2000 Forest/Domain Upgrade
- New features and fixes require upgrade operations
  - Tightens security on resources that use the Everyone group to grant access by:
    - Improving default security descriptors
    - Changing group memberships: the Anonymous Logon group is no longer a member of the Everyone group
  - Creates new objects used by individual applications
  - Creates new containers that can be used to verify that the preparation was successful
  - Updates the Active Directory schema; previous schema modifications in your environment are not affected
- Single tool (adprep) to accomplish all tasks
  - Run once per forest (adprep /forestprep)
  - Run once per domain (adprep /domainprep)

ADPREP /FORESTPREP
- Schema upgrade
  - Needs to run on the schema master
  - Does not cause a GC full sync
  - Small number of new indexed attributes; SP3 DCs: no performance impact
  - The schema extension creates only little replication traffic
- Display specifiers
  - Enable new features in the UI
  - Create around 100 KB of replication traffic

ADPREP /FORESTPREP (continued)
- Adjusts ACLs to enable new features (RSOP, Everyone != Anonymous Logon, PKI); little replication traffic only
- Adprep /forestprep has only a small impact on:
  - Replication
  - Domain controller performance: no impact on Windows 2000 SP3 DCs, small impact on pre-SP3 Windows 2000 DCs
  - AD database size
- Creates a special container when finished successfully: CN=Windows2002Update,CN=ForestUpdates,CN=Configuration,DC=

ADPREP /DOMAINPREP
- Needs to run on the Infrastructure Master in each domain
- Impact on domain controllers is hardly measurable (network traffic, DC load)
- Creates a special container when finished successfully: CN=Windows2002Update,CN=DomainUpdates,CN=System,DC=

Introducing the First WS2003 Domain Controller in the Forest
- Once adprep has run, Windows Server 2003 domain controllers can join the forest
- Two methods
  - Upgrade an existing domain controller (Windows 2000 or Windows NT 4)
  - Install Windows Server 2003 as a member server and run dcpromo
- Choose any domain to hold the first Windows Server 2003 DC
- Upgrade of the PDC performs special operations again
  - Creates the group for Terminal Services and internal groups
  - Transferring the role to a Windows Server 2003 DC triggers the same operations
- Best practice
  - Install a Windows Server 2003 member server and promote it to domain controller
  - Upgrade the PDC to Windows Server 2003 early in the process
  - Or transfer the PDC role to a Windows Server 2003 DC, even if only temporarily

Features depending on Windows Server 2003 Version
- More scalable KCC algorithm
- Link value replication
- Cross-forest trust
- Dynamic auxiliary classes
- inetOrgPerson objectClass change
- Schema delete
- Domain rename

Active Directory Enhancements

Agenda: enhancements in the areas of
- Building domain controllers
- Active Directory versioning and functional levels
- AD replication
- Global Catalog improvements
- Enhanced administration
- Active Directory objects and architecture
- Schema deletes
- Application directory partitions
- Domain controller and domain rename

Design Goals
- Incremental release: build on Windows 2000
- Design fundamentals are the same
  - Build on the existing Active Directory deployment
  - Impose no requirement to redesign
  - No specific planning considerations: continue with Windows 2000 planning/deployment
- Review new security lockdown features
  - Scalability, management, monitoring
  - Improve deployment and manageability
  - Alleviate fear of making irreversible decisions

Replica From Media (diagram)
Source DC -> Windows Backup (back up system state) -> store to media: DVD, CD-ROM, tape, file system -> target server: restore to an alternative location -> DCPROMO /ADV

Replication Model
- Replication is at attribute level
- The replication model is described as multimaster, loose consistency with convergence
  - Multimaster: changes can be made at any DC
  - Loose consistency: there is a latency between changes being made and their availability throughout the enterprise
  - Convergence: eventually the changes will propagate to all DCs, and conflicts will have to be detected and resolved

Problem: Group Replication
- Multivalue attributes are replicated as a single entity
  - One change, lots of data replicated
  - If the same group is simultaneously updated, after replication only one set of users will be retained
- Diagram: group G1 on Srv1 has members Sally, John, Jane; on Srv2 it has members Sally, John, Pete. On replication the newer attribute wins.

Solution: Linked-Value Replication
- Store per-value replication metadata for linked multi-valued attributes
  - Replicate individual changes instead of the whole membership
  - Storage and protocol are incompatible with Windows 2000; only works with Windows Server 2003
  - Requires Windows Server 2003 or Windows Server 2003 Interim forest functionality
- Eliminates the limit of 5000 direct group members
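The two slides above describe the lost-update problem and its fix in words; the following simulation is an added illustration (not Microsoft code) that replays the Srv1/Srv2 example under both replication rules. Version stamps and member names are constructed.

```python
"""Simulates whole-attribute replication (Windows 2000: the newer attribute
version wins as a unit) versus linked-value replication (LVR: each value
carries its own metadata) for concurrent changes to a group's members.
Added illustration; the replicas, stamps and member names are constructed."""
from dataclasses import dataclass, field


@dataclass
class Replica:
    """One DC's copy of group G1's member attribute."""
    name: str
    members: set = field(default_factory=set)
    attr_stamp: int = 0                             # whole-attribute version stamp
    value_meta: dict = field(default_factory=dict)  # value -> (stamp, present)

    def add(self, member, ts):
        self.members.add(member)
        self.attr_stamp = ts
        self.value_meta[member] = (ts, True)

    def remove(self, member, ts):
        self.members.discard(member)
        self.attr_stamp = ts
        self.value_meta[member] = (ts, False)       # absent value keeps its metadata


def replicate_whole_attribute(dst, src):
    """Windows 2000 rule: if the source attribute is newer, replace it entirely."""
    if src.attr_stamp > dst.attr_stamp:
        dst.members = set(src.members)
        dst.attr_stamp = src.attr_stamp
        dst.value_meta = dict(src.value_meta)


def replicate_linked_values(dst, src):
    """LVR rule: reconcile each value on its own (stamp, present) metadata."""
    for value, (ts, present) in src.value_meta.items():
        local = dst.value_meta.get(value)
        if local is None or ts > local[0]:
            dst.value_meta[value] = (ts, present)
            if present:
                dst.members.add(value)
            else:
                dst.members.discard(value)


def run_scenario(replicate):
    """Both DCs change G1 before replicating; returns the converged membership."""
    srv1, srv2 = Replica("Srv1"), Replica("Srv2")
    for dc in (srv1, srv2):                 # identical starting state on both DCs
        for m in ("Sally", "John"):
            dc.add(m, ts=1)
    srv1.add("Jane", ts=2)                  # admin at Srv1 adds Jane
    srv2.add("Pete", ts=3)                  # admin at Srv2 adds Pete slightly later
    replicate(srv1, srv2)                   # replicate in both directions
    replicate(srv2, srv1)
    assert srv1.members == srv2.members, "replicas must converge"
    return srv1.members


def whole_attribute_result():
    return run_scenario(replicate_whole_attribute)   # Jane's addition is lost


def linked_value_result():
    return run_scenario(replicate_linked_values)     # both additions survive


if __name__ == "__main__":
    print("Windows 2000 whole-attribute:", sorted(whole_attribute_result()))
    print("Windows Server 2003 LVR:     ", sorted(linked_value_result()))
```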

Problem: KCC Scalability
- No issues for intra-site replication
- Inter-site replication topology generation (ISTG) can be a complex operation, similar to OSPF routing
- Factors are:
  - Number of sites
  - Number of domains
- Transitiveness of site links increases the CPU cost of topology generation
  - Transitiveness is implemented as one site-link bridge that contains all site links

Workaround: Windows 2000 Guidelines
- Always disable transitiveness
- Fewer than 500 sites: use the KCC
  - But test your hardware first
  - Follow the guidelines in KB article Q
- More than 500 sites: create connection objects manually
- The Branch Office deployment guide recommends a manual topology for more than 100 sites

Solution: Improved ISTG
- Vastly improved inter-site topology generation (ISTG) scalability
  - Eliminates the need for a manual topology
  - Vastly more scalable: current thinking is that it scales to 5,000 sites (3,000 tested)
  - Still single threaded; uses only one CPU on SMP DCs
  - Generates a different topology than the Windows 2000 ISTG
  - Requires Windows Server 2003 or Interim forest functionality

Problem: Logon and GC Dependency
- During the logon process the security access token is constructed: user SID plus group SIDs
  - Membership details in the logon domain: Builtin, Domain Local, Global groups
  - Membership details in the GC: Universal groups
- A user's universal group membership changes by:
  - Adding the user to a universal group
  - Adding a global group of which the user is a member
  - Nesting appropriate global and universal groups

Workaround #1
- A GC at every site to avoid logon failures when the network is down
  - Increased hardware costs
  - Replication overhead

Workaround #2
- Logon fails if no GC is available
  - Administrators can still log on
  - Registry switch: HKLM\System\CurrentControlSet\Control\Lsa\IgnoreGCFailure
- Logon with a failed GC presents a possible security breach
  - Incomplete security token
  - Ignores access denies for universal groups

Solution: GC-less Logon (diagram: a DC in London, the GC in Bellevue)
- On first logon the user's group details are cached
- Periodically updated (default 8 hours)
- The cached group information is stored in the user's msDS-Cached-Membership attribute
- Enabled as an attribute of the site object

Solution: Universal Group Caching
- The domain controller caches the complete group membership of a user
  - Cache is populated at first logon
  - Subsequent logons use the cache
  - Cache is refreshed periodically
    - Sourced from the nearest GC
    - Observes the replication schedule on the site link
    - All DCs in the site perform the cache refresh for users who have logged on to that site
    - Replicated to all other DCs in the domain *
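To make the security point of Workaround #2 and the caching solution concrete, the following added simulation (not Microsoft code) builds a token under each of the four conditions and runs it against a share ACL that denies a universal group. SIDs, group names and the ACL are constructed; `cache` stands in for the msDS-Cached-Membership attribute.

```python
"""Simulates access-token construction with and without a Global Catalog and
shows why IgnoreGCFailure is risky: a deny that depends on a universal group
silently disappears from an incomplete token. Added illustration only; the
SIDs, groups and share ACL below are constructed."""

# Constructed directory data. A DC can enumerate its own domain's groups by
# itself; universal group membership is known only to a GC (or the cache).
USER_SID = {"alice": "S-1-5-21-1-1001"}
DOMAIN_GROUPS = {"alice": {"S-1-5-21-1-513"}}       # Domain Users (global)
UNIVERSAL_GROUPS = {"alice": {"S-1-5-21-1-2201"}}   # Contractors (universal)
PAYROLL_ACL = [("deny", "S-1-5-21-1-2201"),         # deny Contractors
               ("allow", "S-1-5-21-1-513")]         # allow Domain Users


class LogonDenied(Exception):
    """Default behaviour when no GC answers a non-administrator logon."""


def build_token(user, gc_reachable, ignore_gc_failure=False, cache=None):
    """Returns (sids, complete). `cache` models msDS-Cached-Membership when
    universal group caching is enabled on the site; None means disabled."""
    sids = {USER_SID[user]} | DOMAIN_GROUPS.get(user, set())
    if gc_reachable:
        universal = UNIVERSAL_GROUPS.get(user, set())
        if cache is not None:
            cache[user] = set(universal)   # logon with a GC populates the cache
        return sids | universal, True
    if cache is not None and user in cache:
        return sids | cache[user], True    # GC-less logon from cached membership
    if ignore_gc_failure:
        return sids, False                 # incomplete token: universal SIDs missing
    raise LogonDenied("no Global Catalog available")


def access_allowed(sids, acl):
    """Canonical ACE evaluation: denies are listed first, first match decides."""
    for kind, sid in acl:
        if sid in sids:
            return kind == "allow"
    return False


def scenario(gc_reachable, ignore_gc_failure=False, caching=False):
    """Logs alice on under the given conditions, then checks the payroll share."""
    cache = {} if caching else None
    if caching:
        build_token("alice", True, cache=cache)   # an earlier logon while the GC was up
    try:
        sids, complete = build_token("alice", gc_reachable, ignore_gc_failure, cache)
    except LogonDenied:
        return "logon refused"
    verdict = "granted" if access_allowed(sids, PAYROLL_ACL) else "denied"
    return f"access {verdict} ({'complete' if complete else 'incomplete'} token)"


if __name__ == "__main__":
    print("GC reachable:              ", scenario(True))
    print("GC down, default:          ", scenario(False))
    print("GC down, IgnoreGCFailure:  ", scenario(False, ignore_gc_failure=True))
    print("GC down, universal caching:", scenario(False, caching=True))
```

Only the IgnoreGCFailure case grants access, because the deny ACE never matches a token that lacks the universal group SID; the cached-membership case keeps the deny effective without a reachable GC.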

Design Implications of Universal Group Caching
- Design benefit
  - GCs are no longer permanently needed for logon
  - GC placement is now driven only by applications
  - Reduces replication overhead for GCs in many deployments
- Still good reasons to widely distribute GC servers (e.g. Exchange 2000)

Problem: GC Full Sync
- Adding attributes to the GC partial attribute set causes all GCs to full sync
  - Equivalent to re-promoting all GCs
  - No interruption in service
  - Bandwidth and CPU intensive
- Applications may add attributes to the GC partial attribute set that trigger a mass replication (e.g. Exchange 2000)

Solution: No GC Full Sync
- Replicate only the added attributes
  - Modification to the replication protocol
  - Works in Windows 2000-mode domain / forest*
  - Works between Windows Server 2003 DCs only
  - If a Windows Server 2003 DC cannot find a Windows Server 2003 partner, it will full sync
- Design benefit
  - Schema extensions that change the GC PAS can now be deployed without a GC full sync
  - Implication for the deployment of Windows Server 2003 DCs in a Windows 2000 AD

Application Directory Partitions

AD as an Application Directory
- Inappropriate to store volatile data
  - Only three choices of replication scope:
    - Not replicated
    - Domain-wide (domain NC)
    - Forest-wide (configuration NC)
  - Data may go to places where it is not used
- But the DS is a rich data store: powerful query, extensible schema, rich access control, and more

Application Directory Partitions
- Provide the ability to create new naming contexts within the directory
  - The DCs that host the replicas of the NC can be controlled
  - Cross-domain replication is supported
- With the exception of security principals, any type of object/attribute can be supported
- Will typically be created directly by applications

Application Partitions
- Create on / replicate to any DC in a forest (can cross domain boundaries)
  - As few or as many replicas as you want
  - Not replicated to the GC
  - Observes the existing forest site topology and replication schedule
  - Can contain any object type except security principals
  - Named and located via DNS (e.g., MyApp.xyz.com)
- Diagram: a forest with Domain1 and Domain2; each domain controller holds its own domain data, and application partition replicas (DNS data, IP telephony data) are placed on selected DCs across both domains

DEMO: Application Partition

Active Directory Multi-Forest Support

Forest Trust Scenarios: reasons for using forest trust
- High security demands / not trusting all domain admins in the forest / not all DCs in the forest physically secured
- Different AD schema requirements
- Isolation of a DMZ
- Outsourcing IT operations (the operator creates separate forests and administers them using the same credentials)
- Creating separate application forest(s)
- Sharing information with other organizations: partners, customers, suppliers...

External Trust
- Required for AD-NT4, AD-AD (inter-forest) and AD-AD (intra-forest shortcut trust)
- Non-transitive: a direct trust to each trusted domain is required
- External trust is an NT 4.0 style trust; requires NetBIOS name resolution (WINS or LMHOSTS file)
- Kerberos fails over an external trust
- Only NTLM authentication and authorization are possible over an external trust
- No support for UPN logons

External Trust Management (diagram: Forest A, Forest B and Forest C connected by separate external trusts)

Limits to W2K Multi-Forest Support: Kerberos Authentication (diagram: a user's PC in Forest A accessing a file server and a multi-tier application in Forest B over an external trust; Kerberos within the forest, NTLM only across the external trust)

External Trusts and Kerberos

Limits to W2K Multi-Forest Support: UPN Logon (diagram: a UPN logon from Forest A to Forest B over an external trust cannot reach Alice's DC; Kerberos fails, NTLM fails)

Forest Trust Overview
- One-way or two-way Kerberos trust
- Established between forest root domains
- Transitive between all domains in the two forests
- Forest trust is NOT transitive between forests
- Kerberos trust; NTLM is supported over the trust
- Diagram: Trust A-B and Trust B-C exist, but Forest A does NOT trust Forest C

Forest Trust Explained
- Allows you to authenticate using an account in the trusted forest
- Allows Kerberos and NTLM authentication
- Allows assigning rights to users, machines and groups in the trusted forest
- Allows UPN logon using credentials from any trusted domain (logon using the NetBIOS domain name is only possible between forest root domains)
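The transitivity rules from the External Trust and Forest Trust slides can be checked mechanically; the following added example (not Microsoft code) evaluates which trust, if any, lets a resource domain authenticate an account from another domain, and which protocols that trust permits. Forest and domain names, and the trust relationships, are constructed.

```python
"""Evaluates authentication paths under the three trust types on the slides:
intra-forest trusts (transitive within one forest), forest trusts (transitive
across all domains of exactly two forests, never chained to a third forest)
and external trusts (domain to domain, non-transitive, NTLM only).
Added illustration; forests, domains and trusts below are constructed."""

FORESTS = {
    "A": {"a.example", "child.a.example"},
    "B": {"b.example", "child.b.example"},
    "C": {"c.example"},
    "NT4": {"LEGACY"},   # stand-in for an NT 4.0 domain, which has no forest
}
# Two-way forest trusts between root domains: A<->B and B<->C, as in the diagram.
FOREST_TRUSTS = {("A", "B"), ("B", "C")}
# Two-way external trust between one AD domain and the NT 4.0 domain.
EXTERNAL_TRUSTS = {("child.a.example", "LEGACY")}


def forest_of(domain):
    for forest, domains in FORESTS.items():
        if domain in domains:
            return forest
    raise KeyError(f"unknown domain {domain}")


def _pair_in(pairs, x, y):
    """Both trusts above are two-way, so order does not matter."""
    return (x, y) in pairs or (y, x) in pairs


def trust_path(resource_domain, account_domain):
    """Returns (trust type, allowed protocols); (None, ()) when no trust applies."""
    rf, af = forest_of(resource_domain), forest_of(account_domain)
    if rf == af:
        return "intra-forest", ("Kerberos", "NTLM")
    if rf != "NT4" and af != "NT4" and _pair_in(FOREST_TRUSTS, rf, af):
        # Transitive between every domain of the two forests, but a forest
        # trust is never chained: A-B plus B-C gives A no path to C.
        return "forest trust", ("Kerberos", "NTLM")
    if _pair_in(EXTERNAL_TRUSTS, resource_domain, account_domain):
        # Non-transitive: only the two domains named in the trust are covered,
        # and Kerberos fails over it, leaving NTLM only.
        return "external trust", ("NTLM",)
    return None, ()


def can_authenticate(resource_domain, account_domain):
    return trust_path(resource_domain, account_domain)[0] is not None


if __name__ == "__main__":
    for res, acct in [("child.a.example", "child.b.example"),
                      ("a.example", "c.example"),
                      ("child.a.example", "LEGACY"),
                      ("a.example", "LEGACY")]:
        print(f"{res:18} <- {acct:18} {trust_path(res, acct)}")
```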

What Forest Trust Does NOT Provide
- For security, privacy and performance reasons it is NOT possible to perform LDAP browsing of trusted forests (LDAP search is possible, as long as you know the name of the security principal you wish to add from the trusted forest)
- It is NOT possible to log on using credentials from a trusted domain if the client does not support UPN logon (except between the forest root domains)
- Kerberos delegation is NOT supported over forest trusts

Cross-forest Authentication
- Network logon
  - Both Kerberos and NTLM are enabled
- Interactive logon
  - Smart card logon for Kerberos
  - Logon with UPN
    - Both Kerberos and NTLM are enabled
    - Type the full UPN (no domain selection / dropdown or NT4-style names)

Cross-forest logon

DEMO: Forest Trust

DNS Enhancements

Conditional forwarding (diagram): the server hosting zone example.com forwards *.acquired.com to the acquired.com server and all other names to its usual forwarder; the server hosting zone acquired.com forwards *.example.com to the example.com server and all other names to its usual forwarder.

Stub zone (diagram): the server hosting zone example.com also holds a stub zone for acquired.com; queries for *.acquired.com are sent to the name servers listed in the stub zone, i.e. the server hosting zone acquired.com.

DNS inter-namespace resolution mechanisms (comparison)

Scope
- Conditional forwarding: any name at the same or a higher level than the local zones
- Stub zone: any name at the same, a lower or a higher level than the local zones
- Delegation: only sub-domains of the local zones

Resolution
- Conditional forwarding: server resolves the query iteratively, then can try recursive
- Stub zone / delegation: server resolves the query or passes a referral to the client for iterative resolution, depending on the query

Firewalls
- Conditional forwarding: firewall-friendly
- Stub zone / delegation: can be affected by firewalls blocking clients

Configuration
- Conditional forwarding: configured per server
- Stub zone: automatically replicated if AD-integrated
- Delegation: always replicated to the other NS of the parent zone

When an NS is added to the target zone
- Conditional forwarding: has to be re-configured
- Stub zone: automatically updated
- Delegation: has to be re-configured

Fault tolerance
- Conditional forwarding: can be fault-tolerant

DNS Application Partitions in Active Directory

Issues with AD-integrated DNS zones (Windows 2000)
- Stored in the domain NC: only replicates intra-domain
- Complicates replication of:
  - Non-AD namespaces
  - The forest root domain

Availability of Forest Root
- The DNS zone of the forest root contains the DNS entries for:
  - Global Catalog location
  - DC location by GUID (required for replication)
- If the DNS zone corresponding to the forest root domain cannot be queried by DCs in other domains:
  - Replication may fail
  - GCs won't be found
  - Inter-tree trust relationships will fail
- Result: the forest root zone must be widely available, especially the zone _msdcs. (e.g. _msdcs.company.com)

Deploying DNS Best Practices (Win 2000) (diagram: forest root corp.example.com and child domain Domain1.corp.example.com across Site1, Site2, Site3)
- Forest root DCs: zones: primary AD-integrated corp.example.com
- Child domain DCs: zones: primary AD-integrated Domain1.corp.example.com, plus a standard secondary of _msdcs.corp.example.com
- _msdcs.corp.example.com reaches the child domain's DCs by zone transfer

Deploying DNS Best Practices (WS 2003) (diagram: forest root corp.example.com and child domain Domain1.corp.example.com across Site1, Site2, Site3)
- Forest root DCs: zones: application partition, primary AD-integrated corp.example.com
- Child domain DCs: zones: application partition, primary AD-integrated Domain1.corp.example.com
- _msdcs.corp.example.com is stored in a DNS application partition and reaches DCs in both domains by AD replication

DEMO: DNS Application Partition

Questions ?