W2K Migration Experiences Jack Schmidt Windows Policy Committee

Outline Background Migration Timeline Present Status Outstanding Issues

NT4 Domain Structure BSS TDFNALD0 D0Level3DMACS BDControls BEAMS Controls Systems CD,CDF,ESH, FESS,LS, PPD, VMS File Servers, and Web trust ESE

Win2k Original Domain Structure WIN FERMI OU’s for Div/Sec/Exp’s BD ControlsD0 ControlsBSS

Win2k Current Domain Structure WIN FERMI OU’s for Div/Sec/Exp’s D0 Controls

Migration Timeline Fall 2000 – Windows Migration Working Group formed Objective- “Provide Windows users with a secure environment to easily share resources across the site and with other labs.”

Migration Timeline Winter/Spring 2001 –Computer Security mandates all systems be ‘kerberized’ and user accounts be centralized. –Authentication issues MIT KDC or Microsoft AD –Allow NTLM authentication? »NTLMv2 vs NTLM/LM

Migration Timeline Summer/Fall 2001 –Dynamic DNS Issues All systems or just DCs? –Implementation Plan –Test Domain/Production Domain creation Fall/Winter 2001 –Production Domain/NT4 Domain Trust Issues Microsoft bug –Limited User Migration Clone NT4 user issues

Migration Timeline Winter/Spring 2002 –Administration Issues Prevent Creation/Deletion of Users Prevent override of critical security policies Domain Admins/OU Managers/OU Admins –Domain Controller Management Issues Spring/Summer 2002 –Critical System Plan –CNAS Synchronization –Migration Deadline set to Dec 2002 by Computer Security

Migration Timeline Summer/Fall 2002 –Service/Captive account procedures defined Service: backups, antivirus Captive: controls, teststands –Terminal Service Security research –Remote Control Software Security research –Workstation Migration increases Fall/Winter 2002 –Windows Policy Committee formed Reports to Directorate –Remote Control Software recommendation (IPSEC solution)

Migration Timeline Winter/Spring 2003 –Migration Continues –Terminal Server findings –NetBIOS block work Exception forms VPN Testing

Present Status

Unresolved Issues Collapsing NT4 Domains Macintosh Authentication Special NT4 Domains Terminal Servers/Wincenters not kerberized. VPN and AD Authentication testing Win95/98/NT4/2k workgroups & standalones, etc.

Comments? Questions?