1 SLAC Windows Migration Bob Cowles Presented for the SLAC Windows Migration Project HEPNT, Fermilab October 24, 2002

2 Overview Project Objectives Present NT Environment AD Environment Upgrade Path Related Projects Migrating Users

3 Project Objectives Provide a more stable and secure Windows environment for our user community More efficient administration – Simplified domain structure – Delegation of privileges – Enhanced distribution of software and policy (GPOs) – Integrated directory services (including Exchange 2000)

4 Project Objectives Provide new functionality for users – Better support for portables – Better networking support (VPN, wireless) – Better multimedia support – Better communications (OWA) Easier to support – Better support tools (Remote Assistance for Help Desk and local admins)

5 High-level view One domain with OUs representing mission, administrative and funding boundaries Desktops to have Windows XP and Office XP Exchange 2000 for all messaging Project to be completed Dec 2003 Other related projects – New storage project – SMS and GPO’s for software distribution – Monitoring project

6 Current NT Environment DescriptionSept Windows NT/2K domain machines on site~1400 % PC’s purchased as standard Dell HW (80% of current SLAC PC’s are now standard Dell HW) 91% Windows NT user accounts3600 Exchange 5.5 user accounts1500 Windows NT/2K central servers119 Windows NT/2K central file servers data2000GB WinNT workstations supported by central computing1000 (roughly 70%) Compliance for system fixes, anti-virus, etc.90% Other desktops Linux RedHat Desktops450 WinNT Workgroup,Win9x (not supported)~60 Windows 3.1/DOS (not supported)0 Macintosh (not supported)<100

7 Current NT Environment Master domain with 10 resource domains Laptops are W2K; better support for hardware and remote access Desktops are NT4; limiting W2K on the desktop due to the need for admin privilege for running many applications. Fileservers 2 TB data 60% user home directory, 40% groups directory Rate of growth: doubling every 12 months. Storage of user data on central servers is encouraged (there is no backup of workstations provided by SCS). Department servers are discouraged.

8 Current NT Domain Environment

9 Current NT Environment Print services reside on local domains Central account domain in SLAC Machine accounts in local domains Centralized WINS Servers DNS hosted on UNIX Bind systems Remote access via PPTP/VPN and ICA/Citrix

10 Current NT Environment Monitoring via network “ping” Anti-virus on all machines with InoculateIT. Updates downloaded from central server anti-virus scans via Sybari Antigen Veritas BackupExec used with DLT and LTO libraries to back up

11 Active Directory Environment Single forest and domain with multiple domain controllers (DC). FSMO roles reside in SLAC’s DC’s.

12 Windows Active Directory Environment Print services reside on central print servers Exchange 5.5 going to Exchange 2000 Central account domain in SLAC Machine accounts in department OU’s Centralized WINS Servers Delegated DNS zone win.slac.stanford.edu running as “Integrated Zone” on DC’s Remote access via PPTP/VPN and ICA/Citrix

13 Four Options As Upgrade Path 1) Migration tools and SID history pros:clean install of server infrastructure by going to ‘Native mode’, reversible. cons: migration tools were buggy. 2) Double ACL all resources pros:clean install of server infrastructure by going to ‘Native mode’, reversible. cons: need to re-ACL all resources, confusing.

14 Four Options As Upgrade Path 3) Re-ACL to new domain and cutover pros:clean install of server infrastructure by going to ‘Native mode’, short time. cons: not reversible, re-ACL resource domains, disruptive for users

15 Four Options As Upgrade Path 4) In-place Upgrade pros:Easier for administrators and users – No re-ACL – No new domain – No migration tools – No SID History – Less likely to break – Less overhead Upgrade went smoothly, recommended by Microsoft.

16 Related Projects - SMS Utilize for security updates, hotfixes and service packs Currently rolled out to half of lab (~700 workstations) New SMS rollout coincide with W2K/XP rollout Delegate abilities to OU Admin’s

17 Related Projects - GPO’s Use GPO’s for main policies – security policies – disabling services (Internet Connection Sharing, …) – authentication standards Ultimately use GPO’s to co-exist with SMS and boot floppy to rollout registry changes, software, hotfixes and service packs

18 Related Projects Implement new monitoring solution. Implement new backup solution. Upgrade Citrix Metaframe 1.8 on NT TSE to Citrix XPe on Windows 2000 over the coming year

19 Migrating Users Migration to Windows XP Office XP Exchange 2000 Clean install of 1600 client computers

20 Migrating Users-timeline Alpha migration, August 2002 Windows administrators Beta migration, September 2002 All central computing users, and power users from each department Pilot migration, November % representative sample across all departments General migration, December 2002-December 2003

21 Challenges Tight budget limits hardware upgrades – 4 yr. replacement cycle not always followed – XP needs 3 GB hard disk & 256 MB of memory – Older hardware works, but may run slower Limited resources and budget – Freeze Windows NT except for security Interoperability with SLAC UNIX environment – Samba gateway, AFS – Mitigated somewhat by WTS, WinSCP Varied missions, administration and funding