1183 Windows 2003 Migration Strategies Gary L. Olsen Consultant Americas Escalation Team HP Services
Windows 2000: Active Directory Design and Deployment Author: Gary Olsen Publisher: New Riders ISBN:
Agenda Migration Roadmap and Planning Migration Plan: Upgrade vs Restructure Functional Levels in Windows 2003 Moving from NT4 to Windows 2003 Moving from Windows 2000 to Windows 2003 Tools
HP’s Roadmap to a successful Windows 2000, 2003 infrastructure Current Design review Current Design review Plan & Design Assessment Manage Implementation Pilot Proof of Concept Proof of Concept Support
The Migration Plan In-Place Upgrade – Upgrade NT PDC to Windows 2003 Interim Mode No W2k DCs Prepare for the “Pile-On” problem Convert to Windows 2003 Forest mode – Upgrade Windows 2000 to Windows 2003 Mixed Mode (by default) NT, W2K, W2K3 DCs Upgrade NT, W2K to W2K3 Convert to Windows 2003 Native Domain, Forest mode In-Place Upgrade vs Restructure
Windows NT 4 1 A 2 C 2 B Windows 2000/2003 A Kerberos B C Windows 2000/2003 A 3 OUOU 3OUOU Domain Upgrade
Domain Restructure Windows NT 4 A C B Windows 2000/2003 “Pristine Domain” 1 A OUOU OUOU 3 4 Microsoft or 3 rd Party Migration Tool 2 1. Create pristine Windows 2000 forest/domain/OU structure 2. Configure Microsoft or 3 rd Party Migration Tool 3. Migrate global groups, machine accts and user accts from MUD 4. Migrate global groups, machine accts, user accts from Resource Domains to domain, OUs Accts, Groups can migrate to any domain/OU
In-Place Upgrade vs Restructure In-Place Upgrade Maintains domain model Retains Users, groups, trusts, settings, services, applications Easier, cheaper Higher Risk – destroys NT4 Structure “Pile-on” bug Collapse domains in multiple steps Domain Restructure Allows one step domain collapse Rebuild trusts, settings, applications, etc. Expensive: Additional new hardware, Migration tool Lower risk – keeps NT4 structure Tear down and re-create with less impact on production
Functional Levels in Windows 2003
Functional Level Basics Review of native and mixed mode Functional levels as Active Directory versioning scheme Domain Functional Level – Windows 2000 Native and Mixed – Windows 2003 Native and Mixed – Windows 2003 Interim (NT) Forest Functional Level – Windows 2000 (none) – Windows 2003 Native – Windows 2003 Mixed NOTE: – Windows 2003 Mixed – “Windows 2000 Native/Mixed” in the UI Default – Windows 2003 Native = “Windows 2003” in the UI
W2k FOREST Review: Win2k Native/Mixed Domains NT 4.0 BDC W2K DC Native Mixed
Win2003 FOREST Domain Functional Levels: Windows Server 2003 Native in W2K Forest NT 4.0 BDC W2K DC Windo ws Server 2003 DC Windows Server 2003 Native W2K Mixed W2k Native
Win2003 Mixed FOREST Domain Functional Levels: Windows Server 2003 “Interim” NT 4.0 BDC W2K DC Windo ws Server 2003 DC Windows Server 2003 Native
Win2003 Native FOREST Windows Server 2003 Forest “Native” level Windows Server 2003 Windows Server 2003 Native
Domain Level Domain VersionDomain Functionality Features EnabledDCs Supported 0Windows 2000 mixedBasic Windows 2000Windows NT 4.0, Windows 2000, Windows Server Windows 2000 nativeGroup nesting, Universal groups Windows 2000, Windows Server Windows Server 2003 interim mixed ??Windows NT 4.0 and Windows Server Windows Server 2003 interim native ??Windows Server DC rename, Logon timestamp, User password attribute, Security?? Windows Server 2003
Forest Level Forest Version Forest FunctionFeatures EnabledDCs Supported 0Windows 2000Basic Windows 2000Windows NT 4.0, Windows 2000, Windows Server Windows Server 2003 interim Link value replication and improved KCC algorithm. Still in mixed mode. Windows NT 4.0, Windows Server Windows Server 2003Whatever… all domains must be in native mode Windows Server 2003
Migration Plan
Win 2003 “Mixed’ FOREST 1. Upgrade all DCs in Forest to Windows Server 2003 NT 4.0 W2K Windo ws Server 2003 Windo ws Server 2003 Native Mixed W2K Native
W2003 Mixed FOREST 2. Raise Domain Functional Level to Windows Server 2003 (2003) – all domains NT 4.0 W2K Windo ws Server 2003 Windo ws Server 2003 Native
W2003 Forest Native 3. Raise Forest Functional Level to Windows Server 2003 (2003) NT 4.0 W2K Windows Server 2003 Windows Server 2003 Native
In-place upgrade Windows NT to Windows 2003
Process Watch for the “Pile On” issue Prepare DNS – Put W2K3 DNS server in NT domain – NT4 Clients can use it (but can’t register) – Ready for the W2K3 upgrade Upgrade PDC first Set Forest Functional level to “Interim” when running DCPROMO Gradually upgrade BDCs Switch Functional Level (forest and domain) to Windows 2003 (Native)
The Pile-On Issue Basic: Win2K Pro workstations will authenticate to a Kerberos Key Distribution Center (KDC) – If no KDC, falls back to NTLM – UNLESS: It finds a KDC once… Problem: In-place upgrade – PDC is upgraded to Win2k as DC (KDC) All W2k Pro clients, servers will authenticate to it – Flood slow WAN links – Won’t authenicate to local BDCs – Big Problem for W2K Member Servers
Pile-on Solution Q – SP2 Required (prefer SP3) Regkey sets NT4 Emulation on PDC (no kerberos) – Problem – can’t Promote DC – needs Kerberos Another “fix” – “Neutralize” RegKey on other DCs – With sufficient DCs to handle the W2K Pro load, re-set the keys – Also see Q – Local Logon Process for Windows 2000 Requires – W2K or W2K3 DNS – W2K Trust
Another Pile-on Solution Downlevel Trust Put W2k Pros in W2k Test Resource Domain W2K Pros Authenticate to W2k DC NT4 “A” W2K “B” Win2k DC PDC
Setting 2003 Interim Level
Migrating from Windows 2000 to Windows 2003
In-Place Upgrade from Windows 2000 Easy and seamless upgrade process – No restructuring necessary – No forest, domain, OU or site topology planning necessary – No user/ workstation/ profile migration necessary Full compatibility between 2003 DC and Windows 2000 DC – 2003 DC can play any FSMO role in Windows 2000 forest – Upgrade from Windows 2000 or build new replica Preparing forest and domains are separate steps from introducing the first 2003 DC
Impact on current Windows 2000 environment Schema extensions (ADPrep) – Affects every DC – W2K and W2K3 – Can’t go back Group Policy – Over 200 new settings Software Restriction Policies RSOP New Cool W2K3 tools – Available thru XP too! Little impact on replication traffic:
Pre-upgrade Checklist Check the HCL System State Backup – At least 2 DCs in each domain +forest root Inventory Domain Controllers in the forest – Windows 2000 SP3 (best) – Windows 2000 SP2 (minimum) Verify end to end AD replication throughout the forest – W2K3 or XP: Repadmin /Replsum Verify FRS Replication FSMO role owners inventory Event Logs – errors, warnings of interest Disk Space inventory
ADPrep /ForestPrep REQUIRED To upgrade Windows Location: Windows 2003 Server CD \i386\adprep.exe Runs on the Schema Master server May cause full replication to Windows 2000 GCs Extends the AD schema Adjusts ACLs on special containers Creates special container when finished successfully – CN=Windows2002Update,CN=ForestUpdates,CN=Configuration,DC= Upgrade without ADPrep first yields errors…
Moving to Windows 2003: Restructuring
Inter-forest scenario: Migrating from Windows NT/2000 to 2003 AmericasEMEAAsiaPac Accounts Server Resources
Restructuring considerations Need to preserve the SID when crossing the domain boundary Use SIDHistory attribute: – Available only in Windows 2000 native mode
Scenario 1: NT-W2K3 Migration New GUID New SID Must use SIDHistory NT4 -> Win2K NT4 -> 2003 Win2K -> 2003 Accoun ts
Scenario 2: Inter-Forest Migration New GUID New SID Must use SIDHistory Win2K -> Win2K Win2K -> 2003 > 2003 W2K-W2KW2K-W2K W2K-W2K3W2K-W2K3 W2K3-W2K3W2K3-W2K3
Scenario 3: Intra-Forest (between domains) Same GUID New SID Must use SIDHistory Win2K -> Win2K Win2K -> 2003 > 2003
Scenario 4: Domain rename Objects are intact 2003 forest only
What you can do (The Good): – Rename a DC. – Rename a domain: DNS or NETBios or both! – Rename and restructure domains in a forest. Restrictions (The Bad): – Can’t do it if Exchange is deployed in forest Earliest support is Titanium SP1 – Can’t Rename A DC that has Certificate Services installed – Can Rename a domain that has Microsoft CA installed but it is very ugly – Must be in Windows 2003 Native Forest mode: Only W2K3 DCs in Forest – Can rename root domain but can’t change domain that is forest root. Intra-forest scenario: Domain rename
Domain Rename A.com C.A.com B.A.com D.B.A.com The Original…
Domain Rename A.com C.A.com B.A.com D.C.A.com Move to new Parent (grandchild)
Domain Rename A.com C.A.com B.A.com D.A.com Move to New Parent (Child)
Domain Rename A.com C.A.com B.A.com D.com New Domain Tree
Domain Rename Z.com C.Z.com B.Z.com D.B.Z.com Still the old “A” domain – just called “Z” now
Domain Rename Gotchas – MUST LOCK DOWN THE ENTIRE FOREST DURING DOMAIN RENAME PROCESS – DCs in renamed domain won’t replicate with DCs in original domain. Replication limbo Two replication topologies What happens to password, other changes?
Domain Rename “Limbo State” my.company.com your.company.com C D E B A No Replication
Domain Rename Gotchas continued – Applications that depend on domain name may have problems. – Affects DFS/FRS – Resources Trusts. Secure channels to workstations (ouch!). Shares, mapped drives, logon scripts. – Does NOT support “Grafting” or Merging of forests. HP will be renaming corporate Windows 2000 domain from CPQCorp.net to HPQCorp.net
Technologies: ADMT V2 Inter-forest and Intra-forest restructuring Inter-forest password migration: – Source: NT4 (incl. syskey) – Windows – Target: Windows 2000 – Windows 2003 Command line interface – Batch mode migration Scripting interface Migration delegation Extensive reporting capabilities
Technologies: 3 rd Party NetIQ Quest Software Aelita bindView
Interex, Encompass and HP bring you a powerful new HP World. Questions?