1. W2K Migration Experiences Jack Schmidt Windows Policy Committee

2. Outline Background Migration Timeline Present Status Outstanding Issues

3. NT4 Domain Structure BSS TDFNALD0 D0Level3DMACS BDControls BEAMS Controls Systems CD,CDF,ESH, FESS,LS, PPD, VMS File Servers, Email and Web trust ESE

4. Win2k Original Domain Structure WIN FERMI OU’s for Div/Sec/Exp’s BD ControlsD0 ControlsBSS

5. Win2k Current Domain Structure WIN FERMI OU’s for Div/Sec/Exp’s D0 Controls

6. Migration Timeline Fall 2000 – Windows Migration Working Group formed Objective- “Provide Windows users with a secure environment to easily share resources across the site and with other labs.”

7. Migration Timeline Winter/Spring 2001 –Computer Security mandates all systems be ‘kerberized’ and user accounts be centralized. –Authentication issues MIT KDC or Microsoft AD –Allow NTLM authentication? »NTLMv2 vs NTLM/LM

8. Migration Timeline Summer/Fall 2001 –Dynamic DNS Issues All systems or just DCs? –Implementation Plan –Test Domain/Production Domain creation Fall/Winter 2001 –Production Domain/NT4 Domain Trust Issues Microsoft bug –Limited User Migration Clone NT4 user issues

9. Migration Timeline Winter/Spring 2002 –Administration Issues Prevent Creation/Deletion of Users Prevent override of critical security policies Domain Admins/OU Managers/OU Admins –Domain Controller Management Issues Spring/Summer 2002 –Critical System Plan –CNAS Synchronization –Migration Deadline set to Dec 2002 by Computer Security

10. Migration Timeline Summer/Fall 2002 –Service/Captive account procedures defined Service: backups, antivirus Captive: controls, teststands –Terminal Service Security research –Remote Control Software Security research –Workstation Migration increases Fall/Winter 2002 –Windows Policy Committee formed Reports to Directorate –Remote Control Software recommendation (IPSEC solution)

11. Migration Timeline Winter/Spring 2003 –Migration Continues –Terminal Server findings –NetBIOS block work Exception forms VPN Testing

12. Present Status

14. Unresolved Issues Collapsing NT4 Domains Macintosh Authentication Special NT4 Domains Terminal Servers/Wincenters not kerberized. VPN and AD Authentication testing Win95/98/NT4/2k workgroups & standalones, etc.

15. Comments? Questions?