Slide 1: In Place Windows NT 4.0 Upgrade
V1.1
Mike Brannigan, Enterprise Strategy and Senior Consultant
Slide 2: Agenda
– Why Upgrade from Windows NT 4.0 Domains to Windows 2003 Active Directory?
– In Place Upgrade
– Customer Experiences
– Not covering design (Domain, Forest, OU, Site..)
Slide 3: Why Upgrade from Windows NT 4.0 Domains to Windows Server 2003 Active Directory?
Slide 4: Why Upgrade from NT4 to Win2K3 AD?
Technical Benefits
– Deploy Directory enabled applications
  – Exchange 200x
  – ISA Server
  – Live Communications Server
  – Numerous 3rd party applications
– Reduced Complexity
  – Fewer domains & trusts
  – Easier to apply policies
  – Easier to delegate administrative tasks within the IT organisation (e.g. helpdesk, not Domain Admin)
Slide 5: Why Upgrade from NT4 to Win2K3 AD?
Increased security
– Kerberos
– Secure by Design, Deployment and Default
– PKI / smartcard
– Wireless network security
More user self-service / delegated admin
– Delegation
– MMC
Slide 6: Business Benefits
– Reduced Cost
– Increased Security
– Support business changes
– Raise productivity
– Be supportable
Slide 7: In Place Upgrade
Slide 8
Benefits
– Minimal migration effort for users, clients and servers
– Preserves NetBIOS domain name
– No need for SIDHistory / re-ACLing
– No need to migrate mailboxes
Disadvantages
– Need to avoid “piling-on”
– Perceived as higher risk (big bang)
– Not the MCS preferred method when Windows 2000 was released
Slide 9: In Place Upgrade
Preparation
– Domain health checks & determine security settings
– Check for services running as LocalSystem
Test Upgrade (typical approach is the “swing” upgrade)
– Delegate DNS zone for new root/child domain
– Backup an old BDC and take it offline
– Install new NT4 BDC on new production hardware
– Promote new BDC to PDC
– Upgrade PDC to Windows 2003
Rollback if needed
– Take new PDC offline
– Bring back old BDC
– Promote to PDC
Slide 10: Preparation
Security improvements change the behaviour of Windows 2003 Server Domain Controllers
– SMB signing and secure channel encryption enforced
– Domain Controller access policies
Adjustments needed for older clients
– Windows NT 4.0 SP3 and higher, Windows 2000 and XP clients work without adjustments
– Win9x and Windows NT 4.0 pre-SP3 require changes to the default policies
  – Disable enforcement of SMB signing
  – Network access: allow anonymous SID look-up
Slide 11: Win2K3 AD Security Changes
Slide 12: Preparation
Check for services running as LocalSystem on all member servers and workstations
– Re-configure the service to use a user account, or
– Upgrade the server to Windows 2000 / 2003, or
– Use “Enable downlevel access” in dcpromo
– E.g. RAS service
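The inventory step this slide describes, as an added PowerShell example that is not part of the presentation: it lists every service configured to run as LocalSystem on a set of member servers and workstations over WMI, producing the triage list from which each service gets one of the slide's three fixes. It assumes the targets expose WMI remotely (Windows 2000/2003/XP do by default; NT 4.0 only with the WMI core installed), that the caller is an administrator on them, and that the host names are constructed placeholders.

```powershell
# Added example (not from the presentation): inventory services running as
# LocalSystem across a list of hosts. Host names are constructed placeholders.
$Computers = @('MEMBER01', 'WKSTN02')

function Get-LocalSystemServices {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [switch]$RunningOnly
    )
    foreach ($c in $ComputerName) {
        $services = Get-WmiObject -Class Win32_Service -ComputerName $c -ErrorAction SilentlyContinue
        if ($services -eq $null) {
            Write-Warning "${c}: unreachable, WMI not available, or access denied"
            continue
        }
        foreach ($s in $services) {
            # Win32_Service.StartName is 'LocalSystem' for the built-in system account.
            # NetworkService / LocalService (Win2K3, XP) and domain accounts are not
            # affected by the hardened DC defaults and are skipped here.
            if ($s.StartName -ne 'LocalSystem') { continue }
            if ($RunningOnly -and $s.State -ne 'Running') { continue }
            New-Object PSObject -Property @{
                Computer    = $c
                Service     = $s.Name
                DisplayName = $s.DisplayName
                StartMode   = $s.StartMode
                State       = $s.State
                PathName    = $s.PathName
            }
        }
    }
}

# The output is a triage list, not a list of faults: many built-in services
# legitimately run as LocalSystem. Each entry that talks to the domain gets one of
# the slide's fixes: a domain service account, an OS upgrade to Windows 2000/2003,
# or "Enable downlevel access" in dcpromo.
Get-LocalSystemServices -ComputerName $Computers -RunningOnly |
    Sort-Object Computer, Service |
    Format-Table Computer, Service, StartMode, State, PathName -AutoSize
```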
Slide 13: Preparation
Cleanup the NT 4.0 directory
– Unused groups
– Group membership (esp. Domain Admins)
– Retired users
– Old computer accounts
Ensure NT4 SP6a is on all DCs and SP3+ on other NT computers
Check for LMHOSTS & static WINS addresses
Change freeze
Check replication health (KB158148): NLTEST /BDC_QUERY:
Windows NT 4.0 Resource Kit Tools: http://www.microsoft.com/ntserver/nts/downloads/recommended/ntkit/default.asp
Slide 14: Preparation
Backup
– PDC
– The BDC which will be taken offline for rollback
– Test the backup to ensure it can be restored successfully
Slide 15: Test
Create a test lab to prove the process
– Isolated test lab (same NetBIOS names)
Use a restored copy of the production PDC and BDC
– Could use Virtual Server and the VS Migration Toolkit to make a copy of the 2 production DCs
Use the same hardware as that planned for the new production environment
Resolve all issues before attempting in production
– Repeat full tests if necessary, right from creating a new backup
Slide 16: Upgrade
Make the DC you will upgrade last the Lmrepl export server
– If Lmrepl export is on the PDC, promote a BDC, or
– Select one NT 4.0 BDC to be the new Lmrepl export server & reconfigure Lmrepl on all NT 4.0 BDCs to point at this one
– Wait for Lmrepl to stabilise before proceeding
Slide 17: Upgrade
Secure one BDC
– Sync with PDC
– Take backup and test restore
– Take BDC offline and keep in storage
Install new BDC on new production hardware
– Make partition as large as possible (>2GB)
– No agents
– No 3rd party software (other than drivers if needed)
Promote new BDC to PDC
Slide 18: Upgrade
Win2K and WinXP clients will only communicate with Win2K/Win2K3 DCs in a mixed-mode domain
Potential for DC overload, especially when the PDC is upgraded
Solution is to make the Win2K3 DCs emulate NT 4.0 DCs (KB298713)
– Set the following registry key on each Win2K3 DC prior to completing DCPromo:
  HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\NT4Emulator DWORD 0x1
Slide 19: Upgrade
Upgrade PDC
– PDC will not be able to perform the PDC role during upgrade & DCPromo execution
– No changes possible (no new users, groups, group membership changes)
– Clients and workstations will not be able to change passwords
– Trusts might fail
  – Use Nltest and Netdom to test/fix
– Plan for the change freeze / downtime
Slide 20: Review: AD Functional Levels
Domain Functional Level            Forest Functional Level
Windows 2000 mixed (1)             Windows 2000
Windows 2000 native (1)            Windows 2000
Windows Server 2003 interim (2)    Windows Server 2003
(1) These modes also apply to Windows Server 2003 domains & have the same name
(2) Only when upgrading directly from NT4 to Win2K3 (no Win2K DCs)
Slide 21: AD Functional Levels
Domain functional level directly affects migration:
– Windows 2000 domain native mode needed for
  – SIDHistory
  – Group nesting
Forest functional level indirectly affects migration:
– Windows Server 2003 interim forest functional level needed for
  – Linked-value replication (groups with >5k users)
  – ISTG improvements (larger number of AD sites)
Slide 22: Windows Server 2003 interim functional level
Enabled in two ways:
– In place upgrade route:
  – When upgrading the NT 4.0 PDC, the Active Directory Installation Wizard offers you the option to raise the forest functional level to Win2K3 interim
– New Win2K3 forest route:
  1. Build a new Win2K3 domain as the forest root
  2. Raise the forest functional level to Win2K3 interim using ADSIEdit or LDP (KB322692)
  3. Upgrade existing NT 4.0 domains as child domains
Slide 23: AD Functional Levels
Conclusion
– Only 1 downside (not able to have Windows 2000 DCs)
– Several benefits
– Use it unless you will have Win2K DCs
Slide 24: Upgrade
Configure security settings
– SMB signing
– Anonymous SID/name translation
Authorise DHCP if installed on the PDC
Verify success
– Verify down-level replication works
– Verify that users can be added and passwords can be changed
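The two settings named here and on the Preparation slide (SMB signing enforcement and anonymous SID/name translation), written out as a security template, as an added example that is not from the presentation: the template carries the relaxed value each legacy-client adjustment needs, with the hardened Windows Server 2003 domain controller default in a comment beside it so the change can be reverted once the Win9x and NT 4.0 pre-SP3 clients are gone. Function names and file paths are this example's own; the template keys are the standard secedit names for those two Security Options.

```powershell
# Added example (not from the presentation): security template for the two
# DC settings that legacy clients need relaxed, with an analyse-only check.
$LegacyClientTemplate = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
; "Network access: Allow anonymous SID/Name translation"
; Win2K3 DC default: 0 (disabled). 1 restores the NT 4.0 behaviour.
LSAAnonymousNameLookup = 1
[Registry Values]
; "Microsoft network server: Digitally sign communications (always)"
; Win2K3 DC default: 4,1 (signing required). 4,0 stops enforcing SMB signing.
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
'@

function Write-LegacyClientTemplate {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Templates declare Unicode=yes, so save as UTF-16 (what secedit expects).
    Set-Content -Path $Path -Value $LegacyClientTemplate -Encoding Unicode
    return $Path
}

function Test-LegacyClientTemplate {
    # Analyse only: compares the local policy with the template and writes the
    # differences to the log; nothing is changed.
    param(
        [Parameter(Mandatory = $true)][string]$Inf,
        [string]$WorkDir = 'C:\Temp'   # constructed placeholder
    )
    $db  = Join-Path $WorkDir 'legacy-clients.sdb'
    $log = Join-Path $WorkDir 'legacy-clients.log'
    & secedit /analyze /db $db /cfg $Inf /log $log
    return $log
}

$inf = Write-LegacyClientTemplate -Path 'C:\Temp\legacy-clients.inf'
Test-LegacyClientTemplate -Inf $inf
```

To apply the change on domain controllers, import the .inf into the Default Domain Controllers Policy (Security Settings > Import Policy...) rather than running secedit /configure locally on a DC, where the next Group Policy refresh would overwrite it.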
Slide 25: Upgrade
Install and configure Lmbridge to export the contents of SYSVOL on a Win2K3 DC to the Lmrepl export server
– http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en
Copy all logon scripts and other files from the Lmrepl export server to the PDCe
Configure Lmbridge to copy files from the PDCe to the Lmrepl export server
Change files on the PDCe only
Slide 26: Upgrade
Continue upgrading BDCs by adding new Win2K3 servers and retiring old NT 4.0 servers (i.e. don’t upgrade NT 4.0 BDCs)
Once all DCs in all domains are Windows 2003, switch to the Windows 2003 forest functional level
Slide 27: Post Upgrade
The problem with NT4Emulator:
– The DC ignores LDAP calls, so you cannot remotely administer it, nor can you add further Win2K/2K3 DCs
Solution is another registry key on the admin client(s) and on additional Win2K/2K3 DCs (before running DCPromo):
  HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\NeutralizeNT4Emulator DWORD 0x1
Transfer FSMO roles off the 1st DC and DCPromo it out of the domain (the machine was an NT 4.0 upgrade)
In multi-domain forests, don’t worry about single domain modes; wait until the last domain is upgraded
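The NT4Emulator value from the Upgrade slide (KB298713) and the NeutralizeNT4Emulator value from this slide, handled together as an added PowerShell example that is not from the presentation: it sets whichever of the two a machine needs, reads the value back rather than trusting the write, and reports the combined state so a DC left with NT4Emulator=1 and nothing neutralising it is visible before LDAP administration or a further DCPromo fails. The key path and value names are the ones the slides give; the function names and the Emulate/Neutralize role labels are this example's own.

```powershell
# Added example (not from the presentation): set and verify the NT4Emulator /
# NeutralizeNT4Emulator Netlogon values on the local machine.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonFlag {
    param([Parameter(Mandatory = $true)][string]$Name)
    $item = Get-ItemProperty -Path $NetlogonParams -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }   # value absent: behaves as 0 (off)
    return [int]$item.$Name
}

function Set-NetlogonFlag {
    param([Parameter(Mandatory = $true)][string]$Name, [int]$Value = 1)
    if (-not (Test-Path $NetlogonParams)) {
        throw 'Netlogon parameters key missing; is this a Windows 2000/2003 machine?'
    }
    # -Force overwrites an existing value; DWord matches the slides' "DWORD 0x1".
    New-ItemProperty -Path $NetlogonParams -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    return (Get-NetlogonFlag -Name $Name) -eq $Value   # verified by read-back
}

function Set-NT4EmulationRole {
    # Emulate    -> NT4Emulator = 1 on a Win2K3 DC, before DCPromo completes
    # Neutralize -> NeutralizeNT4Emulator = 1 on admin clients and on any further
    #               Win2K/2K3 DC before it runs DCPromo
    param([Parameter(Mandatory = $true)][ValidateSet('Emulate', 'Neutralize')][string]$Role)
    $name = if ($Role -eq 'Emulate') { 'NT4Emulator' } else { 'NeutralizeNT4Emulator' }
    if (-not (Set-NetlogonFlag -Name $name -Value 1)) { throw "Failed to set $name" }
    Write-Output ('{0} = {1}' -f $name, (Get-NetlogonFlag -Name $name))
}

function Show-NT4EmulationState {
    foreach ($n in 'NT4Emulator', 'NeutralizeNT4Emulator') {
        $v = Get-NetlogonFlag -Name $n
        if ($v -eq $null) { $v = 'not set (0)' }
        Write-Output ('{0,-22} {1}' -f $n, $v)
    }
}

Show-NT4EmulationState
# Set-NT4EmulationRole -Role Emulate      # on the Win2K3 DC being promoted
# Set-NT4EmulationRole -Role Neutralize   # on admin workstations / additional DCs
```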
Slide 28: Rollback
If there are problems after the upgrade of the PDC (e.g. authentication, replication etc.) which cannot be resolved:
– Turn off new PDC
– Turn secured BDC back on
– Promote secured BDC to PDC
– Initiate replication
– If you’ve not used NT4Emulator, any Win2K and XP clients will not be happy with rollback
  – Reset the secure channel using Netdom, or
  – Remove workstation from domain, and re-introduce
Slide 29: Customer Experiences
Slide 30: In Place Upgrade - Customer Experiences
Alliance & Leicester
– Forgot to add NT4 RAS servers to the RAS and IAS Servers group
– Teamed NIC became un-teamed during upgrade; one NIC stole the hostname so the new PDC had the wrong name
Motorola
– In place upgrade of master account domain
– Migrated 7 further account domains into new master
– Collapsed 8 resource domains into 1 child domain
Slide 31: mikebran@microsoft.com
Slide 32: ©2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.