Windows Server 2003: Migrating from Windows NT 4.0 to Windows Server 2003. Speaker: MCSE - MCT.


1 Windows Server 2003: Migrating from Windows NT 4.0 to Windows Server 2003. Speaker: Corrado.Cappucci@pipeline.it, MCSE - MCT

2 Agenda for the day
09.30: Planning the migration of directory services
11.00: Coffee break
11.15: Preparing the migration of directory services
13.00: Lunch break
14.00: Managing network services during the migration
15.15: Coffee break
15.30: Upgrading and restructuring domains
17.30: Particularities of migrating from Windows NT4 to SBS 2003
18.00: Questions & Answers

3 Introduction to Migrating from Windows NT 4.0 to Windows Server 2003

4 The Benefits of Migrating to Windows Server 2003
Domain consolidation
Enhanced security
Application support
Server performance
Centralized management with Group Policy
Simplified administration and resource management

5 Active Directory Design and Migration
Active Directory design (the input to the migration process):
Forest plan
Domain plan
DNS namespace plan
OU plan
Site plan
Functional levels plan
Migration deployment project:
Planning the migration deployment
Designing a migration strategy
Deploying the migration

6 Migration Terminology
Domain migration: moving user, group, and computer accounts from a Windows NT 4.0 domain to a Windows Server 2003 domain
Source domain: the domain from which security principals are being migrated
Target domain: the domain into which security principals are being migrated
Account domain: a Windows NT 4.0 domain that contains user and group accounts
Resource domain: a Windows NT 4.0 domain that hosts file, print, and other services and primarily contains computer accounts
Domain consolidation: restructuring a larger number of domains into a smaller number of domains
Functional levels: provide backward compatibility for the different Windows operating systems that use Active Directory
SID-History: an attribute of Active Directory security principals that is used to store the former SIDs of moved objects

7 Migration Preparation Tasks
Clean up the SAM database
Install Windows NT 4.0 Service Pack 4 or later
Prepare the domain controller for migration
Prepare for a domain restructure
Ensure that the DNS implementation supports Active Directory
Lock down the Windows NT 4.0-based environment
Relocate the LMRepl file
Migrate Remote Access Service
Freeze the Windows NT 4.0 domain controller environment

8 Interim Migration Tasks
Provide reliable name resolution services during the migration
Identify possible interruptions to the DHCP Server service
Develop a strategy for planning remote access support
Maintain file replication services
Develop a strategy for transitioning from Windows NT 4.0 System Policy to Group Policy
Develop a strategy for transitioning from Windows NT 4.0 logon scripts to Group Policy
Test applications for functionality and interoperability
Verify whether a service pack or newer version will make software functional

9 Guidelines for Identifying the Current Resources and Network Services
Identify:
Current network services, which include:
 Logical organization of the network and services
 Geographic locations and physical connectivity
 Statically assigned IP addresses and other network operating systems
DNS infrastructure
File and print resources
All backup and restore processes

10 Server Planning
1. Complete the Active Directory site topology
2. Determine the number of domain controllers
3. Consider operations and services that affect performance
4. Determine the minimum number of domain controllers

11 Components of a Migration Strategy
A migration strategy:
Determines the migration path for every domain in the organization
Determines the migration sequence
Defines the overall plan for how the migration will occur
A migration strategy consists of:
Migration path: the migration path for each Windows NT 4.0 domain that will be migrated to Windows Server 2003
Migration sequence: the sequence for migrating all Windows NT 4.0 domains to Windows Server 2003
Forest root domain: the method for creating the forest root domain

12 How to Develop a Migration Strategy
After determining an Active Directory design:
1. Develop a domain upgrade or a restructure strategy
2. Choose a migration path
3. Plan the deployment of the migration strategy

13 Criteria for Selecting a Domain Migration Path
Migration path selection criteria and their decision points:
Domain structure: Are the domain structures similar?
Downtime tolerance: What is the tolerance for production downtime?
Risk tolerance: What is the organization's tolerance of risk?
Time constraints: Is there a preference for a shortened timeline?
Resource availability: Are the resources available for the migration?
Application compatibility: Are there server-based applications that are incompatible with Windows Server 2003?
Budget constraints: What are the effects of decreasing budgets?
Available tools: Are the necessary tools available to implement the migration?

14 Reasons for Selecting the Domain Upgrade Path
Select the domain upgrade path when:
The existing domain structure is similar to the proposed structure
Some downtime is acceptable
Minimal risk is required
The migration must be completed in the least amount of time possible
Resources to work on the migration are limited
Existing applications are compatible
Budget is limited for new hardware
No special tools are required
A domain upgrade may not be appropriate when:
The existing domain infrastructure is ineffective or outdated
An infrastructure change directly impacts your production environment
There is little or no reduction in the number of servers
There is little or no reduction in administrative costs

15 Reasons for Selecting the Domain Restructure Path
Select the domain restructure path when:
The existing structure does not meet the business or migration goals
Downtime cannot be tolerated
Some degree of risk can be incurred
There is enough time in the schedule
There are enough resources available
Some of the applications are not compatible with the new environment
There is enough money in the budget to buy additional hardware
ADMT can be used
A domain restructure may not be appropriate when:
Your current domain infrastructure meets business needs
There is a potential short-term increase in hardware costs

16 Reasons for Selecting the Upgrade and Restructure Path
Select the upgrade and restructure path when:
The proposed Active Directory domain structure is similar to the existing domain structure
The organization wants to use certain Active Directory features early
The organization wants to implement a solution that presents the least amount of risk
The organization wants to restructure eventually
Resources are not available to perform a restructure
Lower short-term hardware costs and administrative costs are desired
ADMT can be used
An upgrade followed by a restructure may not be appropriate when:
Rapid deployment of the restructured environment is a migration goal
The current environment is not similar to the proposed environment

17 Criteria for Determining How to Create a Forest Root Domain
Create the forest root domain by:
Upgrading an existing Windows NT 4.0 domain
Running the Active Directory Installation Wizard on a computer running Windows Server 2003
Issues of upgrading an existing domain:
Domain represents the organizational headquarters
Region that has the fastest network connection
Political issues of choosing the domain to upgrade
Issues of creating a new forest root domain:
Creates a clean forest root
Serves as a neutral root so that no region appears to be subordinate
Overhead of creation and management of the domain

18 The Recommended Sequence for Migrating Domains
1. Migrate the account domain (source account domain to the target OU)
2. Migrate the resource domains (source resource domains to the target OUs)
Migrate account domains first to:
Improve scalability of Active Directory
Delegate user administration

19 Guidelines for Determining the Sequence for Upgrading Account Domains
Upgrade the domains in which you have the easiest physical access to the domain controllers
Upgrade the domains that will contain objects from restructured domains early in the process
Balance the risk versus the benefit of upgrading the domain

20 Guidelines for Determining the Sequence for Upgrading Resource Domains
Upgrade any domains that contain applications that require the features of Windows Server 2003
Upgrade domains that will contain objects from restructured domains early in the process
Upgrade domains with many client computer accounts

21 Guidelines for Determining the Sequence for Upgrading Domain Controllers
Upgrade the PDC first
Upgrade all of the BDCs after upgrading the PDC
Upgrade a BDC first if the PDC does not meet the installation requirements:
 Promote the BDC to a PDC
 Upgrade the newly promoted PDC to Windows Server 2003 and Active Directory

22 The Recommended Sequence for Restructuring Objects in a Domain
1. Migrate user and group accounts
2. Migrate client computer accounts
3. Migrate member servers
4. Move domain controllers

23 Maintaining Network Operations During a Migration

24 Network Components Impacted by Migration
Network services issues:
Name resolution
Remote access
DHCP
Workstation environment not configured
Application issues:
Compatibility with Windows Server 2003
Compatibility with Active Directory
Internet Information Server, SQL Server, Exchange Server
Network performance issues:
Authentication
Active Directory replication
Domain controller

25 The Effects of Migration on DNS
Effects of Active Directory:
DNS infrastructure must support Active Directory
Domain controllers must point to DNS servers that support Active Directory
Effects of a domain upgrade:
Enables the configuration of zones to accept SRV records
DNS zones hosted on a Windows Server 2003 domain controller can also be configured as Active Directory-integrated zones
Effects of a domain restructure:
Primary zones must be on a system that supports Active Directory
DNS must provide support for SRV resource records

26 How to Ensure Reliable DNS Service During a Domain Restructure
To match Active Directory domains to DNS domains:
1. Establish a DNS server in the target Windows Server 2003 domain; promote a DNS server to a domain controller in the target domain
2. Configure a DNS server as the primary DNS server for Active Directory; change any primary DNS zones to Active Directory-integrated zones
To ensure ongoing DNS name resolution on a DNS server running Windows Server 2003:
1. Install a DNS server in the target Windows Server 2003 domain
2. Integrate the new DNS server with the existing DNS servers
3. Move reverse lookup zones to a DNS server running Windows Server 2003
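An added check, not part of the presentation, for the requirement that DNS support the SRV resource records Active Directory clients locate domain controllers with: it parses a constructed excerpt in the format Netlogon writes to netlogon.dns and reports the locator records a Windows Server 2003 domain controller should register that are absent or registered on the wrong port. The domain corp.example.com (also the forest root), the site Default-First-Site-Name and the host dc1 are assumed sample values.

```python
"""Check a DNS zone for the SRV records Active Directory domain controllers register."""
import re

# Constructed sample (not from a real domain) in the netlogon.dns format:
# owner TTL IN SRV priority weight port target. The _gc record is deliberately
# wrong (port 389 instead of 3268) and the site-specific records are missing.
SAMPLE_ZONE = """\
; netlogon.dns excerpt for corp.example.com (constructed)
dc1.corp.example.com. 600 IN A 10.0.0.10
_ldap._tcp.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.Default-First-Site-Name._sites.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.pdc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_kerberos._tcp.corp.example.com. 600 IN SRV 0 100 88 dc1.corp.example.com.
_kerberos._udp.corp.example.com. 600 IN SRV 0 100 88 dc1.corp.example.com.
_kpasswd._tcp.corp.example.com. 600 IN SRV 0 100 464 dc1.corp.example.com.
_gc._tcp.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
"""

# owner, optional TTL, optional class, then the SRV RDATA
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)

# Port each locator service must advertise on a domain controller
EXPECTED_PORT = {"_ldap": 389, "_kerberos": 88, "_kpasswd": 464, "_gc": 3268}


def parse_srv_records(zone_text):
    """Map each SRV owner name (lower-cased, no trailing dot) to its (prio, weight, port, target) list."""
    records = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        m = SRV_RE.match(line)
        if not m:
            continue  # A, CNAME and other records are not checked here
        name = m["name"].rstrip(".").lower()
        records.setdefault(name, []).append(
            (int(m["prio"]), int(m["weight"]), int(m["port"]), m["target"].rstrip(".").lower())
        )
    return records


def required_srv_records(domain, forest, site):
    """Locator records a Windows Server 2003 domain controller registers for its domain and site."""
    d, f, s = domain.lower(), forest.lower(), site.lower()
    return {
        f"_ldap._tcp.{d}", f"_ldap._tcp.dc._msdcs.{d}", f"_ldap._tcp.pdc._msdcs.{d}",
        f"_kerberos._tcp.{d}", f"_kerberos._udp.{d}", f"_kpasswd._tcp.{d}",
        f"_ldap._tcp.{s}._sites.{d}", f"_ldap._tcp.{s}._sites.dc._msdcs.{d}",
        f"_kerberos._tcp.{s}._sites.{d}",
        # global catalog records are registered under the forest root name
        f"_gc._tcp.{f}", f"_ldap._tcp.gc._msdcs.{f}", f"_gc._tcp.{s}._sites.{f}",
    }


def check_zone(zone_text, domain, forest, site):
    """Return the required records that are missing and those advertising an unexpected port."""
    found = parse_srv_records(zone_text)
    missing, bad_port = [], []
    for name in sorted(required_srv_records(domain, forest, site)):
        if name not in found:
            missing.append(name)
            continue
        service = name.split(".", 1)[0]
        for _prio, _weight, port, _target in found[name]:
            if port != EXPECTED_PORT[service]:
                bad_port.append((name, port))
    return {"missing": missing, "bad_port": bad_port}


if __name__ == "__main__":
    report = check_zone(SAMPLE_ZONE, "corp.example.com", "corp.example.com", "Default-First-Site-Name")
    for name in report["missing"]:
        print("missing:", name)
    for name, port in report["bad_port"]:
        print(f"wrong port {port}:", name)
```

Run against the zone served for the target domain before promoting the first domain controller there; every missing site record means clients in that site will fall back to domain-wide records and may authenticate across slow links.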

27 The Effects of Migration on WINS
Effects of a domain upgrade:
Does not affect:
 NetBIOS resolution
 WINS servers
WINS fails during the first restart of the newly upgraded computer
WINS functions properly after the computer's database is automatically converted to a new version of the Jet database
Effects of a domain restructure:
NetBIOS client computers in the source domain can connect to resources in the target forest
Migrated client computers can find resources in the source environment until the source WINS can be decommissioned

28 WINS in the Windows Server 2003 Environment During a Migration
Maintain WINS when applications on the network cannot function without using NetBIOS
Ensure that the migration deployment plan includes:
A plan to determine the need for NetBIOS name resolution services
Plans to deploy a server running WINS within the target domain, if necessary

29 How to Maintain WINS for a Domain Restructure
1. Determine if WINS is required
2. Integrate the WINS topology
3. Plan to decommission the WINS servers

30 The Effects of Migration on DHCP
Effects of a domain upgrade:
Dynamically assigned IP addresses are not distributed
The DHCP server database is automatically upgraded
You must authorize the DHCP server after installing Active Directory
Effects of a domain restructure:
DHCP services can be maintained in the existing source domain
DHCP services can be moved to the target domain

31 How to Ensure DHCP Operations in a Windows Server 2003-Based Environment
1. Migrate DHCP services to the target domain early in the process
2. Determine all scope options that must be configured
3. Provide backup DHCP services during an upgrade
4. Define a process to authorize the server running DHCP after an upgrade

32 What Is a Null Session?
Windows NT 4.0 services running under the system account (for example, a RAS server) use connections that do not include a user name, password, or domain name (null credentials)
A Windows NT 4.0 domain controller accepts null credentials
A Windows Server 2003 domain controller does not accept null credentials

33 The Effects of a Migration on RAS
Effects of a domain upgrade:
RAS and RRAS servers running Windows NT 4.0 use null sessions
RAS authorization in a mixed environment:
 Contacts a BDC to determine user dial-in properties
 Authorizes dial-in users by accessing its local SAM database
 Has pre-Windows 2000 compatible access mode enabled for Active Directory
Effects of a domain restructure:
RAS and RRAS servers running Windows NT 4.0 use null sessions
Dial-in users may be denied access

34 How to Ensure Null Sessions During a Migration
To configure Active Directory to allow access for the Pre-Windows 2000 Compatible Access group, do one of the following:
 Set the Active Directory permissions to be compatible with server products earlier than Windows 2000
-or-
 Add the Everyone and Anonymous Logon groups to the Pre-Windows 2000 Compatible Access built-in group

35 How to Ensure RAS Sessions During a Migration
Enable compatible access permission in Active Directory
Migrate all RAS and RRAS servers running Windows NT 4.0
Determine how to migrate remote access servers in the Windows NT 4.0-based domains
Eliminate anonymous connections to domain controllers
Identify any additional Remote Access Policy settings

36 The Purpose of LAN Manager Replication Service and FRS
Windows NT 4.0: the LAN Manager Replication Service replicates the NETLOGON shared folder (logon scripts and system policies)
Windows Server 2003: FRS replicates SYSVOL, which contains the NETLOGON shared folder

37 The Effects of Migration on Logon Scripts
Effects of a domain upgrade:
Logon scripts stored in the NETLOGON shared folder are not affected
Client computers run the logon scripts assigned to the user account or computer account
Effects of a domain restructure:
Logon scripts continue to process for copied and moved user accounts if the logon scripts are migrated to the target domain
Logon scripts that are not migrated will not process for accounts that have been copied or moved to a new domain

38 How to Migrate Logon Scripts to Group Policy
Windows NT 4.0 logon scripts must be migrated to the NETLOGON shared folder
Bridging ensures the contents of the NETLOGON shared folder are identical in both the source and target domains
Logon scripts can be converted to Group Policy
1. Identify all of the logon scripts in the NETLOGON shared folder
2. Determine if logon scripts can be removed from the network
3. Determine where to apply Group Policy scripts in Active Directory

39 How to Maintain Applications
1. Identify the applications that you need to test
2. Identify application compatibility problems
3. Resolve application compatibility problems
4. Deploy or distribute applications and solutions
5. Leave incompatible applications on a member server running Windows NT 4.0

40 How to Plan for Authentication Traffic During a Migration
Network servers used during authentication: DHCP server, DNS server, domain controller, global catalog server
To optimize authentication in an upgraded domain:
Deploy all sites and subnets defined in the Active Directory design
Place a domain controller in each site where Active Directory-aware clients will be deployed
Place a global catalog server at remote sites
Provide WINS servers for legacy clients not running the DS Client software

41 How to Plan for Migration-Related Replication Traffic
Migration-related replication traffic is controlled by scheduling and configuring replication between sites
Create sites, subnets, and site links after installing the first domain controller in the forest
All subsequently upgraded domain controllers are automatically placed in the appropriate sites based on their IP addresses

42 Preparing for the Migration

43 Overview of Preparing the SAM Database
The SAM database contains information for all user, group, and computer accounts
Clean up the SAM database to avoid migrating unused security principals (diagram: User1, User2, Group1, Group2, Computer1, Computer2 reduced to User1, Group1, Computer1)

44 Overview of Preparing the Windows NT 4.0 Environment
Domain upgrade, domain controller preparation tasks:
Verify hardware meets requirements
Synchronize the accounts database
Isolate a BDC
Lock down the environment
Domain restructure, domain controller preparation task:
Lock down the environment

45 How to Prepare Domain Controllers for Migration
1. Scan for viruses
2. Back up files
3. Install hardware upgrades and software updates
4. Uncompress the drives
5. Remove power management and disk management tools
6. Disconnect any UPS devices
7. Disable third-party software

46 How to Configure a BDC as an LMRepl Export Server
1. Maintain LMRepl availability during the migration
2. Configure the LMRepl file replication service on a BDC
3. Verify the files in the NETLOGON shared folder

47 How to Prepare Client Computers for Migration
SMB packet signing and secure channel signing are enabled by default in Windows Server 2003 domains
Client computers that do not support SMB packet signing and secure channel signing may be blocked from resources in Active Directory
To ensure successful authentication and client computer communications:
1. Install the Directory Service Client Pack or the appropriate service pack
2. Modify the default security policies on the domain controllers

48 Guidelines for Locking Down the Windows NT 4.0 Environment
Lock down the Windows NT 4.0 environment when:
 All domain updates are complete and replicated
 A BDC has been synchronized and taken offline
Guidelines for locking down the domain:
Define the lockdown milestone
Do not create or modify security principals
Do not create or modify DACLs
Force users to reset passwords
Ensure the Domain Administrators group in Windows NT 4.0 contains only appropriate users

49 Overview of Creating the Forest Root Domain
To create the forest root domain:
1. Deploy the first forest root domain controller
2. Deploy the second domain controller in the same site
3. Reconfigure the DNS service
Forest models (diagram): a single-domain forest (single global domain model), or multiple domains with a dedicated forest root domain and regional domains beneath it

50 How to Create the Forest Root Domain
To deploy a dedicated forest root:
1. Install Windows Server 2003
2. Install Active Directory
3. Verify the Active Directory installation
4. Configure the Windows Time Service
5. Verify DNS server recursive name resolution
To reconfigure the DNS service:
1. Enable aging and scavenging
2. Update the DNS delegation
3. Configure DNS client settings on the domain controllers
To deploy a forest root domain from Windows NT 4.0: select Domain in a new forest, after the operating system is upgraded and during the Active Directory installation

51 How to Configure the Forest Root Domain
1. Configure the site topology
2. Deploy additional domain controllers to other sites
3. Assign operations master roles
4. Raise the forest functional level
The forest operates by default at the Windows 2000 level
Raise the level to Windows Server 2003 interim if there are only Windows NT 4.0 domains and the design requires upgrading

52 Upgrading Domains

53 The Domain Upgrade Process
A domain upgrade:
 Upgrades a PDC to Windows Server 2003 and Active Directory
 Maintains existing users, groups, computers, and applications
1. Prevent domain controller overload
2. Upgrade the PDC to Windows Server 2003
3. Install and configure DNS
4. Install Active Directory
5. Verify domain controller operations
6. Upgrade the Windows NT 4.0 BDCs

54 Effects of a Domain Upgrade on Groups
Group scopes: local, global, domain local, universal
Forest and domain functional levels: Windows NT 4.0 (original domain); Windows 2000 mixed (allows multiple operating systems); Windows 2000 native (allows multiple operating systems); Windows Server 2003 interim; Windows Server 2003

55 Effects of a Domain Upgrade on Trust Relationships
Before the upgrade (diagram): the Windows NT 4.0 domains Res1, Acct1 and Acct2 are linked by one-way non-transitive trusts
After the upgrade (diagram): the Windows Server 2003 domains Res1, Acct1 and Acct2 are linked to the forest root by two-way transitive trusts
To protect resource security:
1. Audit memberships in all administrative groups
2. Review DACLs for important resources

56 Implications of Upgrading a PDC
What happens during a PDC upgrade?
The forest functional level can be set at either:
 Windows 2000 mixed
 Windows Server 2003 interim
Security level permissions are set at either:
 Permissions compatible with pre-Windows 2000 servers
 Permissions compatible only with Windows 2000 or Windows Server 2003
The upgraded PDC holds the PDC emulator operations master role

57 How to Upgrade a Windows NT 4.0 PDC
To upgrade a PDC:
1. Select Upgrade for the installation type
2. Configure partitions as NTFS
3. Verify that you are using a static IP address
4. Configure DNS client settings
5. Install Active Directory
Best practice to add additional domain controllers:
1. Add a newly installed domain controller
2. Transfer the operations master roles
3. Reformat the disk on the upgraded domain controller and perform a clean installation
4. Transfer back any operations master roles
This process minimizes adverse effects from any corrupted data on the PDC prior to the upgrade

58 How to Verify Domain Controller Operations
To verify Active Directory is functional:
1. Verify trust relationships
2. Verify new user accounts can be created
3. Verify new user object replication
4. Verify successful logon
At this point a complete recovery is still possible without any data loss
Diagnostic tools:
Use dcdiag.exe to verify the Active Directory service
Use repadmin.exe /showreps to verify replication with the domain's replication partners
Use nltest.exe /bdc_query:domainname to verify the BDC replication status

59 How to Develop a Recovery Plan for a Domain Upgrade
Recovery plan: details the steps to roll back the directory services migration
Rollback strategy: a plan to return the production environment to the state before the changes
Recovery tasks:
Remove all computers running Windows Server 2003
Promote the offline BDC to a PDC
To ensure that a domain can be rolled back:
Add a BDC to any domain that contains only a single domain controller
Document the configuration of services and applications
Back up all services and applications to tape
Synchronize all BDCs with the PDC
Take a fully synchronized BDC offline before upgrades are performed
Periodically start the protected BDC while still in a Windows 2000 mixed domain

60 How to Prevent the Domain Controller from Overloading
Overload occurs when too many client computers request authentication from too few domain controllers
1. On the domain controller to be upgraded, browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
2. Add the REG_DWORD entry NT4Emulator with the value 1
3. Repeat the procedure on each domain controller
4. After additional domain controllers have been added, set the value of the NT4Emulator registry entry to 0, or delete the entry

61 How to Neutralize Windows NT 4.0 Domain Controller Emulation
The Active Directory installation will fail if the domain controller is configured to prevent domain controller overload
1. On the client computer, browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
2. Add a DWORD value
3. Use NeutralizeNT4Emulator for the new entry name
4. Double-click the new entry name
5. In the Edit DWORD Value dialog box, type 1
6. Click Registry, and then click Exit

62 How to Add Additional Domain Controllers
Add additional domain controllers for fault tolerance and load balancing
Options:
Add new servers running Windows Server 2003 to the domain and then install Active Directory
Take a Windows NT 4.0 BDC offline, reformat the hard disk, then install Windows Server 2003 and Active Directory
Upgrade a Windows NT 4.0 BDC to Windows Server 2003
Process for upgrading a Windows NT 4.0 BDC:
1. Upgrade the operating system to Windows Server 2003
2. Run the Active Directory Installation Wizard

63 How to Complete the Upgrade
To complete the domain upgrade:
1. Reconfigure the DNS service
2. Add Windows NT 4.0 BDCs to the domain if necessary
3. Eliminate anonymous connections to domain controllers
4. Raise the domain and forest functional levels
5. Move users and computers to an OU

64 Preparing to Restructure Domains

65 Overview of Restructuring Domains
(Diagram: the objects of a Windows NT 4.0 account domain and resource domain are consolidated into the OUs OU1 and OU2 of a Windows Server 2003 domain)

66 What Is the Active Directory Migration Tool?
ADMT is an interface for migrating directory service objects
ADMT is a utility that:
Analyzes migration impact
Tests migration scenarios
Supports migration within and between forests
Provides wizards to support the most common migration tasks
ADMT supports these migration tasks:
Migrating user, group, and computer accounts
Populating the SID-history attribute
Performing security translations
Translating security on computers
Resolving related file, directory, and share issues
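An added model, not ADMT code and not part of the presentation, of why ADMT populates the SID-history attribute and what its security translation changes: a simplified access check over SID strings shows a migrated user keeping access to a share whose DACL still names the old group SID, losing it when SID filtering on the trust strips foreign SIDs from the token, and regaining it once the DACL has been translated. All domain SIDs, RIDs and names are constructed sample values.

```python
"""Model of sIDHistory, SID filtering and ADMT-style security translation (constructed data)."""
from dataclasses import dataclass, field

SRC_DOMAIN = "S-1-5-21-1111-1111-1111"  # constructed Windows NT 4.0 source domain SID
TGT_DOMAIN = "S-1-5-21-2222-2222-2222"  # constructed Windows Server 2003 target domain SID


@dataclass(frozen=True)
class Ace:
    sid: str
    allow: bool = True  # allow=False models an access-denied ACE


@dataclass
class Principal:
    name: str
    sid: str                                          # SID in the domain the object now lives in
    sid_history: list = field(default_factory=list)   # former SIDs kept in sIDHistory
    member_of: list = field(default_factory=list)     # names of groups in the same directory


def domain_of(sid):
    """Domain portion of a SID: everything before the final RID."""
    return sid.rsplit("-", 1)[0]


def build_token(user, directory, sid_filtering_from=None):
    """SIDs the access token carries: the user's SID and sIDHistory plus the same for each group.
    With SID filtering (quarantine) on the trust, the resource domain discards every SID that
    does not belong to the domain that authenticated the user."""
    sids = {user.sid, *user.sid_history}
    for group_name in user.member_of:
        group = directory[group_name]
        sids.update({group.sid, *group.sid_history})
    if sid_filtering_from is not None:
        sids = {s for s in sids if domain_of(s) == sid_filtering_from}
    return sids


def access_allowed(token_sids, dacl):
    """First matching ACE decides (canonical order puts explicit denies first); no match denies."""
    for ace in dacl:
        if ace.sid in token_sids:
            return ace.allow
    return False


def translate_security(dacl, sid_map, mode="replace"):
    """ADMT-style security translation: 'replace' rewrites old SIDs to the new ones,
    'add' keeps each old ACE and appends a copy for the new SID."""
    translated = []
    for ace in dacl:
        new_sid = sid_map.get(ace.sid)
        if new_sid is None:
            translated.append(ace)
        elif mode == "replace":
            translated.append(Ace(new_sid, ace.allow))
        else:
            translated.append(ace)
            translated.append(Ace(new_sid, ace.allow))
    return translated


def demo():
    # ADMT copied Finance and alice into the target domain and kept the old SIDs in sIDHistory.
    finance = Principal("Finance", f"{TGT_DOMAIN}-1106", sid_history=[f"{SRC_DOMAIN}-1002"])
    alice = Principal("alice", f"{TGT_DOMAIN}-1105", sid_history=[f"{SRC_DOMAIN}-1001"],
                      member_of=["Finance"])
    directory = {"Finance": finance, "alice": alice}
    # The same objects without sIDHistory (what a plain re-creation would look like).
    bare_finance = Principal("Finance", finance.sid)
    bare_alice = Principal("alice", alice.sid, member_of=["Finance"])
    bare_directory = {"Finance": bare_finance, "alice": bare_alice}
    # DACL on a share still in the source resource domain: it grants the *old* Finance SID.
    share_dacl = [Ace(f"{SRC_DOMAIN}-1002")]

    results = {
        "with_sidhistory": access_allowed(build_token(alice, directory), share_dacl),
        "without_sidhistory": access_allowed(build_token(bare_alice, bare_directory), share_dacl),
        "sid_filtering_on_trust": access_allowed(
            build_token(alice, directory, sid_filtering_from=TGT_DOMAIN), share_dacl),
    }
    # Security translation rewrites the DACL so access no longer depends on sIDHistory.
    sid_map = {f"{SRC_DOMAIN}-1001": alice.sid, f"{SRC_DOMAIN}-1002": finance.sid}
    translated = translate_security(share_dacl, sid_map)
    results["after_translation_filtered"] = access_allowed(
        build_token(bare_alice, bare_directory, sid_filtering_from=TGT_DOMAIN), translated)
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The third case is the one to plan for: sIDHistory only helps while the trust to the resource domain passes foreign SIDs, so run the security translation on every resource before SID filtering is enabled or the source domain is decommissioned.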

67 ADMT Wizards
- User Account Migration Wizard
- Group Account Migration Wizard
- Computer Migration Wizard
- Security Translation Wizard
- Service Account Migration Wizard
- Exchange Directory Migration Wizard
- Trust Migration Wizard
- Group Mapping and Merging Wizard
- Reporting Wizard
- Retry Task Wizard
- Undo Last Migration Wizard
To test migration settings without changing anything, use the Test migration settings and migrate later option.

68 What Is ADMT Scripting?
ADMT scripting lists options in an include file to be used for migrating directory service objects.
Scripting options and what they are used for:
- User: migrate a single user or a batch of users
- Group: migrate a single group or a set of groups
- Computers: migrate a single computer or a set of computers
- Security: perform a security translation
- Service: identify services within the domain
- Report: create reports of migration statistics
Which ADMT interface to use:
- GUI: when you require the flexibility to select options
- Command line: when you know which options you want to use and want to perform repetitive or batch operations
- Scripting: when you want to make migration decisions dynamically

69 Other Migration Tools
- ClonePrincipal: clones user and group accounts
- MoveTree: moves container objects between domains in a Windows Server 2003 forest
- Netdom: adds, moves, and queries computer accounts; queries a domain for trust relationship information; creates a new trust relationship
- Ldp: displays Active Directory object attributes
- USMT: migrates data and settings to new computers

70 How to Verify Required Trusts
ADMT runs in the target domain and needs a trust path to the source domain. To migrate resources or translate local profiles, do one of the following:
- Create a one-way trust in which the resource domain trusts the target domain
- Create a two-way trust between the source resource domain and the target domain

71 How to Enable Password Migration
Password migration uses the Password Export Server (PES) service on a domain controller in the source domain together with ADMT in the target domain. Use 128-bit high encryption when installing:
- ADMT on a domain controller running Windows 2000 SP2 or earlier
- The PES from the source domain
To create an encryption key:
1. Log on to a domain controller in the target domain
2. Place a blank, formatted diskette in the floppy drive
3. Use the ADMT key command at the command line
To enable password migration on the source domain:
1. On the PES, insert the encryption key diskette
2. Insert the Windows Server 2003 compact disc
3. Run pwdmig.exe
4. Complete the setup process
5. Navigate to the registry subkey on the source domain PES
6. Modify the registry entry AllowPasswordExport
The key on the diskette is what allows the PES to hand password hashes to ADMT: treat it as a secret and destroy it when the migration is complete. AllowPasswordExport is installed with the value 0; set it to 1 only for the duration of the migration and set it back afterwards.

72 How to Configure Domains to Migrate SID-History
To migrate SID-History:
- Create, in the source domain, the empty local group that ADMT uses to audit SID-History operations (named after the source domain, with the suffix $$$)
- Enable TCP/IP client support on the source domain PDC (the TcpipClientSupport registry value)
- Enable audit policies (success and failure auditing of account management) in the source domain
- Enable audit policies in the target domains

73 How to Configure the Target Domain Structure for Administration
1. Log on as an administrator on a domain controller
2. Create the OU structure specified by the Active Directory design
3. Create administrative groups and add users
4. Delegate the administration of the OU structure

74 Restructuring Domains

75 How to Transition Service Accounts
To transition service accounts:
1. Identify service accounts
2. Migrate the service accounts
3. Modify the services on each server
4. Verify service accounts

76 How to Migrate Global Groups
To migrate global groups, use the Group Account Migration Wizard, which does the following:
1. Reads the global group object in the source
2. Creates a new global group object and SID in the target
3. Adds the SID in the source to SID-History in the target
4. Logs events in the source and target domains
To verify migration of global groups:
1. Verify that the global group accounts have been migrated
2. Verify that the original SID appears as the value of the SID-History attribute

77 How to Migrate Users
Before migration: notify users when credentials will be transitioned.
During migration:
- Administer users in the source domains
- Manually synchronize any changes made in the source domains
After migration:
- Re-migrate the global group accounts
- Users can continue to log on to the source until switched
To migrate user accounts in batches:
1. Create a test account
2. Migrate user accounts in batches
3. Verify that users have been migrated
4. Translate any local user profiles
5. Verify migration of local user profiles
6. Migrate workstations for the users
7. Re-migrate global groups
8. Verify computer account migration

78 How to Migrate Trusts
Trusts must be maintained if there is a delay between restructuring account and resource domains.
To migrate trusts:
1. Start ADMT and open the Trust Migration Wizard
2. Complete the wizard
To verify that trusts have been migrated:
1. Open Active Directory Domains and Trusts
2. Right-click the target domain, and then click Properties
3. Click the Trusts tab
4. Select the trust from the list and click Properties
5. In the Properties dialog box, click Validate
6. Provide the appropriate user account and password

79 How to Migrate Client Computers and Member Servers
To prepare an ADMT script, create an options file and an include file.
To migrate client computers and member servers:
1. Start ADMT and then open the Computer Account Migration Wizard
2. Complete the wizard
To verify migration of client computers and member servers:
1. Review the migration log for errors
2. Verify that the accounts exist in the target domain
Migrate computers in batches of up to 100 systems. Accounts in each computer's local SAM database do not need to be migrated; they stay on the computer when its domain membership changes.

80 How to Migrate Domain Controllers
When determining the resource domain migration order:
- Migrate resource domains that use dedicated domain controllers first
- Migrate all BDCs before migrating the PDC
When migrating shared local groups:
- Shared local groups should be migrated before upgrading
- Membership of the local group is retained during the migration
To migrate shared local groups:
1. Open ADMT and select the Group Account Migration Wizard
2. Complete the wizard
Migrate domain controllers when shared resources are on the domain controller; finally, migrate the BDCs.

81 What Is Different About Restructuring After a Domain Upgrade?
Closed sets: user accounts and their groups must be moved at the same time, as a closed set. ADMT does not calculate a complete closed set, so this is not as flexible as migrating users and group accounts between forests.
Destructive operation: restructuring security principals within the same Windows Server 2003 forest results in moved, not copied, objects. The source domain objects cease to exist.
SID-History in a post-upgrade restructure: SID-History can still be used to preserve users' access to resources. For SID-History to work properly, move an object from the source domain to the target domain.

82 How to Migrate Users and Groups Between Windows Server 2003 Domains
To migrate users and groups between Windows Server 2003 domains:
1. Open the Group Account Migration Wizard
2. Enter the required information
To verify the migration of users and groups:
1. Review the migration log for errors
2. Verify that the user accounts and global groups exist in the target domain
3. Verify that the user with the migrated user account can access shared resources in the target domain

83 Completing the Restructure Process

84 Why Reconfigure Access to Shared Resources?
After reconfiguring permissions on shared resources, the SID-History attribute is no longer required:
- Use the Security Translation Wizard to replace the source domain SIDs in the ACLs with the SIDs of the migrated accounts
- Clear the SID-History attribute
While SID-History is populated, every migrated user's token still carries the old source-domain SIDs; clearing it once permissions have been translated removes that dependency, and is a prerequisite for enabling SID filtering on any trusts that remain.

85 How to Reconfigure Permissions on Shared Resources
To reconfigure DACLs on shared resources:
1. Log on as Administrator
2. Start ADMT and then open the Security Translation Wizard
3. Complete the reconfiguration of permissions
To resolve member names in the account domain:
1. Run the Security Translation Wizard
2. On the Computer Selection page, click Remove
3. ADMT resolves the entries
To verify access to the shared resource:
1. Log on as a migrated user
2. Open a file in the shared folder
3. Create a file in the shared folder

86 How to Clear the SID-History Attribute for Migrated Accounts
To run the ClearSidHistory.vbs script:
cscript.exe ClearSidHistory.vbs -n=name [-o=objectCategory] [-c=objectClass]
To clear the SID-History of an object called My Contact (a name containing spaces must be quoted):
cscript.exe ClearSidHistory.vbs -n="My Contact"
To clear the SID-History of an object called Computer1:
cscript.exe ClearSidHistory.vbs -n=Computer1 -o=computer
To clear the SID-History of an object belonging to the object category of person and the object class of user:
cscript.exe ClearSidHistory.vbs -n="James Smith" -o=Person -c=user

87 How to Decommission Windows NT 4.0 Source Domains
1. Remove all trust relationships
2. Repurpose any remaining account domain controllers
3. Disable all accounts created in previous migration steps
Best practice: retain a full system backup of the PDC for each decommissioned Windows NT 4.0 domain.
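A check that belongs between the two previous slides, as an added example that is not part of the original deck: before clearing SID-History (slide 86) or decommissioning the source domain (slide 87), list every object in the target domain that still carries a sIDHistory value, because each of them still depends on source-domain SIDs for access. It assumes dsquery.exe (Windows Server 2003, or the Administration Tools Pack) and an account that can read the domain; the output file name is chosen here for illustration.

```batch
@echo off
rem Added example, not from the original deck: find objects in the target
rem domain that still carry sIDHistory. Any hit means security translation is
rem not finished and the source domain must not be decommissioned yet.
rem Assumes dsquery.exe and a logon that can read the target domain.
setlocal
set OUTFILE=%TEMP%\sidhistory-remaining.txt

rem Without -attr, dsquery prints one quoted distinguished name per line and
rem no header row, which keeps the count simple. -limit 0 removes the default
rem cap of 100 results.
dsquery * domainroot -scope subtree -filter "(sIDHistory=*)" -limit 0 > "%OUTFILE%"
if errorlevel 1 (
    echo dsquery failed. Is this computer joined to the target domain?
    exit /b 2
)

rem find /c /v "" counts every line (lines that do not match the empty string)
for /f %%c in ('type "%OUTFILE%" ^| find /c /v ""') do set COUNT=%%c

if %COUNT% GTR 0 (
    echo %COUNT% object^(s^) still carry SID-History; translate their permissions first:
    type "%OUTFILE%"
    exit /b 1
)
echo No object in the target domain carries SID-History; safe to clear and decommission.
exit /b 0
```

The exit code makes the check usable as a gate in a larger migration script: a non-zero result should stop the decommissioning steps rather than print a warning that nobody reads.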

88 Migrating from Small Business Server 4.5 to Windows Small Business Server 2003

89 A server migration involves:
- Installing SBS 2003 on a new computer
- Migrating data and settings
A server migration can be completed to:
- A computer with a retail version of SBS
- A computer with SBS preinstalled by an OEM

90 Crucial Information About the Migration (I)
- The NetBIOS domain name and computer name of the source and destination server must be different
- The DHCP Server service on the source computer must be disabled
  - If the DHCP service is provided by a router, ensure that it is connected to the destination server during setup
- Migration of mailbox rules and the Administrator mailbox must be performed manually
- Custom settings must be configured manually, including:
  - SMTP Connector
  - DHCP scope options
  - Group Policy

91 Crucial Information About the Migration (II)
- If users have mailboxes larger than 200 MB, you need to update the mail quota settings and modify the default values
- If users have personal folders larger than 1 GB, you need to update the disk quota settings and modify the default values
- The source server must be running SP6a and the High Encryption Pack (128 bit)
- Exchange Server 5.5 must be running SP4
- SQL Server 7.0 must be running SP4

92 Migration Steps (I)
1. Back up the source server and update the ERD
2. Disconnect users
3. Disable DHCP on the source server
4. Disconnect from the Internet
5. Install the destination server using the same Administrator password as the one used on the source server
6. Install antivirus software
7. Install ADMT on the destination computer
8. Migrate users, groups and computers by using ADMT

93 Migration Steps (II)
9. Move user mailboxes by using the Exchange Migration Wizard
10. Copy the users' folders by using xcopy.exe or robocopy.exe
11. Follow the instructions in article 314546 to move the SQL Server databases
12. Update custom logon scripts and other custom configuration
13. Uninstall ADMT
14. Reconnect to the Internet
15. Leave the source server disconnected from the network but still available for at least a week
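The folder copy from step 10 with robocopy, as an added example that is not part of the original deck. It assumes a source share \\OLDSBS\Users and a target path D:\Users, both chosen here for illustration, and robocopy.exe from the Windows Server 2003 Resource Kit Tools. The point it adds is the exit-code handling: robocopy returns non-zero codes for successful copies too, so a script that treats any non-zero result as failure, or that ignores the code altogether, gets the wrong answer.

```batch
@echo off
rem Added example, not from the original deck: copy the users' folders from
rem the SBS 4.5 source server to the SBS 2003 server with robocopy, keeping
rem NTFS permissions, and interpret the exit code correctly.
rem Assumed names: \\OLDSBS\Users (source share) and D:\Users (target).
rem Run as a member of Administrators on the target so that /COPYALL can copy
rem owner and auditing information as well as the DACL.
setlocal
set SRC=\\OLDSBS\Users
set DST=D:\Users
set LOG=%TEMP%\users-copy.log

rem /E        copies subdirectories, including empty ones
rem /COPYALL  = /COPY:DATSOU (data, attributes, timestamps, DACL, owner, auditing)
rem /R:2 /W:5 caps retries so one locked file cannot stall the migration window
rem /NP       no per-file progress in the log; /TEE echoes the log to the console
robocopy "%SRC%" "%DST%" /E /COPYALL /R:2 /W:5 /NP /TEE /LOG:"%LOG%"
set RC=%ERRORLEVEL%

rem robocopy's exit code is a bit mask: 1 = files copied, 2 = extra files in the
rem target, 4 = mismatched files, 8 = some files or directories could not be
rem copied, 16 = fatal error. Values below 8 are success classes, not errors.
if %RC% GEQ 8 (
    echo robocopy reported failures ^(exit code %RC%^); review %LOG% before continuing.
    exit /b %RC%
)
echo Copy completed ^(robocopy exit code %RC%^).
echo The copied ACLs still reference the source domain's SIDs until security
echo translation or SID-History makes them resolve for the migrated accounts.
exit /b 0
```

Re-running the same command is safe: robocopy only recopies files that differ, so a second pass after users are disconnected picks up anything that changed during the first one.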

