1. Windows Server 2003 La migrazione da Windows NT 4.0 a Windows Server 2003 Relatore: Corrado.Cappucci@pipeline.it MCSE - MCT

2. Upgrading Domains

3. The Domain Upgrade Process A domain upgrade:  Upgrades a PDC to Windows Server 2003 and Active Directory  Maintains existing users, groups, computers, and applications Prevent domain controller overload Upgrade the PDC to Windows Server 2003 Install and configure DNS Install Active Directory 1 1 3 3 4 4 2 2 Verify domain controller operations Upgrade Windows NT 4.0 BDCs 5 5 6 6

4. Effects of a Domain Upgrade on Groups Forest and domain functional levels LocalGlobal Domain Local Universal Windows NT 4.0 (original domain) Windows 2000 Mixed (allows multiple operating systems) Windows 2000 Native (allows multiple operating systems) Windows Server 2003 Interim Windows Server 2003

5. Effects of a Domain Upgrade on Trust Relationships To protect resource security: Audit memberships in all administrative groups 1 1 Review DACLs for important resources 2 2 Windows Server 2003 Domains 2-Way Transitive Trust 2-Way Transitive Trust 2-Way Transitive Trust Res1 Forest Root Acct1 Acct2 One-Way Non-Transitive Trust One-Way Non-Transitive Trust 2 One-Way Non-Transitive Trust Windows NT 4.0 Domains Res1 Acct1 Acct2 Upgrade

6. Implications of Upgrading a PDC What happens during a PDC upgrade? The forest functional level can be set at either:  Windows 2000 mixed  Windows Server 2003 interim Security level permissions are set at either:  Permissions compatible with pre-Windows 2000  Permissions compatible only with Windows 2000 or Windows Server 2003 The upgraded PDC holds the PDC emulator operations master role

7. How to Upgrade a Windows NT 4.0 PDC Select Upgrade for the installation type Verify that you are using a static IP address Configure DNS client settings Configure partitions as NTFS 1 1 4 4 2 2 3 3 Add a newly installed domain controller 1 1 Transfer operations master roles 2 2 Reformat disk on upgraded domain controller and perform a clean installation 3 3 Transfer back any operations master roles 4 4 Process minimizes adverse effects from any corrupted data on the PDC prior to upgrade To upgrade a PDC: Best practice to add additional domain controllers: Install Active Directory 5 5

8. How to Verify Domain Controller Operations Verify trust relationships Verify new user accounts can be created Verify new user object replication Verify successful logon To verify Active Directory is functional: 1 1 3 3 4 4 2 2 At this point a complete recovery is still possible without any data loss Diagnostic tools: Use dcdiag.exe to verify the Active Directory service Use Repadmin.exe/showreps to verify the parent domain Use nltest.exe/bdc_query: domainname to verify the BDC replication status

9. How to Develop a Recovery Plan for a Domain Upgrade Recovery plan: Details steps to roll back directory services migration Recovery plan: Details steps to roll back directory services migration Rollback strategy: A plan to return production environment to the state before changes Remove all computers running Windows Server 2003 Promote the offline BDC to a PDC Recovery tasks: Add a BDC to any domain that contains only a single domain controller Document configuration of services and applications Back up all services and applications to tape Synchronize all BDCs with PDC Take a fully synchronized BDC offline before upgrades are performed Periodically start protected BDC while still in Windows 2000 mixed domain To ensure that a domain can be rolled back:

10. How to Prevent the Domain Controller from Overloading On the domain controller to be upgraded, browse to HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\ Netlogon\Parameters 1 1 Repeat the procedure on each domain controller 3 3 After additional domain controllers have been added, set the value of the NT4Emulator registry key to 0, or delete the key 4 4 Add the REG_DWORD entry NT4Emulator with the value 1 2 2 Overload occurs when too many client computers request authentication from too few domain controllers

11. How to Neutralize Windows NT 4.0 Domain Controller Emulation The Active Directory installation will fail if the domain controller is configured to prevent domain controller overload Use NeutralizeNT4Emulator for the new entry name 3 3 Change the DWORD value 2 2 In the Edit DWORD Value dialog box, type 1 5 5 Double-click the new entry name 4 4 Click Registry, and then click Exit 6 6 On the client computer, browse to HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet\Services\Netlogon\Parameters 1 1

12. How to Add Additional Domain Controllers Process for upgrading a Windows NT 4.0 BDC: Upgrade operating system to Windows Server 2003 1 1 Run the Active Directory Installation Wizard 2 2 Add additional domain controllers for fault tolerance and load balancing Add new servers running Windows Server 2003 to the domain and then install Active Directory Take a Windows NT 4.0 BDC offline, reformat hard disk, then install Windows Server 2003 and Active Directory Upgrade a Windows NT 4.0 BDC to Windows Server 2003 Options :

13. How to Complete the Upgrade To complete the domain upgrade: Reconfigure the DNS service 1 1 Eliminate anonymous connections to domain controllers 3 3 Raise domain and forest functional levels 4 4 Move users and computers to an OU 5 5 Add Windows NT 4.0 BDCs to the domain if necessary 2 2