1183 Windows 2003 Migration Strategies
Gary L. Olsen
Consultant
Americas Escalation Team
HP Services
Windows 2000: Active Directory Design and Deployment
Author: Gary Olsen. Publisher: New Riders. ISBN: 1578702429
Agenda
Migration Roadmap and Planning
Migration Plan: Upgrade vs Restructure
Functional Levels in Windows 2003
Moving from NT4 to Windows 2003
Moving from Windows 2000 to Windows 2003
Tools
HP’s Roadmap to a successful Windows 2000, 2003 infrastructure
[Roadmap diagram – phases: Current Design review, Assessment, Plan & Design, Proof of Concept, Pilot, Implementation, Manage, Support]
The Migration Plan
In-Place Upgrade
– Upgrade NT PDC to Windows 2003
  • Interim Mode
  • No W2K DCs
  • Prepare for the “Pile-On” problem
  • Convert to Windows 2003 Forest mode
– Upgrade Windows 2000 to Windows 2003
  • Mixed Mode (by default)
  • NT, W2K, W2K3 DCs
  • Upgrade NT, W2K to W2K3
  • Convert to Windows 2003 Native Domain, Forest mode
In-Place Upgrade vs Restructure
[Diagram – Domain Upgrade: Windows NT 4 domains A, B and C are upgraded in place to Windows 2000/2003 (Kerberos) and then collapsed into OUs. Domain Restructure: a Windows 2000/2003 “Pristine Domain” with its OU structure is built beside the NT 4 domains A, B and C, and a Microsoft or 3rd party migration tool moves the accounts across.]
1. Create pristine Windows 2000 forest/domain/OU structure
2. Configure Microsoft or 3rd Party Migration Tool
3. Migrate global groups, machine accts and user accts from MUD (master user domain)
4. Migrate global groups, machine accts, user accts from Resource Domains to domain, OUs
Accts, Groups can migrate to any domain/OU
In-Place Upgrade vs Restructure
In-Place Upgrade
– Maintains domain model
– Retains users, groups, trusts, settings, services, applications
– Easier, cheaper
– Higher risk – destroys NT4 structure
– “Pile-on” bug
– Collapse domains in multiple steps
Domain Restructure
– Allows one-step domain collapse
– Rebuild trusts, settings, applications, etc.
– Expensive: additional new hardware, migration tool
– Lower risk – keeps NT4 structure
– Tear down and re-create with less impact on production
Functional Levels in Windows 2003
Functional Level Basics
Review of native and mixed mode
Functional levels as Active Directory versioning scheme
Domain Functional Level
– Windows 2000 Native and Mixed
– Windows 2003 Native and Mixed
– Windows 2003 Interim (NT)
Forest Functional Level
– Windows 2000 (none)
– Windows 2003 Native
– Windows 2003 Mixed
NOTE:
– Windows 2003 Mixed = “Windows 2000 Native/Mixed” in the UI
  • Default
– Windows 2003 Native = “Windows 2003” in the UI
Review: Win2k Native/Mixed Domains
[Diagram: W2K forest – Mixed domains hold NT 4.0 BDCs alongside W2K DCs; Native domains hold W2K DCs only]
Domain Functional Levels: Windows Server 2003 Native in W2K Forest
[Diagram: forest containing a W2K Mixed domain (NT 4.0 BDC, W2K DC), a W2K Native domain (W2K DC, Windows Server 2003 DC) and a Windows Server 2003 Native domain (Windows Server 2003 DCs only)]
Domain Functional Levels: Windows Server 2003 “Interim”
[Diagram: Win2003 Mixed forest – labels: NT 4.0 BDC, W2K DC, Windows Server 2003 DC, Windows Server 2003 Native domains]
Windows Server 2003 Forest “Native” level
[Diagram: Win2003 Native forest – every domain at Windows Server 2003 Native, Windows Server 2003 DCs only]
Domain Level
Domain Version | Domain Functionality              | Features Enabled                                                          | DCs Supported
0              | Windows 2000 mixed                | Basic Windows 2000                                                        | Windows NT 4.0, Windows 2000, Windows Server 2003
0              | Windows 2000 native               | Group nesting, Universal groups                                           | Windows 2000, Windows Server 2003
1              | Windows Server 2003 interim mixed | ??                                                                        | Windows NT 4.0 and Windows Server 2003
1              | Windows Server 2003 interim native| ??                                                                        | Windows Server 2003
2              | Windows Server 2003               | DC rename, Logon timestamp, User password attribute, Security??           | Windows Server 2003

Forest Level
Forest Version | Forest Function             | Features Enabled                                                        | DCs Supported
0              | Windows 2000                | Basic Windows 2000                                                      | Windows NT 4.0, Windows 2000, Windows Server 2003
1              | Windows Server 2003 interim | Link value replication and improved KCC algorithm. Still in mixed mode. | Windows NT 4.0, Windows Server 2003
2              | Windows Server 2003         | Whatever… all domains must be in native mode                            | Windows Server 2003
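The “Domain Version” and “Forest Version” columns above are the numbers Active Directory actually stores, so they can be read back to see where each domain sits before the next migration step. The following PowerShell is an added example, not part of the presentation; it assumes the ActiveDirectory module (RSAT) can reach a domain controller. The attribute names (msDS-Behavior-Version, ntMixedDomain) are the real ones; the function names and the sample domain name are this example's own.

```powershell
# Added example (not from the presentation): read the "Domain Version" and
# "Forest Version" numbers from the directory and report which domains would
# still block raising the forest level. Assumes the ActiveDirectory module (RSAT)
# can reach a DC; the function names and sample domain names are this example's own.
Import-Module ActiveDirectory

# Version numbers exactly as in the two tables above
$levelNames = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003' }

function Get-DomainLevelInfo {
    param([Parameter(Mandatory)][string]$Domain)   # DNS name, e.g. 'corp.example' (constructed)

    $rootDse = Get-ADRootDSE -Server $Domain
    # msDS-Behavior-Version on the domain NC head is the table's "Domain Version";
    # ntMixedDomain stays 1 while NT 4.0 BDCs are allowed (mixed) and becomes 0 once native.
    $nc = Get-ADObject -Server $Domain -Identity $rootDse.defaultNamingContext `
                       -Properties 'msDS-Behavior-Version', 'ntMixedDomain'
    $version = [int]$nc.'msDS-Behavior-Version'        # attribute absent on a pure Windows 2000 domain -> 0
    $mixed   = ([int]$nc.ntMixedDomain -eq 1)
    $name    = if ($levelNames.ContainsKey($version)) { $levelNames[$version] } else { "version $version" }
    # Mixed/native only has a meaning below version 2 (the table's "Windows Server 2003" row is native by definition)
    if ($version -lt 2) { $name += $(if ($mixed) { ' mixed' } else { ' native' }) }

    [pscustomobject]@{
        Domain        = $Domain
        DomainVersion = $version
        DomainLevel   = $name
        NtBdcsAllowed = $mixed
    }
}

function Get-ForestLevelInfo {
    param([string]$Forest = (Get-ADForest).Name)

    $rootDse = Get-ADRootDSE -Server $Forest
    # The forest level is stored on CN=Partitions in the Configuration NC.
    $partitions = Get-ADObject -Server $Forest -Properties 'msDS-Behavior-Version' `
                               -Identity "CN=Partitions,$($rootDse.configurationNamingContext)"
    $forestVersion = [int]$partitions.'msDS-Behavior-Version'
    $forestName    = if ($levelNames.ContainsKey($forestVersion)) { $levelNames[$forestVersion] } else { "version $forestVersion" }

    $domains  = (Get-ADForest -Identity $Forest).Domains | ForEach-Object { Get-DomainLevelInfo -Domain $_ }
    # Raising the forest level to Windows Server 2003 needs every domain at version 2 first.
    $blocking = @($domains | Where-Object { $_.DomainVersion -lt 2 } | ForEach-Object { $_.Domain })

    [pscustomobject]@{
        Forest          = $Forest
        ForestVersion   = $forestVersion
        ForestLevel     = $forestName
        Domains         = $domains
        CanRaiseTo2003  = ($forestVersion -lt 2 -and $blocking.Count -eq 0)
        DomainsBlocking = $blocking
    }
}

$report = Get-ForestLevelInfo
$report | Format-List Forest, ForestVersion, ForestLevel, CanRaiseTo2003, DomainsBlocking
$report.Domains | Format-Table -AutoSize
```

Reading the raw attributes rather than the UI labels sidesteps the naming confusion the NOTE above describes (“Windows 2003 Mixed” shown as “Windows 2000 Native/Mixed”): the number is unambiguous, and the ntMixedDomain flag tells you whether NT 4.0 BDCs are still permitted.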
Migration Plan
1. Upgrade all DCs in Forest to Windows Server 2003
   [Diagram: Win 2003 “Mixed” forest – NT 4.0, W2K and Windows Server 2003 DCs; domains at W2K Mixed, W2K Native or Windows Server 2003 Native]
2. Raise Domain Functional Level to Windows Server 2003 (2003) – all domains
   [Diagram: W2003 Mixed forest – every domain now Windows Server 2003 Native]
3. Raise Forest Functional Level to Windows Server 2003 (2003)
   [Diagram: W2003 Forest Native]
In-place upgrade: Windows NT to Windows 2003
Process
Watch for the “Pile On” issue
Prepare DNS
– Put W2K3 DNS server in NT domain
– NT4 Clients can use it (but can’t register)
– Ready for the W2K3 upgrade
Upgrade PDC first
Set Forest Functional level to “Interim” when running DCPROMO
Gradually upgrade BDCs
Switch Functional Level (forest and domain) to Windows 2003 (Native)
The Pile-On Issue
Basic: Win2K Pro workstations will authenticate to a Kerberos Key Distribution Center (KDC)
– If no KDC, falls back to NTLM
– UNLESS: It finds a KDC once…
Problem: In-place upgrade
– PDC is upgraded to Win2k as DC (KDC)
  • All W2k Pro clients, servers will authenticate to it
– Flood slow WAN links
– Won’t authenticate to local BDCs
– Big Problem for W2K Member Servers
Pile-on Solution
Q284937
– SP2 Required (prefer SP3)
  • Regkey sets NT4 Emulation on PDC (no Kerberos)
– Problem – can’t promote DC – needs Kerberos
  • Another “fix” – “Neutralize” RegKey on other DCs
– With sufficient DCs to handle the W2K Pro load, re-set the keys
– Also see Q231789 – Local Logon Process for Windows 2000
Requires
– W2K or W2K3 DNS
– W2K Trust
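The Q284937 workaround is two Netlogon registry values: one that makes the upgraded PDC answer W2K Pro clients as if it were an NT 4.0 DC (so they keep using NTLM against their local BDCs), and one that lets a chosen machine ignore that emulation so DCPROMO can still find a Kerberos DC. The PowerShell below is an added example, not from the presentation or the KB article; it assumes WinRM access and local administrator rights on the DCs. The value names NT4Emulator and NeutralizeNT4Emulator are the documented ones; the function names and the host names in the usage comments are this example's own.

```powershell
# Added example (not from the presentation): inspect and set the two Netlogon
# registry values behind the Q284937 pile-on workaround. Assumes WinRM access and
# admin rights on each DC; value names are the documented ones, function names and
# host names are this example's own.
$netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonEmulationState {
    # Per DC: is it emulating an NT 4.0 DC, and has it been told to ignore that emulation?
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $netlogonParams -ScriptBlock {
        param($path)
        $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            NT4Emulator           = ($p.NT4Emulator -eq 1)
            NeutralizeNT4Emulator = ($p.NeutralizeNT4Emulator -eq 1)
        }
    } | Select-Object PSComputerName, NT4Emulator, NeutralizeNT4Emulator
}

function Set-NetlogonEmulationFlag {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][ValidateSet('NT4Emulator', 'NeutralizeNT4Emulator')][string]$Name,
        [Parameter(Mandatory)][bool]$Enabled
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $netlogonParams, $Name, $Enabled -ScriptBlock {
        param($path, $name, $enabled)
        if ($enabled) {
            # REG_DWORD 1 switches the behaviour on
            Set-ItemProperty -Path $path -Name $name -Value 1 -Type DWord
        } else {
            # Remove the value rather than leave a 0 behind, so the recorded state is unambiguous
            Remove-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        }
        # Netlogon reads its Parameters key when the service starts
        Restart-Service -Name Netlogon -Force
        "{0}: {1} enabled = {2}" -f $env:COMPUTERNAME, $name, $enabled
    }
}

# Usage, following the order the slide gives (host names constructed for the example):
# 1. Upgraded PDC keeps looking like NT 4.0 to W2K Pro clients, so they stay on NTLM at local BDCs:
#    Set-NetlogonEmulationFlag -ComputerName 'PDC01' -Name NT4Emulator -Enabled $true
# 2. The box that must see a real Kerberos DC (the next DC you promote) ignores the emulation:
#    Set-NetlogonEmulationFlag -ComputerName 'DC02' -Name NeutralizeNT4Emulator -Enabled $true
# 3. With enough upgraded DCs to carry the W2K Pro load, re-set the keys on all of them:
#    Set-NetlogonEmulationFlag -ComputerName 'PDC01', 'DC02' -Name NT4Emulator -Enabled $false
#    Set-NetlogonEmulationFlag -ComputerName 'PDC01', 'DC02' -Name NeutralizeNT4Emulator -Enabled $false
# 4. Confirm nothing is left behind once the migration is complete:
#    Get-NetlogonEmulationState -ComputerName 'PDC01', 'DC02'
```

Step 4 is the check worth keeping in the runbook: a DC that still carries NT4Emulator after the migration silently keeps W2K clients on NTLM, which is exactly the condition the “UNLESS: it finds a KDC once” remark above was about in reverse.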
Another Pile-on Solution
[Diagram: NT4 domain “A” (PDC) with a downlevel trust to W2K domain “B” (Win2k DC)]
• Put W2k Pros in W2k Test Resource Domain
• W2K Pros authenticate to W2k DC
Setting 2003 Interim Level
Migrating from Windows 2000 to Windows 2003
In-Place Upgrade from Windows 2000
Easy and seamless upgrade process
– No restructuring necessary
– No forest, domain, OU or site topology planning necessary
– No user/workstation/profile migration necessary
Full compatibility between 2003 DC and Windows 2000 DC
– 2003 DC can play any FSMO role in Windows 2000 forest
– Upgrade from Windows 2000 or build new replica
Preparing forest and domains are separate steps from introducing the first 2003 DC
Impact on current Windows 2000 environment
Schema extensions (ADPrep)
– Affects every DC – W2K and W2K3
– Can’t go back
Group Policy
– Over 200 new settings
  • Software Restriction Policies
  • RSOP
New Cool W2K3 tools
– Available thru XP too!
Little impact on replication traffic
Pre-upgrade Checklist
Check the HCL
System State Backup
– At least 2 DCs in each domain + forest root
Inventory Domain Controllers in the forest
– Windows 2000 SP3 (best)
– Windows 2000 SP2 (minimum)
Verify end to end AD replication throughout the forest
– W2K3 or XP: Repadmin /Replsum
Verify FRS Replication
FSMO role owners inventory
Event Logs – errors, warnings of interest
Disk Space inventory
ADPrep /ForestPrep
REQUIRED to upgrade Windows 2000 to 2003
Location: Windows 2003 Server CD \i386\adprep.exe
Runs on the Schema Master server
May cause full replication to Windows 2000 GCs
Extends the AD schema
Adjusts ACLs on special containers
Creates special container when finished successfully
– CN=Windows2002Update,CN=ForestUpdates,CN=Configuration,DC=<forest_root_domain>
Upgrade without ADPrep first yields errors…
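The pre-upgrade checklist and the ADPrep slide above are both things an operator can verify from one console rather than by eyeballing each DC. The PowerShell below is an added example, not from the presentation, covering the checklist items it can automate (DC and service pack inventory, FSMO roles, AD replication, disk space, event log errors) and a check that ADPrep /ForestPrep has already completed, using the marker container named on the slide and the schema objectVersion (13 for Windows 2000, 30 for Windows Server 2003). It assumes the ActiveDirectory module (RSAT) and WinRM/CIM access to every DC; the function names and the 2 GB disk threshold are this example's own. System state backup and FRS verification are left to the operator.

```powershell
# Added example (not from the presentation): a runner for the pre-upgrade checklist
# plus a check that ADPrep /ForestPrep has completed. Assumes the ActiveDirectory
# module (RSAT), WinRM/CIM access to each DC and rights to read their event logs.
# Function names and the 2 GB free-space threshold are this example's own.
Import-Module ActiveDirectory

function Get-DcInventory {
    # One row per DC in the forest: OS and service pack (slide: W2K SP3 best, SP2 minimum),
    # GC status, site and any FSMO roles held.
    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain | ForEach-Object {
            [pscustomobject]@{
                Domain      = $domain
                HostName    = $_.HostName
                OS          = $_.OperatingSystem
                ServicePack = $_.OperatingSystemServicePack
                IsGC        = $_.IsGlobalCatalog
                Site        = $_.Site
                FsmoRoles   = ($_.OperationMasterRoles -join ',')
            }
        }
    }
}

function Get-ReplicationFailures {
    # Forest-wide AD replication status, the same view "Repadmin /Replsum" gives.
    Get-ADReplicationFailure -Scope Forest -Target (Get-ADForest).Name |
        Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
}

function Get-DcHealth {
    # Disk space plus recent critical/error events from the Directory Service and System logs.
    param([Parameter(Mandatory)][string[]]$HostName, [int]$Days = 7)
    foreach ($dc in $HostName) {
        $disks  = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' -ComputerName $dc
        $events = Get-WinEvent -ComputerName $dc -MaxEvents 200 -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Directory Service', 'System'; Level = 1, 2; StartTime = (Get-Date).AddDays(-$Days)
        }
        [pscustomobject]@{
            HostName   = $dc
            FreeSpace  = ($disks | ForEach-Object { '{0} {1:N1} GB' -f $_.DeviceID, ($_.FreeSpace / 1GB) }) -join '; '
            LowDisk    = [bool]($disks | Where-Object { $_.FreeSpace -lt 2GB })   # example threshold
            ErrorCount = @($events).Count
            TopSources = (@($events) | Group-Object ProviderName | Sort-Object Count -Descending |
                          Select-Object -First 3 -ExpandProperty Name) -join ','
        }
    }
}

function Test-ForestPrepDone {
    # ADPrep /ForestPrep leaves the marker container named on the slide and raises the
    # schema objectVersion (13 = Windows 2000, 30 = Windows Server 2003).
    $rootDse = Get-ADRootDSE
    $marker  = "CN=Windows2002Update,CN=ForestUpdates,$($rootDse.configurationNamingContext)"
    $markerPresent = $false
    try { $null = Get-ADObject -Identity $marker -ErrorAction Stop; $markerPresent = $true } catch { }
    $schemaVersion = [int](Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion).objectVersion
    [pscustomobject]@{
        MarkerContainer = $marker
        MarkerPresent   = $markerPresent
        SchemaVersion   = $schemaVersion
        ForestPrepDone  = ($markerPresent -and $schemaVersion -ge 30)
    }
}

# Run the checklist and flag what the slides say must be fixed before the first W2K3 DC goes in.
$inventory = Get-DcInventory
$inventory | Format-Table -AutoSize
$inventory | Where-Object { $_.OS -like '*2000*' -and $_.ServicePack -notmatch 'Service Pack [2-9]' } |
    ForEach-Object { Write-Warning "$($_.HostName) is below Windows 2000 SP2 (the stated minimum)" }
$failures = Get-ReplicationFailures
if ($failures) { $failures | Format-Table -AutoSize } else { 'No AD replication failures reported.' }
Get-DcHealth -HostName $inventory.HostName | Format-Table -AutoSize
Test-ForestPrepDone | Format-List
```

Test-ForestPrepDone is the piece to run twice: once before ADPrep (expect MarkerPresent false, SchemaVersion 13) and again after it has replicated to every DC, since the slide's warning about errors applies to an upgrade started while the schema change is still in flight.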
Moving to Windows 2003:
Restructuring
Inter-forest scenario: Migrating from Windows NT/2000 to 2003
[Diagram labels: Americas, EMEA, AsiaPac, Accounts, Server Resources]
Restructuring considerations
Need to preserve the SID when crossing the domain boundary
Use SIDHistory attribute:
– Available only in Windows 2000 native mode
Scenario 1: NT-W2K3 Migration (accounts: NT4 -> Win2K, NT4 -> 2003, Win2K -> 2003)
– New GUID
– New SID
– Must use SIDHistory
Scenario 2: Inter-Forest Migration (Win2K -> Win2K, Win2K -> 2003, 2003 -> 2003)
– New GUID
– New SID
– Must use SIDHistory
Scenario 3: Intra-Forest (between domains) (Win2K -> Win2K, Win2K -> 2003, 2003 -> 2003)
– Same GUID
– New SID
– Must use SIDHistory
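Scenarios 1 to 3 all end with objects carrying a new SID and their old one in SIDHistory, so a post-migration report of who carries history from which source domain is the natural way to confirm the migration tool did what was planned. The PowerShell below is an added example, not from the presentation or from ADMT; it assumes the ActiveDirectory module (RSAT) and lists every object in the target domain with a SIDHistory value, resolving each old SID to its source domain and telling intra-forest (scenario 3) from NT4/inter-forest (scenarios 1 and 2) history. The function name is this example's own.

```powershell
# Added example (not from the presentation): report SIDHistory left by scenarios 1-3,
# resolving each old SID to the domain it came from. Assumes the ActiveDirectory
# module (RSAT); the function name is this example's own.
Import-Module ActiveDirectory

function Get-SidHistoryReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # Domain SIDs of every domain in this forest, to tell intra- from inter-forest history
    $forestName      = (Get-ADDomain -Identity $Domain).Forest
    $forestDomainSid = @{}
    foreach ($d in (Get-ADForest -Identity $forestName).Domains) {
        $forestDomainSid[(Get-ADDomain -Identity $d).DomainSID.Value] = $d
    }

    Get-ADObject -Server $Domain -LDAPFilter '(sIDHistory=*)' `
                 -Properties sIDHistory, objectSid, sAMAccountName, objectClass |
        ForEach-Object {
            $obj = $_
            foreach ($oldSid in $obj.sIDHistory) {
                # AccountDomainSid is null for well-known SIDs; fall back to the raw value
                $srcDomainSid = if ($oldSid.AccountDomainSid) { $oldSid.AccountDomainSid.Value } else { $oldSid.Value }
                $inForest     = $forestDomainSid.ContainsKey($srcDomainSid)
                $srcDomain    = if ($inForest) { $forestDomainSid[$srcDomainSid] } else { '<outside this forest>' }
                $scenario     = if ($inForest) { 'Intra-forest (scenario 3)' } else { 'NT4 or inter-forest (scenario 1/2)' }
                [pscustomobject]@{
                    Name            = $obj.sAMAccountName
                    Class           = $obj.objectClass
                    CurrentSid      = $obj.objectSid.Value
                    HistorySid      = $oldSid.Value
                    SourceDomainSid = $srcDomainSid
                    SourceDomain    = $srcDomain
                    Scenario        = $scenario
                }
            }
        }
}

$report = Get-SidHistoryReport
$report | Format-Table -AutoSize
# One line per source domain: every source here should be a domain the plan actually migrated from,
# and once a source domain is decommissioned its history entries are dead weight to clean up.
$report | Group-Object SourceDomain | Select-Object Name, Count
```

The grouped summary is the sanity check: the set of source domains in the report should match the migration plan's list of source domains exactly, and each count should match what the migration tool's own report says it moved.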
Scenario 4: Domain rename
– Objects are intact
– 2003 forest only
What you can do (The Good):
– Rename a DC.
– Rename a domain: DNS or NETBios or both!
– Rename and restructure domains in a forest.
Restrictions (The Bad):
– Can’t do it if Exchange is deployed in forest
  • Earliest support is Titanium SP1
– Can’t rename a DC that has Certificate Services installed
– Can rename a domain that has Microsoft CA installed but it is very ugly
– Must be in Windows 2003 Native Forest mode: only W2K3 DCs in forest
– Can rename root domain but can’t change domain that is forest root.
Intra-forest scenario: Domain rename
[Diagram sequence – forest root A.com with child domains B.A.com and C.A.com:]
– The original: D.B.A.com
– Move to new parent (grandchild): D.C.A.com
– Move to new parent (child): D.A.com
– New domain tree: D.com
– Root renamed: Z.com, B.Z.com, C.Z.com, D.B.Z.com – still the old “A” domain, just called “Z” now
Domain Rename
Gotchas – MUST LOCK DOWN THE ENTIRE FOREST DURING DOMAIN RENAME PROCESS
– DCs in renamed domain won’t replicate with DCs in original domain.
  • Replication limbo
  • Two replication topologies
  • What happens to password, other changes?
Domain Rename “Limbo State”
[Diagram: DCs A, B, C, D, E split between my.company.com and your.company.com – No Replication between the two sides]
Domain Rename Gotchas continued
– Applications that depend on domain name may have problems.
– Affects DFS/FRS
– Resources
  • Trusts.
  • Secure channels to workstations (ouch!).
  • Shares, mapped drives, logon scripts.
– Does NOT support “Grafting” or Merging of forests.
HP will be renaming corporate Windows 2000 domain from CPQCorp.net to HPQCorp.net
Technologies: ADMT V2
Inter-forest and Intra-forest restructuring
Inter-forest password migration:
– Source: NT4 (incl. syskey) – Windows 2000 - 2003
– Target: Windows 2000 – Windows 2003
Command line interface – Batch mode migration
Scripting interface
Migration delegation
Extensive reporting capabilities
Technologies: 3rd Party
NetIQ
Quest Software
Aelita
bindView
Interex, Encompass and HP bring you a powerful new HP World.
Questions?