Windows 2003 Migration Strategies

Gary L. Olsen
Consultant, Americas Escalation Team, HP Services

Windows 2000: Active Directory Design and Deployment
Author: Gary Olsen
Publisher: New Riders
ISBN: 1578702429

Agenda
– Migration Roadmap and Planning
– Migration Plan: Upgrade vs Restructure
– Functional Levels in Windows 2003
– Moving from NT4 to Windows 2003
– Moving from Windows 2000 to Windows 2003
– Tools

HP's Roadmap to a successful Windows 2000, 2003 infrastructure
[Roadmap diagram; stages: Assessment, Current Design Review, Plan & Design, Proof of Concept, Pilot, Implementation, Support, Manage]

The Migration Plan: In-Place Upgrade vs Restructure

In-Place Upgrade
– Upgrade NT PDC to Windows 2003
  • Interim Mode
  • No W2k DCs
  • Prepare for the "Pile-On" problem
  • Convert to Windows 2003 Forest mode
– Upgrade Windows 2000 to Windows 2003
  • Mixed Mode (by default)
  • NT, W2K, W2K3 DCs
  • Upgrade NT, W2K to W2K3
  • Convert to Windows 2003 Native Domain, Forest mode

Domain Upgrade
[Diagram: Windows NT 4 domains A, B and C upgraded in place, in steps 1–3, to Windows 2000/2003 domains A, B and C linked by Kerberos trusts, with OUs inside the upgraded domains]

Domain Restructure
[Diagram: Windows NT 4 domains A, B and C migrated, in steps 1–4, by a Microsoft or 3rd Party Migration Tool into a "Pristine Domain" (Windows 2000/2003 domain A with OUs)]
1. Create pristine Windows 2000 forest/domain/OU structure
2. Configure Microsoft or 3rd Party Migration Tool
3. Migrate global groups, machine accts and user accts from MUD (Master User Domain)
4. Migrate global groups, machine accts, user accts from Resource Domains to domain, OUs
– Accts, Groups can migrate to any domain/OU

In-Place Upgrade vs Restructure

In-Place Upgrade                                                  | Domain Restructure
Maintains domain model                                            | Allows one-step domain collapse
Retains users, groups, trusts, settings, services, applications   | Rebuild trusts, settings, applications, etc.
Easier, cheaper                                                   | Expensive: additional new hardware, migration tool
Higher risk – destroys NT4 structure                              | Lower risk – keeps NT4 structure
"Pile-on" bug                                                     |
Collapse domains in multiple steps                                | Tear down and re-create with less impact on production

Functional Levels in Windows 2003

Functional Level Basics
– Review of native and mixed mode
– Functional levels as Active Directory versioning scheme
– Domain Functional Level
  • Windows 2000 Native and Mixed
  • Windows 2003 Native and Mixed
  • Windows 2003 Interim (NT)
– Forest Functional Level
  • Windows 2000 (none)
  • Windows 2003 Native
  • Windows 2003 Mixed
– NOTE:
  • Windows 2003 Mixed = "Windows 2000 Native/Mixed" in the UI (the default)
  • Windows 2003 Native = "Windows 2003" in the UI

Review: Win2k Native/Mixed Domains
[Diagram: a W2K forest containing a Mixed domain (NT 4.0 BDC plus W2K DC) and a Native domain (W2K DCs only)]

Domain Functional Levels: Windows Server 2003 Native in W2K Forest
[Diagram: a Win2003 forest containing a W2K Mixed domain (NT 4.0 BDC, W2K DC), a W2k Native domain, and a Windows Server 2003 Native domain (Windows Server 2003 DC only)]

Domain Functional Levels: Windows Server 2003 "Interim"
[Diagram: a Win2003 Mixed forest; domains labelled Windows Server 2003 Native, with DCs labelled NT 4.0 BDC, W2K DC and Windows Server 2003 DC]

Windows Server 2003 Forest "Native" level
[Diagram: a Win2003 Native forest; every domain at Windows Server 2003 Native with Windows Server 2003 DCs only]

Domain functional levels

Domain Level | Domain Version                     | Domain Functionality / Features Enabled                                  | DCs Supported
0            | Windows 2000 mixed                 | Basic Windows 2000                                                       | Windows NT 4.0, Windows 2000, Windows Server 2003
0            | Windows 2000 native                | Group nesting, Universal groups                                          | Windows 2000, Windows Server 2003
1            | Windows Server 2003 interim mixed  | ??                                                                       | Windows NT 4.0 and Windows Server 2003
1            | Windows Server 2003 interim native | ??                                                                       | Windows Server 2003
2            | Windows Server 2003                | DC rename, Logon timestamp, User password attribute, Security??          | Windows Server 2003

Forest functional levels

Forest Level | Forest Version              | Forest Function / Features Enabled                                       | DCs Supported
0            | Windows 2000                | Basic Windows 2000                                                       | Windows NT 4.0, Windows 2000, Windows Server 2003
1            | Windows Server 2003 interim | Link value replication and improved KCC algorithm. Still in mixed mode.  | Windows NT 4.0, Windows Server 2003
2            | Windows Server 2003         | Whatever… all domains must be in native mode                             | Windows Server 2003

Migration Plan
1. Upgrade all DCs in Forest to Windows Server 2003
   [Diagram: Win 2003 "Mixed" forest; NT 4.0 and W2K DCs replaced by Windows Server 2003 DCs in the Mixed, Native and W2K Native domains]
2. Raise Domain Functional Level to Windows Server 2003 (2003) – all domains
   [Diagram: W2003 Mixed forest; every domain now Windows Server 2003 Native]
3. Raise Forest Functional Level to Windows Server 2003 (2003)
   [Diagram: W2003 Forest Native; all domains Windows Server 2003 Native]

In-place upgrade Windows NT to Windows 2003

Process
– Watch for the "Pile On" issue
– Prepare DNS
  • Put W2K3 DNS server in NT domain
  • NT4 Clients can use it (but can't register)
  • Ready for the W2K3 upgrade
– Upgrade PDC first
– Set Forest Functional level to "Interim" when running DCPROMO
– Gradually upgrade BDCs
– Switch Functional Level (forest and domain) to Windows 2003 (Native)

The Pile-On Issue
– Basic: Win2K Pro workstations will authenticate to a Kerberos Key Distribution Center (KDC)
  • If no KDC, falls back to NTLM UNLESS:
  • It finds a KDC once…
– Problem: In-place upgrade – PDC is upgraded to Win2k as DC (KDC)
  • All W2k Pro clients, servers will authenticate to it
  • Flood slow WAN links
  • Won't authenticate to local BDCs
  • Big Problem for W2K Member Servers

Pile-on Solution
– Q284937 – SP2 Required (prefer SP3)
  • Regkey sets NT4 Emulation on PDC (no Kerberos)
  • Problem – can't Promote DC – needs Kerberos
  • Another "fix" – "Neutralize" RegKey on other DCs
  • With sufficient DCs to handle the W2K Pro load, re-set the keys
– Also see Q231789 – Local Logon Process for Windows 2000
– Requires
  • W2K or W2K3 DNS
  • W2K Trust

Another Pile-on Solution
[Diagram: NT4 domain "A" (PDC) and W2K test resource domain "B" (Win2k DC) joined by a trust]
– Put W2k Pros in W2k Test Resource Domain
– W2K Pros Authenticate to W2k DC

Setting 2003 Interim Level
[Slide image; no text recovered]
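An added example, not from the deck: the DC-support rules from the functional-level tables and the migration plan above (including the all-domains-native rule for the 2003 forest level) applied to a constructed DC inventory, to list what blocks a raise before anyone clicks the one-way button.

```python
"""Check whether a domain or forest can be raised to a target functional level.
Added example; SAMPLE_FOREST is a constructed inventory, not from the deck."""

# Lowest to highest; a level can only be raised, never lowered ("can't go back").
DOMAIN_ORDER = ["Windows 2000 mixed", "Windows 2000 native",
                "Windows Server 2003 interim", "Windows Server 2003"]
FOREST_ORDER = ["Windows 2000", "Windows Server 2003 interim", "Windows Server 2003"]

# DC operating systems each level admits (the "DCs Supported" columns).
DOMAIN_DCS = {"Windows 2000 mixed": {"NT4", "W2K", "W2K3"},
              "Windows 2000 native": {"W2K", "W2K3"},
              "Windows Server 2003 interim": {"NT4", "W2K3"},  # interim: no W2K DCs
              "Windows Server 2003": {"W2K3"}}
FOREST_DCS = {"Windows 2000": {"NT4", "W2K", "W2K3"},
              "Windows Server 2003 interim": {"NT4", "W2K3"},
              "Windows Server 2003": {"W2K3"}}


def check_domain_raise(domain, target):
    """domain = {"level": str, "dcs": {dc_name: os}}; returns blocking problems."""
    problems = []
    if DOMAIN_ORDER.index(target) < DOMAIN_ORDER.index(domain["level"]):
        problems.append(f"cannot lower {domain['level']} to {target}")
    for name, os in sorted(domain["dcs"].items()):
        if os not in DOMAIN_DCS[target]:
            problems.append(f"{name} runs {os}, not supported at {target}")
    return problems


def check_forest_raise(forest, target):
    """forest = {"level": str, "domains": {dns_name: domain}}; returns blocking problems."""
    problems = []
    if FOREST_ORDER.index(target) < FOREST_ORDER.index(forest["level"]):
        problems.append(f"cannot lower {forest['level']} to {target}")
    for dns_name, domain in forest["domains"].items():
        for name, os in sorted(domain["dcs"].items()):
            if os not in FOREST_DCS[target]:
                problems.append(f"{dns_name}: {name} runs {os}, not supported at {target}")
        # The 2003 forest level needs every domain at Windows Server 2003 first.
        if target == "Windows Server 2003" and domain["level"] != "Windows Server 2003":
            problems.append(f"{dns_name} is at {domain['level']}; raise it first")
    return problems


SAMPLE_FOREST = {  # constructed: a W2K forest mid-upgrade, one NT4 BDC still alive
    "level": "Windows 2000",
    "domains": {
        "corp.example": {"level": "Windows 2000 native",
                         "dcs": {"CORP-DC1": "W2K3", "CORP-DC2": "W2K"}},
        "emea.corp.example": {"level": "Windows 2000 mixed",
                              "dcs": {"EMEA-BDC1": "NT4", "EMEA-DC3": "W2K3"}}}}

if __name__ == "__main__":
    for problem in check_forest_raise(SAMPLE_FOREST, "Windows Server 2003"):
        print("BLOCKED:", problem)
```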
Migrating from Windows 2000 to Windows 2003

In-Place Upgrade from Windows 2000
– Easy and seamless upgrade process
  • No restructuring necessary
  • No forest, domain, OU or site topology planning necessary
  • No user/workstation/profile migration necessary
– Full compatibility between 2003 DC and Windows 2000 DC
  • 2003 DC can play any FSMO role in Windows 2000 forest
  • Upgrade from Windows 2000 or build new replica
– Preparing forest and domains are separate steps from introducing the first 2003 DC

Impact on current Windows 2000 environment
– Schema extensions (ADPrep)
  • Affects every DC – W2K and W2K3
  • Can't go back
– Group Policy – Over 200 new settings
  • Software Restriction Policies
  • RSOP
– New Cool W2K3 tools – Available thru XP too!
– Little impact on replication traffic

Pre-upgrade Checklist
– Check the HCL
– System State Backup
  • At least 2 DCs in each domain + forest root
– Inventory Domain Controllers in the forest
  • Windows 2000 SP3 (best)
  • Windows 2000 SP2 (minimum)
– Verify end to end AD replication throughout the forest
  • W2K3 or XP: Repadmin /Replsum
– Verify FRS Replication
– FSMO role owners inventory
– Event Logs – errors, warnings of interest
– Disk Space inventory

ADPrep /ForestPrep
– REQUIRED to upgrade Windows 2000 to 2003
– Location: Windows 2003 Server CD \i386\adprep.exe
– Runs on the Schema Master server
– May cause full replication to Windows 2000 GCs
– Extends the AD schema
– Adjusts ACLs on special containers
– Creates special container when finished successfully
  • CN=Windows2002Update,CN=ForestUpdates,CN=Configuration,DC=<forest_root_domain>
– Upgrade without ADPrep first yields errors…

Moving to Windows 2003: Restructuring

Inter-forest scenario: Migrating from Windows NT/2000 to 2003
[Diagram: source Accounts domains Americas, EMEA and AsiaPac and Server Resources domains migrated into the target forest]

Restructuring considerations
– Need to preserve the SID when crossing the domain boundary
– Use SIDHistory attribute:
  • Available only in Windows 2000 native mode

Scenario 1: NT-W2K3 Migration
[Diagram: Accounts migrated across the domain boundary]
– New GUID, New SID – Must use SIDHistory
– Paths: NT4 -> Win2K, NT4 -> 2003, Win2K -> 2003
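The pre-upgrade checklist above calls for verifying end-to-end replication with Repadmin /Replsum before ADPrep touches every DC. This added example (not from the deck) parses a constructed sample of that summary output and flags the DCs to fix first; the column layout and the 24-hour staleness threshold are assumptions.

```python
"""Flag DCs that are not replicating cleanly from repadmin /replsum output.
Added example; SAMPLE_OUTPUT is constructed to resemble the tool's summary tables."""
import re

SAMPLE_OUTPUT = """\
Replication Summary Start Time: 2003-06-02 09:15:10

Beginning data collection for replication summary, this may take awhile:
  ....

Source DSA          largest delta    fails/total %%   error
 CORP-DC1                  14m:03s    0 /   4    0
 CORP-DC2                 >60 days    2 /   4   50  (1722) The RPC server is unavailable.
 EMEA-DC3              01d.02h:11m    0 /   4    0

Destination DSA     largest delta    fails/total %%   error
 CORP-DC1                  14m:03s    0 /   4    0
 CORP-DC2                  41m:07s    0 /   4    0
 EMEA-DC3                 >60 days    2 /   4   50  (1722) The RPC server is unavailable.
"""

# name, largest delta, fails / total, percent, optional "(code) message"
ROW = re.compile(r"^\s*(\S+)\s+(.+?)\s+(\d+)\s*/\s*(\d+)\s+(\d+)\s*(?:\((\d+)\)\s*(.*))?$")
UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def delta_seconds(text):
    """'01d.02h:11m' -> 94260; '>60 days' -> None (unknown age, treat as worst case)."""
    if text.startswith(">"):
        return None
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([dhms])", text))


def parse_replsum(output):
    """Return one dict per row of the Source DSA and Destination DSA tables."""
    section, rows = None, []
    for line in output.splitlines():
        if line.startswith(("Source DSA", "Destination DSA")):
            section = line.split()[0].lower()      # which table we are in
            continue
        m = ROW.match(line) if section else None   # ignore the preamble
        if m:
            rows.append({"role": section, "dsa": m.group(1), "delta": delta_seconds(m.group(2)),
                         "fails": int(m.group(3)), "total": int(m.group(4)),
                         "error": (int(m.group(6)), m.group(7).strip()) if m.group(6) else None})
    return rows


def unhealthy_dcs(output, max_delta=24 * 3600):
    """DCs with any failed replication, or a largest delta above max_delta (default 24h)."""
    bad = {r["dsa"] for r in parse_replsum(output)
           if r["fails"] > 0 or r["delta"] is None or r["delta"] > max_delta}
    return sorted(bad)
```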
Scenario 2: Inter-Forest Migration (W2K-W2K, W2K-W2K3, W2K3-W2K3)
– New GUID, New SID – Must use SIDHistory
– Paths: Win2K -> Win2K, Win2K -> 2003, 2003 -> 2003

Scenario 3: Intra-Forest (between domains)
– Same GUID, New SID – Must use SIDHistory
– Paths: Win2K -> Win2K, Win2K -> 2003, 2003 -> 2003

Scenario 4: Domain rename
– Objects are intact
– 2003 forest only

Intra-forest scenario: Domain rename
– What you can do (The Good):
  • Rename a DC.
  • Rename a domain: DNS or NetBIOS or both!
  • Rename and restructure domains in a forest.
– Restrictions (The Bad):
  • Can't do it if Exchange is deployed in forest
    • Earliest support is Titanium (Exchange 2003) SP1
  • Can't rename a DC that has Certificate Services installed
  • Can rename a domain that has Microsoft CA installed, but it is very ugly
  • Must be in Windows 2003 Native Forest mode: only W2K3 DCs in the forest
  • Can rename the root domain, but can't change which domain is the forest root.

Domain Rename: The Original…
[Diagram: A.com with child domains B.A.com and C.A.com, and D.B.A.com under B.A.com]

Domain Rename: Move to new Parent (grandchild)
[Diagram: A.com, B.A.com, C.A.com; D is now D.C.A.com]

Domain Rename: Move to New Parent (Child)
[Diagram: A.com, B.A.com, C.A.com; D is now D.A.com]

Domain Rename: New Domain Tree
[Diagram: A.com with B.A.com and C.A.com; D.com becomes its own tree]

Domain Rename
[Diagram: Z.com, B.Z.com, D.B.Z.com, C.Z.com]
– Still the old "A" domain – just called "Z" now

Domain Rename Gotchas
– MUST LOCK DOWN THE ENTIRE FOREST DURING DOMAIN RENAME PROCESS
– DCs in renamed domain won't replicate with DCs in original domain.
  • Replication limbo
  • Two replication topologies
  • What happens to password, other changes?

Domain Rename "Limbo State"
[Diagram: DCs A, B, C, D and E split between my.company.com and your.company.com, with no replication between the two]

Domain Rename Gotchas continued
– Applications that depend on domain name may have problems.
– Affects DFS/FRS Resources
– Trusts.
– Secure channels to workstations (ouch!).
– Shares, mapped drives, logon scripts.
– Does NOT support "Grafting" or Merging of forests.
HP will be renaming corporate Windows 2000 domain from CPQCorp.net to HPQCorp.net

Technologies: ADMT V2
– Inter-forest and Intra-forest restructuring
– Inter-forest password migration:
  • Source: NT4 (incl. syskey), Windows 2000 - 2003
  • Target: Windows 2000, Windows 2003
– Command line interface
  • Batch mode migration
– Scripting interface
– Migration delegation
– Extensive reporting capabilities

Technologies: 3rd Party
– NetIQ
– Quest Software
– Aelita
– BindView

Questions?

Interex, Encompass and HP bring you a powerful new HP World.