
DEP313 Active Directory Restructuring with ADMT v-2



Presentation transcript:

1 DEP313 Active Directory Restructuring with ADMT v-2
Lothar Zeitler, Snr. Consultant, Microsoft Services Germany. TechEd 2002

2 Agenda
Restructuring scenarios
ADMT v-2
Restructuring process
Inter-Forest migration
Intra-Forest migration
Summary

3 What is Restructuring
Process that moves users between domains
Domains can be in a different forest or the same forest
Single users, an organizational unit, or an entire domain
Includes moving additional objects with users:
  Groups needed to access resources
  Workstations
  Resource servers

4 Restructuring Scenarios
Mergers and acquisitions / spin-offs: one-off project
Multi-forest deployments: user moves happen on a regular basis
Collapsing domains to reduce the number of domains, for example after a network upgrade

5 Inter-forest vs. Intra-forest
(Diagram: source and target domains with a forest boundary between them. Both intra-forest and inter-forest moves use the Active Directory Migration Tool.)

6 Restructuring: Alternative Solutions
Multi-forest deployment
  Two or more forests with user accounts and resources
  Resource access through trust relationships
  GC synchronization through MMS
  Separate or unified DNS namespace
Easier with Windows 2003
  Cross-forest trusts
  Kerberos between forests
  UPN routing
  DNS: conditional forwarding
Synchronized Exchange forests
Exchange resource forest: migrate Exchange mailboxes only

7 Restructuring vs. Multi-Forest
Reasons for restructuring
  M&A: IT of the acquired company fully integrated
  Long-term acquisition
  High level of collaboration required
  Spin-off from a single-forest deployment
  Lowering TCO for the AD deployment
Reasons for multi-forest deployment
  Independent IT organizations
  M&A: results in an independent business unit
  Acquisition might not be long term
  Collaboration might be restricted to messaging and calendaring
  Avoid the higher cost attached to restructuring
Review Chapter 2 of the Windows 2003 Deployment Kit

8 Business Goals for Restructuring
No service impact
Little end-user impact
Roll-back plan
Low TCO for the restructuring operation

9 ADMT v-2 Overview
Single tool to perform all migration operations
  User, group, computer moves
  Security translations
  Profile translations
Multiple user interfaces
  Graphical wizards
  Scripting interface
  Command line interface
Password migration
New delegation model
Attribute exclusion list
SID mapping file for security translations
And many more…

10 User Migration – Background
User Security ID (SID) is tied to the domain
SID is used to grant access to resources
Most resource access happens through group memberships
  User accounts are grouped in Global Groups
  Local Groups protect resources
  Global Groups are added to Local Groups to grant access rights to the resource
  Local Groups store the SIDs of Global Groups
Business goal: preserve user access to resources
  SID history accomplishes this
  SIDs need to be migrated for users and groups

11 How sIDHistory Works
(Diagram; names as on the slide)
Account domain hb-acct.hay-buv.tld: hb-acct\Bob carries sIDHistory: HB-ACCT-ROW\Bob
Bob’s access token on HB-RES-MEM:
  User: hb-acct\Bob SID
  Groups: HB-ACCT-ROW\Bob (from sIDHistory), HB-RES-MEM\TechEditors SID
Resource domain HB-RESWC (members HB-RESWC-MEM, HB-RESWC-WS1):
  HB-RESWC-MEM\TechEditors members: HB-ACCT-ROW\Bob
  \\HB-RESWC-MEM\Online-Docs: TechEditors: FA
  File Bob-Outlines.txt: only Bob has access

12 User Moves: Profiles
Local profiles
Roaming profiles
Options for profile management
  Unmanaged
  Migrate local profiles
  Combine migration with hardware refresh

13 Migration Scenario: Starfleet / Delta Quadrant
(Diagram) Forests and domains: Starfleet.com with DS9.Starfleet.com and SanFrancisco.Starfleet.com; DeltaQ.com with Voyager.DeltaQ.com
Step 1: Create target domains
Step 2: Migrate users and resources
Step 3: Decommission source domains / forest

14 Demo: User Migration with SID History

15 SID Filtering
Risk
  Trusted domain DC returns SIDs during authentication
  Trusting domain DC accepts all SIDs
  Cannot check that SIDs are legitimate
Attack needs
  Service admin rights in the trusted forest, or
  Physical access to a domain controller in the trusted forest
Solution: SID filtering
  System builds an authoritative list of domain SIDs
  Authentication: fail authN if the user’s account domain is NOT in the list
  Remove SIDs not relative to the list
  Configurable on all trust relationships

16 When to use SID Filtering
Steady-state multi-forest deployment
  If the reason for the multi-forest deployment is data or service isolation, use SID Filtering
  If forests are managed by the same administrators, or DCs are located in the same locations, SID Filtering does not provide additional value
Mergers and acquisitions
  Usually admin staff from one forest takes over the other forest
  No more requirement for security isolation
  No need for SID Filtering

17 Migration And SID Filtering
(Diagram) Fabrikam, Inc. forest: corp.fabrikam.com, mf.corp.fabrikam.com, rd.corp.fabrikam.com. Contoso, Ltd. forest: corp.contoso.com, na.corp.contoso.com, ap.contoso.corp.com, jpn.ap.contoso.corp.com. Across the cross-forest trust, sIDHistory is filtered.
Solution 1: Disable SID filtering on the cross-forest trust
Solution 2: External trust
Solution 3: Perform Security Translation on the resource
Solution 4: Migrate resources with users (closed set)

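Added example (not code from the deck or from ADMT): a simulation of the trusting-side SID filtering logic from slide 15 applied to the migration case on slide 17. Bob's account has moved to corp.contoso.com with his old corp.fabrikam.com SID in sIDHistory, and a Fabrikam share still grants access only to that old SID; all domain SIDs, names and ACLs are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed domain SIDs for the forests on the slide (not real values).
FABRIKAM_CORP = "S-1-5-21-1000-2000-3000"  # corp.fabrikam.com, where the share still lives
CONTOSO_CORP = "S-1-5-21-4000-5000-6000"   # corp.contoso.com, Bob's new account domain
CONTOSO_NA = "S-1-5-21-4000-5000-7000"     # na.corp.contoso.com
# Authoritative list the Fabrikam (trusting) side holds for the Contoso trust.
CONTOSO_FOREST_DOMAINS = [CONTOSO_CORP, CONTOSO_NA]

def domain_of(sid: str) -> str:
    """Domain prefix of a domain-relative SID: everything before the RID."""
    return sid.rsplit("-", 1)[0]

@dataclass
class TokenRequest:
    """SIDs the trusted domain's DC returns during authentication."""
    account_sid: str
    group_sids: list
    sid_history: list = field(default_factory=list)

    def all_sids(self) -> list:
        return [self.account_sid] + self.group_sids + self.sid_history

def sid_filter(req: TokenRequest, trusted_domain_sids):
    """Trusting-side SID filtering; returns (accepted, kept SIDs, dropped SIDs).
    Windows has extra rules for well-known SIDs (S-1-1-0, S-1-5-11, ...)
    that this simplified model deliberately does not reproduce."""
    allowed = set(trusted_domain_sids)
    if domain_of(req.account_sid) not in allowed:
        return False, [], req.all_sids()  # fail authN: account domain not in the list
    kept, dropped = [], []
    for sid in req.all_sids():
        (kept if domain_of(sid) in allowed else dropped).append(sid)
    return True, kept, dropped

def access_allowed(token_sids, acl_sids) -> bool:
    """Simplified allow-only ACL: any token SID present on the ACL grants access."""
    return bool(set(token_sids) & set(acl_sids))

def migrated_user_can_reach_old_resource(filtering_enabled: bool) -> bool:
    """Bob was migrated from corp.fabrikam.com to corp.contoso.com with sIDHistory;
    the Fabrikam share ACL still names only his old SID."""
    bob = TokenRequest(CONTOSO_CORP + "-1105", [CONTOSO_CORP + "-513"], [FABRIKAM_CORP + "-1105"])
    share_acl = [FABRIKAM_CORP + "-1105"]
    if filtering_enabled:
        accepted, sids, _dropped = sid_filter(bob, CONTOSO_FOREST_DOMAINS)
    else:  # Solution 1 on the slide: SID filtering disabled on the cross-forest trust
        accepted, sids = True, bob.all_sids()
    return accepted and access_allowed(sids, share_acl)
```

With filtering on, the sIDHistory entry is stripped and Bob loses the share until one of the four solutions on the slide is applied; an account from a domain outside the authoritative list is refused outright.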

19 Demo: Migration with SID Filtering

20 Process for Large Scale Migrations
Large migrations require planning
Special care for local profile migration
  Users should not log on with the new account before the local profile is migrated
  Workstation should be in the same domain as the user
Smartcard logons, wireless networks
Synchronize group policies
Application deployment
Client side caching

21-28 Restructuring Process – Inter Forest
(Process diagrams; not captured in the transcript. Slide 25: Migrating Users without SID Filtering between Forests. Slide 26: Migrating Users with SID Filtering between Forests.)

29 Intra Forest Restructuring
Example: reducing the number of domains in a forest
Different from Inter Forest restructuring
  Object is moved instead of copied
  Different APIs are used
    Inter-forest: a new object is created
    Intra-forest: LDAP_move() replicates the object

30 Restructure Comparison: Inter-forest vs. Intra-forest
Inter-forest migration is like object cloning
  Non-destructive: source object still exists = fallback
  Incremental migration straightforward
  Preserves old SID in sIDHistory
  Doesn’t preserve GUID (Windows 2000, XP)
  Multiple security principals with the same SID

31 Restructure Comparison: Inter-forest vs. Intra-forest
Intra-forest migration is like an object move
  Destructive: source object moved = no fallback
  Incremental migration hard (closed sets)
  Preserves old SID in sIDHistory
  Preserves GUID
  Unique SID

32 Restructure Considerations: Intra-forest
Closed sets
  Resource access granted through groups: User -> GG -> LG -> resource
  Users and Global Groups must be in the same domain
  Resources and Local Groups must be in the same domain
Migration tools support the scenario
  ADMT automatically changes a Global Group to a Universal Group if members are in different domains
  The Universal Group is automatically migrated back to a Global Group once all members are in the target domain
  Permissions on resources can be translated if the resource and local group cannot be migrated together
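Added example (not the deck's or ADMT's code) for the closed-set rule above: membership links are treated as an undirected graph, so the closed set for any user, Global Group, Local Group or server is its connected component, and a planned batch that cuts a Global Group is exactly the case where ADMT would switch it to a Universal Group. The users, groups and server names are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed membership data for a source domain (not from the slides).
# Access path on the slide: User -> Global Group -> Local Group -> resource.
USER_TO_GG = [("alice", "GG-Editors"), ("bob", "GG-Editors"),
              ("bob", "GG-Finance"), ("carol", "GG-Finance"), ("dave", "GG-Ops")]
# Local Groups live on the resource server whose ACLs reference them.
LG_TO_SERVER = [("LG-Docs", "SRV1"), ("LG-Docs", "SRV2"),
                ("LG-Fin", "SRV2"), ("LG-Backup", "SRV3")]

def build_adjacency(pairs):
    """Undirected membership graph: each (member, container) pair links both ways."""
    adj = defaultdict(set)
    for member, container in pairs:
        adj[member].add(container)
        adj[container].add(member)
    return adj

def closed_set(start, pairs):
    """Everything reachable from `start` through membership must migrate in the
    same batch, or a user/GG or LG/resource pair ends up split across domains."""
    adj = build_adjacency(pairs)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return frozenset(seen)

def migration_batches(pairs):
    """Partition every object into closed sets (the connected components)."""
    adj = build_adjacency(pairs)
    batches, done = [], set()
    for node in sorted(adj):
        if node not in done:
            batch = closed_set(node, pairs)
            done |= batch
            batches.append(batch)
    return batches

def groups_to_convert(migrating_users, pairs):
    """Global Groups ADMT would switch to Universal Groups if only `migrating_users`
    move now: they would have members on both sides of the domain boundary."""
    members = defaultdict(set)
    for member, group in pairs:
        members[group].add(member)
    moving = set(migrating_users)
    return sorted(g for g, m in members.items() if m & moving and m - moving)
```

Migrating only alice forces GG-Editors through the Universal Group detour; migrating alice, bob and carol together (the whole closed set) needs no conversion at all.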

33 Demo: Intra-Forest Migration

34-37 Restructuring Process – Intra-Forest
(Process diagrams; not captured in the transcript.)

38 Summary
Evaluate options in M&A scenarios: restructure or multi-forest
ADMT v-2 supports all restructuring tasks
Inter-forest restructuring has easier fall-back
Processes for large-scale restructurings are documented in the Windows 2003 Deployment Kit
ADMT v-2 on the Windows 2003 CD and as a web download

39 Community Resources
Most Valuable Professional (MVP)
Newsgroups: converse online with Microsoft Newsgroups, including Worldwide
User Groups: meet and learn with your peers


41 © 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

