Integration and Migration: Making the Move to Windows Server 2003 Michael Leworthy Windows Server Product Manager Microsoft Australia.


1 Integration and Migration: Making the Move to Windows Server 2003 Michael Leworthy Windows Server Product Manager Microsoft Australia

2 Agenda ► Client Integration with Windows Server 2003 ► Update on Functional Levels ► Windows NT 4.0 to Windows Server 2003 upgrade ► Windows 2000 Server to Windows Server 2003 upgrade ► Domain restructuring with ADMT v2

3 Clients And Windows Server 2003 ► Security improvements change behavior of Windows Server 2003 Domain Controllers ► SMB signing and secure channel encryption enforced ► Adjustments needed for older clients ► Windows NT 4.0 SP4 and higher, Windows 2000, Windows XP clients work without adjustments ► Win95 and Windows NT4 pre-SP4 require changes; either ► Disable enforcement of SMB signing and secure channel encryption ► Install DS Client and/or Service Pack ► Fully documented in the Windows Server 2003 Deployment Kit

4 SMB Signing Policy
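
The client rule from the "Clients And Windows Server 2003" slide, applied to an inventory before the first domain controller is upgraded. This is an added example, not part of the original presentation; the CSV layout, hostnames and function names are assumptions made for illustration.

```python
import csv
import io

# Constructed sample inventory (hostnames and values are made up for this example).
SAMPLE_INVENTORY = """host,os,service_pack
WS-001,Windows XP,1
WS-002,Windows NT 4.0,3
WS-003,Windows NT 4.0,6
WS-004,Windows 95,0
WS-005,Windows 2000,2
WS-006,Windows 98,0
"""

def classify_client(os_name, service_pack):
    """Apply the slide's rule to one client: 'ok', 'needs-change' or 'unlisted'."""
    name = os_name.strip().lower()
    if name.startswith("windows nt 4"):
        # NT 4.0 works without adjustments only from SP4 onwards.
        return "ok" if service_pack >= 4 else "needs-change"
    if name.startswith(("windows 2000", "windows xp")):
        return "ok"
    if name.startswith("windows 95"):
        return "needs-change"
    # The slide does not mention this OS: flag it for manual review, do not guess.
    return "unlisted"

def review_inventory(csv_text):
    """Group hosts by status so blockers are visible before the upgrade starts."""
    report = {"ok": [], "needs-change": [], "unlisted": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        sp = int(row["service_pack"] or 0)
        report[classify_client(row["os"], sp)].append(row["host"])
    return report

def enforcement_safe(report):
    """True only if every client is known to work with enforcement left on."""
    return not report["needs-change"] and not report["unlisted"]

if __name__ == "__main__":
    result = review_inventory(SAMPLE_INVENTORY)
    for status, hosts in result.items():
        print(f"{status:13} {', '.join(hosts) or '-'}")
    print("keep enforcement enabled:", enforcement_safe(result))
```

Hosts reported as needs-change are the ones that require the DS Client and/or a service pack if SMB signing and secure channel encryption are to stay enforced.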

5 Update on Functional Levels ► Functional Levels ► Domain Functional Levels ► Forest Functional Levels ► Features without Dependencies ► Best Practices For Functional Levels ► Raising Domain Functional Level ► What Happens with Functional Level Upgrades ► Upgrading the PDC ► Forest switch to Windows Server 2003 Functional Level

6 Functional Levels ► Required in order to introduce non-backward-compatible features ► Admin manually advances functional level when all DCs in forest/domain are upgraded ► Level only increases – no going back ► Legacy DCs blocked from joining/starting

7 Functional Levels ► Available functional levels ► Windows Server 2003 forest functionality ► Windows Server 2003 interim forest functionality ► Allows mixed-mode domains (NT4 BDCs), but no Windows 2000 DCs ► Windows Server 2003 domain functionality

8 Domain Functional Levels
Domain functionality: Windows 2000 mixed
Enabled features: ► Universal Groups (non-security only)
Supported DCs in domain: Windows NT4, Windows 2000, Windows 2003
Domain functionality: Windows 2000 native
Enabled features: All mixed mode, plus ► Group nesting ► Universal groups ► SIDHistory ► Group conversions
Supported DCs in domain: Windows 2000, Windows 2003

9 Domain Functional Levels
Domain functionality: Windows Server 2003
Enabled features: All Windows 2000 native, plus ► Update logon timestamp attribute ► Kerberos KDC version ► User password on INetOrgPerson ► DC rename with netdom ► Redirect users and computers ► Authorisation manager can store authorisation policies ► Constrained delegation for computers ► Selective authentication cross-forest
Supported DCs in domain: Windows 2003

10 Forest Functional Levels
Forest functionality: Windows 2000
Supported DCs in forest: Windows NT4, Windows 2000, Windows 2003
Forest functionality: Windows Server 2003 Interim
Enabled features: All Windows 2000, plus ► Linked Value Replication ► Improved ISTG ► New attributes added to GC
Supported DCs in forest: Windows NT4, Windows 2003

11 Forest Functional Levels
Forest functionality: Windows Server 2003
Enabled features: All Windows Server 2003 Interim, plus ► Dynamic aux classes ► User to INetOrgPerson change ► Schema Redefine ► Domain rename ► Cross-forest trust ► Basic and query based groups (for roles based azman)
Supported DCs in forest: Windows 2003

12 Features without Dependencies ► Application partitions ► Universal Group Caching ► Install from Media ► No-GC-Full-Sync for PAS schema extensions ► SID History migration delegation ► Concurrent LDAP binds ► Manual trigger of online defrag ► DNS in application partitions ► Single instance store

13 Forest switch to Windows Server 2003 Functional Level ► Domain controllers switch to new replication pause values ► Windows 2000: registry values ► 5 minutes / 30 seconds ► Windows 2003: new default values if registry keys are not set ► 30 secs / 5 secs ► At forest functional switch ► DCs delete registry values if values are Windows 2000 defaults ► Automatically switch to 30 secs / 5 secs

14 Best Practices For Functional Levels ► Windows NT 4 Upgrade ► Motivation to move to Windows Server 2003 interim level ► Linked-value-replication (large group support) ► Improved KCC/ISTG ► Set Windows Server 2003 interim forest level ► Once all NT 4 BDCs are upgraded, advance forest to Windows Server 2003 functional level ► This automatically advances all domains to Windows Server 2003 functional level

15 Best Practices For Functional Levels ► Windows 2000 Upgrade ► Do nothing until all DCs are running Windows Server 2003 ► Make sure that no mixed mode domain is left in the forest ► Advance forest level to Windows Server 2003 functional level ► This automatically advances all domains to Windows Server 2003 functional level
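
The supported-DC columns of the functional level tables, turned into an eligibility check over a DC inventory. This is an added example, not part of the original presentation; the version labels, domain names and function names are assumptions. It reports which level each domain and the forest could be raised to, which an administrator then does manually and irreversibly.

```python
# Supported DC versions per functional level, transcribed from the slide tables
# (highest level first). The labels "NT4", "2000", "2003" are this example's own.
DOMAIN_LEVELS = [
    ("Windows Server 2003", {"2003"}),
    ("Windows 2000 native", {"2000", "2003"}),
    ("Windows 2000 mixed", {"NT4", "2000", "2003"}),
]
FOREST_LEVELS = [
    ("Windows Server 2003", {"2003"}),
    ("Windows Server 2003 interim", {"NT4", "2003"}),
    ("Windows 2000", {"NT4", "2000", "2003"}),
]

def highest_level(levels, dc_versions):
    """Return the highest level whose supported-DC set covers every DC present."""
    present = set(dc_versions)
    for name, supported in levels:
        if present <= supported:
            return name
    raise ValueError(f"DC version not covered by any level: {sorted(present)}")

def functional_level_plan(forest):
    """forest maps a domain name to the list of its DC versions."""
    domains = {dom: highest_level(DOMAIN_LEVELS, dcs) for dom, dcs in forest.items()}
    every_dc = [v for dcs in forest.values() for v in dcs]
    # Legacy DCs are what keeps the forest below Windows Server 2003 level.
    blockers = sorted({(dom, v) for dom, dcs in forest.items()
                       for v in dcs if v != "2003"})
    return {"domains": domains,
            "forest": highest_level(FOREST_LEVELS, every_dc),
            "blockers": blockers}

# Constructed inventory: domain names and DC counts are made up.
SAMPLE_FOREST = {
    "corp.example": ["2003", "2003"],
    "emea.corp.example": ["2003", "NT4", "NT4"],
}

if __name__ == "__main__":
    plan = functional_level_plan(SAMPLE_FOREST)
    print("forest can be raised to:", plan["forest"])
    for dom, level in plan["domains"].items():
        print(f"  {dom}: {level}")
    print("DCs still to upgrade:", plan["blockers"])
```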

16 Raising Domain Functional Level

17 What Happens with Functional Level Upgrades ► Domain Level ► Special operations on PDC upgrade ► Forest Level ► Special operations when forest is switched to Windows Server 2003 functional level ► Domain and Forest Level switches ► Attributes that define functional levels are initialised

18 Upgrading the PDC ► New well-known and built-in groups are created ► Builtin\Remote Desktop Users (not on XP) ► Builtin\Network Configuration Operators (not on XP) ► Performance Monitor Users ► Performance Log Users ► Builtin\Incoming Forest Trust Builders (DC only) ► Builtin\Performance Monitoring Users (not on XP) ► Builtin\Performance Logging Users (not on XP) ► Builtin\Windows Authorization Access Group (DC only) ► Builtin\Terminal Service Licence Server (DC only)

19 Upgrading the PDC ► Some new group memberships are established ► If Everyone is in the Pre-Windows 2000 Compatible Access group, Anonymous Logon and Authenticated Users are added ► Network Servers is added to Performance Monitoring group ► Enterprise Domain Controllers is added to Windows Authorization Access group ► Has low network / performance impact

20 Forest switch to Windows Server 2003 Functional Level ► Attributes added to the GC ► ms-DS-Trust-Forest-Trust-Info; Trust-Direction; Trust-Attributes; Trust-Type; Trust-Partner ► Security-Identifier ► ms-DS-Entry-Time-To-Die ► MSMQ-Secured-Source; MSMQ-Multicast-Address ► Print-Memory; Print-Rate; Print-Rate-Unit ► MS-DRM-Identity-Certificate ► No GC – Full Sync – low replication impact!

21 Windows NT 4 to Windows Server 2003 upgrade ► Upgrading from Windows NT 4 ► Demo: Upgrading the Windows NT 4 PDC

22 Upgrading from Windows NT4 ► Use Windows Server 2003 Interim Forest mode immediately ► Use dcpromo to do this if upgrading to forest root domain ► Use adsiedit to switch the existing Windows Server 2003 root domain

23 Upgrading from Windows NT4 (Step by Step) 1. Inventory clients for compatibility with default security settings ► Either install software (dsclient, SP) or relax settings 2. Inventory domain controllers in domain ► Hot fixes ► Recommended: SP6a ► DC hardware: Disk space, CPU, memory ► DC health including replication and lmrepl file replication service

24 Upgrading from Windows NT4 (Step by Step) 3. Check for services running as local system on all member servers and workstations ► Re-configure service to use user account, or ► Upgrade server to Windows 2000 Server or Windows Server 2003, or ► Use “Enable downlevel access” in dcpromo ► Services which require “Enable downlevel access” include Windows NT 4.0 RAS

25 Upgrading from Windows NT4 (Step by Step) 4. Configure lmrepl export server ► This will be the last domain controller to be upgraded ► If lmrepl service runs on PDC, either ► Select one BDC to be new lmrepl export server, or ► Move lmrepl to server that will be upgraded as the last DC 5. Secure one BDC ► Sync with PDC ► Take back-up tape and test restore ► Take BDC off-line and keep in storage

26 Upgrading from Windows NT4 (Step by Step) 6. Upgrade PDC ► PDC will not be able to perform PDC role while upgrade and dcpromo run ► No changes possible (no new users, groups, group membership changes) ► Clients and workstations will not be able to change passwords ► Trusts might fail ► Plan for the change freeze / downtime 7. Configure security settings

27 Upgrading from Windows NT4 (Step by Step) 8. Verify success ► Verify down-level replication works ► Verify that users can be added and passwords can be changed 9. Install and configure lmbridge ► Windows Server 2003 has no more lmrepl service; it uses sysvol replication (frs) ► Copy all logon scripts and other files from lmrepl export server to PDC emulator ► Configure lmbridge to copy files from PDC emulator to lmrepl export server ► Change files on PDC only

28 Upgrading from Windows NT4 (Step by Step) 10. Continue upgrading BDCs 11. Once all DCs are Windows Server 2003 ► If this was the last domain to join the forest and all DCs in the forest are Windows Server 2003, switch to Windows 2003 forest functional level ► In multi-domain forests, don’t worry about single domain modes, wait until last domain is upgraded

29 Upgrading The Windows NT 4.0 PDC

30 Windows 2000 to Windows Server 2003 upgrade ► Upgrading from Windows 2000 ► Issues with Schema Extensions ► Domain Naming Master ► Domain Upgrade And DNS ► Introducing The First Windows Server 2003 Domain Controller In Forest ► Upgrading from Windows 2000 Step by Step

31 Upgrading From Windows 2000 ► Easy and seamless upgrade process ► No restructuring necessary ► No forest, domain, OU or replication planning necessary ► No user / workstation / profile migration

32 Upgrading From Windows 2000 ► Windows Server 2003 DCs fully compatible with Windows 2000 DCs ► Windows Server 2003 DCs can interoperate in Windows 2000 forest / domain in any role ► New DC (dcpromo) ► Upgrade of existing DC ► Preparing the forest and domains is a separate step from introducing the first Windows Server 2003 DC

33 Issues with Schema Extensions ► Exchange 2000 schema present ► Exchange 2000 schema extensions define three non-RFC-conformant attributes (houseIdentifier, secretary and labeledURI) ► If Exchange 2000 schema extensions are applied before Windows 2000 InetOrgKit or Windows Server 2003 schema, attributes with mangled names are created ► See KB article Q325379

34 Issues with Schema Extensions ► Services For Unix version 2.0 ► SFU 2.0 NIS component defines a uid attribute which clashes with the correct interpretation in Windows Server 2003 schema ► Adprep cannot extend the schema unless a QFE is applied ► See KB article Q293783

35 Domain Naming Master ► Application partitions do not depend on forest functional level ► Domain Naming Master must be Windows Server 2003 to create application partitions

36 Domain Upgrade And DNS ► Windows 2003 DNS can use application partitions ► Motivation: Removes DNS data from GC ► Once all DCs are running Server 2003, DNS data should be moved from domainNC to app NCs ► Easy through DNS manager ► There is a big difference between creating and using application partitions ► Windows 2000 used domainNC for DNS ► Data must be moved manually from domainNC to application partition ► Not an automated process ► Until then, failure to create application partitions is harmless

37 Introducing The First Windows Server 2003 Domain Controller In Forest ► Once adprep has run, Windows Server 2003 Domain Controllers can join the forest ► Two methods ► Upgrade existing domain controller ► Install Windows Server 2003 as member server and run dcpromo ► Can choose any domain to hold the first Windows Server 2003 DC

38 Introducing The First Windows Server 2003 Domain Controller In Forest ► Upgrade of PDC emulator performs special operations ► Creates group for Terminal Service, internal groups ► Role transfer to Windows Server 2003 DC triggers same operations ► Best practice ► Install Windows Server 2003 as member server and promote to Domain Controller ► Upgrade PDC to Windows Server 2003 early in the process ► Or transfer PDC emulator role to Windows Server 2003 DC, even if temporarily only

39 Upgrading from Windows 2000 (Step by Step) 1. Inventory clients for compatibility with default security settings ► Either install software (dsclient, SP) or relax settings 2. Apply schema fixes for Exchange and SFU if needed

40 Upgrading from Windows 2000 (Step by Step) 3. Inventory domain controllers in forest ► Hot fixes ► Recommended: SP3 ► If not at SP3 please review hotfix and updates required: Q331161 has details ► Disk space ► DC health including AD replication 4. Run adprep /forestprep 5. In each domain, run adprep /domainprep

41 Upgrading from Windows 2000 (Step by Step) 6. Install Windows Server 2003 member server in forest root domain or any other domain of your choice 7. Promote member server to DC – monitor 8. Move Domain Naming Master role to Windows Server 2003 DC

42 Upgrading from Windows 2000 (Step by Step) 9. Upgrade existing Windows 2000 domain controllers 10. In each domain ► Upgrade PDC emulator as soon as possible (or transfer PDC emulator role to Windows Server 2003 DC) ► Once all DNS servers are running Windows Server 2003, move domain DNS data into application partition ► Verify that DNM is still running on Windows 2003 DC

43 Upgrading from Windows 2000 (Step by Step) 11. When all DCs are upgraded ► Switch forest to Windows Server 2003 functional level

44 Domain restructuring with ADMT V-2 ► Migrating To Windows Server 2003 ► Restructure Activities ► Active Directory Migration Tool Version 2.0

45 Migrating To Windows Server 2003 ► Most migrations from Windows NT 4.0 to Active Directory are a mix of in-place upgrades and restructuring ► See “Best Practice Active Directory Design for Managing Windows Networks” for more information ► http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/bpaddsgn.asp

46 Restructure Activities
Activity: User migration. Part of: Account domain restructuring
Activity: Global Group migration. Part of: Account domain restructuring
Activity: Migrating user profiles. Part of: Account domain restructuring
Activity: Migrating Exchange mailbox access. Part of: Account domain restructuring
Activity: Migrating workstations. Part of: Resource domain restructuring
Activity: Migrating resources. Part of: Resource domain restructuring

47 Active Directory Migration Tool Version 2.0 ► Password migration ► Windows NT 4.0 to Active Directory ► Forest to forest ► Scripting support ► Command line support ► Can also be used to migrate to Windows 2000 Active Directory

48 ADMT

49 Summary ► Windows NT 4 to Windows Server 2003 upgrade very similar to Windows NT 4 to Windows 2000 upgrade ► Windows 2000 Server to Windows Server 2003 upgrade is easy and requires no additional design planning ► ADMT v2 makes restructuring easier

50 Do More With Less

51 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

