Making the move to Windows Server 2003 in the Enterprise Doing More with Less Peter J. Meister Product Manager Windows Server Product Management Microsoft.

Presentation transcript:

Making the move to Windows Server 2003 in the Enterprise Doing More with Less Peter J. Meister Product Manager Windows Server Product Management Microsoft Corporation

Agenda
- Migration Strategy
- Preparing to Migrate
- Choose a Migration Path
- Upgrade Migration
- Restructure Migration
- Upgrade and Restructure Migration

Migration Strategy
- Migrate by roles
- Divide migration into manageable chunks
- Do high-return migrations first
- Priority = (Value of migration) x (number of servers)

Priority matrix (axes: Number of servers, Value):
          High          Low
  High    Priority 1    Priority 3
  Low     Priority 2    Priority 4

Value by Role
- Different for each organization
- What are your priorities?
  - Reduce capital cost
  - Reduce labor cost
  - Reduce space/labor requirements
  - Increase reliability
  - Deploy new applications
- High-value upgrades:
  - Application servers
  - Domain controllers
  - File servers

Upgrade by Role Examples
- Example: Major U.S. bank
  - Server role: Application servers
  - Server count: 200
  - Key innovation: applications can be consolidated; reliability
  - Business value: space and power savings; lower capital cost; higher availability
- Example: GE Medical Systems
  - Server role: Domain controllers
  - Server count: 70
  - Key innovation: Active Directory scalability, central management (GPMC)
  - Business value: lower management cost (no need to maintain trust relationships; Exchange integration); higher reliability
- Example: Microsoft IT Group
  - Server role: Print servers
  - Server count: 16
  - Key innovation: performance
  - Business value: lower capital cost, lower management cost

Preparing to Migrate

Identify The Current Environment
Identify:
- Current domain model
- Existing trust relationships
- Number and location of domain controllers
- User, group, and computer accounts
- How user profiles are managed
- Domain administration
- Security standards and procedures

Migration Terminology
- Domain Migration – Moving user, group, and computer accounts from a Windows NT 4.0 domain to a Windows Server 2003 domain
- Source Domain – The domain from which user principals are being migrated
- Target Domain – The domain into which security principals are being migrated
- Account Domain – A Windows NT 4.0 domain containing user and group accounts
- Resource Domain – A Windows NT 4.0 domain hosting file, print, and other services and containing computer and group accounts
- Consolidate Domains – Restructure a larger number of domains into a lesser number
- Functional Levels – Provide backward compatibility for different Windows operating systems using Active Directory
- Clone – Create new accounts in the target domain that mirror accounts in the source domain
- SID-History – An attribute of Active Directory security principals that stores the former SIDs of moved objects

Choose a Migration Path

Determine A Migration Path
- Evaluate upgrade decisions
- Evaluate restructure decisions
- Evaluate upgrade and restructure decisions
- Possible domain migration paths
  - Domain Upgrade
  - Domain Restructure
  - Upgrade and Restructure

Reasons To Choose A Path
- Upgrade
  - Similar domain structures suitable to the needs of the organization
  - Offers lowest risk/shortest time/fewest resources/no new servers
- Restructure
  - Existing structure does not meet needs
  - Organization cannot tolerate downtime
  - Need optimum domain structure
- Upgrade and Restructure
  - Similar domain structures
  - Implement AD features as soon as possible

NT4.0 File and Print Server Consolidation Name Group Microsoft Corporation

Demo Scenario: Trey Research
- Scenario
  - Trey Research has too many File and Print servers in their Windows NT 4.0 domain
  - Using DFS to enable pilot migration and consolidation of their Atlanta office
- Objectives
  - Reduce administration costs
  - Migrate NT 4 servers without impacting end-user productivity
  - Improve overall user productivity

Productive Consolidation at Trey Research, using DFS
1. DFS links to other servers on the network that store the files…
2. Mitch uses DFS to easily browse to and find Trey.doc. He then happily goes to editing.
3. Once migration is complete, the NT servers are decommissioned—and DFS redirects Mitch to Windows Server 2003!
The NT servers are migrated & consolidated to Windows Server 2003. And Mitch never stopped working!
[Diagram labels: NT 4.0 servers; Windows Server 2003]

Before and after Consolidation at Trey Research
[Figure panels: NT 4.0 net before Consolidation; After Consolidating to Windows Server 2003]

Upgrade Migration

Clean Up The SAM Database
- Delete
  - Duplicate user accounts
  - Unused user, group or computer accounts
  - Group accounts for resources that do not exist
- Disable
  - For accounts not needed in the near term
  - To retain rights, permissions, and group memberships
  - For accounts that own important network resources
- Consolidate accounts that do the same thing

Clean Up The SAM Database Name Group Microsoft

The Order Of Upgrade
- Upgrade account domains first
- Upgrade an existing account domain to the forest root -or- Create a forest root
- Upgrade account domains to form child domains in Active Directory
- Upgrade resource domains

Upgrade Account Domains
- Domains to which you have the easiest physical access
- Domains that will contain objects from domains restructured early in the process
- Always balance the risk/benefit of upgrading a domain

Upgrade Resource Domains
- Domains that contain applications requiring features of Windows Server 2003
- Domains that will contain objects from domains restructured early in the process
- Domains with many client accounts

Upgrade Domain Controllers
- Upgrade the PDC first
- Upgrade BDCs -or- Decommission BDCs and install Windows Server 2003 DCs
- Upgrade a BDC first if the PDC does not meet installation requirements

What Happens During A PDC Upgrade
- DNS is configured for Active Directory
- The domain functional level is set to Windows 2000 mixed
- The forest functional level is set to Windows 2000
- The upgraded PDC holds the PDC Emulator operations master role

Upgrading The PDC Name Group Microsoft

Domain Upgrades Affect Trusts
[Diagram labels: Windows NT 4.0 Domains (ACCT1, ACCT2, RES1); Upgrade; Windows Server 2003 Domains (Forest root, ACCT1, ACCT2, RES1); Transitive Trust between the Windows Server 2003 domains]

Ensure Reliable DNS
- Upgrade DNS
  - Upgrade the server
  - Install a new server with Windows Server 2003 DNS
  - Update non-Microsoft DNS servers
- Minimize the impact of DNS upgrade
  - Use only native tools to manage DNS
  - Define master servers for DNS

Restructure Migration

Benefits Of Using The Active Directory Migration Tool
- Why use ADMT?
  - Analyzes the migration impact both before and after the actual migration process
  - Tests migration scenarios before you perform the migration
  - Supports migration within a forest and between forests
  - Provides wizards to support the most common migration tasks
- Migration tasks supported by ADMT
  - Migrating user, group, and computer accounts between domains
  - Performing security translation on local groups, user profiles, and file and print resources
  - Populating the SID-History attribute with migrated security principals
  - Translating security on computers
  - Resolving the related file, directory, and share security issues

ADMT User Migration Options
Option: Purpose
- Translate roaming profiles: Copies roaming profiles from the source domain to the target domain for the selected user accounts
- Update user rights: Sets the user rights assigned to the new user account in the target domain to be the same as the user rights of the original user account
- Migrate associated user groups: Migrates the user’s group at the same time as the user account
- Update previously migrated objects: Updates the groups of which the migrated user accounts are members
- Do not rename accounts: Tries to assign the migrated account the same name as the account in the source domain
- Rename with prefix: Adds the specified prefix to the name of each migrated account in the target domain
- Rename with suffix: Adds the specified suffix to the name of each migrated account in the target domain

ADMT Password Migration
Option: Purpose
- Complex passwords: Automatically generates a complex password for each migrated user account
- Same as user name: Sets the password for each copied user account to the first 14 characters of the user account name
- Migrate passwords: Maintains the user password during the account migration. You can use Password Encryption Service to migrate passwords by using the User Account Migration Wizard. It is not possible for any password filter to verify the password’s complexity or length because only a hash of the password exists in the source domain
- Location to store password file: Specifies a password file to which the assigned or generated passwords are written

Sequence For Collapsing Domains
1. Migrate the account domain
2. Migrate the resource domain
[Diagram labels: Source (AccountDomain, ResourceDomain, ResourceDomain); Target (OU, OU, OU)]

Moving Migrated Users Name Group Microsoft

Migrating Global Groups
Group Account Migration Wizard:
- Reads global group objects in the source domain
- Creates a new object in the target (with a new SID)
- Adds original SID to the SID-History attribute of the new object
- Logs events in source and target
[Diagram labels: Global Groups; Domain1, Domain2, Domain3 (Windows NT 4.0); Windows Server 2003 Domain; New Object; New SID; SID-History]

Group Migration Options
Option: Purpose
- Update user rights: Copies the user rights assigned in the source domain to the target domain
- Copy group members: Copies the members of the groups you selected to migrate
- Update previously migrated objects: Updates the members of the groups you selected to migrate
- Migrate group SIDs to target domain: Adds the SID of the migrated accounts in the source domain to the SID-History of the new accounts in the target domain
- Do not rename accounts: Tries to assign the migrated group the same name as the group in the source domain
- Rename with prefix: Adds the specified prefix to the name of each migrated group in the target domain
- Rename with suffix: Adds the specified suffix to the name of each migrated group in the target domain

Naming Conflicts Options
Option: Purpose
- Ignore conflicting accounts and don't migrate: Leaves the account in the target domain unchanged
- Replace conflicting accounts: Changes properties of existing accounts in the target domain to match the properties of the account with same name in the source domain
- Remove existing user rights: Ensures that the account in the target domain does not have more user rights than the account with the same name in the source domain
- Remove existing members of groups being replaced: Ensures that the members of the migrated groups in the target domain are the same as the members of the associated groups in the source domain
- Rename conflicting accounts by adding the following: Adds the specified prefix or suffix to the name of the migrated account in the target domain

Account Transition Options
Option: Purpose
- Disable source accounts: Disables the original user account in the source domain
- Disable target accounts: Disables the new user account in the target domain
- Leave both accounts open: Leaves both the existing account in the source domain and the new account in the target domain active
- Days until source account expires: Sets the number of days after which the source account will no longer be available
- Migrate user SIDs to target domain: Adds the SID of the migrated accounts in the source domain to the SID-History attribute of the new accounts in the target domain

Migrating Trusts
- When there is a delay in restructuring domains
- Manually create new trusts
- Migrate complex trusts
- The trust is external, non-transitive, and one-way
- No migration options, just migrate
[Diagram labels: Trusts; Domain1, Domain2, Domain3 (Windows NT 4.0); Windows Server 2003 Domain]

Migrating Service Accounts
- Identify service accounts
- Migrate service accounts
- Update the services to log on using the migrated accounts
[Diagram labels: Service Accounts (service1, service2, service3); Domain1, Domain2, Domain3 (Windows NT 4.0); Windows Server 2003 Domain]

Migrating Computer Accounts
- Computer accounts include workstations and member servers
- Workstations and member servers each have their own local SAM database
- Access granting accounts move automatically with computer accounts
[Diagram labels: Computer Accounts; SAM DBs; Domain1, Domain2, Domain3 (Windows NT 4.0); Windows Server 2003 Domain]

Migrating Local User Profiles
For workstations running:
- Windows NT 4.0
- Windows 2000
- Windows XP
[Diagram labels: User Profiles; Domain1, Domain2, Domain3 (Windows NT 4.0); Windows Server 2003 Domain]

Profile Migration Options
On this wizard page: Do this
- Translate Objects: Specify the type of objects for which you want ADMT to translate security
- Security Translation Options (1):
  - Select Previously migrated objects to retrieve previously migrated objects for security translation
  - Select Other objects specified in a file to retrieve objects that are specified in a file
- Security Translation Options (2):
  - Select Replace to exchange the SID for the account in the source domain with the SID for the account in the target domain
  - Select Add to include both the old SID and the new SID in the profile list registry key on the client computer running Windows NT 4.0
  - Select Remove to delete the SID for the account in the source domain

Migrating Shared Local Groups
- To ensure resource access after migration
- Migrate local groups to Windows Server 2003
- Upgrade the domain controller
- Move it to the same domain
- -or-
- Upgrade all domain controllers in the resource domain to Windows Server 2003
- Raise the domain functional level
- Change the group type to universal groups
[Diagram labels: Shared Local Groups; Domain1, Domain2, Domain3 (Windows NT 4.0); Windows Server 2003 Domain]

Reconfigure Shared Resource Permissions
- SID-History attribute maintains resource access
- Reconfigure to use new security identifiers
- Clear the SID-History attribute
- Decrease the size of access tokens
- Decrease logon time
- Increase environment performance
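How the Replace, Add and Remove translation choices relate to clearing SID-History, as an added example that is not part of the original presentation and is not ADMT code. It models ACLs as plain lists and applies the three modes to share ACLs as an assumption; every SID, account name and share path is constructed and the function names are hypothetical.

```python
# Added illustration: every SID, account name and share path here is constructed.
SRC = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed source (NT 4.0) domain SID
DST = "S-1-5-21-4444444444-5555555555-6666666666"  # constructed target domain SID
ADMINS = "S-1-5-32-544"                            # built-in Administrators, not migrated

SAMPLE_ACCOUNTS = {  # migrated accounts: new SID plus former SID kept in SID-History
    "mitch": {"sid": f"{DST}-1104", "sid_history": [f"{SRC}-1013"]},
    "sales": {"sid": f"{DST}-1105", "sid_history": [f"{SRC}-1020"]},
}
SAMPLE_ACLS = {      # resource -> list of (SID, right) entries, still untranslated
    r"\\fs1\docs": [(f"{SRC}-1013", "modify"), (f"{SRC}-1020", "read"), (ADMINS, "full")],
    r"\\fs1\sales": [(f"{SRC}-1020", "modify")],
}


def sid_map(accounts):
    """Map every former (source-domain) SID to the account's new SID."""
    return {old: a["sid"] for a in accounts.values() for old in a["sid_history"]}


def translate_acl(acl, mapping, mode):
    """Return a translated copy of acl using the 'add', 'replace' or 'remove' mode."""
    if mode not in ("add", "replace", "remove"):
        raise ValueError(f"unknown mode: {mode}")
    out = []
    for sid, right in acl:
        new = mapping.get(sid)
        if new is None:
            entries = [(sid, right)]                # not a migrated principal: keep
        elif mode == "add":
            entries = [(sid, right), (new, right)]  # old and new SID side by side
        elif mode == "replace":
            entries = [(new, right)]                # new SID takes over the entry
        else:
            entries = []                            # remove: drop the source SID
        for entry in entries:
            if entry not in out:                    # avoid duplicate entries
                out.append(entry)
    return out


def rights(account, acl):
    """Rights an account gets from acl: its token holds its SID and its SID-History."""
    token = {account["sid"], *account["sid_history"]}
    return {right for sid, right in acl if sid in token}


def loses_access_if_cleared(account, acls):
    """Resources where clearing SID-History would change the account's rights."""
    cleared = {"sid": account["sid"], "sid_history": []}
    return sorted(p for p, acl in acls.items()
                  if rights(cleared, acl) != rights(account, acl))


def safe_to_clear(accounts, acls):
    """Accounts whose access no longer depends on any SID-History value."""
    return sorted(n for n, a in accounts.items() if not loses_access_if_cleared(a, acls))


if __name__ == "__main__":
    mapping = sid_map(SAMPLE_ACCOUNTS)
    print("untranslated, safe to clear:", safe_to_clear(SAMPLE_ACCOUNTS, SAMPLE_ACLS))
    added = {p: translate_acl(a, mapping, "add") for p, a in SAMPLE_ACLS.items()}
    print("after Add, safe to clear:   ", safe_to_clear(SAMPLE_ACCOUNTS, added))
    final = {p: translate_acl(a, mapping, "remove") for p, a in added.items()}
    print("after Remove:", final)
```

In this model, Remove applied to an ACL that was never translated leaves the migrated account with no entry at all, so the order that preserves access is Add, verify, clear SID-History, then Remove.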

Maintain DNS Service During Restructure
- Match Active Directory domains to DNS domains
- Establish DNS in the Windows Server 2003 domain
- Make it primary for all AD domains
- Promote the DNS server to a Windows Server 2003 DC
- Change DNS zones to AD integrated
- Create new DNS domains to host SRV records
- Install DNS in the Windows Server 2003 domain
- Integrate it with existing DNS servers
- Move reverse lookup zones

Upgrade And Restructure Migration

Restructure After Upgrade
[Diagram labels: UPGRADE; RESTRUCTURE; Domain1, Domain2, Domain3; Windows NT 4.0; Windows Server 2003 Domain]

Migrate System Policies
- Effects of a domain upgrade
  - Group Policy is applied if a Windows Server 2003 domain controller authenticates client computers running Windows Server 2003
  - System policies are applied if a Windows NT 4.0 domain controller authenticates client computers running Windows Server 2003
  - System policies are applied if a user account or a computer account is located in a Windows NT 4.0 domain
  - Group Policy is applied if a user account or a computer account is located in a Windows Server 2003 domain
- Effects of a domain restructure
  - System policies from the source domain are not automatically processed by migrated client computers
  - System policies are applied if a user account or a computer account is located in a Windows NT 4.0 domain
  - Group Policy is applied if a user account or a computer account is located in a Windows Server 2003 domain

Migrate Logon Scripts
- Effects of a domain upgrade
  - User-based logon scripts stored in the NETLOGON shared folder are not affected
  - Client computers running Windows Server 2003 run any user-based logon scripts and any script assigned to the user account or computer account by using Group Policy if user-based logon scripts are stored in the NETLOGON shared folder
- Effects of a domain restructure
  - Logon scripts continue to process for cloned and moved user accounts if the logon scripts are migrated to the target domain
  - Logon scripts that are not migrated will not process for accounts that have been cloned or moved to a new domain

Print Server Consolidation: Customer Experience
Microsoft OTG
- Consolidated 32 NT4.0 Print Servers to 16 Windows 2000 Print Servers then reduced to 4 servers running Windows Server 2003
- Reduced administration time by 50 percent
- Higher performance and I/O throughput provides higher service levels at peak times
“Now that we’re running Windows Server 2003, the group who administers our print queues can maintain and monitor in about half the time,” Tomas Vetrovsky, Lead Program Manager of the Microsoft OTG.

Domain Server Consolidation: Customer Experience
GE Medical Systems
- Consolidated 70 autonomous NT4 domains to 4 Windows Server 2003 domains with Active Directory forest infrastructure
- Effective central management of 40,000 users through the implementation of enterprise-wide standards and policies
- Distribute and roll out updates and patches faster, with less overhead
- 20% reduction in the number of servers
“With Windows Server 2003, we’re building a more automated, robust system that is more secure, stable, and manageable” Ron Brahm, Global Infrastructure Program Manager.

Call To Action
1. Make the move to Windows Server 2003 – Do More with Less
2. Evaluate Windows Server 2003 and see the benefits it can provide in your enterprise
3. Contact Microsoft and its Partners and leverage them to assist in your deployment and migration projects

More Information
- Windows Server 2003 Website at Microsoft.com
- Top 10 Reasons to move to Windows Server technologies/security
- Top 10 Features of Windows Server 2003 for Organizations Upgrading from Windows NT Server evaluation/whyupgrade/top10nt.mspx

Microsoft Press Information Introducing Microsoft Windows Server 2003 ( ) Available now Migrating from Microsoft Windows NT Server 4.0 to Microsoft Windows Server 2003 ( ) June 2003

MCSE Official Curriculum and Courses
- MCSA/MCSE Self-Paced Training Kit (Exam /70-296): Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 Environment for MCSAs and MCSEs Certified on Microsoft Windows 2000 (ISBN TBD) Q4CY03
- Available Today:
  - Course 2270: Updating Support Skills from Microsoft Windows NT 4.0 to the Microsoft Windows Server 2003 Family (Beta)
  - Course 2283: Migrating from Microsoft Windows NT 4.0 to Microsoft Windows Server 2003 (Beta)
- Available Soon:
  - Course 2208: Updating Support Skills from Microsoft Windows NT 4.0 to Microsoft Windows Server 2003 (August)
  - Workshop 2209: Updating Systems Administrator Skills from Microsoft Windows 2000 to Microsoft Windows Server 2003 (May)
  - Workshop 2210: Updating Systems Engineer Skills from Microsoft Windows 2000 to Microsoft Windows Server 2003 (June)

Do More With Less

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.