DEP313: Active Directory Restructuring with ADMT v2
Lothar Zeitler, Sr. Consultant, Microsoft Services Germany
TechEd 2002
Agenda
- Restructuring scenarios
- ADMT v2
- Restructuring process
  - Inter-forest migration
  - Intra-forest migration
- Summary
What is Restructuring?
- A process that moves users between domains
  - The domains can be in different forests or in the same forest
  - Scope: single users, an organizational unit, or an entire domain
- Includes moving the additional objects the users depend on
  - Groups needed to access resources
  - Workstations
  - Resource servers
Restructuring Scenarios
- Mergers and acquisitions / spin-offs: a one-off project
- Multi-forest deployments: user moves happen on a regular basis
- Collapsing domains to reduce the number of domains, e.g. after a network upgrade
Inter-forest vs. Intra-forest
(diagram: source domain, forest boundary, target domain)
- Intra-forest: source and target domain are in the same forest; handled by the Active Directory Migration Tool
- Inter-forest: source and target domain are in different forests, i.e. the move crosses the forest boundary; also handled by the Active Directory Migration Tool
Restructuring: Alternative Solutions
- Multi-forest deployment
  - Two or more forests, each with its own user accounts and resources
  - Resource access through trust relationships
  - GC synchronization through MMS (Microsoft Metadirectory Services)
  - Separate or unified DNS namespace
- Easier with Windows 2003
  - Cross-forest trusts: Kerberos between forests
  - UPN routing
  - DNS: conditional forwarding
- Synchronized Exchange forests
  - Exchange resource forest
  - Migrate Exchange mailboxes only
Restructuring vs. Multi-Forest
- Reasons for restructuring
  - M&A: the IT of the acquired company is fully integrated
  - Long-term acquisition
  - High level of collaboration required
  - Spin-off from a single-forest deployment
  - Lowering the TCO of the AD deployment
- Reasons for a multi-forest deployment
  - Independent IT organizations
  - M&A that results in an independent business unit
  - The acquisition might not be long term
  - Collaboration might be restricted to messaging and calendaring
  - Avoid the higher cost attached to restructuring
- Review Chapter 2 of the Windows 2003 Deployment Kit
Business Goals for Restructuring
- No service impact
- Little end-user impact
- Roll-back plan
- Low TCO for the restructuring operation
ADMT v2 Overview
- Single tool to perform all migration operations
  - User, group and computer moves
  - Security translations
  - Profile translations
- Multiple user interfaces
  - Graphical wizards
  - Scripting interface
  - Command line interface
- Password migration
- New delegation model
- Attribute exclusion list
- SID mapping file for security translations
- And many more...
User Migration – Background
- A user's security ID (SID) is tied to the domain that issued it
- SIDs are what grant access to resources
- Most resource access happens through group memberships
  - User accounts are grouped in global groups
  - Local groups protect resources
  - Global groups are added to local groups to grant access rights to the resource
  - Local groups therefore store the SIDs of global groups (and of any users added directly)
- Business goal: preserve user access to resources
  - sIDHistory accomplishes this
  - SIDs need to be migrated for users and for groups
How sIDHistory Works
(diagram: Bob's account is migrated from the domain HB-ACCT-ROW to hb-acct.hay-buv.tld; the resource domain HB-RESWC contains the member server HB-RESWC-MEM and the workstation HB-RESWC-WS1)
- New account: hb-acct\Bob, with sIDHistory = SID of HB-ACCT-ROW\Bob
- Bob's access token on HB-RESWC-MEM
  - User: hb-acct\Bob
  - SID groups: HB-ACCT-ROW\Bob (from sIDHistory), HB-RESWC-MEM\TechEditors
- \\HB-RESWC-MEM\Online-Docs: TechEditors have full access (FA)
  - HB-RESWC-MEM\TechEditors members: HB-ACCT-ROW\Bob, i.e. the old SID
  - File Bob-Outlines.txt: only Bob (HB-ACCT-ROW\Bob) has access
- Because the old SID is still present in the token, both the group membership and the direct ACE that reference it keep working after the move
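The mechanism on this slide as an added, runnable model (this is example code, not code from the deck or from ADMT): a resource server builds Bob's token from his new SID plus every sIDHistory SID, and the local group and the file ACE still name the old SID. The domain and group names follow the slide; the numeric domain SIDs, RIDs and ACLs are constructed for the example.

```python
"""Added example (not from the TechEd deck or ADMT): why an inter-forest
migration with SID history preserves Bob's access to HB-RESWC resources."""
from dataclasses import dataclass, field

# Constructed domain SIDs: names from the slide, numbers invented.
HB_ACCT_ROW = "S-1-5-21-1000-1000-1000"   # old account domain (source forest)
HB_ACCT = "S-1-5-21-2000-2000-2000"       # new account domain (target forest)
HB_RESWC = "S-1-5-21-3000-3000-3000"      # resource domain, still trusts the old forest


@dataclass
class Account:
    name: str
    sid: str
    sid_history: list[str] = field(default_factory=list)


@dataclass
class DomainLocalGroup:
    sid: str
    members: set[str]          # member SIDs as stored in the resource domain


def migrate_user(src: Account, target_domain: str, new_rid: int, sid_history: bool) -> Account:
    """Inter-forest migration clones the account: it gets a fresh SID in the
    target domain; with SID history enabled the old SID(s) ride along."""
    history = [src.sid, *src.sid_history] if sid_history else []
    return Account(src.name, f"{target_domain}-{new_rid}", history)


def build_token(user: Account, local_groups: list[DomainLocalGroup]) -> set[str]:
    """SIDs in the access token a resource server builds: the primary SID,
    every sIDHistory SID, and every local group containing any of them.
    The group's membership list still names the OLD SID, which is exactly
    why sIDHistory matters."""
    token = {user.sid, *user.sid_history}
    for group in local_groups:
        if token & group.members:
            token.add(group.sid)
    return token


def access_allowed(token: set[str], acl: dict[str, str], right: str) -> bool:
    """ACL maps trustee SID -> rights string; "FA" (full access) grants everything."""
    return any(trustee in token and (rights == "FA" or right in rights)
               for trustee, rights in acl.items())


def bob_access(sid_history: bool) -> dict[str, bool]:
    """Migrate HB-ACCT-ROW\\Bob to hb-acct and re-check the two resources from the slide."""
    bob_old = Account("Bob", f"{HB_ACCT_ROW}-1105")
    tech_editors = DomainLocalGroup(f"{HB_RESWC}-1300", {bob_old.sid})
    online_docs_share = {tech_editors.sid: "FA"}     # \\HB-RESWC-MEM\Online-Docs
    bob_outlines_file = {bob_old.sid: "FA"}          # Bob-Outlines.txt: only Bob

    bob_new = migrate_user(bob_old, HB_ACCT, new_rid=1200, sid_history=sid_history)
    token = build_token(bob_new, [tech_editors])
    return {
        "share_via_group": access_allowed(token, online_docs_share, "R"),
        "file_via_direct_ace": access_allowed(token, bob_outlines_file, "R"),
    }


if __name__ == "__main__":
    print("without SID history:", bob_access(False))   # both False
    print("with SID history:   ", bob_access(True))    # both True
```

Without sIDHistory the cloned account is a stranger to the resource domain: neither the TechEditors membership nor the direct ACE on Bob-Outlines.txt matches, which is the access loss that ADMT's SID history migration (or, failing that, security translation) is meant to avoid.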
User Moves: Profiles
- Local profiles
- Roaming profiles
- Options for profile management
  - Unmanaged
  - Migrate local profiles
  - Combine the migration with a hardware refresh
Migration Scenario
(diagram: two forests, Starfleet and Delta Quadrant; Starfleet.com with the child domains DS9.Starfleet.com and SanFrancisco.Starfleet.com, DeltaQ.com with the child domain Voyager.DeltaQ.com)
- Step 1: Create the target domains
- Step 2: Migrate users and resources
- Step 3: Decommission the source domains / forest
Demo: User Migration with SID History
SID Filtering
- Risk
  - The trusted domain's DC returns the user's SIDs (including sIDHistory) during authentication
  - The trusting domain's DC accepts all of them; it cannot check that the SIDs are legitimate
- What the attack needs
  - Service admin rights in the trusted forest, or
  - Physical access to a domain controller in the trusted forest
  - Either one lets an attacker put arbitrary SIDs, e.g. a privileged group of the trusting forest, into an account's sIDHistory
- Solution: SID filtering
  - The system builds an authoritative list of the domain SIDs of the trusted forest
  - Authentication: fail the logon if the user's account domain is NOT in the list
  - Remove every SID that is not relative to a domain in the list
  - Configurable on all trust relationships
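The filtering rule above, plus the two things it does to a token, as an added example (example code, not from the deck or from Windows): an injected Domain Admins SID of the trusting forest is stripped, and so is a legitimate sIDHistory SID from a third domain that is not part of the trusted forest, which is the migration problem the next slides address. The model is simplified: it only considers domain SIDs (S-1-5-21-...), treats the trusted forest's domain-SID list as given, and ignores well-known SIDs, which the trusting side adds itself. Domain SIDs and RIDs are constructed; RID 512 (Domain Admins) and 513 (Domain Users) are the real well-known RIDs.

```python
"""Added example (not from the TechEd deck): SID filtering on a trust."""

# Constructed domain SIDs; the domain names follow the slides.
CORP_CONTOSO = "S-1-5-21-100-100-100"      # trusted forest root
NA_CORP_CONTOSO = "S-1-5-21-101-101-101"   # trusted forest child domain
CORP_FABRIKAM = "S-1-5-21-200-200-200"     # trusting forest (owns the resources)
HB_ACCT_ROW = "S-1-5-21-300-300-300"       # a third domain a user was migrated from

# Authoritative list of domain SIDs the trusting side keeps for the trusted forest.
CONTOSO_FOREST = {CORP_CONTOSO, NA_CORP_CONTOSO}


def domain_of(sid: str) -> str:
    """Domain part of an account or group SID: everything before the RID."""
    return sid.rsplit("-", 1)[0]


def filter_trust_sids(account_sid: str, pac_sids: list[str],
                      trusted_domains: set[str], enabled: bool = True) -> list[str]:
    """What the trusting DC does with the SIDs the trusted DC returned.
    Rule 1: the account itself must come from a domain in the list, or the
    logon fails.  Rule 2: every SID not relative to a listed domain is dropped."""
    if not enabled:                         # "Solution 1": filtering disabled on the trust
        return list(pac_sids)
    if domain_of(account_sid) not in trusted_domains:
        raise PermissionError(f"logon rejected: {account_sid} is not from the trusted forest")
    return [s for s in pac_sids if domain_of(s) in trusted_domains]


def logon_accepted(account_sid: str, trusted_domains: set[str]) -> bool:
    """True if the trusting DC would accept a logon for this account at all."""
    try:
        filter_trust_sids(account_sid, [account_sid], trusted_domains)
        return True
    except PermissionError:
        return False


def scenarios() -> dict[str, list[str]]:
    """Two constructed logons across the Contoso -> Fabrikam trust."""
    # A Contoso service admin injected Fabrikam's Domain Admins SID into sIDHistory.
    rogue_admin = f"{NA_CORP_CONTOSO}-1500"
    injected_pac = [rogue_admin, f"{NA_CORP_CONTOSO}-513", f"{CORP_FABRIKAM}-512"]

    # Bob was migrated into na.corp.contoso.com and carries his old HB-ACCT-ROW SID.
    bob = f"{NA_CORP_CONTOSO}-1200"
    bob_pac = [bob, f"{NA_CORP_CONTOSO}-513", f"{HB_ACCT_ROW}-1105"]

    return {
        "attack_filtered": filter_trust_sids(rogue_admin, injected_pac, CONTOSO_FOREST),
        "migrated_bob_filtered": filter_trust_sids(bob, bob_pac, CONTOSO_FOREST),
        "migrated_bob_unfiltered": filter_trust_sids(bob, bob_pac, CONTOSO_FOREST, enabled=False),
    }


if __name__ == "__main__":
    for name, sids in scenarios().items():
        print(f"{name}: {sids}")
    print("HB-ACCT-ROW user logon accepted:", logon_accepted(f"{HB_ACCT_ROW}-1105", CONTOSO_FOREST))
```

The same rule that drops the forged S-1-5-21-200-200-200-512 also drops Bob's genuine S-1-5-21-300-300-300-1105, so a filtered trust breaks sIDHistory-based access for migrated users; that trade-off is what the four solutions on the "Migration and SID Filtering" slide are about.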
When to Use SID Filtering
- Steady-state multi-forest deployment
  - If the reason for the multi-forest deployment is data or service isolation, use SID filtering
  - If the forests are managed by the same administrators, or the DCs are located in the same locations, SID filtering does not provide additional value
- Mergers and acquisitions
  - Usually the admin staff of one forest takes over the other forest
  - No remaining requirement for security isolation, so no need for SID filtering
Migration and SID Filtering
(diagram: Fabrikam, Inc. forest corp.fabrikam.com with the child domains mf.corp.fabrikam.com and rd.corp.fabrikam.com; Contoso, Ltd. forest corp.contoso.com with na.corp.contoso.com, ap.corp.contoso.com and jpn.ap.corp.contoso.com; a cross-forest trust between them on which sIDHistory is filtered)
- Problem: users migrated into one forest carry sIDHistory SIDs from domains that are not in the other forest's trusted-domain list, so the trusting DC strips them and access through the old SIDs is lost
- Solution 1: Disable SID filtering on the cross-forest trust
- Solution 2: Use an external trust
- Solution 3: Perform security translation on the resource
- Solution 4: Migrate the resources together with the users (closed set)
Demo: Migration with SID Filtering
Process for Large-Scale Migrations
- Large migrations require planning
- Special care for local profile migration
  - Users should not log on with the new account before the local profile is migrated
  - The workstation should be in the same domain as the user
- Smartcard logons, wireless networks
- Synchronize group policies
  - Application deployment
  - Client side caching
Restructuring Process – Inter-Forest
(process diagram slides)
- Migrating users without SID filtering between forests
- Migrating users with SID filtering between forests
Intra-Forest Restructuring
- Example: reducing the number of domains in a forest
- Different from inter-forest restructuring
  - The object is moved instead of copied
  - Different APIs are used
    - Inter-forest: a new object is created in the target domain
    - Intra-forest: an LDAP cross-domain move relocates the existing object to the target domain
Restructure Comparison: Inter-forest vs. Intra-forest

                        Inter-forest (object clone)                Intra-forest (object move)
Source object           Still exists; non-destructive              Moved away; destructive
Fallback                Source object is the fallback              No fallback
Incremental migration   Straightforward                            Hard (closed sets)
Old SID                 Preserved in sIDHistory                    Preserved in sIDHistory
GUID                    Not preserved (Windows 2000, XP)           Preserved
SID uniqueness          Two security principals carry the same     Unique SID
                        SID (source primary SID and target
                        sIDHistory)
Restructure Considerations – Intra-Forest
- Closed sets
  - Resource access is granted through groups: user -> global group (GG) -> local group (LG) -> resource
  - Users and the global groups they belong to must be in the same domain
  - Resources and the local groups used on their ACLs must be in the same domain
- Migration tool support for this scenario
  - ADMT automatically changes a global group to a universal group if its members end up in different domains
  - The universal group is automatically changed back to a global group once all members are in the target domain
  - Permissions on resources can be translated if the resource and the local group cannot be migrated together
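Closed-set planning for an intra-forest move as an added example (example code, not ADMT's own logic): starting from a few seed users, collect every global group they belong to and every user in those groups until nothing changes, do the same for resource servers and the domain local groups on their ACLs, and report which global groups would end up with members on both sides if a batch is moved without its closed set. The users, groups and servers are constructed sample data; group-to-resource links are simplified to "server uses this local group somewhere in its ACLs".

```python
"""Added example (not from the TechEd deck or ADMT): closed sets for an
intra-forest restructuring, with constructed sample data."""

# Constructed sample data.
GLOBAL_GROUPS = {              # global group -> member users
    "GG-Engineering": {"alice", "bob"},
    "GG-TechEditors": {"bob", "carol"},
    "GG-Finance": {"dave"},
}
RESOURCES = {                  # server -> domain local groups used in its ACLs
    "DOCSRV01": {"LG-Docs-Change", "LG-Src-Read"},
    "SRCSRV01": {"LG-Src-Read"},
    "FINSRV01": {"LG-Ledger-Read"},
}


def user_closed_set(seed_users: set[str], gg_members: dict[str, set[str]] = GLOBAL_GROUPS):
    """Users and global groups that must move together: a GG and all its
    members have to sit in the same domain, so follow user -> GG -> user
    links to a fixpoint.  Returns (users, global_groups)."""
    users, groups = set(seed_users), set()
    changed = True
    while changed:
        changed = False
        for gg, members in gg_members.items():
            if gg not in groups and members & users:
                groups.add(gg)
                users |= members
                changed = True
    return users, groups


def resource_closed_set(seed_servers: set[str], resources: dict[str, set[str]] = RESOURCES):
    """Servers and domain local groups that must move together: a server
    and the LGs on its ACLs share a domain, and an LG drags along every
    other server that uses it.  Returns (servers, local_groups)."""
    servers, lgs = set(seed_servers), set()
    changed = True
    while changed:
        changed = False
        for server, used in resources.items():
            if server in servers and not used <= lgs:
                lgs |= used
                changed = True
            elif server not in servers and used & lgs:
                servers.add(server)
                changed = True
    return servers, lgs


def groups_needing_universal(moved_users: set[str], gg_members: dict[str, set[str]] = GLOBAL_GROUPS) -> set[str]:
    """Global groups that would have members in both the source and the
    target domain if only `moved_users` were moved.  ADMT converts these to
    universal groups and back to global once every member has arrived."""
    moved = set(moved_users)
    return {gg for gg, members in gg_members.items() if members & moved and members - moved}


if __name__ == "__main__":
    print("closed set for alice:", user_closed_set({"alice"}))
    print("move only alice ->", groups_needing_universal({"alice"}), "become universal")
    print("closed set for DOCSRV01:", resource_closed_set({"DOCSRV01"}))
```

Moving alice on her own is exactly the situation the slide describes: GG-Engineering would span two domains, so ADMT turns it into a universal group until bob follows; moving dave (and GG-Finance) or the whole alice/bob/carol set leaves no group split. For servers, DOCSRV01 cannot be moved without SRCSRV01 because both rely on LG-Src-Read, unless the permissions on one of them are translated instead.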
Demo: Intra-Forest Migration
Restructuring Process – Intra-Forest
(process diagram slides)
Summary
- Evaluate the options in M&A scenarios: restructure or multi-forest
- ADMT v2 supports all restructuring tasks
- Inter-forest restructuring has the easier fall-back
- Processes for large-scale restructurings are documented in the Windows 2003 Deployment Kit
- ADMT v2 is on the Windows 2003 CD and available as a web download:
  http://www.microsoft.com/downloads/details.aspx?FamilyID=788975b1-5849-4707-9817-8c9773c25c6c&DisplayLang=en
Community Resources
- Community Resources: http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
- Newsgroups (converse online with Microsoft newsgroups, including worldwide): http://www.microsoft.com/communities/newsgroups/default.mspx
- User Groups (meet and learn with your peers): http://www.microsoft.com/communities/usergroups/default.mspx
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.