DEP313 Active Directory Restructuring with ADMT v-2

Presentation transcript:

DEP313 Active Directory Restructuring with ADMT v-2
Lothar Zeitler, Snr. Consultant, Microsoft Services Germany
TechEd 2002

Agenda
- Restructuring scenarios
- ADMT v-2
- Restructuring process
- Inter-Forest migration
- Intra-Forest migration
- Summary

What is Restructuring
- Process that moves users between domains
  - Domains can be in different forests or in the same forest
  - Single users, an organizational unit or an entire domain
- Includes moving additional objects with the users
  - Groups needed to access resources
  - Workstations
  - Resource servers

Restructuring Scenarios
- Mergers and Acquisitions / Spin-offs: a one-off project
- Multi-forest deployments: user moves happen on a regular basis
- Collapsing domains to reduce the number of domains, e.g. after a network upgrade

Inter-forest vs. Intra-forest (diagram: Source, Forest Boundary, Target)
- Intra-forest: Active Directory Migration Tool
- Inter-forest: Active Directory Migration Tool

Restructuring: Alternative Solutions
- Multi-forest deployment
  - Two or more forests with user accounts and resources
  - Resource access through trust relationships
  - GC synchronization through MMS
  - Separate or unified DNS namespace
- Easier with Windows 2003
  - Cross-forest trusts
  - Kerberos between forests
  - UPN routing
  - DNS: conditional forwarding
- Synchronized Exchange forests
  - Exchange resource forest
  - Migrate Exchange mailboxes only

Restructuring vs. Multi-Forest
- Reasons for restructuring
  - M&A: IT of acquired company fully integrated
    - Long-term acquisition
    - High level of collaboration required
  - Spin-off from single forest deployment
  - Lowering TCO for AD deployment
- Reasons for multi-forest deployment
  - Independent IT organizations
  - M&A: results in independent business unit
    - Acquisition might not be long term
    - Collaboration might be restricted to messaging and calendaring
  - Avoid higher cost attached to restructuring
- Review Chapter 2 of the Windows 2003 Deployment Kit

Business Goals for Restructuring
- No service impact
- Little end user impact
- Roll-back plan
- Low TCO for the restructuring operation

ADMT v-2 Overview
- Single tool to perform all migration operations
  - User, group, computer moves
  - Security translations
  - Profile translations
- Multiple user interfaces
  - Graphical wizards
  - Scripting interface
  - Command line interface
- Password migration
- New delegation model
- Attribute exclusion list
- SID mapping file for security translations
- And many more…

User Migration – Background
- User Security ID (SID) tied to domain
- SID used to grant access to resources
- Most resource access happens through group memberships
  - User accounts grouped in Global Groups
  - Local Groups protect resources
  - Global Groups added to Local Groups to grant access rights to the resource
  - Local Groups store SIDs of Global Groups
- Business goal: preserve user access to resources
  - SID history accomplishes this
  - SIDs need to be migrated for users and groups

How sIDHistory Works (diagram)
- Domains: HB-ACCT-ROW (source), hb-acct.hay-buv.tld (target), HB-RESWC (resource domain; members HB-RESWC-MEM and HB-RESWC-WS1)
- Hb-acct\Bob is the migrated HB-ACCT-ROW\Bob; sIDHistory: HB-ACCT-ROW\Bob
- Bob's access token on HB-RES-MEM: User: hb-acct\Bob SID; Groups: HB-ACCT-ROW\Bob (from sIDHistory), HB-RES-MEM\TechEditors SID
- HB-RESWC-MEM\TechEditors members: HB-ACCT-ROW\Bob
- \\HB-RESWC-MEM\Online-Docs: TechEditors: FA; file Bob-Outlines.txt – only Bob has access

User Moves: Profiles
- Local profiles
- Roaming profiles
- Options for profile management
  - Unmanaged
  - Migrate local profiles
  - Combine migration with hardware refresh

Migration Scenario (diagram)
- Starfleet forest: Starfleet.com, DS9.Starfleet.com, SanFrancisco.Starfleet.com
- Delta Quadrant forest: DeltaQ.com, Voyager.DeltaQ.com
- Step 1: Create target domains
- Step 2: Migrate users and resources
- Step 3: Decommission source domains / forest

Demo: User Migration with SID History

SID Filtering
- Risk
  - Trusted domain DC returns SIDs during authentication
  - Trusting domain DC accepts all SIDs
  - Cannot check that SIDs are legitimate
- Attack needs
  - Service admin rights in trusted forest, or
  - Physical access to a domain controller in the trusted forest
- Solution: SID filtering
  - System builds an authoritative list of domain SIDs
  - Authentication: fail authN if the user's account domain is NOT in the list; remove SIDs not relative to the list
  - Configurable on all trust relationships
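A small model of the two preceding slides, added here and not part of the deck: the SIDs the account domain returns for Bob (primary SID plus sIDHistory), how the resource domain's local group turns the old SID into access, and what SID filtering on the trust removes. Domain SIDs, RIDs and the ACL entries are constructed; the domain and resource names are the deck's.

```python
from collections import namedtuple

# Constructed domain SIDs standing in for the deck's domains (not real values).
OLD_DOM = "S-1-5-21-1111"   # HB-ACCT-ROW, the source domain
NEW_DOM = "S-1-5-21-2222"   # hb-acct, the target domain

Account = namedtuple("Account", "sid sid_history groups")

def domain_of(sid):
    """Domain SID is the account SID without its trailing RID."""
    return sid.rsplit("-", 1)[0]

def account_domain_sids(acct):
    """SIDs the trusted (account) domain DC returns at authentication:
    the primary SID, every sIDHistory entry and the global group SIDs."""
    return {acct.sid, *acct.sid_history, *acct.groups}

def authenticate(acct, trusted_domains, local_groups, filtering=True):
    """Trusting side. With SID filtering on: fail authN if the account domain
    is not in the authoritative list, then drop SIDs of any other domain
    (sIDHistory included) before local group memberships are added."""
    sids = account_domain_sids(acct)
    if filtering:
        if domain_of(acct.sid) not in trusted_domains:
            return None                     # authN fails
        sids = {s for s in sids if domain_of(s) in trusted_domains}
    for lg_sid, members in local_groups.items():
        if sids & members:                  # some token SID is a member
            sids.add(lg_sid)
    return sids

def can_access(token, acl):
    """ACL modelled as {SID: 'FA'}; any matching token SID grants access."""
    return any(acl.get(s) == "FA" for s in token)

# Bob after migration: new SID, old SID kept in sIDHistory (constructed).
BOB = Account(f"{NEW_DOM}-1001", [f"{OLD_DOM}-1001"], [])
TECH_EDITORS = "S-1-5-21-3333-1100"                # HB-RESWC-MEM\TechEditors
LOCAL_GROUPS = {TECH_EDITORS: {f"{OLD_DOM}-1001"}}   # still lists the old SID
ONLINE_DOCS_ACL = {TECH_EDITORS: "FA"}               # \\HB-RESWC-MEM\Online-Docs
BOB_OUTLINES_ACL = {f"{OLD_DOM}-1001": "FA"}         # Bob-Outlines.txt: only Bob

def bob_access(filtering):
    """(Online-Docs reachable?, Bob-Outlines.txt reachable?) for Bob."""
    tok = authenticate(BOB, {NEW_DOM}, LOCAL_GROUPS, filtering)
    return can_access(tok, ONLINE_DOCS_ACL), can_access(tok, BOB_OUTLINES_ACL)
```

With filtering off Bob keeps both resources through the old SID; with filtering on the sIDHistory SID never reaches the resource domain, which is exactly the migration problem the next slides address.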

When to use SID Filtering
- Steady-state multi-forest deployment
  - If the reason for the multi-forest deployment is data or service isolation, use SID Filtering
  - If the forests are managed by the same administrators, or DCs are located in the same locations, SID Filtering does not provide additional value
- Mergers and Acquisitions
  - Usually admin staff from one forest takes over the other forest
  - No more requirement for security isolation
  - No need for SID Filtering

Migration And SID Filtering (diagram)
- Fabrikam, Inc.: corp.fabrikam.com, mf.corp.fabrikam.com, rd.corp.fabrikam.com
- Contoso, Ltd.: corp.contoso.com, na.corp.contoso.com, ap.contoso.corp.com, jpn.ap.contoso.corp.com
- SIDHistory filtered
- Solution 1: Disable SID filtering on the cross-forest trust
- Solution 2: External trust
- Solution 3: Perform security translation on the resource
- Solution 4: Migrate resources with users (closed set)

Demo: Migration with SID Filtering

Process for Large Scale Migrations
- Large migrations require planning
- Special care for local profile migration
  - Users should not log on with the new account before the local profile is migrated
  - Workstation should be in the same domain as the user
  - Smartcard logons, wireless networks
- Synchronize group policies
  - Application deployment
  - Client side caching

Restructuring Process – Inter Forest
(process diagram slides; the transcript captures only their titles)
- Migrating Users without SID Filtering between Forests
- Migrating Users with SID Filtering between Forests

Intra Forest Restructuring
- Example: reducing the number of domains in a forest
- Different from Inter Forest restructuring
  - Object moved instead of copied
  - Different APIs used
    - Inter-forest: new object is created
    - Intra-forest: LDAP_move() replicates the object

Restructure Comparison: Inter-forest vs. Intra-forest
- Inter-forest migration is like object cloning
  - Non-destructive
  - Source object still exists = fallback
  - Incremental migration straightforward
  - Preserves old SID in sIDHistory
  - Doesn't preserve GUID (Windows 2000, XP)
  - Multiple security principals with the same SID

Restructure Comparison: Inter-forest vs. Intra-forest
- Intra-forest migration is like an object move
  - Destructive
  - Source object moved = no fallback
  - Incremental migration hard (closed sets)
  - Preserves old SID in sIDHistory
  - Preserves GUID
  - Unique SID

Restructure Considerations: Intra-forest
- Closed sets
  - Resource access granted through groups: User -> GG -> LG -> resource
  - Users and Global Groups must be in the same domain
  - Resources and local groups must be in the same domain
- Migration tools support the scenario
  - ADMT automatically changes a Global Group to a Universal Group if members are in different domains
  - The Universal Group is automatically migrated back to a Global Group once all members are in the target domain
  - Permissions on resources can be translated if the resource and local group cannot be migrated together
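The closed-set rules above as a planning helper, added here and not ADMT's or the deck's code: it computes which users and Global Groups must move together, which resources and local groups must move together, and which Global Groups would be left with members on both sides (the case ADMT handles by switching them to Universal). The directory data is constructed.

```python
from collections import deque

# Constructed sample directory following the deck's chain
# User -> Global Group (GG) -> Local Group (LG) -> resource.
GG_MEMBERS = {"GG-Sales": {"alice", "bob"}, "GG-Eng": {"carol"}}
SALES, WIKI = r"\\srv1\sales", r"\\srv2\wiki"
ACLS = {SALES: {"LG-SalesShare"}, WIKI: {"LG-Wiki", "LG-SalesShare"}}

def _closure(start, neighbours):
    """Breadth-first closure over an undirected relation."""
    seen, queue = set(start), deque(start)
    while queue:
        for n in neighbours(queue.popleft()) - seen:
            seen.add(n)
            queue.append(n)
    return seen

def user_closed_set(users):
    """Users and the GGs they belong to must end up in the same domain, so
    the closure over user<->GG membership is what has to move together."""
    def nb(obj):
        if obj in GG_MEMBERS:
            return GG_MEMBERS[obj]
        return {g for g, m in GG_MEMBERS.items() if obj in m}
    return _closure(users, nb)

def resource_closed_set(resources):
    """Resources and the LGs on their ACLs must likewise stay together."""
    def nb(obj):
        if obj in ACLS:
            return ACLS[obj]
        return {r for r, lgs in ACLS.items() if obj in lgs}
    return _closure(resources, nb)

def groups_needing_universal(moved_users):
    """GGs whose members are split across source and target after moving
    only moved_users: ADMT switches these to Universal until the rest follow."""
    return {g for g, m in GG_MEMBERS.items()
            if m & moved_users and m - moved_users}
```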

Demo: Intra-Forest Migration

Restructuring Process – Intra-Forest
(process diagram slides; the transcript captures only their titles)

Summary
- Evaluate options in M&A scenarios: restructure or multi-forest
- ADMT v-2 supports all restructuring tasks
- Inter-forest restructuring has easier fall-back
- Processes for large-scale restructurings are documented in the Windows 2003 Deployment Kit
- ADMT v-2 on the Windows 2003 CD; web download: http://www.microsoft.com/downloads/details.aspx?FamilyID=788975b1-5849-4707-9817-8c9773c25c6c&DisplayLang=en

Community Resources
- Community Resources: http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
- Newsgroups: converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
- User Groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx

Evaluations

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.