Integration and Migration: Making the Move to Windows Server 2003 Michael Leworthy Windows Server Product Manager Microsoft Australia.

Agenda ► Client Integration with Windows Server 2003 ► Update on Functional Levels ► Windows NT 4.0 to Windows Server 2003 upgrade ► Windows 2000 Server to Windows Server 2003 upgrade ► Domain restructuring with ADMT v2

Clients And Windows Server 2003 ► Security improvements change the default behaviour of Windows Server 2003 domain controllers ► SMB signing and secure channel signing/encryption are enforced by default ► Adjustments needed for older clients ► Windows NT 4.0 SP4 and later, Windows 2000 and Windows XP clients work without adjustments ► Windows 95 and Windows NT 4.0 pre-SP4 clients require changes; either ► Disable enforcement of SMB signing and secure channel encryption on the DCs, or ► Install the DS Client and/or the service pack on the clients ► Disabling enforcement on the DCs removes that protection for every client, not only the legacy ones, so prefer the client-side fix and re-enable enforcement once the legacy clients are gone ► Fully documented in the Windows Server 2003 Deployment Kit
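The following is an added example, not part of the deck. It reads the registry values behind the two enforcement policies the slide refers to on a Windows Server 2003 domain controller, so you can see what Windows 95 and NT 4.0 pre-SP4 clients will hit before deciding between relaxing the DC and fixing the clients. The registry paths, value names and policy names are the documented ones; running it remotely via Invoke-Command is an assumption about your environment. It only reads; if you do relax a setting, do it in the Default Domain Controllers Policy rather than the registry, because that GPO rewrites these values on every refresh.

```powershell
# Added example (not from the deck). Reports the registry values behind the
# Windows Server 2003 DC defaults that break Win95 and NT 4.0 pre-SP4 clients.
# Run on the DC as a local administrator (or wrap the function in Invoke-Command).

$EnforcementChecks = @(
    [pscustomobject]@{
        Policy = 'Microsoft network server: Digitally sign communications (always)'
        Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Name   = 'RequireSecuritySignature'
    }
    [pscustomobject]@{
        Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
        Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Name   = 'RequireSignOrSeal'
    }
    [pscustomobject]@{
        Policy = 'Domain member: Require strong (Windows 2000 or later) session key'
        Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Name   = 'RequireStrongKey'
    }
)

function Get-LegacyClientEnforcement {
    foreach ($check in $EnforcementChecks) {
        # A missing value is reported as $null ("not set"); on a Windows Server 2003
        # DC the Default Domain Controllers Policy normally writes 1 here.
        $item  = Get-ItemProperty -Path $check.Key -Name $check.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.($check.Name) } else { $null }
        [pscustomobject]@{
            Policy   = $check.Policy
            Value    = $value
            Enforced = ($value -eq 1)
        }
    }
}

$report = Get-LegacyClientEnforcement
$report | Format-Table -AutoSize

if ($report | Where-Object { $_.Enforced }) {
    Write-Host 'Win95 and NT 4.0 pre-SP4 clients will fail against this DC until they get the DS Client / service pack, or enforcement is relaxed.'
}
```

The same three policies are what to re-check after the migration window: an Enforced = False row on a DC is a downgrade that outlives the legacy clients if nobody turns it back on.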

SMB Signing Policy

Update on Functional Levels ► Functional Levels ► Domain Functional Levels ► Forest Functional Levels ► Features without Dependencies ► Best Practices For Functional Levels ► Raising Domain Functional Level ► What Happens with Functional Level Upgrades ► Upgrading the PDC ► Forest switch to Windows Server 2003 Functional Level

Functional Levels ► Required in order to introduce non-backward-compatible features ► The admin manually advances the functional level once all DCs in the forest/domain are upgraded ► The level only increases, there is no going back ► Legacy DCs are blocked from joining or starting once the level is raised

Functional Levels ► Available functional levels ► Windows Server 2003 forest functionality ► Windows Server 2003 interim forest functionality ► Allows mixed-mode domains (NT4 BDCs), but no Windows 2000 DCs ► Windows Server 2003 domain functionality

Domain Functional Levels (domain functionality, enabled features, supported DCs in the domain)
  Windows 2000 mixed
    Enabled features: universal groups (distribution groups only)
    Supported DCs: Windows NT 4.0, Windows 2000, Windows Server 2003
  Windows 2000 native
    Enabled features: all of Windows 2000 mixed, plus group nesting, universal security groups, SIDHistory, group conversions
    Supported DCs: Windows 2000, Windows Server 2003

Domain Functional Levels (continued)
  Windows Server 2003
    Enabled features: all of Windows 2000 native, plus update of the logon timestamp attribute (lastLogonTimestamp), Kerberos KDC key version numbers, user password on inetOrgPerson, DC rename with netdom, redirection of the default Users and Computers containers, Authorization Manager storing authorisation policies in AD, constrained delegation for computers, selective authentication for cross-forest trusts
    Supported DCs: Windows Server 2003

Forest Functional Levels (forest functionality, enabled features, supported DCs in the forest)
  Windows 2000
    Enabled features: baseline Windows 2000 forest functionality
    Supported DCs: Windows NT 4.0, Windows 2000, Windows Server 2003
  Windows Server 2003 interim
    Enabled features: all of Windows 2000, plus linked value replication, improved ISTG, new attributes added to the GC
    Supported DCs: Windows NT 4.0, Windows Server 2003

Forest Functional Levels (continued)
  Windows Server 2003
    Enabled features: all of Windows Server 2003 interim, plus dynamic auxiliary classes, user to inetOrgPerson conversion, schema redefinition (deactivating and reusing attribute and class definitions), domain rename, cross-forest trust, basic and query-based groups (for role-based Authorization Manager)
    Supported DCs: Windows Server 2003

Features without Dependencies ► Application partitions ► Universal group caching ► Install from media ► No GC full sync when the partial attribute set (PAS) is extended by a schema change ► SID history migration delegation ► Concurrent LDAP binds ► Manual trigger of online defrag ► DNS in application partitions ► Single instance store

Forest switch to Windows Server 2003 Functional Level ► Domain controllers switch to new intra-site replication notification pause values (HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters: "Replicator notify pause after modify (secs)" and "Replicator notify pause between DSAs (secs)") ► Windows 2000: registry values ► 5 minutes / 30 seconds ► Windows Server 2003: new defaults apply if the registry values are not set ► 15 seconds / 3 seconds ► At the forest functional level switch ► DCs delete the registry values if they hold the Windows 2000 defaults ► DCs then automatically switch to 15 seconds / 3 seconds

Best Practices For Functional Levels ► Windows NT 4 Upgrade ► Motivation to move to Windows Server 2003 interim level ► Linked-value-replication (large group support) ► Improved KCC/ISTG ► Set Windows Server 2003 interim forest level ► Once all NT 4 BDCs are upgraded, advance forest to Windows Server 2003 functional level ► This automatically advances all domains to Windows Server 2003 functional level

Best Practices For Functional Levels ► Windows 2000 Upgrade ► Do nothing until all DCs are running Windows Server 2003 ► Make sure that no mixed mode domain is left in the forest ► Advance forest level to Windows Server 2003 functional level ► This automatically advances all domains to Windows Server 2003 functional level
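As an added example (not from the deck), the script below checks the two preconditions the best-practice slides give before raising the forest to the Windows Server 2003 level: no mixed-mode domain left in the forest, and every AD domain controller already running Windows Server 2003. It uses only ADSI / System.DirectoryServices, so it runs on any domain-joined host with Windows PowerShell and no ActiveDirectory module. The level-name table beyond 2003 is included for completeness; the attribute names (forestFunctionality on RootDSE, msDS-Behavior-Version on nTDSDSA objects and on each domain NC, ntMixedDomain) are the documented ones.

```powershell
# Added example (not from the deck). Read-only readiness check before raising
# the forest functional level. Run as any domain user on a domain-joined host.

$LevelNames = @{
    0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'; 4 = 'Windows Server 2008 R2'; 5 = 'Windows Server 2012'
    6 = 'Windows Server 2012 R2'; 7 = 'Windows Server 2016'
}

function Get-AdsiInt($entry, [string]$attr) {
    # Windows 2000 DCs do not publish the *Functionality attributes at all;
    # an absent value is equivalent to level 0.
    try { $v = [string]$entry.Properties[$attr].Value } catch { $v = '' }
    if ($v -eq '') { 0 } else { [int]$v }
}

function Find-Objects([string]$base, [string]$filter, [string[]]$attrs) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$base"
    $s.Filter     = $filter
    $s.PageSize   = 500
    [void]$s.PropertiesToLoad.AddRange($attrs)
    $s.FindAll()
}

function Get-ForestLevelReadiness {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = [string]$rootDse.configurationNamingContext

    # Every AD domain controller has an nTDSDSA object under its site; the
    # msDS-Behavior-Version there is the highest level that DC supports.
    # NT 4.0 BDCs have no such object, which is why ntMixedDomain is checked too.
    $dcs = foreach ($r in (Find-Objects "CN=Sites,$configNC" '(objectClass=nTDSDSA)' @('distinguishedName', 'msDS-Behavior-Version'))) {
        $level = if ($r.Properties.Contains('msds-behavior-version')) { [int]$r.Properties['msds-behavior-version'][0] } else { 0 }
        [pscustomobject]@{
            # DN is CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
            Server = (($r.Properties['distinguishedname'][0] -split ',')[1]) -replace '^CN=', ''
            Level  = $LevelNames[$level]
            Ok     = ($level -ge 2)
        }
    }

    # crossRef objects with systemFlags bit 0x2 are the domain partitions of the forest.
    $domains = foreach ($r in (Find-Objects "CN=Partitions,$configNC" '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))' @('nCName'))) {
        $nc = [ADSI]('LDAP://' + $r.Properties['ncname'][0])
        [pscustomobject]@{
            Domain = $r.Properties['ncname'][0]
            Level  = $LevelNames[(Get-AdsiInt $nc 'msDS-Behavior-Version')]
            Mixed  = ((Get-AdsiInt $nc 'ntMixedDomain') -eq 1)   # 1 = NT 4.0 BDCs still admitted
        }
    }

    [pscustomobject]@{
        ForestLevel       = $LevelNames[(Get-AdsiInt $rootDse 'forestFunctionality')]
        Domains           = $domains
        DomainControllers = $dcs
        # The slides' two conditions: no mixed-mode domain left, every DC at 2003 or later.
        ReadyForWS2003    = (-not ($domains | Where-Object { $_.Mixed })) -and (-not ($dcs | Where-Object { -not $_.Ok }))
    }
}

$r = Get-ForestLevelReadiness
$r.Domains | Format-Table -AutoSize
$r.DomainControllers | Format-Table -AutoSize
"Forest level: $($r.ForestLevel); ready to raise to Windows Server 2003: $($r.ReadyForWS2003)"
```

A DC that is listed here but is really an offline or decommissioned server still counts against you: its stale nTDSDSA object blocks the raise just as a live legacy DC would, so clean up metadata before retrying rather than forcing the level.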

Raising Domain Functional Level

What Happens with Functional Level Upgrades ► Domain Level ► Special operations on PDC upgrade ► Forest Level ► Special operations when forest is switched to Windows Server 2003 functional level ► Domain and Forest Level switches ► Attributes that define functional levels are initialised

Upgrading the PDC ► New well-known and built-in groups are created ► Builtin\Remote Desktop Users (not on XP) ► Builtin\Network Configuration Operators (not on XP) ► Builtin\Performance Monitor Users (not on XP) ► Builtin\Performance Log Users (not on XP) ► Builtin\Incoming Forest Trust Builders (DC only) ► Builtin\Windows Authorization Access Group (DC only) ► Builtin\Terminal Server License Servers (DC only)

Upgrading the PDC ► Some new group memberships are established ► If Everyone is in the Pre-Windows 2000 Compatible Access group, Anonymous Logon and Authenticated Users are added to it (Windows Server 2003 no longer counts anonymous callers as part of Everyone, so this preserves the old access) ► Network Service is added to the Performance Log Users group ► Enterprise Domain Controllers is added to the Windows Authorization Access Group ► Low network / performance impact ► Check afterwards: while Anonymous Logon is in Pre-Windows 2000 Compatible Access, unauthenticated callers can enumerate users and groups, so remove it as soon as no down-level members depend on it
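An added example (not from the deck) for the membership check above: it lists the members of Pre-Windows 2000 Compatible Access and flags the well-known principals the PDC upgrade may have added. Well-known SIDs appear in the group's member attribute as foreign security principals named by SID, which is what the regular expression matches. Read-only; the SID-to-name table covers only the three principals the slide mentions.

```powershell
# Added example (not from the deck). Audits Pre-Windows 2000 Compatible Access
# after the PDC upgrade. Run as a domain user; ADSI only.

$WellKnown = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

function Get-PreWin2kCompatibleAccessMembers {
    $domainNC = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $group    = [ADSI]"LDAP://CN=Pre-Windows 2000 Compatible Access,CN=Builtin,$domainNC"
    foreach ($dn in @($group.member)) {
        # Well-known principals are stored as CN=<SID>,CN=ForeignSecurityPrincipals,<domain>
        $sid  = if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') { $matches[1] } else { $null }
        $name = if ($sid -and $WellKnown.ContainsKey($sid)) { $WellKnown[$sid] } else { $dn }
        [pscustomobject]@{
            Member          = $name
            # Only Anonymous Logon lets unauthenticated callers read users and
            # groups; Everyone and Authenticated Users require a logon first.
            AllowsAnonymous = ($sid -eq 'S-1-5-7')
        }
    }
}

$members = Get-PreWin2kCompatibleAccessMembers
$members | Format-Table -AutoSize

if ($members | Where-Object { $_.AllowsAnonymous }) {
    Write-Host 'Anonymous enumeration is still possible. Once no NT 4.0 RAS servers or other down-level members need it, remove it on a DC with:'
    Write-Host '  net localgroup "Pre-Windows 2000 Compatible Access" "Anonymous Logon" /delete'
}
```

Run this again after each domain is restructured: ADMT and dcpromo can both re-populate the group, so treat its membership as something to verify, not something set once.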

Forest switch to Windows Server 2003 Functional Level ► Attributes added to the GC partial attribute set ► ms-DS-Trust-Forest-Trust-Info, Trust-Direction, Trust-Attributes, Trust-Type, Trust-Partner ► Security-Identifier ► ms-DS-Entry-Time-To-Die ► MSMQ-Secured-Source, MSMQ-Multicast-Address ► Print-Memory, Print-Rate, Print-Rate-Unit ► MS-DRM-Identity-Certificate ► Adding them does not trigger a GC full sync, so the replication impact is low

Windows NT 4 to Windows Server 2003 upgrade ► Upgrading from Windows NT 4 ► Demo: Upgrading the Windows NT 4 PDC

Upgrading from Windows NT4 ► Use the Windows Server 2003 interim forest functional level immediately ► dcpromo offers this when the upgraded PDC becomes the root of a new forest ► Use ADSI Edit (msDS-Behavior-Version = 1 on CN=Partitions in the Configuration container) when the forest root is already a Windows Server 2003 domain

Upgrading from Windows NT4 (Step by Step) 1. Inventory clients for compatibility with the default security settings ► Either install software (DS Client, service pack) or relax the settings 2. Inventory the domain controllers in the domain ► Hotfixes ► Recommended: SP6a ► DC hardware: disk space, CPU, memory ► DC health, including replication and the LMRepl file replication service

Upgrading from Windows NT4 (Step by Step) 3. Check for services running as LocalSystem on all member servers and workstations (they reach the new DC as a null session) ► Reconfigure the service to use a user account, or ► Upgrade the server to Windows 2000 Server or Windows Server 2003, or ► Use "Enable downlevel access" in dcpromo, which grants anonymous read access to user and group information through the Pre-Windows 2000 Compatible Access group; prefer the first two options ► Services which require "Enable downlevel access" include Windows NT 4.0 RAS

Upgrading from Windows NT4 (Step by Step) 4. Configure the LMRepl export server ► This will be the last domain controller to be upgraded ► If the LMRepl export service runs on the PDC, either ► Select one BDC to be the new LMRepl export server, or ► Move LMRepl to the server that will be upgraded as the last DC 5. Secure one BDC ► Sync it with the PDC ► Take a backup tape and test the restore ► Take the BDC offline and keep it in storage as the rollback path

Upgrading from Windows NT4 (Step by Step) 6. Upgrade the PDC ► The PDC cannot perform the PDC role while the upgrade and dcpromo run ► No changes possible (no new users, groups or group membership changes) ► Clients and workstations cannot change passwords ► Trusts might fail ► Plan for the change freeze / downtime 7. Configure security settings

Upgrading from Windows NT4 (Step by Step) 8. Verify success ► Verify that down-level replication to the remaining BDCs works ► Verify that users can be added and passwords can be changed 9. Install and configure lbridge.cmd ► Windows Server 2003 has no LMRepl service; it replicates SYSVOL with FRS ► Copy all logon scripts and other files from the LMRepl export server to the PDC emulator ► Configure lbridge.cmd to copy files from the PDC emulator's SYSVOL to the LMRepl export server ► Change files on the PDC emulator only

Upgrading from Windows NT4 (Step by Step) 10. Continue upgrading the BDCs 11. Once all DCs are Windows Server 2003 ► If this was the last domain to join the forest and all DCs in the forest are Windows Server 2003, switch the forest to the Windows Server 2003 functional level ► In multi-domain forests, do not raise individual domain levels; wait until the last domain is upgraded and raise the forest level, which raises every domain with it
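The inventory that step 3 asks for, as an added example that is not part of the deck: it enumerates services on member servers and workstations through WMI and classifies each by the account it runs as, so the LocalSystem services that will hit the new DC as a null session, and the domain accounts that must survive the migration, both come out of one pass. The computer names are an assumption; replace them with your inventory. Targets need WMI reachable over RPC and admin rights for the caller (Windows 2000 and later have WMI built in; NT 4.0 needs the WMI core installed).

```powershell
# Added example (not from the deck). Service-account inventory for step 3 of
# the NT 4.0 upgrade. Computer names below are placeholders.

$Computers = @('fs01', 'ras01')   # assumption: replace with your member servers / workstations

function Get-ServiceAccountInventory {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            $services = Get-WmiObject -Class Win32_Service -ComputerName $c -ErrorAction Stop
        } catch {
            Write-Warning "$c unreachable: $($_.Exception.Message)"
            continue
        }
        foreach ($s in $services) {
            $account = [string]$s.StartName
            # StartName forms: 'LocalSystem', 'NT AUTHORITY\...', '.\localuser', 'DOMAIN\user'
            $kind = if ($account -eq 'LocalSystem') { 'LocalSystem' } elseif ($account -match '^NT AUTHORITY\\') { 'BuiltIn' } elseif ($account -match '^\.\\') { 'LocalUser' } elseif ($account -match '\\') { 'DomainUser' } else { 'Other' }
            [pscustomobject]@{
                Computer  = $c
                Service   = $s.Name
                StartName = $account
                Kind      = $kind
                StartMode = $s.StartMode
                State     = $s.State
                # Auto-start LocalSystem services are the ones that will talk to the
                # DC unattended; each needs a named account, an OS upgrade, or an
                # explicit decision to leave it alone because it never touches the domain.
                Review    = ($kind -eq 'LocalSystem' -and $s.StartMode -eq 'Auto')
            }
        }
    }
}

$inventory = Get-ServiceAccountInventory -ComputerName $Computers

'LocalSystem services to review:'
$inventory | Where-Object { $_.Review } | Format-Table Computer, Service, State -AutoSize

'Domain accounts used by services (must exist after the migration):'
$inventory | Where-Object { $_.Kind -eq 'DomainUser' } | Sort-Object StartName -Unique | Format-Table Computer, Service, StartName -AutoSize
```

Keep the domain-account list for the ADMT phase: a service account migrated without SID history, or renamed, is the classic cause of a member server that stops working weeks after the DCs were upgraded.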

Upgrading The Windows NT 4.0 PDC

Windows 2000 to Windows Server 2003 upgrade ► Upgrading from Windows 2000 ► Issues with Schema Extensions ► Domain Naming Master ► Domain Upgrade And DNS ► Introducing The First Windows Server 2003 Domain Controller In Forest ► Upgrading from Windows 2000 Step by Step

Upgrading From Windows 2000 ► Easy and seamless upgrade process ► No restructuring necessary ► No forest, domain, OU or replication planning necessary ► No user / workstation / profile migration

Upgrading From Windows 2000 ► Windows Server 2003 DCs are fully compatible with Windows 2000 DCs ► Windows Server 2003 DCs can interoperate in a Windows 2000 forest / domain in any role ► New DC (dcpromo) ► Upgrade of an existing DC ► Preparing the forest and domains (adprep) is a separate step from introducing the first Windows Server 2003 DC

Issues with Schema Extensions ► Exchange 2000 schema present ► The Exchange 2000 schema extensions define three non-RFC-conformant attributes (houseIdentifier, secretary and labeledURI) ► If the Exchange 2000 schema extensions are applied before the Windows 2000 inetOrgPerson kit or the Windows Server 2003 schema, attributes with mangled names are created ► See KB article Q325379

Issues with Schema Extensions ► Services For Unix version 2.0 ► SFU 2.0 NIS component defines a uid attribute which clashes with the correct interpretation in Windows Server 2003 schema ► Adprep cannot extend the schema unless a QFE is applied ► See KB article Q293783

Domain Naming Master ► Application partitions do not depend on forest functional level ► Domain Naming Master must be Windows Server 2003 to create application partitions

Domain Upgrade And DNS ► Windows Server 2003 DNS can store zones in application partitions ► Motivation: removes DNS data from the GC ► Once all DNS servers are running Windows Server 2003, DNS data should be moved from the domain NC to the application partitions ► Easy through the DNS manager ► There is a big difference between creating and using application partitions ► Windows 2000 used the domain NC for DNS ► Data must be moved manually from the domain NC to the application partition ► Not an automated process ► Until then, failure to create the application partitions is harmless

Introducing The First Windows Server 2003 Domain Controller In Forest ► Once adprep has run, Windows Server 2003 Domain Controllers can join the forest ► Two methods ► Upgrade existing domain controller ► Install Windows Server 2003 as member server and run dcpromo ► Can choose any domain to hold the first Windows Server 2003 DC

Introducing The First Windows Server 2003 Domain Controller In Forest ► Upgrade of the PDC emulator performs special operations ► Creates the new built-in groups (Terminal Server License Servers and the other internal groups) ► Transfer of the PDC emulator role to a Windows Server 2003 DC triggers the same operations ► Best practice ► Install Windows Server 2003 as a member server and promote it to a domain controller ► Upgrade the PDC emulator to Windows Server 2003 early in the process ► Or transfer the PDC emulator role to a Windows Server 2003 DC, even if only temporarily

Upgrading from Windows 2000 (Step by Step) 1.Inventory clients for compatibility with default security settings ► Either install software (dsclient, SP) or relax settings 2.Apply schema fixes for Exchange and SFU if needed

Upgrading from Windows 2000 (Step by Step) 3.Inventory domain controllers in forest ► Hot fixes ► Recommended: SP3 ► If not at SP3 please review hotfix and updates required: Q has details ► Disk space ► DC health including AD replication 4.Run adprep /forestprep 5.In each domain, run adprep /domainprep

Upgrading from Windows 2000 (Step by Step) 6.Install Windows Server 2003 member server in forest root domain or any other domain of your choice 7.Promote member server to DC – monitor 8.Move Domain Naming Master role to Windows Server 2003 DC

Upgrading from Windows 2000 (Step by Step) 9. Upgrade the existing Windows 2000 domain controllers 10. In each domain ► Upgrade the PDC emulator as soon as possible (or transfer the PDC emulator role to a Windows Server 2003 DC) ► Once all DNS servers are running Windows Server 2003, move the domain DNS data into an application partition ► Verify that the Domain Naming Master is still running on a Windows Server 2003 DC

Upgrading from Windows 2000 (Step by Step) 11.When all DCs are upgraded ►Switch forest to Windows Server 2003 functional level
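An added example, not from the deck, that verifies the state steps 4, 5, 8 and 10 leave behind: that adprep /forestprep and /domainprep completed, and that the Domain Naming Master and PDC emulator sit on Windows Server 2003 DCs. The completion markers are the ones Microsoft documents for the Windows Server 2003 adprep (KB 324392): the Windows2003Update object under ForestUpdates reaches revision 9 and the one under DomainUpdates reaches revision 8; the schema objectVersion is 30 for Windows Server 2003 (31 with R2). Everything here is read-only ADSI; run it as a domain user.

```powershell
# Added example (not from the deck). Post-adprep and FSMO placement check for
# the Windows 2000 to Windows Server 2003 upgrade.

function Get-AdsiInt($entry, [string]$attr) {
    # A missing object or attribute (adprep not run yet) reads as 0.
    try { $v = [string]$entry.Properties[$attr].Value } catch { $v = '' }
    if ($v -eq '') { 0 } else { [int]$v }
}

function Get-RoleOwnerLevel([string]$ntdsSettingsDn) {
    # fSMORoleOwner holds the DN of the role holder's NTDS Settings object:
    # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    $ntds = [ADSI]"LDAP://$ntdsSettingsDn"
    [pscustomobject]@{
        Server = (($ntdsSettingsDn -split ',')[1]) -replace '^CN=', ''
        Level  = Get-AdsiInt $ntds 'msDS-Behavior-Version'   # 2 = Windows Server 2003
    }
}

function Test-WS2003Preparation {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = [string]$rootDse.configurationNamingContext
    $schemaNC = [string]$rootDse.schemaNamingContext
    $domainNC = [string]$rootDse.defaultNamingContext

    $schemaVersion  = Get-AdsiInt ([ADSI]"LDAP://$schemaNC") 'objectVersion'
    $forestRevision = Get-AdsiInt ([ADSI]"LDAP://CN=Windows2003Update,CN=ForestUpdates,$configNC") 'revision'
    $domainRevision = Get-AdsiInt ([ADSI]"LDAP://CN=Windows2003Update,CN=DomainUpdates,CN=System,$domainNC") 'revision'

    $dnm = Get-RoleOwnerLevel ([string]([ADSI]"LDAP://CN=Partitions,$configNC").Properties['fSMORoleOwner'].Value)
    $pdc = Get-RoleOwnerLevel ([string]([ADSI]"LDAP://$domainNC").Properties['fSMORoleOwner'].Value)

    [pscustomobject]@{
        SchemaVersion      = $schemaVersion            # 30 = Windows Server 2003, 31 = R2
        ForestPrepDone     = ($forestRevision -ge 9)
        DomainPrepDone     = ($domainRevision -ge 8)   # this domain only; run in each domain
        DomainNamingMaster = $dnm.Server
        DNMIsWS2003        = ($dnm.Level -ge 2)        # required to create application partitions
        PdcEmulator        = $pdc.Server
        PdcIsWS2003        = ($pdc.Level -ge 2)        # triggers creation of the new built-in groups
    }
}

Test-WS2003Preparation | Format-List
```

DomainPrepDone is evaluated against the domain the host is joined to, so in a multi-domain forest run it once per domain (or bind the domainNC variable explicitly) before ticking off step 5.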

Domain restructuring with ADMT V-2 ► Migrating To Windows Server 2003 ► Restructure Activities ► Active Directory Migration Tool Version 2.0

Migrating To Windows Server 2003 ► Most migrations from Windows NT 4.0 to Active Directory are a mix of in-place upgrades and restructuring ► See “Best Practice Active Directory Design for Managing Windows Networks” for more information ► /planning/activedirectory/bpaddsgn.asp

Restructure Activities (activity and which part of the restructuring it belongs to)
  User migration: account domain restructuring
  Global group migration: account domain restructuring
  Migrating user profiles: account domain restructuring
  Migrating Exchange mailbox access: account domain restructuring
  Migrating workstations: resource domain restructuring
  Migrating resources: resource domain restructuring

Active Directory Migration Tool Version 2.0 ► Password migration ► Windows NT 4.0 to Active Directory ► Forest to forest ► Scripting support ► Command line support ► Can also be used to migrate to Windows 2000 Active Directory

ADMT

Summary ► Windows NT 4 to Windows Server 2003 upgrade very similar to Windows NT 4 to Windows 2000 upgrade ► Windows 2000 Server to Windows Server 2003 upgrade is easy and requires no additional design planning ► ADMT v2 makes restructuring easier

Do More With Less

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.