Beams Division Local Administrators Meeting 9/17/02 Brian Drendel.


1 Beams Division Local Administrators Meeting 9/17/02 Brian Drendel

2 What will we talk about today?
• Upgrade your OS (quick review)
  – Upgrade OS to WinNT/2K
  – Install the latest Service Packs
• Apply for your Win2k Account
  – Win2k Kerberos Authentication
  – Account cloning procedure
• Move your Computer into Fermi Domain
  – Check Beams Profile
  – Copy Profile
  – NTLMv2
  – Join the Fermi Domain
  – Group Membership
  – Login to Fermi Domain

3 Today’s Talk
• This talk will follow the steps outlined in our “Win2k/XP Migration Steps” document located at http://www-bdnew.fnal.gov/network/Migrating-Beams-2-Fermi.htm.
• We will build on the information given at our last local administrator talk, which can be reviewed at http://vmsstreamer1.fnal.gov/VMS_Site_02/Lectures/BDNetworking/020625Drendel/index.htm.

4 Upgrade your Operating System to WinNT/2K
• Computing Division is only allowing Win2k and WinXP computers to join the Fermi Domain.
• There are two options for your Win98/NT Computers:
  – Upgrade using our Ghost Image.
  – Fill out the OS upgrade form.

5 Upgrade your Operating System to WinNT/2K
• To enhance the material presented in the last local administrators meeting, we have detailed WinXP Ghost Setup instructions at http://www-bdnew.fnal.gov/network/WinXP%20Ghost%20Setup.htm.
  – ISO images are stored on \\Beamssrv1\PC-Support\DriveImages
• Complete computer ghosting and post-ghost setup usually takes less than an hour.

6 Upgrade your Operating System to WinNT/2K
• As we covered in great detail during the last local administrator talk, local administrators who do not have time to complete operating system upgrades can fill out our Win2k/XP upgrade form http://www-bdnew.fnal.gov/network/w2kmigration/ to schedule a time for the BD/Networking group to upgrade their computer.

7 Only secure computers are allowed in the Win2k Domain
• Upgrade your OS (quick review)
  – Upgrade OS to WinNT/2K
  – Install the latest Service Packs
• Apply for your Win2k Account
  – Win2k Kerberos Authentication
  – Account cloning procedure
• Move your Computer into Fermi Domain
  – Check Beams Profile
  – Copy Profile
  – NTLMv2
  – Join the Fermi Domain
  – Group Membership
  – Login to Fermi Domain

8 Install Service Packs
• Computing Division has asked that any computer that joins the Fermi Win2k Domain have the latest Service Packs and hotfixes.
• BD/Networking Group maintains a web page at http://www-bdnew.fnal.gov/network/latest-os-service-packs.htm that lists the latest service packs and hotfixes available on Beamssrv1.
• There are two options for installing service packs:
  – Install them from the service pack script on Beamssrv1 using your local administrator account.
  – Have BD/Networking install them from the security server.

9 Install Service Packs
Recent Operating System Service Packs

10 Does Win2k use Kerberos?
• Upgrade your OS (quick review)
  – Upgrade OS to WinNT/2K
  – Install the latest Service Packs
• Apply for your Win2k Account
  – Win2k Kerberos Authentication
  – Account cloning procedure
• Move your Computer into Fermi Domain
  – Check Beams Profile
  – Copy Profile
  – NTLMv2
  – Join the Fermi Domain
  – Group Membership
  – Login to Fermi Domain

11 Kerberos Authentication
• CD Security has mandated that all network computer access must use Kerberos authentication.
• A Win2k/XP client computer logging into the Win2k domain uses Kerberos authentication.
• WinNT computers do not use Kerberos.
• Win2k/XP computers logging into a WinNT Domain do not use Kerberos.

12 Kerberos Authentication
• You cannot use your WinNT Beams Account to login to the Win2k Domain.
  – A new Win2k Fermi account will be created for you to login to the new domain.
  – This account is separate from your WinNT Beams Domain Account.
• Important! You need to have access to your WinNT Beams Domain resources (Beamssrv1, Beams-prt-srv,…) from the Win2k Fermi Domain. How will this be done?

13 Kerberos Authentication
• Maintaining Beams Domain Resources (part 1):
  – A one-way trust has been set up between the Fermi and Beams Domains to allow Fermi Domain users, with the appropriate access privileges, to access resources in the Beams domain.
• The trust does not go the other way, which means that Beams Domain users will NOT have access to Fermi Domain resources.
• The Beams Domain servers will remain in the Beams WinNT Domain during the migration.
• After the Beams Domain servers are moved to the Win2k Fermi Domain, users in the Beams Domain will no longer have access to the servers.

14 Kerberos Authentication
• Maintaining Beams Domain Resources (part 2):
  – Your new Win2k Fermi Domain account maintains your Beams Domain account privileges through a process called “cloning”.
Cloning:
• Copies your WinNT SID information to your Win2k account.
• Does not change your WinNT account…you have two accounts.
• Computing Division Domain Administrators do the cloning.
• BD OU Admins modify the Win2k account after it is cloned.

15 Kerberos Authentication
• Computing Division has mandated that no Win2k Account can be created if the user does not have a Kerberos principal.
  – This eventually will be automated for new employees.
  – Existing employees without Kerberos principals must fill out the form at http://www.fnal.gov/cd/forms/strongauth.html to apply for their Kerberos principal.

16 It’s time to clone!
• Upgrade your OS (quick review)
  – Upgrade OS to WinNT/2K
  – Install the latest Service Packs
• Apply for your Win2k Account
  – Win2k Kerberos Authentication
  – Account cloning procedure
• Move your Computer into Fermi Domain
  – Check Beams Profile
  – Copy Profile
  – NTLMv2
  – Join the Fermi Domain
  – Group Membership
  – Login to Fermi Domain

17 Cloning your Account
• How do you get your account cloned?
  – You can request that your existing WinNT Beams Account credentials be cloned over to your new Win2k Account by filling out our “Account Request Form” at http://www-bdnew.fnal.gov/network/add_user.asp.
  – On the next slide we will fill out the form.
• We added fields to the account request form.
• I will highlight new features of the form to allow the clone request.

18 Cloning your Account
[Figure: account request form, with numbered callouts 1 to 6]

19 After the submit button is clicked, you will see the following if the form was filled out correctly.

20 Cloning your Account
Email is then sent to bd-net-accounts@fnal.gov.

21 Cloning your Account
• The BD OU Admins receive the clone request and start a help desk “clone request” to the Computing Division Domain Administrators.

22 Cloning your account
• After Computing Division clones the account, the BD OU Admins:
  – Move the account into the BD OU structure.
  – Make any account modifications.
  – Set initial password.
  – Notify the user.

23 Let’s look at a Beams Domain Profile
• Upgrade your OS (quick review)
  – Upgrade OS to WinNT/2K
  – Install the latest Service Packs
• Apply for your Win2k Account
  – Win2k Kerberos Authentication
  – Account cloning procedure
• Move your Computer into Fermi Domain
  – Check Beams Profile
  – Copy Profile
  – NTLMv2
  – Join the Fermi Domain
  – Group Membership
  – Login to Fermi Domain

24 Beams Domain Profile
• Once your computer has been upgraded to Win2K/XP and your account has been cloned, we are ready to add your computer to the domain. This requires the following steps:
  – Check Beams Profile
  – Copy Profile
  – NTLMv2
  – Join the Fermi Domain
  – Group Membership
  – Login to Fermi Domain

25 Beams Domain Profile
• First we will login to the user’s WinNT Beams Domain account and look at profile information, including:
  – Screen background
  – Desktop icons
  – Printers

26 Beams Domain Profile
Login to the user’s Beams Domain Account while their computer is still joined to the Beams Domain.

27 [Figure labels: Y drive, Z drive, Printer, Desktop & Desktop icons]

28 Beams Domain Profile
• Now we will logout of the domain account.
• Remember,
  – Screen background
  – Desktop icons
  – Printer

29 Will I have to rebuild the user’s profile?
• Upgrade your OS (quick review)
  – Upgrade OS to WinNT/2K
  – Install the latest Service Packs
• Apply for your Win2k Account
  – Win2k Kerberos Authentication
  – Account cloning procedure
• Move your Computer into Fermi Domain
  – Check Beams Profile
  – Copy Profile
  – NTLMv2
  – Join the Fermi Domain
  – Group Membership
  – Login to Fermi Domain

30 Copy User Profile
• When a user logs in to their new Win2k Domain account, the default action is to create a new user profile.
• A user profile contains:
  – Screen Background
  – Software and Hardware settings
  – Printers
  – Desktop icons and files
  – Email files (Outlook or Outlook Express)
  – Network drives
  – Application data files

31 Copy User Profile
• Problem: User profiles can take a long time to rebuild.
• Solution: There is a resource kit utility called “moveuser” that lets you copy a user’s WinNT Domain profile before you join their computer to the Win2k Domain.
• We will show you how to use this utility from the local administrator account.
• Let’s login.

32 Copy User Profile
Login to the local administrator account

33 Copy User Profile
Browse to Beamssrv1

34 Copy User Profile
• When prompted, login using your Beams Domain credentials.

35 Copy User Profile
Browse through the Win2k-Setup folder to the Win2k-migrate folder

36 Copy User Profile
Double-click the copy_tools.bat file to copy the move user tools to c:\winnt (c:\windows) on your hard drive.

37 Copy User Profile
A command window appears and shows the status of the copy.

38 Copy User Profile
• Use “My Computer” or “Explorer” to browse to c:\winnt\tools (or c:\windows\tools)
• Find moveuser.bat (not moveuser.exe)

39 Copy User Profile
• Moveuser.bat does the following:
  – Makes a registry setting so that your computer uses only Kerberos and NTLMv2 instead of NTLMv1 (more on this shortly).
  – Prompts you to type the command to copy your profile:
• Moveuser Beams\”username” Fermi\”username”

40 Copy User Profile
Follow the directions listed in the command window.

41 Copy User Profile
• There are common errors:
  – Error 2 = the profile is currently locked. Simply reboot, login to the local administrator account, and try again.
  – Error 5 = Access to profile is denied, or the profile does not exist. You will see this if you mistype the account name.

42 Kerberos & NTLMv2
• Upgrade your OS (quick review)
  – Upgrade OS to WinNT/2K
  – Install the latest Service Packs
• Apply for your Win2k Account
  – Win2k Kerberos Authentication
  – Account cloning procedure
• Move your Computer into Fermi Domain
  – Check Beams Profile
  – Copy Profile
  – NTLMv2
  – Join the Fermi Domain
  – Group Membership
  – Login to Fermi Domain

43 NTLMv2
• Win2k Domains authenticate in the following order:
  – Kerberos
  – If Kerberos fails, use NTLM.
• NTLM is not considered secure by Computing Division.
• A registry change can change the Win2k authentication order to:
  – Kerberos
  – If Kerberos fails, use NTLMv2.
• This is not 100% Kerberos compliance, but is more acceptable than NTLMv1.

44 NTLMv2
• There are three ways to make this NTLMv2 registry change.
  – It is automatically made if you run the MOVEUSER.BAT file in the previous step.
  – Run the registry file that accompanies our moveuser utility (will show this).
  – Manually edit the registry.

45 NTLMv2
• Use “My Computer” or “Explorer” to browse to c:\winnt\tools (or c:\windows\tools)
• Find lma_05.reg (lma_00.reg removes the change)

46 NTLMv2
Double-click lma_05.reg

47 NTLMv2
• Alternately, you could manually edit the registry with regedt32 (regedit for WinXP).
• The following key is changed.
• LmCompatibilityLevel = 5 for NTLMv2
• LmCompatibilityLevel = 0 for NTLMv1.

48 It’s time to join the Fermi Domain!
• Upgrade your OS (quick review)
  – Upgrade OS to WinNT/2K
  – Install the latest Service Packs
• Apply for your Win2k Account
  – Win2k Kerberos Authentication
  – Account cloning procedure
• Move your Computer into Fermi Domain
  – Check Beams Profile
  – Copy Profile
  – NTLMv2
  – Join the Fermi Domain
  – Group Membership
  – Login to Fermi Domain

49 Join the Fermi Domain
• Now that the user profile has been copied and the NTLMv2 change is in place, it is time to move the user’s computer into the domain.
  – The BD OU Admins must add your computer to the BD OU.
  – The local administrator can then join the computer to the domain.

50 Join the Fermi Domain
• The BD OU Admins will add your computer name to the Fermi BD OU.
  – The BD OU Admins set management privileges in Active Directory to allow the local administrator to add this computer to the domain locally.
• The local administrator can join the computer to the domain using their Fermi Domain account credentials.
  – The computer automatically joins the domain in the correct OU.

51 Join the Fermi Domain
• Now we’ll show you how a local administrator can add a computer to the domain after the BD OU Administrators have added the computer information into the Active Directory.
• Right-click on My Computer and select properties.

52 Join the Fermi Domain
• The System Properties box is opened.
• Select the “Computer Name” tab (WinXP) or the “Network Identification” tab (Win2k).
• Click on the “Change” button (WinXP) or the “Properties” button (Win2k).

53 Join the Fermi Domain
The Change (WinXP) or Properties (Win2k) button pulls up the window where we can change the computer name and/or domain.

54 Join the Fermi Domain
• Normal domain changing procedure is:
  – Change the computer name
  – Change to Workgroup = Workgroup
  – Reboot
  – Change from Workgroup = Workgroup to Domain = Fermi
  – Reboot
• However, if you are not changing your computer name, you can use the following shortcut.

55 Join the Fermi Domain
• If you are not changing your computer name, you can change directly from Domain = Beams to Domain = Fermi.

56 Join the Fermi Domain
• When prompted for credentials, supply your Fermi domain account username and password.
• Remember, the BD OU Administrators grant you the right to join a computer to the domain, so this privilege must be arranged in advance.
• If successful, you will get a welcome to fermi domain popup window.

57 Join the Fermi Domain
• After joining the Fermi Domain, you will be prompted to reboot. You must do this to complete the Domain joining process.
• After the reboot, it is really tempting to let the user login to their Fermi Domain account; however, we are not quite ready for user login.
• We must configure group membership before the user’s domain account can maintain the same level of functionality as they are used to.

58 Group Membership is important!
• Upgrade your OS (quick review)
  – Upgrade OS to WinNT/2K
  – Install the latest Service Packs
• Apply for your Win2k Account
  – Win2k Kerberos Authentication
  – Account cloning procedure
• Move your Computer into Fermi Domain
  – Check Beams Profile
  – Copy Profile
  – NTLMv2
  – Join the Fermi Domain
  – Group Membership
  – Login to Fermi Domain

59 Group Membership
To configure group membership, login to the local administrator account again.

60 Group Membership
Open the Control Panel and find “User Accounts” (WinXP) or “Users and Passwords” (Win2K).

61 Group Membership
In the User Accounts window, go to the “Advanced” tab

62 Group Membership
In the “Advanced” Tab, click on the “Advanced” button

63 Group Membership
• The “Advanced” button brings up the “Local Users and Groups” window.
• Click on “Groups”.

64 Group Membership
The “Groups” folder lists all of the local groups on your computer in the right pane.

65 Group Membership
• Double-click on “Administrators” to show what users have administrative privileges on your computer.
• We will have to add Fermi\BD Domain Admins.
• Click Add

66 Group Membership
• The “Select Users or Groups” window is opened.
• If you know the group name that you want to add, you can type the name in the bottom pane.

67 Group Membership
• You can click on “Check Names” to verify that the group name has been typed correctly.
• Clicking OK will add the group.
• If you don’t know the name of the group, click the “Advanced” button.

68 Group Membership
• The “Advanced” button lets you search for a group.
• Enter search criteria (if any) in the name or description fields
• Click “Find Now”

69 Group Membership
• The “Find Now” button pulls up a list of groups that fit your search criteria.
• Double-click on the desired group (BD Domain Admins in our case).

70 Group Membership
• The result is we added the Fermi\Domain Admins global group to the Administrators group on your computer.
• The list of users in your administrator’s group should match what is shown here.
• Add or remove the appropriate group(s) as necessary.

71 Group Membership
If Fermi\BD Domain Admins is not added to the administrators group, then the BD OU Admins will not be able to administer your computer.

72 Group Membership
Next, we need to modify the Power Users group.

73 Group Membership
• Add Fermi\Domain Users.
• Without this change users will not be able to add printers and run some programs.
• You can remove any other users or groups that are in the Power Users group.

74 Group Membership
Next, we will need to edit the Backup Operators group.

75 Group Membership
• Add the Fermi\bd-service-backup account to the Backup Operators group.
• You can remove any other users or groups that are in the Power Users group.

76 Group Membership
Now that the Group Membership configuration is complete, we can logout of the localadmin account and have the user login to their new Fermi Domain account.
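
A check for the NTLMv2 and Group Membership steps above, as an added example that is not part of the original talk. It assumes Windows PowerShell 5.1 or later (newer than the Win2k/XP tools the slides use), an elevated prompt, and the standard HKLM\SYSTEM\CurrentControlSet\Control\Lsa location for LmCompatibilityLevel, which the transcript does not show.

```powershell
# Added example, not from the talk. Assumes Windows PowerShell 5.1 or later, elevated.

# Local group members the slides ask for after the domain join.
$expectedMembers = [ordered]@{
    'Administrators'   = 'Fermi\BD Domain Admins'
    'Power Users'      = 'Fermi\Domain Users'
    'Backup Operators' = 'Fermi\bd-service-backup'
}

function Test-LmCompatibilityLevel {
    param([int]$Required = 5)   # 5 is the value the slides give for NTLMv2
    # Assumption: standard LSA key; the transcript does not show the key path.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $lsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: the OS default applies, so the change was never made here.
        $actual = 'not set'
        $pass = $false
    } else {
        $actual = $prop.LmCompatibilityLevel
        $pass = ($actual -eq $Required)
    }
    [pscustomobject]@{ Check = 'LmCompatibilityLevel'; Expected = $Required; Actual = $actual; Pass = $pass }
}

function Test-LocalGroupMember {
    param([string]$Group, [string]$Member)
    try {
        # Name is returned as DOMAIN\name; -contains compares case-insensitively.
        $names = @(Get-LocalGroupMember -Name $Group -ErrorAction Stop | ForEach-Object { $_.Name })
        $pass = $names -contains $Member
        $actual = $names -join '; '
    } catch {
        # Missing group, or members that cannot be resolved: report as a failed check.
        $pass = $false
        $actual = "error: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Check = "Group '$Group'"; Expected = $Member; Actual = $actual; Pass = $pass }
}

# Run the registry check first, then one membership check per expected group.
$results = @(Test-LmCompatibilityLevel)
foreach ($group in $expectedMembers.Keys) {
    $results += Test-LocalGroupMember -Group $group -Member $expectedMembers[$group]
}
$results | Format-Table -AutoSize -Wrap

if ($results.Pass -contains $false) {
    Write-Warning 'One or more migration checks failed; see the table above.'
}
```

The Actual column lists every member of each group, so extra accounts left in Administrators or Power Users are visible for review as well.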

77 The final test!
• Upgrade your OS (quick review)
  – Upgrade OS to WinNT/2K
  – Install the latest Service Packs
• Apply for your Win2k Account
  – Win2k Kerberos Authentication
  – Account cloning procedure
• Move your Computer into Fermi Domain
  – Check Beams Profile
  – Copy Profile
  – NTLMv2
  – Join the Fermi Domain
  – Group Membership
  – Login to Fermi Domain

78 Login to the Fermi Domain
• Have the user login to their Fermi Domain account on the computer that was joined to the Fermi Domain.
• Try to remember the Beams Domain Profile that we looked at earlier.
  – Minos background
  – Adebt2-color printer
  – Meeting Maker and Migration Screen icons…

79 Login to the Fermi Domain
Have the user login to the Fermi Domain account

80 [Figure labels: Y drive, Z drive, Printer, Desktop & Desktop icons]

81 Login to the Fermi Domain
• The earlier user profile copy was successful. All user profile configurations that the user had in their WinNT Beams user profile are now in their Win2k Fermi user profile!

82 What will we talk about today?
• Upgrade your OS (quick review)
  – Upgrade OS to WinNT/2K
  – Install the latest Service Packs
• Apply for your Win2k Account
  – Win2k Kerberos Authentication
  – Account cloning procedure
• Move your Computer into Fermi Domain
  – Check Beams Profile
  – Copy Profile
  – NTLMv2
  – Join the Fermi Domain
  – Group Membership
  – Login to Fermi Domain

83 Questions?

