Document: Module 7: Minimizing the Impact on Network Operations During a Domain Restructure (docx)


Contents

• Overview
• Maintaining Reliability of Network Services During a Domain Restructure
• Preparing for Account Migration Issues
• Leveraging Existing Directory Information During a Domain Restructure
• Review

Module 7: Minimizing the Impact on Network Operations During a Domain Restructure

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, MS, Windows, Windows NT, Active Directory, and Windows 2000 are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

Project Lead/Instructional Designer: Sangeeta Garg (NIIT (USA) Inc.)
Lead Program Manager: Angie Fultz
Instructional Designer: Robert Deupree (S&T OnSite)
Subject Matter Expert: Brian Komar (3947018 Manitoba Inc)
Technical Contributors: John Pritchard, Greg Parsons, David Cross, Rodney Fournier, Tony de Freitas, Christoph Felix, Shaun Hayes, Megan Camp, Richard Maring, Glenn Pittaway, Anne Hopkins, Bob Heath, Jeff Newfeld, Jim Glynn, Paul Thompson (Mission Critical Software, Inc.), David Stern, Lyle Curry, Steve Tate, Bill Wade (Wadeware LLC)
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T Onsite)
Testers: Testing Testing 123
Instructional Design Consultants: Susan Greenberg, Paul Howard
Instructional Design Contributor: Kathleen Norton
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editors: Marilyn McCune (Sole Proprietor), Wendy Cleary (S&T OnSite), Jane Ellen Combelic (S&T OnSite)
Copy Editor: Shawn Jackson (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Onsite)
Multimedia Development: Kelly Renner (Entex)
Courseware Testing: Data Dimensions, Inc.
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T Onsite)
Manufacturing Support: Laura King (S&T Onsite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Managers: Dean Murray, Ken Rosen
Group Product Manager: Robert Stewart

Instructor Notes

This module provides students with the ability to develop a strategy for restructuring Microsoft® Windows NT® version 4.0 domains to Microsoft Windows® 2000 domains while maintaining network reliability, security, availability, and performance. There is no lab for this module.
At the end of this module, students will be able to:

• Examine existing network services and develop a strategy for ensuring their reliability during the domain restructure.
• Plan for issues that arise due to the cloning of accounts when restructuring a Windows 2000 domain.
• Describe how the Active Directory™ Connector (ADC) allows migration of user attributes to the Active Directory directory service.

Materials and Preparation

This section provides you with the required materials and preparation tasks that are needed to teach this module.

Required Materials

To teach this module, you need the following materials:

• Microsoft PowerPoint® file 2010a_07.ppt
• Module 7, “Minimizing the Impact on Network Operations During a Domain Restructure”

Preparation Tasks

To prepare for this module, you should:

• Read all of the materials for this module.
• Read all of the delivery tips.
• Read the technical white paper, Dynamic Host Configuration Protocol for Windows 2000, which is located on the Student Materials compact disc.
• Read the technical white paper, Microsoft Windows 2000 Windows Internet Service (WINS) Overview, which is located on the Student Materials compact disc.
• Read the technical white paper, Windows 2000 DNS, which is located on the Student Materials compact disc.

Presentation: 60 Minutes
Lab: 0 Minutes

There are several chapters of the Windows 2000 Server Deployment Planning Guide that will also help you prepare your delivery. These documents are in the Additional Readings\Deployment Guide folder on the Student Materials compact disc:

• Chapter 10, “Determining Domain Migration Strategies”, will provide information on the LAN Manager Replication service, domain security, and user profiles.
• Chapter 23, “Defining Client Administration and Configuration Standards,” will provide information on Group Policy.
• Chapter 21, “Testing Applications for Compatibility with Windows 2000,” will support the topic of upgrade impact on applications.
• Chapter 20, “Synchronizing Active Directory with Exchange Server Directory Services,” will provide more background on using the Active Directory Connector.

The following documents are also on the Student Materials compact disc and will help to further prepare you to deliver this module:

• Microsoft Windows 2000 Market Bulletin: Active Directory™ Client Extensions for Windows 95, 98 and Windows NT® 4
• Windows 2000 Operating System Comparison Chart
• Deploying the Active Directory Connector
• Knowledge Base article Q151777, "XADM: How to Move a Microsoft Exchange Server to a New Domain" (It describes how to change the service account within the Exchange Schema.)

Module Strategy

Use the following strategy to present this module:

The previous module in this course, module 6, “Developing a Domain Restructure Strategy,” discussed the basic steps that all organizations must include in their domain restructure plan. Make sure students understand that the number of additional planning steps they must add to that base plan will be dictated by the components in their current network environment.

This module may prove to be the most challenging to teach because of the wide variety of topics covered and the background understanding you must have. It is important that you be very familiar with each component discussed in the module, from the perspectives of both Windows NT 4.0 and Windows 2000. Be prepared to contrast the way Windows NT 4.0 handles a particular component with the way it is handled in Windows 2000.

Encourage interaction during this module. Ask students how they currently configure a particular network service or handle domain security.
Then ask them how they might ensure reliability or availability of those components given what they have learned. Students will likely have questions that relate to the topics in the module but are not directly discussed. Be flexible in addressing their issues, because they have business needs for ensuring the reliability of network operations during their migration. If you are unsure of the answer, turn the question over to the class and use it as an opportunity for discussion.

• Maintaining Reliability of Network Services During a Domain Restructure
  For many students, network reliability will be the area of greatest concern. Several of the topics in this section discuss differences in the ways that Windows NT 4.0 and Windows 2000 manage common networking services. Potential pitfalls are revealed, with viable work-around solutions. Anticipate the types of questions that students will ask while you prepare for this module. Although students meeting the prerequisites for this course should have an understanding of all of the topics in this module, their level of familiarity will vary dramatically. Be prepared to provide background information if students seem confused.
• Preparing for Account Migration Issues
  It is critical that you clearly communicate the impact of a domain restructure on each topic. This tells students why they should care about these topics—for example, the trusts required by the migration tools make it possible for a user to log on to either the source or target domain, possibly impacting administrative overhead. Although this may scare some students and make them wary of Windows 2000, you will earn their attention by underscoring the importance of planning.
• Leveraging Existing Directory Information
  This section focuses on how Microsoft Exchange directory information can be used during migration. You do not have to be an expert with Exchange to successfully deliver this topic.
  Focus on the three things that Exchange can provide in Active Directory and the steps that must be followed. If questions on the ADC arise, point students to the white paper on their compact discs.

Overview

• Maintaining Reliability of Network Services During a Domain Restructure
• Preparing for Account Migration Issues
• Leveraging Existing Directory Information During a Domain Restructure

One of your primary migration goals is to ensure continuous network functionality with minimal impact on business productivity. Maintaining network operations may require additional steps to be added to your domain-restructuring plan.

At the end of this module, you will be able to:

• Examine existing network services and develop a strategy for ensuring their reliability during the domain restructure.
• Plan for issues that arise due to the cloning of accounts when restructuring a Microsoft® Windows® 2000 domain.
• Describe how the Active Directory™ Connector (ADC) allows migration of user attributes to the Active Directory directory service.

Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about minimizing the impact of a domain restructure on your network reliability, security, availability, and performance.

Maintaining Reliability of Network Services During a Domain Restructure

• Providing Reliable DNS Services
• Providing Reliable NetBIOS Resolution Services
• Providing Reliable DHCP Services
• Providing Remote Access Services in a Mixed Environment
• Supporting LAN Manager Replication
• Migrating Logon Scripts to Group Policy
• Migrating System Policies to Group Policy

For many network administrators, the biggest risk during a domain restructure is potential interruptions to network operations.
Because a restructure will affect numerous network services, careful planning is necessary to ensure a smooth transition. Important planning issues include:

• Examining how Domain Name System (DNS) data will be replicated in a Windows 2000 network so that you can provide reliable DNS naming services during the domain restructure.
• Establishing the need for NetBIOS name resolution so that the continued use of WINS can be evaluated after the restructure.
• Identifying normal interruptions to Dynamic Host Configuration Protocol (DHCP) Server services during the restructure process so that backup services can be planned to ensure maximum reliability.
• Maintaining LAN Manager replication functionality after Windows 2000 File Replication service (FRS) is implemented.
• Developing a strategy for planning Routing and Remote Access support during the restructuring process.
• Developing a strategy for transitioning from Windows® NT version 4.0 System Policies to Windows 2000 Group Policy.
• Planning for issues involved with user authentication when cloning accounts to a new forest.
Slide Objective: To describe a strategy for maintaining reliable network services during a domain restructure.
Lead-in: A domain restructure will affect several network services. Careful planning is required to maintain reliable network connectivity.
Key Point: While many of these topics are covered in module 4, “Minimizing the Impact on Network Operations During an Upgrade,” the content focuses on planning issues for restructuring, as opposed to upgrading.

Providing Reliable DNS Services

• Effect of a Restructure on DNS Services
• Match Active Directory Domains to DNS Domains
   ◦ Install a secondary Windows 2000 DNS server in the target domain
   ◦ Transfer zone file then reconfigure Windows 2000 DNS as the primary DNS server
   ◦ Promote Windows 2000 DNS server to be a domain controller and configure Active Directory integrated zones
• Create New DNS Domains to Host SRV Records
   ◦ Install a primary Windows 2000 DNS server in the target domain
   ◦ Delegate new sub-domains of existing DNS domains to Windows 2000 DNS server
   ◦ Move reverse lookup zones to Windows 2000 DNS server

When performing domain restructuring from Windows NT 4.0 or a separate Windows 2000 forest, one of the first administrative tasks is to integrate the source network DNS infrastructure with the DNS infrastructure required for the target Windows 2000 forest. If you are performing an intra-forest restructure, any DNS domains with writable zones in the source domain must be migrated to the target domain if these DNS domains will still be required after the restructuring.

The Effect of a Restructure on DNS Services

If you deploy your current DNS infrastructure by using Windows NT 4.0, you must plan to immediately move the primary zones to Windows 2000 to provide support for SRV (service) resource records that are required by Active Directory.
BIND 8.1.2 and later supports SRV resource records and dynamic updates and can be used to support Active Directory domains. The approach you take to ensure ongoing DNS name resolution during the migration phase depends on the name of the Active Directory root domain.

Matching Active Directory Domains to DNS Domains

If you plan to match the Active Directory domain name to the existing NT 4.0 DNS domain name, your restructure plan must include:

• Establishing a DNS server in the target Windows 2000 domain. This DNS server must be capable of storing the necessary SRV resource records for Active Directory and must also have the ability to accept dynamic updates.
• Configuring the Windows 2000 DNS server in the target forest as the primary DNS server for all existing zones. This is accomplished by first configuring the Windows 2000 DNS server as a secondary DNS server for the existing zone. After the existing zone data is transferred to the target Windows 2000 DNS server, its role can be switched to primary DNS server, and the source Windows NT 4.0 primary server must be converted to be a secondary DNS server for the zone.
• Promoting the Windows 2000 DNS server to be a domain controller for the target Active Directory domain. This will cause the registration of all necessary DNS resource records into the DNS zone data.
• Changing any primary DNS zones to Active Directory integrated zones in the target forest. Active Directory integrated zones will provide more fault tolerance and enable multi-master writes for the DNS zone data. In addition, secure dynamic updates can be implemented to prevent Internet Protocol (IP) spoofing.

Creating New DNS Domains That Host the SRV Resource Records

If you plan to create a new DNS domain to host the SRV resource records of the Active Directory domain, your restructure plan must include the following:

• Installing a DNS server in the target Windows 2000 domain.
  This DNS server will host all necessary zone resource records for Active Directory.
• Integrating Windows 2000 DNS server with the existing Windows NT 4.0 DNS servers. This can involve delegating NS (name server) resource records to Windows 2000 DNS zones that are sub-domains of existing Windows NT 4.0 DNS domains. In the case of separate DNS domains, this can involve either editing the root hints for the DNS implementation or creating secondary zones for the newly created domain under Windows NT 4.0 DNS.
• Moving the reverse lookup zones to the Windows 2000 DNS servers. This will take advantage of multi-master replication that exists within the Windows 2000 DNS server.

[...]

Some network applications or services, such as Microsoft Exchange 5.5, require access to network components, such as the SAM database. To access these components, a special user account, called a service account, is used to authenticate the application or service in the domain. Because these accounts are often defined both within the SAM database and within the application, special care must be taken...

(ADMT) is used to clone users, the new accounts are, by default, enabled, making it possible for a cloned user to log on with either the source account or the cloned account credentials. This can cause user and administrative confusion when configuration changes are applied to the source account rather than to the cloned account. Passwords are not migrated during an inter-forest domain restructure. Failed...

by altering the registry key to refer to the new primary SID for the user account. This functionality is not provided in ClonePrincipal or Netdom.

• Determine whether any manual configuration is required for the migrated profile. By default, all application-based data in the user profile is migrated to the target domain. If additional configuration is required for third-party applications that store configuration...
the ADC will be installed. To attain the best performance, the ADC should be installed on a Windows 2000-based member server that is on the same physical network segment as a global catalog server and the Exchange 5.5 bridgehead server.

• Configure the ADC connection agreement. In the ADC, a CA can be configured to define how data will be shared or synchronized between Exchange and Active Directory, in...

When accounts are cloned from a source domain to a Windows 2000 target domain during an inter-forest restructure, user passwords are not maintained. Authentication issues can arise due to this fact.

The Effect of a Restructure on User Authentication

To perform migration operations, trust relationships must be created and maintained between the source and target domains. If the Active Directory Migration...

to change these mappings to point to the cloned accounts or new servers that will host the application. If the account information is not reconfigured correctly, an application may no longer operate. The hard-coded configuration will require manual reconfiguration to allow the application to continue to function as before.

Resolving Hard-Coded Account Settings During a Migration

To ensure that hard-coded...

information page. Be sure to click Migrate all service accounts and update the Service Control Manager for items that include the On the machines where they reside option. This will ensure that all service account entries are now changed to the cloned accounts from the original source accounts.

• Migrate groups assigned special rights to the target domain. You must clone any administrator-created local groups...
whether to use xcopy or robocopy to perform the synchronization between the FRS and LAN Manager Replication topologies. The bridge between the LAN Manager Replication service and FRS requires that an FRS system act as the master copy of the NETLOGON contents. All editing to the contents must be performed in the target domain's NETLOGON share after the bridge has been established.

Tip: Robocopy is generally...

required during or after a restructure to support migrated clients, integrate the WINS topology of the source domain with that of the target domain. To ensure that all accounts will have access to all resources on the network:

• Configure at least one Windows 2000 WINS server in the target domain as a push/pull replication partner with a WINS server in the source domain. This will ensure that clients in either...

Exchange Server to a New Domain on the Student Materials compact disc.

• Determine steps to change hard-coded settings. The solution to hard-coded settings may require specific registry and configuration changes. Finding these changes may require searching through knowledge base articles and contacting the software manufacturer. In worst-case scenarios, reconfiguration may require you to reinstall the application.
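
The DNS role switch described under "Matching Active Directory Domains to DNS Domains" (secondary first, zone transfer, switch to primary, then promotion to domain controller) can be gated on two checks: that the Windows 2000 secondary holds the same zone data as the NT 4.0 primary, and that the SRV records appear after promotion. The following is an added example, not part of the courseware; the zone dumps, example.test, the host names and the function names are constructed for illustration, and REQUIRED_SRV is a subset of the SRV owner names a domain controller registers.

```python
# Added example: readiness checks for the DNS role switch. All zone data is
# constructed; example.test, the host names and addresses are placeholders.

REQUIRED_SRV = (  # subset of the SRV owner names a domain controller registers
    "_ldap._tcp", "_kerberos._tcp",
    "_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs", "_ldap._tcp.pdc._msdcs",
)

SOURCE = """\
example.test. 3600 IN SOA ns-nt4.example.test. hostmaster.example.test. 2000061502 900 600 86400 3600
example.test. 3600 IN NS ns-nt4.example.test.
ns-nt4.example.test. 3600 IN A 192.0.2.10
files.example.test. 3600 IN A 192.0.2.20
mail.example.test. 3600 IN A 192.0.2.25   ; added after the last transfer
"""
# Secondary that has not yet pulled serial 2000061502.
STALE_SECONDARY = "\n".join(SOURCE.splitlines()[:4]).replace("2000061502", "2000061501")
# Zone after promotion, with one registration (the PDC locator) still absent.
PROMOTED = SOURCE + "".join(
    f"{name}.example.test. 600 IN SRV 0 100 {port} dc1.example.test.\n"
    for name, port in zip(REQUIRED_SRV[:4], (389, 88, 389, 88)))

def parse_zone(text):
    """Parse 'owner TTL class type rdata' lines into a set of (owner, type, rdata)."""
    records = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if line:
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            records.add((owner.lower().rstrip("."), rtype.upper(),
                         " ".join(rdata.lower().split())))
    return records

def soa_serial(records):
    """Return the SOA serial (third rdata field), or None when no SOA is present."""
    for _owner, rtype, rdata in records:
        if rtype == "SOA":
            return int(rdata.split()[2])
    return None

def transfer_problems(source, target):
    """Reasons the target secondary is not yet safe to make primary."""
    problems = []
    if soa_serial(source) != soa_serial(target):
        problems.append(f"serial mismatch: {soa_serial(source)} vs {soa_serial(target)}")
    for owner, rtype, rdata in sorted(source - target):
        if rtype != "SOA":  # a differing SOA is already reported via the serial
            problems.append(f"missing on target: {owner} {rtype} {rdata}")
    return problems

def missing_dc_srv(records, domain):
    """Required SRV owner names absent from the zone after DC promotion."""
    present = {owner for owner, rtype, _rdata in records if rtype == "SRV"}
    return [f"{p}.{domain}" for p in REQUIRED_SRV if f"{p}.{domain}" not in present]

if __name__ == "__main__":
    src = parse_zone(SOURCE)
    print(transfer_problems(src, parse_zone(STALE_SECONDARY)))
    print(missing_dc_srv(parse_zone(PROMOTED), "example.test"))
```

An empty list from transfer_problems is the condition for switching roles; an empty list from missing_dc_srv is the condition for treating the promotion as complete.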

Posted: 24/01/2014, 19:20
