Chapter 10: Putting the Enterprise Network into Production 449 Tip&Tec / Windows Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 10 Figure 10-1 The User, Data, and PC Migration Process P:\010Comp\Tip&Tec\343-x\ch10.vp Monday, March 24, 2003 1:53:02 PM Color profile: Generic CMYK printer profile Composite Default screen Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com  NOTE Using a commercial migration tool avoids many of the migration hassles because it takes all of these situations into account. Using the Active Directory Migration Tool The ADMT offers several features for the support of the Parallel Network Migration Approach. It is fairly simple to use. Its installation is based on a Windows Installer file (as are the Support Tools, the Resource Kit, the Group Policy Management Console, and other WS03 add-ons and installable components) that is located on the WS03 CD in the |i386|ADMT folder. Simply double-click on the ADMIGRATION.MSI file for installation. Once it is installed, you can launch the ADMT console by moving to Administrative Tools and selecting Active Directory Migration Tool. You need Enterprise Administrator rights to be able to use this tool. The operation of the ADMT basically consists of right-clicking on Active Directory Migration Tool to access the context menu and selecting the appropriate wizard to operate. ADMT offers several wizards: • User Account Migration • Group Account Migration • Computer Migration • Service Account Migration • Security Translation • Trust Migration • Group Mapping and Merging • Exchange Directory Migration • Reporting The operation of the wizards is straightforward. You need to identify the source domain, the target domain, the objects you want to migrate, the container you want to migrate them to, and how you want to perform the migration. In addition to performing account or group migration, ADMT supports migration of Exchange objects such as user mailboxes, distribution lists, and so on. ADMT also migrates trust relationships between domains and it can perform group mapping or merging.  CAUTION The ADMT should be run in test mode first. Choosing this mode allows you to test migration results before actually performing the operation. Simply select “Test the migration settings and migrate later?” when you use one of the wizards. 450 Windows Server 2003: Best Practices for Enterprise Deployments Tip&Tec / Windows Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 10 P:\010Comp\Tip&Tec\343-x\ch10.vp Monday, March 24, 2003 1:53:03 PM Color profile: Generic CMYK printer profile Composite Default screen Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com The best way to use ADMT in the Parallel Network Migration Process is to migrate groups of users. When ADMT migrates a group, it can also migrate the users that are contained within that group, making it easier for you to determine what to migrate. But before you can move users and computers from one network to another, you need to ensure that the data you will migrate will be filtered and that all obsolete records will be removed. You don’t want to input obsolete data into your brand new WS03 network! Creating Domain Data Reports To filter data from your source domain, you need to use ADMT’s Reporting Wizard. This reporting tool can support the creation of several different report types to summarize the results of your migration operations: • Migrated Users and Groups • Migrated Computers • Expired Computers • Impact Analysis • Name Conflicts The Expired Computers report lists the computers with expired passwords. Name Conflicts does the same with potential objects that will have the same name in the target domain. The report that allows you to identify obsolete objects is the Impact Analysis report. It provides a detailed list of the user, group, and computer objects that are found in your source domain. You can use this report to identify what must be removed from this database. You can perform this removal in several ways: • You can remove the objects from the source domain, and then migrate the accounts. • You can create new groups that contain only valid objects in the source domain and migrate objects by using these groups. • You can move the accounts to a specific OU, clean them up, and then move them to their destination OUs.  NOTE Reports must be generated before you can view them. Many reports are generated from information that is collected from computers throughout your network. This will impact their performance, therefore you may decide to use dedicated servers for this function. Also, reports are not dynamic; they are point in time reports and must be regenerated to get an updated picture. The last approach may be your best bet since the ADMT will allow you to control the way accounts are treated after the migration. In fact, you can ensure that no account is activated until you perform a cleanup operation on the newly migrated accounts. Chapter 10: Putting the Enterprise Network into Production 451 Tip&Tec / Windows Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 10 P:\010Comp\Tip&Tec\343-x\ch10.vp Monday, March 24, 2003 1:53:03 PM Color profile: Generic CMYK printer profile Composite Default screen Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com  NOTE The ADMT is also available from http://www.microsoft.com/windows2000/downloads/tools/admt/ default.asp. In addition, you can refer to Chapter 9 of the Microsoft Domain Migration Cookbook for more information on account and other object migration at http://www.microsoft.com/technet/ prodtechnol/windows2000serv/deploy/cookbook/cookchp9.asp. Finally, a summary of the operations required to run ADMT can be found in the Microsoft Knowledge Base article number Q260871 at http://support.microsoft.com/default.aspx?scid=KB;en-us;260871&. Special ADMT Considerations There are a few items you must keep in mind when using the ADMT. The first is related to the security identifier (SID). As mentioned earlier, all of a user’s data is associated with the SID that represents the user at the time the object is created. Thus all of a user’s data will be associated with the user’s legacy SID. When you transfer this data to the new network, you must use a special technique that will either carry over the user’s legacy SID or translate the SID on the object to the user’s new SID (the one generated by the new network). The best way to do this is to ensure that the user’s legacy SID is migrated to the new domain (using the appropriate check box in the Account Migration wizards) and then to use SID translation. The latter is performed through the use of the ADMT’s Security Translation Wizard. But in order for security translation to work properly, you must make sure that all of a user’s data has been migrated to the new network first, otherwise you will need to perform the SID translation again once this is done. 452 Windows Server 2003: Best Practices for Enterprise Deployments Tip&Tec / Windows Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 10 P:\010Comp\Tip&Tec\343-x\ch10.vp Monday, March 24, 2003 1:53:03 PM Color profile: Generic CMYK printer profile Composite Default screen Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com It is also important to note that for SID history migration to work, a Password Export Server (PES) is required. The PES is installed on a domain controller in the legacy network. It is best to use a dedicated server for this operation because it is resource intensive. Therefore, you must stage a new domain controller (BDC in Windows NT or simply a DC in Windows 2000) and dedicate it to this task. Installing the PES is simply a matter of launching the PES installation file found in the PWDMIG folder under ADMT on the WS03 installation CD. This installation will also support password migration if this is what you choose to do (you can also regenerate passwords during the migration). There is no doubt that password migration is easiest on your users even if you force them to reset passwords at their first login to the network. It is also more secure than password regeneration because in regeneration mode, you must find a private way to communicate the new password to users. This can be an opportunity for account theft. Your network also needs to meet the following conditions before you can perform password migration or SID translation: • Auditing must be enabled on the source domain. If it isn’t, ADMT will offer to turn it on during the migration. • Your target domain must be in native mode, but this shouldn’t be an issue since it was set to native mode during its creation in Chapter 4. • You must also activate legacy access in the target domain by inserting the Everyone group into the Pre-Windows 2000 Compatible Access group.  CAUTION It is recommended to activate legacy access only for the duration of a migration operation and to deactivate it as soon as the operation is complete because it is a potential security risk. This means that you activate it, perform a user or group migration, and then deactivate it. Do not activate it for the duration of the domain migration because this can last quite a while depending on your migration strategy and the size of the legacy domain. There are other prerequisites you must take care of before performing a migration (such as service pack level for the source domain machines). ADMT will also require some additional settings, but it can automatically perform the modifications during a migration operation. Thus, you can use the ADMT to perform most of the operations identified above to support your network migration, including: • Create a source domain object report for filtering purposes. • Migrate user accounts, groups and computer accounts (if the systems are already running Windows XP or at the very least Windows 2000). • Perform security translations to give users access to their data. The only operation it does not handle is the migration of user data that is stored on network shares. As mentioned earlier, it is important to migrate user data before you perform security translations. Chapter 10: Putting the Enterprise Network into Production 453 Tip&Tec / Windows Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 10 P:\010Comp\Tip&Tec\343-x\ch10.vp Monday, March 24, 2003 1:53:03 PM Color profile: Generic CMYK printer profile Composite Default screen Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Transferring Networked User Data Migrating networked user data will involve the copying of data found on server shares within the legacy network. It should include public, group, project, and user data. User data should include home directory data if they were in use within the legacy network. This operation consists mostly of relocating shared data from one network onto the other. In most cases, it will mean moving the data from a specific share on one server to the same share on another server. This may even give you the opportunity to consolidate server processes and regroup file shares on fewer servers. In addition, if you used the practices provided in Chapter 7, you will be now using DFS shares instead of mapped drives. Thus you will have to ensure that your migration program includes a user information program showing them how to access the new shares. This user information program should also include the procedure to use to access personal user data because this process has changed. The parallel network no longer uses the home directory concept. It uses redirected folders. There is a catch, though: redirected user folders are not created until the user has logged on at least once (in fact, three times before the redirection process is complete). You cannot simply move the user’s home folder files from one server to another because the user’s destination folder won’t be created until later. Thus, you must devise a special personal user Data Migration Strategy. There are three possibilities: • You can ask all users to move all of their home directory files into their My Documents folders on their desktop. Then, when they migrate to the new network and log on for the first time, the contents of their My Documents folders will automatically be moved to the new shared folder thanks to the Folder Redirection Group Policy. This process will require two additional logons before completion if you are using Fast Logon Optimization. • If you need to stage PCs because they are not running either Windows XP or Windows 2000, you can add an operation to the User State Migration process since it will be required on all systems. The operation you need to add is similar to the first approach: script a process that takes all of a user’s home directory data and copies it to the My Documents folder before 454 Windows Server 2003: Best Practices for Enterprise Deployments Tip&Tec / Windows Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 10  QUICK TIP Now that your new network is using DFS, it will support simplified migrations since you can ensure that all networks use the same DFS naming strategy.  QUICK TIP You may consider turning off Fast Logon Optimization for the duration of the migration in order to simplify the creation of redirected folders. P:\010Comp\Tip&Tec\343-x\ch10.vp Monday, March 24, 2003 1:53:03 PM Color profile: Generic CMYK printer profile Composite Default screen Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Chapter 10: Putting the Enterprise Network into Production 455 Tip&Tec / Windows Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 10 performing the backup portion of the USMT. The data will automatically be redirected when the recovery portion of the USMT runs at a user’s first logon to the new network and the Folder Redirection GPO is applied. • You can migrate data to a holding folder and, using a special one-time logon script, move the files to the user’s newly created redirected folder once the user is logged on and the Group Policy has been applied. Of these three strategies, the third is the best, though it requires operations that occur during a user’s first logon. The first would also work, but it has a major flaw: you must rely on operations that are out of your control for the process to complete. It will not work unless you have a well-trained user base and you provide them with excellent instructions. The second only works if the user’s PCs must be staged. Thus, if your network does not meet these two conditions, you must use the third option. Finally, you may need to migrate Roaming User Profiles if they were in use in the legacy network. Remember that the new network does not use Roaming Profiles, but relies on Folder Redirection instead. To migrate Roaming Profiles, simply turn the feature off in the legacy network (only for users targeted for migration). The profile will return to the local machine. If the machine is already running Windows XP or 2000, the profile will automatically be transformed to Folder Redirection when the machine is joined to the new domain and the user logs on because the GPOs will activate Folder Redirection. If the machine needs to be staged, the profile will be captured through the use of the User State Migration Tool. Using a Commercial Migration Tool The ADMT is a very powerful tool, especially in its second edition, but it does not do everything in a migration. If you find that you have several thousands of users and several gigabytes of data to migrate in multiple locations, you may decide that using the ADMT is not enough. In this case, you may decide to use a commercial migration tool. There are several on the market and all of them include the capability to migrate both accounts or other directory objects and networked user data. Thus, using a commercial migration tool facilitates the migration process because it offers professional tools and support for every aspect of this process. The NetIQ Migration Suite is the product suite upon which is based on the Active Directory Migration Tool. When you begin to use the Domain Migration Administrator (DMA), you will see the similarities between both products. But there are subtle differences. While DMA also supports the migration of user accounts, groups, and computer accounts from one domain to another, it does so in a much more intelligent way. For example, during the migration of accounts, you can tell DMA to ignore accounts in the source domain that have been marked as disabled, performing a database cleanup as you perform the migration instead of having to do it beforehand or afterwards as with the ADMT. It also provides more comprehensive reports when analyzing source domain data. It provides better support for Microsoft Exchange migrations. Finally, it provides extensive cleanup capabilities. For example, it will allow you to remove SID histories from your target network once all the security translations are performed. P:\010Comp\Tip&Tec\343-x\ch10.vp Monday, March 24, 2003 1:53:03 PM Color profile: Generic CMYK printer profile Composite Default screen Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com In addition, the NetIQ suite includes Server Consolidator, a tool that is designed to migrate files, folders, shares, printers and printer settings, and the appropriate access permissions from one server to another. It is not only designed to migrate data, but also to help in the consolidation process, allowing you to regroup resources on larger servers and even Server Clusters.  NOTE More information on the NetIQ Migration Suite can be found at http://www.netiq.com/products/ migrate/default.asp. Commercial tools such as NetIQ’s DMA and Server Consolidator can be expensive, but there are ways to reduce costs for their use. For example, Microsoft Consulting Services (MCS) has a special usage license for these products. If you hire an MCS consultant to assist in your migration, they may be able to provide you with the Migration Suite under certain circumstances. Another way to acquire the Migration Suite is to acquire other products from NetIQ. For example, if you acquire the NetIQ Administration Suite—a set of tools that is designed to assist ongoing administration of WS03 networks, you may be able to obtain the Migration Suite for free. NetIQ isn’t the only provider of such tools. Several other manufacturers offer migration support tools. Both Aelita Software (http://www.aelita.com/products/ControlledMigration.htm) and Quest Software (http://www.quest.com/solutions/microsoft_infrastructure.asp#deploy) offer very powerful migration and administration tools. Both also offer programs that give you access to their migration suites at special rates. 456 Windows Server 2003: Best Practices for Enterprise Deployments Tip&Tec / Windows Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 10 P:\010Comp\Tip&Tec\343-x\ch10.vp Monday, March 24, 2003 1:53:04 PM Color profile: Generic CMYK printer profile Composite Default screen Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com  NOTE Microsoft offers information on products that integrate with WS03 and support migrations at http:// www.microsoft.com/windows2000/partners/amatlsrv.asp. Decommissioning the Legacy Network Once everything has been migrated from the legacy network to the new network, you can proceed with the decommissioning of the legacy network. This process involves the following tasks: 1. Begin by removing embedded groups. You only need to do this in the new domain. Thus, you can remove Legacy Global groups from your production Domain Local groups. 2. Remove the trust relationships. Once again, you only need to remove trusts from the new production domain. Use the AD Domains and Trusts console to perform this activity. 3. Now you can move on to the decommissioning of the legacy domain itself. But before you do so, it is a good idea to perform full backups of the PDC (if it is a Windows NT network) or the DC (if it is Windows 2000). 4. When the backups are complete, store them in a safe place, then shut down the legacy domain’s final domain controller (PDC or DC). 5. If you need to recover this server within the new network, you can reinstall it in a new role in your new production domain. But it is a good idea to hold on to this server as a backup for a while as you iron out the operation of the new network. You might consider having a celebration at this stage because you certainly deserve it. You and your migration team have done a lot of hard work preparing the new network and migrating every legacy resource to the new environment. Congratulations! Celebrations aside, it will also be a good idea for you to perform a post-migration review to ensure that you can reuse this process and improve upon it if you ever need it again. Revising the IT Role Structure As you prepared to place the new network online, you probably realized that a review of administrative and operational roles is also required. In fact, this review of operational roles focuses on the third quadrant of the Service Lifecycle illustrated in Figure 1-1 (in Chapter 1), Production, since the activities of the first two quadrants are now complete (Planning and Preparation). The operations outlined in the Production quadrant require a new organizational structure because many of them will be delegated to users who do not have administrative privileges. Chapter 10: Putting the Enterprise Network into Production 457 Tip&Tec / Windows Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 10 P:\010Comp\Tip&Tec\343-x\ch10.vp Monday, March 24, 2003 1:53:04 PM Color profile: Generic CMYK printer profile Composite Default screen Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com New and Revised AD IT Roles One of the areas where IT roles are modified the most is in terms of Active Directory management. If you’re migrating from Windows NT to Windows Server 2003, most of these roles are new. If you’re already using Windows 2000, you know that all of these roles are necessary. The relationship of AD IT roles is illustrated in Figure 10-2. This figure was originally drawn from the Microsoft Best Practice Active Directory Design for Managing Windows Networks guide (www.microsoft.com/windows2000/ techinfo/planning/activedirectory/bpaddsgn.asp), but has been enhanced with additional IT roles. The responsibilities of each role are outlined in Table 10-1. Depending on the size of your organization, you may combine roles. What is important here is that each function be identified within your IT group. It will also be important to ensure that no unnecessary privileges are given to administrators and operators within the Active Directory. 458 Windows Server 2003: Best Practices for Enterprise Deployments Tip&Tec / Windows Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 10 Figure 10-2 AD IT role relationships P:\010Comp\Tip&Tec\343-x\ch10.vp Monday, March 24, 2003 1:53:05 PM Color profile: Generic CMYK printer profile Composite Default screen Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com [...]... Responsibilities Forest Owner IT Planning and Enterprise Architecture Service Management Ensure that all forest standards are maintained within the forest Responsible for the forest schema Identify and document new standards Forest Administrator IT group Service Management Ensure that the forest is operating properly Responsible for the forest configuration Enforce all forest standards Responsible for Forest... Directory, 79, 100 104 , 115–116, 137 Application Servers, 345 backups, 442–443 enterprise networks infrastructure, 194–195 File Servers, 345 forest design, 100 groups, 260–266 Infrastructure Servers, 346 IT roles, 467 massive server installations, 75–76 migrations, 467 naming AD forests, 102 104 network services, 344–346 NLB clustering, 441–442 PCs OUs, 240–241 planning for WS03, 33 Print Servers, 345... State, 433–435 tools for, 430, 435–438 vs shadow copies, 295 WINS, 183 bandwidth Site Links, 128–129 WANs, 99 baselines, server, 426–428 best practices Active Directory, 79, 100 104 , 115–116, 137 Application Servers, 345 backups, 442–443 enterprise networks infrastructure, 194–195 File Servers, 345 forest design, 100 groups, 260–266 Infrastructure Servers, 346 IT roles, 467 massive server installations,... advantages of, 104 best practices, 109 –112 creating for production domain, 104 –112 delegation, 235 described, 81 design process, 104 107 Desktop, 214–216 External, 215–216 group-related, 245–246, 267–268 Index 481 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com hidden object, 342 Mobile Systems, 215–216 owners, 460 PC, 107 , 198–242 for PC management, 214–220 People, 108 109 , 266–282... policies, 97 templates for, 254–255 vendors, 254 ACPI (Advanced Configuration and Power Interface), 54 Acquisition Process stage, 7 ACS (Application Center Server) , 463 Active Desktop, 278–279 Active Directory (AD) best practices, 79, 100 104 , 115–116, 137 data management, 87 delegation in, 221–225 designing, 78–138 DNS and, 102 103 , 160 finding shares in, 304 forest/tree/domain strategy, 91 100 Implementation... e n t s inter-forest transfers, 147–148, 151 License Mode, 162–163 movetree command, 147 names, 94, 101 104 networks, 94 ongoing management of, 194 perimeter, 130–131 production, 95–96 security, 93–94 sharing items, 93–94 staging activities, 100 , 154–176 strategies for, 91 100 trusts, 94 utilitarian, 100 FQDN (fully qualified domain name), 101 FRS (File Replication System), 306–307, 310 FSMO (flexible... Network Infrastructure Server Configuration Checklist, 176–177 Network Infrastructure Servers configuring, 176–189 described, 26 installing, 176–177 RIS server role, 337–339 network interface cards (NICs), 143–145, 416 Network Load Balancing See NLB networks, 286–347 See also enterprise networks Application Servers, 324–329 Collaboration Servers, 337 enterprise See enterprise networks forests, 94 parallel... approach for the migration toward a new Windows Server 2003 enterprise network As such, it tried to focus on the best features WS03 has to offer for the enterprise Since you are only beginning to use this technology, you will surely discover additional ways to use it Learn from WS03 It is by far the most powerful operating system Microsoft has ever delivered Microsoft began the move toward the enterprise. .. domain modes, 85–86 domain name registrars, 101 domain names, 101 Domain Naming Master, 117, 169–170 Domain Naming System See DNS domain objects, 102 103 domain owner, 459 domain policies, 200–201 domain replication, 185–189 domain trusts, 94 domains design strategies, 97–99 forests and, 81 names, 102 103 production, 98–99 restructuring, 147–148 strategies for, 91 100 trust relationships, 91–92 DOS, 68... naming AD forests, 102 104 network services, 344–346 NLB clustering, 441–442 PCs OUs, 240–241 planning for WS03, 33 Print Servers, 345 production OU design, 109 –112 resiliency strategies, 441–443 restores, 442–443 schema modifications, 135 security, 404–405 security templates, 373–374 server clusters, 442 service positioning, 120 site topology design, 130 SOPs, 13–14 system recovery, 442 Terminal Servers, . wizards. 450 Windows Server 2003: Best Practices for Enterprise Deployments Tip&Tec / Windows Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 10 P:10CompTip&Tec343-xch10.vp Monday,. copies it to the My Documents folder before 454 Windows Server 2003: Best Practices for Enterprise Deployments Tip&Tec / Windows Server 2003: Best Practices for Enterprise Deployments / Ruest. rates. 456 Windows Server 2003: Best Practices for Enterprise Deployments Tip&Tec / Windows Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 10 P:10CompTip&Tec343-xch10.vp Monday,