
Document: Module 3: Developing a Domain Upgrade Strategy (doc)


Document information

Pages: 44
Size: 1.47 MB

Contents

Overview
Introduction to Developing a Domain Upgrade Strategy
Analyzing an Active Directory Design
Planning a Domain Upgrade
Lab A: Developing a Domain Upgrade Strategy
Review

Module 3: Developing a Domain Upgrade Strategy

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, MS, Windows, Windows NT, Active Directory, and Windows 2000 are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Project Lead/Instructional Designer: Sangeeta Garg (NIIT (USA) Inc.)
Lead Program Manager: Angie Fultz
Instructional Designer: Robert Deupree (S&T OnSite)
Subject Matter Expert: Brian Komar (3947018 Manitoba Inc)
Technical Contributors: John Pritchard, Greg Parsons, David Cross, Rodney Fournier, Tony de Freitas, Christoph Felix, Shaun Hayes, Megan Camp, Richard Maring, Glenn Pittaway, Anne Hopkins, Bob Heath, Jeff Newfeld, Jim Glynn, Paul Thompson (Mission Critical Software, Inc.), David Stern, Lyle Curry, Steve Tate, Bill Wade (Wadeware LLC).
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T Onsite)
Testers: Testing Testing 123
Instructional Design Consultants: Susan Greenberg, Paul Howard
Instructional Design Contributor: Kathleen Norton
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editors: Marilyn McCune (Sole Proprietor), Wendy Cleary (S&T OnSite), Jane Ellen Combelic (S&T OnSite)
Copy Editor: Shawn Jackson (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Onsite)
Multimedia Development: Kelly Renner (Entex)
Courseware Testing: Data Dimensions, Inc.
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T Onsite)
Manufacturing Support: Laura King (S&T Onsite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Managers: Dean Murray, Ken Rosen
Group Product Manager: Robert Stewart

Instructor Notes

This module provides students with the ability to analyze their Microsoft® Active Directory™ directory service design goals and successfully plan an upgrade strategy. The module starts by looking at the factors to consider when examining the Active Directory design and then provides a step-by-step methodology for creating an upgrade plan.
Presentation: 60 Minutes
Lab: 60 Minutes

At the end of this module, students will be able to:
• Examine the Active Directory design of an organization.
• Plan a domain upgrade to Active Directory.

Lab A, Developing a Domain Upgrade Strategy, is a scenario-based planning lab. The students will collect information concerning the current domain model, DNS infrastructure, and proposed site topology. Based on the information gathered, the students will then work in groups to design an upgrade strategy that meets the business needs of the scenario presented. The instructor will keep discussions and decisions regarding mapping designs focused on business needs.

Materials and Preparation

This section provides you with the required materials and preparation tasks that are needed to teach this module.

Required Materials

To teach this module, you need the following materials:
• Microsoft PowerPoint® file 2010A_03.ppt
• Module 3, “Developing a Domain Upgrade Strategy”

Preparation Tasks

To prepare for this module, you should:
• Read all of the materials for this module.
• Read all the delivery tips.
• Complete the lab.
• Read the white paper, “Planning Migration from Microsoft Windows NT to Microsoft Windows 2000,” on the Student Materials compact disc.
• Read chapter 9 of the Windows 2000 Server Deployment Planning Guide, “Planning the Active Directory Structure,” on the Student Materials compact disc.
• Read chapter 10 of the Windows 2000 Server Deployment Planning Guide, “Determining Domain Migration Strategies,” on the Student Materials compact disc.
• Read chapter 13 of the Windows 2000 Server Deployment Planning Guide, “Automating Server Upgrade and Installation,” on the Student Materials compact disc.
• Read the white paper, “Automating the Windows 2000 Upgrade,” on the Student Materials compact disc.
• Read the file, “Windows 2000 Operating System Comparison Chart,” on the Student Materials compact disc.

Module Strategy

Use the following strategy to present this module:

• Introduction to Developing a Domain Upgrade Strategy
The module begins with a summary of what a domain upgrade is and what it accomplishes. Provide an overview of the upgrade planning process.

• Analyzing an Active Directory Design
The Active Directory design is the goal of the migration project: the final, ideal infrastructure. In previous migration planning steps, the Active Directory design was examined to ensure goal alignment. After an organization selects domain upgrade as a migration path, the plans for Active Directory should be re-examined to provide focus for the upgrade planning process and ensure that the goals of that design are incorporated in the domain upgrade plan. This section serves as a sort of pre-upgrade planning checklist, because any issues that are uncovered in this examination must be resolved prior to proceeding with the planning of the upgrade.

Begin by explaining the need for examining the Active Directory design and what this examination involves. Explain the planning considerations involved when examining the forest design, site design, and administrative and security plan.

Emphasize that a single-forest environment is the simplest to create in an upgrade scenario. Upgrading to multiple forests, by contrast, is complicated and requires careful analysis, because multiple-forest environments are commonly considered to solve politically based administrative issues. Ensure that students have a clear understanding of a forest and its components before discussing the impact of upgrading to a single- or multiple-forest environment.

Remind students that directory-aware applications store information in the Configuration container that applies forest wide.
For example, Active Directory stores information about the physical network in the Configuration container and uses the information to guide the creation of replication connections between domain controllers. The schema defines the objects that can be created in the forest. Remind students that the cost of adding a forest includes added domain and hardware maintenance, maintenance of multiple schemas and configuration containers, explicit trust maintenance if users require inter-forest access to resources, and end-user training to locate inter-domain resources.

Explain the need for validating the site design against current environment and migration goals, and how to resolve any conflicts that arise. Ensure that students have a clear understanding of sites and how upgrading affects site implementation (and vice versa). Emphasize that Active Directory–aware clients use sites to locate the closest domain controller for logon authentication, resource authorization, and global catalog searches. Explain that the site-link cost values determine the path that replication will take through your network.

Make sure that students understand that during the upgrade, there are essentially two environments to support, administratively. The upgrade plan must define how Active Directory will be administered during the upgrade and how the old administrative model will be phased out. While upgrade preserves permissions and security principals, domain upgrade can compromise security because transitive trusts allow administrators more freedom than one-way trusts allow. The upgrade plan should define transition measures and procedures to protect group membership and resource access.

• Planning a Domain Upgrade
This section describes the steps for planning the upgrade from Microsoft Windows NT® version 4.0 to Active Directory. During this section, students may have many questions about the impact an upgrade has on network services.
Tell them that the next module covers this information and defer their questions until then.

Begin by introducing the upgrade planning process and then show the video of Microsoft’s upgrade of their largest domain. The video demonstrates the ease of performing a domain upgrade, provided that proper planning has been done. As the video demonstrates, the only issue Microsoft encountered during upgrade was with accounts that were defined in a secondary application’s information store. Tell your students that this problem can be avoided if they follow the recommendations to document user accounts and information stores.

Explain the upgrade paths for computers running earlier versions of the Microsoft Windows® operating system. Make sure students understand all the components of creating a recovery plan that allows them to roll back to the pre-upgraded Windows NT domain.

Next, describe the guidelines for choosing the order of upgrading domains. Make sure students understand that any domain can be upgraded first, and subsequent domains can be upgraded in any order. If the domain hierarchy defined in the Active Directory design does not dictate the order, many other factors can help organizations determine the appropriate order.

Explain the order of upgrading domain controllers. Emphasize that the primary domain controller (PDC) is always the first domain controller to be upgraded. If an organization wishes to upgrade a computer designated as a backup domain controller (BDC) first, they must promote the BDC to the role of PDC first. You may wish to explain the upgrade process detailed in this section and include a brief explanation of the operations master roles that each upgraded PDC will, by default, be assigned.

Make sure students understand that most computer and domain configurations are preserved during the upgrade. Remind students that Active Directory requires an NTFS file system partition.
Also remind them that the Domain Name System (DNS) namespace planning is a part of developing the Active Directory design, and at least one DNS server is required to complete Active Directory installation. Tell students that the manner in which BDCs are upgraded is the same as in PDCs.

Explain the difference between mixed mode and native mode operations, emphasizing that the mode in which a domain runs does not affect client functionality. Switching to native mode does not require client computers to run Windows 2000. A native mode domain can consist of a mixed environment of many types of client operating systems. Help students understand the reasons why an organization might choose to stay in mixed mode, but encourage them to switch to native mode—the final Windows 2000 operational state—as soon as possible to realize the full benefit of Active Directory. Using the table in the student notes, discuss the Windows 2000 Server features available in mixed mode, and those available only by switching to native mode.

Overview

[Slide: Overview]
• Introduction to Developing a Domain Upgrade Strategy
• Analyzing an Active Directory Design
• Planning a Domain Upgrade

Upgrading a Microsoft® Windows NT® version 4.0 domain infrastructure to Microsoft Windows® 2000 allows an organization to take advantage of Windows 2000 features, such as improved security, easier management, and improved administration. Your upgrade strategy will vary depending on your migration goals, current network environment, and your Microsoft Active Directory™ directory service design goals. This module explains how to analyze your Active Directory design goals and provides a step-by-step methodology for creating an upgrade strategy.

At the end of this module, you will be able to:
• Examine the Active Directory design of an organization.
• Plan a domain upgrade to Active Directory.
Slide Objective: To provide an overview of the module topics and objectives.

Lead-in: In this module, you will learn about analyzing the Active Directory design goals and developing an upgrade strategy from Windows NT 4.0 to Windows 2000 Active Directory.

Introduction to Developing a Domain Upgrade Strategy

[Slide: Domain Upgrade]
• Determine an Active Directory Design
• Plan a Domain Upgrade

Domain upgrade can be gradual and performed without interrupting production operations. Upgrading is a process designed to maintain as much of your current environment as possible, and it accomplishes the following:
• Maintains the existing Windows NT 4.0 domain model.
• Maintains access to Windows NT domains by using existing Windows NT downlevel trust relationships.
• Maintains user account passwords so that users log on to the same account domain by using the same password.
• Maintains compatibility with Windows NT domain controllers and servers.

The Active Directory design, completed prior to migration planning, is the goal of a domain upgrade. Before you can develop an upgrade plan, the Active Directory design must be examined to identify the goals for the future infrastructure. The goals must be incorporated into the upgrade strategy to ensure alignment of the Active Directory vision and upgrade goals, to ensure the desired Active Directory infrastructure will be achieved, and to prevent deployment conflicts.
Slide Objective: To provide an introduction to developing a domain upgrade strategy.

Lead-in: After you have considered the overall issues involving your domain migration and created a plan for resolving any problems that arise, you can begin planning for a domain upgrade.

Provide a summary of what a domain upgrade is and what it accomplishes. Give an overview of the upgrade planning process.

Analyzing an Active Directory Design

[Slide: Single vs. Multiple Forest; Site Design (Site X, Site Y, Site Z); Administration and Security Plans (Computers, Users, Domain)]

During the initial stages of developing a migration strategy, you identified your business and migration goals. If the outcome of this process led you to decide that upgrading your Windows NT 4.0 domain model is the preferred approach to achieving the infrastructure in your Active Directory design, you need to examine the proposed Active Directory structure to:
• Determine whether the design proposes a single-forest or a multiple-forest environment, and whether the design will solve any administrative issues.
• Examine the site design to identify and address any issues that may present barriers to upgrading your domain model, and ensure that it does not impact your ability to meet your migration goals.
• Examine the administration and security plans to determine when to make the new features available in the upgraded environment so that the upgrade process is not disrupted, the order in which the features will be deployed, and what must be validated in the test environment.
During an upgrade, it is critical to protect the business and migration goals in a way that ensures the successful deployment of the Active Directory design

[Slide: Upgrading to a Single Forest; Upgrading to a Multiple Forest. Bullets: Simple to Create; Unified View of Directory; Requires Additional Configuration and Administration; Needs Careful Examination]

One of the first tasks in analyzing the Active Directory design is to determine whether there is a need for a single forest or multiple forests.

Upgrading to a Single-Forest Environment

A single-forest environment is simplest to create and maintain in an upgrade migration scenario. The first domain that is upgraded becomes the Active Directory forest root. As additional domains are upgraded to the forest, no additional trust configuration is required. Because a global catalog is used to present users with a unified view, users do not need to be aware of the Active Directory hierarchy.

Upgrading to a Multiple-Forest Environment

Because forests have shared elements, such as schemas, it is necessary for all the administrators of a forest to agree on the content and administration of those shared elements. Organizations may require multiple forests in the upgraded environment to:
• Prevent cross-divisional administration. For example, some organizations with distinct divisions may require a decentralized administrative model, which completely separates the administrators of each division.
• Accommodate the differences in the way administrators want to manage the forest-wide Active Directory components. For example, if administrators disagree on how to manage the schemas or forest-wide group membership, multiple forests may be defined.
• Restrict resource access and resource assignment provided by transitive trusts. Within a forest, default transitive trusts between domains allow resource permissions to be assigned to users from any domain in the forest.
Between forests, the absence of default trusts prevents domain administrators from assigning resource permissions to security principals outside their forests.

Slide Objective: To explain the considerations in determining a forest design.

Lead-in: A single-forest environment is simplest to create in an upgrade scenario. Upgrading to multiple forests, by contrast, is more complicated and requires careful examination.

Discuss the impact of upgrading to single- and multiple-forest environments.

[...]

... current implementation of Exchange 5.5 will be upgraded one year after the domain upgrade.

Are any domains reaching the upper limits of the SAM database? Yes, the Toronto domain has a SAM size of approximately 30 megabytes (MB).

Are any domains targets for restructure? Not at this time.

Are any network or line-of-business applications incompatible with Windows 2000? No, all applications have been successfully...

[Slide: Backup]

It is important that you develop a recovery plan to prevent accidental data loss during upgrade. This plan should include details of how you will back up domain controllers, applications, and other data before and during the upgrade. To ensure that a domain can be rolled back to its pre-upgrade state, your recovery plan should, at a minimum, include the following steps:

1. Add a BDC to any...

Account Domains

[Slide: Upgrading Resource Domains (nwtraders.com)]
• Domains where you have easiest access to the domain controllers
• The smallest domain first
• Domains that will contain objects from restructured domains

Use the slide to explain the...
NT domain that contains only a single domain controller. By doing this, you ensure that the domain does not become orphaned if the PDC upgrade fails.

2. Document the configuration of any services and applications running on the PDC and the BDCs of a domain targeted for an upgrade, such as file and print services, DHCP, or DNS.

3. Back up all services and applications to tape, and then test the backup tapes...

requires a dedicated forest root, your upgrade plan must include steps for creating an additional, dedicated domain to serve solely as the forest root. The creation of this domain needs to occur before any actual upgrades are performed.

• Upgrading an existing domain to the forest root. If the Active Directory design does not define a dedicated domain, an existing Windows NT 4.0 domain can be upgraded as the...

[Slide: nwtraders]
• Domains in which applications require Windows 2000 features
• Domains with many workstations
• Domains that will contain objects from restructured domains

After you have created a recovery plan, your next step is to determine which domain...

which to upgrade them:
• Domains in which applications require Windows 2000 features. First, you should upgrade domains where you are deploying applications that demand Windows 2000 infrastructure or features, such as the Active Directory required by Microsoft Exchange 2000.
• Domains with many workstations. Next, you should upgrade domains with many workstations, so that you can take advantage of Windows...

support the Paris domain. Four domain controllers, including the PDC, support the resource domain, Nwtres.

Are any domain controllers not physically accessible? The PDC of each domain resides in a secured area of the data center in each location.

How many domain controllers does the Active Directory design require to support each domain?
Additional domain controllers, beyond what exist today, are not required...

supporting details.

[Slide: Native Mode Domain]

Once all domain controllers have been upgraded, you can leave the domain operating in mixed mode indefinitely; or, you can move it to the final operational state known as the native mode, which increases functionality and eases the further consolidation of domains. Understanding your current environment, your migration goals, and the advantages of native mode will help...

upgraded all domain controllers to Windows 2000 Server, you can then choose to move the domain to native mode. Native mode is the final operational state of a Windows 2000 Server domain, and is manually enabled by setting a switch in Active Directory Domains and Trusts. While this mode enables a user to take full advantage of all Windows 2000 Server features, it is important to plan its implementation carefully.
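The module states that within a forest default transitive trusts allow resource permissions to be assigned to users from any domain, which is why an upgrade can widen access compared with one-way Windows NT trusts. The following added example (not part of the courseware) models that effect per upgrade step so the plan can list which domain pairs need review; the trust relationships between NWTRES, TORONTO and PARIS are constructed sample data, and the model assumes all upgraded domains join a single forest while trusts to not-yet-upgraded domains stay explicit and non-transitive.

```python
from itertools import permutations

# Constructed sample data: explicit NT 4.0 trusts as (trusting, trusted) pairs.
# "A trusts B" means accounts from B can be assigned permissions on resources in A.
NT4_TRUSTS = {
    ("NWTRES", "TORONTO"),
    ("NWTRES", "PARIS"),
}


def assignable_pairs(explicit_trusts, forest_members):
    """Return the (resource_domain, account_domain) pairs where an administrator
    of resource_domain can assign permissions to accounts from account_domain.
    A pair means assignment is possible, not that access has been granted."""
    # Existing one-way, non-transitive trusts are preserved by the upgrade.
    pairs = set(explicit_trusts)
    # Assumption: every upgraded domain joins one forest, where default
    # transitive trusts connect each pair of domains in both directions.
    pairs |= set(permutations(sorted(forest_members), 2))
    return pairs


def new_exposure_by_stage(explicit_trusts, upgrade_order):
    """For each upgrade step, list the pairs that become assignable only
    because of that step. These are the pairs the upgrade plan should review
    for group membership and resource access."""
    report = []
    forest = set()
    current = assignable_pairs(explicit_trusts, forest)
    for domain in upgrade_order:
        forest.add(domain)
        after = assignable_pairs(explicit_trusts, forest)
        report.append((domain, sorted(after - current)))
        current = after
    return report


if __name__ == "__main__":
    for domain, added in new_exposure_by_stage(NT4_TRUSTS, ["TORONTO", "PARIS", "NWTRES"]):
        print(f"After upgrading {domain}:")
        if not added:
            print("  no new trust paths")
        for resource_domain, account_domain in added:
            print(f"  {resource_domain} can now assign permissions to {account_domain} accounts")
```

Running the same function with a different upgrade order shows how the choice of order changes when each new trust path appears, even though the final set is the same.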

Posted: 18/01/2014, 05:20