To Our Valued Readers: In recent years, Microsoft’s MCSE program has established itself as the premier computer and networking industry certification. Nearly a quarter of a million IT professionals have attained MCSE status in the NT 4 track. Sybex is proud to have helped thousands of MCSE candidates prepare for their exams over these years, and we are excited about the opportunity to continue to provide people with the skills they’ll need to succeed in the highly competitive IT industry. For the Windows 2000 MCSE track, Microsoft has made it their mission to demand more of exam candidates. Exam developers have gone to great lengths to raise the bar in order to prevent a paper-certification syndrome, one in which individuals obtain a certification without a thorough understanding of the technology. Sybex welcomes this new philosophy as we have always advocated a comprehensive instructional approach to certification courseware. It has always been Sybex’s mission to teach exam candidates how new technologies work in the real world, not to simply feed them answers to test questions. Sybex was founded on the premise of providing technical skills to IT professionals, and we have continued to build on that foundation, making significant improvements to our study guides based on feedback from readers, suggestions from instructors, and comments from industry leaders. The depth and breadth of technical knowledge required to obtain Microsoft’s new Windows 2000 MCSE is staggering. Sybex has assembled some of the most technically skilled instructors in the industry to write our study guides, and we’re confident that our Windows 2000 MCSE study guides will meet and exceed the demanding standards both of Microsoft and you, the exam candidate. Good luck in pursuit of your MCSE!
Neil Edde Associate Publisher—Certification Sybex, Inc.
Software License Agreement: Terms and Conditions The media and/or any online materials accompanying this book that are available now or in the future contain programs and/or text files (the "Software") to be used in connection with the book. SYBEX hereby grants to you a license to use the Software, subject to the terms that follow. Your purchase, acceptance, or use of the Software will constitute your acceptance of such terms.
The Software compilation is the property of SYBEX unless otherwise indicated and is protected by copyright to SYBEX or other copyright owner(s) as indicated in the media files (the "Owner(s)"). You are hereby granted a single-user license to use the Software for your personal, noncommercial use only. You may not reproduce, sell, distribute, publish, circulate, or commercially exploit the Software, or any portion thereof, without the written consent of SYBEX and the specific copyright owner(s) of any component software included on this media.
In the event that the Software or components include specific license requirements or end-user agreements, statements of condition, disclaimers, limitations or warranties ("End-User License"), those End-User Licenses supersede the terms and conditions herein as to that particular Software component. Your purchase, acceptance, or use of the Software will constitute your acceptance of such End-User Licenses. By purchase, use or acceptance of the Software you further agree to comply with all export laws and regulations of the United States as such laws and regulations may exist from time to time.
Reusable Code in This Book The authors created reusable code in this publication expressly for reuse for readers. Sybex grants readers permission to reuse for any purpose the code found in this publication or its accompanying CD-ROM so long as all three authors are attributed in any application containing the reusable code, and the code itself is never sold or commercially exploited as a stand-alone product.
Software Support Components of the supplemental Software and any offers associated with them may be supported by the specific Owner(s) of that material but they are not supported by SYBEX. Information regarding any available support may be obtained from the Owner(s) using the information provided in the appropriate readme files or listed elsewhere on the media. Should the manufacturer(s) or other Owner(s) cease to offer support or decline to honor any offer, SYBEX bears no responsibility. This notice concerning support for the Software is provided for your information only. SYBEX is not the agent or principal of the Owner(s), and SYBEX is in no way responsible for providing any support for the Software, nor is it liable or responsible for any support provided, or not provided, by the Owner(s).
Warranty SYBEX warrants the enclosed media to be free of physical defects for a period of ninety (90) days after purchase. The Software is not available from SYBEX in any other form or media than that enclosed herein or posted to www.sybex.com. If you discover a defect in the media during this warranty period, you may obtain a replacement of identical format at no charge by sending the defective media, postage prepaid, with proof of purchase to:
SYBEX Inc. Customer Service Department 1151 Marina Village Parkway Alameda, CA 94501 (510) 523-8233 Fax: (510) 523-2373 e-mail: [email protected] WEB: HTTP://WWW.SYBEX.COM
After the 90-day period, you can obtain replacement media of identical format by sending us the defective disk, proof of purchase, and a check or money order for $10, payable to SYBEX.
Disclaimer SYBEX makes no warranty or representation, either expressed or implied, with respect to the Software or its contents, quality, performance, merchantability, or fitness for a particular purpose. In no event will SYBEX, its distributors, or dealers be liable to you or any other party for direct, indirect, special, incidental, consequential, or other damages arising out of the use of or inability to use the Software or its contents even if advised of the possibility of such damage. In the event that the Software includes an online update feature, SYBEX further disclaims any obligation to provide this feature for any specific duration other than the initial posting. The exclusion of implied warranties is not permitted by some states. Therefore, the above exclusion may not apply to you. This warranty provides you with specific legal rights; there may be other rights that you may have that vary from state to state. The pricing of the book with the Software by SYBEX reflects the allocation of risk and limitations on liability contained in this agreement of Terms and Conditions.
Shareware Distribution This Software may contain various programs that are distributed as shareware. Copyright laws apply to both shareware and ordinary commercial software, and the copyright Owner(s) retains all rights. If you try a shareware program and continue using it, you are expected to register it. Individual programs differ on details of trial periods, registration, and payment. Please observe the requirements stated in appropriate files.
Copy Protection The Software in whole or in part may or may not be copy-protected or encrypted. However, in all cases, reselling or redistributing these files without authorization is expressly forbidden except as specifically provided for by the Owner(s) therein.
I dedicate nearly everything I do to my wife and son, and the rest of our family for their loving support, and so this book is dedicated to them. But I also wish to dedicate this work to my students wherever they may be and hope that this humble offering helps them to attain their goals.
I would like to thank all of the wonderful people at Sybex for their support during this difficult process. Most especially, I would like to thank Neil Edde for giving me the opportunity to write this book; Elizabeth Hurley for her unwavering support in the face of adversity; also Judith Hibbard, Lisa Duran, Elizabeth Campbell, Linda Recktenwald, Judy Fung, and my wonderful technical editors Glenn Fincher, Robert Gradante, and Don Fuller. I'm sorry if I’ve missed anyone, as this was a huge undertaking and many talented people were involved at the various steps along the way. I sincerely hope that I will have the opportunity to work with all of you again in the future.
Microsoft’s new Microsoft Certified Systems Engineer (MCSE) track for Windows 2000 is the premier certification for computer industry professionals. Covering the core technologies around which Microsoft’s future will be built, the new MCSE certification is a powerful credential for career advancement. This book has been developed, in cooperation with Microsoft Corporation, to give you the critical skills and knowledge you need to prepare for one of the elective requirements of the new MCSE certification program for Windows 2000 Server. You will find the information you need to acquire a solid understanding of Windows 2000 Server migration, to prepare for Exam #70-222, Migrating from Microsoft® Windows NT® 4.0 to Microsoft® Windows® 2000, and to progress toward MCSE certification.
Why Become Certified in Windows 2000? As the computer network industry grows in both size and complexity, the need for proven ability is increasing. Companies rely on certifications to verify the skills of prospective employees and contractors. Whether you are just getting started or are ready to move ahead in the computer industry, the knowledge, skills, and credentials you have are your most valuable assets. Microsoft has developed its Microsoft Certified Professional (MCP) program to give you credentials that verify your ability to work with Microsoft products effectively and professionally. The MCP credential for professionals who work with Microsoft Windows 2000 networks is the new MCSE certification. Over the next few years, companies around the world will deploy millions of copies of Windows 2000 as the central operating system for their mission-critical networks. This will generate an enormous need for qualified consultants and personnel to design, deploy, and support Windows 2000 networks. Windows 2000 is a huge product that requires professional skills of its administrators. Consider that Windows NT 4 has about 12 million lines of code, while Windows 2000 has more than 35 million! Much of this code is needed to deal with the wide range of functionality that Windows 2000 offers.
Windows 2000 actually consists of several different versions:
Windows 2000 Professional: The client edition of Windows 2000, which is comparable to Windows NT Workstation 4, but also includes the best features of Windows 98 and many new features.
Windows 2000 Server/Windows 2000 Advanced Server: A server edition of Windows 2000 for small to mid-sized deployments. Advanced Server supports more memory and processors than Server does.
Windows 2000 Datacenter Server: A server edition of Windows 2000 for large, wide-scale deployments and computer clusters. Datacenter Server supports the most memory and processors of the three versions.
With such an expansive operating system, companies need to be certain that you are the right person for the job being offered. The MCSE is designed to help prove that you are.
As part of its promotion of Windows 2000, Microsoft has announced that MCSEs who have passed the Windows NT 4 core exams must upgrade their certifications to the new Windows 2000 track by December 31, 2001, to remain certified. The Sybex MCSE Study Guide series covers the full range of exams required for either obtaining or upgrading your certification. For more information, see the “Exam Requirements” section later in this Introduction.
Is This Book for You? If you want to acquire a solid foundation in migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000, this book is for you. You’ll find clear explanations of the fundamental concepts you need to grasp. If you want to become certified as an MCSE, this book is definitely for you. However, if you just want to attempt to pass the exam without really understanding Windows 2000, this book is not for you. This book is written for those who want to acquire hands-on skills and in-depth knowledge of Windows 2000. If your goal is to prepare for the exam by learning how to use and manage the new operating system, this book is for you. It will help you to achieve the high level of professional competency you need to succeed in this field.
What Does This Book Cover? This book contains detailed explanations, hands-on exercises, and review questions to test your knowledge. Think of this book as your complete guide to Windows 2000 Server migration issues. It begins by covering the most basic concepts, such as planning and preparing for the migration. Next, you will learn how to perform important tasks, including:
Setting up target domains
Performing domain upgrades as well as intra-forest and inter-forest migrations
Using migration tools
Backing out of a troubled migration
You also learn how to configure aspects of the Windows 2000 operating system, configure protocols and network services, and troubleshoot your migration. Throughout the book, you will be guided through hands-on exercises, which give you practical experience for each exam objective. At the end of each chapter, you’ll find a summary of the topics covered in the chapter, which also includes a list of the key terms used in that chapter. The key terms represent not only the terminology that you should recognize, but also the underlying concepts that you should understand to pass the exam. All of the key terms are defined in the glossary at the back of the study guide. Finally, each chapter concludes with 20 review questions that test your knowledge of the information covered. Two practice exams are included on the CD that accompanies this book, as explained in the “What’s on the CD?” section at the end of this Introduction.
The topics covered in this book map directly to Microsoft’s official exam objectives. Each exam objective is covered completely.
How Do You Become an MCSE? Attaining MCSE certification has always been a challenge. However, in the past, individuals could acquire detailed exam information—even most of the exam questions—from online “brain dumps” and third-party “cram” books or software products. For the new MCSE exams, this simply will not be the case. To avoid the “paper-MCSE syndrome” (a devaluation of the MCSE certification because unqualified individuals manage to pass the exams), Microsoft has taken strong steps to protect the security and integrity of the new MCSE track. Prospective MCSEs will need to complete a course of study that provides not only detailed knowledge of a wide range of topics, but true skills derived from working with Windows 2000 and related software products. In the new MCSE program, Microsoft is heavily emphasizing hands-on skills. Microsoft has stated that, “Nearly half of the core required exams’ content demands that the candidate have troubleshooting skills acquired through hands-on experience and working knowledge.” Fortunately, if you are willing to dedicate time and effort with Windows 2000, you can prepare for the exams by using the proper tools. If you work through this book and the other books in this series, you should successfully meet the exam requirements.
Exam Requirements Successful candidates must pass a minimum set of exams that measure technical proficiency and expertise:
Candidates for MCSE certification must pass seven exams, including four core operating system exams, one design exam, and two electives.
Candidates who have already passed three Windows NT 4 exams (70-067, 70-068, and 70-073) may opt to take an “accelerated” exam plus one core design exam and two electives.
Designing a Microsoft® Windows® 2000 Directory Services Infrastructure (Elective)
70-220 Designing Security for a Microsoft® Windows® 2000 Network (Elective)
70-221 Designing a Microsoft® Windows® 2000 Network Infrastructure (Elective)
70-222 Migrating from Microsoft® Windows NT® 4.0 to Microsoft® Windows® 2000 (Elective)
Any current MCSE electives (Elective): exams cover topics such as Exchange Server, SQL Server, Systems Management Server, Internet Explorer Administrators Kit, and Proxy Server (new exams are added regularly)
For a more detailed description of the Microsoft certification programs, including a list of current MCSE electives, check Microsoft’s Training and Certification Web site at www.microsoft.com/trainingandservices.
The Migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000 Exam The Migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000 exam covers concepts and skills required for migrating Windows NT 4.0 computers to Windows 2000 computers. It emphasizes the following areas of support:
Standards and terminology
Planning
Implementation
Troubleshooting
This exam can be quite specific regarding Windows 2000 requirements and operational settings, and it can be particular about how administrative tasks are performed in the operating system. It also focuses on fundamental concepts relating to Windows NT 4.0’s and Windows 2000’s operation. Careful study of this book, along with hands-on experience, will help you prepare for this exam.
Microsoft provides exam objectives to give you a very general overview of possible areas of coverage of the Microsoft exams. For your convenience, we have added in-text objectives listings at the points in the text where specific Microsoft exam objectives are covered. However, exam objectives are subject to change at any time without prior notice and at Microsoft’s sole discretion. Please visit Microsoft’s Training and Certification Web site (www.microsoft.com/trainingandservices) for the most current exam objectives listing.
Types of Exam Questions In the previous tracks, the formats of the MCSE exams were fairly straightforward, consisting almost entirely of multiple-choice questions appearing in a few different sets. Prior to taking an exam, you knew how many questions you would see and what type of questions would appear. If you had purchased the right third-party exam preparation products, you could even be quite familiar with the pool of questions you might be asked. As mentioned earlier, all of this is changing.
In an effort to both refine the testing process and protect the quality of its certifications, Microsoft has introduced adaptive testing, as well as some new exam elements. You will not know in advance which type of format you will see on your exam. These innovations make the exams more challenging, and they make it much more difficult for someone to pass an exam after simply “cramming” for it.
Microsoft will be accomplishing its goal of protecting the exams by regularly adding and removing exam questions, limiting the number of questions that any individual sees in a beta exam, limiting the number of questions delivered to an individual by using adaptive testing, and adding new exam elements.
Exam questions may be in multiple-choice, select-and-place, simulation, or case study-based formats. You may also find yourself taking an adaptive format exam. Let’s take a look at the exam question types and adaptive testing, so you can be prepared for all of the possibilities.
Multiple-Choice Questions Multiple-choice questions include two main types of questions. One is a straightforward type that presents a question, followed by several possible answers, of which one or more is correct. The other type of multiple-choice question is more complex. This type presents a set of desired results along with a proposed solution. You must then decide which results would be achieved by the proposed solution.
You will see many multiple-choice questions in this study guide and on the accompanying CD, as well as on your exam.
Case Study–Based Questions Case study–based questions first appeared in the Microsoft Certified Solution Developer program (Microsoft’s certification program for software programmers). Case study–based questions present a scenario with a range of requirements. Based on the information provided, you need to answer a series of multiple-choice and ranking questions. The interface for case study– based questions has a number of tabs that each contains information about the scenario.
Adaptive Exam Format Microsoft presents many of its exams in an adaptive format. This format is radically different from the conventional format previously used for Microsoft certification exams. Conventional tests are static, containing a fixed number of questions. Adaptive tests change, or “adapt,” depending on your answers to the questions presented. The number of questions presented in your adaptive test will depend on how long it takes the exam to ascertain your level of ability (according to the statistical measurements on which the exam questions are ranked). To determine a test-taker’s level of ability, the exam presents questions in increasing or decreasing order of difficulty.
Unlike the previous test format, the adaptive format will not allow you to go back to see a question again. The exam only goes forward. Once you enter your answer, that’s it—you cannot change it. Be very careful before entering your answer. There is no time limit for each individual question (only for the exam as a whole.) Your exam may be shortened by correct answers (and lengthened by incorrect answers), so there is no advantage to rushing through questions.
How Adaptive Exams Determine Ability Levels As an example of how adaptive testing works, suppose that you know three people who are taking the exam: Herman, Sally, and Rashad. Herman doesn’t know much about the subject, Sally is moderately informed, and Rashad is an expert. Herman answers his first question incorrectly, so the exam presents him with a second, easier question. He misses that, so the exam gives him a few more easy questions, all of which he misses. Shortly thereafter, the exam ends, and he receives his failure report. Sally answers her first question correctly, so the exam gives her a more difficult question, which she answers correctly. She then receives an even more difficult question, which she answers incorrectly. Next, the exam gives her a somewhat easier question, as it tries to gauge her level of understanding. After numerous questions of varying levels of difficulty, Sally’s exam ends, perhaps with a passing score, perhaps not. Her exam included far more questions than were in Herman’s exam, because her level of understanding needed to be more carefully tested to determine whether or not it was at a passing level.
When Rashad takes his exam, he answers his first question correctly, so he is given a more difficult question, which he also answers correctly. Next, the exam presents an even more difficult question, which he also answers correctly. He then is given a few more very difficult questions, all of which he answers correctly. Shortly thereafter, his exam ends. He passes. His exam was short, about as long as Herman’s test.
Benefits of Adaptive Testing Microsoft has begun moving to adaptive testing for several reasons:
It saves time by focusing only on the questions needed to determine a test-taker’s abilities. An exam that might take an hour and a half in the conventional format could be completed in less than half that time when presented in adaptive format. The number of questions in an adaptive exam may be far fewer than the number required by a conventional exam.
It protects the integrity of the exams. By exposing fewer questions at any one time, it makes it more difficult for individuals to collect the questions in the exam pools with the intent of facilitating exam "cramming."
It saves Microsoft and/or the test-delivery company money by reducing the amount of time it takes to deliver a test.
Exam Question Development Microsoft follows an exam-development process consisting of eight mandatory phases. The process takes an average of seven months and involves more than 150 specific steps. The MCP exam development consists of the following phases:
Phase 1: Job Analysis Phase 1 is an analysis of all of the tasks that make up a specific job function, based on tasks performed by people who are currently performing that job function. This phase also identifies the knowledge, skills, and abilities that relate specifically to the performance area to be certified.
Phase 2: Objective Domain Definition The results of the job analysis provide the framework used to develop objectives. The development of objectives involves translating the job-function tasks into a comprehensive set of more specific and measurable knowledge, skills, and abilities. The resulting list of objectives—the objective domain—is the basis for the development of both the certification exams and the training materials.
Phase 3: Blueprint Survey The final objective domain is transformed into a blueprint survey in which contributors are asked to rate each objective. These contributors may be past MCP candidates, appropriately skilled exam development volunteers, or Microsoft employees. Based on the contributors’ input, the objectives are prioritized and weighted. The actual exam items are written according to the prioritized objectives. Contributors are queried about how they spend their time on the job. If a contributor doesn’t spend an adequate amount of time actually performing the specified job function, his or her data is eliminated from the analysis. The blueprint survey phase helps determine which objectives to measure, as well as the appropriate number and types of items to include on the exam.
Phase 4: Item Development A pool of items is developed to measure the blueprinted objective domain. The number and types of items to be written are based on the results of the blueprint survey.
Phase 5: Alpha Review and Item Revision During this phase, a panel of technical and job-function experts reviews each item for technical accuracy, then answers each item, reaching a consensus on all technical issues. Once the items have been verified as technically accurate, they are edited to ensure that they are expressed in the clearest language possible.
Phase 6: Beta Exam The reviewed and edited items are collected into beta exams. Based on the responses of all beta participants, Microsoft performs a statistical analysis to verify the validity of the exam items and to determine which items will be used in the certification exam. Once the analysis has been completed, the items are distributed into multiple parallel forms, or versions, of the final certification exam.
Phase 7: Item Selection and Cut-Score Setting The results of the beta exams are analyzed to determine which items should be included in the certification exam based on many factors, including item difficulty and relevance. During this phase, a panel of job-function experts determines the cut score (minimum passing score) for the exams. The cut score differs from exam to exam because it is based on an item-by-item determination of the percentage of candidates who answered the item correctly and who would be expected to answer the item correctly.
Phase 8: Live Exam As the final phase, the exams are given to candidates. MCP exams are administered by Sylvan Prometric and Virtual University Enterprises (VUE).
Microsoft will regularly add and remove questions from the exams. This is called item seeding. It is part of the effort to make it more difficult for individuals to merely memorize exam questions passed along by previous test-takers.
Tips for Taking the Migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000 Exam Here are some general tips for taking the exam successfully:
Arrive early at the exam center so you can relax and review your study materials. During your final review, you can look over tables and lists of exam-related information.
Read the questions carefully. Don’t be tempted to jump to an early conclusion. Make sure you know exactly what the question is asking.
Answer all questions. Remember that the adaptive format will not allow you to return to a question. Be very careful before entering your answer. Because your exam may be shortened by correct answers (and lengthened by incorrect answers), there is no advantage to rushing through questions.
On simulations, do not change settings that are not directly related to the question. Also, assume default settings if the question does not specify or imply which settings are used.
Use a process of elimination to get rid of the obviously incorrect answers first on questions that you’re not sure about. This method will improve your odds of selecting the correct answer if you need to make an educated guess.
Exam Registration You may take the exams at any of more than 1,000 Authorized Prometric Testing Centers (APTCs) and VUE Testing Centers around the world. For the location of a testing center near you, call Sylvan Prometric at 800-755-EXAM (755-3926), or call VUE at 888-837-8616. Outside the United States and Canada, contact your local Sylvan Prometric or VUE registration center. You should determine the number of the exam you want to take, and then register with the Sylvan Prometric or VUE registration center nearest to you. At this point, you will be asked for advance payment for the exam. The exams are $100 each. Exams must be taken within one year of payment. You can schedule exams up to six weeks in advance or as late as one working day prior to the date of the exam. You can cancel or reschedule your exam if you contact the center at least two working days prior to the exam. Same-day registration is available in some locations, subject to space availability. Where same-day registration is available, you must register a minimum of two hours before test time.
You may also register for your exams online at www.sylvanprometric.com or www.vue.com.
When you schedule the exam, you will be provided with instructions regarding appointment and cancellation procedures, ID requirements, and information about the testing center location. In addition, you will receive a registration and payment confirmation letter from Sylvan Prometric or VUE. Microsoft requires certification candidates to accept the terms of a Non-Disclosure Agreement before taking certification exams.
What’s on the CD? With this new book in our best-selling MCSE study guide series, we are including quite an array of training resources. On the CD are numerous simulations, practice exams, and flashcards to help you study for the exam. Also included are the entire contents of the study guide. These resources are described in the following sections.
The Sybex Ebook for MCSE: Windows 2000 Migration Study Guide Many people like the convenience of being able to carry their whole study guide on a CD. They also like being able to search the text to find specific information quickly and easily. For these reasons, we have included the entire contents of this study guide on a CD, in PDF format. We’ve also included Adobe Acrobat Reader, which provides the interface for the contents, as well as the search capabilities.
The Sybex MCSE Edge Tests The Edge Tests are a collection of multiple-choice questions that can help you prepare for your exam. Features:
Bonus questions specially prepared for this edition of the study guide, including 100 questions that appear only on the CD
All of the questions from the study guide presented in a test engine for your review
A sample screen from the Sybex MCSE Edge Tests is shown below.
Sybex MCSE Flashcards for PCs and Palm Devices The “flashcard” style of exam question offers an effective way to quickly and efficiently test your understanding of the fundamental concepts covered in the Migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000 exam. The Sybex MCSE Flashcards set consists of more than 130 questions presented in a special engine developed specifically for this study guide series. The Sybex MCSE Flashcards interface is shown below.
Because of the high demand for a product that will run on Palm devices, we have also developed, in conjunction with Land-J Technologies, a version of the flashcard questions that you can take with you on your Palm OS PDA (including the PalmPilot and Handspring’s Visor).
How Do You Use This Book? This book can provide a solid foundation for the serious effort of preparing for the Migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000 exam. To best benefit from this book, you may wish to use the following study method:
1. Study each chapter carefully. Do your best to fully understand the information.
2. Complete all hands-on exercises in the chapter, referring back to the text as necessary so that you understand each step you take.
3. Answer the review questions at the end of each chapter. If you would prefer to answer the questions in a timed and graded format, install the Edge Tests from the CD that accompanies this book and answer the chapter questions there instead of in the book.
4. Note which questions you did not understand and study the corresponding sections of the book again.
5. Make sure you complete the entire book.
6. Before taking the exam, go through the training resources included on the CD that accompanies this book. Try the adaptive version that is included with the Sybex MCSE Edge Test. Review and sharpen your knowledge with the MCSE Flashcards.
In order to complete the exercises in this book, your hardware should meet the minimum hardware requirements for Windows 2000. See Chapter 4 for the minimum and recommended system requirements.
To learn all of the material covered in this book, you will need to study regularly and with discipline. Try to set aside the same time every day to study and select a comfortable and quiet place in which to do it. If you work hard, you will be surprised at how quickly you learn this material. Good luck!
Contacts and Resources To find out more about Microsoft Education and Certification materials and programs, to register with Sylvan Prometric or VUE, or to get other useful information, check the following resources.
Microsoft Certification Development Team www.microsoft.com/trainingandservices Contact the Microsoft Certification Development Team through their Web site to volunteer for one or more exam development phases or to report a problem with an exam. Address written correspondence to: Certification Development Team, Microsoft Education and Certification, One Microsoft Way, Redmond, WA 98052
Microsoft TechNet Technical Information Network www.microsoft.com/technet/subscription/about.htm (800) 344-2121 Use this Web site or number to contact support professionals and system administrators. Outside the United States and Canada, contact your local Microsoft subsidiary for information.
Microsoft Training and Certification Home Page www.microsoft.com/trainingandservices This Web site provides information about the MCP program and exams. You can also order the latest Microsoft Roadmap to Education and Certification.
Palm Pilot Training Product Development: Land-J www.land-j.com (407) 359-2217 Land-J Technologies is a consulting and programming business currently specializing in application development for the 3Com PalmPilot Personal Digital Assistant. Land-J developed the Palm version of the Edge Tests, which is included on the CD that accompanies this study guide.
Sylvan Prometric www.sylvanprometric.com (800) 755-EXAM Contact Sylvan Prometric to register to take an MCP exam at any of more than 800 Sylvan Prometric Testing Centers around the world.
Virtual University Enterprises (VUE) www.vue.com (888) 837-8616 Contact the VUE registration center to register to take an MCP exam at one of the VUE Testing Centers.
Assessment Test
1. What does DNS stand for?
A. The Danish Network Society
B. The Domain Name Service
C. The Domain Name System
D. Downsize Network Staff
2. When upgrading NT to Windows 2000, you could install a dual boot, or you could format and start over on a computer.
A. True
B. False
3. You are concerned about providing a way to fall back to a stable NT 4 environment in case the network migration fails. What is the best way to do this?
A. Hold a backup domain controller in reserve that can be used to restore the NT 4 configuration.
B. Trust your tape backups to restore all of the information.
C. Migrations don’t fail. Don’t worry about it. It’s only your job if
4. You are migrating your Windows NT network to a Windows 2000 network. The network has two master domains and three resource domains. Master domain Accts has 1500 users, and master domain Accts2 has 4500 users. The resource domains, from smallest to largest, are Research, Sales, and Technical. In which order should you upgrade the domains?
A. Accts, Accts2, Technical, Sales, Research
B. Accts2, Accts, Technical, Sales, Research
C. Accts, Accts2, Research, Sales, Technical
D. Accts2, Accts, Research, Sales, Technical
5. When installing Windows 2000 on a single computer, who has permission to run the Setup program?
A. Only an IT supervisor
B. Helpdesk staff
C. Only a member of the local administrators
D. Any staff member with server access
6. Your migration plan for Windows 2000 calls for existing computers to be upgraded. You are concerned about the suite of applications already installed on the computers. How can you determine if these applications are compatible with Windows 2000?
A. Download and run the Readiness Analyzer utility.
B. Check with the manufacturer of the application for compatibility information.
C. Browse Microsoft’s Web site for information.
D. Talk to other people who have already run the applications on
7. Which of the following folders cannot be redirected using Folder Redirection?
A. My Documents
B. Application Data
C. Start Menu
D. Program Files
8. You have a user on your network who reports that she is unable to connect to a server. When you investigate, you discover that you cannot ping by name, but that you can get a response when you ping by IP address. What is the problem?
A. The server is only intermittently available.
B. Name resolution is failing.
C. You probably used the wrong name the first time.
D. When you use a server name to connect, it requires NetBEUI for the communication.
9. What Active Directory object enables you to distribute administration without giving up central control of the network?
A. Forest
B. Tree
C. Organizational unit
D. Object
10. A user in your organization is unable to receive the standard logon script. What should you verify first when troubleshooting this problem?
A. That the user’s computer is plugged in
B. That the user can connect to the domain controller
C. That the user has the Logon to Domain permission
D. That the user is logging on to the domain
11. If a user is unable to log on to your Windows 2000 domain, what is another step you can have him try to make sure his credentials are correct?
A. Have the user log on with his UNC.
B. Have him type more slowly.
C. Have the user log on with his UPN.
D. Type the domain information and user name for the user.
12. Which Windows 2000 command will enable you to verify that you have an IP address configured?
A. netdom
B. tracert
C. ipconfig
D. ping
13. You have an NT 4 network using the Single Master Domain model. You have decided to convert this structure to a single domain as part of the migration to Windows 2000. What type of migration will accomplish this with the least amount of effort?
A. Upgrade and restructure
B. Restructure instead of upgrade
C. Post-migration restructure
D. Migration and restructure
14. You want to upgrade your computer running NT 4 to Windows 2000, but you receive a message telling you that you do not have permission to run the Setup program. Why not?
A. You must be logged on as a user with administrative permissions to perform the setup.
B. You must be logged on with a domain Admin account.
C. You must be logged on with a normal user account to perform the setup.
D. Your user account must have the Log on as a batch job right to perform the setup.
15. You are trying to replicate your Dfs topology information to Active Directory, but the option is unavailable. What is the most likely reason for this?
A. The Global Catalog server is unavailable.
B. The DNS server doesn’t have the correct SRV record for your Dfs server.
C. The Dfs root is on a member server.
D. You haven’t changed the Registry settings that control Active Directory integration of Dfs.
16. True or false: You can have over 40,000 accounts in a Windows 2000 domain that is running in mixed mode.
A. True
B. False
17. What new feature of Windows 2000 preserves an account’s resource access even after it is moved to a new location?
A. Active Directory
B. Microsoft Management Console
C. SIDHistory
D. ACLhistory
18. Which server in an Active Directory environment keeps track of the unique portions of Security Identifiers?
A. The SID Master
B. The RID Master
C. The PDC
D. One of the BDCs
19. You are testing the application compatibility of the program developed within your organization to monitor financial transactions. You discover that the program is incompatible with Windows 2000. Where can you go to gain a solution for this problem?
A. Microsoft’s Web site.
B. The manufacturer’s Web site.
C. Your internal software development team.
D. You will have to purchase a new version of the program.
20. Which tool enables you to boot to a command prompt and replace corrupted Windows 2000 files?
A. Emergency Repair
B. Recovery Console
C. Active Directory Recovery Mode
D. Safe Mode
21. The Windows 2000 Domain Manager is also known as which tool?
A. NETDOM
B. Clonepr.dll
C. ADMT
D. ADSIEdit
22. Target domains are useful for what functions in Windows 2000? (Choose all that apply.)
A. Restructuring
B. Migrating
C. Upgrading
D. Reorganizing
23. Which Windows 2000 migration tool should you use to move user accounts to the target domain without disrupting the original domain?
A. ADMT
B. ClonePrincipal
C. NETDOM
D. User Manager for Domains
24. How can you ensure that your users will still have access to their resources during a migration to Windows 2000 and Active Directory?
A. Use the Update Security Wizard.
B. Do nothing; the Windows 2000 migration tools will set the SIDHistory attribute automatically.
C. Use the Transfer DACL Wizard.
D. Use the Active Directory Files and Folders console.
25. Which Windows 2000 tool will assist you in testing basic network connectivity?
A. GPResult.exe
B. Netdiag.exe
C. GPOtool.exe
D. Replmon.exe
26. You have successfully migrated all of your user accounts to the target domain, but now users are reporting that they cannot receive e-mail. What is wrong?
A. Your network has been hacked.
B. Probably there’s an e-mail macro virus attacking Exchange.
C. The password was reset on the Exchange service account when it was migrated.
D. I don’t know; it’s not my problem.
27. What is ClonePrincipal?
A. One of several wizards in the ADMT management console tools designed to help you migrate information from an NT 4 domain to your Windows Active Directory domain
B. A collection of Visual Basic scripts that help copy objects to a new Windows 2000 domain
C. The strategy used to structure Active Directory to provide for fault tolerance
D. The trust that you establish between the source domain and the target domain
28. How would you back up the Registry and Active Directory on a Windows 2000 domain controller?
A. Perform a full backup and include the Registry.
B. Back up the System State.
C. Use the Recovery Console to back up the Active Directory database.
D. Use the regback.exe utility from the Resource Kit.
29. What type of DNS resource record is most important to Windows 2000 Active Directory?
A. Dynamic records
B. MX records
C. SRV records
D. WINS records
30. You must have the Windows Internet Name Service installed in order
Answers to Assessment Test
1. C. DNS is the Domain Name System. It is commonly, and mistakenly, called the Domain Name Service, but that is incorrect. See Chapter 3 for more information.
2. A. The ability to upgrade from Windows 9x is new to Windows 2000. Windows 2000 supports FAT32, which makes dual booting easy with either version of Windows, and the Windows 2000 Setup program knows how to upgrade the Windows Registry. See Chapter 1 for more information.
3. A. Using a BDC as a reserve is a good idea. It can be synchronized and taken offline to provide a safe restore path. If it is needed, promote it to PDC and restore the other domain controllers by reinstalling them with NT 4 as BDCs. See Chapter 3 for more information.
4. B. You should upgrade account domains before resource domains. When upgrading account domains, upgrade the domains with the most users first, unless there is a pressing need to do otherwise. When upgrading resource domains, choose either domains that have mission-critical applications or the largest domains first. See Chapter 2 for more information.
5. C. When installing Windows 2000 on a single computer, only a member of the local administrators group can run the Setup program (winnt32.exe). Limiting access to just local administrators can be bypassed during unattended installations, but only administrators can perform a local upgrade. See Chapter 1 for more information.
6. A. While all of these answers have some validity, answer A would be the best choice. You can run the Readiness Analyzer utility as a standalone application or during the setup of Windows 2000. The manufacturer of the application would undoubtedly have some information about its compatibility with Windows 2000. See Chapter 14 for more information.
7. D. The Program Files folder cannot be redirected but always remains on the local computer. See Chapter 4 for more information.
8. B. If you can communicate with the server using the IP address but not the name, the networking is functional but name resolution is failing. See Chapter 12 for more information.
9. C. You can designate as organizational units (OUs) sections of your company to whom you want to delegate administrative control, while still being able to administer the entire network from the enterprise level. See Chapter 2 for more information.
10. B. Start with basic network troubleshooting. Can the user connect to the domain controller? And if so, can they open a session by mapping a drive to the Sysvol folder? See Chapter 11 for more information.
11. C. Have the user log on with his user principal name (UPN), which takes the form [email protected]. This form specifies the user account and the domain that houses the account. See Chapter 12 for more information.
12. C. The ipconfig command can be used to display your entire current TCP/IP configuration for every network interface in the computer. See Chapter 10 for more information.
13. A. You could answer A, B, or C, but answer A would require the least effort because it is easier to move security principals once the network is fully Windows 2000 and running in native mode. See Chapter 5 for more information.
14. A. Only a user account with administrative privileges on the local computer can perform the upgrade to Windows 2000. See Chapter 10 for more information.
15. C. To replicate Dfs topology information, the Dfs root must be located on a domain controller. See Chapter 13 for additional information.
16. False. In mixed mode, Windows 2000 must maintain compatibility with NT, including the limitation of 40,000 accounts per domain. See Chapter 4 for more information.
17. C. SIDHistory is a new feature that maintains a record of the account’s previous SID as well as the current SID. See Chapter 5 for more information.
18. B. The unique portion of a SID is the Relative Identifier (RID). The RID Master is the one server in the forest that creates and maintains the pools of available RIDs that can be used to create new SIDs. See Chapter 9 for more information.
19. C. Since the program was developed internally in your organization, you’ll have to turn to the developers within your organization to fix the incompatibility issue. See Chapter 14 for more information.
20. B. The Recovery Console boots the computer to a command prompt with a subset of Windows 2000 commands to repair the system. See Chapter 8 for more information.
21. A. The Windows 2000 Domain Manager is Netdom.exe. See Chapter 7 for more information.
22. A and B. Target domains are used in either migrating or restructuring domains to give your security principals a place to move to. See Chapter 6 for more information.
23. B. ClonePrincipal copies accounts from the source domain to the target domain without disrupting the original environment. It creates new SIDs for the accounts and stores the original SID in the SIDHistory attribute. See Chapter 7 for more information.
24. B. The SIDHistory attribute is a new feature of Active Directory that keeps a copy of the old SID for every account that is moved or copied to Active Directory. This will enable your users to still maintain access to their resources during the migration. See Chapter 9 for more information.
25. B. Netdiag.exe can assist in verifying basic network connectivity in Windows 2000 networks. See Chapter 11 for more information.
26. C. The Active Directory Migration Tool resets passwords on the migrated user accounts. Either the service account for Exchange must be updated with the new password in Exchange, or the password must be changed back to what it was before the migration. See Chapter 5 for more information.
27. B. ClonePrincipal is a collection of scripts that copy objects from an existing domain to a new Windows 2000 Active Directory. See Chapter 7 for more information.
28. B. Backing up the System State information backs up all configuration information, including the Active Directory database. See Chapter 8 for more information.
29. C. SRV records identify well-known network services. Windows 2000 computers use these records to locate domain controllers for logons and authentications. See Chapter 13 for additional information.
30. B. WINS is not required for Windows 2000 or for Active Directory.
Planning for Deployment
MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Evaluate the current environment.
Evaluate current hardware.
Evaluate security implications. Considerations include physical security, delegating control to groups, certificate services, SIDHistory, and evaluating post-migration security risks.
Evaluate application compatibility. Considerations include Web server, Microsoft BackOffice products, and line of business (LOB) applications.
Evaluate network services, including remote access functionality, networking protocols, DHCP, LAN Manager replication, WINS, NetBIOS, Windows 2000 DNS Server service, and existing DNS service.
Develop a domain upgrade strategy.
Configure networking protocols, DHCP, LAN Manager replication, WINS, NetBIOS, Windows 2000 DNS Server service, and existing DNS service.
Develop an operating system upgrade path. Considerations may include operating system version and service packs.
Suppose you’ve just been given that most enviable of projects: deploying a new network operating system. What will you do first? Why?
A rollout project can be one of the most rewarding efforts of your professional life, or it can be a complete nightmare. The difference between the outcomes is the amount of planning you’re willing to put into the project. Windows 2000 includes several tools that will make the deployment easier, but the success of the project still hinges upon your planning. Toward that end, in this chapter we’ll look at some of the basics that you should cover in your plan.
If you have had exposure to good project management practices, the idea of planning a deployment probably isn’t too frightening. If you haven’t…well, that’s what this chapter is for.
One bit of advice, before you go any further: Watch out for “project creep.” This problem occurs with many large projects. You develop a solid plan and are entering the final testing phase when someone decides to add a few things to the scope of the project. “As long as you’re already deploying Windows 2000, why don’t we add Office 2000 at the same time?” I watched a client do this for almost a year and a half while trying to deploy Windows NT Workstation. To avoid this situation, get a buy-in from someone in power so his or her authority gives you the ability to say no.
In this chapter, you will learn to prepare for upgrading your Windows NT 4 network to Windows 2000. Planning for an upgrade requires careful consideration of the hardware requirements, software needed, and how the upgrade will affect your current infrastructure. By carefully planning for the upgrade, you will ensure the greatest chances of success later. You will learn how to evaluate the current software and hardware present in your network and how Windows 2000 will affect that structure. We will discuss ways that the upgrade can affect the security of your network and how to properly assess application compatibility. We will also discuss how the upgrade will change the current network services in use.
Once we have covered the three basic areas, we will take a step back and learn how to effectively plan a successful upgrade procedure. We will finish by examining the possible upgrade paths for Windows 2000.
Planning the Upgrade
One of the most noticeable features of Windows 2000 is its scalability. Whether you are planning an upgrade for a department server or rolling out Windows 2000 to a world-class data center, the basic planning elements are the same. It is critical to consider three important elements while doing so: your hardware, software, and infrastructure. It is also important to use a methodical approach to the planning phase. This will help you to avoid mistakes and to create contingency plans. When working with any complex system, such as an operating system, things can (and usually do) go wrong. Proper planning helps to minimize the consequences of those problems.
Microsoft Exam Objective
Evaluate the current environment.
Upgrade planning for an operating system normally falls into three basic areas: hardware, security, and application compatibility. Since we are discussing network servers, add network services to that list and you should have all the elements of a well-planned rollout. One of the very first questions you’ll ask in your planning phase is “Can our hardware run the new operating system?” Then you’ll need to determine the effects of the deployment on your existing security structures. And, of course, you’ll need to know if your applications will run on the new operating system. Windows 2000 will assist the use of newer hardware through the introduction of Plug and Play to the operating system. Another benefit is the introduction of the Windows Driver Model (WDM), in which there is one set of drivers for both Windows 98/Millennium and Windows 2000. This should make it very easy to add drivers for new hardware in your Windows 2000 computer.
There are four versions of Windows 2000 to consider: Professional, Server, Advanced Server, and Datacenter Server. Windows 2000 Professional is intended to be a business desktop operating system and contains optimizations that make it desirable for this role. Professional is an excellent choice for laptop computers with Plug and Play and support for the Advanced Configuration and Power Interface (ACPI).
Windows 2000 introduces some new security features for networking. Some of my Unix friends are even impressed by the new network features of Windows 2000, something that was hard to imagine just a few months ago. Windows 2000 uses Kerberos security for all logon validations within a domain, an industry-standard security service that uses encrypted keys for validation. Another new feature is the inclusion of IP Security (IPSec) standards, which allow for various encryption schemes for data transmissions of TCP/IP.
Windows 2000 has even addressed application compatibility. With the addition of DirectX 7.0A in the operating system, Windows 2000 will support more of today’s user applications such as games. And many of us will admit that’s the real reason why we run a computer, right? The new network features and security options will support network applications even better than on NT 4. One thing about application support on Windows 2000 that I really love is the commitment Microsoft is making to providing application support patches on their Web site.
Assessing Existing Hardware
When determining the suitability of your current computer hardware for Windows 2000, the best place to start is with the minimum hardware requirements. If you’ve used earlier versions of Windows NT, you’ll notice that the hardware requirements for Windows 2000 are significantly higher. This may mean that part of your deployment plan will encompass either the purchase of new computers or the upgrade of the existing systems. Something you will notice on nearly every Microsoft operating system exam is the section on hardware requirements. With Windows 2000, it will also be important to remember the recommended hardware.
Fortunately, this time the minimum hardware requirements should also be fairly easy to come by if you are buying new computers. With NT 4, many offices still used 80386 computers. With Windows 2000, you must have a Pentium system, and these are very common in most offices. The server versions differ mostly in the level of hardware support, as Tables 1.1 through 1.4 show.
TABLE 1.1 Hardware Requirements for Windows 2000 Professional
Hardware Resource | Minimum Requirement | Recommended
CPU (Central Processing Unit) | 133MHz Pentium; up to two processors supported | -
Memory | 32MB | 64MB
Hard disk | 2GB with at least 650MB free space | -
TABLE 1.2 Hardware Requirements for Windows 2000 Server
Hardware Resource | Minimum Requirement | Recommended
CPU | 133MHz Pentium; up to four processors supported | -
Memory | 128MB; up to 4GB supported | 256MB
Hard disk | 2GB with at least 1GB free space | Requires more free space if installing over a network.
TABLE 1.3 Hardware Requirements for Windows 2000 Advanced Server
Hardware Resource | Minimum Requirement | Recommended
CPU | 133MHz Pentium; up to eight processors supported | -
Memory | 128MB; up to 8GB supported | 256MB
Hard disk | 2GB with at least 1GB free space | Requires more free space if installing over a network.
TABLE 1.4 Hardware Requirements for Windows 2000 Datacenter Server
Hardware Resource | Minimum Requirement | Recommended
CPU | Pentium III Xeon processors or higher; up to 32 processors supported | -
Memory | 128MB; up to 64GB supported | 256MB
Hard disk | 2GB with at least 1GB free space | Requires more free space if installing over a network.
Microsoft recommends using at least an eight-way capable server for Datacenter. The hardware requirements are tuned for the very high-end servers, as is logical for a product called Datacenter.
With these requirements in mind, you should carefully assess your current hardware on any computer that will be upgraded to Windows 2000. In some cases, you will find systems that need to have one or more resources upgraded before the operating system can be upgraded. Please note that the hardware listed in the tables above shows the minimum requirements or minimum recommended levels. You will achieve significantly better performance if you add higher levels of hardware. Another resource to help you evaluate your current hardware’s suitability to run Windows 2000 is the Hardware Compatibility List (HCL) available from Microsoft’s Web site at http://www.microsoft.com/windows2000/upgrade/compat/default.asp. On their compatibility Web page, Microsoft has also included an option to download the Readiness Analyzer, shown in Figure 1.1, which is a program that can analyze your system and report on the compatibility of the installed hardware.
FIGURE 1.1 The Readiness Analyzer helps you to determine whether your computer is ready to upgrade to Windows 2000.
Microsoft has done their best to help you plan for hardware compatibility. The Windows 2000 Setup program includes the Readiness Analyzer. When installing Windows 2000, you will be notified of most software or hardware incompatibilities that the Setup program can detect at that time. This gives you some of the information you need before you’ve passed the point of no return in an upgrade. The Readiness Analyzer will warn you of
incompatible hardware and/or software, and it will notify you whether the incompatibility is something that will cause the setup to fail or is just a device or program that won’t work properly with Windows 2000 after the setup completes. If you just want to run the Readiness Analyzer but not set up Windows 2000, you can run winnt32.exe /checkupgradeonly.
Migration Scenario Your company has been hired to plan and implement the migration of a network from Windows NT 4.0 to Windows 2000. You have been assigned the task of suggesting hardware upgrades or replacements for their existing servers. You have been given the following list of current resources:
Server1: Pentium 133 MHz, 96MB RAM, two 6GB hard disks. This server currently acts as a file and print server and as a backup domain controller (BDC).
Server2: Dual-Pentium 550MHz, 256MB RAM, RAID5 disk system. This server currently supports both the company e-mail and Web services. It also provides DHCP and DNS services.
Server3: Pentium 133MHz, 64MB RAM, two 9GB hard disks. This server is the primary domain controller (PDC) and supplies WINS services.
Things to consider:
Does the hardware meet minimum configuration needs for Windows 2000?
Can you suggest any hardware upgrades that will increase performance?
Should any network services be moved to other servers?
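One way to work through the first of the scenario questions is to put the minimums from Tables 1.1 through 1.4 into a small checker and run the three scenario servers through it. The script below is an added example written for this section, not code from the book or from Microsoft. It transcribes the Professional, Server, and Advanced Server rows of the tables (Datacenter is left out because its CPU requirement is a processor family rather than a clock speed), and it records the scenario’s RAID5 capacity and every server’s free disk space as unknown, since the scenario does not state them, rather than inventing values. The Server dataclass, the assess and report functions, and the SCENARIO list are all assumptions of this example; the second and third scenario questions (performance upgrades and moving services) still need a human judgment, so the script only reports the hardware facts that judgment rests on.

```python
"""Pre-migration hardware check against the Windows 2000 minimums in Tables 1.1-1.4.
Added example for the Migration Scenario; not part of the book's own material."""
from dataclasses import dataclass, field
from typing import Optional

# Minimum and recommended levels transcribed from Tables 1.1 through 1.4.
# Datacenter Server is omitted: its table gives a processor family, not a clock speed.
REQUIREMENTS = {
    "Professional":    {"cpu_mhz": 133, "max_cpus": 2, "mem_mb": 32,  "rec_mem_mb": 64,  "disk_gb": 2, "free_mb": 650},
    "Server":          {"cpu_mhz": 133, "max_cpus": 4, "mem_mb": 128, "rec_mem_mb": 256, "disk_gb": 2, "free_mb": 1024},
    "Advanced Server": {"cpu_mhz": 133, "max_cpus": 8, "mem_mb": 128, "rec_mem_mb": 256, "disk_gb": 2, "free_mb": 1024},
}


@dataclass
class Server:
    """One inventory record (hypothetical structure for this example)."""
    name: str
    cpu_mhz: int
    cpus: int
    mem_mb: int
    disks_gb: Optional[list] = None   # None = capacity not recorded in the inventory
    free_mb: Optional[int] = None     # None = free space not recorded in the inventory
    roles: list = field(default_factory=list)


def assess(server: Server, edition: str) -> dict:
    """Compare one server with one edition's table row.
    'blocking' entries fall below a published minimum; 'warnings' fall below the
    recommended level or flag facts the inventory does not record yet."""
    req = REQUIREMENTS[edition]
    blocking, warnings = [], []
    if server.cpu_mhz < req["cpu_mhz"]:
        blocking.append(f"cpu {server.cpu_mhz}MHz < {req['cpu_mhz']}MHz minimum")
    if server.cpus > req["max_cpus"]:
        warnings.append(f"{edition} uses at most {req['max_cpus']} of {server.cpus} processors")
    if server.mem_mb < req["mem_mb"]:
        blocking.append(f"memory {server.mem_mb}MB < {req['mem_mb']}MB minimum")
    elif server.mem_mb < req["rec_mem_mb"]:
        warnings.append(f"memory {server.mem_mb}MB < {req['rec_mem_mb']}MB recommended")
    if server.disks_gb is None:
        warnings.append("disk capacity unknown; inventory the array before upgrading")
    elif sum(server.disks_gb) < req["disk_gb"]:
        blocking.append(f"disk {sum(server.disks_gb)}GB < {req['disk_gb']}GB minimum")
    if server.free_mb is None:
        warnings.append(f"free disk space unknown; setup needs at least {req['free_mb']}MB")
    elif server.free_mb < req["free_mb"]:
        blocking.append(f"free space {server.free_mb}MB < {req['free_mb']}MB minimum")
    return {"blocking": blocking, "warnings": warnings}


def upgrade_ready(server: Server, edition: str) -> bool:
    """True when nothing falls below the edition's published minimums."""
    return not assess(server, edition)["blocking"]


# The three servers from the Migration Scenario. RAID5 capacity and free space are
# not stated in the scenario, so they are recorded as None rather than guessed.
SCENARIO = [
    Server("Server1", 133, 1, 96,  [6, 6], roles=["file/print", "BDC"]),
    Server("Server2", 550, 2, 256, None,   roles=["e-mail", "Web", "DHCP", "DNS"]),
    Server("Server3", 133, 1, 64,  [9, 9], roles=["PDC", "WINS"]),
]


def report(edition: str = "Server") -> list:
    """One summary line per scenario server, returned as a list so callers can log it."""
    lines = []
    for s in SCENARIO:
        r = assess(s, edition)
        status = "READY" if not r["blocking"] else "UPGRADE HARDWARE FIRST"
        lines.append(f"{s.name} ({', '.join(s.roles)}): {status}; "
                     f"blocking={r['blocking']}; warnings={r['warnings']}")
    return lines


if __name__ == "__main__":
    for line in report("Server"):
        print(line)
```

Run as written, the checker flags Server1 and Server3 for memory below the 128MB Server minimum (both domain controllers, which also matters for the order in which you can afford to take them offline), passes Server2, and warns on every server that free disk space was never inventoried. Those warnings are the point of recording unknowns explicitly: a migration plan built on an inventory with gaps fails at the setup screen, not at the planning table.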
Evaluating Other Hardware Needs
So you’re in the process of planning to upgrade the operating systems on your network computers. Have you taken a good look at the network hardware itself? Windows 2000 does support many different types of network hardware, and like everything else in this world, some of it is better than others. Perhaps this would be the perfect opportunity to upgrade your network to 100Mb or create a new subnet to reduce the load on a segment. These issues could seriously affect the overall performance of your network—and thus your satisfaction with the deployment of Windows 2000.
Network Cabling
An important element to consider when upgrading is whether to upgrade your cabling at the same time. The cabling in your network carries all of the data that is transmitted from computer to computer. Obviously, the quality of this cabling will be important to the outcome of your network’s performance. This is more than just saying “you get what you pay for,” though; when evaluating the network cabling, you must consider whether it will support your needs for years to come. Why install network cable that is adequate now for 10Mb data transmission but won’t handle an upgrade to 100Mb later down the line? If your business network is likely to grow over the next five years, you should plan to incorporate the fastest network hardware that is practical for your budget.
On the other hand, you might want to practice a little restraint. Will you really need gigabit networking anytime soon? For most small networks, 10Mb is just fine, though even a small network would appreciate 100Mb. Larger networks should be quite happy with 100Mb, and the cost versus the speed makes 10 or 100Mb fine for widespread application. Gigabit networking hardware is still pretty expensive. Most existing networks are using some form of Ethernet for their physical network. If your network is one of these, determine if the cable being used is category 3 or category 5. If you are using category 5 cable, your network can easily make the transition to 100Mb.
Ethernet Cables I recently had the opportunity to work in a large data center and ran into an interesting issue regarding network cabling. I was installing 100Mb switching hubs into my classroom to improve the network performance for some Windows 2000-related training I was conducting. To save some money on the upgrade, I was scrounging around for cable from some leftover materials in the data center.
I found some category 5 cable that someone had custom-made some time before, and I grabbed several lengths to use in my network. When I had installed them, I found that several of the computers were connecting to the network at only 10Mb speeds even though they had 10/100Mb network cards! Upon investigating the cables more carefully, I discovered that they were using only four wires to make the connection from end to end. 100Mb Ethernet requires all eight wires in a category 5 cable to make a connection that is suitable for the full speed rating. I ended up having to go back to the local computer store to purchase category 5 cables that were properly made for 100Mb Ethernet use.
Network Routers and Subnets
If you are looking for ways to improve network performance on an existing network, you may want to consider breaking up your network using a router. Experienced network professionals will tell you that one type of traffic that slows down a network more than anything else is broadcast traffic, because every computer that “hears” the broadcast has to process the data contained in it. Many legacy NT network services are broadcast-based, or what many people refer to as “chatty.” By using a router and breaking your network in half, you can effectively cut the broadcast traffic in half, too. Routers are normally configured to block broadcast traffic as a means to reduce the impact of broadcasts upon the entire network. Windows 2000 will help with this somewhat by eliminating many of the broadcasts that NT used, but breaking the network up into subnets with routers is still a good way to improve performance.
Creating a Hardware Inventory
So, now that you’re planning this deployment and you’re evaluating your hardware, are you updating your hardware inventory list? What? You don’t have a hardware inventory list? What a wonderful opportunity to create one! Many businesses don’t really keep track of what computer hardware is in use. You will usually find that the accounting department knows what was purchased, when it was purchased, and how much was paid for it, but the network administrators haven’t a clue where that hardware is. Joking aside, you will benefit from creating a list of your current hardware. List things like how many computers you have, what they contain (processors, RAM, disks, etc.), and where they are located. You will need this information when creating the automated installation scripts anyway, and getting the information now means that you can create your shopping list for all of the things that will need to be upgraded before you deploy Windows 2000.
Evaluating Security Concerns
Planning for network security is extremely important when considering a move to Windows 2000 because so many of the security features have changed from NT 4. Since so many networks today are connected to the Internet, detecting and preventing intrusion is a vital concern for the network administrator. Windows 2000 will help you defend your kingdom well, but you need to know exactly what you are defending and from whom.
Microsoft Exam Objective
Evaluate the current environment. Evaluate security implications. Considerations include physical security, delegating control to groups, certificate services, SIDHistory, and evaluating post-migration security risks.
It is easy to overlook security when planning an upgrade. When upgrading a single computer, security is only a matter of who can run the setup program. But upgrading a network may have serious implications for the entire network’s security, such as domain trusts, folder permissions, and lost access. Maybe even worse than someone losing access is the idea that a user may suddenly have access to resources they shouldn’t be able to see on the network. Evaluating network security needs can be a very time-consuming process. Consider the following points:
Current domain structures
High-security resources such as employee files, research, and accounting information
When installing Windows 2000 on a single computer, only a member of the local administrators group can run the Setup program (winnt32.exe). Limiting access to just local administrators can be bypassed during unattended installations, but only administrators can perform a local upgrade. Of course, this won’t stop a user who wants to steal your data from booting the computer into setup either by using the setup floppies or by booting from the CD-ROM. And once they have reinstalled Windows 2000 to a new folder, they will have access to all of the data on the computer.
Current Domain Structures
When evaluating security concerns, domains are something you’ll want to plan carefully because they form the basis of all of your security in Windows 2000. You’ll also want to consider where your network is today, as well as where it is projected to go in the next few years. Microsoft recommends that your domain planning take into consideration any planned growth for the next three to five years. The domain functionality in Windows 2000 may change the network a great deal. This really depends on whether you will be implementing Active Directory immediately or running your Windows 2000 Servers in mixed mode. Mixed mode refers to the combination of NT 4 Servers and Windows 2000 Servers making up the domain security model. In NT 4, the domain directory database had a performance limitation of approximately 40,000 objects (groups, users, and computers). In Active Directory, you can easily have millions of objects in a domain, so you need to consider where the security boundaries of your organization need to be. It is possible to collapse almost any multiple-domain structure into a single domain using Active Directory. It may or may not be desirable to do this, based on your network needs. There are a few main reasons for splitting domains in Windows 2000. One, if you want to ensure completely isolated administrative controls, multiple domains may be necessary. Two, if different locations represented in your network have different geographical settings, different domains are the way to go. An example of this second point is an international network. The portion of the network in the United States would use English, whereas the network portion in France would use French. This is a good time to use multiple domains. It’s easy to create a multiple-domain structure using Active Directory in a single security context. But even though the process is relatively easy, the planning takes serious consideration.
For instance, if your organization currently has a complete trust model in place, which domain will you pick to become the root of the tree? There may be serious political consequences to consider. It may be better to create a new domain whose sole purpose will be to become the root of the tree. We discuss Active Directory planning in detail in Chapter 2, “Planning for Active Directory.”
High-Security Resources
If you work in an industry where the security of your research is a high priority, consider these needs carefully while designing your deployment strategy. How you design your domain structure and how you delegate the administrative load may create gaps in your security. An example would be if you intended to delegate administrative control to an Organizational Unit (OU) but instead gave control to the whole domain, or if that OU contained resources that were inappropriate for the administrator of the OU to have control of, such as employee records. If the high-security resources are contained within a physical location, things will be somewhat easier. In this case, simply create a separate tree to contain all of the resources in this location and administer it as a separate entity. Another consideration that nearly every network will encounter is the need to protect employee files. In this situation, there are people on the network who definitely need access to the files, such as the human resources personnel, and others who definitely should not have access to the files. Identify where these needs exist by talking with people in every department of the organization. Find out which resources they use and which resources they need to protect.
Securing Access to Applications with Limited Licensing
Does your company have applications that have been purchased at great expense for limited use? Say, copies of Adobe Photoshop that are used by staff members in your art department? You probably spent quite a bit of money buying full licensed copies of this professional software with the intent that the people who need it are the ones who will install it, right? What about the other users who just happen to find it on a server share and want to install it or take it home? You will often encounter predicaments like this in any network. Software can be very expensive, and you will want to optimize your expenses by limiting your purchases to what is needed. Licenses are often expensive, too. You won’t want to allow just anyone to use up those licenses you have purchased for a specific need.
Identify where these applications are installed and who has a legitimate need to use them. Keep entries for each of these in your inventory lists. One approach would be to prevent normal users from having access to the files and use Group Policies to install the applications where they are needed. This way, only your IT staff would have direct access to the install files, and only the appropriate users would have the programs installed.
Accessing the Internet
Internet access, and how it is used, is a hot topic in network security. Many large networks provide access to the Internet for their users through proxy servers. A proxy server translates network requests from a secure internal network to one real IP address on the Internet. They often provide caching services for content downloaded from the Internet and can even act as a firewall to protect the network from intrusion. Consider this type of access in your deployment plan. Does the proxy software you are using run on Windows 2000? Will all segments of the network require access to the Internet through these proxies? Will all of your users be granted permission to access the Internet from the internal network? Consider as well a plan to monitor what software is in use on the network to prevent users from downloading and running software from the Internet. This can be a source of viruses, licensing violations, and lost productivity.
Domain Namespaces
What’s in a name? Probably your whole company if it has an Internet domain name. So many companies have domain names on the Internet now that it’s almost impossible to look at any advertisement without seeing a URL to the company’s Web site. Some large companies have even more than one domain name that they’re responsible for. These domain names, or the domain namespace, for your company will be very important to your Windows 2000 planning because Active Directory is based on Internet-type namespaces. More to the point, when you set up Active Directory it wants a fully qualified domain name (such as somecompanyname.com) to use as the Windows 2000 domain name. Have I confused you yet? Don’t worry, we’ll sort it all out in Chapter 2. Your namespace will probably be the same as your company’s Internet domain name. But do you already have one? You may be planning to get on the Internet soon but haven’t done anything yet. This would be a great time to register your domain name so you can use it to create your Active Directory structure during your deployment.
Planning Security for Future Growth
Up till now we’ve been talking mostly about software and hardware. Planning for the future growth of your network is mostly about policies and procedures. If your current practices to protect your network security are working, what makes you think they will work in the future as your environment grows larger? As you build an inventory of security needs for your deployment of Windows 2000, think about how the current size of the network affects your decisions. Then try to predict what those decisions would have to be if the network were 5 percent larger or 10 percent larger, and so on.
Assessing Application Compatibility
Application compatibility is one of the greatest concerns in any operating system upgrade and one that should be tested thoroughly before the upgrade process. When considering application compatibility, you should be focusing on your servers, all of your line of business applications, and Microsoft Exchange.
Microsoft Exam Objective
Evaluate the current environment. Evaluate application compatibility. Considerations include Web server, Microsoft BackOffice products, and line of business (LOB) applications.
A variety of methods can be used during this phase of planning:
Consult the manufacturer’s Web site for Windows 2000 support information.
Use the Windows 2000 Setup program to detect many compatibility issues.
Test the applications in a limited environment before rolling out Windows 2000.
Consider all types of applications in use in your environment, from user applications such as Office 2000 to server applications such as SQL Server or Exchange. Shareware or third-party applications installed on users’ computers will complicate your evaluation of compatibility issues. Custom-written line of business applications can also cause difficulties. The Windows 2000 Application Specification defines various levels of software support under Windows 2000. There are four Application Levels:
Certified  Means that the application meets every requirement for compatibility and that both Microsoft and an independent test laboratory have tested it. This is the highest level of certification an application can achieve.
Ready  Indicates that the Independent Software Vendor (ISV) has performed Windows 2000 compatibility testing and certifies that the application will run correctly on Windows 2000. The ISV also promises to provide support for their application on Windows 2000.
Planned  Means that the ISV intends to provide support for Windows 2000 in a future release of the application.
Caution  Means that you may very well encounter problems with this application on Windows 2000. In this case, there is most likely a known issue that is documented and probably has a workaround or solution.
By recognizing these certification levels, you will be better prepared to deploy applications for your Windows 2000 network. Microsoft is committed to application compatibility in Windows 2000. On the Microsoft Web site at http://www.microsoft.com/windows2000/downloads you can check for periodic updates to the operating system for greater application support. The network administrator should make a point of monitoring this Web page from time to time to see if there are updates that affect applications in their environment. Windows 2000 also includes a built-in update feature that will check for these updates for you. A testing environment offers you the chance to fully test these applications before the changes will affect either your network or your users. It will be very helpful if your organization has created standard software configurations for the various computers in use on your network.
Web Services
Web services have become very important to most businesses, and they should be a critical component of your assessment. Whether you are serving Web pages to the Internet as a means of selling your product or simply hosting an internal Web site to share information with coworkers, having a stable Web server is probably important to you.
Windows 2000 comes with Internet Information Services (IIS) version 5 right out of the box. Notice that the name has changed slightly: Services instead of Server. IIS 5 does provide backward compatibility for Web services running on earlier versions of IIS, including full support for common Internet standards, as well as Microsoft extensions. This means that there shouldn’t be any compatibility issues, but you should still install a test server to fully evaluate the compatibility with your own Web content. The administration console for IIS has changed, at least in its location. You can find the Internet Services Manager in the Administrative Tools group on the Start menu. This is a standard Microsoft Management Console (MMC) interface, and it supports all of the functionality of IIS 4 while adding features that reflect the increased security of Windows 2000. The Internet Information Services console is shown in Figure 1.2.
FIGURE 1.2  The Internet Information Services console lets you manage the IIS properties for multiple webs on your server.
IIS 5 installs support for the FrontPage 2000 Server Extensions, which may or may not be a good thing, depending on your views of FrontPage. You can specify which of the webs hosted on your server will support the FrontPage extensions. This feature will enable you to turn off the extensions for customers who really don’t want anything to do with FrontPage.
With any Web server installed, it is a good idea to check with the manufacturer to see if there are any program updates or known issues with the installation of Windows 2000. If you are running a third-party Web server, you will want to deselect IIS during the installation of Windows 2000 to avoid breaking the Web service already installed. Also, be aware that the default options for installing IIS during setup include the Simple Mail Transfer Protocol (SMTP) mail service, in addition to World Wide Web (WWW) and File Transfer Protocol (FTP). You may want to disable the SMTP mail service if your server won’t be handling SMTP mail directly. IIS 5 also includes support for various Web-related network services, such as the following:
File Transfer Protocol  IIS 5 provides a full FTP server for serving files over the Internet or the local intranet.
Network News Transfer Protocol  NNTP support is included if your Windows 2000 Server will participate in routing Internet News messages.
Simple Mail Transfer Protocol  This service provides support for an Internet e-mail server under Windows 2000.
Visual InterDev RAD Remote Deployment Support  This service enables you to use your IIS server to distribute applications through a Web interface.
Exchange Server
Exchange Server 5.5 will run on Windows 2000 and is very common in NT 4 or Windows 2000 networks. Microsoft has integrated the Exchange Directory with Windows 2000’s Active Directory in Exchange 2000. This simplifies the administration of Directory objects such as users and distribution lists by enabling the administrator to manage all objects from a single Microsoft Management Console (MMC) interface. Using Exchange Server with Windows 2000 gives you some very nice administrative abilities, so it’s definitely worth keeping in mind. To fully integrate the Exchange Directory with Windows 2000’s Active Directory, Microsoft has provided the Active Directory Connector (ADC). The ADC integrates the two directory services for user and group administration, which enables you to administer both Active Directory and your Exchange Directory from the same administrative tool. This means that if you are an experienced Exchange admin, but are not very comfortable with the Active Directory tools, you can set up the ADC to let you administer the Active Directory from the Exchange Administrator console. Conversely, if you are more comfortable with the Active Directory tools, you can also use them to manage your Exchange Directory. The ADC is installed from the Windows 2000 Server CD-ROM in the ValueAdd\MSFT\Mgmt\ADC folder. The ADC Setup Wizard will walk you through the necessary steps to add the service to your server. The connector itself seems to work best when installed on the first domain controller in the domain. It’s true (mostly) that all domain controllers in an Active Directory domain are equal, but by default the first domain controller installed has some special duties. One of those extra duties is to manage the schema for the entire domain as the Schema Master. A schema is a description of the containers and objects within a directory. Because the ADC will need to modify the schema for the domain, it works best from the Schema Master. The management tool can be installed on any Windows 2000 computer in the domain. The Active Directory Connector Management console is shown in Figure 1.3. Active Directory is described in more detail in Chapter 2.
FIGURE 1.3  The Active Directory Connector Management console lets you create and configure connector agreements between Active Directory and Exchange 5.5.
The ADC can synchronize data from Windows 2000 to Exchange, from Exchange to Windows 2000, or in both directions. If you are synchronizing in both directions or from Windows 2000 to Exchange, you will have the option to create a mailbox when you create a new user account. If your network is using a messaging server besides Exchange that uses a directory service similar to Active Directory, you can expect to see a connector that will link your messaging server into Active Directory like the ADC does for Exchange.
Line of Business Applications
Line of business (LOB) applications are typically problematic during upgrades because they are usually highly customized and often poorly documented. LOB applications are usually programs that support a particular industry and are very important to the day-to-day operations of the organization. They include databases, incident tracking, monitoring, and other applications essential to a business. Often they are highly customized for a particular industry or even one business. Obviously, these aren’t applications you will want to take chances with! Proper testing of these programs on Windows 2000 is imperative prior to performing the upgrade. Check with the ISV to see if there are any known issues with running the application on Windows 2000. Be prepared to hear that the program isn’t supported at all on Windows 2000, and have a contingency plan for this situation. Check Microsoft’s Windows 2000 compatibility Web site to see if there are any necessary updates for the program. Line of business applications are a great justification for a test lab prior to rolling out Windows 2000. Allocate several computers (if possible) and try to duplicate as much as you can from the production environment. Run tests on the programs to verify basic functionality. If possible, get a group of users to perform their normal work on the test servers to verify that there are no hidden bugs in the system. Only after testing has been fully completed should you begin upgrading the servers running these applications to Windows 2000. A gradual upgrade process is a good idea with LOB applications. Depending on the architecture of the application, it is often possible to roll out the systems in parallel, one new system operating beside one old system. As they come up successfully, upgrade the remaining servers to Windows 2000. Make certain that there are current backups at every step, so that the LOB servers can be reinstalled under their previous operating system if things go wrong.
Deploying Software in Windows 2000
Windows 2000 uses the new Windows Installer program to install application software. Windows Installer not only installs programs, but also maintains applications by automatically replacing damaged or missing files. Finally, the Windows Installer helps to ensure the clean removal of applications that are no longer being used. The main interface to the Windows Installer is the Add/Remove Software applet in Control Panel, as shown in Figure 1.4.
FIGURE 1.4  The Add/Remove Software applet in Control Panel helps you manage applications in Windows 2000.
Windows 2000 makes it easier to deploy new applications by utilizing the Software Installation and Maintenance technology to roll out software to computers on your network. Software Installation and Maintenance uses a new file type for installation packages, the Windows Installer package (a file with an .MSI extension). This file contains the information needed to tell the Windows Installer which files are needed and where to locate them. The .MSI file actually replaces the functionality of the setup.exe program for an application.
Using this .MSI file, or package, an administrator can deploy the application using Group Policy Objects (GPOs). GPOs allow the administrator the flexibility to assign or publish applications to an entire domain or forest or just a single department. Properly planning the domain and OU structure allows administrators to control which users get which applications on a very granular level. Using Windows Installer packages, administrators can deploy software through the use of GPOs in two common ways:
Publishing  If an application is published, it is advertised to affected users on the network through Add/Remove Programs in Control Panel. If users want to install the application, they simply find the application they want and double-click it. Published applications can also be organized into functional categories to make administration easier. Applications can be published only to users, not to computers.
Assigning  You can also deploy applications by assigning them to users or computers. If an application is assigned to a user, an icon for the application will appear in the user’s Start menu. When the user clicks the icon to launch the application, Windows Installer will begin the installation. Once the installation is complete, the application will function. If the application is assigned to the computer, it will automatically install the first time the computer is booted after the GPO is applied. The application will be available for all users of that computer. If you are going to deploy applications for a large number of users (as in everyone), assign the apps to computers, not the users.
EXERCISE 1.1  Deploying an Application
To deploy a new application, use the following steps:
1. Open Active Directory Users And Computers, and right-click the Organizational Unit (OU). See Chapter 2 for more information on OUs.
2. In the Properties dialog box, click the Group Policy tab to open the list of currently configured policies.
3. Select a policy and click the Edit button as shown below. You can also click the New button if you want to define a new policy.
4. In the Group Policy window, expand the New Group Policy Object ➢ Computer Configuration ➢ Software Settings console tree to display the Software Installation object.
5. Right-click the Software Installation object and select New Package to bring up the Open dialog shown below.
6. Browse for the package (.MSI file) that you want to distribute, then click the file to select it. Click the Open button to bring up the Deploy Software dialog shown below.
7. Select the distribution method you want to use for the package: Published, Assigned, or Advanced Published Or Assigned.
Using Deployments
You can use two basic types of deployments with applications (or operating systems, for that matter): the bridgehead and gradual deployment type or the type a former colleague of mine called eye of the needle. The first method is called a bridgehead because you are essentially using military strategy to establish a single presence in new territory by installing the application to a small group of test users. Once this small installation works successfully, you would roll out the software to a larger group. Finally, moving in groups, you would install to the entire organization in a gradual deployment. The second type, the eye-of-the-needle method, refers to the idea of a complete rollout in a very short period of time. While this method has the drawback of requiring intensive planning and administrative effort, it has the benefit of being over in a relatively short period of time. Ideally, you would use this concept to roll out an application to your organization while everyone is away at training for the new application. This way, when they return to their desks with the training fresh in their minds, they have the new software to work with. You can accomplish this method in two ways with Windows 2000 Server: publishing the application or assigning the application.
Assessing Upgrade Implications for Network Services
When deciding to upgrade, you should ask yourself and your IT team a couple of key questions: What kind of implications will your network face by upgrading? And why are you upgrading your servers to Windows 2000? Is it simply because it’s the latest and greatest? Or are you perhaps looking to take advantage of the improvements Microsoft has made in networking? The improved network support is one of the biggest areas of impact for an upgrade to Windows 2000. The networking in Windows 2000 is significantly improved from NT 4, which is a good thing, right? Maybe. One of the big problems that you may face in upgrading your network to Windows 2000 is struggling with a mixture of administrative tools. Many of the Windows 2000 tools won’t administer NT 4 servers, and vice versa. Therefore, you need to spend a considerable amount of time evaluating how an upgrade will change your existing network services.
Microsoft Exam Objective
Evaluate the current environment.
Evaluate network services, including remote access functionality, networking protocols, DHCP, LAN Manager replication, WINS, NetBIOS, Windows 2000 DNS Server service, and existing DNS service.
The best approach to evaluating the impact on your network services is to break them down one by one. Examine the configurations of your servers to discover what services they are running. Make an inventory list of these services and determine how they are being used in your network. You may find that some services can be disabled because no one is actually using them. Or you may find that you could benefit from installing a new service to handle a particular need. Let’s take a closer look at some of the primary NT services you might be using.
Domain Name System
The Domain Name System (DNS) is required for Active Directory installation. Domain functions and naming are built upon DNS. One of the new additions with DNS in Windows 2000 is the ability to make dynamic updates to the DNS servers. Because of this, DNS can be used to resolve the names of every client on the network with little administrative overhead. Windows 2000 client computers can automatically provide the DNS server with their hostname and IP address when they become active on the network. Down-level clients, like Windows NT and 98, do not support dynamic DNS updates in their client-side TCP/IP stack. In their case, the DHCP server notifies the Windows 2000 DNS server when it gives out an address lease and updates the DNS server’s tables with the new host and address information. DNS resolves hostnames to IP addresses. In the past with NT, this helped only when you were using commands that used sockets to communicate. Windows NT name resolution and resource location was based on NetBIOS naming standards instead of sockets. With Windows 2000, however, DNS is the primary method of resolving names to connect to other Windows 2000 computers. Windows 2000 doesn’t require NetBIOS support to communicate, and the NetBIOS interface can be disabled on Windows 2000 computers. Although Active Directory requires the use of DNS, it doesn’t require the use of Microsoft’s DNS server to operate. However, it is recommended. Active Directory does require support for Dynamic DNS (DDNS) updates using RFC 2136-compliant methods and the use of SRV (Service) records. You can successfully use BIND version 8.1.2 or higher on a Unix system to provide Dynamic DNS support. One large network that I work with on occasion is doing just that, using a Unix system running BIND to provide all of the DNS support for their network, even though they are migrating to Windows 2000. DNS support for your Windows 2000 network also requires the use of SRV records to identify the servers providing well-known services. An important example of this would be the Kerberos servers providing the network logon authentication. This is the mechanism used in an Active Directory domain to locate domain controllers and services.
If you are planning to use non-Microsoft DNS servers, BIND versions 4.9.6 and newer support SRV records, and BIND 8.1.2 and newer add dynamic update. The Windows NT 4 DNS server most closely resembles BIND version 4.9.6: it did not support SRV records until Service Pack 4, and no release of it supports dynamic updates. This is not to say that you cannot use Windows NT DNS servers in your Windows 2000 Active Directory domain. You can, but the authoritative DNS server for the Windows 2000 Active Directory domain must support both dynamic updates and the use of SRV records. So what do you do with your old Windows NT DNS servers? You have a couple of options. First, you can leave the DNS service installed on them and just make them secondary servers to your Windows 2000 or BIND 8.1.2 DNS server. You could also reinstall or upgrade the operating system and continue to run DNS. If neither of these options is appealing, donate the computer to a local school; it's a great tax write-off.
Windows Internet Name Service

The Windows Internet Name Service (WINS) provides NetBIOS name resolution in a dynamically assigned IP environment. This can be a very important function in a network that assigns client IP addresses through the use of the Dynamic Host Configuration Protocol (DHCP). The problem with WINS is that it has proven to be somewhat unreliable and often can be difficult to configure correctly. If you have one WINS server, it's simple to install. Add the service and it starts working. In a larger environment, you need to have more than one WINS server, and that requires replication, which can introduce new hassles. Basically, WINS was a great idea, but its implementation has left many professionals frustrated.

WINS may not be necessary on your network anymore. WINS provides the ability to resolve NetBIOS names to IP addresses, but in a Windows 2000 network everything is based on DNS names. If you will be running a mixed environment of Windows 2000 and NT or Windows 9x clients, consider running the WINS server service on one or more of your Windows 2000 Servers. However, if the network will consist of only Windows 2000 Servers and clients, leave out WINS and reduce the associated NetBIOS traffic on your network. On a network running only Windows 2000, Microsoft recommends disabling the NetBIOS interface on all computers to further reduce network traffic; doing so also closes the NetBIOS name, datagram, and session ports (UDP 137 and 138, TCP 139), which are a favorite target of network scanners. WINS is useful for supporting legacy clients or applications that require NetBIOS naming. This is something you should determine during your design and testing phase when planning for a deployment. If at all possible, try to eliminate the need for NetBIOS-based services.
Dynamic Host Configuration Protocol

Many TCP/IP network administrators consider Dynamic Host Configuration Protocol (DHCP) to be the best thing since sliced bread, since it relieves them of the burden of individually configuring each workstation. DHCP is based on the Bootstrap Protocol (BootP) and can be used to deliver the entire TCP/IP configuration a host will need in order to access the network.
Microsoft Exam Objective
Develop a domain upgrade strategy. Configure networking protocols, DHCP, LAN Manager replication, WINS, NetBIOS, Windows 2000 DNS Server service, and existing DNS service.
DHCP in Windows 2000 becomes more important as it works closely with the Dynamic DNS service. When the DHCP service in Windows 2000 has issued a lease to a client computer, it then notifies the DNS server of the lease and updates the database. Now any client using that DNS server can obtain the name resolution for that dynamically addressed client.

One significant change with DHCP in Windows 2000 is the requirement to authorize a server before it can begin to assign addresses. This may help to prevent the appearance of rogue DHCP servers in a large network. I was once both horrified and amused to learn after delivering a class on Windows NT Server that one of my students had gone back to his desk and installed a DHCP server with a scope of bogus addresses. Horrified because of what this does to a functional network (you may never see a more efficient way of creating address conflicts) and amused because I now had proof that he wasn't really paying attention in class. The point is, under NT 4 you could do this easily. Windows 2000 requires that an administrator authorize the DHCP server before it will actually issue any addresses. This should help avoid the situation I mentioned above.

EXERCISE 1.2
Authorizing a DHCP Server
To authorize the DHCP server, follow these steps:
1. Log on to the server (it’s usually best to log on at the server to be authorized) using an account with sufficient permissions to authorize the service. Authorization requires an Enterprise Administrator, unless the permission has been delegated.
2. After installing DHCP on your Windows 2000 Server, open the DHCP console by choosing Start > Programs > Administrative Tools > DHCP.
3. Expand the console tree to view the server name. Highlight the server to be authorized and select Authorize from the Action menu.
Windows 2000 will detect and, wherever possible, disable an unauthorized Windows 2000 DHCP server on the network in an Active Directory environment. Your server must be either a member server or a domain controller before it can be authorized to act as a DHCP server in an Active Directory domain. Stand-alone servers cannot be authorized, as they have no status in the Directory.

The DHCP service in Windows 2000 uses the DHCPINFORM message to query any other DHCP servers on the local network, broadcasting it when the service starts. DHCPINFORM itself is defined in RFC 2131; a DHCP client sends it when it already has an address but wants configuration parameters from a server. What is new with Windows 2000 is using it for this purpose, with vendor-specific options carried in the replies. The DHCP server sending the message collects the data from the other servers it discovers, including the root of the domain or forest and the presence of Active Directory services. If it finds these services, it queries the Directory to see if it is listed in the authorized DHCP server list. If so, the service initializes and begins serving addresses to DHCP clients. If the entry is not found in the Directory, the DHCP service is stopped on the server that is making the query.

Keep the limits of this check in mind. It is enforced by the Windows 2000 DHCP service on itself: a rogue Windows NT 4 DHCP server, a DHCP server on another operating system, or a small router with its DHCP server switched on never sends the DHCPINFORM query or consults the Directory, and will hand out leases regardless. Authorization prevents accidental rogue servers of the kind described above, not deliberate ones; catching those still requires watching the wire for DHCPOFFER and DHCPACK messages from server addresses you do not recognize.
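An added example, not from the book and not Microsoft's DHCP code, of the wire-level check that authorization cannot give you. The packets below are constructed by hand in the RFC 2131 layout (the addresses, the client MAC and the authorized-server list are assumptions); a rogue server answering clients shows up as a DHCPOFFER or DHCPACK whose server identifier (option 54) is not on the list of servers authorized in the Directory. The same parser decodes a client's DHCPINFORM.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"           # RFC 2132: marks the start of options
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 6, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}
CLIENT_MSG_TYPES = {1, 3, 4, 7, 8}           # DISCOVER, REQUEST, DECLINE, RELEASE, INFORM


def build_dhcp(msg_type, xid, client_mac, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
               server_id=None, extra_options=()):
    """Build a minimal BOOTP/DHCP message: RFC 2131 fixed header plus options."""
    op = BOOTREQUEST if msg_type in CLIENT_MSG_TYPES else BOOTREPLY
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,
                         IPv4Address(ciaddr).packed, IPv4Address(yiaddr).packed,
                         b"\0" * 4, b"\0" * 4,          # siaddr, giaddr
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id is not None:
        options += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    for code, value in extra_options:
        options += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_dhcp(packet):
    """Decode the fields an audit needs: op, xid, yiaddr and the option map."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                        # pad byte, no length field
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": str(IPv4Address(packet[16:20])),
            "options": options}


def audit_servers(packets, authorized):
    """Return (server_id, message type, offered address) for every server reply
    whose server identifier is not in the authorized set."""
    rogue = []
    for pkt in packets:
        msg = parse_dhcp(pkt)
        opts = msg["options"]
        if msg["op"] != BOOTREPLY or OPT_MSG_TYPE not in opts or OPT_SERVER_ID not in opts:
            continue
        server = str(IPv4Address(opts[OPT_SERVER_ID]))
        if server not in authorized:
            rogue.append((server, MSG_TYPES.get(opts[OPT_MSG_TYPE][0], "?"), msg["yiaddr"]))
    return rogue


# Constructed traffic for the example (not captured from a real network).
MAC = b"\x00\x11\x22\x33\x44\x55"
AUTHORIZED = {"10.1.1.2"}                    # the servers listed in the Directory
SAMPLE_PACKETS = [
    build_dhcp(8, 0x1001, MAC, ciaddr="10.1.1.50"),                # client INFORM
    build_dhcp(2, 0x1002, MAC, yiaddr="10.1.1.51", server_id="10.1.1.2",
               extra_options=[(OPT_ROUTER, IPv4Address("10.1.1.1").packed)]),
    build_dhcp(5, 0x1002, MAC, yiaddr="10.1.1.51", server_id="10.1.1.2"),
    # a rogue server handing out an address from the wrong network
    build_dhcp(2, 0x1003, MAC, yiaddr="192.168.0.50", server_id="10.1.1.77",
               extra_options=[(OPT_ROUTER, IPv4Address("192.168.0.1").packed),
                              (OPT_DNS, IPv4Address("192.168.0.1").packed)]),
]

if __name__ == "__main__":
    for server, kind, addr in audit_servers(SAMPLE_PACKETS, AUTHORIZED):
        print(f"unauthorized DHCP {kind} from {server} offering {addr}")
```

Feed `audit_servers` the UDP port 67/68 payloads from a capture and it flags the offer from 10.1.1.77. The server identifier is whatever the sender chooses to put in option 54, so treat a hit as a lead to the MAC address in the frame, not as proof of where the server lives.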
Remote Access Service

Your Windows NT Server may be installed to provide dial-up access for users working from home, and upgrading to Windows 2000 may impact the type and scope of services you can provide. Remote Access Service (RAS) has been replaced with Routing and Remote Access Service (RRAS) in Windows 2000. It offers improved performance for dial-up clients and superior routing capabilities when compared to NT 4. RRAS provides some new protocols to add security to the network:

Extensible Authentication Protocol (EAP) Enables the client and server to negotiate the best way to process authentication. Possibilities include generic token cards, Message Digest 5 Challenge Handshake Authentication Protocol (MD5-CHAP), and Transport Layer Security (TLS). EAP is defined in RFC 2284.

Remote Authentication Dial-in User Service (RADIUS) RADIUS is typically used in an environment where many users are dialing into the network and security is required, such as an Internet Service Provider. The dial-up server acts as a RADIUS client and queries another server (the RADIUS server) to authenticate the dial-up user; the two servers protect the exchange with a shared secret known only to them. The Internet Authentication Service (IAS) in Windows 2000 can act as a RADIUS server. RADIUS is defined in RFCs 2138 (authentication) and 2139 (accounting).

Internet Protocol Security (IPSec) IPSec authenticates and, optionally, encrypts IP traffic between computers, which protects against spoofing, tampering, and eavesdropping on the network whether the attacker is inside or outside. IPSec is implemented in Windows 2000 as IPSec policies, which are assigned to computers, either locally or through the Computer Configuration portion of Group Policy; a policy cannot be assigned to a user. IPSec is described in RFC 1825 (since superseded by RFC 2401).

Layer 2 Tunneling Protocol (L2TP) The Point to Point Tunneling Protocol (PPTP) gained a lot of use in NT 4 but had some serious security limitations, such as non-secure authentication to establish the tunnel. L2TP provides some advancements that go a long way toward plugging these holes. L2TP itself does not encrypt anything; it can be combined with IPSec to provide a very secure tunnel across an IP internetwork, or it can be carried directly over ATM, X.25, or Frame Relay networks. At the time of this writing, L2TP was still in draft phase; you can find it at http://ds.internic.net/internet-drafts/. (It has since been published as RFC 2661.)

Bandwidth Allocation Protocol (BAP) Despite sounding like it belongs in a comic book, BAP provides some very cool capabilities for enhancing the use of PPP Multilink. Multilink enables clients to dial up to a server using multiple phone lines to create a single network connection. BAP will sense when some of the phone lines are relatively idle and drop the session on them in order to re-allocate them for other clients. This protocol can dynamically add or remove lines according to where the greatest need is currently. BAP can even trigger a callback to establish an additional line for an existing session. Multilink is described in RFC 1990, and BAP is defined in RFC 2125.

Windows 2000 RRAS can provide extensible dial-up services for your network and enhanced security. It also supports the use of PPTP or L2TP to create and manage Virtual Private Networks (VPNs) natively. All of the RRAS functions are managed through the Routing and Remote Access console shown in Figure 1.5.
The Routing and Remote Access console lets you manage all of your dial-up and routing configurations.
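An added example, not the book's and not Microsoft's IAS code: both sides of the RADIUS exchange described above, written from RFC 2138 so you can see what the shared secret does and does not protect. The user name, password, shared secret, and NAS address are constructed for the example. The dial-up server (the RADIUS client) hides the user's password by XORing it with an MD5 stream keyed by the secret, and the RADIUS server signs its reply with an MD5 over the reply and the same secret; nothing else in the packet is protected.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4      # attribute types


def hide_password(password, secret, request_auth):
    """RFC 2138 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request
    Authenticator, so the same password hides differently in every request."""
    data = password.encode()
    data += b"\0" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(p ^ k for p, k in zip(data[i:i + 16],
                                            hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password; the chain runs over the received blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16],
                                           hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0").decode(errors="replace")


def build_packet(code, ident, authenticator, attributes):
    """Code, Identifier, Length, 16-byte Authenticator, then type/length/value attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), authenticator) + body


def parse_packet(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, i = {}, 20
    while i < length:
        t, l = packet[i], packet[i + 1]
        attrs[t] = packet[i + 2:i + l]
        i += l
    return code, ident, packet[4:20], attrs


def nas_access_request(user, password, secret, ident=1, request_auth=None):
    """Dial-up server (RADIUS client): send an Access-Request with a hidden password."""
    request_auth = request_auth or os.urandom(16)
    packet = build_packet(ACCESS_REQUEST, ident, request_auth, [
        (USER_NAME, user.encode()),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes([10, 1, 1, 5]))])      # assumed NAS address
    return packet, request_auth


def radius_server(packet, secret, user_db):
    """RADIUS server: check the credentials and sign the reply with the secret."""
    code, ident, request_auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        return None
    user = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    reply = ACCESS_ACCEPT if user_db.get(user) == password else ACCESS_REJECT
    head = struct.pack("!BBH", reply, ident, 20)       # no reply attributes here
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(head + request_auth + secret).digest()
    return head + response_auth


def nas_verify_response(response, request_auth, secret):
    """Return the reply code only if the Response Authenticator checks out;
    a reply that fails this check must be dropped, not treated as a reject."""
    code, _ident, response_auth, _attrs = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return code if hmac.compare_digest(response_auth, expected) else None


if __name__ == "__main__":
    secret = b"long-random-shared-secret"               # constructed for the example
    users = {"jsmith": "Winter2000"}
    req, ra = nas_access_request("jsmith", "Winter2000", secret)
    resp = radius_server(req, secret, users)
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
    print("NAS sees:", names.get(nas_verify_response(resp, ra, secret), "forged or corrupted reply"))
```

Two things follow from the code. The password hiding is only as strong as the shared secret and the randomness of the Request Authenticator, so use a long random secret per NAS and restrict the RADIUS server to the NAS addresses it expects; and an attacker who can swap an Access-Reject for an Access-Accept is stopped only because the NAS verifies the Response Authenticator, so a NAS that skips that check is accepting anyone's answer.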
Developing an Upgrade Procedure

You're probably thinking, "I thought we have been developing an upgrade procedure." In reality, we've been looking at all of the points that you will need to consider in your deployment plan, but now you need to consider the actual procedure that should be followed during the deployment. This procedure is also an item that must be planned for and tested before performing the real rollout.
Before you begin planning, take a moment to remember your upgrade goals. Most of the time, goals center on either business needs or technology needs. You likely decided to upgrade for a specific reason, not just because it sounded like fun. In this planning, always focus on the goals and how to most easily achieve them. Here are some business-related goals that you might want to consider during migration planning, along with features of Windows 2000 that support your goals:

Better manageability Windows 2000 provides many enhanced features to ensure that manageability is not an issue. In Windows NT, you had to create and maintain trust relationships among multiple domains yourself. Windows 2000 creates transitive trusts automatically among all domains in a forest. Windows 2000 allows you to structure your domain to reflect the organization of your company. This, along with the extended ability to nest groups, allows you more granular control of all resources on your network. The Microsoft Management Console (MMC) provides one interface for administration, which saves you the time of learning multiple administrative interfaces.

Greater scalability Windows 2000 Server allows access to up to 4GB of physical memory (Advanced Server supports 8GB and Datacenter Server 64GB). Also, Windows 2000 no longer lives by the NT limitation of a 40MB Security Accounts Manager (SAM) database. Active Directory can literally store millions of objects without trouble.

Improved security Through the use of Group Policy, administrators can assign very specific restrictions to users and computers, filtered by group membership. Windows 2000 also comes with a Security Configuration and Analysis tool to compare a computer's current settings against a security template and reapply the template if the computer has drifted from it. Microsoft refers to this as a "define once, apply many times" approach to security.

Upgrading your network to Windows 2000 is supposed to increase productivity and decrease administrative overhead in the long run.
While planning to perform this migration, keep in mind some implications for the migration itself:

Minimize disruption to the production environment User access to applications and resources should not be sacrificed. Ideally, there will be no down time during the migration where users cannot access the resources they need to perform their jobs. You should also be able to maintain users' environments during and after migration.

Minimize administrative overhead Migrating user accounts, user account settings (passwords), and permissions should not require disruption of resource access. Plan ahead to keep migrations as seamless as possible.

New features When migrating to Windows 2000, try to activate the new features as quickly as possible. Also, don't compromise any security settings or policies during the migration.
Order of Migration In order to make the migration as smooth as possible, it is advisable to perform the following steps in the proper order. You will also want to be sure to carry out the upgrade in a test environment before performing the actual procedure.
Pre-upgrade The ideal situation would be for you to be able to use your current domain controllers as domain controllers for the Windows 2000 domain. In some cases, this may not be possible due to insufficient hardware. The first step, assuming that you want to continue to use the current domain controllers, is to verify that the current hardware is capable of supporting Windows 2000 as a domain controller. Take an inventory of all current domain controllers, and make a computer assignment table. List which computers can be upgraded and which cannot. If needed, purchase additional hardware that meets the requirements of Windows 2000. Once you have validated the existing hardware, you need to secure the domain data. Do this by backing up the PDC as well as at least one BDC. Make sure before you back up the BDC that it has been synchronized with the PDC. You will also want to remove a synchronized BDC from the network and store it. If the migration fails for any reason, you now have a backout machine with which to restore the old domain.
Finally, install a Windows 2000 Server into the existing Windows NT domain, and install the DNS service. This DNS service is required for Active Directory.

EXERCISE 1.3
Upgrade Procedures
Once you have completed all pre-upgrade procedures, you can start the actual migration:
1. Configure a remaining BDC as an LMRepl export server for logon scripts (if needed). The PDC will no longer be able to play the role of export server once it runs Windows 2000, which does not include the LAN Manager replication service (Windows 2000 replicates SYSVOL with the File Replication Service instead). Ideally, the machine you make the export server will be the last domain controller upgraded to Windows 2000.

2. Upgrade the PDC to Windows 2000.

3. Verify the DNS configuration on the Windows 2000 member server you installed in the NT domain.

4. Promote the former PDC to a Windows 2000 domain controller as a new domain controller in a root domain.

5. Test the new Windows 2000 environment by creating a user and logging on.

6. Promote the Windows 2000 member server to a domain controller. You want to ensure that there is not one point of failure for your new domain. The quickest way to accomplish this is to promote your existing Windows 2000 member server to a domain controller.

7. Upgrade the Windows NT BDCs to Windows 2000. Just because you upgrade them does not mean they have to be domain controllers in the new domain. That is a decision you need to make here.

8. Switch to native mode once all the domain controllers are migrated. Native mode is a one-way change: once the domain is in native mode you cannot add Windows NT BDCs to it again, so be sure the backout BDC you set aside is no longer needed before you switch.

10. Upgrade the client computers.

11. Migrate the global groups, local groups, and users.

Once again, it is strongly recommended to attempt the migration in a test environment before performing the actual upgrade.
Upgrading Complex Windows NT Domain Structures

Not all of us are lucky enough to have a single-domain NT model currently in place. When upgrading more complex domain models, the process as outlined above generally stays the same. The first question is "In what order do I migrate my domains?" Once I have determined that, I ask, "What type of Windows 2000 domain structure am I going to want to have?" First, migrate the accounts domain as a parent domain in a new forest. Administration will be easier, and it provides for more control of the new Windows 2000 domain structure than if you migrate resource domains first. Once your accounts domain has been migrated, you can then migrate your resource domains. When migrating resource domains, you have a few choices. One choice is to create child domains of the existing parent domain. The other is to restructure and consolidate all domains into one. Before deciding on a plan, consider a few reasons why the resource domains existed:
The limitation of the domain SAM database size
To provide local administrators with administrative capabilities while not affecting other domains
Windows 2000 has eliminated both of these excuses for having resource domains separate from the accounts domain. There is no longer a limit on the SAM database size. The ability to delegate control of resources to specific user accounts on specific containers allows for desired administrative control. As part of your upgrade plan, you may want to consider restructuring your resource domains as organizational units (OUs) within your new Windows 2000 domain. Since Windows 2000 no longer has a limit on the SAM database size, you will want to strongly consider migrating all user accounts to one domain if you were previously running a master domain model.
When upgrading resource domains, it may be difficult to decide which domain to upgrade first. Use these guidelines to assist in your decision:
Choose domains in which new applications will require Active Directory features. Applications like Microsoft Exchange Server 2000 require Active Directory. These applications are often mission-critical, so it is imperative to get them operational as soon as possible.
Choose domains with more clients over domains with fewer clients.
Choose domains that are targets for restructure.
To the list of upgrade steps, I will add one more: a debriefing phase where you and your team examine the things that went well and the things that didn’t. One of the constants in our industry is change. You can bet that your network will be going through another deployment somewhere down the road. Your current experience will benefit whoever is tasked with that job in the future.
Identifying Upgrade Paths

While performing clean installations of Windows 2000 would be the preferred method of upgrading your network, there will likely be times when you will want or need to upgrade an earlier version of NT and keep all of your user settings. For those times, keep in mind the available upgrade paths for Windows 2000. Table 1.5 shows the possible combinations of NT and Windows 2000.
Microsoft Exam Objective
Develop an operating system upgrade path. Considerations may include operating system version and service packs.
Table 1.5: The Upgrade Options from NT to Windows 2000

Operating System                    Can Upgrade To                                                  Can Become
Windows NT Workstation 3.51 - 4.0   Windows 2000 Professional                                       User workstation
Windows NT Server 3.51 - 4.0        Windows 2000 Server                                             Stand-alone server, member server, domain controller
Windows NT 4.0 Enterprise Edition   Windows 2000 Advanced Server, Windows 2000 Datacenter Server    Stand-alone server, member server, domain controller
Windows 95 or 98                    Windows 2000 Professional                                       User workstation
The ability to upgrade from Windows 9x is new to Windows 2000. With NT you could install a dual boot, or you could format and start over on a computer. Windows 2000 supports FAT32, which makes dual booting easy with either version of Windows, and the Windows 2000 Setup program knows how to upgrade the Windows Registry. Notice in Table 1.5 that versions of NT earlier than 3.51 are not supported for direct upgrades. The following operating systems require a fresh install of Windows 2000:
Windows NT Server 3.1
Windows NT Advanced Server 3.1
Windows NT Workstation 3.5
Windows NT Server 3.5
Windows NT Small Business Server
Windows NT Server with Citrix WinFrame installed
Windows 3.1
Even though the above operating systems cannot be directly upgraded to Windows 2000, they can be upgraded in a roundabout way. First, upgrade the operating system to one that has a supported upgrade path. Examples would be upgrading Windows 3.1 to Windows 98 or upgrading NT 3.1 to NT 3.51 or NT 4. Once that upgrade is completed, upgrade the new operating system to Windows 2000. This upgrade path may seem to be a bit of a reach. However, the major advantage of doing it this way is that all user account information and security information is maintained. This will save you the headache of having to re-create all users and groups, as well as reassigning permissions to all resources.
Summary
In this chapter, you learned about the hardware requirements of Windows 2000. You learned to assess the security implications of upgrading to Windows 2000 on your network, and you learned to evaluate application compatibility. You were introduced to the impact of an upgrade on common NT network services, including RAS, DHCP, and DNS. You learned how to authorize a Windows 2000 DHCP server so that it can issue IP addresses in an Active Directory domain. Finally, we discussed how to develop a procedure for deploying Windows 2000 on your network, and we considered the available upgrade paths. Many of the upgrade issues referred to specifics of planning and installing Active Directory, which will be covered in greater depth in Chapter 2.
Key Terms
Before you take the exam, be sure you're familiar with the following terms:
domain
forest
gradual deployment
host
mixed mode
recommended
schema
Review Questions

1. What is the minimum CPU speed and type supported by Windows 2000?
A. 66 MHz 80486
B. 400 MHz Pentium II
C. 133 MHz Pentium
D. 500 MHz Alpha

2. Your network currently uses DNS services provided by BIND version 4 running on a Linux server. Can your Active Directory network use this DNS service?
A. Yes
B. No

3. What Windows 2000 network service provides dynamic resolution of TCP/IP hostnames?
A. DHCP
B. DNS
C. RRAS
D. NetBIOS

4. You have just deployed Windows 2000 on your network and have implemented Active Directory. What component must you now install to combine administration of Active Directory and Exchange 5.5?
A. DNS
B. WINS
C. Outlook 2000
D. ADC

5. Which new protocol in RRAS enables you to create secure Virtual Private Networks?
A. PPTP
B. L2TP
C. IPSec
D. BAP

6. When deploying Windows 2000 to a series of line of business application servers, it is best to:
A. Upgrade them in parallel, leaving one old system in place while they are tested.
B. Upgrade them all at once.
C. Don't upgrade them because Microsoft Line of Business version 4 isn't compatible with Windows 2000.
D. Take the line of business servers offline until the upgrade is complete, then restore them on the network.

7. A user on your network has installed the DHCP server service on their Windows 2000 computer and configured a scope of addresses that are incorrect for your network. How will this affect your network?
A. It won't affect the network because the DHCP server isn't authorized on the domain.
B. It will cause clients to receive incorrect address leases and thus be unable to connect to the rest of the network.
C. It won't affect the network because the user authorized the DHCP service and the clients can safely get addresses from the server.
D. Nothing will happen because DHCP doesn't run on Windows 2000.

8. What must you do to a computer running Windows 3.1 before you can upgrade it to Windows 2000 Professional?
A. Insert the CD-ROM and start the setup.
B. Upgrade to either Windows 95 or Windows 98 first, then upgrade to Windows 2000.
C. You have to install Windows NT 3.1 because the upgrade.exe program can only be run from NT.
D. You must install Service Pack 3 for Windows before you can run the upgrade.

9. Which tool is used to authorize the DHCP service?
A. The DHCPCFG.exe command-line utility
B. The DHCP console
C. The Active Directory Users and Computers console
D. The Computer Management console

10. Any user can run the winnt32.exe program in Windows NT 4 to upgrade to Windows 2000.
A. True
B. False

11. You are considering installing Windows 2000 Professional on your computer, but you are unsure whether your video card is supported. How can you find out if the card is supported during setup?
A. You can't, but it's OK because Windows 2000 looks better in VGA anyway.
B. Consult the HCL for Windows 98 because it uses the same drivers.
C. Run the Readiness Analyzer to detect possible issues with hardware or software support.
D. If it runs in NT 4, it will work with Windows 2000.

12. The Windows Internet Name Service (WINS) is required to enable domain controllers running Active Directory to locate one another on a Windows 2000 network.
A. True
B. False

13. Windows 2000 can deploy user applications using Group Policy Objects (GPOs). Which file is used to create the distribution?
A. The sms.ini file
B. The .MSI file for the application
C. The autoexec.bat file
D. The install.cmd file

14. You want to install Windows 2000 Advanced Server on your computer. What is the maximum number of CPUs that Advanced Server supports?
A. 2
B. 16
C. 8
D. 32

15. Which type of resource record must your DNS server support in order to support a Windows 2000 network using Active Directory?
A. WINS
B. CNAME
C. SRV
D. HOST

16. You have a Windows NT 4 Terminal Server in your network that you want to upgrade to Windows 2000 Advanced Server. The server also has MetaFrame from Citrix installed. How will this affect the planned upgrade?
A. It will have no effect whatsoever. Citrix products are fully supported by Windows 2000.
B. You cannot upgrade a server running MetaFrame to Windows 2000.
C. You must first disable the MetaFrame service, then perform the upgrade.
D. You must first install Service Pack 4 for MetaFrame, then perform the upgrade.

17. Your company is considering the purchase of a new server that has 8GB of RAM and 32 processors. Which version of Windows 2000 will support this configuration?
A. Windows 2000 Professional
B. Windows 2000 Server
C. Windows 2000 Advanced Server
D. Windows 2000 Datacenter Server

18. Which new protocol in RRAS manages the use of multiple phone lines in a Multilink connection to add or remove lines?
A. IPSec
B. BAP
C. L2TP
D. PPP

19. You are planning to deploy applications using Group Policy but are concerned about the level of Windows 2000 support from the software vendor. Which of the following certification levels would ensure that the application will run on Windows 2000?
A. Certified
B. Ready
C. Planned
D. Caution

20. You have been asked to plan the domain namespace for the new Active Directory domain in your company. You have five domains in a complete trust model. Your company is connected to the Internet and runs its own e-commerce site. What should you use for the Active Directory name?
A. The Internet domain name for your company
B. Whichever domain has the most political power
C. The domain name where your boss's account resides
D. Bob, because you really like the name
Answers to Review Questions

1. C. Windows 2000 will install and run on a minimum of a 133 MHz Pentium processor, although a faster processor will yield better performance.

2. B. BIND DNS servers can be used to provide DNS services to Windows 2000, but they must be BIND version 8.1.2 or higher to supply both SRV records and dynamic updates.

3. B. The Domain Name System service provided in Windows 2000 supports dynamic updates.

4. D. The Active Directory Connector (ADC) provides a connection between the directory used in Exchange 5.5 and Active Directory, enabling you to administer both from a single tool.

5. B. The Layer 2 Tunneling Protocol provides secure authentication for creating tunnels and can be used with IPSec to encrypt all data transmitted through the tunnel.

6. A. By definition, line of business servers are critical to the daily operations of a business. Upgrading them in parallel enables you to test the applications on Windows 2000 thoroughly before completing the upgrade.

7. A. All Windows 2000 DHCP servers must be listed in Active Directory as being authorized. If not, the DHCP service will stop, preventing harm to the network. (This protection is enforced by the Windows 2000 DHCP service itself; a DHCP server running on another operating system is not stopped by it.)

8. B. There is no direct supported upgrade path from Windows 3.1 to Windows 2000. You must upgrade Windows 3.1 to Windows 9x or Windows NT 4.0 first.

9. B. You perform all management tasks for the DHCP server service through the DHCP console in Administrative Tools.

10. B. Only an administrator can start the winnt32.exe Setup program.

11. C. The Readiness Analyzer reports on the compatibility of detected hardware and software prior to running setup. In addition to being included in the Microsoft software, it can also be downloaded separately from Microsoft and run on NT 4 or Windows 9x.

12. B. WINS provides NetBIOS name resolution. Active Directory does not use NetBIOS to locate domain controllers.

13. B. The Windows Installer package file format contains all of the files necessary to install the application and can easily be distributed through GPOs as Published or Assigned applications.

14. C. Windows 2000 Advanced Server supports up to eight processors.

15. C. The new SRV resource record is required by Windows 2000 and is used to locate domain-level services such as Kerberos and LDAP.

16. B. Windows 2000 doesn't support upgrading over Citrix WinFrame or MetaFrame products.

17. D. Windows 2000 Datacenter Server supports up to 32 processors and 64GB of RAM.

18. B. The Bandwidth Allocation Protocol helps RRAS to manage multiple lines for Multilink sessions, dynamically adding or removing lines for efficient use of available bandwidth.

19. A or B. Certified means that Microsoft has tested the application for Windows 2000 compatibility. Ready means that the software vendor has tested the application for Windows 2000 compatibility.

20. A. Because Active Directory is integrated with DNS, it makes the most sense to use the existing Internet domain name for your company as the name of the root domain in Active Directory. Plan to serve the internal zone separately from the public one (split DNS) so that the SRV records and internal host addresses never appear on Internet-facing DNS servers. Bob is a nice name, though.
Planning for Active Directory

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Select the migration type. Types consist of domain upgrade and restructure, domain upgrade only, and domain restructure only.
Plan migration.
Select domains and establish proper order for migrating them.
Select destination of migrated objects.
Plan for incremental object migrations as appropriate.
Before you begin to implement anything, in any project, planning must take place. Former California Governor Jerry Brown once said, "The reason that everybody likes planning is that nobody has to do anything." While he has a point (just ask your project manager), planning is the first critical step to a successful implementation. It may not be "doing" anything, but it's really doing the most important long-term part. When it comes to Active Directory, a lot of options may be new to you; this is, after all, a new technology. You may already have an NT domain. A lot of configuration planning has hopefully been done. But now what? What needs to be done to accomplish what we need done, and what new things can we deploy? Be familiar with the new technology and the new structures possible. Once you are familiar with the technology, brainstorm to figure out how to best apply it to your situation. Every network implementation will be different. So learn, plan, and plan some more.
Understanding Active Directory

Active Directory is arguably the most exciting new feature in Windows 2000. It can also have the largest learning curve when starting out. Basically, Microsoft is replacing the Security Accounts Manager (SAM) database with a new database with much greater capabilities. I still remember how excited I got when I read the first white paper on Active Directory. I knew that the SAM has a performance limit of 40MB, or roughly 40,000 objects. Now I was reading that the new database behind Active Directory had been tested with several million objects and that they really hadn't found a limit yet. Very cool, I thought.

But the coolest feature is probably the fault tolerance of Active Directory. In the new model, every domain controller maintains an equal copy of the directory database, and each of them can receive updates to the database. This means no more primary or backup domain controllers, only domain controllers. Since all of them are equal, they can all log you on to the domain, create and modify user accounts, and handle the replication of the accounts to their peers. This type of replication model is called multiple master replication. All of the domain controllers have master copies of the database, and they are equally responsible for replicating any changes in the accounts to the other domain controllers. This means that if a domain controller goes offline for any reason, you have time to restore it to working order, since all of the other domain controllers have equal, working copies of the directory database. That time is not unlimited, though: a domain controller that has been offline longer than the tombstone lifetime (60 days by default in Windows 2000) must not simply be reconnected, because deletions it missed will be replicated back into the directory; rebuild it, or restore it from a backup newer than the tombstone lifetime.

Many of you may be thinking that Active Directory sounds a lot like the NetWare Directory Services (NDS) in NetWare 4 or 5. It is a lot like NDS, yes, and actually will integrate with NDS in mixed environments. In fact, Active Directory can be integrated with any directory database system that uses the Lightweight Directory Access Protocol (LDAP) for directory queries. All you will need is a software agent that understands both directories and that can perform the translation between them.
Understanding the Structure of Active Directory
This is where we get into the real meat of the matter. Active Directory is built on a logical hierarchy of objects. Wow, sounds technical already, doesn't it? Active Directory holds two basic types of objects: container objects, which hold other objects, and leaf objects, which cannot contain anything. Domains, organizational units and the built-in containers (Users, Computers and so on) are containers; users, computers and printers are leaf objects. A group is also a leaf object: its members are recorded in an attribute of the group, not stored underneath it, so a group account is not a container in the directory sense. The basic building blocks of Active Directory are: Forest A forest is the top-level organizational object in Active Directory. A forest is one or more trees that share a single schema, configuration and Global Catalog, and it describes an organization or even a group of organizations that are cooperating in their network designs. When you create the first domain, you also create a tree and a forest.
Microsoft typically describes a forest as a collection of trees that do not share a contiguous namespace. As an example, Microsoft.com and Sybex.com have completely different namespaces; if we were to combine both trees into one logical network, that would constitute a forest. Tree A tree is a set of domains with a contiguous namespace: a root domain and any child domains under it (a single domain is a tree of one). Trees describe the organizational structure of a company rather well, since there is usually one domain that forms the root (corporate headquarters, for example) and other domains subordinate to it (branch offices). Take the Sybex.com domain: Sybex.com would be the root (or parent), and domains like sales.Sybex.com and marketing.Sybex.com would be child domains. They all share the root domain name Sybex.com. Trees are often organized departmentally or geographically. Organizational Unit Organizational units (OUs) form the hierarchy within a domain. If your company uses separate domains for physical locations, but there are several administrative units at each location, you would create an OU for each administrative unit in a location. You can delegate administrative permissions and rights over an OU to a single user or group; that account then has administrative rights within that OU, but not over the rest of the domain or tree. Objects In Active Directory terms, an object is something with attributes. In human terms, an object could be a user, a group, a printer, or even an application that has been published to the directory. To Active Directory, everything is an object, containers included; leaf objects sit at the bottom of the hierarchy and contain nothing else. Now, in order to put some of these objects together to form an Active Directory, let's start with a single domain.
I’ll use a fictitious company called Coolcompany for our practice, and I’ll apologize if that name’s already in use. (Have you tried lately to come up with a company name that’s not in use?) Coolcompany has three locations around the country. They currently have a single master domain model, as shown in Figure 2.1.
When asked to design a migration plan for the Coolcompany network, you will be faced with decisions such as whether you will use separate domains for each location, as the company has done under NT 4, or you will combine them into one domain. If you choose to combine them into a single domain, will you maintain centralized administration, or will you choose to delegate authority to local administrators in OUs? In order to make the best decisions when preparing for your migration, you’ll have to be well informed and fully understand Active Directory roles. We’ll return to Coolcompany throughout this chapter for our examples.
Understanding Active Directory Roles
Active Directory defines five Flexible Single Master Operations (FSMO) roles for domain controllers. Microsoft also refers to these server roles as Operations Masters. They cover the few operations that cannot safely be done multimaster, such as handing out identifiers or changing the schema, so each role is held by exactly one domain controller at a time. By default the two forest-wide roles sit on the first domain controller installed in the forest, and the three domain-wide roles sit on the first domain controller installed in each domain. These roles can place an extra load on the server, so be sure to provide enough hardware for the first domain controller, or better, create a couple more domain controllers and distribute the roles. FSMOs are said to be flexible because a role can be transferred to another domain controller (any domain controller in the domain for the domain-wide roles, any in the forest for the forest-wide roles). This way, you can distribute the load and avoid overloading the first domain controller. One of the shortcomings of Windows NT was the PDC/BDC structure. You always relied on the primary domain controller for all security changes on the network, such as adding users or modifying group memberships. If the PDC failed, many network services stopped. In Windows 2000, we are not reliant on one
particular machine to provide PDC-type functionality. There are five FSMO roles. Two apply to the entire forest; that is, only one domain controller in the forest can hold each of them. They are:

Schema Master The schema is the description of the object classes and attributes that can exist in Active Directory, and it is shared by every domain in the forest. If you wanted to create additional properties for your user accounts, such as attaching a Visio diagram showing the location of their office, you would extend the schema to include a place for that diagram. The Schema Master is the only domain controller that accepts writes to the schema; once a change is made there, it replicates to every other domain controller in the forest through normal replication.

Domain Naming Master The Domain Naming Master is the only domain controller that can add domains to or remove domains from the forest, or create, modify, or remove cross-references to other directory partitions. When a new domain is added to the forest, the Domain Naming Master ensures that no other domain already has the proposed name.

Within each domain, exactly one domain controller holds each of the following Operations Master roles:

Primary Domain Controller Emulator Master The PDC Emulator is important if you have Windows NT BDCs or clients older than Windows 2000, since they need a PDC for operations such as changing passwords: to down-level machines it behaves just like an NT PDC, and it replicates directory changes to any remaining NT BDCs. The role still matters in a native-mode domain. Password changes made on any domain controller are replicated to the PDC Emulator first, and a domain controller that rejects a logon because of a bad password checks with the PDC Emulator before failing the logon, so a user whose new password has not yet replicated everywhere can still log on. This is the preferential treatment it receives when domain security changes are made.

Relative Identifier Master Every security principal (user, group, or computer) has a Security Identifier (SID) made of two parts: a domain identifier, which is the same for every object in the domain, and a relative identifier (RID), which makes the object unique within the domain. Any domain controller can create security principals, so each one is given a pool of RIDs to consume; the RID Master is the domain controller that allocates those pools and guarantees that no two domain controllers ever hand out the same RID. When a domain controller's pool runs low it requests another from the RID Master, which is why a RID Master that stays unavailable eventually stops account creation in the domain. The RID Master is also the domain controller that must process a move of an object out of its domain; it coordinates with the destination domain so that the object receives a new SID there (the old SID is kept in the sIDHistory attribute, discussed later in this chapter).
Infrastructure Master The Infrastructure Master keeps cross-domain references up to date. When a group in this domain contains a member from another domain, the domain controllers here store only a reference to that member (its SID and distinguished name); if the object is renamed or moved in its home domain, the Infrastructure Master notices the change, updates the reference, and replicates the fix to the other domain controllers in the domain. In a single-domain forest there are no cross-domain references and the role has nothing to do. One placement rule follows from how it works: unless every domain controller in the domain is also a Global Catalog server, the Infrastructure Master must not be a Global Catalog server, because a Global Catalog already holds a copy of the referenced objects and the Infrastructure Master would never see a stale reference to fix. When you create a new domain to begin your Active Directory network, the first domain controller holds all five Operations Master roles by default. It is a very good idea to install at least two more domain controllers and distribute some of the roles to take the burden off that first server. Proper placement of Operations Master servers also helps decrease network traffic: place them where the concentration of users is greatest or in the physical location where most of the administrative work takes place. The three domain-level roles are managed from the Active Directory Users and Computers console: right-click the domain and choose Operations Masters to open the dialog box shown in Figure 2.2, which has one tab per role showing the current holder. To transfer a role, first connect the console to the domain controller that should take it over, then click Change on the appropriate tab. The Domain Naming Master is transferred the same way from Active Directory Domains and Trusts, and the Schema Master from the Active Directory Schema snap-in; all five can also be transferred, or seized from a dead holder, with the roles command of ntdsutil. FIGURE 2.2
There is one other server role that is important to an Active Directory domain: the Global Catalog (GC) server. There can and should be many Global Catalog servers in a forest. These are domain controllers that, in addition to the full copy of their own domain, hold a partial, read-only replica of every object in every domain of the forest, carrying the subset of attributes most often searched for. They answer forest-wide queries, such as a user browsing the directory for a printer or shared folder. The Global Catalog also holds universal group membership, which is why a domain controller in a native-mode domain must reach a Global Catalog server to build a user's complete access token at logon; if none is reachable, logons can fail. That, and cutting down WAN traffic, is why it's a very good idea to have a Global Catalog server in every physical location in your network.
If one of the FSMO holders fails, an administrator can make another domain controller seize its role (with ntdsutil). Seizure is a last resort, because the old holder may have had changes that never replicated: use a normal transfer whenever the current holder can still be reached. Once the Schema Master, Domain Naming Master or RID Master role has been seized, the failed machine must never come back online as a domain controller in that forest (reinstall it instead), since two machines each believing they own one of these roles can issue conflicting identifiers or schema changes. The PDC Emulator and Infrastructure Master roles can be seized and later handed back without that risk.
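As an added example (not code from the book), the following PowerShell reads the five role holders directly from the directory objects that anchor each role, using their fSMORoleOwner attribute, which is exactly where the consoles above get their answer. It assumes it runs on a domain-joined Windows machine with the ADSI provider available, which in practice means a current Windows workstation rather than a Windows 2000 console; the function and variable names are mine.

```powershell
# Added example: list the five Operations Master role holders by reading the
# fSMORoleOwner attribute on the object that anchors each role.
# Assumes a domain-joined machine; no Active Directory module is needed.

function Get-FsmoRoleHolders {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNC = [string]$rootDse.defaultNamingContext
    $configNC = [string]$rootDse.configurationNamingContext
    $schemaNC = [string]$rootDse.schemaNamingContext

    # Each role is anchored on a specific object. The two forest-wide roles
    # live in the schema and configuration partitions; the three domain-wide
    # roles live in the domain partition.
    $roleAnchors = [ordered]@{
        'Schema Master'         = "LDAP://$schemaNC"
        'Domain Naming Master'  = "LDAP://CN=Partitions,$configNC"
        'PDC Emulator'          = "LDAP://$domainNC"
        'RID Master'            = "LDAP://CN=RID Manager`$,CN=System,$domainNC"
        'Infrastructure Master' = "LDAP://CN=Infrastructure,$domainNC"
    }

    foreach ($role in $roleAnchors.Keys) {
        $anchor  = [ADSI]($roleAnchors[$role])
        # fSMORoleOwner holds the DN of the holder's NTDS Settings object, e.g.
        # CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site,CN=Sites,CN=Configuration,...
        $ownerDn = [string]$anchor.fSMORoleOwner
        # The second RDN is the server object; strip its CN= prefix.
        $server  = (($ownerDn -split ',')[1]) -replace '^CN=', ''
        [pscustomobject]@{ Role = $role; Holder = $server; OwnerDN = $ownerDn }
    }
}

Get-FsmoRoleHolders | Format-Table Role, Holder -AutoSize
```

The same answer comes from the netdom query fsmo command. Moving a role is a separate step: use the roles menu of ntdsutil to transfer when the current holder is reachable, and to seize only when it is not.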
Choosing the Type of Migration
Well, now you’ve had a look at Active Directory, and it’s time to start applying this information to planning a migration of existing domains to Active Directory. There are several different scenarios to examine when considering the type of migration you are going to have. Most of the time, your migration decision will be based on your current network structure. There are two major concepts to consider when migrating to Windows 2000. First, what machines will be upgraded? Second, what type of restructuring will be involved, if any?
Upgrade Upgrading from Windows NT to Windows 2000 is a fairly common migration scenario. It involves the least amount of risk, and it is easy in the sense that most of your NT system settings and preferences will be retained. Even though you are upgrading the network, you do not need to upgrade all machines on your network. Windows 2000 supports mixed clients (Windows 9x and NT) without problems. However, you should consider upgrading all machines to Windows 2000, as this type of network allows you to use all features of the Windows 2000 operating system.
The most critical step in any upgrade or migration is planning. Proper planning will save the most headaches in the future and will also reduce the amount of real work you need to do during the migration. Microsoft also strongly recommends implementing all new network structures in a test environment that parallels your existing network. This allows you to check functionality and work out any issues you might encounter before implementing a production environment.
Beginning the Upgrade
To upgrade your existing domain, upgrade the PDC in the current Windows NT domain to Windows 2000 first, followed by any desired BDCs and member servers. Before upgrading the PDC, make sure all domain controllers are fully synchronized, then take one synchronized BDC offline and keep it that way until you are satisfied with the upgrade: if something goes wrong, that BDC can be promoted to PDC to bring the original NT domain back. When you install Windows 2000 onto your NT PDC, the Windows Installation program will detect the server's role and automatically prompt you to begin the installation of Active Directory. This will give you the option of creating the first tree in a new forest, installing a new tree in an existing forest, creating a replica in an existing domain, or installing a child domain. If this is the first Windows 2000 network for your company, then you will want to create a new tree in a new forest. The other options will be discussed later in this chapter. A couple of questions come to mind. First, do I need to keep my current PDC as a domain controller for my Windows 2000 network? Also, do I need to run the Active Directory Installation Wizard? To answer the first one, no, you don't need to keep the current PDC as a domain controller. Other options will be discussed later in this chapter. Secondly, yes, you do need to run the Active Directory Installation Wizard. Remember, that's how Windows 2000 promotes domain controllers. You need to have domain controllers to have a domain.
Upgrading the PDC As mentioned in the last section, installing Windows 2000 on an NT PDC will cause the Active Directory Installation Wizard to begin. The Active Directory installation process will automatically copy the entire contents of the Windows NT Security Accounts Manager (SAM) database into Active Directory. Windows 2000 refers to these objects (users, groups, computers) as security principals.
When the Active Directory installation is complete, the domain is running in mixed mode, which means that not all features of Windows 2000 are available yet. We must continue in mixed mode until all domain controllers for our domain are running Windows 2000. At this point, the former PDC holds the Operations Master role of PDC Emulator Master. It stores objects in Active Directory but remains backward compatible with the Windows NT BDCs, which gives us a couple of additional features:
The PDC Emulator Master looks like a Windows 2000 domain controller to Windows 2000 computers and an NT PDC to down-level computers.
New objects can be created on the Windows 2000 domain controller and replicated to Windows NT BDCs.
Windows NT and 9x client machines can use the PDC Emulator Master as a logon server.
If the PDC Emulator Master becomes unavailable (crashes), you can promote an NT BDC to PDC for the original NT domain.
Continuing the Upgrade Once your PDC is upgraded to Windows 2000, it’s time to start migrating other computers in the domain to 2000 as well. The next computers that make logical sense are the backup domain controllers. One of your immediate goals in migrating from Windows NT to Windows 2000 should be to get the domain running in native mode as quickly as possible. Only native mode allows the full functionality of Windows 2000. In order to switch to native mode, you cannot have or plan to have any Windows NT BDCs as part of the domain.
Changing from mixed mode to native mode is a one-way process. You cannot switch from native mode to mixed mode.
Switching to native mode causes several things to happen:
The PDC Emulator stops acting as a single-master replication source for NT BDCs; from now on every domain controller is a Windows 2000 domain controller and all replication is multimaster.
You can no longer add Windows NT BDCs to the domain.
New features are enabled, such as universal security groups, nesting of groups, converting groups between types, and domain local groups that can be used on member servers and workstations rather than only on domain controllers.
In some cases, you may want to keep running in mixed mode. Mixed mode is the only mode that keeps full backward compatibility with Windows NT domain controllers. There are generally only a few specific reasons to stay in it. First, if the BDCs do not have the hardware to support Windows 2000, an upgrade is not possible. Second, if the BDCs are running applications that are not supported by Windows 2000, an upgrade is not possible. Third, if you need to be able to fall back to Windows NT for any reason, mixed mode is the only way, since an NT BDC can be promoted to PDC only while the domain is still mixed. You should always have a fallback or recovery plan, but there will be a point where you need to let go of the old environment. The term mixed mode refers only to the domain controllers in the domain, not to the clients. A domain whose domain controllers all run Windows 2000 in native mode, with down-level clients still on the network, is called a mixed environment; native-mode mixed environments allow full functionality of the Windows 2000 domain controllers. After upgrading your Windows NT domains, you may want to restructure your network. Restructuring requires additional planning compared to a simple upgrade. If a structural change is one of your main reasons for migrating, consider planning the restructure as part of the migration.
Upgrade and Restructure Performing an upgrade and restructure can take many different forms. This type of migration is typically available only if you currently have more than one domain. While it is possible to take one existing domain and migrate and restructure to multiple domains, it’s probably not a good idea. The reasons for having multiple domains in Windows NT have been addressed in Windows 2000. There is no longer the limitation of size on the SAM database, and delegation of administrative controls can be applied to OUs within a domain. When considering an upgrade and restructure, there are a few different options:
Select the migration type. Types consist of domain upgrade and restructure, domain upgrade only, and domain restructure only.
The first thing to consider is the existing structure of your network. Is it a Windows NT network? If it isn’t, then some of these decisions will be much easier, since you should be building a parallel network structure and then converting your computers to Windows 2000, as shown in Figure 2.3. But most scenarios will involve upgrading an existing NT 4 network to use Active Directory. FIGURE 2.3
Migrating to Windows 2000 often requires building a parallel domain structure. (Diagram: the existing network alongside the parallel network.)
In order to plan the kind of domain restructure that your network needs, you must consider the requirements of the organization, its physical structure, and any projected growth. Is there an existing domain structure that will be maintained? Or will you be performing a complete restructure as part of your migration? If you are planning to restructure, where are the administrative units? And where is the administrative staff for the network? All of these factors will weigh in your decision process for restructuring.
Restructure NT to Windows 2000
If you have an NT network, then this type is for you. Restructuring can mean we are taking multiple NT domains and consolidating them into one Windows 2000 domain, or it can mean we are going to restructure our existing NT domain controllers when performing our migration. Let's take the case of restructuring domain controllers first. The easiest way to upgrade your NT domain to a Windows 2000 Active Directory domain is to upgrade the PDC, followed by the BDCs and member servers as desired. But what if your PDC cannot be upgraded? If that's the case, install a new BDC in your existing NT domain. This machine will become the first domain controller of our Windows 2000 domain. Once it's installed in the NT domain and has synchronized, promote it to PDC; this automatically demotes the existing PDC to a BDC. Once the promotion/demotion takes place, install Windows 2000 onto your new PDC. Restructuring of domains usually takes place in one of three situations: post-upgrade, instead of upgrade, and post-migration. Post-upgrade restructuring is used to eliminate network complexity once the initial Windows 2000 domain has been established. If your current Windows NT network is considered unsalvageable, you may just want to scrap the whole thing and install a new Windows 2000 network. Hopefully this is not the case. Restructuring may also take place many years down the road, after the migration is ancient history. Restructuring Multiple NT Domains If you are running a Master Domain model, Multiple Master Domain model, Complete Chaos model, or anything in between, you will want to consider upgrading all existing domains on your network to one Windows 2000 domain. The two main reasons we used these domain models were the limit on SAM database size (40MB) and local administration of resources. Windows 2000 has no practical limit on the size of its security database.
Also, we can now delegate administrative responsibilities to users on organizational units. There are few reasons to need multiple domains. Consider a few advantages of migrating multiple NT domains into one Windows 2000 domain. First, all administration is centralized. Even though you may think this is a disadvantage (after all, more work for the central administrators), it’s nice that the central IT group can administer all resources if necessary. Second, no trust relationships are needed. These were a pain to administrate in Windows NT. Granted, Windows 2000 creates two-way transitive trusts for you between domains, but why deal with them if you don’t
need to? Third, departmental control over resources can still be granted to administrators in individual departments through delegation of control. Lastly, if users are trying to locate resources, they are all in one domain and easier to find. Okay, now that you’re convinced you want to consolidate domains as part of your migration strategy, what’s next? First, migrate your accounts (master) domain. If you have multiple masters, pick the one with the most users first. That new domain will become the root of your Windows 2000 forest. Then, migrate other accounts domains, followed by the resource domains. Within all domains, move the domain controllers first, then member servers, then client computers. When choosing which resource domains to upgrade first into the new restructured domain, there are a few guidelines to follow. First, migrate domains that have mission-critical applications. If the customer service SQL database is not available, that could seriously impact business. Second, migrate the domains with the largest numbers of computers.
Restructure Windows 2000 to Windows 2000
Huh? I just installed a new Windows 2000 domain, and now you want me to do more work? Well, sort of. Windows 2000 restructuring could take place in a variety of settings. Maybe you completed the migration and forgot some things. Maybe you completed the migration and now want to restructure your domains. There could be a number of reasons why you would want to restructure within Windows 2000, and we will look at the two major types: inter-forest restructuring and intra-forest restructuring. Since a Windows NT domain cannot be part of a Windows 2000 forest, and inter-forest literally means "between different forests," a migration from NT to 2000 counts as an inter-forest migration. Inter-forest Migrations Microsoft has identified two major inter-forest migration scenarios that should meet most businesses' requirements. These scenarios work with either a Windows NT domain or an existing Windows 2000 domain as the source domain and a Windows 2000 domain as the target domain. This is the primary migration scenario when migrating a Windows NT domain to a Windows 2000 domain without simply upgrading. One of your major goals during a migration should be to minimize interruptions to resource access on the network. Ideally, you could perform a migration during off-hours. Ideally, every lottery ticket you buy would be a
winner, too. An implication of maintaining resource access during the migration is that the production environment cannot be too drastically changed until the migration is complete. To ensure this, you will create a second network, or parallel network, to facilitate proper migration. There are advantages and disadvantages to using inter-forest migrations. Advantages include staged migrations, parallel environments, and fallback security. You can migrate groups of users at a time, test the migration in the old and new environments, and if anything goes wrong, abandon the operation with the old structure still in place. Some disadvantages to using inter-forest migrations include
Cloned users keep the SID from the source domain in the sIDHistory attribute of the new account. Because Windows honours a SID in sIDHistory at access-check time exactly as it honours the account's primary SID, this is what keeps access to old resources working, but it also means that any SID placed in sIDHistory grants whatever that SID is granted; the attribute should be populated only by the migration tools, and trusts with domains you do not control should have SID filtering enabled.
Microsoft's cloning tools do not copy passwords between forests; cloned users receive new passwords.
Cloned objects do not keep their original GUIDs. This is only an issue when the source domain is Windows 2000, since Windows NT objects have no GUID.
Microsoft exam objective: Create and configure a pristine environment.
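Added example (not from the book) to make the SID and sIDHistory points concrete. The first function decodes a SID from its binary form (revision, sub-authority count, 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities) and splits off the domain identifier and the RID; the second is a toy access check that treats a token the way Windows does, as the account's own SID plus every SID in its sIDHistory. All SIDs and ACL entries below are constructed for illustration, and the function names are mine.

```powershell
# Added example: decode a binary SID into domain identifier + RID, then show
# how sIDHistory affects an access check. All SIDs here are constructed.

function ConvertFrom-BinarySid {
    param([byte[]]$Bytes)
    $revision     = [int]$Bytes[0]
    $subAuthCount = [int]$Bytes[1]
    # Identifier authority: 48-bit big-endian integer in bytes 2..7
    $authority = [long]0
    for ($i = 2; $i -le 7; $i++) { $authority = ($authority -shl 8) -bor [long]$Bytes[$i] }
    # Sub-authorities: 32-bit little-endian integers starting at byte 8
    $subs = @()
    for ($i = 0; $i -lt $subAuthCount; $i++) {
        $subs += [BitConverter]::ToUInt32($Bytes, 8 + 4 * $i)
    }
    $prefix = "S-$revision-$authority"
    # For a domain account (S-1-5-21-a-b-c-RID) the last sub-authority is the
    # RID and everything before it is the domain identifier.
    [pscustomobject]@{
        Sid       = "$prefix-" + ($subs -join '-')
        DomainSid = "$prefix-" + ($subs[0..($subs.Count - 2)] -join '-')
        Rid       = $subs[-1]
    }
}

function Test-SidAccess {
    param([string[]]$TokenSids, [string[]]$AllowedSids)
    # Windows builds the token from the primary SID, group SIDs and every SID
    # in sIDHistory; an allow ACE that names any of them grants access.
    foreach ($sid in $TokenSids) { if ($AllowedSids -contains $sid) { return $true } }
    return $false
}

# Constructed: S-1-5-21-1000-2000-3000-1105 encoded as 24 bytes
$oldUserBytes = [byte[]](0x01, 0x05, 0, 0, 0, 0, 0, 0x05,
                         0xE8, 0x03, 0, 0,   0xD0, 0x07, 0, 0,
                         0xB8, 0x0B, 0, 0,   0x51, 0x04, 0, 0)
$oldUser = ConvertFrom-BinarySid $oldUserBytes

# The clone in the target domain gets a SID from the target's RID Master,
# and the migration tool records the old SID in sIDHistory.
$newUserSid = 'S-1-5-21-4000-5000-6000-1187'
$sidHistory = @($oldUser.Sid)
$token      = @($newUserSid) + $sidHistory

# A file server in the source domain still carries an ACE for the old SID.
$oldResourceAcl = @($oldUser.Sid)
Test-SidAccess -TokenSids $token -AllowedSids $oldResourceAcl

# Same rule, other direction: whatever lands in sIDHistory is trusted.
$oldDomainAdmins = "$($oldUser.DomainSid)-512"   # RID 512 is Domain Admins
Test-SidAccess -TokenSids @($newUserSid, $oldDomainAdmins) -AllowedSids @($oldDomainAdmins)
```

The second check illustrates the exposure the book mentions: a SID written into sIDHistory is honoured exactly like the account's primary SID, so whoever can write that attribute can claim the access of any SID in the source domain. That is why sIDHistory should only ever be populated by the migration tools, and why SID filtering on trusts with domains you do not fully control is worth enabling.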
When migrating from one forest to another, there are two main classes of objects we need to move: users and resources. The steps to migrate users are as follows: Create the pristine Windows 2000 forest. Create a new Windows 2000 forest using standard procedures. Make sure the new domain meets all current network requirements and future plans for functionality and expansion. You will create all domains needed and run all domains in native mode. Establish trusts to maintain resource access. Using either the Active Directory Migration Tool (ADMT) or NETDOM, find out what trusts currently exist between the target and source domains. Create trusts as necessary. The target and source domains should have a two-way trust established.
Migration tools, such as ADMT, NETDOM, and ClonePrincipal, are discussed in detail in Chapter 7, “Migrations Tools.”
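An added example (not from the book) for the trust audit step above, from the Windows 2000 side. Each trust a domain participates in is stored as a trustedDomain object under CN=System in the domain partition; the script reads those objects and reports the direction and type of each trust, flagging any partner that is not two-way. It assumes a domain-joined machine with ADSI available, and the function name is mine. Trusts that exist only on a Windows NT 4 domain are not visible this way, so check those with netdom trust or User Manager for Domains.

```powershell
# Added example: list this domain's trusts from its trustedDomain objects and
# warn about any partner that is not a two-way trust. Assumes a domain-joined
# machine. Attribute bit values are taken from the Active Directory schema:
#   trustDirection  1 = inbound, 2 = outbound, 3 = both
#   trustType       1 = down-level (NT 4), 2 = up-level (Windows 2000)
#   trustAttributes bit 0x1 = non-transitive

function Get-DomainTrusts {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $system  = [ADSI]"LDAP://CN=System,$([string]$rootDse.defaultNamingContext)"
    foreach ($child in $system.Children) {
        if ($child.SchemaClassName -ne 'trustedDomain') { continue }
        $direction  = [int]$child.trustDirection.Value
        $attributes = [int]$child.trustAttributes.Value   # missing on old trusts -> 0
        [pscustomobject]@{
            Partner    = [string]$child.trustPartner.Value
            Direction  = $(switch ($direction) {
                              1 { 'Inbound' } 2 { 'Outbound' } 3 { 'Two-way' } default { 'None' } })
            Type       = $(if ([int]$child.trustType.Value -eq 1) { 'Down-level (NT 4)' }
                           else { 'Up-level (Windows 2000)' })
            Transitive = (($attributes -band 1) -eq 0)
        }
    }
}

$trusts = Get-DomainTrusts
$trusts | Format-Table Partner, Direction, Type, Transitive -AutoSize
$trusts | Where-Object { $_.Direction -ne 'Two-way' } |
    ForEach-Object { Write-Warning "Trust with $($_.Partner) is $($_.Direction) only; migration needs two-way" }
```

A listing only tells you a trust is defined, not that it works; netdom trust with the /verify switch checks the secure channel to the partner, which is the test to run before cloning anything.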
Clone all source global groups in the target domain. Once the trusts have been established, clone all global groups. Global groups are where users get their resource access, so cloning them first lets you assign permissions in the new domain while maintaining access in the old one. You can clone groups using ADMT or ClonePrincipal. Identify and clone sets of users. Once the global groups have been cloned, you can start cloning users, again with ADMT or ClonePrincipal. Most of the time you will want to clone users in batches and test resource access in the new domain before migrating more; that surfaces resource access problems while the old domain is still there to fall back on. Decommission the source domain. After all users and groups have been cloned, the final task is to decommission the source domain: power off all BDCs, followed by the PDC. If these machines are to become Windows 2000 servers, install Windows 2000 now and run the Active Directory Installation Wizard as needed. Each step in the migration process should be tested. Both user logon and resource access should be tested in the new domain before the old domain is decommissioned. If errors occur at any stage, the old domain still exists and production work can continue. Migrating users is not the only process in migrating domains; we must also consider a process for migrating resources. In a domain model where resources are spread among multiple domains, trust relationships are required, and it can be difficult to locate the resource you're looking for. As part of the resource migration scenario, application servers will become member servers in the target domain. It is assumed that the application servers use shared local groups for resource access, and that the target domain may already contain member servers and workstations. The scenario is as follows: Establish required trusts from the target domain to account domains outside the forest.
This step assumes that the resource domains are migrating and that the accounts domain is not—at least not now. The point of
this step is to ensure that the accounts have access to the resource after it is moved. When dealing with multiple domains, the only way to accomplish this is through trusts. Clone all shared local groups. This will ensure that resource access is maintained while domain controllers and resources may be split. Demote application servers to member servers. Windows NT does not support the demotion of BDCs to member servers. The easiest way to accomplish this is to have previously upgraded the PDC of the resource domain. There are two approaches:
Upgrade the PDC of the resource domain to Windows 2000, and run the domain in mixed mode. Upgrade the desired BDC. During the Active Directory Installation Wizard, you will be given the choice of making the BDC a domain controller or a member server in the Windows 2000 domain. Choose member server, and your mission is accomplished.
Take a BDC offline and, with it isolated from the production network, promote it to PDC. Upgrade that machine to Windows 2000; the result is an offline copy of the domain running as its own mixed-mode Windows 2000 domain, while the production PDC is untouched. Once the original PDC has been upgraded or taken offline, run the Active Directory Installation Wizard on the copy to demote it to a member server, then join it to the target domain.
Move member servers and workstations. Simple enough—move member servers (including former BDCs) from the source domain to the target domain. Decommission the source domain. Finally, the old domain gets the boot. Remove all remaining BDCs first, then the PDC for the original domain. If desired, upgrade the machines to Windows 2000 as either member servers or domain controllers. Intra-forest Migration If a migration takes place between domains in the same Windows 2000 forest, it is an intra-forest migration. Since Windows NT domains cannot be members of a Windows 2000 forest, this migration type involves only Windows 2000.
Like inter-forest migrations, intra-forest migrations have advantages and disadvantages. This scenario is typically used after customers have upgraded their domains to Windows 2000 and now want to ease administration by consolidating where resources live. Advantages of intra-forest migrations include the following: Password preservation Windows 2000 can move a user's password along with the account when the move stays within one forest. If keeping passwords is a requirement, you must perform an intra-forest migration. GUID preservation An object moved intra-forest keeps its Globally Unique Identifier (GUID). This matters if you have applications that identify users by GUID. Like everything else, this type of migration is not for everyone. Disadvantages of intra-forest migrations include the following: Destructive operation An intra-forest move deletes the source object (its old SID is carried in sIDHistory, but the account no longer exists in the source domain). Staged or parallel migrations like those possible inter-forest are therefore not an option. Closed sets Because a global group can contain only principals from its own domain, a user must move together with every global group the user belongs to, and each of those groups with all of its members, which in turn drags in their other groups. The resulting closed set can easily be most of a domain, so in practice you often end up moving an entire domain at once. For all their faults, intra-forest migrations have their place. The most important reason to use one is that passwords need to be maintained, so as to avoid the exposure of issuing and distributing new ones. In that case, you may want to upgrade your Windows NT domains to Windows 2000 domains in the same forest, then perform an intra-forest migration to consolidate them. While this is more work, the security concern is real.
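Added example (not from the book) showing what a closed set actually is. Since a global group may contain only principals from its own domain, moving a user requires moving every global group the user is in, and moving a group requires moving every member, which in turn drags in their other groups. The function below walks that membership graph from a starting object until nothing new is reached. The membership table is constructed for illustration (in practice it comes from the member and memberOf attributes), and the function name is mine. Group nesting, which native mode allows, is covered by the same walk, since a nested group appears as a member like any user.

```powershell
# Added example: compute the closed set of users and global groups that must
# move together in an intra-forest migration. Membership data is constructed.

function Get-ClosedSet {
    param(
        [hashtable]$GroupMembers,   # global group -> array of members (users or groups)
        [string]$Start              # user or group to begin from
    )
    # Reverse index: member -> groups that contain it (what memberOf gives you)
    $memberOf = @{}
    foreach ($group in $GroupMembers.Keys) {
        foreach ($member in $GroupMembers[$group]) {
            if (-not $memberOf.ContainsKey($member)) { $memberOf[$member] = @() }
            $memberOf[$member] += $group
        }
    }

    # Breadth-first walk: a group pulls in its members, a member pulls in its groups
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($Start)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        if ($seen.ContainsKey($current)) { continue }
        $seen[$current] = $true
        if ($GroupMembers.ContainsKey($current)) {
            foreach ($m in $GroupMembers[$current]) { $queue.Enqueue($m) }
        }
        if ($memberOf.ContainsKey($current)) {
            foreach ($g in $memberOf[$current]) { $queue.Enqueue($g) }
        }
    }
    $seen.Keys | Sort-Object
}

# Constructed sample domain: three global groups, five users
$globalGroups = @{
    'G-Sales'   = @('alice', 'bob')
    'G-Support' = @('bob', 'carol')
    'G-Finance' = @('dave', 'erin')
}

Get-ClosedSet -GroupMembers $globalGroups -Start 'alice'
```

Starting from alice pulls in G-Sales, then bob, then G-Support and carol: bob's membership in both groups joins the two into one set that has to move as a unit. dave, erin and G-Finance are never reached and form a closed set of their own that could be moved separately. On a real domain, run the walk from each user not yet assigned to a set and you get the partition of the domain into independently movable batches.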
Selecting the Domains to Restructure Once you’ve decided what type of migration you will perform on your network, you must decide where to start. It is critical that you establish which domains you plan to restructure and the order in which they will be converted. If your current network is implemented as a single domain, then you have an easy job ahead of you. But consider a network that has more than
one domain, such as our example company, Coolcompany, with three different locations, each maintaining its own domain under NT 4. In this case, you will have to decide which domain will be the first to migrate.
Microsoft exam objective:
Plan migration.
Select domains and establish proper order for migrating them.
Select destination of migrated objects.
Plan for incremental object migrations as appropriate.
The selection of the first domain has some far-reaching implications for your Active Directory environment. Most important, this first domain will be the root of your forest, and all other domains will take their names relative to it. For example, if the root domain is coolcompany.local, the Boston location would likely be called boston.coolcompany.local. Do you feel a little like you're looking at a DNS naming scheme for these domains? You are: Active Directory bases its naming on the Domain Name System's namespace, and every domain needs a DNS zone that can hold the service (SRV) records its domain controllers register. A major consideration when choosing the root domain name is whether the resources will be reachable from the Internet. A name like coolcompany.local may reflect the company's name and image, but will the resources in that domain be reachable from the Internet? No. If you want network resources reachable from the Internet, you must choose a name under a top-level domain served by the Internet's root name servers, such as .com, .net or .org, and that name must be unique and registered: does someone already have coolcompany.com? If so, you must choose another. If you want to ensure that resources are not reachable from the Internet, a made-up extension such as .local (or .whateveryouwant) was the usual advice at the time this was written. One caveat from later experience: .local has since been reserved for multicast DNS (RFC 6762), and the common recommendation now is to use a registered name you own, typically a subdomain such as ad.coolcompany.com, which gives you a private namespace without inventing a suffix. It is also possible to host both internal and external names for the same network, for example coolcompany.local internally and coolcompany.com externally. This causes additional headaches, like requiring separate internal and external DNS instances and two e-mail addresses for users. Sticking with one name is good practice.
The first domain in your Active Directory network should be the root domain of your organization. All child domains and objects will take their names from the name of the root domain. If there is already a domain in your organization that would be a logical choice for this root domain, use it. In most companies, this would be the domain at the company’s headquarters. But what if the three domains in Coolcompany’s network are all fairly autonomous? If they maintain their own administration and operate separately from one another, you may be stepping into a complex political situation trying to decide which domain will be the root. In a case where there are several equally valid choices for the root domain, it may be politically safer (and wiser) to create a new empty domain for the sole purpose of hosting the root of the forest. Figure 2.4 shows a possible migration path for Coolcompany in a scenario like this. In this scenario, the network designer has chosen to create a new root domain and make the Seattle, Dallas, and Boston domains child domains of that new root. This way the domains are all equal in their roles, and no feelings get bruised.
FIGURE 2.4 Migrating Coolcompany to a forest with a new root domain [figure: the Existing Network consists of three separate domains, Seattle, Dallas, and Boston; the Parallel Network has a new root, Coolcompany.local, with Seattle, Dallas, and Boston as its child domains]
Now, in more traditional NT domain models, the migration is more clear-cut. Of course, the easiest by far is the single domain model, as you would simply upgrade your domain controllers to Windows 2000 in mixed mode. Once everything is running smoothly on Windows 2000, convert the domain over to native mode and enjoy the full benefits of Active Directory. To migrate a Single Master Domain model to Active Directory, you would typically want to use the master domain as the root domain for the tree and use the resource domains as the child domains. Figure 2.5 shows how this might be accomplished. An alternative is to migrate the master domain first as the root domain and consolidate the resource domains into the new root. If resources still need to be controlled by local administrators, migrate the resource domains as their own OUs within the new domain, and delegate control to the appropriate people.
FIGURE 2.5 Migrating a Single Master Domain model to Active Directory [figure: the Account Domain becomes the Root Domain; Resource Domain 1 and Resource Domain 2 become Child Domains beneath it]
Migrating a Multiple Master Domain model can be somewhat more complicated. In this model, there are two or more master account domains and multiple resource domains. You have some alternatives here. First, you could use the master domains as roots of their own trees and combine them into a single forest, as shown in Figure 2.6.
FIGURE 2.6 Migrating a Multiple Master Domain model to a single forest with multiple trees [figure: master domains MAD1 and MAD2, each with resource domains R1, R2, and R3, become the roots of two trees in one Forest, each tree keeping R1, R2, and R3 beneath its root]
Another option is to create a new domain to be the root and add the master domains and their resource domains as child domains beneath the new root. Figure 2.7 shows this option.
FIGURE 2.7 Creating a new root domain to migrate a Multiple Master Domain model [figure: a new Root domain with MAD1 and MAD2 as child domains, each keeping its resource domains R1, R2, and R3 beneath it]
The other options involve combining domains. One such choice would be to combine the master domains into one root domain containing the users and upgrade the resource domains as child domains. Another choice would be to upgrade all domains into one domain, with the old resource domains as OUs in the domain. As you can see, with the Multiple Master Domain model, the choices are almost limitless. The best decision will be based on the needs (political and technological) of the company.
On the exam, the case study questions will often present you with choices for which domain should be upgraded first and which domains can have a partial or incremental upgrade. When there is a clear choice for the root domain of the new structure, the choice is easy. But many of the questions aren’t so clear. For these other questions, you must consider the information you have been given as part of the case study. What are the company’s priorities for the migration? Pay particular attention to the information about which computers and/or domains cannot tolerate any disruption. This will guide you in your decisions.
If a domain can be upgraded incrementally, this will give you a more structured approach to the migration. You can begin with the domain controllers and immediately switch the domain to Active Directory and native-mode operations. Then you can follow by upgrading the member servers and finally the clients. Incremental domain upgrades are more useful in situations where the servers cannot tolerate very much time offline. This approach gives you the ability to upgrade the domain controllers and the clients without touching the member servers providing line of business (LOB) applications. Your priority for the specific order of machines to upgrade will depend on the business goals of the migration. The only real requirement for upgrading a domain is that the domain controllers be upgraded. The other computers can easily be a mixture of Windows 2000 and Windows 9x or NT.
Last tip: When designing a new domain structure, keep the number of parent and child domains to a minimum if possible. You could create a root domain, a child for the physical location, a child for the building, a child for the department, and so on. However, object names start getting ridiculous. Imagine locating an object with the unique name of jsmith.marketing.bldg25.boston.coolcompany.local. Keep things simpler than that. Keep your life easier than that.
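As an added planning helper (not code from the book), the following Python model applies the rules laid out above: child domains take their names relative to the root, absorbed domains become OUs, every tree in a plan shares one forest, the Schema and Domain Naming Masters are forest-wide while the RID, PDC Emulator and Infrastructure Masters exist once per domain, and a name is resolvable from the Internet only beneath a name the company has registered. All domain names, registered names and the depth threshold in it are constructed sample values.

```python
"""Model a planned Active Directory structure: resulting DNS names, trees,
Operations Master counts and whether a name is reachable from the Internet.
Added example, not code from the book; every name in it is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Domain:
    name: str                      # DNS label; a root may carry its full name
    parent: Optional[str] = None   # None -> root of a tree; else the parent's name
    absorbed: bool = False         # True -> folded into the parent domain as an OU


class MigrationPlan:
    def __init__(self, domains: list[Domain], registered: set[str]) -> None:
        if bad := self.problems(domains):
            raise ValueError("; ".join(bad))
        self.domains = {d.name: d for d in domains}
        self.registered = {r.lower().rstrip(".") for r in registered}

    @staticmethod
    def problems(domains: list[Domain]) -> list[str]:
        """Structural errors in a proposed plan; an empty list means consistent."""
        by_name = {d.name: d for d in domains}
        out: list[str] = []
        for d in domains:
            if d.parent is None and d.absorbed:
                out.append(f"{d.name}: a root cannot be absorbed")
            elif d.parent is not None and d.parent not in by_name:
                out.append(f"{d.name}: unknown parent {d.parent}")
            elif d.parent is not None and by_name[d.parent].absorbed:
                out.append(f"{d.name}: parent {d.parent} is absorbed (an OU)")
        seen: set[str] = set()
        for d in domains:                  # walk each chain to its root to catch cycles
            chain, cur = set(), d
            while cur.name not in seen and cur.parent in by_name:
                if cur.name in chain:
                    out.append(f"cycle through {cur.name}")
                    break
                chain.add(cur.name)
                cur = by_name[cur.parent]
            seen |= chain
        return out

    def fqdn(self, name: str) -> str:
        """A surviving domain's DNS name: its label, then its parent's name, up to the root."""
        d = self.domains[name]
        if d.absorbed:
            raise ValueError(f"{name} is absorbed into {d.parent}; it has no domain name")
        return d.name if d.parent is None else f"{d.name}.{self.fqdn(d.parent)}"

    def ou_path(self, name: str) -> str:
        """Where an absorbed domain lands: an OU inside its surviving parent."""
        d = self.domains[name]
        if not d.absorbed:
            raise ValueError(f"{name} stays a domain")
        return f"OU={d.name} in {self.fqdn(d.parent)}"

    def surviving_domains(self) -> list[str]:
        return sorted(self.fqdn(n) for n, d in self.domains.items() if not d.absorbed)

    def trees(self) -> list[str]:
        """One tree per root domain; all trees in the plan share a single forest."""
        return sorted(d.name for d in self.domains.values() if d.parent is None)

    def fsmo_roles(self) -> dict[str, int]:
        """Forest-wide: Schema and Domain Naming Masters; per domain: RID, PDC Emulator, Infrastructure."""
        n = len(self.surviving_domains())
        forest = 1 if n else 0
        return {"Schema Master": forest, "Domain Naming Master": forest,
                "RID Master": n, "PDC Emulator": n, "Infrastructure Master": n}

    def internet_reachable(self, host: str) -> bool:
        """Resolvable from the Internet only beneath a registered name (coolcompany.local.com needs local.com)."""
        h = host.lower().rstrip(".")
        return any(h == r or h.endswith("." + r) for r in self.registered)

    def too_deep(self, host: str, max_labels: int = 4) -> bool:
        """Flag names like jsmith.marketing.bldg25.boston.coolcompany.local (threshold is constructed)."""
        return host.count(".") + 1 > max_labels


def smartsoft_plan() -> MigrationPlan:
    """Constructed plan mirroring the case study answer: two trees (one per product
    line), R&D kept as a child domain, Acct and Sales absorbed as OUs. NT domain
    names must be unique, hence the -av / -bw suffixes."""
    domains = []
    for tag, root in (("av", "ssantivirus.com"), ("bw", "ssbrickwall.com")):
        domains += [Domain(root), Domain(f"rd-{tag}", root),
                    Domain(f"acct-{tag}", root, absorbed=True),
                    Domain(f"sales-{tag}", root, absorbed=True)]
    return MigrationPlan(domains, {"ssantivirus.com", "ssbrickwall.com"})


def coolcompany_plan() -> MigrationPlan:
    """Constructed plan: a new empty root with the three locations as child domains."""
    root = "coolcompany.local"
    return MigrationPlan([Domain(root)] + [Domain(c, root) for c in ("seattle", "dallas", "boston")],
                         registered={"coolcompany.com"})
```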
Implementing Organizational Units
Organizational units (OUs) are valuable in network design planning. They allow you to create structure within a domain and map your company’s logical network to mirror its physical structure. This enables you to delegate control over smaller sections of your network, like departments, and distribute the administrative burden. One of the buzzwords you’ll come to recognize for Windows 2000 is granularity, which basically means that you can break down a process into as many segments as needed or review something in the most minute detail to ensure clarity and understanding on the user’s part. Windows 2000 enables you (the administrator) to get as granular as you want with permissions and rights. In the case of OUs, you can designate a user to be a local administrator for their department, giving them full control of their OU, but control of nothing beyond that OU.
This brings up what I think is an interesting point in domain planning. Remember that example earlier of Coolcompany’s issue with three physical locations and three separate domains? Using OUs, you could consolidate the entire network into one single domain with Active Directory, then implement an OU for each physical location. Delegate administrative rights and permissions to the local administrator team at each location, and you have the best of all worlds! These local admins can now administer everything in their location, but you still retain centralized administration over the entire network using the Enterprise Admins group at the domain level.
OUs can be used in many ways, from departments to physical locations. The right way will be different for every network you plan. I’ve found that a solid approach to this process is to decide whether the administration will be centralized or distributed. This decision will be the basis for inheritance. Inheritance refers to the flow of permissions and rights down from the root through all OUs and child domains. The default configuration allows inheritance to flow downward from parent structures to all child containers and objects.
If you decide to centralize your administration, you will have very little left to do because the default provides centralized administration. But if you decide that you want to distribute all or part of the administrative load, you will need to configure some OUs or child domains to block inheritance from the root. Of course, the built-in administrators group for the domain can override the authority of an OU’s administrator, and an enterprise administrator can override the authority of any down-level administrator. Three basic tools control the administration of an object in Active Directory:
Delegation of Control Wizard This wizard walks you through the necessary steps in delegating the administrative control of an object. Here, object indicates a container in Active Directory such as an OU, or it could be a printer, user, or group.
Security tab of an object’s Properties sheet On the Security tab of almost any object’s Properties sheet, you will find the access to the object’s permissions that you need in order to restrict or grant access to that object.
Dsacls.exe This Resource Kit utility gives you control of an Active Directory object’s Access Control List (ACL) from the command prompt. The utility has the ability to manage the ACLs of any object or branch of the Active Directory tree.
Used together, these tools will grant you all the granular control you need. See? There’s that buzzword again, but it’s true. Windows 2000 does give you very granular control of all of its objects, both local to the computer and across the network.
Take about 10 minutes to look over the information presented and then answer the questions at the end. In the testing room, you will have a limited amount of time; it is important that you learn to pick out the important information and ignore the “fluff.”
Background
SmartSoft, Inc. has decided to upgrade their Windows NT 4.0 network to Windows 2000. You have been hired to design the domain structure of the new Active Directory environment. SmartSoft, Inc. has two major divisions: one that sells server-based anti-virus software and another that sells server-based firewall software. Both product lines have an established Internet presence on individual Web sites and have developed good reputations in their market segment. Your research includes the following interview comments:
Director of IT Services
We are set up in a traditional NT Multiple Master Domain model. We have two master domains, one for each of our product lines, and a series of resource domains, each dedicated to one of the masters. We have about 1500 users in each master domain.
Director of Marketing
Each of our two main products, SS AntiVirus and SS BrickWall, has its own Web site. We do most of our customer support through those Web sites. We have also spent the money needed to ensure that our names come up first on many Web search engines.
Director of Research and Development
Because we have a constantly changing environment (due to test servers going up and down) and a need for high security, we manage our own resources here in R&D. We would like to continue to be a part of, but not controlled by, the central IS department in both product lines.
Questions
1. Which of the following will best support the needs of the Research and Development department?
A. Roll the R&D domains into their parent domains and mix the resources with all of the other domains’ resources. Use Windows 2000 and AD security to protect confidential information.
B. Roll the R&D domains into their parent domains. Place the R&D resources in a separate OU to enhance security.
C. Keep the R&D domains as child domains. Give the R&D personnel administrative privileges in their domain.
D. Do not upgrade the R&D domains to Windows 2000. Make their IT personnel responsible for securing their environment.
2. Which of the following is the best migration strategy for SmartSoft, Inc.?
A. Create a new Windows 2000 domain named SmartSoft.com, and place the two master domains under it as child domains. Maintain the same resource domains, with the same relationship to their parent domains.
B. Maintain the same domain structure, making one of the two master domains the new root domain.
C. Make each of the master domains the root of a new AD tree. Tie them together in a single forest. Maintain all of the resource domains without change.
D. Create one new Windows 2000 domain named SmartSoft.com,
3. Drop and connect: The following graphic shows the current Windows NT 4.0 domain and trust structure. For each domain, decide if it will be a root domain, be a child domain, or be absorbed into its parent during the migration.
[Graphic: the drag-and-drop labels are Root Domain and Child Domain; the first domain shown is Anti Virus]
CASE STUDY ANSWERS
Chapter 2
Planning for Active Directory
Answers
1. C. An argument could be made for answer B, but the best security will be to keep the R&D resources in a separate Windows 2000 domain within the SmartSoft forest.
2. C. Since each of the two product lines (AntiVirus and BrickWall) has an established presence on the Internet, you will want to maintain two separate namespaces. All names start with the root domain, so you will need two trees (and two root domains) in this environment.
3. The completed graphic:
Anti Virus: Root Domain (Acct: Absorbed; R&D: Child; Sales: Absorbed)
Brick Wall: Root Domain (Acct: Absorbed; R&D: Child; Sales: Absorbed)
Given the need to maintain two namespaces, SmartSoft will require two AD trees in a forest configuration. Since each tree supports only 1500 users, many of the existing domains will not be necessary after the migration. The only exception is the R&D domains, which will remain to enhance security.
In this chapter, you learned how to choose the type of migration, including upgrades, restructures, inter-forest restructures, and intra-forest restructures. You saw how to plan the domain restructure, from selecting the domain to be migrated first to knowing when to use an incremental migration. We discussed the basics of Active Directory and showed how this will relate to your planning for organizational units. You can expect to see this material on the exam, so you should pay special attention to the different migration scenarios and strategies.
Key Terms
Before you take the exam, be sure you are familiar with the following terms:
attributes
child
container objects
forest
granularity
inheritance
multiple master replication
organizational unit (OU)
schema
Review Questions
1. You have been asked to plan the migration from NT 4 to Windows 2000 for your company’s network. There are three domains in a complete trust model. Which model(s) could you use for the target domain structure?
A. Build a complete trust model using three domains.
B. Create a single tree with one domain as the root and the other two as child domains.
C. Create three trees in a single forest.
D. Create a new empty domain to be the root of the forest, then add the three existing domains as child domains of the root.
2. Which one of the FSMO roles is responsible for modifying the structure of the data contained within the Active Directory?
A. The Domain Operations Master
B. The RID Master
C. The Key Master
D. The Schema Master
3. What type of migration would include upgrading the domain controllers to Windows 2000 and then moving them to new domains within Active Directory?
A. Restructure Windows 2000 to Windows 2000
B. Upgrade and restructure
C. You can’t do that without formatting and reinstalling.
D. Restructure NT to Windows 2000
4. You have been tasked with planning your company’s migration to Windows 2000. Your network currently has a Multiple Master Domain model. There are nine master domains and twelve resource domains. How many forests must you create to hold this organization?
A. Nine
B. One
C. Twenty-one
D. Two
5. Which wizard will assist you in decentralizing your network administration by giving control of an OU to another administrator?
A. Delegation of Control Wizard
B. Decentralization Wizard
C. ADMT
D. Dsacls.exe
6. You are planning the migration of your network from NT 4 to Windows 2000. Your company has only one physical location, but there are seven different departments that insist on keeping their own administration. How can you provide this while still maintaining some control over the entire organization?
A. Create seven different domains and establish a complete trust model.
B. Create a single Windows 2000 domain and use an OU for each of the seven departments. Delegate control of the OUs to a member of each department.
C. You can’t do this with Windows 2000; you should leave them on NT 4.
D. Create a separate tree for each department.
7. You have recently migrated to Active Directory in your network. You have noticed that browsing the Directory for servers is a bit slow across your WAN links. What type of server should you create to help with this problem?
A. Primary domain controller
B. RID Master
C. Global Catalog Server
D. Backup domain controller
8. You are migrating your network to Windows 2000 and have successfully upgraded all of your domain controllers in each domain to Windows 2000. Now you are reorganizing the domains into a more logical Active Directory structure. What type of migration does this represent?
A. Upgrade and restructure
B. Inter-forest restructure
C. Intra-forest restructure
D. Restructure NT to Windows 2000
9. Which Operations Master role is responsible for adding new domains to the Active Directory forest?
A. Schema Master
B. RID Master
C. PDC Emulator Master
D. Domain Naming Master
10. You are designing a migration plan for a Windows NT Master Domain model network. The network has three resource domains: Acct, Sales, and Eng. Corp is the accounts domain. All domains have approximately the same number of client computers. The Eng domain contains the company’s research database hosted on a SQL server. Which resource domain should you upgrade first?
A. Corp
B. Eng
C. Sales
D. Acct
11. Your Windows NT network is going to be upgraded to Windows 2000. You currently have two domains, and there is a two-way trust established between them. Management’s primary concern during the migration is security. After the migration is complete, there will be only one domain. How should you migrate the network?
A. Combine the NT domains using the NT Resource Kit. After they are combined, perform a Windows 2000 upgrade.
B. Upgrade the existing domains to Windows 2000 domains in different forests. Use an inter-forest migration to consolidate the domains.
C. Upgrade the existing domains to Windows 2000 domains in the same forest. Use an intra-forest migration to consolidate the domains.
D. Upgrade the existing domains to Windows 2000 domains in the same forest. Use an inter-forest migration to consolidate the domains.
12. Which Operations Master role is required in mixed-mode Windows 2000 domains?
A. Schema Master
B. RID Master
C. PDC Emulator Master
D. Domain Naming Master
13. What types of migration are best suited for networks in which a back-out plan is necessary in case the migration fails?
A. Upgrade
B. Restructure
C. Inter-forest migration
D. Intra-forest migration
14. You are migrating your Windows NT Multiple Master Domain model to Windows 2000. It is decided that there will be five domains once the migration is complete. In this new structure, how many Infrastructure Master servers will be on the network?
A. One
B. Five
C. Ten
D. Cannot be determined
15. Your Windows NT domain was just upgraded to Windows 2000. Originally, it was decided that resources would not be available on the Internet. Management recently changed their minds, and now resources must be publicly available. The current domain is named coolcompany.local. One administrator suggests changing the name to coolcompany.local.com. What do you say?
A. Sure! Make the change.
B. That will work, but we need to change our DNS servers.
C. That will work, but we need to change our DNS servers and update all machines on our network with the new domain name.
D. That will not work.
16. Your company is upgrading its network and wants to host the company Web site from the corporate location. Much discussion has been made about what to call the new domain. You have the registered Internet name of coolcompany.com. Which of the following names are valid for your company’s Web server on the Internet?
A. www.coolcompany.local
B. today.coolcompany.com
C. www.products.coolcompany.com
D. www.coolcompany.local.com
17. Which Operations Master role is responsible for ensuring that all objects within a domain are properly identified with a unique identifier number?
A. Schema Master
B. RID Master
C. Domain Naming Master
D. PDC Emulator Master
18. How many domains are required to create a forest?
A. Zero
B. One
C. Two
D. More than two
19. How many root domains should you have in a forest?
A. One
B. Two
C. Three
D. Cannot determine
20. You are restructuring and upgrading your Windows NT Master Domain model network to Windows 2000. Currently, your network has five domains: one master domain and four resource domains. All employees work at the central office in Nashville. When trying to determine an appropriate model for your network, you must take the following into consideration: You need to have overriding administrative control over the whole network, administrators for each department need to be able to create users and administrate resources, and certain security settings will apply to all users. Which structure would be best for your network?
A. Create a new forest, with Nashville as the root domain. Create child domains for each department. Assign administrators from each department to the Domain Admins group for their respective areas.
B. Create a new forest for each department, with Nashville as the root forest. Assign administrators from each department to the Enterprise Admins group for their respective areas.
C. Create a single domain. Place all users and resources in the domain. Delegate control of users and resources to the specific administrators who need the control. Allow administrators to create objects within Active Directory.
D. Create a single domain. Create organizational units for each department within the domain. Place all users and resources within the proper OU. Delegate control of the OUs to the proper administrators.
Answers to Review Questions
1. B, C, D. Any of these three methods could be used. You could establish a new tree for each of the domains, and if they are in the same forest, users will still be able to communicate. The best model would be either B or D. The simplest method would be to pick one domain to be the root as in answer B. Answer D would be a good solution in a politically sensitive situation, where choosing a root domain would be difficult.
2. D. The schema for Active Directory defines the structure of the data stored within the Directory. If you wanted to change the definition of an object, or add another type of attribute to an object, you would use the Schema Master to modify the schema for the entire forest.
3. B. An upgrade-and-restructure migration would require that you upgrade the domain controllers to Windows 2000 and then move them to new domains or OUs within the forest.
4. B. You would need to create only one forest to hold this entire organization. The master domains could become child domains of a new root domain, or they could each become the root of a separate tree. But there would still be one forest.
5. A. The Delegation of Control Wizard can be used to delegate administrative rights to a user or group account.
6. B. Creating OUs for the departments would be the easiest approach since only one domain would be required. You could use answer D, but that would be unnecessarily complicated and might make it more difficult to centrally administer the entire network.
7. C. The Global Catalog Server maintains a copy of the Directory that has a subset of attributes for every object in the entire Directory. This catalog is used when browsing the Directory for resources. Creating another Global Catalog Server would help clients to find the resources without having to cross the WAN link to find another Global Catalog Server.
8. A or C. A would be the best answer here, since the upgrade-and-restructure migration requires that you upgrade existing domains to Windows 2000, then restructure them into Active Directory. Answer C is also correct but would require the additional step of converting the new Windows 2000 domains to native mode prior to restructuring.
9. D. When domains are added to a forest, the Domain Naming Master is consulted to make sure the proposed name is unique within the forest.
10. B. The Corp domain should be upgraded first, but that’s not what the question asked. Among the resource domains, the only one that stands out is the Eng domain because it is hosting a database. Since the database is probably mission-critical, its resource domain should be upgraded first.
11. C. The only way to preserve password information when performing a Windows 2000 migration is to use an intra-forest migration. Inter-forest migrations do not provide password-replication services. Intra-forest migrations imply that all domains are part of the same forest.
12. C. The PDC Emulator Master is required in mixed-mode domains to serve as a PDC to Windows NT domain controllers and act as a possible authentication server for clients in the domain.
13. A and C. In an upgrade, you upgrade the PDC first. If there are problems, you should have a BDC in the old domain, which you can promote to a PDC. Inter-forest migrations allow you to set up a parallel network, leaving the existing structure in place in the event of a failure.
14. B. There will be one Infrastructure Master per domain. Since there will be five domains, this means five servers will play this role.
15. D. That will not work unless you own the registered Internet name local.com. Chances are, that name is already taken. You might want to see if coolcompany.com is taken, and if not, grab it. This change will involve more re-installation. Management should have planned this better.
16. B and C. Only the names with coolcompany.com at the end are valid for your company on the Internet. Anything with a .local extension is valid for DNS servers, but DNS servers on the Internet are not configured to search for .local names. The last one is invalid because of how the name is structured: it would require you to have the name local.com reserved on the Internet as well.
17. B. The Relative Identifier (RID) Master dispenses unique identifiers for all objects created within its own domain. It then ensures that all domain controllers are aware of the objects and their corresponding identifiers.
18. B. When you create the first domain in a Windows 2000 network, you automatically create a tree and a forest as well. Even though forests are typically considered as having multiple trees (domains with a contiguous namespace), one domain (and one tree) is still a forest.
19. A. A forest will always have one domain that is considered the root domain of the forest. While other domains may have been roots of their respective trees before joining the forest, there will still be only one forest root.
20. D. There are a few points that make the decision of a single domain clear. First, you need to maintain administrative control. While this is possible in a forest, it’s best to leave it as a single domain. Second, all users will need to be affected by the same policy settings. This is also most easily accomplished by creating a single domain and then applying Group Policy to the domain. Local administrators can still create users and manage resources within OUs if you delegate control to them in the OU.
Preparing for the Migration
MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Plan migration.
Develop a pilot migration strategy.
Install the Windows 2000 DNS service or configure the existing DNS implementation as appropriate.
Develop and deploy a recovery plan.
Consider implications for Security Account Manager (SAM), WINS, DHCP, Windows 2000 DNS Server service, and existing DNS service.
Perform test deployments of domain upgrades.
Perform post-migration tasks.
Verify functionality of network services.
In the last couple of chapters, you learned how to plan for your migration. Now you will see some of the things you will need to consider when preparing for the migration. Do you feel like we’re spending a lot of time talking about planning? Do you think that might indicate that planning is very important for the success of a migration to Windows 2000? You’re right on both counts. Your success in the planning phases will determine your success in the actual migration. Now we’re going to learn about the things to do to get your systems and network ready for the migration.
In this chapter, you will learn how to prepare for a migration. In the first portion of the chapter, you’ll learn how to create a test strategy to aid in your planning and then execute a pilot migration to see if your plan works on a small scale. Then you’ll learn how to take steps to prepare your network for readiness remediation. In the second portion of the chapter, you will learn how to install or upgrade the Domain Name System (DNS) service in your network. We’ll talk about why this service is so vital to the success of your Windows 2000 network. In the last section of the chapter, you will explore the steps necessary to protect your network in case things go wrong with the rollout. How will you restore the network services? How will you restore the accounts to working order so that your users can log on to the network and continue with their lives?
Okay, this is where we get down to business with the migration…almost. You still need to plan for getting your network ready for the actual rollout of Windows 2000 by performing a series of pre-migration steps. These steps range from setting up a test lab to see if your setup procedures will really work to planning for restoring your current network services if the migration needs to be rolled back for any reason. I will admit to being a flying-by-the-seat-of-the-pants type when it comes to installing software on my own computers, but when performing upgrades for clients I am very cautious and ever aware that they depend on these systems to do their jobs.
Microsoft exam objective:
Plan migration.
I suggest a two-phase approach to pre-migration strategy: preparation and recovery planning. In the preparation phase, you would create a test environment to simulate your deployment of Windows 2000 and to test the configurations necessary to support your individual network’s needs. In the second phase, you will take steps to create backups of network service information and user accounts, so the environment can be re-created with a minimum of disruption to your users.
Creating a Test Environment
A test environment is something you may already have if you push any software out to users on your network. After all, deploying applications is very much like deploying an operating system. They’re only different in scale. If you don’t currently have a test lab, you should set one up if at all possible. This doesn’t have to be elaborate; just three to five computers that are capable of running the versions of software you plan to deploy should do it in most cases. I always prefer to use computers just like the servers that I’m going to deploy on to test for hardware issues as well as anticipated software problems.
Microsoft exam objective:
Plan migration.
Develop a pilot migration strategy.
Even though you can get by with just a few computers for testing, there are some guidelines to keep in mind:
Complexity of the planned deployment
Your available budget
What kind of physical space is available for the test lab
Structure of your team, number of testers, and their locations
Services and components that you will be testing
Whether the test lab will be used after the deployment is complete
Other points to consider will reflect the nature of the testing, such as network cabling to be used, routers, and similarity of the test equipment to the planned production equipment. As I said earlier, it is a good idea to use the new production servers for the test phase if it is practical. In many cases, you will be purchasing new servers for the migration, and a small number of them can be purchased early to use for the testing. Remember that you have to walk a fine line when planning the test environment. You need to allocate enough resources to get an accurate view of the deployment, yet you don’t want to spend so much money that the entire project appears too costly to pursue. A software test lab is often viewed as a risk-management facility, that is, it can often identify the problems in a plan when there is still plenty of time to find a solution. Using a test lab to proactively identify the sources of potential issues means that you can also experiment with different solutions and test their effectiveness before the time becomes too short during the deployment. The lab is the proper place to design your recovery process and to test that recovery plan to verify that it will work before you actually need it.
The test lab is also a good place for your IT staff to learn about Windows 2000 and to practice new skills that will be needed during and after the deployment. This phase will often show weak points in your deployment plan and give you an opportunity to refine the plan. Remember that one of your primary goals is to cause the least amount of disruption to the existing network environment while migrating to Windows 2000. If your testing reveals weaknesses in the migration plan, take the time to reexamine the plan, taking the new information into account. For example, you may find that your plan fails to consider resource access. This would be a good time to develop some alternative ideas to correct the situation.

EXERCISE 3.1 Designing a Test Lab

The process of building a test lab is fairly complex, but planning will make the process manageable. Use these steps as a guideline when designing your test lab:
1. Select a test lab strategy. Decide early on in this process whether you will be keeping this lab for use after the migration, or if this is meant to be a temporary lab to test this deployment only.
2. Obtain necessary approval and funding. Get the buy-in of your superiors along with the visible transfer of power that comes from a public announcement by the superiors that you are in charge of the project. This approval eliminates later problems.
3. Create a temporary lab. This temporary setup will help you to do the necessary planning and design for the real test lab.
4. Determine the supported software and hardware. Spend some time examining the compatibility lists for software and hardware on Windows 2000 to help you select the appropriate configurations.
5. Plan the logical design. Decide what the domain structure will look like in the lab, then decide which network services you will run.
6. Plan the physical design. Decide what the physical network layout will be. This design should include any new technologies your network might be adopting as part of the migration.
7. Document your planned design. Create a document that describes the process of building the lab, the parts involved, the people involved, and the estimated time needed to complete the construction of the lab.
8. Acquire the pieces. Gather all of the needed hardware, software, and people resources you will need to assemble the lab.
9. Build and test the physical network. This step includes everything needed to lay out the network, from running cable to connecting hubs and routers. Remember to thoroughly test the network with known good equipment to ensure that it works correctly before proceeding.
10. Build the servers. It was a surprise to me when I worked in my first data center that brand-new servers need to be assembled. Having only really worked with desktop or portable computers prior to that job, I expected that the new server would come out of the box ready to plug in and turn on. Not so! Servers usually need to have their components installed and tested before they can be put into service. This is also a great time to install the operating system and other necessary software.
11. Build the client computers. These may or may not need to be assembled, but you will need to get them into place and properly connected. Make certain that they have the correct software installed to represent your real environment.
12. Test the lab. This is my favorite part, playing with the new equipment. But seriously, try to test as much as possible the connectivity between the clients and the servers. Determine whether or not this lab now represents the real environment accurately. If not, what needs to be changed? If you have completed these steps successfully, then you can congratulate yourself! Your lab is complete!
The testing itself is another area where you can spend a lot of time planning how things will work. Create test plans for each phase of your migration separately, then in combination. As the plans gain in complexity, they should approach the reality of the migration. That is, when you are at the end of your testing phase, you should be running a full simulation of the deployment in the test lab.

EXERCISE 3.2 Planning a Test Scenario

Your company has four domains in a master domain model. You are in charge of planning the migration to Windows 2000 for the entire domain model. You have created a vision plan for the migration that states the following points:
The migration must yield the benefits of Windows 2000 and Active Directory as soon as possible.
There must be no disruption of daily business due to the migration.
The migration will include an upgrade to the existing network from 10BaseT to 100BaseT.
With these points in mind, what can you determine about the test lab that would be necessary for this migration plan?
1. What will you need to provide for the physical network?
2. What is the minimum number of servers you will need to provide?
3. How many client computers should you provide?
In Exercise 3.1, I mentioned the need for a temporary lab. This is really to provide you with as much time as possible to begin learning the new skills that relate to Windows 2000 and Active Directory. If your testing strategy calls for designing a lab that will become a permanent fixture in your network environment, then the temporary lab will just be enough to get you started with the learning phase while you are selecting and ordering the equipment that will be used for the real lab. An interim lab could easily consist of one to three servers and a couple of client computers to test the network services. This equipment would be enough to establish some basic information that will shape your approach to later testing.
Justifying the Lab

So how do you plan to explain the need for this lab to your project sponsor? If you could simply tell him or her that this book recommends a test lab and get the money, I might want to accept a job with your company. Most managers will need to carefully examine your business case for the test lab before committing themselves to the budget to fund your little kingdom. This is where thoughts of return on investment will pay off. You need to develop a business case document that explains how a proper test environment can detect flaws in a migration plan that would otherwise not be found until it was too late to prevent them. When these issues arise, they can cause severe delays in the migration, along with all of the costs accompanying those delays. Having a test lab means that you have the opportunity to test each step of the deployment plan. The more complete the test environment, the better the job it will do in enabling you to test your plans. When the costs of the lab are compared to the potential costs over time of additional support and administrative overhead, the lab should look like a good investment. You can also point out that an economy of scale might be possible by incorporating the test lab space into a single lab facility. There are likely other projects in your company that would benefit from a test environment. If you can build a lab that is adequate for everyone’s needs, you may be able to save the company money.
Life Span of a Test Lab

Your test lab may only be used for this migration, but even so it will be used in nearly every phase. However, it may be used for other areas besides the migration itself. Let’s look at some possibilities:

Initial Windows 2000 training: This may be an organized training presentation for key staff or simply an opportunity for self-study.
Evaluating new features and technologies: Reading about the new products in Windows 2000 is one thing, but to really understand how these new features will help your environment, you will need some hands-on time with the products.
Prototyping your deployment: As you build your migration plan, test the individual steps to reveal potential issues.
Testing network compatibility: Test your network services and applications to decide how well they’ll be supported on Windows 2000.
Testing the deployment tools: Get some experience with the deployment tools prior to using them in the production environment.
Testing your rollout procedure: As you build your detailed plan for deploying Windows 2000, try it out in the lab to be certain it works as planned.
Testing your support procedures: Don’t be one of those people who think about the support personnel only after the deployment is complete. Many organizations do, and their only solution then is to hand the help desk staff an instruction manual and tell them the phone is already ringing. Train the help desk staff ahead of time, and let them use the lab for additional experience before the migration.
Analyzing any problems and finding solutions: Your testing will no doubt reveal some potential issues, which gives you the opportunity to find the solutions as well. Use it wisely.

A test lab may have a very long life span. Many companies maintain a test lab for the purpose of testing new software and hardware configurations even when they aren’t going through a migration.
Change Management and the Test Lab

For a network infrastructure to be successful, someone must manage the effects of change in the organization. Change management is often overlooked in many IT organizations, but it is a vital part of a successful operation. I have had personal experience watching unmanaged changes being applied to a production server and then seeing that server go down because the person making the change didn’t know about some other conflicting detail. The problem can be software-related, often because of the content being loaded onto a server, or it can be hardware-related. For an environment to be truly stable over a long period of time, there must be a procedure for monitoring what changes are being made to the server configurations and testing these changes for their real impact on the server before they enter the production network.

I’ll give you one of the hard truths I’ve learned in data center management: The more people who have access to the servers, the less reliable those servers will be. I recently had the good fortune to manage a residency-training program hosted in a very large data center. Through the course of my program, I heard many examples of this situation. Software developers or content developers would load new content onto a production server (because they could), and this new content caused the server to crash. It really becomes ugly when that new content also takes down an entire cluster of servers, which can happen. This is when you begin to suffer major downtime and the associated costs. To avoid this problem, the Data Center Management team implemented a team dedicated to monitoring any change that was made to any part of that data center. This Change Management team was the control point for nearly every process in place within that operation. If you wanted a new IP address for your server, you asked Change Management. If you wanted to upgrade your server to Windows 2000, you asked Change Management. And so on. This process worked wonders in the reliability and total uptime of the servers the teams were managing. I highly recommend that a solid change-management policy be implemented in your organization. The benefits of reduced support costs and increased server reliability are well worth the bruised feelings someone may get when they are told their change would cause some problems.
Other Test Lab Considerations

Now that you’ve decided what you need a test lab for, and presumably you have the approval and the necessary budget, where are you going to put the lab? If your network stretches across WAN links, you might want to place parts of your test lab in separate locations so that you can also test the feasibility of your rollout plans across those WAN links. Another point to consider along that vein: Where is the test staff located? Do you have enough IT staff at one location to host a successful test lab? How about the one point that causes the most concern for many growing companies: Where do we put that lab? Do you have the real estate to spare for a test lab? How large will it be? A small company might get by with a half-dozen computers in a spare cubicle somewhere, but a larger company with greater resources might want to dedicate a section of an existing data center to the test facility. Some companies may find that their networks are scattered across many geographical areas, and it makes a lot of sense to acquire another location to use for testing because it would also make a perfect disaster recovery site. After all, you’re going to be making an environment that can simulate the real production environment, right? So take it a little further and combine that simulation capability with the off-site tape storage, and you have a good model for disaster recovery.

The absolute best place to put your lab is in a mirrored environment with the existing network. This way, all issues can be worked out with a practice run of the migration before the real thing. Ideally, this means purchasing systems comparable to the ones currently running on the network and installing identical services on those machines. Attempt to simulate the production environment as closely as possible.
Preparing Your Environment for the Rollout

Okay, so you’ve done your testing and written your project plans and associated documents. Ready to do some real work? The last step you’ll take before the real full-scale deployment is to conduct a pilot deployment. A pilot deployment presents the opportunity to test your understanding of the migration process by moving a small number of computers and users over to the new system. In your pilot program, you will want to select a number of users in your organization who are fairly competent to move to Windows 2000. You will be upgrading at least some of your servers to provide network services for them and upgrading their workstations to Windows 2000. The pilot gives these users a chance to learn the new features of Windows 2000 and to give you feedback on how these features work for them in their daily environment. This feedback will either confirm your decision to proceed with the full deployment or warn you to back off until you have resolved any conflicts that have been found.

In my opinion, pilots are a great idea for one reason: The real environment is never completely simulated in the test lab. It seems that no matter how hard we try, we can never quite get the feel of the production environment. One of the major causes for this is the mixture of software on the users’ computers. Even in companies that tightly control what software can be installed on a workstation, people still manage to slip in some shareware that they’ve downloaded from the Internet or some personal software that they’ve brought in from home.

EXERCISE 3.3 Planning a Pilot Program

When you are ready to plan your pilot program, here are some steps to keep in mind:
1. Create your plan. Document your intentions in as much detail as possible prior to beginning the pilot program. This will provide some guidance for your staff and some additional buy-in from your sponsors.
2. Select users and locations. Determine who will participate in the rollout and where they will be located. It is a really good idea to include your IT staff in the rollout so that they have more time to become acquainted with the technology. Users selected for the pilot should be able to reap tangible benefits from their use of Windows 2000 while playing a non-critical role in daily operations.
3. Prepare the users and locations. This is a great time to provide initial training for your staff who will be participating in the pilot. Also take this opportunity to upgrade any hardware that doesn’t meet the minimum requirements for the new software.
4. Deploy the pilot. Install the software on the computers you have selected for the program and have the selected users begin using Windows 2000 in their daily tasks.
5. Monitor the pilot program. Begin gathering feedback from the participants and track this information carefully. Resolve any issues that are encountered and document the solutions for later use.
6. Evaluate the results. Carefully weigh the feedback from your pilot participants and from your deployment staff. Determine from this information whether your deployment is on track or if there are issues that will require you to reevaluate your plans.
The users you select for the pilot should be enthusiastic about the Windows 2000 deployment. Such users will help your project’s success in the long term because they will share their experiences with others in the organization who are not yet using Windows 2000. If the pilot is going well (or if not, if you are on top of the issues), these people will be your greatest advocates. These pilot users should also be representative of the typical end users in your organization if possible. They should be performing tasks that will normally be performed with Windows 2000 in the future. Yet, there is also a balance to be struck here: They should be able to absorb some downtime if things go wrong. It’s probably not a good idea to roll over your line of business (LOB) servers as part of the pilot program.

Pilots are a great way to prepare for a migration, but they’re not the only step you need to take to prepare your network for migration. You’ll need to prepare the network for the migration in terms of network services and disaster recovery planning. Make sure that you have current backups of all servers prior to performing the migration. This is not to imply any lack of confidence in Windows 2000—I’m just trying to express a cautious approach to migration. The data on your servers tends to be very important to your organization. It’s probably important enough that you don’t want to lose it if something did happen to go wrong.

Other points to consider for preparation include user awareness of the migration, status of network services, and training of your systems staff (the ones who will be performing the migration). Your users need to be aware of the migration timetable so that they understand the potential interruptions of service they may encounter. Network services need to be in place to support the migration (here I’m really thinking about DHCP and DNS, but there are others that may help, such as Systems Management Server).
The following sections discuss some of the issues surrounding network services. Your staff must be trained and experienced prior to the migration if the deployment is to go smoothly. Ideally, each member of the migration team has spent sufficient time in the test lab trying the procedure. If this is true, then each team member should have a clear idea of what can go wrong and what can be done to recover.
So you think you’re ready for a successful upgrade to Windows 2000, but how can you be sure? There are a number of tools that you can use to test and verify a migration to Windows 2000. Before you begin your upgrade, you will need to test your deployment to be certain that every element has been implemented successfully. You will have to go through and test each of the following areas separately to ensure that they will be deployed properly.
Microsoft exam objective:
Perform test deployments of domain upgrades.
To fully test the implications of your deployment, you must simulate your production environment as closely as possible in your testing. Decide which elements of your deployment to test first, and set up that configuration to begin your testing. I find that focusing on the highest priority portions of the deployment first is a good way to begin. This may vary according to the project goals, but for me that means testing the domain migration first.
The Domain Level

You should begin your deployment testing at the domain level. It is important to start here because this is the basic structure of your new network. Testing this area is critical because it will tell you if there are domain-wide issues that must be resolved before they affect your users.

EXERCISE 3.4 Testing at the Domain Level

To test an upgrade at the domain level, follow these steps:
1. After installing Active Directory in your test environment, check the dcpromo.log file located in %SystemRoot%\Debug to verify that there were no errors.
2. Use the listdcs.vbs script that is provided with the Windows 2000 Server Resource Kit. This script checks the domain and lists all of the domain controllers. From the command prompt, you can execute the script with a /? switch to get a list of the valid switches.
3. Use the listdomains.vbs script from the Windows 2000 Resource Kit. This script displays a list of all the domain-naming contexts found through LDAP. Note that the commands for this script are case-sensitive. From the command prompt, you can execute the script with a /? switch to get a list of the valid switches.
The Visual Basic scripts used in this section are executed by the Windows Scripting Host (CScript for the command prompt, or WScript for the GUI version). To make CScript your default script host, type cscript //H:CScript //S at the command prompt and press Enter.
User and Group Accounts

The next area of your network where you need to test your deployment plan is your user and group accounts. It is critical to be certain that they will be upgraded successfully because no migration is considered successful if the process adversely affects the users. You are migrating to Windows 2000 in order to provide your users with better services and enhanced capabilities, not to cause them grief.
Testing User and Group Accounts To test and verify an upgrade for user and group accounts, follow this process:
1. Verify that existing users can still log on to the domain by picking some random user account to test. If you can successfully log on using this account, then you can feel more secure that the rest have been migrated correctly.
2. Compare the list of users and groups that existed in the NT SAM with the users and groups that exist in Active Directory to verify that they were all migrated successfully. If you find discrepancies, then you will need to recover any missing accounts or delete any duplicate accounts.
3. Verify that all commands in the logon scripts are run correctly. When a user account logs on to the domain, all commands in the script should work. Turn off any commands that hide the process and watch the output of the logon script to make certain it is not reporting any errors.
System Policies

Finally, you will need to transition your System Policies to Group Policy Objects in Windows 2000. Group Policy can be applied at the site, domain, or OU level in Active Directory. It controls security options for nearly every aspect of Windows 2000 and is much more granular than System Policy in NT.

EXERCISE 3.6 Testing System Policies

To test and verify the upgrade in terms of your System Policies, follow these steps:
1. Create Group Policy that mirrors the settings used in your System Policy. You would do this by comparing the policy settings in the System Policy Editor in NT to the settings being applied in Group Policy. This ensures that users will receive the same settings whether an NT domain controller or one running Windows 2000 validates them.
2. Log on as different users that have different System Policy settings.
3. Check Event Viewer for warnings. There may be incompatibilities that show up with various hardware. Your hardware inventory during the planning phase should have found all of these, but some may still slip through. Also check the Device Manager to look for warnings or errors regarding Plug-and-Play hardware.
Once the migration has been completed, the best test of all is to watch the user calls to the help desk. If the trouble tickets being cut indicate issues with the upgrade, you will need to take steps immediately to correct the problems.
Cleaning Up Afterwards

If your upgrade went well, there shouldn’t be much left to do afterwards. But there will be some tasks, such as reallocating hardware. You might have discovered in your planning that you will have too many domain controllers after the migration. These servers can be reused elsewhere in your network as file or applications servers.
Microsoft exam objective:
Perform post-migration tasks.
After you have successfully completed the upgrade of a single domain, you may be finished, or you may be just beginning a longer migration plan. In the latter case, you will need to repeat this upgrade process in other domains and perhaps then restructure your domains into a more efficient Active Directory model. You can expect to spend a fair amount of time performing post-migration tasks.

If your upgrade was not successful, then you will need to troubleshoot the individual issues. The resolutions will depend upon the issues encountered, but if you prepared for the migration by taking one or more backup domain controllers offline, you could always recover the environment by bringing these servers back online and promoting them to primary domain controllers for their respective domains. You’ll know that the upgrade wasn’t successful if accounts are lost, users cannot log on to the domain, or if they report other similar catastrophic issues. Most often, the reported issues will be minor and easily resolved without rolling back the migration.

One task that you should very definitely spend time on after your upgrade is documenting the process. Run your migration team through a debriefing to gather as much information as possible about what went well and what went wrong. Sooner or later, someone at your company will go through this again. The knowledge you have gained will save those other people a lot of planning and implementation time if they can learn from your experience. Who knows, it may even be you next time.
Preparing DNS

The Domain Name System (DNS) is a server-based method of resolving hostnames to IP addresses and is required for Active Directory. A hostname is a human-friendly name assigned to an IP host. A host can be virtually anything that can be assigned an IP address, but we usually think of hosts as being computers. Windows 2000 offers a very good DNS server service. In fact, the service is so useful in a Windows 2000 environment that you might as well consider it required for normal operations. Although you can use BIND 8.1.2 or higher, the benefits of Microsoft’s DNS server justify using it.
Microsoft exam objective:
Install the Windows 2000 DNS service or configure the existing DNS implementation as appropriate.
The DNS server in Windows 2000 supports all of the Internet standards for DNS and implements a few new features as well, such as dynamic updates and Service (SRV) records. These features in particular are useful to the Windows 2000 network. The dynamic update capability means that as a client receives its Dynamic Host Configuration Protocol (DHCP) lease, it can notify the DNS server of the IP address and hostname of the client. The DHCP server notifies the DNS server of the reverse lookup record information, and the client itself registers the forward lookup information. The information is added to the DNS tables, and then any computer in the network can resolve that client’s address using DNS.

The new features of DNS in Windows 2000 include the following:

Support for Active Directory: The Windows 2000 DNS service can integrate its records with Active Directory to provide greater fault tolerance and security. All zones that are integrated with Active Directory are automatically replicated to all domain controllers in the forest. The new DNS service also acts as a locator service for Windows 2000 domain controllers, so that Windows 2000 clients can locate the domain controllers for logon or other services.
Support for dynamic updates: With this feature enabled, Windows 2000 clients can notify the DNS server of their hostname and IP address. Dynamic updates eliminate the need for a Windows Internet Name Service (WINS) server to provide name resolution for dynamically addressed clients.
Record aging and scavenging: This feature prevents the presence of outdated records in the tables. It is especially useful in the case of dynamic updates, when the client computer is unable to un-register its name and address, such as when it is improperly shut down.
Secure updates in Active Directory integrated zones: If the DNS zone is integrated into Active Directory, then the zone can be configured to accept updates only from an authorized user account.
Administration through the Management Console: The DNS service in Windows 2000 is fully integrated into the Microsoft Management Console (MMC) for easier administration. There were some interface issues with the DNS Manager tool in NT 4, where using the Tab key took you to new and unexpected places. The interface in Windows 2000 works quite well using the keyboard or mouse.
Command-line administration: Windows 2000 provides a command-line interface to the DNS server, dnscmd.exe, which can be used to administer the DNS server directly or be included in batch files for automated administration.
Incremental zone transfers: In addition to the traditional full zone transfers, the Windows 2000 DNS server can execute partial zone transfers that contain only the changed records. This can help to reduce network traffic generated by DNS zone transfers.
Support for third-party DNS servers: Microsoft has designed the Windows 2000 DNS service to more closely resemble industry standards. Therefore, Windows 2000 DNS servers do a good job when interoperating with other DNS implementations. In order for third-party DNS servers to function as an authoritative DNS server in a Windows 2000 environment, they must support dynamic updates, the use of SRV records, and underscore characters in the name. BIND versions 4.9.6 and newer support SRV records, and BIND versions 8.1.2 and newer support dynamic updates. The newest BIND versions support underscore characters as options, but this is not yet a standard.

In NT 4 and earlier Microsoft network operating systems, all computers were identified by their NetBIOS computer name. In Windows 2000, this has changed. Now all computers in a Windows 2000 network will use DNS by default to resolve computer names to IP addresses. In fact, the Windows 2000 domain names are usually DNS domain names that describe the exact location of the domain within the DNS namespace. When designing your Active Directory structure, take care to implement your naming correctly, and then you can use DNS to resolve network names throughout your forest. Windows 2000 creates a NetBIOS name based on the hostname to support legacy applications. However, this should not deter you from using DNS as the primary name-resolution method.

Windows 2000 computers use Fully Qualified Domain Names (FQDNs) to communicate. An FQDN is the combination of the hostname with the full domain name. Now there is one other thing you need to know about FQDNs: Always put a dot (.) at the end of the name. This was something of a pain to me when I was first learning TCP/IP that I’d like to spare you. That trailing dot represents the root of the Internet. Figure 3.1 shows a representation of an FQDN.

FIGURE 3.1 How a Fully Qualified Domain Name relates to the Internet namespace
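As an added example (not code from the book or from Microsoft), the Python script below parses a constructed RFC 1035 master file laid out like the <domain>.dns zone file discussed in this section, qualifies relative names against $ORIGIN so the effect of a missing trailing dot becomes visible, and checks that the SRV locator records point at hosts that actually have A records. The zone contents, host names and addresses are constructed, and the _ldap._tcp and _kerberos._tcp locator names are assumed rather than taken from the page.

```python
# Constructed sample zone (hypothetical hosts and addresses), laid out like a
# Windows 2000 <domain>.dns file: $ORIGIN, $TTL, a parenthesised SOA, and a
# record line that starts with whitespace to inherit the previous owner name.
SAMPLE_ZONE = """\
; example.com.dns  (constructed for this example)
$ORIGIN example.com.
$TTL 3600
@                 IN SOA  dc1.example.com. hostmaster.example.com. (
                          2001010101 900 600 86400 3600 )
@                 IN NS   dc1.example.com.
dc1               IN A    10.0.0.10
dc2          600  IN A    10.0.0.11
_ldap._tcp        IN SRV  0 100 389 dc1
                  IN SRV  0 100 389 dc2.example.com.
_kerberos._tcp    IN SRV  0 100 88  dc3
"""

CLASSES = {"IN", "CH", "HS"}
NAME_RDATA_TYPES = {"NS", "CNAME", "PTR", "MX", "SRV"}  # last rdata field is a name


def is_absolute(name):
    """An FQDN ends with the root dot; anything else is relative to $ORIGIN."""
    return name.endswith(".")


def qualify(name, origin):
    """Expand a relative name against origin.  A name that is missing its
    trailing dot is treated as relative, which is why 'dc2.example.com' becomes
    'dc2.example.com.example.com.' instead of the host you meant."""
    if name == "@":
        return origin
    return name if is_absolute(name) else f"{name}.{origin}"


def _logical_lines(text):
    """Yield lines with ';' comments removed and ( ... ) continuations joined."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            joined = " ".join(buf)
            buf, depth = [], 0
            if joined.strip():
                yield joined


def parse_zone(text, origin):
    """Return (owner, ttl, class, type, rdata) tuples with every name absolute."""
    origin = origin if is_absolute(origin) else origin + "."
    default_ttl, last_owner, records = 3600, origin, []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        # A line that starts with whitespace inherits the previous owner name.
        owner = last_owner if line[0] in " \t" else qualify(tokens.pop(0), origin)
        last_owner = owner
        ttl = int(tokens.pop(0)) if tokens and tokens[0].isdigit() else default_ttl
        rclass = tokens.pop(0) if tokens and tokens[0] in CLASSES else "IN"
        if not tokens:
            raise ValueError(f"record without a type: {line.strip()!r}")
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in NAME_RDATA_TYPES:
            rdata[-1] = qualify(rdata[-1], origin)
        elif rtype == "SOA":
            rdata[:2] = [qualify(rdata[0], origin), qualify(rdata[1], origin)]
        records.append((owner, ttl, rclass, rtype, tuple(rdata)))
    return records


def check_locator_records(records, domain, services=("_ldap._tcp", "_kerberos._tcp")):
    """List problems with the SRV records Windows 2000 clients use to find
    domain controllers (assumed locator names): each service needs at least one
    SRV record under the domain, and every SRV target needs an A record."""
    domain = domain if is_absolute(domain) else domain + "."
    a_hosts = {owner for owner, _, _, rtype, _ in records if rtype == "A"}
    problems = []
    for service in services:
        srv_owner = f"{service}.{domain}"
        targets = [rdata[3] for owner, _, _, rtype, rdata in records
                   if rtype == "SRV" and owner == srv_owner]
        if not targets:
            problems.append(f"no SRV record for {srv_owner}")
        problems += [f"SRV target {t} has no A record in the zone"
                     for t in targets if t not in a_hosts]
    return problems


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE, "example.com")
    for problem in check_locator_records(zone, "example.com"):
        print(problem)
```

Run stand-alone, the script reports the one constructed fault (the _kerberos._tcp record points at dc3, which has no A record); the same parser can be pointed at a real <domain>.dns file after a test upgrade.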
Installing DNS

If you have not installed DNS during Windows 2000 installation, you can install it through Control Panel > Add/Remove Programs > Add/Remove Windows Components (or install it as part of the Active Directory installation). Double-click Networking Services and select Domain Name System (DNS) from the list, as shown in Figure 3.2. Click OK, and then click Next to install the DNS service.

FIGURE 3.2 Select Domain Name System from the Networking Services dialog to install DNS.

Microsoft exam objective:
Install the Windows 2000 DNS service or configure the existing DNS implementation as appropriate.
When you first install DNS, no zone files will be configured. That’s the first thing you need to complete before your DNS server will do anyone any good. When you open the DNS console for the first time and expand the entry for your server, you will receive a message instructing you to configure the server, as shown in Figure 3.3.

FIGURE 3.3 The DNS console warns you to configure the server before proceeding.
Configuring the server in this case means using a wizard to create a new zone for the server. Click the Action menu for the console and select Configure The Server. The Configure DNS Server Wizard shown in Figure 3.4 opens and walks you through the necessary steps to configure a new zone.
2. This page asks whether you want to configure a forward lookup zone. Click Yes, Create A Forward Lookup Zone, and then click Next to proceed. A forward lookup zone is the file that will resolve FQDNs to IP addresses.
3. The Zone Type page asks—you got it—what type of zone to create. Your available choices will be determined by what role your computer plays in the network. If it is a domain controller, you have the option to create an Active Directory-Integrated zone, which means that the zone files will be stored in Active Directory. If your computer is anything other than a domain controller, you will have only the options to create a Standard Primary or Standard Secondary zone. The Standard Primary zone will contain the resource records in a file stored on this computer. The Standard Secondary zone means that this DNS server will receive its information from a DNS master server. The Zone Type page is shown in the following graphic. Click Next to continue.
4. The Zone Name page asks you to enter your DNS domain name. There may be more than one domain managed by this DNS server, so just enter the DNS domain name you are trying to configure and leave the rest for later. When you have typed in the name, including the dot at the end, click Next to continue.
5. The Zone File page asks where the zone information should be stored. This will be shown if you are creating a Standard Primary zone; the other types will already know where to obtain the zone information. A default entry will already be filled in, comprised of your DNS domain name with a .dns file extension. I highly recommend that you accept this default. It just seems to work more reliably that way. This page is shown below. Click Next to proceed.
6. Next, the wizard wants to know if you would like to create a reverse lookup zone. A reverse lookup zone enables your DNS server to provide resolutions from IP address to hostname. Select Yes, and click Next to continue.
7. Next, you see the Zone Type page again, this time for the reverse lookup zone. The same guidelines apply here as in step 3 above.
8. The next page is the Reverse Lookup Zone page, which asks you to provide the network identification for the zone. The easiest way to determine your network address is to look at your subnet mask. If the subnet mask blocks out the first two octets (that is to say your mask is 255.255.0.0), then the first two octets of your IP address are your network identification, and the rest of your IP address is the host identification. Enter your network address, and fill the other remaining spaces with zeros. Click Next.
9. The Zone File page will ask you to confirm the name of the zone information file. Confirm the default name provided and click Next.
10. The Completing the Configure DNS Server Wizard page summarizes your selections. Click the Finish button when you are satisfied with your choices, and the wizard will complete the creation of the zones.
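The names the wizard derives in steps 4 through 9, worked through as an added Python example (this is not code from the book or from the Windows 2000 DNS service). It applies only the rules stated in the steps above: the default zone file name is the DNS domain name with a .dns extension, and the reverse lookup zone is built from the octets that the subnet mask marks as network identification. The host address 10.1.2.3 and the domain corp.example.com are constructed sample values.

```python
"""Names the Configure DNS Server Wizard asks for in steps 4 through 9.

Added example; not code from the book or from the Windows 2000 DNS service.
Rules applied: default zone file = domain name + ".dns"; reverse lookup zone =
network octets (those covered by the subnet mask) reversed under in-addr.arpa.
"""
import ipaddress

# The wizard's reverse zones work on whole octets, so only octet-aligned masks apply.
OCTET_MASKS = {"255.0.0.0": 1, "255.255.0.0": 2, "255.255.255.0": 3}


def forward_zone_file(domain: str) -> str:
    """Default file name offered by the Zone File page (the root dot is dropped)."""
    return domain.rstrip(".") + ".dns"


def network_octets(address: str, mask: str) -> list:
    """Octets of the address that the subnet mask identifies as the network ID."""
    ipaddress.IPv4Address(address)  # raises ValueError for a malformed address
    if mask not in OCTET_MASKS:
        raise ValueError("reverse lookup zones need an octet-aligned mask: " + mask)
    return address.split(".")[: OCTET_MASKS[mask]]


def network_id(address: str, mask: str) -> str:
    """What to type on the Reverse Lookup Zone page: network octets, then zeros."""
    octets = network_octets(address, mask)
    return ".".join(octets + ["0"] * (4 - len(octets)))


def reverse_zone_name(address: str, mask: str) -> str:
    """Zone the wizard creates: the network octets in reverse order under in-addr.arpa."""
    return ".".join(reversed(network_octets(address, mask))) + ".in-addr.arpa."


def ptr_owner_name(address: str) -> str:
    """Owner name of a host's PTR record inside that zone: all four octets reversed."""
    ipaddress.IPv4Address(address)
    return ".".join(reversed(address.split("."))) + ".in-addr.arpa."


if __name__ == "__main__":
    # Constructed sample values: one host and the two-octet mask used in step 8.
    print(forward_zone_file("corp.example.com."))
    print(network_id("10.1.2.3", "255.255.0.0"), reverse_zone_name("10.1.2.3", "255.255.0.0"))
    print(ptr_owner_name("10.1.2.3"))
```

The trailing dot on every generated zone name follows the rule given earlier in the chapter; the wizard's Zone Name page expects it too. A non-octet-aligned mask such as 255.255.240.0 is rejected rather than silently truncated, because a reverse zone built on the wrong octets will answer for addresses it does not own.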
This wizard will provide you with the basic zone files, but it’s up to you to populate them with resource records for your various servers. You can do this in a couple of ways. First, you could use the traditional manual entry of each host record. Second, you could enable dynamic updates for the new zone.
EXERCISE 3.8
Enabling Dynamic Updates
To enable dynamic updates for your new zone, follow these steps:
1. Open the DNS console and expand the console tree for your DNS server. Open the branch for Forward Lookup Zones.
4. Click the Aging button to open the dialog shown below.
5. Check the box beside Scavenge Stale Resource Records to enable record scavenging. This will help to ensure that the records in your DNS server will always be accurate.
6. Click OK, and OK again to save the settings.
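A model of what the aging and scavenging setting in this exercise commits the server to, as an added Python example; it is not code from the book or from the Windows 2000 DNS service. A dynamically registered record carries a timestamp that the client rewrites when it re-registers, and a scavenging pass removes any record whose timestamp has not moved for the no-refresh interval plus the refresh interval. The 7-day length of each interval is an assumption made for this example, and the record names and dates are constructed.

```python
"""Aging and scavenging of dynamically registered records (Exercise 3.8).

Added example; not code from the book or from the Windows 2000 DNS service.
Static records (no timestamp) are never scavenged; dynamic records are removed
once NO_REFRESH + REFRESH has elapsed since their timestamp was last written.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

NO_REFRESH = timedelta(days=7)  # assumed: timestamp is not rewritten during this window
REFRESH = timedelta(days=7)     # assumed: client may rewrite the timestamp in this window

EPOCH = datetime(2000, 1, 1)    # constructed start of the sample timeline


def sample_day(n: int) -> datetime:
    """Day n of the constructed timeline."""
    return EPOCH + timedelta(days=n)


@dataclass
class Record:
    name: str
    rtype: str
    data: str
    timestamp: Optional[datetime]  # None marks a static, manually entered record


def register(rec: Record, now: datetime) -> bool:
    """A client re-registering its own record. The timestamp only advances once
    the no-refresh window has passed (this keeps replication traffic down).
    Returns True when the timestamp was actually rewritten."""
    if rec.timestamp is None or now < rec.timestamp + NO_REFRESH:
        return False
    rec.timestamp = now
    return True


def is_stale(rec: Record, now: datetime) -> bool:
    """Eligible for scavenging: both intervals elapsed with no refresh."""
    return rec.timestamp is not None and now >= rec.timestamp + NO_REFRESH + REFRESH


def scavenge(zone: List[Record], now: datetime) -> Tuple[List[Record], List[Record]]:
    """One scavenging pass over a zone: returns (records kept, records removed)."""
    removed = [r for r in zone if is_stale(r, now)]
    kept = [r for r in zone if not is_stale(r, now)]
    return kept, removed


if __name__ == "__main__":
    ws = Record("ws1.corp.example.com.", "A", "10.1.2.3", sample_day(0))
    mail = Record("mail.corp.example.com.", "A", "10.1.2.10", None)
    register(ws, sample_day(8))                  # refreshed on day 8
    kept, removed = scavenge([ws, mail], sample_day(22))
    print([r.name for r in kept], [r.name for r in removed])
```

The point of the scavenging box in step 5 is the removal half of this: a workstation that was re-imaged or retired stops refreshing, and without scavenging its A record keeps answering for an address that DHCP may already have handed to another machine.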
If you already have DNS installed on your NT servers when the upgrade is performed, that information will be carried forward and the DNS service upgraded. You will want to enable the dynamic updates, though, and set the aging rules for scavenging the database for outdated records.
One thing to consider when configuring your DNS server is the type of names that are used in your organization. DNS normally uses only naming conventions that comply with the standards listed in Request for Comments (RFC) 1123. The Windows 2000 DNS service supports strict RFC name checking for compliant name schemes. If you want to use non-standard naming, then you will need to modify this setting in the Advanced Properties for the DNS server to use either the Non-RFC name checking or the Multibyte name checking, which uses the Unicode Transformation Format (UTF-8) feature of Windows 2000 to convert characters that require two bytes to a single-byte format compatible with DNS. There are four separate options for name checking in Windows 2000 DNS:
Strict RFC: In the Strict RFC name checking, all names stored in the DNS tables must conform to standards-based DNS naming. This means that the names used can contain multiple periods and dashes as well as numbers and letters. All naming must follow the standards outlined in RFC 1123.
Non RFC: Non RFC name checking permits the use of non-standard name characters such as underscores within fully qualified domain names. This is an option that many people may want to enable when migrating from NetBIOS-based networks where underscores are a common addition to the naming scheme.
Multibyte (UTF8): This naming option permits the recognition of characters that use more than eight bytes, such as Unicode characters. Multibyte uses the Unicode Transformation Format feature of Windows 2000 to map the Unicode characters to single-byte representations that can appear in DNS.
All Names: The final option for DNS naming is to permit all name combinations in the server. Essentially, this option just disables the bad data checking within the DNS service.
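The four name-checking levels, together with the trailing-dot rule for FQDNs from earlier in the chapter, as an added Python example; it is not code from the book or from Microsoft. The level names and what each admits follow the text: Strict RFC is RFC 1123 host naming, Non RFC also admits underscores (the shape that SRV record names such as _ldap._tcp take, which is why the third-party DNS discussion above requires underscore support), Multibyte (UTF8) additionally admits non-ASCII characters carried as UTF-8, and All Names checks nothing. The label and name length limits (63 and 255 bytes) come from the DNS RFCs rather than from the text, and the treatment of the ASCII part of a multibyte label is a modelling choice noted in the code.

```python
"""The four Windows 2000 DNS name-checking levels, modelled for illustration.

Added example; not code from the book or from Microsoft. Length limits are the
DNS RFC limits; everything else follows the level descriptions in the text.
"""
import re
from enum import Enum


class NameCheck(Enum):
    STRICT_RFC = "Strict RFC"
    NON_RFC = "Non RFC"
    MULTIBYTE_UTF8 = "Multibyte (UTF8)"
    ALL_NAMES = "All Names"


# RFC 1123 host label: letters, digits and hyphens, no leading or trailing hyphen.
_STRICT_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
# Non RFC: the same, with underscore allowed wherever a letter or digit is.
_NON_RFC_LABEL = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?$")


def to_fqdn(name: str) -> str:
    """Anchor the name at the root by appending the trailing dot if it is missing."""
    return name if name.endswith(".") else name + "."


def labels(name: str) -> list:
    """Labels of the FQDN, without the empty root label."""
    return to_fqdn(name)[:-1].split(".")


def label_allowed(label: str, level: NameCheck) -> bool:
    """Apply one level's rules to a single label."""
    if not 1 <= len(label.encode("utf-8")) <= 63:
        return False
    if level is NameCheck.STRICT_RFC:
        return bool(_STRICT_LABEL.match(label))
    if level is NameCheck.NON_RFC:
        return bool(_NON_RFC_LABEL.match(label))
    # Multibyte: non-ASCII characters pass (they travel as UTF-8); the ASCII
    # characters still follow the Non RFC rules. Modelling choice for this example.
    folded = "".join(ch if ord(ch) < 128 else "a" for ch in label)
    return bool(_NON_RFC_LABEL.match(folded))


def name_allowed(name: str, level: NameCheck) -> bool:
    """Would a server set to this checking level accept the name?"""
    if level is NameCheck.ALL_NAMES:
        return True  # bad-data checking disabled
    if len(to_fqdn(name).encode("utf-8")) > 255:
        return False
    return all(label_allowed(lbl, level) for lbl in labels(name))


if __name__ == "__main__":
    # Constructed sample names: a plain host, an SRV-style name, a NetBIOS-style
    # name with an underscore, and a name with a non-ASCII character.
    for sample in ("srv1.example.com", "_ldap._tcp.example.com", "my_host.example.com", "bücher.example.com"):
        print(to_fqdn(sample), [lvl.value for lvl in NameCheck if name_allowed(sample, lvl)])
```

The practical consequence of the levels is visible in the output: a server left at Strict RFC will refuse the underscored SRV names that Active Directory registers, while All Names accepts anything at all, including names that no resolver will ever look up, which is why the text describes it as simply turning the checking off.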
What If the Migration Goes Wrong?
This is the question you really don’t want to hear, but it’s also one that you need to ask yourself. What will you do to recover from a failed migration? Now, I’m not implying that you will have problems with your deployment of Windows 2000. I’m just recommending that you include this possibility in your deployment planning to be safe. How you plan for all possible scenarios in a deployment often determines just how well that deployment will go and what your customers think of your ability afterwards.
Microsoft exam objective:
Develop and deploy a recovery plan. Consider implications for Security Account Manager (SAM), WINS, DHCP, Windows 2000 DNS Server service, and existing DNS service.
So what is your goal in recovery planning? Recovery planning should enable you to restore the original environment as quickly as possible with no lost data. This is why we normally use a pilot migration to test our planning in the real production environment. Nearly every deployment I’ve been a part of has encountered problems when we entered the pilot phase because the production environment always seems to be just a little different than we thought. With a migration from NT to Windows 2000, there are some preventive measures that can be taken that will ensure that you have a safe recovery path. One of the key measures is to update a backup domain controller (BDC) with current copies of all the major network services, then take it offline until the migration is complete. Once everything has migrated successfully, you can then decide what to do with the BDC.
Recovering the Security Accounts Manager Database
The easiest way to recover the Security Accounts Manager (SAM) database is to never lose it in the first place. I know this sounds trite, but there really is a good way to do this. Just before you upgrade the domain controllers, select one backup domain controller (BDC) to be your recovery path. Synchronize it with the primary domain controller (PDC) to make certain it has the most recent account information. Once this is complete, shut down the BDC and take it offline. This will become your safety hatch if you need to recover the SAM. If the worst does happen, and you need to quickly move back to your previous network configuration, bring the BDC back online and promote it to primary domain controller. This new PDC will have account information that is current as of the last synchronization prior to the migration. The next step will be to reinstall Windows NT on your other domain controllers and install them as backup domain controllers to the new (old) domain. It will take some time to perform all of the reinstallations, but no account information will be lost.
The exam covers this technique in many of the case study questions. You will have to decide which backup domain controller would be best to synchronize and take offline in order to prepare for disaster recovery during the migration. Select a BDC in a site or location where the absence of a domain controller will have the least impact on the migration. For instance, if you have BDCs in several sites that will be part of a migration, use the BDC in the smallest site for recovery. That way, the other sites with more users will have access to a domain controller for migrating users and processing logons.
Recovering DNS
If the BDC that forms the core of your recovery plan is also a DNS server with current zone information on it, you can use the same approach to disaster recovery. Luckily, with the DNS service the information is easier to recover since the zones are stored in simple text files. The DNS server would actually be easy to recover just by copying these files to the BDC before taking it offline. The recovery path would then be used to restore the BDC, promote it, and then install the DNS server on it. Instead of re-creating the zone files, simply create new zones with exactly the same names as the old zones and point them to the existing zone files. The DNS server will come up with the old information intact.
Recovering DHCP
This one takes a little more effort to protect the information. You most likely won’t want to back up the actual Dynamic Host Configuration Protocol (DHCP) database with all of its current leases, but you definitely should create copies of the scopes. In terms of DHCP, a scope is a group of addresses. The scope is defined by a starting address and an ending address, a subnet mask, and any excluded addresses within the range. The scope creates a pool of available IP addresses that the DHCP server can issue for that subnet. One method you could use would be to install the DHCP service on the BDC that will be held offline as a backup and create scopes that are exactly like the current scopes prior to the migration. Do not activate these scopes!
You really don’t want to be handing out duplicate leases on your network. It’s amazing, but users rarely have a good sense of humor about these things. In a recovery situation, bring the BDC online and start the DHCP service if it hasn’t already started automatically. Activate the scopes, and verify that the service is running correctly. Make certain that the other DHCP servers are offline and their scopes are deactivated. Every client will need to release and renew their IP lease to prevent conflicts. On the exam, Microsoft seems to like the approach of having the DHCP database backed up on tape. The tape can then be restored if the domain needs to be recovered. In most cases, this approach makes the most sense. You will very likely be recovering a domain that has several domain controllers. It is wise to perform a thorough backup of all of the servers prior to your migration anyway, so the information should be available from those backups. The Windows 2000 version of DHCP has a new feature that Windows NT did not possess. After restoration of a DHCP backup, the DHCP scope information will be out of date. Therefore, the server goes into “safe mode of operations” for a period of one-half the IP lease duration set in the scope. In this mode, DHCP broadcasts on the network to verify that the address it is about to assign is not currently being used. Although this reduces the chance of having address conflicts, it severely reduces network and server performance and should be halted immediately after the one-half-lease duration period has expired.
DHCP will only go into safe mode when it is recovered from a backup. If you have the service installed on another machine with overlapping scopes, there is no way to ensure that address conflicts will not happen.
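The three DHCP points above (what a scope is, why the duplicate scopes on the reserve BDC must stay inactive, and the half-lease safe-mode window after a restore) worked as an added Python example; it is not code from the book or from the Windows 2000 DHCP service. The probe callback stands in for the server's on-the-wire check that an address is not already in use, and the scope ranges, lease length and in-use address are constructed sample values.

```python
"""DHCP scope handling for the recovery plan: scope pools, duplicate-offer
detection across active scopes, and the post-restore safe-mode window.

Added example; not code from the book or from the Windows 2000 DHCP service.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Scope:
    """A scope as the text defines it: start, end, subnet mask, exclusions."""
    name: str
    start: str
    end: str
    mask: str
    exclusions: Set[str] = field(default_factory=set)
    active: bool = False

    def pool(self) -> List[str]:
        """Addresses the scope can issue: start..end minus the exclusions."""
        first = int(ipaddress.IPv4Address(self.start))
        last = int(ipaddress.IPv4Address(self.end))
        excluded = {int(ipaddress.IPv4Address(a)) for a in self.exclusions}
        return [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1) if i not in excluded]


def duplicate_offers(scopes: List[Scope]) -> Dict[str, List[str]]:
    """Addresses that more than one ACTIVE scope could hand out. A non-empty
    result means two servers can issue the same lease, which is why the copies
    on the reserve BDC stay inactive until the original servers are offline."""
    offered: Dict[str, List[str]] = {}
    for scope in scopes:
        if scope.active:
            for addr in scope.pool():
                offered.setdefault(addr, []).append(scope.name)
    return {addr: owners for addr, owners in offered.items() if len(owners) > 1}


def in_safe_mode(now: float, restored_at: Optional[float], lease_seconds: float) -> bool:
    """Safe mode applies only after a restore from backup, for half the lease time."""
    if restored_at is None:
        return False
    return restored_at <= now < restored_at + lease_seconds / 2


def next_lease(scope: Scope, leased: Set[str], now: float, restored_at: Optional[float],
               lease_seconds: float, probe: Callable[[str], bool]) -> Optional[str]:
    """Pick the next free address. In safe mode every candidate is probed first
    and skipped if something answers; outside safe mode no probe is sent."""
    for addr in scope.pool():
        if addr in leased:
            continue
        if in_safe_mode(now, restored_at, lease_seconds) and probe(addr):
            continue
        return addr
    return None


if __name__ == "__main__":
    # Constructed sample scopes: the production scope and its copy on the reserve BDC.
    prod = Scope("prod", "10.0.0.10", "10.0.0.20", "255.255.255.0", {"10.0.0.15"}, active=True)
    reserve = Scope("reserve", "10.0.0.10", "10.0.0.20", "255.255.255.0", {"10.0.0.15"})
    print("duplicates with reserve inactive:", duplicate_offers([prod, reserve]))
    reserve.active = True
    print("duplicates with both active:", len(duplicate_offers([prod, reserve])))
    still_up = {"10.0.0.10"}                      # a client that kept its old lease
    lease = 8 * 3600                              # constructed 8-hour lease
    print("safe mode offer:", next_lease(reserve, set(), 100, 0, lease, lambda a: a in still_up))
    print("normal offer:", next_lease(reserve, set(), 5 * 3600, 0, lease, lambda a: a in still_up))
```

The duplicate_offers check is the thing to run before activating the reserve scopes during a recovery: it must come back empty, which in practice means the original DHCP servers are already off the network. The safe-mode half of the example shows why the text says to stop it once the window has passed: every offer costs a probe, and once half a lease time has elapsed every client that was going to renew has already done so.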
Recovering WINS
You could approach this in a couple of different ways. Personally I don’t really think it’s worth trying to back up the Windows Internet Naming Service (WINS) database. Entries in the WINS database are made dynamically when WINS-enabled clients boot onto the network and enter their registrations in the database. Perhaps the greater issue is re-enabling WINS on the client computers so that they can once again make use of the service. As they reboot, they will make new registrations in the database, and the information will be reconstructed.
Recovering the ability to use WINS will be very important when returning to the native NT 4 environment, since this is the primary method clients use to locate the domain controllers for their services. If your current network uses WINS extensively, you may have to recover the WINS replication partnerships to fully restore the service across an enterprise level. You would complete this process by adding the WINS server IP addresses to the WINS Manager utility and then using these addresses to establish replication partnerships. If you are using WINS replication, immediately initiate a replication between servers after restoring the WINS database. Microsoft again seems to like the approach of restoring the WINS database from tape when restoring a domain after a failed migration. This is a wise course of action if there are a number of static entries in the database. Bear in mind, though, that the WINS database will regenerate when the client computers make new registrations as they reboot. Restoring the previous database from tape may help to reduce confusion for the client computers when they reboot, but more likely it will just cause additional work.
Protecting Data
Backup. Backup. Backup. Beyond that, you could always run tape backups to protect your data. Sorry for the joking tone here, but running regular backups is so critical to your network stability that I sometimes feel it’s silly to have to mention it at all. Please ensure that your backups are very current and that the data can be recovered safely from those tapes. Remember that a backup is not considered good until you have successfully recovered data from the tapes.
The widespread availability of recordable CDs (CD-R) and rewritable CDs (CD-RW) is very promising for securely backing up valuable data. These formats are generally used for storing important data where media integrity is important. The only problem with these methods is that you are limited to a mere 650MB per disk. This may present a problem when your valuable data exceeds multiple gigabytes in size. Tape is quite adequate from the standpoint of size; however, many tape formats are susceptible to spontaneously going bad and losing their data if not stored carefully.
Back up the data on every server that will be migrated. This does not express any lack of faith in Windows 2000. It is simple prudence. How much is your company worth to you? Having the data safely backed up gives you many options for recovery in the case of a failed migration.
In this chapter, you learned how to perform some of the final steps to be taken prior to performing your migration to Windows 2000. You learned how to establish a test lab for testing your plans and learning new technologies in Windows 2000. You also learned how to develop a testing strategy to be used in the lab and how to test the deployment. We examined how to install and configure the new DNS service in Windows 2000 and explained how to enable the dynamic update feature. We closed the chapter by discussing the ways in which you can ensure the safety of your network by planning for recovery options.
Key Terms
Before you take the exam, be sure you’re familiar with the following terms:
Domain Name System (DNS)
hostname
dynamic update
Security Accounts Manager (SAM)
backup domain controller (BDC)
primary domain controller (PDC)
Dynamic Host Configuration Protocol (DHCP)
Windows Internet Naming Service (WINS)
Review Questions
1. Which of the following is a new feature of DNS in Windows 2000?
A. SRV records to identify common services
B. Integration into the management console
C. Dynamic update capability
D. All of the above
2. A test lab must always be located in a single physical location.
A. True
B. False
3. You are in charge of the migration from NT 4 to Windows 2000 for your company. You are concerned about preparing for all possible scenarios and want to have a way to fall back to the original network if things go wrong. What is the best way to prepare for the recovery of the SAM database?
A. Restore from tape.
B. Dump all of the accounts to a text file. Use the text file to perform a bulk import back into the PDC.
C. You can’t. Once it’s gone, it’s gone.
D. Synchronize a BDC and take it offline until after the migration is complete.
4. You are in charge of planning the migration to Windows 2000. At what point in the planning should you provide training to your help desk staff?
A. At phase 4 of the migration phase. The first three phases your team should be concentrating on developing the test lab.
B. As soon as you establish a test lab.
C. After the test lab has proven that the migration will work perfectly.
D. Training is not necessary at this level.
5. When you are selecting staff to participate in a pilot program for Windows 2000, which of the following criteria make sense?
A. The participants should be in a different location from your IT staff.
B. They should be power users who have proven themselves as users who can expertly work through computer problems.
C. They should be engaged in mission-critical projects that would benefit most from the support Windows 2000 will provide.
D. They should be a mixture of average users and IT staff at a location where you can monitor them and provide support during the pilot.
6. Why is it important to implement a pilot program for your migration?
A. It’s a great way to test your plans in a real production environment without causing disruption to too many people.
B. It’s an opportunity to evaluate costs for your department before the migration.
C. It will give you the opportunity to decide before you actually migrate whether it is the best plan for your company.
D. It provides a backup for the production environment.
7. Why is the Domain Name System (DNS) so important to Windows 2000 networks?
A. It provides a method to locate the proxy server for access to the Internet.
B. It provides NetBIOS name resolution for all of the services running NetBEUI on Windows 2000.
C. It provides a method of locating domain controllers and other necessary server resources.
D. Because without it, we wouldn’t be able to update information
8. You are responsible for administering a Windows 2000 DNS server. You would like to automate the process of adding 100 new server records to your 25 DNS servers throughout the enterprise and have decided a script would be the best solution. Which utility would enable you to do this from a script file?
A. Dnsbatch.exe
B. Dnscmd.exe
C. Dnscmd.bat
D. There is no command-line utility for DNS.
9. Your boss is concerned about the amount of network traffic generated by the zone transfers between the DNS servers running on Windows 2000. What could you tell him that would ease his concerns?
A. That the DNS server on Windows 2000 uses incremental zone transfers, sending only the records that have changed.
B. That there really isn’t that much traffic anyway.
C. That there really isn’t any replication happening between the servers, because only Unix servers have DNS replication.
D. That DNS servers never communicate between themselves, so there won’t be any network traffic.
10. You are planning the migration to Windows 2000 for your network. You are concerned about the possibility of someone on the network making changes to the DNS tables on the domain controllers. How can you ensure that only authorized users can update the DNS records?
A. Change the primary zone files to Active Directory-integrated zone files.
B. Lock up the domain controllers to secure physical access to them.
C. Use WINS instead of DNS because it is more secure.
D. Set the file attributes on the zone files to read only.
11. You are entering the final stages of migration planning and are concerned about the possibility of a migration failure. How can you protect your network’s recovery in terms of the DHCP service?
A. Establish DHCP server replication to distribute the lease tables among different servers.
B. Save the dhcp.mdb file onto a floppy disk and lock it in your desk.
C. Create a duplicate set of DHCP scopes on the reserved BDC and activate them if needed.
D. DHCP is only available on Windows 2000, so it won’t matter if you have to restore to NT 4.
12. You can easily use three servers to create a test lab for a migration that will span 10 domains and 16 sites.
A. True
B. False
13. You are in charge of a domain migration to Windows 2000. There have been several incidents of people altering the configuration of servers without telling anyone else, and the changes caused problems for your testing. How can you prevent this from happening in the future?
A. Implement a change-management policy that controls everyone’s access to the servers.
B. Disable the servers from all public access.
C. That’s just part of the normal way of doing things because it’s virtually impossible to safeguard your servers against this kind of thing.
D. Get your superiors to make a policy statement that prevents people
14. You are in charge of the migration from NT 4 to Windows 2000 for your company. You are concerned about preparing for all possible scenarios and want to have a way to fall back to the original network if things go wrong. What is the best way to prepare for the recovery of the WINS database? (Choose all that apply.)
A. Install the WINS service on the reserve BDC and replicate the latest records to it prior to taking it offline.
B. It doesn’t matter; the database will be re-created automatically once clients are configured to use the WINS server.
C. Restore from tape backups.
D. Replicate the current information from Windows 2000 to the NT 4 BDC before restoring the old configurations.
15. The Domain Name System resolves what kind of names to IP addresses?
A. Hostnames
B. Domain names
C. NetBIOS names
D. Computer names
16. What is the primary method that clients use to locate the domain controllers for their services?
A. WINS
B. DNS
C. IIS
D. Broadcast
17. In the event of having to re-enable WINS, when should your client computers expect to see their information reconstructed?
A. 15 minutes later
B. 12 minutes later
C. When the domain controller reboots
D. When the client computer reboots
18. Where is DNS service information stored?
A. Text files
B. Active Directory
C. The Registry
D. SQL Server
19. You have just completed the migration of your NT network to Windows 2000. You are trying to decide whether or not to dismantle your test lab. Why should you choose to keep your test lab? (Choose all that apply.)
A. Because a test lab is a very costly endeavor, the space should be maintained as a training center for future migrations.
B. You may have to restructure the network.
C. It would make a good place to test software deployment strategies before rolling out new programs for your users.
D. It provides fault tolerance for the domain controllers.
20. You have successfully completed your Windows 2000 migration, and the network has been running fine for some time. Lately, you have noticed that there seems to be a rise in the occurrences of IP address conflicts on your network. What can you do to prevent this?
A. Implement DHCP as the only means of assigning IP addresses for all computers.
B. Station security personnel near the DHCP servers to prevent unauthorized access.
C. Create a Group Policy Object to prevent people from setting IP addresses.
D. Implement a change-management policy and assign a team of people to monitor any requested changes to the network environment.
Answers to Review Questions
1. D. All of these are new features of the DNS service in Windows 2000.
2. B. Test labs can be distributed across multiple sites in your organization.
3. D. If you need to recover the SAM database after a failed migration, the best way is to have a BDC that can be promoted to become the new PDC of the original domain, then reinstall the other domain controllers as BDCs in the domain.
4. B. It’s best to provide hands-on training as soon as you possibly can, but having the test lab makes it much easier.
5. D. It makes the most sense to have the participants where you can get the most benefit from monitoring their use of Windows 2000 and where you can provide support for their problems.
6. A. Because it’s so difficult to fully simulate the real production environment, a pilot program lets you test your configurations in the real network without causing too many problems for the people doing the business-critical work.
7. C. Windows 2000 networks use DNS to provide name resolution and to locate server resources. It is also valuable as the primary method of locating the domain controller for logon authentication.
8. B. The command-line utility Dnscmd.exe enables you to perform basic administration of the Windows 2000 DNS server from a script or from the command prompt.
9. A. The new DNS service on Windows 2000 has implemented incremental zone transfers to speed replication and decrease network traffic.
10. A. Active Directory-integrated zones can use domain security to prevent unauthorized access to the DNS tables.
11. C. The best way to restore DHCP services if necessary is to create duplicate scopes on the reserved BDC and activate them only if needed after a failed migration.
12. B. The test lab should be able to accurately reflect the nature of the network being migrated. If there are multiple domains, there should be the capability of creating a lab with multiple domains to simulate the production environment.
13. A. Change management is a necessary part of controlling your network environment. Create a policy that requires a central authority to approve any proposed changes to the network.
14. A, B, or C. Answers A, B, or C would actually work. The best answer for most situations would be A. I have a preference for answer B and would count that as a correct answer too.
15. A. The most correct answer is A. DNS resolves hostnames to IP addresses. Saying computer names is a bit too non-specific as hostnames and NetBIOS names are both computer names.
16. B. Windows 2000 uses DNS extensively to locate network services. The DNS server in Windows 2000 accomplishes this through the use of the SRV record type.
17. D. Client computers (and servers) register their network services during the boot process. Rebooting the client computers should re-create the WINS database.
18. A or B. Normally, the zone files for a DNS server are stored as simple ASCII text files on the hard disk of the DNS server. If you have chosen to create Active Directory Integrated zones, then the information is stored in Active Directory.
19. B or C. Having a test lab available in your organization is extremely useful for testing software deployment packages prior to rolling them out to the users. It can also be used for planning a domain restructure or for testing service packs and other system updates for the domain controllers.
20. D. Implementing a change-management policy and team ensures that these types of changes won’t be a problem in the future. If all requested changes go through a centralized authority, there is a single point of control for managing the network.
Upgrading Domains
MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Upgrade the PDC, BDCs, application servers, DNS servers, and RRAS servers.
Implement Group Policies.
Implement file replication bridges.
Convert domains to native mode.
In this chapter, you will learn how to upgrade your domain to Windows 2000 and Active Directory. This assumes that you have already done the planning and testing necessary to know what’s going to happen during the deployment phase—or at least have a good idea what will happen. This chapter discusses some of the “nuts and bolts” topics in upgrading your domain from NT 4 to Windows 2000 and will help you understand the necessary steps.
Upgrading Domain Controllers to Windows 2000
So now it’s time to upgrade the primary and backup domain controllers to begin the migration to Windows 2000. Most of your servers will be easy to upgrade, with little or no actual preparation required. Application servers, DNS servers, and Remote Access servers (RAS) will be covered in following sections, but we’ll begin with domain controllers.
Upgrade Paths and Required Hardware
Before you get started, you will need to consider some of the basic points of an operating system upgrade, such as the possible upgrade paths and the required hardware, just to be sure that your domain controllers can be upgraded. Table 4.1 shows the possible upgrade paths from NT to Windows 2000 for domain controllers.
TABLE 4.1 Upgrade Paths for Domain Controllers
Upgrade From: PDC or BDC running NT Server 3.51 or 4
Upgrade To: Domain controller running Windows 2000 Server or Advanced Server.

Upgrade From: Member server running NT Server 3.51 or 4
Upgrade To: Member server running Windows 2000. After the upgrade, the member server can be changed to a domain controller using dcpromo.exe if you choose.

Upgrade From: Any computer running Windows NT Advanced Server 3.1 or NT Server 3.5
Upgrade To: Must be upgraded to Windows NT Server 3.51 or 4 first, then can be upgraded to either Windows 2000 Server or Advanced Server. Then use dcpromo.exe to promote the server to a domain controller.
Many servers running earlier versions of Windows NT won’t have the necessary hardware resources to run Windows 2000 successfully. Be sure to check that they have the required hardware before attempting to perform an upgrade.
You should keep in mind that all domain controllers in a Windows 2000 environment are equal in their roles and responsibilities. There won’t be any distinction between primary and backup domain controllers after you’ve performed the upgrade. This really has no impact on how your network functions, but it may cause some confusion for administrators who are learning Windows 2000.
Having an accurate inventory of computer hardware is especially important when upgrading older domain controllers from NT 3.51 or 4 because the hardware requirements were significantly lower for both of those operating systems. You may find that the first step in upgrading your domain controllers is actually to upgrade the hardware installed in them. Table 4.2 shows the required hardware for Windows 2000 domain controllers.
TABLE 4.2 Hardware Requirements for Windows 2000 Domain Controllers
Processor: Intel (or compatible) Pentium 166MHz or higher
Memory: 64MB minimum; 128MB or more recommended
Hard disk: 1.2GB of free space on the boot partition; 6MB of free space on the system partition
Display: VGA or better
Optional components: CD-ROM or DVD-ROM drive for local installation
Network: Network interface card (NIC) and necessary cables
Other components: Keyboard; mouse or other pointing device
Upgrading Your Domains and Servers
Now that you've considered these two basic points regarding paths and hardware, you're ready to begin the upgrade. This is usually the point where I want to tear off the shrink-wrap, slap the CD-ROM into the drive, and shout, "Let the upgrade commence!" My enthusiasm has actually been a problem at times, since I'm bound to forget some key point. Let's take this in a reasonable order so you don't encounter any problems.
Microsoft exam objective:
Upgrade the PDC, BDCs, application servers, DNS servers, and RRAS servers.
In this section, we are going to focus on upgrading your primary and backup domain controllers as well as your application, DNS, and RAS servers. This is a very involved process that takes quite a few steps to implement. A key component in a successful upgrade is organization. To make it more manageable, I’ve broken down the process into a logical order.
Create Fault Tolerance
One of the most critical elements in the upgrade process is recovery. Fault tolerance means the ability to continue normal operation in spite of minor failures; in the case of upgrading your domain controllers to Windows 2000, it means having a way to recover your domain information if the upgrade fails. This is easy to arrange by reserving one of the backup domain controllers (BDCs). Pick one of your BDCs to be the reserve computer and ensure that it is fully synchronized with the primary domain controller, so that it holds a current copy of the domain's account database. Take this fully synchronized BDC off the network, and keep it off, until the upgrade has been completed for all of the other domain controllers. If the upgrade of the PDC fails, you can promote the reserved BDC to PDC and bring the NT domain back in its pre-upgrade state; any account changes made after the BDC was disconnected are lost, which is one more reason to freeze account administration for the duration of the upgrade. Once everything is operating normally under Windows 2000, you can upgrade this last domain controller. This strategy also works for preserving other network services, as we discussed in Chapter 3, "Preparing for the Migration."
EXERCISE 4.1
Preparing the Domain Controllers
There are a few steps to be taken in preparation for the upgrade. Before you initiate the setup program for Windows 2000 on your domain controller, do the following:
1. Disable virus protection. Anti-virus programs wreak havoc on operating system installations. Some of these programs are sophisticated enough to recognize that you're installing an operating system and won't interfere, but don't take any chances. Disable all of them prior to upgrading. Another reason this is important is that many programs written specifically for NT 4, anti-virus scanners among them, won't run correctly on Windows 2000. It would be a real shame to finish the upgrade only to discover that the domain controller now bluescreens every time it boots. To disable your virus protection, follow the manufacturer's instructions. These programs usually have a monitoring icon in the System Tray; if so, you can right-click the icon and select Disable from the context menu. Once the upgrade is complete, install a version of the scanner that is certified for Windows 2000 before the domain controller goes back into service; a domain controller is not a machine to leave unprotected.
2. Disable third-party services. Any system or network services running on the computer that are not part of NT should be temporarily disabled to prevent conflicts during setup. A good example would be Client32 from Novell, installed on the server so that it can communicate with NetWare servers. To disable these services, use the Services applet in Control Panel to set the Startup value to Disabled, and then stop the service. Note the original startup values first so that you can restore them (or remove the service) once the upgrade is done.
3. Disconnect the serial cable from either the UPS or the computer, whichever is easier to reach. Uninterruptible power supplies (UPS) can become confused by the hardware detection that Windows 2000 will perform during installation. Play it safe and disconnect the serial interface during setup, then configure the UPS support later when the installation is complete.
4. Reserve hardware resources for ISA cards. If your domain controllers have any Industry Standard Architecture (ISA) adapters installed, it’s best if you use the computer’s BIOS to reserve the Interrupt Request (IRQ) and Direct Memory Access (DMA) resources prior to installing Windows 2000. You do this by adjusting the settings in the BIOS of the computer. Consult the manufacturer’s instructions for help. This will help to avoid any problems during hardware detection. Honestly, though, I haven’t yet encountered any problems detecting hardware with Windows 2000.
Performing the Domain Controller Upgrade
Now that you've taken these steps to prepare for upgrading your domain controllers, it's time to put the CD-ROM into the drive and start the setup. You can also perform the upgrade across the network from an installation share on another server using the winnt32.exe program. The primary domain controller must be the first domain controller upgraded in a domain. When you run the setup program, the current domain information is preserved along with the local computer settings. When setup completes, the computer restarts automatically and logs on as Administrator so that the Active Directory Installation Wizard can run. After Active Directory has been completely installed, you have two options: further configure the domain or upgrade some of the BDCs. Although it may be tempting to keep the migration flowing, test what you have already accomplished before going on. Try logging on as a user and accessing a resource, for example.
When you insert the Windows 2000 Server CD-ROM in an NT 4 computer, the autorun program displays the options seen in Figure 4.1. This screen lets you start the setup program or explore the disk. The upgrade process saves all of the pertinent information from your current domain controller configuration for use with Windows 2000. The upgrade completes without any further input from you, except possibly for the CD Key.
FIGURE 4.1
The autorun program asks if you would like to install Windows 2000, install add-on components, or browse the disk.
Upgrading Application Servers
Application servers are upgraded using almost the same process as the domain controllers, with a few differences. Prepare the server in the same way by disabling any anti-virus programs and third-party services, disconnecting the UPS interface, and reserving hardware resources for ISA cards. After you've completed all of the necessary preparations, it's time to begin the upgrade.
App servers can cause the most problems during upgrades, especially when dealing with third-party apps. Research each application, and make sure it is fully compatible with Windows 2000 before you upgrade the server it runs on.
When you insert the Windows 2000 CD-ROM, you will be presented with the same options seen in Figure 4.1. If you choose to upgrade your server to Windows 2000, the upgrade proceeds without any input from you and maintains the server's entire configuration. If you are upgrading an NT 3.51 server, you won't receive the autorun notice to perform an upgrade as you would in NT 4. Instead, run setup.exe in the root folder of the CD-ROM; you will then receive the same window presented in Figure 4.1.
The main difference between upgrading member servers and upgrading domain controllers is the function they have when the upgrade is complete. You may decide that you need more domain controllers in your Windows 2000 domain. Base that decision mostly on the efficiency of logons and authentication for clients: if you need faster logon access in a particular subnet, you might promote a member server there to be a domain controller by running dcpromo.exe on it.
If the member server is running the Dynamic Host Configuration Protocol (DHCP) service, the server must be authorized in Active Directory immediately after the upgrade. A Windows 2000 DHCP server that is a domain member and is not authorized in Active Directory will not offer leases to client computers, so your clients stop getting addresses as their current leases expire.
If the member server is running the DNS service, its zones are available immediately after the upgrade with no further action from you. You may want to convert the zones from standard primary zone files to Active Directory-integrated zones to take advantage of secure dynamic updates, which are available only for Active Directory-integrated zones. This requires the DNS server to be a domain controller, since the zone data is then stored in Active Directory.
RAS servers also upgrade with little or no input from you; however, there is some configuration that must be completed after the upgrade. The default remote access permission in Windows 2000 is to deny access to everyone. In order for your RAS users to connect to the server once the upgrade has been completed, you will need to reset the permissions to allow them to connect.
Administrators of Windows NT domains frequently use System Policy to control the actions of users. System Policy works by applying templates to the Registry of a computer to enforce user, group, or computer settings. In the past, these settings were effective for most NT administrators but often led to additional issues because they could not be reliably removed from the Registry. I remember proving a point to a student using System Policy to lock his computer down so that the only thing he could do was run Notepad. The problem was that even after removing the policy, the changes couldn’t be undone. I even went so far as to make changes to his Registry remotely, but to no avail. We finally had to reinstall his computer so he could continue the rest of the course. Now this was an extreme case, but the issue with being unable to remove System Policy is real. The problem just seldom gets this bad. Another footnote to consider is that while Group Policy on Windows 2000 is great, older Windows clients cannot use it. The old System Policy can still be used in Windows 2000 for legacy clients by placing the config.pol or ntconfig.pol file in the netlogon share of a W2K domain controller.
Understanding Group Policy
Microsoft exam objective:
Implement Group Policies.
In Windows 2000, Microsoft has introduced Group Policy to replace the old System Policy. Group Policy is much more extensive than System Policy. It combines Registry templates with scripts for various events and has an automatic refresh capability. A Group Policy Object (GPO) is linked to a site, a domain, or an Organizational Unit (OU); which users and computers within that container actually receive it is controlled by the permissions on the GPO, as described later in this chapter. Group Policy is implemented in the following ways:
Administrative Templates  These templates are essentially the System Policies from NT 4, but with more granularity. They are defined by an administrator and delivered to users and computers through the GPO. Administrative Templates can be modified to more closely coincide with your past System Policy settings by using your old .adm policy templates to provide the definitions for the Windows 2000 Administrative Templates. Be aware, though, that the old template files write to Registry locations outside the keys Windows 2000 reserves for policy, which brings back the annoying old behavior of NT policies: the settings stay in the Registry after the policy is removed.
Security  Similar to the file security available in the NT file system (NTFS), these security settings can be applied to local resources just as they could in NT 4, but also to network, computer, and domain security objects.
Software Installation  The software installation capabilities in Windows 2000 are quite good, if somewhat limited in scope. This function of Group Policy lets you define the installation parameters for a program and then assign those parameters to a GPO.
Scripts  The scripts in Windows 2000 go beyond the traditional logon scripts. There are now separate scripts for startup, logon, logoff, and shutdown events.
Folder Redirection  This feature of Group Policy enables you, the administrator, to redirect a group of user folders to a network share. Certain folders can be stored on a network share point and then be accessible from anywhere on the network.
In Windows 2000, when you create a new GPO you are creating a virtual storage container for all of the settings that make up that Group Policy. The GPO has two parts. The first is the Group Policy Container (GPC), an Active Directory object that stores the GPO's attributes and has sub-containers for the policies that apply to computers and for those that apply to users. The Group Policy Container holds the following:
Version Information  Helps to synchronize the current GPO with the Group Policy Template.
Status Information  Indicates whether the GPO is activated or deactivated.
List of Components  Contains the extensions to the GPO, such as scripts or Registry templates, that make up the GPO.
The other component of a GPO is the Group Policy Template (GPT), a folder hierarchy under the Sysvol folder on every domain controller (Sysvol is replicated between the domain controllers of a domain, so each one holds a copy). The GPT holds the file-based parts of the policy: the Registry.pol files built from the Administrative Templates, the scripts, the security templates, and the .adm files themselves. Each GPT folder is named by the Globally Unique Identifier (GUID) assigned to the GPO when it was created, so matching a folder under Sysvol to a GPO means matching GUIDs.
Group Policy Inheritance
GPOs are assigned at various levels in Active Directory: the local computer, site, domain, or OU. When you assign Group Policy, be aware that by default the GPO's settings are inherited by the containers below it in Active Directory. This means that when you assign Group Policy at the domain level, the GPO applies to the domain, but also to any OU within that domain, any OUs within those OUs, and so on. If your Group Policy is simple and will be applied to everyone equally across the domain, assign the GPO at the domain level and allow it to be inherited by all OUs within the domain. But few organizations will use Group Policy that is this simple. More commonly, Group Policy will be defined at several different levels. But then, how do you prevent a change made at the domain level from overwriting your GPO at the OU level? I'm glad you asked that question. You can force inheritance and also block inheritance at any level in Active Directory. If you need to prevent GPO settings from flowing down through inheritance to your OU, you can set the OU to Block Policy Inheritance. This setting prevents the OU from accepting any GPO from higher in Active Directory. As an administrator higher in the hierarchy, you might feel that this is a bad thing and so set No Override on your GPO link so that administrators lower in the Active Directory hierarchy cannot block the inheritance of your GPO. Inheritance can be controlled at any level, and you can use whichever method you choose, though you should keep it as simple as possible for easy maintenance and troubleshooting later. If Block Policy Inheritance and No Override are both set, No Override will, well, override: the GPO is applied to the blocking OU anyway, and its settings cannot be changed by GPOs linked lower in the hierarchy.
There is a problem with inheritance at the site level. If you link a GPO to a site that contains more than one domain, the GPO applies to all of the domains within that site. The GPO, however, is stored in only one domain (by default, the forest root domain). This means that computers in all of the domains within that site must contact a domain controller of the domain where the GPO is stored in order to read it. Take this into consideration when planning your GPO structure and your network capacity.
You want to be careful not to apply excessive Group Policies on the network. The more GPOs linked to the domains and OUs above a user, the longer it takes that user to log on. Apply Group Policies sparingly without compromising network security.
Processing Group Policy
Because Group Policy is composed of so many different parts in Windows 2000, you'll need to understand which part is applied first. A GPO may contain scripts, Registry settings, and security settings, or any combination of these. If you ever find yourself having to troubleshoot these combinations, you'll want to be familiar with the order of precedence among the components of a GPO.
EXERCISE 4.2
Processing Group Policy
Group Policy is processed in this order:
1. When the computer starts, the following occur:
   a. Settings for computers are processed first. These are performed synchronously by default. You can speed the execution of the policy by changing it to asynchronous processing, but be aware that asynchronous processing lets the logon screen appear before every policy has been applied, so a security setting you have just changed may not yet be in effect at the moment a user logs on.
   b. Startup scripts are processed. These too are processed synchronously by default. Each script must complete or fail before the next script can process. Here again, your performance may benefit from asynchronous processing.
   c. With the default synchronous processing, all GPOs that affect the computer must be processed before the logon screen can be displayed.
2. When the user logs on, the following occur:
   a. Group Policy settings for the user are processed. This too is done synchronously by default.
   b. Logon scripts are run. The logon script associated with that particular user account is run after all other user-level scripts have completed. This time, the processing is asynchronous by default.
3. When the user logs off, the logoff scripts are processed. These are processed synchronously by default.
4. As the computer shuts down, the shutdown scripts are run.
One of the points that I like the most about Group Policy in Windows 2000 is that you won't have to wait for a user to log off and log on again to see the effects of a policy change. Windows 2000 automatically refreshes Group Policy on every client computer every 90 minutes (plus a random offset of up to 30 minutes, so that the clients don't all hit the domain controllers at once) and refreshes policy on domain controllers every five minutes. This is a great feature, especially when you are changing a policy for security reasons. You can protect your environment and still cause minimal disruption to the users on your network. If 90 minutes is too long for you, you can adjust the refresh interval through a Group Policy setting. You can also force a refresh at any time; on Windows 2000 the command is secedit /refreshpolicy machine_policy for the computer settings and secedit /refreshpolicy user_policy for the user settings. Setting the refresh interval too short causes superfluous network traffic and load on the domain controllers. Note also that some settings, software installation and folder redirection among them, are applied only at startup or logon and not during the background refresh.
Creating Group Policy
I hope that by now you're sold on Group Policy being useful in your network environment. Let's take a look at how the GPOs will be created and managed. But before you can do anything with Group Policy, you'll want to load the Group Policy snap-in in an MMC (Microsoft Management Console).
EXERCISE 4.3
Loading the Group Policy Snap-in
To load the Group Policy snap-in, follow these steps:
1. Click the Start button and select Run from the Start menu.
2. Type mmc /a to open the MMC in Author mode.
3. From the Console menu, select Add/Remove Snap-in.
4. On the Standalone tab of the Add/Remove Snap-in dialog, click the Add button to open the Add Standalone Snap-in dialog.
5. Browse the list for the Group Policy snap-in. Highlight Group Policy and click the Add button.
6. The Select Group Policy Object Wizard opens, as shown below. This wizard asks you to define which Group Policy Object you want to focus on. By default, the wizard is set to focus on the local computer. This is fine if you are managing the policy for the local computer. However, if you are setting Group Policy for a domain or a site, select the appropriate object by pressing the Browse button. Check the box to allow the focus to be changed when starting from the command line, and you will be able to change the focus of the snap-in any time you want to work with other Group Policy Objects.
7. Click Finish to close the wizard and return to the Add Standalone Snap-in dialog. Click Close to close the dialog.
8. Click OK to close the Add/Remove Snap-in dialog and return to your console window.
Now you have an MMC console with the Group Policy snap-in installed. You may want to save this console so that you can easily get back to it again. To save it, click the Console menu and select Save. You will be asked for a name for the saved console and the location to save it. The Save dialog defaults to Administrative Tools for the new console. I personally like to create a customized console with all of the snap-ins I use the most and save it on my Desktop. Experiment a little until you find what works best for you. The new console with the Group Policy snap-in expanded is shown in Figure 4.2.
FIGURE 4.2
This console you've created can be used to manage individual GPOs at any level, but by default it only works with the specific GPO you selected in step 6.
EXERCISE 4.4
Creating New Group Policy
To create new Group Policy, use the Active Directory Users and Computers console, following these steps:
1. Open Active Directory Users and Computers and expand the console tree to the container to which you want to apply a GPO.
2. Right-click the container you want to apply policy to, and select Properties from the context menu.
3. On the Group Policy tab of the Properties dialog, shown below, click the New button to create a new GPO.
4. Give the new GPO a name to identify it from the others.
Once you have created the new GPO for a specific container, use the steps listed earlier in this section to create a Group Policy snap-in to manage that new GPO. It's a good idea to create a custom MMC with snap-ins for each of the GPOs that you are responsible for managing, just to have a convenient way to get to all of them.
You can also link an existing GPO to an Active Directory container. When you link a GPO to a container, you create an association between the two objects, basically telling Windows 2000 to use this GPO for that container; one GPO can be linked to several containers. The steps to link an existing GPO are the same as those for creating a new GPO, except that on the Group Policy tab of the container's Properties sheet you click the Add button, browse for the existing GPO, and select it. When you click OK, the link is created. If you want to create or link a GPO for a site object, the process is the same except that you use the Active Directory Sites and Services console. By default, a GPO created for a site is stored in the root domain of the forest, but you can choose another domain when you create the GPO.
Setting Permissions for Group Policy Objects
Once you have created a GPO, you can delegate administrative control of the object by setting the appropriate permissions on it. In order for users to be affected by Group Policy settings, they must be granted both the Read and the Apply Group Policy permissions. When you create a new GPO, the default permissions are as follows:
Authenticated Users  By default, this group has the Read and Apply Group Policy permissions, which is why a new GPO applies to everyone in the container it is linked to.
System  This account has the Read, Write, Create All Child Objects, and Delete All Child Objects permissions.
Domain Admins  This group has the Read, Write, Create All Child Objects, and Delete All Child Objects permissions.
Enterprise Admins  This group has the Read, Write, Create All Child Objects, and Delete All Child Objects permissions.
The individual permissions are set just as they would be for files or other objects in Windows 2000. However, it's best to use the Allow setting for each permission you grant, instead of the Deny setting. Doing so avoids complications later when someone who is supposed to be an administrator for a GPO can't get into that object: if you set Deny for a group, and the person you want to administer the GPO happens to be a member of that group, they will be unable to access it. A specific Deny overrides a specific Allow.
When you decide to delegate control of a GPO to a user or group of users in an OU, they must be given at least Read and Write permissions to the GPO. Anyone with both Read and Write permissions for a GPO can control every aspect of managing the GPO, except to give permissions to someone else, of course.
So what do you do in a situation where you have two distinct groups of employees in a single OU and you want to use Group Policy differently for each of them? This is surprisingly easy once you understand the permissions on GPOs. Create one GPO for each set of settings and link both to the OU. Next, create two different security groups, one for each of the employee types, and add the appropriate users to each group. Then grant the Read and Apply Group Policy permissions on each GPO only to the group that should receive it. Different permissions can be assigned to different groups on the same GPO.
For example, say you have regular employees and contractors in the same OU. Let's call that OU Training. You want to apply Group Policy to the Training OU such that the contractors are prevented from installing software, and the regular employees have preconfigured links in their Favorites folder for Internet Explorer. You don't want the regular employees to be restricted by the GPO for the contractors, and vice versa. Create one GPO that restricts software installation and link it to Training. Set permissions on the GPO so that the Contractors group has Read and Apply Group Policy permissions, and remove the Apply Group Policy permission from Authenticated Users; if you leave that default in place, every authenticated user in the OU, regular employees included, still receives the restriction. Do the same with a second GPO for the Favorites links and the regular employees' group, and you're finished!
If you're worried that some regular employees are also members of the Contractors group, you can set the Deny Apply Group Policy permission for the regular employees' group on the contractor GPO, just in case. Remember, a specific Deny overrides a specific Allow, so a user who is in both groups will not receive that GPO.
Managing Group Policy Flow
Group Policy flows down through Active Directory by default, but letting it do that may not give you the control you need. Luckily you can decide whether or not to allow the flow of policy through inheritance. There are three basic ways to control the flow of inheritance for Group Policy:
No Override  This setting, when applied to the link of a Group Policy Object, tells GPOs lower in the hierarchy not to override the settings within this policy. It is set per link, through the Options button on the Group Policy tab of the container's Properties sheet.
Block Policy Inheritance  This setting prevents a container from accepting the policies of its parent containers. That is to say, if you set the Block Policy Inheritance option for an OU within a domain, the policies of the domain (and of the site) will not be applied to the OU, unless their links are marked No Override.
Processing Order  This isn't a setting like the previous options. Instead, it describes the situation where there is more than one GPO linked to a container object. When you view the Group Policy tab of the container's Properties sheet, the GPOs are listed in order of priority, highest first. The list is processed from the bottom up: the GPO at the bottom of the list is applied first and the GPO at the top is applied last, so where two GPOs in the list configure the same setting, the one at the top wins. Use the Up and Down buttons to rearrange the list and change the result.
In addition to changing the inheritance and processing order, you have yet another way to control the use of Group Policy. You may find over time that there are parts of your Group Policy that you no longer need. In this case, you can disable the computer settings, the user settings, or the entire GPO. You can also remove a GPO from a container, either unlinking it or permanently deleting it. To do this, open the Properties sheet for the container, click the Group Policy tab, highlight the GPO you want to remove, and click the Delete button. The dialog shown below asks whether this GPO should be unlinked or deleted entirely; deleting removes the GPO itself, and with it its links from every other container, so unlink unless you are sure nothing else uses it. Disabling the unused half of a GPO makes logons faster, because the client does not have to read the disabled portion.
If you are applying Group Policies at multiple levels, they process in the following order: local GPO, site GPOs, domain GPOs, and then OU GPOs, from the top-level OU down to the OU that contains the object. Each GPO applied later overrides conflicting settings from those applied earlier, so the GPO linked "closest" to the object normally has the final say, while No Override gives administrators higher in the hierarchy blanket control over computers without worrying about local settings.
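The inheritance rules above, the GPO permissions discussed under "Setting Permissions for Group Policy Objects," and the processing order are easier to reason about when they are written down as one procedure. The following Python is an added example for this chapter, not part of the original text and not a Microsoft tool; the domain, OU, GPO and group names it uses are invented. It applies the rules exactly as the chapter states them: local GPO first, then site, domain and OUs; GPOs on one container's Group Policy tab applied from the bottom up so the top entry wins; Block Policy Inheritance discarding every inherited GPO except those marked No Override, which are applied after everything else with the higher level winning; and security filtering in which a Deny Apply Group Policy for any of the user's groups beats an Allow.

```python
"""Model of how Windows 2000 decides which Group Policy setting wins.

Added example for this chapter, not Microsoft code. Domain, OU, GPO and
group names are invented. Only one "half" of each GPO (user or computer)
is modelled, since both halves follow the same rules.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]                       # setting name -> value
    apply_allow: Set[str] = field(default_factory=lambda: {"Authenticated Users"})
    apply_deny: Set[str] = field(default_factory=set)
    disabled: bool = False                         # "disable the entire GPO"


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False                      # set per link on the Group Policy tab


@dataclass
class Container:
    name: str
    links: List[Link] = field(default_factory=list)  # as shown on the tab, top first
    block_inheritance: bool = False


def applies_to(gpo: GPO, groups: Set[str]) -> bool:
    """Security filtering: a Deny Apply Group Policy for any group wins over an Allow."""
    if gpo.disabled or gpo.apply_deny & groups:
        return False
    return bool(gpo.apply_allow & groups)


def resolve(chain: List[Container], groups: Set[str],
            local: Optional[GPO] = None) -> Tuple[Dict[str, str], List[str]]:
    """chain runs from the site down to the OU that holds the object.

    Returns the effective settings and the GPO names in the order applied.
    """
    order: List[GPO] = []
    if local is not None and applies_to(local, groups):
        order.append(local)  # the local GPO is not inherited, so a Block does not remove it
    forced_by_level: List[List[GPO]] = []
    for level, container in enumerate(chain):
        # Block Policy Inheritance on any container closer to the object blocks this level
        blocked = any(c.block_inheritance for c in chain[level + 1:])
        forced_here: List[GPO] = []
        for link in reversed(container.links):  # bottom of the tab first, so the top entry wins
            if not applies_to(link.gpo, groups):
                continue
            if link.no_override:
                forced_here.append(link.gpo)     # survives a Block and is applied at the end
            elif not blocked:
                order.append(link.gpo)
        forced_by_level.append(forced_here)
    for forced_here in reversed(forced_by_level):  # OU-level No Override first, site-level last
        order.extend(forced_here)
    effective: Dict[str, str] = {}
    for gpo in order:
        effective.update(gpo.settings)           # a later-applied GPO wins a conflict
    return effective, [g.name for g in order]


# Constructed hierarchy for the demonstration (all names invented).
DOMAIN_LOCKDOWN = GPO("DomainLockdown", {"audit_logon": "success,failure"})
DOMAIN_DEFAULTS = GPO("DomainDefaults", {"wallpaper": "corp.bmp", "run_menu": "enabled"})
TRAINING_STANDARD = GPO("TrainingStandard", {"wallpaper": "training.bmp"})
CONTRACTOR_RESTRICTIONS = GPO("ContractorRestrictions",
                              {"install_software": "denied", "wallpaper": "contractor.bmp"},
                              apply_allow={"Contractors"},      # Authenticated Users removed
                              apply_deny={"Employees"})         # the chapter's "just in case" Deny
SALES_GPO = GPO("SalesGPO", {"wallpaper": "sales.bmp", "audit_logon": "none"})

DOMAIN = Container("example.local", [Link(DOMAIN_LOCKDOWN, no_override=True),
                                     Link(DOMAIN_DEFAULTS)])
TRAINING = Container("Training", [Link(TRAINING_STANDARD), Link(CONTRACTOR_RESTRICTIONS)],
                     block_inheritance=True)
SALES = Container("Sales", [Link(SALES_GPO)])


def effective_for(groups: Set[str], ou: Container) -> Tuple[Dict[str, str], List[str]]:
    """Resolve policy for an object in `ou` under DOMAIN (no site-level GPOs in this example)."""
    return resolve([DOMAIN, ou], groups)


if __name__ == "__main__":
    for who, groups, ou in [("contractor", {"Authenticated Users", "Contractors"}, TRAINING),
                            ("employee", {"Authenticated Users", "Employees"}, TRAINING),
                            ("salesperson", {"Authenticated Users", "Employees"}, SALES)]:
        settings, applied = effective_for(groups, ou)
        print(f"{who} in {ou.name}: applied {applied} -> {settings}")
```

Three results are worth checking against the text. A contractor in Training gets ContractorRestrictions, then TrainingStandard (top of the tab, so its wallpaper wins), then DomainLockdown, which the Block on Training cannot stop; DomainDefaults is blocked, so run_menu is not set at all. A regular employee in Training, even one who is also a member of Contractors, never receives ContractorRestrictions because of the Deny. In Sales, which does not block inheritance, SalesGPO's attempt to turn auditing off is defeated by the domain-level No Override, while its wallpaper setting wins over DomainDefaults because the OU is applied later.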
Configuring Group Policy
You can open a GPO in two ways. The first method was described in the "Creating Group Policy" section earlier in this chapter. The second is to open the Properties sheet for a container in Active Directory, select the GPO on the Group Policy tab, and click the Edit button. Either of these methods opens a console similar to Figure 4.3.
FIGURE 4.3
Configuring a Group Policy Object
By default, the Group Policy snap-in connects to the PDC Operations Master, or PDC Emulator, of the domain. The PDC Emulator provides the same functions as the PDC in a Windows NT network, mostly for backward compatibility, since Windows 2000 doesn't really need a PDC. Group Policy editing is focused on this computer so that every administrator edits the same copy of a GPO and Active Directory replication carries the change to the other domain controllers. If the PDC Emulator is unavailable for any reason when you are modifying Group Policy, you will receive an error that gives you the option of saving the Group Policy on another domain controller. Use this option carefully! If another administrator happens to be modifying the same GPO on a different domain controller, your changes might be lost: in such a conflict, the last change written is the one that replication keeps.
Administrative Templates
Administrative Templates are the new and improved version of the System Policy we had in earlier versions of NT. The templates are groups of Registry settings that can be applied to either users or computers.
EXERCISE 4.5
Modifying Administrative Templates
Administrative Templates can be modified using these steps:
1. Open the desired GPO in the MMC. Use either of the methods described above to open the GPO for editing.
2. Expand the trees for either User Configuration or Computer Configuration and then expand Administrative Templates.
3. Expand the folder that holds the setting you want to configure. An example would be Administrative Templates > Network > Offline Files, which contains the Enabled setting.
4. Double-click the option that you want to set to open a dialog similar to the one below. Notice that you can enable, disable, or choose to not configure the option.
Another cool new feature of Windows 2000 is the introduction of the Explain tab on the Properties sheet for any Administrative Template. This tab will provide an explanation of what the setting is and how it should be used.
Scripts
Scripts are an important part of Group Policy. We've had the logon script for years, but Windows 2000 adds several more:
Startup  This script executes when the computer starts up (hence the clever name). It executes whether or not a user logs on, and it runs in the computer's own security context rather than a user's, so it can be used to set machine-specific options.
Logon  The perennial favorite, the logon script can be used to set user-specific options. This script executes when the user logs on to Windows 2000.
Logoff  This script contains items to "clean up" after a user session. It executes when the user ends the session, whether by logging off or by choosing Shut Down.
Shutdown  This last script executes after the logoff script and during the shutdown process for the computer. It gives you a chance to clean up after a user session and before rebooting the computer.
To define the options for scripts, open the GPO in the Group Policy console and expand the Scripts node. Right-click the type of script you want to modify (Startup, Logon, Logoff, Shutdown) and select Properties from the context menu. The Scripts settings for Logon and Logoff are found under User Configuration, Windows Settings, shown previously in Figure 4.3. The Scripts settings for Startup and Shutdown are found under Computer Configuration, Windows Settings.
Security Settings
Every administrator has heard (or maybe even experienced) stories of security breaches in networks today. These are some of the horror stories of our profession, since they are usually accompanied by details of the problems caused by the intruder. Heard any of the stories about credit card information being stolen from "secure" Web sites? The Security Settings in Group Policy can help to secure your network against unauthorized use. Group Policy in Windows 2000 includes the following Security options:
Account Policies  These are the settings governing password length, age, history (uniqueness), complexity, and account lockout. Because they govern the domain accounts, they take effect only when set in a GPO linked at the domain level; the same settings in an OU-level GPO affect only the local accounts of the computers in that OU.
Local Policies  These include the local user rights assignments, the security options, and the local audit policy.
Event Log  This option controls the size, access permissions, and retention period for each of the Event logs. Since the audit information is reported through the Security log, this is a fairly important part of your security settings: a Security log that has filled up and stopped recording defeats the audit policy you just set.
Restricted Groups  This option enables you to control the membership of groups such as the built-in Administrators and Power Users. The membership is enforced at every policy refresh, so members added by hand are removed again and members listed in the policy are added back.
System Services  This is one that I often don't associate with security, but services run with considerable privilege, and many have the ability to access restricted portions of the operating system. The settings here control the startup type of each service (Automatic, Manual, or Disabled) and the security descriptor on the service, that is, who may start, stop, or configure it.
Registry  This setting enables you to control access to the Registry and configure the security on individual keys.
Public Key Policies  This option enables you to configure the settings for public key encryption. The Encrypting File System (EFS) in Windows 2000 makes use of public key encryption. These settings determine where the certificate used to establish the public key comes from and, most important, who can act as a recovery agent to recover files that have been encrypted.
IP Security (IPSec)  This setting assigns the IPSec policy for the computers in the container: which traffic is permitted, blocked, or must be authenticated and encrypted, and how the two ends authenticate each other (Kerberos, certificates, or a preshared key).
Folder Redirection
Folder Redirection enables your users to store some of their data on a network share transparently. That is, they don’t need to know where their share is or even be aware that their data is being redirected. This also serves to make their data available from any computer on the network. The data is not downloaded to the computer they are logging on to, so it doesn’t create any additional logon network traffic. Sounds cool, huh? The only problem I see is training some users to use their My Documents folder to store documents. Many people really prefer to store their data in a folder hierarchy they create on their hard disk. Folder Redirection in Windows 2000 can be used to redirect these folders to a network share:
Redirecting Folders
To redirect folders for users, you will need to apply the settings through the use of a GPO. To apply Folder Redirection, follow these steps:
1. Open the Group Policy console and expand User Configuration > Windows Settings > Folder Redirection.
2. Right-click the folder you want to redirect and select Properties from the context menu to open the dialog shown below.
3. Select the setting for the folder redirection. Possible settings include No Administrative Policy Specified, Basic, and Advanced. Basic enables redirection for all users to the same server location. Advanced enables you to set the target path according to the GPO.
4. Specify the target path. Notice in the graphic above that you can use the system variable %username%, which will replace the variable with the individual user’s name and create a specific folder for that user. This option is recommended because in addition to creating the folder automatically, Windows 2000 will also set the appropriate permissions to enable only that user to access the folder.
5. Use the Settings tab to specify the behavior of the redirected folder when it is created and when the policy is removed. The Settings tab is shown below.
Converting System Policy
Now that we’ve seen what Group Policies are capable of, let’s take a look at how to get our Windows NT System Policy settings into these Group Policies. Windows 2000 allows you to use the migpol.exe tool to migrate System Policy settings to Windows 2000 Group Policies. However, it is strongly recommended that you start over and apply desired settings within Group Policy without trying to migrate old System Policies. This is because some settings in NT’s System Policy do not have equivalent settings in Windows 2000, and migrating these policies can cause unexpected results. Microsoft does not provide specific procedures for migrating System Policy settings. My theory is simple: If Microsoft strongly recommends not doing something and doesn’t provide procedures, don’t bother doing it.
Using Replication Bridges
Windows 2000 Server uses the File Replication Service (FRS) to replicate System Policies and logon scripts stored in the server’s System Volume (Sysvol) share. This Sysvol share is used by clients to locate and process policies and scripts. Because these policy and script settings are necessary to ensure security, it’s critical that all domain controllers have the same information. FRS can also be used to replicate Distributed File System (Dfs) data. FRS is a multithreaded replication engine that replaces the LMRepl service used by Windows NT. Being multithreaded allows FRS to replicate files to different computers simultaneously. Note that FRS is a replication service, not a synchronization service. FRS replicates only whole files and does not guarantee the order in which files will arrive. Because it replicates only whole files, it will replicate an entire file even if only one character is changed. FRS is installed automatically on Windows 2000 domain controllers and is configured to start automatically. On Windows 2000 member servers, it is installed but must be manually started. There is no administrative console for FRS, as Sysvol replication happens automatically. Some features of FRS are
Multimaster replication of files and folders. This allows for servers to independently update files as necessary.
Automatic replication of file and folder attributes, including ACL information.
Configurable replication schedules for Sysvol and Dfs replication between sites.
Sysvol
The Windows 2000 System Volume is built during promotion of the domain controller using the Active Directory Installation Wizard or DCPROMO. It is a tree of files and folders that need to be synchronized between domain controllers, including
Sysvol share
Netlogon share
Windows 95, 98, and NT System Policies
Windows 2000 Group Policies
User logon and logoff scripts
Even though FRS acts independently of other Active Directory replication, it uses the same replication mechanisms. Therefore, it uses the same replication schedule for inter-site replication as ADS. However, unlike Active Directory, replication content between sites is not compressed. FRS works with Windows 2000 only because it counts on NTFS 5 to maintain a persistent logged record of file changes on member computers. When performing replication, it will always use the most current file.
Upgrading LMRepl to FRS
Okay, now that we know what FRS is and what it does, what does all this mean to you? First of all, FRS is not supported by any operating system except Windows 2000. Since we’re talking about migrating, mixed environments could run into problems with the idea of needing FRS. If you upgrade a Windows NT machine to Windows 2000, the LMRepl service will be replaced with FRS. But what about the domain controllers that are still running NT?
One major fundamental difference between the two replication mechanisms is how they decide what should be replicated. LMRepl used an export folder and import folder mechanism. This means that the administrator had to designate which computers would be export computers and which would import. All changes to files that needed to be replicated had to be made on the export computer, or they would be overwritten when replication occurred. FRS, on the other hand, uses multimaster replication, much like Active Directory-integrated DNS zones. Changes can be made to any member computer (member of FRS, not necessarily member server) and replicated to any other member computer.
Maintaining a Mixed Environment
You’re in the process of migrating from NT to 2000. You need to make sure your NT logon scripts and System Policies are properly replicated. What do you do? NT does not support FRS, and 2000 does not support LMRepl. Is it hopeless? Fortunately, no.
Microsoft exam objective:
Implement file replication bridges.
To provide support while upgrading your domain, you need to create a replication bridge between LMRepl and FRS so that both services can operate autonomously. Select one Windows 2000 domain controller, and have it copy files to the Windows NT export server’s export directory. The easiest way to accomplish this is by running a regularly scheduled script. To maintain availability of LMRepl during an upgrade, make sure that the server hosting the export directory is upgraded only after all the other servers hosting import directories have been upgraded. If the server hosting the export directory is the PDC, you should select a new server to host the export directory and then reconfigure LMRepl. Once the migration is complete, replication is no longer an issue.
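One way to implement the scheduled copy described above, as an added example that is not from the book: a batch file for the Windows 2000 domain controller chosen as the bridge. The domain name example.com, the export server name NTEXPORT, and its C:\WINNT system root are assumed placeholders.

```batch
@echo off
rem replbridge.cmd - added example, not the book's own script.
rem Bridges Windows 2000 FRS to Windows NT 4 LMRepl by copying the Sysvol
rem scripts folder (the folder shared as NETLOGON on a Windows 2000 DC)
rem into the NT export server's export directory. LMRepl then pushes it to
rem the import directories on the remaining NT BDCs. The copy is one-way:
rem Sysvol is the master, so edit scripts and policies there only.
rem Assumed placeholders: domain example.com, export server NTEXPORT,
rem its system root C:\WINNT. Adjust all three before use.

setlocal
set DOMAINDNS=example.com
set SRC=%SystemRoot%\SYSVOL\sysvol\%DOMAINDNS%\scripts
set DST=\\NTEXPORT\C$\WINNT\System32\Repl\Export\Scripts
set LOG=%SystemRoot%\replbridge.log

echo %DATE% %TIME% replbridge start >> "%LOG%"

rem Stop if the source is missing, so a wrong path is never mirrored
rem onto the export server (and from there onto every NT BDC).
if not exist "%SRC%\." (
    echo %DATE% %TIME% ERROR: source %SRC% not found >> "%LOG%"
    exit /b 1
)

rem /D copies only files newer than the export copy (cheap to run often)
rem /E keeps the subfolder tree, /H includes hidden and system files
rem /K keeps attributes, /R overwrites read-only files, /Y skips prompts
rem /I treats DST as a directory, /C continues past per-file errors
xcopy "%SRC%" "%DST%" /D /E /H /K /R /Y /I /C >> "%LOG%" 2>&1

rem xcopy exit code 1 only means nothing was newer; 2 and above are
rem real failures (aborted, initialization error, disk write error).
if errorlevel 2 (
    echo %DATE% %TIME% ERROR: xcopy returned %ERRORLEVEL% >> "%LOG%"
    exit /b 1
)

echo %DATE% %TIME% replbridge done >> "%LOG%"
endlocal
exit /b 0
```

Schedule it on that domain controller (for instance with the AT command) under an account that can write to the export directory. xcopy adds and updates files but never deletes, so a script removed from Sysvol must also be removed from the export directory by hand.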
During the migration of your network from NT to Windows 2000, there will no doubt be a time when you have a mixture of domain controllers. In Windows 2000 terms, this is a mixed-mode network. Mixed mode refers to having a mixture of NT and Windows 2000 domain controllers. You can easily have NT 3.51 or 4 member servers in a Windows 2000 domain and still be set to what Microsoft calls native mode. At the time of migration, you will have to decide when the most appropriate time to switch to native mode would be. Native mode, as you can probably guess right about now, occurs when you no longer have any NT domain controllers and Active Directory has been set to function as the exclusive security model. When you have determined that all domain controllers are running Windows 2000 and that none of your network applications require the presence of an NT domain controller, it would be appropriate to switch the network to native mode. Windows 2000 is quite able to function in mixed mode, but there are some considerations to keep in mind if you choose to keep your network in mixed mode. Basically, you need to consider these four areas if you decide to stay in mixed mode:
Logon services
Replication
Remote Access Service
Security
The first area concerns the different logon services provided by NT and Windows 2000. A Windows 2000 client computer will first attempt to use DNS to locate a Windows 2000 domain controller. If it is unsuccessful, it will fall back to the NT-LAN Manager (NTLM) logon protocol and try to contact an NT domain controller. If this is the case, your client computer will not use the Group Policy defined for the network or have the benefit of Windows 2000 scripts. Another consideration is that the File Replication Service used in Windows 2000 is incompatible with the Directory Replication used in NT 4. Directory replication was used primarily for logon scripts and policy files. FRS handles these tasks, among others, in Windows 2000. As a result, you will need to migrate this service to FRS as soon as possible after the migration or set up parallel replication folders under the two different services.
The third consideration in mixed mode is the Remote Access Service (RAS). In NT, RAS logs users on as a special system account called LocalSystem. When a user would log on to the RAS server during a dial-up session, he would use LocalSystem with NULL credentials to establish the session and then log on using NT credentials. Windows 2000 won’t allow anyone with NULL credentials to query the Active Directory properties, so this won’t work. It can work, however, if one of the following happens:
The RAS server is an NT BDC. If the RAS server is an NT BDC, it will have local access to the Security Accounts Manager (SAM) database. In this case, authentication is possible.
The RAS server contacts an NT BDC. This scenario is very unpredictable but possible. If the RAS server just happens to find an NT BDC for the authentication, then this scenario will work.
Security is weakened. An option during the installation of Active Directory is to weaken the security on certain objects in Active Directory in order for them to be compatible with NT. What happens is that the Everyone group is granted Read permission to any user object. This permits the NULL credentials logon to read the user’s information in Active Directory.
Security in a mixed-mode environment is the fourth concern. The trust relationships between NT domains were nontransitive. Trust relationships in Windows 2000 are transitive. This means that you must carefully define explicit one-way trust relationships between mixed-mode domains to mimic the transitive relationships of Windows 2000. Failure to do so means that users won’t be able to log on to another domain from a local computer if they are validated by an NT BDC. The Security Accounts Manager (SAM) database is our last cause for concern.
In NT, the SAM is limited to approximately 40,000 objects (the real performance limit is the 40MB size of the database when it reaches approximately 40,000 objects). When you install Active Directory on the upgraded PDC, the SAM is migrated to Active Directory. In mixed mode, the PDC Emulator still needs to replicate Directory information to NT BDCs in a way that imitates the former PDC’s synchronization of the SAM. Because of this, Active Directory will be limited to approximately 40,000 objects.
Choosing between Mixed and Native Modes
So when should you switch your domain to native mode? Remember that native mode requires that all domain controllers be running Windows 2000. There can be no NT domain controllers added now or later if you choose native mode. But running in native mode is the only way to take advantage of some of Windows 2000’s best features. Table 4.3 should help you decide when the time is right to move your domain to native mode.
Microsoft exam objective:
Convert domains to native mode.
TABLE 4.3 Mixed Mode versus Native Mode
Windows 2000 Feature | Mixed Mode | Native Mode
Multi-master replication | Yes, among the Windows 2000 domain controllers. PDC Emulator provides single-master replication for NT domain controllers. | Yes
Group types supported | Global, Local | Universal, Global, Domain Local, Local
Nested groups | No | Yes
Cross-domain administration | Limited | Full
Queries of Active Directory using Desktop (My Network Places) | | 
Transitive trust relationships | No | Yes
Change/configuration management | Only on Windows 2000 computers | Yes
Password filters | Only if installed on each domain controller individually | Yes, installed automatically on all domain controllers
It’s possible that you would want to keep your domain running in mixed mode if you have an application that must be run on an NT domain controller and it absolutely won’t run on Windows 2000. But that’s kind of a long shot. Most networks should move over to native mode as soon as possible to take advantage of all of the new features and enhanced security. Most often, an application that is running on an NT domain controller requires a specific version of NT, not the presence of an NT domain controller. If this is true of an application in your network, then you have a couple of options to choose from. You could, of course, leave the network in mixed mode and keep that NT domain controller to support your application. Or you could off-load the application to a member server running NT. This would keep the application on a computer that provides the necessary software support and still permit you to switch your domain to native mode. In my honest opinion, although I really love working with Windows 2000 and it has quickly become my preferred operating system, if you’re not going to use native mode to take advantage of the full features of Windows 2000 and Active Directory, why upgrade at all? Most organizations I have been in contact with over the last year or so have stated that Active Directory was the only real driving force to upgrade the network to Windows 2000. Otherwise, why go through the expense and hassle? You could easily choose to upgrade your NT Workstation computers to Windows 2000 Professional and leave it at that.
Take about 10 minutes to look over the information presented and then answer the questions at the end. In the testing room, you will have a limited amount of time; it is important that you learn to pick out the important information and ignore the “fluff.”
Background
Think Tank, Inc. is a company that specializes in creating new procedures for manufacturing companies. One recent client, for instance, needed a way to decrease the cost of moving inventory from one plant to another. The Think Tank personnel looked at the business processes of the company and determined that costs could be reduced by 45 percent through the use of on-time ordering from vendors. Think Tank then acted as the project lead in developing software and vendor relationships to facilitate this goal. Your research includes the following interview comment:
CEO: Since our major products are intellectual in nature, as opposed to physical, security is paramount to success! We look at an issue with a new perspective and come up with new ways to accomplish old tasks. We provide an invaluable service to our customers—we reduce costs through creating new, more efficient methods for their workplace.
Current Environment
Think Tank has a Microsoft Windows NT 4.0 network spread across two locations: Minneapolis and Madison. The Minneapolis location acts as the home to the Research and Development department. The Madison office houses the administrative personnel, the IT staff, and the Accounting department. Both locations have a sales staff on site. All personnel in both the Sales and R&D departments work off-site on a regular basis. There is an NT-based RAS server in both facilities.
Problem Statement
Think Tank is currently analyzing the need to upgrade to Windows 2000. You have been assigned the task of designing a series of Group Policy Objects to secure their environment.
Think Tank has decided to use a single-domain environment. They will control WAN traffic between their sites through the use of Active Directory site objects. All employees are required to change their passwords on a regular basis, use the company logo as the wallpaper on their computers, and have an intruder warning posted on their computer upon bootup. The R&D staff manages its own resources. The central IT staff provides them with technical support as needed. (IT should have access to R&D resources.) The Sales staff must be locked down tight. In the past, they have been known for installing illegal software, games, and other non-business-related files on the network. While they comprise only 22 percent of the staff, they generate over 70 percent of the trouble calls received by the IT department.
Questions
1. Given the project specifications of one domain, how many OUs would you create for Think Tank?
A. one
B. two
C. three
D. four
E. five or more
2. Create a Tree: In the following graphic, build the OU structure that you would implement for Think Tank, Inc.
(Graphic: a blank tree with a Domain Level to fill in.)
3. Create a tree: You have created the following GPOs for Think Tank:
All_GPO, which mandates password policies, sets the required wallpaper, and publishes applications.
Lock_GPO, which denies access to all system-configuration and registry-editing tools.
Support_GPO, which allows all actions.
On the following graphic, place each GPO next to the AD object with which you would associate it.
AD Object: Domain, Site, OU=R&D, OU=Sales, OU=Admin, OU=IT
GPO: All_GPO, Lock_GPO, Support_GPO
4. Create a tree: Given the scenario in question 4, is there any place in the structure where you would choose the No Override or Block Policy Inheritance options for a GPO? If so, place the option next to the appropriate container in the table.
AD Object: GPO
1. D. The number of OUs would, of course, depend upon your overall design strategy. With what we’ve been presented here, though, we would need at least one OU for each of the four departments—R&D, Sales, Admin, and IT. This would give us the opportunity to fine-tune the environment based upon departmental needs.
2. Top level: Domain ThinkTank.com. 2nd level: IT, R&D, Sales, Admin. 3rd level: none. The Think Tank, Inc. AD tree does not have to be complex—they really just need a little separation to provide granularity of management. Stay with a domain of ThinkTank.com and place each of the OUs within it.
3. Domain: All_GPO. Site: none. OU=R&D: none. OU=Sales: Lock_GPO. OU=Admin: none. OU=IT: Support_GPO. The All_GPO is assigned to the domain level so that all users and computers will execute it. The Lock_GPO is assigned to the Sales OU to prevent those users from making changes to their systems. The Support_GPO is assigned to the IT OU to ensure that users within the IT department are not affected by GPOs placed higher in the structure.
4. Domain: All_GPO. OU=Sales: Lock_GPO. OU=IT: Support_GPO, Block Policy Inheritance. The only place where you would want to control the flow of GPOs would be in the IT organizational unit. On the Support_GPO, choose the Block Policy Inheritance option to prevent the domain GPO (ALL_GPO) from affecting IT users.
In this chapter, you learned how to prepare for upgrading a domain to Windows 2000. You learned the available upgrade paths for various domain controller configurations and the recommended strategy to use for upgrading the whole domain. You then learned how Group Policy is implemented through components such as scripts, Administrative Templates, permissions, and Group Policy Objects. You learned how to apply GPOs to containers within Active Directory so that you can control users or groups within different levels of the Directory. You learned how to enable Folder Redirection through Group Policy and how a user’s data can be stored transparently on network shares. You then saw how Sysvol replication is accomplished in Windows 2000. Replication is handled through FRS, which uses the same replication mechanism as Active Directory. If you are running a mixed-mode network, you need to create a bridge between FRS and NT’s LMRepl to ensure that logon scripts and System Policies are properly replicated.
Key Terms
Before you take the exam, be sure you’re familiar with the following terms:
Block Inheritance
bridges
cost
fault tolerance
Group Policy
inherited
link
mixed mode
multimaster
native mode
No Override
PDC Emulator
replication
System Policy
Review Questions
1. Your boss has asked you to upgrade a Windows NT 3.51 domain controller to Windows 2000. The server has a Pentium 200 processor and 64MB of memory. What will you need to do to perform the upgrade?
A. Upgrade the memory to 128MB.
B. Upgrade to Windows NT 4 first, then upgrade to Windows 2000.
C. Add a faster processor.
D. Do nothing.
2. One of your colleagues is planning to upgrade an NT 4 member server to become a Windows 2000 domain controller. Will your colleague’s plan work?
A. It won’t work because you can’t upgrade a member server to a domain controller.
B. It will work if he then runs dcpromo.exe to promote the server to a domain controller.
C. Only computers that have been freshly installed with Windows 2000 can be domain controllers.
D. It won’t work because you can’t upgrade an NT Workstation to be a domain controller.
3. You are planning to upgrade your NT 4 domain to Windows 2000. Your boss is concerned about the loss of user accounts if the upgrade fails. How can you perform the upgrade and still prepare for the worst if the upgrade fails?
A. Synchronize one BDC and take it offline as a recovery path.
B. Make sure your resume is in order.
C. Make a tape backup before the upgrade.
D. You can always use the uninstall program to roll back to NT.
4. You have prepared to perform an upgrade of NT 4 to Windows 2000 by inserting the CD-ROM into the drive and running the winnt32.exe program to begin setup. The file copy begins normally, but you receive an error about a virus trying to modify the boot sector. What should you do?
A. Immediately turn off the computer because you have a boot-sector virus.
B. Ignore the warning; it probably won’t interfere with the upgrade.
C. Disable your anti-virus program before running setup, as Windows 2000 must modify the boot sector during setup.
D. Repartition and format your disk. It’s already too late.
5. You are running Windows NT 4 Server with the Client32 software from Novell installed to give you access to the NetWare 5 server on your network. What should you do to prepare for the installation of Windows 2000?
A. Temporarily disable the Client32 software and any other third-party services.
B. Synchronize your NT and NetWare passwords and permissions.
C. Windows 2000 won’t run with NetWare.
D. Remove the Client32 software and use the Client Services for NetWare instead.
6. You are in charge of planning the upgrade of your domain from NT 4 to Windows 2000. You have completed your rollout plan for everything and are now trying to decide where to actually start the upgrade of your domain controllers. Which computer(s) should be upgraded first?
A. Upgrade one of the BDCs and take it offline.
B. The PDC should be the first to be upgraded.
C. Upgrade the application servers first, then the domain controllers.
D. The order really does not matter; you should be able to choose any
7. Your network is currently running Windows NT. The primary domain controller is running Windows NT Advanced Server 3.1 on a Pentium 166 with 64MB of memory. What must you do to upgrade this computer to Windows 2000?
A. Install more memory.
B. Upgrade it to NT 3.51 or 4 first.
C. Install a second processor.
D. Run the winnt32.exe program to begin setup.
8. You would like to find a way to help your users store their important data on a network server. The problem is that many users seem unwilling to cooperate by placing their data on the server. They continue to store their data in the My Documents folder on their own computer. How can Windows 2000 solve this problem?
A. Use Group Policy to lock their My Documents folder to force them to use the network share.
B. Use Group Policy to enable Folder Redirection to store their My Documents folder on a network share.
C. Use NTFS permissions to prevent users from accessing their My Documents folder.
D. Use a roaming user profile to redirect their files to a network share.
9. You administer a Windows 2000 network. You would like to clean up a user’s network sessions by disconnecting the mapped drives whenever the user logs off of Windows 2000. How can you do this?
A. Use Group Policy to prevent the user from mapping any drives.
B. Use Group Policy to enforce Registry settings through Administrative Templates.
C. Use Group Policy to specify a logoff script that disconnects the
10. You are the administrator for an Organizational Unit in a Windows 2000 domain. The domain administrators have created a Group Policy Object that interferes with the settings in a GPO that you have created for your own OU. How can you prevent the conflict between the two GPOs?
A. Set the option on your OU to block inheritance so that your OU never receives the offending GPO.
B. Set the No Override option on your GPO.
C. Create a second GPO that undoes everything the domain GPO does.
D. You cannot prevent it because you don’t have permission.
11. You need to apply a GPO to your OU to manage some security settings for your users. A colleague of yours, who administers another OU in your domain, has already created a GPO with all the necessary settings. How can you create a GPO to apply to your OU with the minimum of administrative effort?
A. Create a link to your colleague’s existing GPO for your OU.
B. Use the File Copy command from Group Policy to create a copy of the existing GPO.
C. Use the Group Policy snap-in to create an IPO for your OU, using your colleague’s GPO.
D. Delete your colleague’s GPO and create one just like it.
12. You have been administering a Windows NT network for some time. You commonly use System Policy to secure the computers on your network. Recently, you began to test Windows 2000 for deployment on your network. You are unable to locate System Policy in Windows 2000. What is the replacement for System Policy?
A. System Policy - the Next Generation.
B. System Policy Professional.
C. Administrative Templates.
D. Windows 2000 doesn’t need System Policy.
13. You have implemented Active Directory in your organization and have created two sites for the two physical locations of your company. There are domain controllers for one of the domains in both sites. When implementing inter-site replication, which transport(s) can you use for this network?
A. NetBEUI
B. SMB over TCP/IP
C. SMTP
D. RPC over TCP/IP
14. You are the administrator for an NT 4 network with one PDC and seven BDCs. You have upgraded your primary domain controller to Windows 2000 and now want to make use of the new ability to nest security groups. But no matter where you look, you can’t find any way to do this. Why can’t you nest groups?
A. Because Windows 2000 doesn’t permit group nesting.
B. Because your domain is still running in mixed mode.
C. Because you haven’t upgraded all of your computers to Windows 2000.
D. Because you were probably trying to place a local group inside a global group.
15. You have upgraded your domain to Windows 2000. During the process, you promoted a member server to a domain controller. You suspect that something failed during the promotion. Where can you check for more information regarding the promotion?
A. Dcpromo.txt
B. Promo.log
C. Dcpromo.log
D. Eventlog.txt
16. You are planning to upgrade to Windows 2000. You are currently running NT 3.51 on your domain controllers. How can you upgrade one of the domain controllers to a Windows 2000 member server?
A. You cannot do this without formatting and installing from scratch.
B. Upgrade the domain controller to Windows 2000 and do nothing else.
C. Upgrade the domain controller to Windows 2000, then un-install the Domain Server Service.
D. Upgrade the domain controller to Windows 2000, then run dcpromo.exe to demote the domain controller to a member server.
17. You are trying to upgrade your Windows NT 4 domain controller to Windows 2000, but the setup tells you there isn’t enough disk space. You have over 5GB free on the Boot partition, but the System partition has only 5MB free. Why won’t the installation run?
A. You must have at least 6GB free on the Boot partition.
B. You must have at least 6GB free on the System partition.
C. You must have at least 6MB free on the System partition.
D. You must have at least 6MB free on the Boot partition.
18. You have just completed upgrading all of the Windows NT Servers in your network to Windows 2000. However, your client computers are unable to get DHCP leases. You verify that the computer running the DHCP service is available on the network. What could be wrong?
A. You need to install a WINS server.
B. You need to authorize the DHCP server in Active Directory.
C. You need to authorize the WINS server in Active Directory so it can begin resolving the name of the DHCP server.
D. DHCP can be installed only on a freshly installed Windows 2000 computer; it isn’t supported on an upgraded computer.
19. You are implementing Group Policy in your Windows 2000 domain. Your boss is concerned that one of the users on the network might change the policy settings in one of the GPOs. What could you tell your boss to ease her concerns?
A. The GPO will be encrypted, and you are the only one who can decrypt it.
B. Access to a GPO is controlled by security settings similar to NTFS file permissions.
C. You will change the default permissions of System Policy Editor to block any changes.
D. GPOs are stored on domain controllers, and no one but an administrator can access a domain controller.
20. You have implemented some changes to Group Policy in your Windows 2000 domain. The new settings will restrict the user’s ability to access some features of the Desktop. How can you get the new settings to take effect for your users?
A. Do nothing. The settings will go into effect at the next refresh cycle.
B. The users must log off and log on again before the settings will be effective.
C. Use the shutgui.exe utility in the Resource Kit to force the remote computers to shut down and restart.
D. Reboot all of the domain controllers in your domain.
Answers to Review Questions
1. D. The hardware in this server meets the minimum requirements.
2. B. NT Server computers that are installed as member servers can be upgraded to Windows 2000 member servers. You can then run dcpromo.exe to promote the member server to become a domain controller.
3. A. The easiest way to preserve account information for the domain is to have a fully synchronized BDC held in reserve. If you need to perform a recovery of the NT account information after a failed upgrade of the domain, all you need to do is bring the BDC online and promote it to PDC.
4. C. Windows 2000 must make modifications to the boot sector during setup so that the computer can safely boot into Windows 2000 instead of the previous operating system after installation. Disable the anti-virus program to prevent it from interfering with setup.
5. A. It is always a good idea to disable third-party services prior to an upgrade. Usually this is just a temporary measure, as the service will run fine with the new operating system, but occasionally the service is written for a very specific version of the operating system and will cause the new version to crash.
6. B. The primary domain controller should be the first to be upgraded so that the SAM database is properly migrated to Active Directory.
7. B. Windows NT Advanced Server 3.1 must be upgraded to either NT 3.51 or 4 before it can be upgraded to Windows 2000.
8. B. Folder Redirection is a part of Group Policy in Windows 2000 that enables you to redirect certain folders, like My Documents, to a specified network share. The redirection is transparent to the user, and the folder can be accessed from any computer on the network.
9. C. Group Policy in Windows 2000 introduces the concept of a logoff script, which could be used to disconnect mapped drives, among other things.
10. A. You can block inheritance so that the Group Policy Objects from
higher levels in Active Directory never flow down to your OU. 11. A. Once a GPO is established in Active Directory, it can be linked to
another OU and its policy applied to the OU. 12. C. Administrative Templates apply a set of Registry settings to a com-
puter or a user just like System Policy did in NT 4. 13. D. SMTP is the normal method for replication between sites, but it can
be used only when the sites contain different domains. If there are domain controllers for the same domain in both sites, the only available transport is RPC over TCP/IP. 14. B. The ability to nest security groups is available only in a Windows 2000
network running in native mode. 15. C. The dcpromo.exe program writes information to the dcpromo.log
file during the promotion process. If there were any errors, they would be recorded here. 16. D. The dcpromo.exe utility can be used to either promote a member
server to a domain controller or to demote a domain controller to a member server. 17. C. There must be at least 6MB free on the System partition (where the
files are installed to boot the computer) for Windows 2000 to install its boot files. 18. B. You must authorize a DHCP server in Active Directory before it will
be permitted to serve clients on a Windows 2000 network. 19. B. Security settings are part of Group Policy, and they define the per-
missions for the authenticated users. Only a user with Read and Write permissions for a GPO can alter its settings. 20. A. One of the features of Group Policy in Windows 2000 is the ability
to automatically refresh the policy settings. If the refresh policy is enabled, then all Windows 2000 clients will refresh their Group Policy settings every 90 minutes. Domain controllers refresh their settings every five minutes.
Restructuring Your Network
MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Evaluate the current environment.
Evaluate current hardware.
Evaluate security implications. Considerations include physical security, delegating control to groups, certificate services, SIDHistory, and evaluating post-migration security risks.
Evaluate application compatibility. Considerations include Web server, Microsoft BackOffice products, and line of business (LOB) applications.
Evaluate network services, including remote access functionality, networking protocols, DHCP, LAN Manager Replication, WINS, NetBIOS, Windows 2000 DNS Server service, and existing DNS service.
Perform test deployments of domain upgrades.
Develop and deploy a recovery plan. Consider implications for Security Account Manager (SAM), WINS, DHCP, Windows 2000 DNS Server service, and existing DNS service.
Develop a domain restructure strategy.
One of the most compelling reasons to upgrade a domain to Windows 2000 is the opportunity to restructure the existing network into something more efficient. Restructuring domains in Active Directory is a topic that is emphasized on the exam and is in high demand for consulting jobs. In short, this is a topic you should care about learning. In this chapter, you will learn how to plan your network restructure. This includes examining some planning issues for Active Directory, reallocating hardware resources, and looking at how the restructure will affect your network. These topics matter because there is more to restructuring than just moving things around in the Directory: you must carefully plan for the movement of network services, or your network may lose functionality. You will also learn about the potential security risks involved in a domain restructure, and we will review the strategies for creating a recovery path. In earlier chapters of this book, you learned about domain upgrades and recovery. This chapter focuses on the concepts for a successful domain restructure in a new Active Directory environment.
Planning Your Restructure
Why would you want to restructure a domain? This is a question you should ask yourself before going any further with your planning. What do you hope to get out of the restructure process? Many organizations will decide to keep their existing domain structure and just convert it to Active Directory. Others will view the migration to Active Directory as an opportunity to correct issues with their structure, or perhaps just to make the structure more efficient.
Microsoft Exam Objective
Evaluate the current environment.
Bear in mind that a domain restructure is not a requirement for transitioning to Active Directory. It is possible to simply upgrade your existing structure. But if you feel that your network would benefit from a new structure, then restructuring is for you. Restructuring can be spread over a long period of time, unlike the original upgrade, which takes a relatively short time. You can restructure at any pace you choose, making it easier to avoid unnecessary downtime. There are three basic types of restructure to consider: the post-upgrade restructure, the restructure instead of upgrade, and the post-migration restructure. Let’s look at each of them.
Post-upgrade restructure This is a very common time to perform a restructure. The first phase of the migration, upgrading the domains to Windows 2000, has been completed, and now the second phase, the domain restructure, begins. The upgrade takes care of moving the groups and users into Active Directory so that the restructure can be accomplished in a pure Windows 2000 environment. If you decide to restructure after the upgrade, your goals most likely are either to rework the current domain structure into something more efficient or to bring resource domains that have limited-rights administrators into your Windows 2000 domains in a secure way.
Restructure instead of upgrade There are two fundamental reasons to select this method: first, you cannot salvage your current domain structure; second, your environment cannot tolerate any disruption during the migration process. Either way, with this method you create a pristine forest to be the target for the restructured domains. This means that you are building an ideal forest structure for your organization that is isolated from the production environment. Over time, as more accounts are moved to the pilot network, the pilot network becomes the production environment.
Post-migration restructure This type of restructure happens after the migration to Windows 2000 is complete, sometimes months or even years later. Usually this method is selected because of a significant change in the network structure, such as a merger or acquisition.
The basic decision between an upgrade and a restructure (or both) depends on your network situation. If you feel that your existing structure is ideal, then simply upgrade; upgrades are probably the safest scenario. Restructuring offers advantages if you are unhappy with the way your current network works. Both approaches allow for back-out plans in case something goes wrong. Generally, restructuring requires additional hardware, but you wanted to upgrade your servers anyway, right?
Reasons to Restructure
A number of reasons exist why an organization might want to restructure its domain environment. Perhaps your company has just acquired another company and you need to merge the two networks into a single cohesive namespace. Or, possibly, you have upgraded your WAN links and now have the available bandwidth to combine two remote sites into a single domain. The list goes on and on, but there are three reasons you might see on the exam: greater scalability, delegation of administration, and granularity of administration.
Greater scalability If you have a very large environment, you may have designed your previous domain structure around the practical limit of about 40,000 objects in the Security Accounts Manager (SAM) database. With Active Directory, you have the opportunity to collapse those domains into a single domain or a more streamlined domain structure.
Delegation of administration Most NT domain structures require that administration be done in a centralized location, or at least by a small group of administrators. Windows 2000 and Active Directory enable you to distribute the administrative load as widely as you want. You can easily delegate authority for a resource to a user or group of users.
Granularity of administration Windows 2000 enables you to use Organizational Units (OUs) instead of separate domains to achieve logical separations for administrative units. Consider a network that has grown through acquisitions. Such a network could consolidate its administrative units as OUs within a single domain instead of using separate domains with a large number of trust relationships.
So far, none of these examples requires that you have actually completed an upgrade to Windows 2000. You could be using a domain restructure as a way of migrating to Active Directory. In this situation, you could simply migrate all of the users and groups to a new Active Directory structure without upgrading the original domain. Then, when the migration of resources is complete, you could decommission the old domain controllers and reassign them to the new domains.
Developing a Procedure
There are two basic scenarios for restructuring domains; more complicated environments still use these methods, only on a larger scale. The first involves migrating users from an NT environment to a new Windows 2000 structure. The second involves consolidating Windows 2000 domains into OUs. If you are using the first scenario, your network may be Windows NT 3.51 or 4, or it may already have been migrated to Windows 2000. Either situation will work. If the network is NT, this method will solve your migration needs as well as your restructuring needs.
Microsoft Exam Objective
Develop a domain restructure strategy.
It’s important to devise a procedure for restructuring, because this will be some of the most common work done with Windows 2000 in existing networks. Many companies will purchase Windows 2000 just for this purpose, to condense or restructure their old domains into something more efficient.
EXERCISE 5.1
Developing a Domain Restructure Strategy As a rule of thumb, when migrating domains to Windows 2000, use the following procedure:
1. Perform preliminary tasks. (These specific tasks are covered in Chapter 1, “Planning a Deployment.”)
3. Migrate account domains.
4. Migrate resource domains.
The order of migrating account and resource domains is covered in Chapter 2, “Planning for Active Directory.”
Migrating Users to a New Domain
When you decide to restructure your domains, you are choosing to move users, groups, and computers from an existing domain to a new Windows 2000 domain. A number of new configurations for the old network are possible, so let’s take a look at a few of them.
EXERCISE 5.2
Restructuring a Resource Domain The restructure of a resource domain into a Windows 2000 domain follows these basic steps:
1. Establish the trust relationships needed to maintain access to your network resources. You will need trusts from the target domain to any external account domains in order to preserve resource access for your network users during the restructure. You can use NETDOM to query the existing domains to determine their trusts. NETDOM is discussed in Chapter 7, “Migration Tools.”
2. Clone shared local groups. These are the local groups created on the domain controllers for the old domain. Use ClonePrincipal to clone the local groups to ensure that resource access is maintained during the restructure. ClonePrincipal is also discussed in Chapter 7.
3. Demote old domain controllers to member servers. In this step, you would first upgrade the primary domain controller (PDC) to Windows 2000 and then upgrade each backup domain controller (BDC) that will be moved to the new domain. Leave the domain running in mixed mode for the time being. After you’ve upgraded the BDCs, demote them to member servers and move them to the new domain and/or OU. Essentially, this will leave you with a parallel domain running in mixed mode with only a single domain controller.
4. Move member servers and client computers to new domain or OU. During the transition, use NETDOM to create computer accounts for the computers in the destination domain.
5. Decommission the old domain and reallocate the servers. By now, the only computer that should be left in the old domain would be the former PDC. You can demote this computer and move it to a new location in the new domain structure.
This plan would accomplish a move from a resource domain to an Active Directory domain, but what about moving an account domain to the new Active Directory domain?
EXERCISE 5.3
Moving an Account Domain To move an account domain to a new location in a Windows 2000 domain, follow these steps:
1. Create a new Windows 2000 environment. This may be a single domain or a new forest. Either way, the new environment should be completely new, not created by upgrading the existing domains.
2. Establish the trust relationships needed to maintain access to your network resources. The resource domains must trust the target domain (the resource trusts the user), so that user and group accounts cloned into the target domain keep their access to resources in the resource domains during the restructure. You can use NETDOM to query the existing domains to determine their trusts.
3. Clone all global groups in the source domain. Since typical administrative practice is to grant access through global groups that are added to local groups, make certain that these groups get cloned to the target domain before the users that belong to them. The easiest way is to use ClonePrincipal to clone the global groups to the new domain.
4. Select and clone sets of users. In most cases, you will want to move users to the new domain in batches, so you must identify the sets of users you will move and use ClonePrincipal to copy them to the new domain.
5. Decommission the source domain. When all of the accounts and resources have been moved to the new domain, you’ll need to demote all of the domain controllers and reassign them to new roles elsewhere in the network.
Assessing Hardware When you are considering the restructure of your network, you will need to evaluate all of the hardware currently in use for its suitability in a Windows 2000 domain. Essentially, you will be using the same hardware requirements for Windows 2000 that were covered in Chapter 1, “Planning for Deployment.”
One difference between assessing hardware for the deployment of Windows 2000 and assessing hardware for the restructure of your domains is that the old servers don’t necessarily have to run Windows 2000. That is, you could be migrating away from NT 4 to Windows 2000 and planning to replace the old servers with newer technology. If this is the case, then the primary concern for the old servers is their ability to run NT rather than Windows 2000. Your assessment of current hardware should be based upon the restructure method you have chosen. If you are performing a post-upgrade restructure, then your hardware must be able to run Windows 2000 successfully, since you will be upgrading and then restructuring. If you are simply restructuring, then you are essentially performing a migration from your existing NT environment to the new Windows 2000 structure.
EXERCISE 5.4
Assessing Hardware for Restructure Assume that your company has a standard image for its domain controllers as follows:
Dual Pentium II 400MHz processors
256MB of memory
9.1GB of hard disk storage
Based on this information, which type(s) of domain restructure will be available to you?
Keep in mind that the domain controllers for the pilot network must be able to bear the full burden of the planned Active Directory structure. The first domain controller in the forest holds all of the Flexible Single Master Operations (FSMO) roles by default: schema master, domain naming master, RID master, PDC emulator, and infrastructure master. To avoid concentrating every role and every logon on one machine, install the other domain controllers for that forest as soon as possible and before executing the restructure, and distribute the FSMO roles among several servers for better performance and resilience.
Planning for Security
Security is one area that will be greatly affected by a restructure. Because Windows 2000 makes it possible to move security principals from one domain to another, you need to assess how the restructure will affect your users, groups, and domain controllers.
Microsoft Exam Objective
Evaluate the current environment. Evaluate security implications. Considerations include physical security, delegating control to groups, certificate services, SIDHistory, and evaluating post-migration security risks.
This section will examine the impact on the following areas of security:
Moving security principals, including domain controllers, users and global groups, member servers, and client computers
Establishing trust relationships
Cloning security principals
Moving Security Principals
A security principal is a Windows 2000 entity that is assigned a security identifier (SID). This can be a computer, a user, or a group. One of the greatest benefits of Active Directory is the ability to move security principals from one domain to another or even from one forest to another. You must consider several areas when assessing the security implications of moving security principals:
Effect on SIDs
Effect on global group membership
Effect on Access Control Lists referencing the user
Effect on SIDs
The security identifier for a user, group, or computer is specific to the domain in which it is created (the domain’s own identifier forms the prefix of every SID it issues). When you move an account to a new domain, a new SID must be assigned to that account. This presents some problems for maintaining resource access during a restructure. In NT’s security model, access to a resource is controlled by the entries in the Access Control List (ACL). When a user connects, the SIDs in the user’s access token (the account’s own SID plus the SIDs of the groups it belongs to) are compared with the SIDs stored in the ACL’s entries; if one of them matches an entry that grants the requested access, access is granted. Under this model, if you “move” an account to a new domain, you are really creating a new account in the new domain with the same name and properties as the old account. Then you would have to assign permissions for the new account on every resource so that the account has the same access as before the move. Sounds like a pain, doesn’t it? To illustrate this procedure, let’s use the example company we used earlier in the book, coolcompany.local. Coolcompany.local has three domains in a Single Master Domain model, as shown in Figure 5.1.
FIGURE 5.1 The domain model of coolcompany.local: one account domain (Acct_Dom) trusted by Resource Domain 1 and Resource Domain 2
Let’s say there is a user named BobR who uses a database application located on a server in Resource Domain 2. Typically, you would create a global group in the Acct_Dom domain called DB_Users and add BobR’s account to that group. Then you would create a local group on the server that hosts the database (we’ll call it DB_Local). To give BobR the proper access to the database, you add his account to the global group DB_Users, add DB_Users to the local group DB_Local, and assign the permissions on the database to DB_Local. Figure 5.2 shows this process.
FIGURE 5.2 Granting access to a user: BobR is a member of the global group DB_Users, DB_Users is a member of the local group DB_Local, and the permissions are assigned to DB_Local
Now consider the issues surrounding moving BobR’s account to a new Active Directory location. If you move the account to the new location using any of the migration tools for Windows 2000, a new SID has to be created to identify the account uniquely in the new domain. So when you move BobR to the new domain, Windows 2000 creates and assigns a new SID to his account. At this point, BobR cannot access the database using the new account, because the new SID isn’t in the ACL for the database and isn’t a member of DB_Local either. BobR is just out of luck until we find a solution for him. Luckily, this won’t be much of an issue for Windows 2000, because it implements a new security feature called SIDHistory. Briefly, the SIDHistory attribute preserves the account’s old SID alongside the new SID. We’ll discuss SIDHistory in more depth later in this chapter.
Effect on Global Groups
Global groups have much the same problem as described above. When you move BobR’s account to the new domain, you’ll be removing him from any global group he belongs to in the Acct_Dom domain. Global groups can contain only user accounts from the group’s own domain, so when you move BobR’s account, his new account cannot be a member of any global group in Acct_Dom. To solve this problem, you might create a new global group in the target domain to parallel the old global group, but you would have to assign permissions again for all of the resources to which the old global group had access. This sounds like a lot of work to me. Another possible solution would be to use Windows 2000’s ability to move security principals to relocate the existing global group to the target domain. This would require that you move everyone who belongs to the group to the new target domain, but this solution still has a problem: the SID for the global group changes when it is moved to the new domain, requiring you to reassign permissions at all of the resources for the global group. Still a lot of work.
Effect on ACLs Referencing the User
If you had assigned any permissions directly to BobR’s account in the past, you will now have the same problem again. When you move his account to the target domain, the account receives a new SID. Since ACLs list the user account by its SID, BobR will no longer be able to access the resource using his relocated user account unless you reassign permissions at each resource for the new account.
SIDHistory
The above scenarios all have the same underlying issue: the SID assigned to an account changes. Windows 2000 introduces the concept of the SIDHistory. The SIDHistory (the sIDHistory attribute of the account object in Active Directory) stores the previous SID of a security principal that has been moved from one location to another. This feature solves each of the above scenarios by tracking the previous SID. When using the SIDHistory feature, it is important to always use the Windows 2000 migration utilities (ClonePrincipal or the Active Directory Migration Tool) to move the security principals. These utilities know how to populate the SIDHistory when you move a security principal, and thus avoid the issue of reassigning permissions. Note that SIDHistory can be written only to accounts in a domain running in native mode, so switch the target domain to native mode before you clone or move accounts into it.
During the logon process, Windows NT creates a security token containing the user’s SID and the SIDs of any groups the user belongs to. Windows 2000 takes this one step further by also adding the SIDHistory entries to the access token. This has the effect of authorizing the user for resource access based on his or her current SID, the SIDs of any groups the user belongs to, and the previous SIDs of both. The SIDHistory feature makes it possible to move a security principal from one location to another in Active Directory without losing any resource access. Keep in mind that the historical SIDs are just as authoritative as the current one: anything still granted to an old SID remains accessible through the token, so once the restructure is complete you should re-ACL the resources with the new SIDs and clear the SIDHistory entries rather than leave them in place indefinitely. Windows NT 4 systems should use the security token generated by the Windows 2000 domain controllers without any problems. There is a problem, however, with the way that NT 3.51 systems use this feature.
When NT 3.51 builds the security token, it uses only SIDs that are relative to the user’s account domain and the local computer. The upshot of this is that NT 3.51 computers won’t recognize the SIDHistory entries, or any group SIDs for universal groups or global groups from another domain in your Active Directory structure. Users attempting access from another domain will receive an access-denied message even if they should have access.
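To make the SID, global-group, and SIDHistory discussion above concrete, here is an added Python model of the BobR/DB_Users/DB_Local example (it is not code from the book or from Microsoft, and it calls no Windows API). It builds the access token the way a Windows 2000 domain controller would, expands local-group membership on the resource server, and checks the result against the database ACL; a second token builder applies the NT 3.51 rule described above. The domain prefixes, RIDs, and account names are constructed for the example.

```python
"""Model of how Windows 2000 checks an access token that carries SIDHistory.

Added example for this section: it is not Microsoft code and does not touch
the Windows security APIs. The domains, accounts and SID values below are
constructed for illustration only (the S-1-5-21-... prefixes are made up).
"""
from dataclasses import dataclass, field

# Constructed domain identifiers. A SID is <domain prefix>-<RID>, so an
# account re-created in another domain necessarily gets a new SID.
ACCT_DOM = "S-1-5-21-1001"    # NT 4 account domain (Acct_Dom in the text)
W2K_DOM = "S-1-5-21-3003"     # new Windows 2000 target domain
DB_SERVER = "S-1-5-21-9009"   # local SAM of the database server in Resource Domain 2


@dataclass
class Principal:
    name: str
    sid: str
    sid_history: list = field(default_factory=list)  # previous SIDs (Windows 2000 only)

    def all_sids(self):
        return [self.sid, *self.sid_history]


def build_token_w2k(user, global_groups):
    """Windows 2000 DC: current SIDs plus every SIDHistory entry of the user
    and of each group the user belongs to."""
    sids = set(user.all_sids())
    for g in global_groups:
        sids.update(g.all_sids())
    return sids


def build_token_nt351(user, global_groups, account_domain, local_machine):
    """NT 3.51 behaviour described in the text: only SIDs relative to the
    user's own account domain or to the local computer survive, so history
    SIDs from the old domain and foreign-domain group SIDs are dropped."""
    def keep(s):
        return s.startswith(account_domain + "-") or s.startswith(local_machine + "-")
    sids = {s for s in user.all_sids() if keep(s)}
    for g in global_groups:
        sids.update(s for s in g.all_sids() if keep(s))
    return sids


def add_local_groups(token, local_groups):
    """On the resource server, a local group's SID joins the token when any
    SID already in the token is a member of that local group."""
    for lg_sid, members in local_groups.items():
        if token & members:
            token = token | {lg_sid}
    return token


def access_allowed(acl, token):
    """Allow-only ACL: access is granted if any ACE SID appears in the token."""
    return any(ace in token for ace in acl)


def db_access(user, global_groups, local_groups, acl, nt351=False,
              account_domain=W2K_DOM):
    if nt351:
        token = build_token_nt351(user, global_groups, account_domain, DB_SERVER)
    else:
        token = build_token_w2k(user, global_groups)
    return access_allowed(acl, add_local_groups(token, local_groups))


# The chain from the text: BobR -> DB_Users (global) -> DB_Local (local) -> ACL.
DB_LOCAL_SID = f"{DB_SERVER}-1001"
DB_ACL = {DB_LOCAL_SID}                      # the ACL names only the local group
OLD_DB_USERS_SID = f"{ACCT_DOM}-1200"
DB_LOCAL_MEMBERS = {DB_LOCAL_SID: {OLD_DB_USERS_SID}}   # DB_Local lists the OLD group SID


def before_move():
    bob = Principal("BobR", f"{ACCT_DOM}-1105")
    db_users = Principal("DB_Users", OLD_DB_USERS_SID)
    return db_access(bob, [db_users], DB_LOCAL_MEMBERS, DB_ACL, account_domain=ACCT_DOM)


def after_move_without_history():
    # Accounts re-created by hand in the new domain: new SIDs, nothing old.
    bob = Principal("BobR", f"{W2K_DOM}-2105")
    db_users = Principal("DB_Users", f"{W2K_DOM}-2200")
    return db_access(bob, [db_users], DB_LOCAL_MEMBERS, DB_ACL)


def after_move_with_history():
    # Cloned with ClonePrincipal or ADMT: the old SIDs land in SIDHistory.
    bob = Principal("BobR", f"{W2K_DOM}-2105", [f"{ACCT_DOM}-1105"])
    db_users = Principal("DB_Users", f"{W2K_DOM}-2200", [OLD_DB_USERS_SID])
    return db_access(bob, [db_users], DB_LOCAL_MEMBERS, DB_ACL)


def after_move_with_history_nt351_server():
    # Same cloned accounts, but the database server runs NT 3.51 and rebuilds
    # the token keeping only W2K_DOM and local SIDs: the history SIDs vanish.
    bob = Principal("BobR", f"{W2K_DOM}-2105", [f"{ACCT_DOM}-1105"])
    db_users = Principal("DB_Users", f"{W2K_DOM}-2200", [OLD_DB_USERS_SID])
    return db_access(bob, [db_users], DB_LOCAL_MEMBERS, DB_ACL, nt351=True)


if __name__ == "__main__":
    print("before move:", before_move())                                     # True
    print("moved, no SIDHistory:", after_move_without_history())             # False
    print("moved, with SIDHistory:", after_move_with_history())              # True
    print("moved, NT 3.51 server:", after_move_with_history_nt351_server())  # False
```

The model makes the two security points of this section visible: the ACL and the local group DB_Local still reference the old SID, so only a token that carries that old SID in its SIDHistory gets through, and a resource server that strips foreign-domain SIDs from the token (the NT 3.51 case) denies the user even though the history is present. It also shows why stale SIDHistory entries should be cleaned up after the restructure: the old SID is accepted exactly as if it were the current one.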
Establishing Trust Relationships
During your restructure, you may have sets of users in both the source domain and the target domain requiring access to existing resources on your network. To provide this access, you will need to establish trust relationships between the existing resource domains and the target domain so that user and group accounts that have been moved to the new target domain can still access the resources they need in the resource domains. You can use the NETDOM tool to enumerate the trust relationships in your current network and establish new trusts where needed, as well as for a variety of other domain-management tasks. NETDOM is discussed in detail in Chapter 7. Windows 2000 automatically creates two-way transitive trust relationships between all domains in a forest. However, during your migration, you will have a hodgepodge of domains, both Windows 2000 and NT, and NT trusts, like the external trusts between a Windows 2000 domain and an NT domain, are one-way and non-transitive. Before migrating any users or resources to Windows 2000 domains, make sure that trust relationships are in place for resource access. A good rule to remember is that the resource needs to trust the user: the domain holding the resource is the trusting domain, and the domain holding the account is the trusted domain. As an example, if I trust you with my resource (my car), I will give you my car keys. Does this mean that I can drive your car? Of course not. But you can drive mine. Once the migration is complete, and all users and resources are migrated to Windows 2000, you can remove the trust relationships you created. It’s not a good idea to remove the trusts between Windows 2000 domains in the same forest: Active Directory created those for a reason.
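The trust-direction rule and the non-transitivity of NT and external trusts are easy to get backwards on paper, so here is an added Python model (not from the book and not a wrapper around NETDOM) that records trusts as (trusting, trusted) pairs and lists which trusts a restructure still needs. The forest, the NT domains of coolcompany.local, and the trust list are constructed for the example; in the real network you would obtain the same list from NETDOM.

```python
"""Trust-direction check for a mixed NT 4 / Windows 2000 restructure.

Added example for this section, not taken from the book or from Microsoft
tools: a small model of the rule "the resource domain must trust the account
domain". The domain names and trust list are constructed for illustration.
"""

# A trust is (trusting_domain, trusted_domain): the trusting domain accepts
# accounts that live in the trusted domain. NT 4 trusts, and external trusts
# between a Windows 2000 domain and an NT domain, are one-way and
# non-transitive; domains inside one Windows 2000 forest trust each other
# two-way and transitively.


def forest_trusts(forest):
    """The automatic two-way trusts among the Windows 2000 domains of a forest
    (the parent/child tree is collapsed into pairwise links here)."""
    return {(a, b) for a in forest for b in forest if a != b}


def domains_trusted_by(resource_domain, trusts, forest):
    """Every domain whose accounts can be placed on ACLs in resource_domain."""
    reachable, frontier = {resource_domain}, [resource_domain]
    while frontier:
        d = frontier.pop()
        for trusting, trusted in trusts:
            if trusting != d or trusted in reachable:
                continue
            # Follow a direct trust of the resource domain, or a transitive
            # forest trust when the whole path so far stays inside the forest.
            direct = d == resource_domain
            in_forest = resource_domain in forest and d in forest and trusted in forest
            if direct or in_forest:
                reachable.add(trusted)
                frontier.append(trusted)
    reachable.discard(resource_domain)
    return reachable


def can_access(resource_domain, account_domain, trusts, forest):
    """True when a user whose account lives in account_domain can be granted
    access to a resource in resource_domain."""
    return account_domain in domains_trusted_by(resource_domain, trusts, forest)


def missing_trusts(resource_domains, target_domain, trusts, forest):
    """Trusts that still have to be created (for example with NETDOM) so that
    accounts cloned into target_domain keep access in every resource domain."""
    return sorted((r, target_domain) for r in resource_domains
                  if not can_access(r, target_domain, trusts, forest))


# Constructed scenario: coolcompany's NT 4 single-master model plus a new,
# pristine Windows 2000 forest that will receive the cloned accounts.
FOREST = {"coolcompany.local", "corp.coolcompany.local"}
NT_TRUSTS = {("RES_DOM1", "ACCT_DOM"), ("RES_DOM2", "ACCT_DOM")}
TARGET = "corp.coolcompany.local"


def restructure_trust_plan():
    trusts = NT_TRUSTS | forest_trusts(FOREST)
    # Nothing trusts the new domain yet: cloned users lose the database.
    before = can_access("RES_DOM2", TARGET, trusts, FOREST)
    # A trust pointing the other way (new domain trusts RES_DOM2) does not help.
    wrong_way = can_access("RES_DOM2", TARGET, trusts | {(TARGET, "RES_DOM2")}, FOREST)
    plan = missing_trusts(["RES_DOM1", "RES_DOM2"], TARGET, trusts, FOREST)
    fixed = trusts | set(plan)
    after = can_access("RES_DOM2", TARGET, fixed, FOREST)
    # The new external trust is not transitive: accounts in the forest root
    # still get nothing from RES_DOM2 through it.
    root = can_access("RES_DOM2", "coolcompany.local", fixed, FOREST)
    return before, wrong_way, plan, after, root


if __name__ == "__main__":
    print(restructure_trust_plan())
    # (False, False, [('RES_DOM1', 'corp.coolcompany.local'),
    #                 ('RES_DOM2', 'corp.coolcompany.local')], True, False)
```

Running the plan shows the three things to check before cloning accounts: each resource domain must be the trusting side of a trust with the target domain, a trust in the opposite direction is useless for this purpose, and an external trust to one forest domain does not extend to its siblings, so every forest domain that will hold accounts needs its own trust from each NT resource domain.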
Cloning Security Principals
So far, I’ve described restructuring mostly in terms of moving security principals from one domain to another. But there is another alternative that should be considered: cloning security principals. Cloning offers some great benefits, such as greater reliability during the restructure. Because you are copying the accounts to the target domain, you are leaving the original production environment intact. This gives you a better recovery path, since the original domain is still there with all accounts and permissions intact. To clone security principals, you use the ClonePrincipal tool, a COM component driven by a set of sample VBScript scripts. Included in the set are scripts that clone user accounts, local groups, and global groups, populating the SIDHistory of each clone with the original’s SID. ClonePrincipal doesn’t change anything in the source domain, which is a good thing. It simply reads the account information out of the SAM database and imports it into Active Directory in the target domain. ClonePrincipal is discussed in detail in Chapter 7.
Whichever strategy you select to restructure your domains, Windows 2000 has a tool for the job. I think that there will likely be more tools coming in the near future from third-party vendors to assist with the migration or restructure of domains. But of course, the exam will be testing your knowledge of the Microsoft tools. If you choose to restructure during a migration, you will be moving security principals from the old source domain to the new target domain. If you are restructuring over time, you will most likely be using ClonePrincipal to move your security principals while maintaining their accounts in the source domain until everything has been verified to work in the new location.
Verify Application Compatibility
Application compatibility is something we discussed in detail in Chapter 1. In light of restructuring, application compatibility has some other wrinkles to bear in mind. Some of the applications that Microsoft lists in the exam objective relate directly to new features of a Windows 2000 network that will either enhance usability or simply make it possible for the network to function at all.
Microsoft Exam Objective
Evaluate the current environment.
Evaluate application compatibility. Considerations include Web server, Microsoft BackOffice products, and line of business (LOB) applications.
There are three major areas to consider when assessing application compatibility: Web services, Microsoft BackOffice including Exchange Server, and line of business (LOB) applications. Next, we will discuss each of them in greater detail.
Web Services
Windows 2000 comes with Internet Information Services (IIS) version 5 right out of the box. Notice that the name has changed slightly, Services instead of Server. IIS 5 provides backward compatibility for Web services running on earlier versions of IIS, including full support for common Internet standards as well as Microsoft extensions. Windows 2000 can also use a component of IIS for replication of Active Directory between sites. Specifically, Windows 2000 can use the SMTP service for asynchronous replication between sites whose domain controllers belong to different domains (SMTP cannot carry a domain partition, so domain controllers of the same domain always replicate over RPC). If you plan to implement sites and want to use SMTP as the transport, you must install IIS with the SMTP service on the bridgehead domain controllers, and because SMTP replication messages are signed, you also need an enterprise certification authority to issue the domain controllers’ certificates. IIS 5 includes support for Web-related network services such as these:
HyperText Transfer Protocol (HTTP) This service provides the basic Web services for IIS, enabling you to serve Web pages and files through HTTP.
File Transfer Protocol (FTP) IIS 5 provides a full FTP server for serving files over the Internet or the local intranet.
Network News Transfer Protocol (NNTP) NNTP support is included if your Windows 2000 Server will participate in routing Internet News messages.
Simple Mail Transfer Protocol (SMTP) This service provides basic e-mail transport under Windows 2000. It is also the service that carries inter-site Active Directory replication when a site link is configured to use the SMTP transport.
Visual InterDev RAD Remote Deployment Support This service enables you to use your IIS server to deploy applications through a Web interface.
Exchange Server
In Chapter 1, we discussed the use of the Active Directory Connector with Exchange Server 5.5 to unify the administration of your Windows 2000 environment and your Exchange Directory. The connector offers many benefits to administrators and will help mostly while you are waiting for Exchange 2000, which is fully integrated with Active Directory. Until you choose to migrate to Exchange 2000, you will need to maintain full functionality in your current Exchange structure. Exchange Server is a server application that requires a dedicated service account in order for its various services to start and communicate with the other Exchange Servers in your enterprise. Service accounts have the same issues with SIDs changing when the account is moved to another domain, and the same solutions apply.
To support Exchange Server on Windows 2000, there are some restrictions to keep in mind. Only Exchange Server versions 5.5 and 2000 are supported on Windows 2000 at the moment. Older versions of Exchange will need to be upgraded prior to installing Windows 2000. In addition, Exchange Server 5.5 requires Service Pack 3 in order to run on Windows 2000.
Service Accounts
A service account is a user account that has been created for the sole purpose of supporting a service running on NT or Windows 2000. Many server applications designed for Windows NT/2000 use service accounts to log on to the local server or to communicate with other servers across the network. Special care must be taken to ensure that your service accounts are migrated correctly to the new environment. After all, the one network service everyone wants is e-mail. If the service account for your Exchange Server is broken or lost during the migration, no one will be getting any e-mail through Exchange. Fortunately, the Active Directory Migration Tool has a wizard designed to migrate service accounts from your source domain to the target domain. The Service Account Migration Wizard, shown in Figure 5.3, will help you to identify and migrate your service accounts to the target domain.
FIGURE 5.3 The opening page of the Service Account Migration Wizard
This wizard looks very much like the other wizards we’ve used except that it must collect information regarding your specific service accounts. The wizard prompts you to provide the names of the computers that will provide the service account information and then dispatches an agent to each computer to gather the information. It can take some time to perform an analysis, but it’s worth the wait. Be careful not to cancel the agent process before it has completed, or you won’t be able to complete the migration successfully. When the information has been collected from the source domain, the wizard will then perform the migration.
Exchange and the Active Directory Connector
I know it seems strange to be reading a book about Windows 2000 and suddenly find a section devoted to Exchange Server, but there is a method to my madness. Some migration issues surrounding Exchange will appear on the exam, including using the Active Directory Connector (ADC) to map migrated user accounts to existing mailboxes. Believe me, you do not want to be the person responsible for the migration when it causes the Exchange Server to fail or people to not be able to retrieve their e-mail. The ADC is a Windows 2000 service that forms a replication bridge between Active Directory and the Exchange Directory. There are some distinct advantages to using the ADC:
Single source administration Using the ADC, administration of both Active Directory and the Exchange Directory can be combined into a single tool. If you are more familiar with the Microsoft Management Console (MMC), you can set up the ADC to replicate all information from Active Directory to Exchange, or if you are more familiar with the Exchange Administrator, you can replicate from Exchange to Active Directory.
Granular administration and delegation control Windows 2000 provides delegation of administrative control that is granular to the attribute level. In plain English, you can delegate administrative authority down to an attribute of an object, like the phone number associated with an account. Using the ADC, you can extend this granularity to Exchange.
Interoperability Exchange Server is able to synchronize directory information with other messaging servers. You can set up your ADC connections so that Exchange Server synchronizes with a third-party messaging server, then replicates that information back to Active Directory.
Setup Requirements for the Active Directory Connector
The hardware requirements for the ADC are simple: You must be able to run Windows 2000 or Exchange Server 5.x on the computer. There are no other special requirements, though you will want to have plenty of RAM for processing the replication information. The software requirements are also pretty straightforward:
You need at least one Windows 2000 Server.
You must have at least one Exchange Server 5.x with Service Pack 1 or higher installed.
The only other suggestion I can make for your setup is that the server running the ADC, the Windows 2000 domain controller, and the Exchange Server computer should all be on the same segment of the Local Area Network (LAN). This will prevent the replication from impacting other segments of the network and increase the efficiency and reliability of the connection. The security requirements are mostly for the initial installation of the ADC. For the first ADC installation in a forest, the account you use for the process must be a member of the Schema Admins group, since the Schema will be modified for the entire forest with information from the Exchange Server schema.
EXERCISE 5.5 Installing the Active Directory Connector
The ADC is provided on the Windows 2000 Server CD-ROM, in the folder \ValueAdd\MSFT\MGMT\ADC. Use these steps to install the Active Directory Connector:
1. Browse to the ADC folder on your Windows 2000 Server CD-ROM and double-click Setup.exe. This will start the Active Directory Connector Setup Wizard. Click Next.
2. The Component Selection page prompts you to decide which ADC components you will be installing on the local computer. ADC can be installed on a domain controller or a member server, but it should be on a Windows 2000 Server. The page shown in the following graphic asks whether you want to install the service, the management tools, or both. Click Next once you make your choice.
3. The Install Location page asks you to select a location in which to install ADC. The full space requirement for ADC is approximately 9MB. Click Next.
4. The wizard then asks you to specify which service account the ADC will use to log on to the servers. Enter the name of the service account you have chosen, then click Next.
5. Now the Setup Wizard begins copying files and configuring the system to run the ADC. Once the file copy is complete, you will be prompted to click Finish to exit the Setup Wizard.
Configuring the Active Directory Connector
The functionality of the ADC depends on Connection Agreements between the Active Directory and the Exchange Directory. Connection Agreements define a connection between the two directory architectures in a network. Typically, you will be picking one domain controller and one Exchange Server to act as Bridgehead Servers, that is, the initial points of replication between the two directories. The Connection Agreement then sets the properties for the communication between these two servers. The Active Directory Connector Management console is installed in the Administrative Tools group on the Start menu. When you open the console, there is only a single node displayed for the Active Directory Connector <ServerName>, where ServerName is the name of the Windows 2000 Server where the ADC is installed. Right-click this node and select New Connection Agreement. This will open the Properties sheets for a new Connection Agreement. Figure 5.4 shows the General tab of the Properties sheets.
FIGURE 5.4 The General tab of the Connection Agreement Properties
On the General tab, you need to assign a name for the connection and then decide in which direction the replication will occur. If you will be replicating directory information to the Exchange Directory, the service account you specify on the next tab must have the ability to write to the Directory. The Connections tab specifies the servers that will become the bridgeheads for the replication. You will be specifying the name of the server and the service account to use for logons. When you click the Modify button for the account, you will be prompted for the account name (which you can browse for) and the password. The Connections tab is shown in Figure 5.5.
FIGURE 5.5 The Connections tab defines the servers and account names used for the connection.
The Schedule tab determines when the Connection Agreement is available for replication. You can click Never, Always, or Selected Times for the availability. If you choose the last option, you will need to select the times for availability in the day and time grid. This tab also provides you with a checkbox that will force the replication of the entire Directory on the next replication event. This ability can be useful if you have a corrupted Directory and need to re-populate it manually. The Schedule tab is shown in Figure 5.6.
FIGURE 5.6 The Schedule tab determines the availability of the connection.
Next you have two tabs that are nearly identical: the From Exchange tab and the From Windows tab. These tabs ask you to define the directory containers and attributes that will be replicated across the connection. On the From Exchange tab, you need to define the location (expressed as a DN) of the Recipients container that will be replicated. Click the Browse button to make this task easier. Then you must select the default location in which to place the replicated information. The From Windows tab asks you to define the OU(s) that will be replicated to Exchange. Again, you need to define the default destination for the replicated information once it reaches the Exchange Directory. The From Windows tab is shown in Figure 5.7.
The Deletion tab defines the default behavior to use when an account is deleted from either directory. The default behavior is to save the deleted information in a temporary file so that the deleted objects can be retrieved if something goes wrong. You can also click the radio button to delete the object immediately, defining this option separately for Exchange and for Windows 2000. The final tab in the set of Properties sheets is the Advanced tab. On the Advanced tab, you can define how many replication entries will be sent per page. A page is a unit of replication containing a set number of objects. Larger pages mean that fewer replication frames will be sent across the network, but they also mean that the ADC computer must work harder and use more memory to process the pages. You will then need to determine whether this agreement will be a primary Connection Agreement for Windows or Exchange or both. A primary Connection Agreement means that the server will be enabled to make changes to the Directory for which it is responsible. If the Exchange side of the Connection Agreement is primary, then that Exchange Server will be able to enter new account information that it receives from Windows 2000.
The final setting on the Advanced tab determines what will happen when you replicate mailbox information for an account that does not exist in Active Directory. The default behavior is to create a Windows Contact entry for the mailbox recipient. You may want to define other behaviors based on your administrative plans for the ADC. If you will be performing your administration primarily from the Exchange Administrator console, then select Create A New Windows User Account from the list box. This will automatically create a Windows 2000 user account and enable it for use in the forest. The other option you’ll find in the pull-down menu is Create A Disabled Windows User Account. If chosen, it will create the account but leave it disabled until the Administrator enables it. The Advanced tab is shown in Figure 5.8.
FIGURE 5.8 The Advanced tab of the Connection Properties
In closing, use the Active Directory Connector to simplify your directory administration if you have both Exchange Server and Windows 2000 in your environment. ADC gives you the ability to manage either directory structure from a single administration tool based on your preference.
Line of Business Applications
The compatibility issues for line of business (LOB) applications are mostly centered on the service accounts and resource access for users. In a restructure, you must maintain access to the resources used on a daily basis by your users. LOB applications certainly fall into the category of daily use and by their definition are important to the normal functioning of the organization. Think of LOB applications as any program that is critical to maintain day-to-day operations of your company. Customer service databases are a good example. Because the function of these applications is so critical, little or no downtime can be tolerated. Migration to the new environment, then, can be difficult. In many cases, you can create a new copy of the application in the target domain and replicate any data the application uses to the new copy of the program. This is a simple scenario but is actually one that you won’t see very often. Most LOB applications use live data of some kind. If you replicate an image of the data to the target domain, the data will be out of date by the time the users move to the new domain. Typically, you will have to move the LOB applications last in the migration. This means maintaining resource access for your users to the LOB applications while performing the restructure. It is good to upgrade the servers running the LOB applications to Windows 2000 if possible, as this makes moving them to the new domain easier. If the applications won’t run on Windows 2000, you have the opportunity to move the server by joining the new domain if the LOB applications are running on a member server. In this case, you could simply move the server to the new domain with minimal downtime for the applications. If your LOB application is not supported by Windows 2000, Microsoft recommends contacting the vendor to see if an upgrade or workaround is available. If one is, go with it. If not, the worst-case scenario is that you will need an older server running in your mixed Windows 2000 environment.
Assessing the Impact on Network Services
If you have any experience administering SQL Server or Exchange Server, you’ll shudder at the thought of moving service accounts around. This is an area where a restructure can get very interesting. Service accounts are used by, well, services to log on to both the local server and a remote server for any transactions that need to be made between them.
Microsoft Exam Objective
Evaluate the current environment.
Evaluate network services, including remote access functionality, networking protocols, DHCP, LAN Manager Replication, WINS, NetBIOS, Windows 2000 DNS Server service, and existing DNS service.
Restructuring service accounts is very sensitive because in order to ensure a high success rate, you must assess all of the implications that your restructure will have on your network services.
Remote Access Service
Some of the concern with RAS in a Windows 2000 restructure is the default permission. In mixed mode, the default permission is to allow all authenticated users to access the RAS server; in native mode, the default is to deny that access. When you move users from an NT domain over to the native-mode Windows 2000 domain, you will need to reset the permissions for their accounts to permit dial-up access. You may also run into some SID issues as the accounts are transferred from the source domain into the target domain, but here again the SIDHistory feature should come to the rescue with the previous SID in hand.
Network Protocols
Windows 2000 supports all of the network protocols that NT does, and in fact includes newer versions with enhanced functionality. But the main concern in terms of network protocols is that you must use TCP/IP if you want to use Active Directory. Native Windows 2000 networks require TCP/IP for many of the new features in the operating system. But perhaps the greatest reason most companies will have for migrating to Windows 2000 is to use Active Directory to streamline their domains. This whole discussion of restructuring domains in Windows 2000 depends on having TCP/IP. OK, are you getting the point that TCP/IP will be important for your network? Good.
If you have applications or other network clients or servers that require other protocols, you may need to keep a mixed-protocol environment. But since most, if not all, network operating systems support TCP/IP today, this shouldn’t be too much of an issue.
Dynamic Host Configuration Protocol
The Dynamic Host Configuration Protocol (DHCP) provides dynamic IP addressing for clients that are configured to use the service. DHCP becomes more important in Windows 2000 since it works closely with the DNS server. When the DHCP service in Windows 2000 issues a lease to a client computer, it then enters the reverse lookup information for the client in the reverse lookup zone on the DNS server. The client will update its own DNS record with the DNS server. Now any client using that DNS server can obtain the name resolution for that dynamically addressed client.
The DHCP server can be configured to update both A and PTR records, which can be beneficial to networks having Windows computers that do not support Dynamic Update.
One significant change with DHCP in Windows 2000 is the requirement to “authorize” a server before it can begin to assign addresses. This requirement may help to prevent the appearance of rogue DHCP servers in a large network. Windows 2000 requires that an administrator authorize the DHCP service before it will actually issue any addresses.
EXERCISE 5.6 Authorizing the DHCP Service
To authorize the DHCP service, follow these steps:
1. Log on to the server (it’s usually best to log on at the server to be authorized) using an account with sufficient permissions to authorize the service, i.e., an Enterprise Administrator, unless the permission has been delegated.
2. After installing DHCP on your Windows 2000 Server, open the DHCP console by clicking Start > Programs > Administrative Tools > DHCP.
3. Expand the console tree to view the server name. Highlight the server to be authorized and select Authorize from the Action menu.
Windows 2000 will detect and, wherever possible, disable an unauthorized DHCP server on the network in an Active Directory environment. Your server must be either a member server or a domain controller before it can be authorized to act as a DHCP server in an Active Directory domain. Stand-alone servers will not be recognized for the DHCP service, as they have no status in the Directory.
The DHCP service in Windows 2000 uses the DHCPINFORM message to query any other DHCP servers on the local network. This special message type is new with Windows 2000. A DHCP client sends the DHCPINFORM message when it already has an address but is trying to discover more information about the server. The DHCP server sending the message collects the data from the other servers it discovers, including such items as the root of the domain or forest and the presence of Active Directory services. If the DHCP server finds these services, it will query the Directory to see if it is listed in the authorized DHCP server list. If so, the service initializes and begins serving addresses to DHCP clients. If the server’s entry is not found in the Directory, the DHCP service is stopped on the server that is making the query.
During a restructure of the network, you may also change the physical subnets. In this case, you will need to update the scopes in your DHCP servers to reflect the new distribution of addresses.
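Authorization stops a Windows 2000 DHCP server from handing out addresses, but it does nothing about a non-Windows box answering DHCPDISCOVER on the same segment, so it pays to look at what clients are actually being offered. The following script is an added example and not part of the book or of any Microsoft tool. It assumes a constructed authorized-server list (the values an administrator would have entered in the Directory), a constructed list of expected scopes for the restructured subnets, and constructed log lines in a simple one-line-per-message shape; it flags servers that answered clients without being authorized and offers that fall outside the expected scopes, which is what a stale scope looks like after the subnets have changed.

```python
"""Spot DHCP servers answering clients without being on the authorized list,
and offers that fall outside the scopes you expect after a subnet change.

Added example, not code from the book: the authorized-server list, the scope
list and the log lines are constructed stand-ins for what the Directory holds
and what a DHCP server log or a client-side capture would show."""
import re
from ipaddress import ip_address, ip_network

# Constructed: the servers an administrator has authorized in Active Directory.
AUTHORIZED_DHCP_SERVERS = {"10.1.0.10", "10.1.0.11"}

# Constructed: the address ranges the restructured subnets should hand out.
EXPECTED_SCOPES = [ip_network("10.1.4.0/24")]

# Constructed sample lines in a simple "<time> <message> server= client= yiaddr=" shape.
SAMPLE_LOG = """\
09:14:02 DHCPOFFER server=10.1.0.10 client=00-50-56-aa-01-01 yiaddr=10.1.4.20
09:14:02 DHCPOFFER server=10.1.9.77 client=00-50-56-aa-01-01 yiaddr=192.168.0.50
09:14:03 DHCPACK server=10.1.0.10 client=00-50-56-aa-01-01 yiaddr=10.1.4.20
09:15:40 DHCPOFFER server=10.1.0.11 client=00-50-56-aa-02-02 yiaddr=10.1.4.21
09:16:12 DHCPOFFER server=10.1.9.77 client=00-50-56-aa-03-03 yiaddr=192.168.0.51
09:17:00 DHCPOFFER server=10.1.0.11 client=00-50-56-aa-04-04 yiaddr=10.1.5.30
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<msg>DHCP\w+)\s+server=(?P<server>\S+)"
    r"\s+client=(?P<client>\S+)\s+yiaddr=(?P<yiaddr>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse cleanly."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    try:
        ip_address(rec["server"])
        ip_address(rec["yiaddr"])
    except ValueError:
        return None
    return rec


def find_rogue_servers(log_text, authorized):
    """Map each server that sent DHCPOFFER/DHCPACK without being authorized to
    what it did: message count, the clients it talked to, the addresses offered."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["msg"] not in ("DHCPOFFER", "DHCPACK"):
            continue
        if rec["server"] in authorized:
            continue
        entry = findings.setdefault(
            rec["server"], {"messages": 0, "clients": set(), "offered": set()}
        )
        entry["messages"] += 1
        entry["clients"].add(rec["client"])
        entry["offered"].add(rec["yiaddr"])
    return findings


def offers_outside_scopes(log_text, scopes):
    """List (server, offered address) pairs where the offer is not inside any
    expected scope; an authorized server showing up here usually means its
    scopes were not updated after the subnets changed."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["msg"] != "DHCPOFFER":
            continue
        addr = ip_address(rec["yiaddr"])
        if not any(addr in net for net in scopes):
            out.append((rec["server"], rec["yiaddr"]))
    return out


if __name__ == "__main__":
    for server, info in find_rogue_servers(SAMPLE_LOG, AUTHORIZED_DHCP_SERVERS).items():
        print(f"unauthorized DHCP server {server}: {info['messages']} messages, "
              f"{len(info['clients'])} clients, offered {sorted(info['offered'])}")
    for server, addr in offers_outside_scopes(SAMPLE_LOG, EXPECTED_SCOPES):
        print(f"offer outside expected scopes: {server} -> {addr}")
```

Run against the constructed log, the first function reports 10.1.9.77 as an unauthorized server that offered 192.168.0.x addresses to two clients, and the second lists those offers plus a 10.1.5.30 offer from the authorized server 10.1.0.11, which is the kind of entry that tells you a scope still reflects the old subnet layout.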
LAN Manager Replication
This area will be a concern during the restructure since Windows 2000 doesn’t use the LAN Manager replication (LMRepl) service. We used to call this “Directory Replication” in NT 4, but Windows 2000 is changing all of the terms around, so we can’t use that name anymore. Windows 2000 uses the File Replication Service (FRS) to move logon scripts and policy files between domain controllers and also to assist in the Active Directory replication.
You will very likely have to set up parallel replication systems between the domain controllers of the source domain and the domain controllers of the target domain to ensure that your users will have their files. Windows 2000 does not support LMRepl in native or mixed mode. Therefore, you need to set up a strategy for replication between the new FRS and LMRepl. The major difference between LMRepl and FRS is how they initiate replication. LMRepl uses one computer as an export server, with others acting as import computers. FRS uses the same replication mechanism as Active Directory, which allows for the use of multimaster replication. In order to continue replication in a mixed environment, designate one Windows 2000 Server as an export computer and import its replication information (scripts and policies) to the export NT computer. This is known as a “replication bridge.” Then the NT computer will export the desired information to other NT domain controllers. To achieve this 2000-to-NT replication, create a batch file that schedules the necessary copying. Microsoft has a sample batch file available for this purpose.
Windows Internet Name Service
The Windows Internet Name Service (WINS) provides NetBIOS name resolution in a dynamically assigned IP environment. This can be a very important function in a network that assigns client IP addresses through the use of the Dynamic Host Configuration Protocol (DHCP). The problem with WINS is that it has proven to be somewhat unreliable and often can be difficult to configure correctly. If you have one WINS server, it’s simple to install. Add the service and it starts working. In a larger environment, you need to have more than one WINS server, and that requires replication, which can introduce new hassles. Basically, WINS was a great idea, but its implementation left many professionals frustrated. Remember that a pure Windows 2000 environment doesn’t need WINS, since it doesn’t use NetBIOS naming. But if you will be running a mixed environment of Windows 2000 and NT or Windows 9x clients, you should consider running WINS on one or more of your Windows 2000 Servers. If the network will consist of only Windows 2000 Servers and clients, leave out WINS and reduce the associated NetBIOS traffic on your network. During the restructure of your network, you will likely still be using WINS to resolve NetBIOS names for your network clients. During the restructure, the WINS database will contain entries for all of the existing domains. If you configure the domain controllers of the target domain to use the WINS servers, then the new domains will begin to appear in the database as well, making it easier for users to find the new domain.
NetBIOS
NetBIOS is not required in a native-mode Windows 2000 network, though you may still need its services if you have applications that require it. Possibly you will have older network computers that still require NetBIOS, especially if any NT or Windows 9x computers are left on the network after the migration to Windows 2000. Client computers that are still using NetBIOS must have WINS present to provide NetBIOS-name-to-IP-address resolution, or they will have to be configured with an LMHosts file to provide that resolution.
Domain Name System
The Domain Name System (DNS) is absolutely required for a native Windows 2000 network to function. The domain functions and naming are built upon DNS. One of the new additions with DNS in Windows 2000 is the ability to make dynamic updates to the DNS servers. Because of this, name resolution using DNS can encompass every client in the network that receives its address through the Dynamic Host Configuration Protocol (DHCP). DHCP notifies the Windows 2000 DNS server to update the reverse lookup zone when it gives out an address lease, and the DNS server places the host and address information into its tables. The client computer is normally responsible for updating the forward lookup zone with its DHCP information.
DNS resolves hostnames to IP addresses. In the past with NT, this helped only when you were using commands that used sockets to communicate. With Windows 2000, however, DNS will be the primary method of resolving names to connect to other Windows 2000 computers. In addition, Windows 2000 doesn’t require NetBIOS support to communicate. DNS support for your Windows 2000 network also requires the presence of the new SRV (Service) record to identify the servers providing well-known services. An example of this would be the Kerberos servers providing the network logon authentication. This is the mechanism used in an Active Directory domain to locate domain servers and services. The latest versions of BIND (version 8.1.2 and later) also support the SRV record type as it is defined in RFC 2052. Microsoft recommends the use of BIND 8.2.2 if you decide to maintain Unix-based DNS solutions, as 8.2.2 is the current version and supports all of the necessary features for Active Directory. For the exam, you may face questions in which the version of BIND is important information. Use the following information to assist with your planning decisions:
BIND 4.9.6 added support for the SRV record type. SRV records are required by Windows 2000 to locate LDAP and Kerberos services used during logon to a domain.
BIND 8.1.2 added support for dynamic zone updates. Active Directory does not require this feature, but it does help your Windows 2000 domains to work more smoothly.
BIND 8.2.1 added support for incremental zone transfers (IXFR). This means that instead of replicating the entire zone database to a secondary server, only the changed records are transferred. This lowers the impact on network traffic due to zone transfers.
The DNS service in Windows 2000 includes support for all of these features. And while it is true that you can integrate Windows 2000 domains with existing non-Microsoft DNS solutions, Microsoft does seem to prefer that you implement their version of DNS instead. In many cases, I would agree that this would give you a better solution, but integrating with BIND does work just fine. BIND is a product of the Internet Software Consortium, and more information about integrating BIND and Windows 2000 can be found at their Web site at http://www.isc.org/products/BIND/. In a restructure, you may need to redefine your network’s DNS structure. This is especially true if the restructure is due to a merger or acquisition of another company with its own namespace. This is also true if you plan to use a different namespace within your organization—that is, if your Internet presence has a different namespace than your internal organization.
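If you do keep BIND, the practical check before a restructure is whether the zone really carries the SRV records domain logon depends on, and whether their targets resolve. The script below is an added example, not code from the book or from ISC. It assumes a constructed zone file for the hypothetical domain widgets.com written in the usual BIND text layout (RFC 2052 SRV syntax: priority, weight, port, target), requires only the two services the chapter names (LDAP and Kerberos over TCP), and also rates a BIND version string against the three thresholds listed above. It goes a little beyond the text by treating an SRV record whose target has no address record in the zone as a finding, since a client cannot use such a record.

```python
"""Check a BIND-style zone file for the SRV records a Windows 2000 domain needs
and rate a BIND version against the thresholds given in the text.

Added example, not code from the book. The zone text below is constructed for
the hypothetical domain widgets.com; SRV records follow the RFC 2052 layout
(_service._proto.name SRV priority weight port target)."""

# The two services the chapter names as required for domain logon.
REQUIRED_SRV = ("_ldap._tcp", "_kerberos._tcp")

# Minimum BIND versions for each feature, as listed in the text.
BIND_FEATURE_MIN = {"srv": (4, 9, 6), "dynamic_update": (8, 1, 2), "ixfr": (8, 2, 1)}

# Constructed zone: dc3 is deliberately missing its A record.
SAMPLE_ZONE = """\
$ORIGIN widgets.com.
$TTL 3600
@               IN SOA  dc1.widgets.com. hostmaster.widgets.com. ( 2000010101 3600 900 604800 3600 )
@               IN NS   dc1.widgets.com.
dc1             IN A    10.1.0.5
dc2             IN A    10.1.0.6
_ldap._tcp      IN SRV  0 100 389 dc1.widgets.com.
_ldap._tcp      IN SRV  0 100 389 dc2.widgets.com.
_kerberos._tcp  IN SRV  0 100 88  dc1.widgets.com.
_kerberos._tcp  IN SRV  0 100 88  dc3.widgets.com.   ; target has no address record
"""


def bind_features(version):
    """Return which of the listed features a BIND version string supports."""
    parts = tuple(int(p) for p in version.split("."))
    return {name: parts >= minimum for name, minimum in BIND_FEATURE_MIN.items()}


def _absolute(name, origin):
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (owner, type, rdata tokens) triples with owners made absolute.
    Handles $ORIGIN, the @ owner, inherited owners on indented lines, optional
    TTL/class fields and ; comments, which covers typical hand-written zones."""
    origin, last_owner, records = "", None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$"):          # other directives ($TTL) do not matter here
            continue
        tokens = line.split()
        owner = last_owner if line[0].isspace() else _absolute(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():
            tokens.pop(0)                 # explicit TTL
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)                 # class
        rtype = tokens.pop(0).upper()
        last_owner = owner
        records.append((owner, rtype, tokens))
    return records


def check_ad_srv(records, domain):
    """Report required SRV names that are missing and SRV targets that have no
    address record in the zone (a target a client cannot resolve is as bad as
    a missing record)."""
    domain = domain.lower()
    if not domain.endswith("."):
        domain += "."
    address_owners = {o for o, t, _ in records if t in ("A", "AAAA")}
    srv = {}
    for owner, rtype, rdata in records:
        if rtype == "SRV":
            srv.setdefault(owner, []).append(rdata)
    result = {"missing": [], "bad_targets": [], "found": {}}
    for prefix in REQUIRED_SRV:
        owner = f"{prefix}.{domain}"
        entries = srv.get(owner)
        if not entries:
            result["missing"].append(owner)
            continue
        parsed = []
        for rdata in entries:
            priority, weight, port, target = int(rdata[0]), int(rdata[1]), int(rdata[2]), rdata[3].lower()
            parsed.append({"priority": priority, "weight": weight, "port": port, "target": target})
            if target not in address_owners:
                result["bad_targets"].append((owner, target))
        result["found"][owner] = parsed
    return result


if __name__ == "__main__":
    report = check_ad_srv(parse_zone(SAMPLE_ZONE), "widgets.com")
    print("missing:", report["missing"])
    print("unresolvable targets:", report["bad_targets"])
    print("BIND 8.2.2:", bind_features("8.2.2"))
```

On the constructed zone nothing is missing, but the second Kerberos record points at dc3.widgets.com., which has no A record, and the script reports it; run it over a zone exported from your own BIND server before you start moving domain controllers around. Windows 2000 registers further SRV names beyond the two checked here, so extend REQUIRED_SRV to taste.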
Testing the Restructure
Testing the deployment, or in the case of this chapter, the restructure, will involve the activities of your users.
Microsoft Exam Objective
Evaluate the current environment. Perform test deployments of domain upgrades.
As the restructure progresses, pay attention to any difficulties reported by the pilot users who have already been moved to the new environment. They are the ones who will most likely experience problems. At each step of the restructure, you should perform tests to determine whether the security principals that are being moved to the target environment still have resource access. If these accounts can access everything they need without problems, then you’re probably doing all right. On the other hand, if they run into access-denied messages when trying to access the resources they need to do their jobs, then you must reexamine the trust relationships from the old resource domains to the new account domain. NETDOM will be a valuable tool during this phase of testing since it can be used within scripts to automate the process. NETDOM can examine the status of the trust relationships and help you to map them out to ensure that they meet the needs of your organization during the restructure.
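The reason a cloned account keeps getting through an ACL written in the old domain is that the token built at logon carries the old SIDs from SIDHistory alongside the new ones, so the old ACEs still match. The script below is an added example, not code from the book or from any Microsoft tool. It assumes constructed domain SIDs, accounts, a cloned group and a share ACL, and walks the ACL the way Windows evaluates it in general terms (ordered ACEs, a deny ACE failing the request when it covers a right not yet granted, allow ACEs accumulating rights). It goes slightly beyond the text with a small audit: during a restructure an account’s SIDHistory should contain only SIDs from the source domain, so anything else is listed for you to look into.

```python
"""Show how SIDHistory keeps an ACL written in the old domain working for a
migrated account, and audit SIDHistory for entries that do not come from the
source domain.

Added example, not code from the book: the domain SIDs, accounts, groups and
ACL are constructed; the access check follows the general shape of the
Windows ACL walk (ordered ACEs, deny ACEs checked as they are met)."""
from dataclasses import dataclass, field

READ, WRITE, DELETE = 0x1, 0x2, 0x4

# Constructed domain SIDs: the NT source domain and the Windows 2000 target.
SOURCE_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
TARGET_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"


@dataclass
class Principal:
    name: str
    sid: str                                          # SID in the target domain
    sid_history: list = field(default_factory=list)   # old SIDs carried over
    groups: list = field(default_factory=list)        # Principal objects

    def token_sids(self):
        """SIDs an access token built for this principal would carry: its own
        SID, its SIDHistory, and the same for every group it belongs to."""
        sids = {self.sid, *self.sid_history}
        for group in self.groups:
            sids |= group.token_sids()
        return sids


def check_access(principal, acl, requested):
    """Walk the ACL in order. A matching deny ACE that covers a right not yet
    granted fails the request; allow ACEs accumulate rights until every
    requested right is satisfied."""
    token = principal.token_sids()
    remaining = requested
    for kind, sid, mask in acl:
        if sid not in token:
            continue
        if kind == "deny" and mask & remaining:
            return False
        if kind == "allow":
            remaining &= ~mask
            if remaining == 0:
                return True
    return remaining == 0


def foreign_sid_history(principals, source_domain):
    """Names of principals whose SIDHistory holds a SID from some domain other
    than the one being migrated; during a restructure nothing else belongs there."""
    prefix = source_domain + "-"
    return sorted({p.name for p in principals
                   for old in p.sid_history if not old.startswith(prefix)})


# Constructed principals. "Sales" was cloned with ClonePrincipal (and so carries
# its old SID in SIDHistory); "Sales2" was simply re-created by hand.
SALES_CLONED = Principal("Sales", TARGET_DOMAIN + "-1120", sid_history=[SOURCE_DOMAIN + "-1120"])
SALES_RECREATED = Principal("Sales2", TARGET_DOMAIN + "-1121")
ALICE = Principal("alice", TARGET_DOMAIN + "-1105", sid_history=[SOURCE_DOMAIN + "-1105"], groups=[SALES_CLONED])
BOB = Principal("bob", TARGET_DOMAIN + "-1106", groups=[SALES_RECREATED])
CAROL = Principal("carol", TARGET_DOMAIN + "-1107",
                  sid_history=[SOURCE_DOMAIN + "-1107",
                               "S-1-5-21-7777777777-8888888888-9999999999-1050"],  # unrelated domain
                  groups=[SALES_CLONED])

# Constructed ACL on a share in the old resource domain, still keyed by old SIDs.
SHARE_ACL = [
    ("deny", SOURCE_DOMAIN + "-1107", WRITE),          # carol was made read-only
    ("allow", SOURCE_DOMAIN + "-1120", READ | WRITE),  # old Sales group
]

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(who.name, "read+write:", check_access(who, SHARE_ACL, READ | WRITE))
    print("SIDHistory entries from outside the source domain:",
          foreign_sid_history([ALICE, BOB, CAROL], SOURCE_DOMAIN))
```

alice gets read and write because the cloned Sales group still answers to its old SID; bob, whose group was re-created instead of cloned, is the access-denied call you will get from pilot users; carol can read but not write because the old deny ACE on her old SID still applies, and she is also the one the audit lists.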
Planning for Recovery
The same recovery planning you did for a migration will work for a restructure. Having a backup domain controller (BDC) held offline during the process gives you a way out if things go wrong.
Microsoft Exam Objective
Develop and deploy a recovery plan. Consider implications for Security Account Manager (SAM), WINS, DHCP, Windows 2000 DNS Server service, and existing DNS service.
Your recovery plans will vary based on the restructure type that you’ve chosen:
Post-upgrade restructure This type of restructure will require that some of the BDCs be held offline to provide a recovery path, since you are actually moving security principals from the source domain to the target domain.
Restructure instead of upgrade This is the easiest type to plan a recovery for, since the original production environment is left largely intact throughout the restructure. You are using a parallel domain structure in this method and cloning security principals from one to the other.
Post-migration restructure This type of restructure happens after the migration to Windows 2000 is complete, sometimes months or even years after. In this method, you will need to keep a domain controller offline during the restructure for a recovery path.
In a restructure from an NT environment to Windows 2000, the offline BDC will contain a current copy of the SAM database containing all of the user and group accounts. If you need to recover your network, bring this BDC back online and promote it to PDC, which will recover the accounts for that domain. If this BDC is also a WINS, DHCP, and DNS server, it will provide recovery paths for these services, too. Really, though, the DNS server is the only one of those three that I would care about recovering. The WINS server will regenerate its information as client computers log on to the network and register their services in WINS. The DHCP scopes are important to protect, but the database isn’t since you could require all clients on the network to reboot and acquire new leases from DHCP. See Chapter 3, “Preparing for the Migration,” for more information on recovery plans.
Take about 10 minutes to look over the information presented and then answer the questions at the end. In the testing room, you will have a limited amount of time; it is important that you learn to pick out the important information and ignore the “fluff.”
Background
Widgets, Inc. has decided to make the move to Windows 2000. Due to the critical nature of the network (and the fact that much of the current hardware is out of date), the design team decided to create a pristine Windows 2000 environment and move users from the current NT network to the new one at a slower pace. You have been given the assignment of planning those moves.
Current Environment
The current network supports 2700 users spread out over five locations. The domain structure follows the multimaster model, with two master domains and five resource domains. Widgets, Inc. has facilities in Orlando, Tampa, Ft. Lauderdale, Ft. Meyers, the corporate headquarters in Jacksonville, and a large sales office in Dallas. The two master domains are named M_Jack and M_Dallas. Each site is represented by a resource domain named with the following standard: R_<Site name>. The M_Jack domain has approximately 1500 user accounts, with the remainder defined in M_Dallas.
Pristine Environment
Based upon research and testing, Widgets, Inc. has decided to go with a two-domain design. The root domain is named Widgets.com (to match their registered Internet name), and the only child is named Dallas (for a full name of Dallas.Widgets.com). All resource domains will be absorbed into the two remaining domains.
Questions
1. Which of the existing domains do you suggest be migrated first?
A. M_Jack
B. M_Dallas
C. R_Jack
D. R_Dallas
2. Build a list: You have been given the task of creating a generic procedure for migrating an NT master domain into a Windows 2000 domain. On the following graphic, place the steps in the correct order.
Task
Clone shared local groups.
Move member servers.
Establish trusts.
Demote domain controllers.
Decommission remaining servers.
3. Build a list: You have been given the task of creating a generic procedure for migrating an NT resource domain into a Windows 2000 domain. On the following graphic, place the steps in the correct order.
Task
Decommission old domain.
Clone global groups.
Establish trusts.
Create Windows 2000 domain.
Clone users.
Answers
1. A. M_Jack contains the bulk of the user accounts for the Widget environment. Moving those users to the pristine environment first will get the majority of your users into the Windows 2000 system, allowing you to use the new features and benefits as quickly as possible.
2.
Task
Establish trusts.
Clone shared local groups.
Demote domain controllers.
Move member servers.
Decommission remaining servers.
1. Establish Trusts. Trusts are needed to maintain access to network resources during the migration.
2. Clone shared local groups. Use ClonePrincipal to ensure that resource access is maintained.
3. Demote domain controllers to member servers. Upgrade each domain controller in the old domain to Windows 2000 and demote them to prepare for the next step.
4. Move member servers. Move the member servers to the new domain.
5. Decommission remaining servers. All that should be left in the old domain are the remaining PDC and any servers that will not be making the move. For more details, see the text of Chapter 5.
3.
Task
Create Windows 2000 domain.
Establish trusts.
Clone global groups.
Clone users.
Decommission old domain.
1. Create a new Windows 2000 domain. This domain is the target for resources.
2. Establish trusts. Trusts between the sources and target domain will ensure resource access during the process.
3. Clone global groups. Use ClonePrincipal to ensure that resource access is maintained.
4. Clone users. Use ClonePrincipal to move users to the new domain.
5. Decommission old domain. Demote the old domain controllers and reallocate them. For more details, see the text of Chapter 5.
In this chapter, you learned how to perform a restructure of a network using Active Directory. You learned about planning for a network restructure in terms of current hardware, security, application compatibility, and network services. You saw how NETDOM and ClonePrincipal can be used in the restructure process to preserve account information. You also learned about the role that the new SIDHistory feature plays in preserving resource access during a restructure.
Key Terms
Before you take the exam, be sure you're familiar with the following terms:
Access Control List (ACL)
Active Directory Connector (ADC)
Bridgehead Servers
Connection Agreements
delegation of administration
granularity of administration
greater scalability
post-migration restructure
post-upgrade restructure
restructure instead of upgrade
security identifier (SID)
service account
SIDHistory
Review Questions

1. Your company has recently agreed to acquire another company. The new company has its own Internet namespace being used for its Windows 2000 network. Your company has recently migrated to Windows 2000 and is using its Internet name as the namespace for the forest. How can you integrate the two networks into one forest?
A. Upgrade and restructure
B. Restructure instead of upgrade
C. Post-migration restructure
D. Migration and restructure

2. You are planning to restructure your domains as part of your migration to Windows 2000, but your management is concerned about the downtime required to do this. They have set a goal of no downtime for the restructure phase. How can you perform the restructure, yet still provide an assurance of uptime for your management?
A. Use a post-upgrade restructure, and create a new Active Directory structure in parallel for the new domains.
B. Use a post-migration restructure, and create a new Active Directory structure in parallel for the new domains.
C. Connect your domains in series using trust relationships, then perform the restructure.
D. There is no way to guarantee that there won't be any downtime, since you must reboot all of the servers at once to complete the restructure.

3. You are preparing to complete a restructure instead of upgrade of your Windows NT 4 network while moving to Windows 2000. Using this method, which migration tool would let you move security principals without disturbing the original domain?
A. NETDOM
B. ClonePrincipal
C. CloneVB
D. ADMT

4. You are preparing to complete a restructure instead of upgrade of your Windows NT 4 network while moving to Windows 2000. Using this method, which migration tool would let you enumerate the existing trust relationships in your NT 4 network?
A. NETDOM
B. ClonePrincipal
C. CloneVB
D. ADMT

5. While you are planning your domain restructure, you decide to implement an empty root domain for your forest where you want to move all of the other domains. You are planning to install a Pentium II computer with 128MB of memory as the first domain controller in the root domain and then start the restructure. Why isn't this a good idea?
A. Intel processors aren't able to properly handle the load of a root domain controller. Use an AMD processor instead.
B. The first domain controller will have all five of the FSMO roles.
C. This configuration would actually be fine for the root domain controller.
D. The first domain controller should have at least 256MB of memory.

6. During the logon process on a Windows NT 3.51 computer, how are the SIDs evaluated for a user?
A. All SIDs for the user and every group the user belongs to are combined into the access token that grants the user access to resources.
B. Only the SIDs relative to the user, the user's account domain, and local groups on the domain controller performing the logon are processed.
C. Only the user's SID is placed into the access token.
D. Only the user's SID and the SID for the local groups on the computer performing the authentication are included in the access token.

7. When you move a security principal to a new domain during a restructure, a new security identifier is assigned to the account in its new location. What new feature of Windows 2000 makes it possible to maintain access to resources with this account even though the SID has been changed?
A. Active Directory
B. Microsoft Management Console
C. SIDHistory
D. ACLhistory

8. You are restructuring your Windows NT 4 domain to a Windows 2000 Active Directory environment. Today, you moved a set of 100 user accounts from the source domain to the target domain by exporting the accounts to a text file, then doing a bulk import of the accounts into the new domain. Later in the day, you receive phone calls from upset users telling you that they cannot access their resources. SIDHistory should have preserved their ability to access the files. Why did the access fail?
A. You did not use a Windows 2000 migration tool to move the accounts.
B. You did not reset their SIDHistory variable in the import process.
C. The import file was most likely corrupted during the transfer of the accounts.
D. You should have exported the accounts into a binary file, not a

9. You are performing a restructure of your NT 4 domain and have just completed moving a set of user accounts to the target domain. You test the success of the move and discover that none of the accounts can access resources in the old resource domain. What should you have done prior to moving the accounts to ensure that they would still have access to the resources?
A. You should have used a Windows 2000 migration tool.
B. You did not reset their SIDHistory variable in the import process.
C. You should have created the appropriate trust relationships between the resource domains and the new target domain.
D. You should have migrated the Primary Domain Controller of the resource domain prior to moving the user accounts.

10. You are attempting to determine the nature and number of trusts in your current domain. You want to use NETDOM for this task. If the domain name is Acct_Dom, the user name for the query is Administrator, and you want to be prompted for a password, what would you type at the command prompt?
A. NETDOM /Domain:Acct_Dom /Username:Administrator /PasswordD:*
B. NETDOM /Domain:Acct_Dom /UserD:Administrator /PasswordD:*
C. NETDOM /Domain:Acct_Dom /Username:Administrator /Password:*
D. NETDOM /Domain:Acct_Dom /UserD:Administrator /PasswordD:prompt

11. You are planning to restructure your Windows 2000 domains into a single domain. Your network is operating a time-critical application that will not allow for any downtime during the restructure. Which migration tool would be best suited to help with this restructure?
A. ADMT
B. Move Tree
C. ClonePrincipal
D. NETDOM

12. You have just completed your migration to Windows 2000. Your network is deployed across three different physical locations, each with its own domain, and these domains have been implemented as Active Directory sites. You are planning to use a third-party Web server and have just removed Internet Information Services from all of your domain controllers. Your sites can no longer replicate. Why not?
A. Active Directory depends on the presence of IIS to operate.
B. Intra-site replication depends on the HTTP service for transport.
C. Active Directory replication uses the FTP service in IIS for replication.
D. Inter-site replication depends on the SMTP service for transport.

13. You have recently completed the upgrade of your domain to Windows 2000. Your domain is running IPX/SPX as its exclusive network protocol. You want to install Active Directory, but the Install Wizard refuses to run. What is the problem?
A. You need to install the NetBEUI protocol.
B. You need to install the AppleLink protocol.
C. You need to install TCP/IP.
D. You need to install NetBIOS.

14. You are planning to migrate your Windows NT 4 network to Windows 2000. Your network currently uses a complete trust model with over 20 domains for the 10 physical locations in your company. There are nearly 5000 users on the network, and there is a newly established administration team in the main office. Management would like to have the administrator take centralized control of the network. Which type of migration should you choose?
A. Upgrade and restructure
B. Restructure instead of upgrade
C. Post-migration restructure
D. Migration and restructure

15. You work for a company with over 100,000 employees in a centralized campus. You currently have a Windows NT 4 network using a Multiple Master Domain model. Your proposed plan calls for streamlining this structure as much as possible. Which type of migration should you choose?
A. Upgrade and restructure
B. Restructure instead of upgrade
C. Post-migration restructure
D. Migration and restructure

16. You are in the process of restructuring your network after upgrading to Windows 2000. Which tool would you use to create new computer accounts in the target domain?
A. ADMT
B. Move Tree
C. ClonePrincipal
D. NETDOM

17. You are planning to migrate from Windows NT 4 to Windows 2000 using a restructure instead of upgrade method. What are the hardware requirements for the domain controllers in the source domain?
A. Pentium 166, 64MB RAM
B. 486DX, 16MB RAM
C. Pentium II, 128MB RAM
D. Dual AMD Athlon, 256MB RAM

18. On which computer should you install the Active Directory Connector?
A. The Exchange Server
B. The Windows 2000 Schema Master
C. Any Windows 2000 Server computer
D. The Windows 2000 PDC Emulator

19. What is the relationship between replication partners called in the ADC?
A. Replication Agreement
B. Connection Agreement
C. Replication Set
D. Connection Set

20. What are the servers called that define the endpoints of a Connection Agreement?
A. Replication Partners
B. Connection Endpoints
C. Bridgehead Servers
D. Primary Connectors
Answers to Review Questions

1. C. In this scenario, the two networks are already using Windows 2000. You can easily restructure by creating an empty root and moving the security principals to the new forest.

2. A. In a post-upgrade restructure, the restructure is part of the migration to Windows 2000 but is completed after the domains have been completely upgraded to Windows 2000 and switched to native mode. Using an empty target domain lets you move security principals by cloning them, leaving the production environment untouched until all accounts are ready to switch over to the new domain.

3. B. ClonePrincipal is a set of Visual Basic scripts that enable you to copy security principals from an NT or Windows 2000 domain to a Windows 2000 domain without disturbing the original environment.

4. A. NETDOM can be used to enumerate the existing trusts in an NT or Windows 2000 domain environment.

5. B. The first domain controller installed in a forest will have all five of the Flexible Single Master Operations roles by default. You should install at least two other domain controllers with this one and distribute the FSMO roles among them in order to even the load.

6. B. The SIDs for the user and for the global groups from the user's account domain, as well as any local groups from the computer performing the authentication, are included in the access token. This means that an NT 3.51 computer will not recognize any universal groups or global groups from other domains.

7. C. SIDHistory is a new feature of Active Directory that enables an access token to carry not only the user's current SID but also the previous SID assigned to the user. This permits resource access even though the SID has changed.

8. A. The migration tools provided with Windows 2000 or in the Resource Kit understand the SIDHistory feature and maintain the original SID during the transfer to a new location in the target domain. A text export and bulk import simply creates new accounts with new SIDs and an empty SIDHistory, so nothing in the users' tokens matches the old SIDs on the resource ACLs.
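The following Python model is added here as an illustration for answers 6 through 8; it is not part of the study guide and not a Microsoft tool. It shows why a text-file import breaks access while a SIDHistory-aware clone (ClonePrincipal or ADMT) keeps it. The domain SIDs, RIDs and the share ACL are constructed sample values; real tokens also carry well-known SIDs, and real DACL evaluation compares per-right access masks, both of which the model leaves out.

```python
"""Model of access-token construction with and without SIDHistory.
Added illustration for review answers 6 to 8; all SIDs are constructed."""
from dataclasses import dataclass, field


@dataclass
class Principal:
    """A user or group account. sid_history holds the SIDs the account
    had in the domain it was migrated from (the sIDHistory attribute)."""
    sid: str
    sid_history: list = field(default_factory=list)
    member_of: list = field(default_factory=list)   # group Principals


def build_token(user: Principal) -> set:
    """Collect the SIDs the logon process places in the access token:
    the user's SID, its SIDHistory, and the SID plus SIDHistory of every
    group it belongs to (cloning the groups is what preserves that part)."""
    sids = {user.sid, *user.sid_history}
    for group in user.member_of:
        sids.add(group.sid)
        sids.update(group.sid_history)
    return sids


def access_check(token: set, acl: list) -> bool:
    """acl is a list of (sid, 'allow' | 'deny') ACEs. In a canonically
    ordered DACL explicit denies come first, so a matching deny wins."""
    if any(sid in token for sid, kind in acl if kind == "deny"):
        return False
    return any(sid in token for sid, kind in acl if kind == "allow")


# Constructed sample: a user and a global group in the old NT account
# domain, and an ACL in the resource domain that names the OLD SIDs.
OLD_DOMAIN = "S-1-5-21-1111-2222-3333"   # hypothetical source domain SID
NEW_DOMAIN = "S-1-5-21-4444-5555-6666"   # hypothetical target domain SID
OLD_GROUP = Principal(sid=f"{OLD_DOMAIN}-1201")                 # "Payroll"
OLD_USER = Principal(sid=f"{OLD_DOMAIN}-1105", member_of=[OLD_GROUP])
SHARE_ACL = [(OLD_USER.sid, "allow"), (OLD_GROUP.sid, "allow")]


def clone_with_sidhistory(user: Principal, first_rid=2000) -> Principal:
    """What a SIDHistory-aware tool does: new SID in the target domain,
    old SID appended to sIDHistory, groups cloned the same way."""
    rids = iter(range(first_rid, first_rid + 1000))   # made-up RID pool
    new_groups = [
        Principal(sid=f"{NEW_DOMAIN}-{next(rids)}",
                  sid_history=[g.sid, *g.sid_history])
        for g in user.member_of
    ]
    return Principal(sid=f"{NEW_DOMAIN}-{next(rids)}",
                     sid_history=[user.sid, *user.sid_history],
                     member_of=new_groups)


def recreate_by_text_import(user: Principal, first_rid=3000) -> Principal:
    """What a text export and bulk import does (question 8): brand-new
    accounts and groups with fresh SIDs and no sIDHistory at all."""
    rids = iter(range(first_rid, first_rid + 1000))
    new_groups = [Principal(sid=f"{NEW_DOMAIN}-{next(rids)}")
                  for _ in user.member_of]
    return Principal(sid=f"{NEW_DOMAIN}-{next(rids)}", member_of=new_groups)


def access_before_migration() -> bool:
    return access_check(build_token(OLD_USER), SHARE_ACL)


def access_after_clone() -> bool:
    return access_check(build_token(clone_with_sidhistory(OLD_USER)), SHARE_ACL)


def access_after_text_import() -> bool:
    return access_check(build_token(recreate_by_text_import(OLD_USER)), SHARE_ACL)


if __name__ == "__main__":
    print("before migration        :", access_before_migration())
    print("cloned with SIDHistory  :", access_after_clone())
    print("recreated by text import:", access_after_text_import())
```

Run it and the cloned account still passes the old ACL because its token contains both the old user SID and the old group SID, while the imported account fails with no matching SID at all. The check after a real migration is the same idea: inspect the user's token (or its sIDHistory attribute) for the source-domain SIDs before telling users the move is complete.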
9. C. Establishing trust relationships between the resource domains and the new account domain will maintain the users' ability to access the resources.

10. B. NETDOM can be used to enumerate trusts for a given domain. To do this, use the /Domain switch to specify the domain to query, the /UserD switch to specify the user name, and the /PasswordD switch to specify the password. Placing an asterisk after the /PasswordD switch tells NETDOM to prompt you for the password. Note that the answer shows only the switches: the complete NETDOM 2.0 command line also has the QUERY verb before the switches and the TRUST object after them.

11. C. ClonePrincipal enables you to clone security principals to a new location without disrupting the original environment.

12. D. Inter-site replication between sites that hold different domains can use the SMTP service for its transport protocol, and that service is a component of IIS. Removing IIS removes the SMTP service and breaks the site links that depend on it.

13. C. Active Directory requires TCP/IP as its primary network protocol.

14. B. I would recommend using the restructure instead of upgrade method because the complete trust model is too ungainly for centralized administration. In addition, there aren't enough users to require more than one domain. Even if you decide to use one domain per location, you could still accomplish this using a single tree. It would be more efficient to build a parallel structure to migrate to and then decommission the old network.

15. A. First upgrade the existing domains to Windows 2000. Then restructure the network into a single domain.

16. D. NETDOM can do many things besides enumerating trusts. You can use this tool to create new computer accounts in the target domain.

17. B. In this scenario, your domain controllers in the source domain must be capable of running Windows NT 4. Answer B has the minimum hardware requirements for NT 4.

18. C. The Active Directory Connector can be installed on any Win-
Using Target Domains for Migration

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Create or configure the Windows 2000 target domain or domains.
Create appropriate trusts.
Create organizational units (OUs).
Implement a given site design.
Implement group policies.
Configure remote access functionality, networking protocols, DHCP, LAN Manager replication, WINS, NetBIOS, Windows 2000 DNS Server service, and existing DNS service.
Now you're ready to examine some hands-on methods for performing your migration. One of the tasks that I've referred to throughout this book has been the use of a target domain to aid in the migration. Let's take a look at what this really means. In this chapter, you will learn about creating a target domain for your migration. You'll learn how to establish trust relationships to maintain current resource access patterns for your users. We'll discuss how to create an appropriate structure within the target domain to hold your objects. You'll learn how to reapply policies to maintain your domain security during the migration. Finally, you will see how to reconfigure domain network services to provide connectivity during the migration.
Creating a Target Domain

Target domains are useful for migrations because they give you a chance to create a sensible domain structure. Earlier chapters in this book describe ways that target domains can be used for migrating to Windows 2000 or restructuring your existing domains after the migration. Essentially, a target domain is simply a place to move your security principals to when migrating or restructuring. When you look at it this way, it hardly seems like a big deal. However, there are a number of things that you will need to do to implement a target domain successfully.
Microsoft Exam Objective
Create or configure the Windows 2000 target domain or domains.
To create a target domain, you will need at least one computer to become a domain controller. When you decide to use a target domain, make certain you have planned your namespace and migration strategy carefully. Do I really need to say it again? Planning will save you a lot of time and effort in the long run. Make sure you know what the namespace should be for the target domain. Will this be a new root domain? Or will it be added to an existing forest?

In a perfect world, you would install several domain controllers to distribute the load for the target domain. In the real world, you may not have the servers available until you are at least partially through your migration. It is a good idea to make sure that the first domain controller has plenty of memory and processor power, because it will be holding all of the Operations Master roles for the new domain (and, if it is the first domain controller in a new forest, the forest-wide roles as well). Active Directory uses multi-master replication in both mixed and native mode, but for some functions there must be a single authority, and that authority is provided by the Operations Master roles. The Operations Masters are server roles that help an Active Directory network function. For example, the PDC Emulator (one of the roles) provides the services of a Primary Domain Controller to Windows NT backup domain controllers and to applications that require communication with an NT PDC. Placing all of the roles on the first domain controller in the forest can be a burden, so if possible install a couple more domain controllers and distribute the roles among them. Many companies view a migration as the perfect time to add servers to their network or to upgrade the type of servers being used. If this is true in your situation, you will most likely have some extra servers to work with.

EXERCISE 6.1
Creating a Target Domain
Follow these basic steps to create a target domain:
1. Install Windows 2000 Server on a suitable computer.
2. Use the Active Directory Wizard to install Active Directory and make the server the first domain controller in a new domain. Your migration plan will determine whether this domain is a new forest, a new tree, or a new domain in an existing forest.
4. Install additional servers if possible.
5. Create an appropriate Active Directory structure within the target domain. If you will need more than one target domain to establish your new network (such as when restructuring), you may need to duplicate these steps to create the full target environment.
6. Install the Windows Internet Name Service (WINS) in the target domain to assist computers in resolving NetBIOS names during the migration.
7. Establish trust relationships between the new domain and the existing resource domains so that as client computers are migrated to the target domain they will continue to have proper resource access.
8. Reestablish your System Policies using Group Policy Objects to maintain security after the move.
Following these steps will create a target domain. Creating a full target environment just involves repeating these steps with each new domain, though instead of creating a new forest or tree when installing Active Directory, you will be joining the existing target environment.
Using Trusts

Trust relationships were always one of my least favorite areas when learning Windows NT. Now, however, years of experience have made them second nature. With Windows 2000, trusts are changing from what we've become comfortable with in the past. Fortunately for those of us who've had trouble with trusts, Windows 2000 creates the trusts within a forest automatically: every parent-child and tree-root trust is two-way and transitive, so any domain in the forest trusts every other domain in it. But what about trusts between your existing network and the target domain? Those are NT-style trusts, one-way and non-transitive, and this is an area where you will still need to establish trust relationships manually.
Microsoft Exam Objective
Create or configure the Windows 2000 target domain or domains.
Create appropriate trusts.
A trust is a secure channel of communication between domains. Without these lines of communication in an NT network, you wouldn't be able to scale the network beyond the 40,000-account limitation of a single Windows NT domain. Trusts let you assign permissions to accounts from another domain so those accounts can access resources in your domain. Logically, it's as if the account is traveling across the trust. In reality this doesn't happen, but it's still a useful image. The direction matters: the domain holding the resources is the trusting domain, and the domain holding the accounts is the trusted domain. A trust between an NT domain and a Windows 2000 domain is one-way and non-transitive, so a resource domain that trusts the forest root does not thereby trust the root's child domains; each resource domain needs its own trust to the domain where the accounts will actually live.

If your existing network is using either a Single Master or Multiple Master Domain model, your users are most likely using resources located on servers in the resource domains. During your migration or restructure, you will need to ensure that the users still have this access. The solution is to create trust relationships from the existing resource domains to the new root domain (assuming that the user accounts will be moving to the root domain). If the accounts will be moving to a domain other than the root, create the trusts from the resource domains to that new domain (where the accounts will be located). Figure 6.1 describes this process.
FIGURE 6.1
To create trusts in Windows 2000, you have a couple of options. You can use the NETDOM utility from the command prompt, or you can use the Active Directory Domains and Trusts console. We'll explore NETDOM more fully in Chapter 7, "Migration Tools," but for now let's take a look at how to create trust relationships with Active Directory Domains and Trusts. ADDT provides a nice graphical user interface (GUI) for the creation of trusts.

EXERCISE 6.2
Creating a Trust Using the Active Directory Domains and Trusts Console
To create a trust using the Active Directory Domains and Trusts console, follow these steps:
1. Open the Active Directory Domains and Trusts console by clicking Start > Run and typing mmc /a. Click the Console menu and use the Add/Remove Snap-In command to add Active Directory Domains and Trusts. The window should look like the following graphic.
2. Expand the console tree for Active Directory Domains and Trusts to display the domains in your Active Directory structure.
3. Right-click the target domain and select Properties from the context menu.
4. Click the Trusts tab. It should look something like the following graphic.
5. Click the Add button beside the Domains That Trust This Domain list, and type in the NetBIOS name of the resource domain. The dialog also asks for a trust password. This password is the shared secret that both sides use to establish the trust, not an extra layer of protection, so choose a strong value and be ready to enter exactly the same value on the NT side in step 9.
6. Click OK to apply this change. You can add more than one trust at a time using the same steps.
7. In the NT resource domain, open User Manager for Domains and click the Policies menu.
8. Click Trust Relationships.
9. Click the Add button beside Trusted Domains and type in the name of the target domain. Enter the same password you provided in step 5. Click OK to attempt to complete the trust.
When creating trusts between NT and Windows 2000, the NT domain must have a way to resolve the NetBIOS name of the target domain to its domain controllers. This may be an LMHOSTS entry for a domain controller of the target domain tagged with #DOM:targetdomain (and #PRE so it is preloaded), or a static entry in the WINS server's database. Without it, step 9 fails because no domain controller for the target domain can be located, which looks like a trust failure but is really a name-resolution problem.
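To make the direction and transitivity rules concrete, here is a small Python model of trust evaluation, added as an example for this section and Exercise 6.2 (it is not from the study guide and not a Microsoft tool). It uses the domain names from the Widgets, Inc. case study; the trust list is constructed, and the rule it implements (a non-transitive trust counts only as a direct hop, while every hop of a longer chain must be transitive) is the Windows 2000 behaviour described above.

```python
"""Which accounts will a domain accept over its trusts? Added model for
the trust discussion; the trust list below is constructed sample data."""
from collections import deque


class TrustMap:
    """Directed trusts recorded as trusting_domain -> trusted_domain.
    Accounts 'travel' from the trusted domain into the trusting domain."""

    def __init__(self):
        self._trusts = {}   # trusting -> {trusted: is_transitive}

    def add_trust(self, trusting, trusted, *, transitive, two_way=False):
        """Record one trust. A trust to or from an NT 4 domain is one-way
        and non-transitive, so callers pass transitive=False for those."""
        self._trusts.setdefault(trusting, {})[trusted] = transitive
        if two_way:
            self._trusts.setdefault(trusted, {})[trusting] = transitive

    def add_forest_link(self, parent, child):
        """Parent/child and tree-root trusts inside a Windows 2000 forest
        are created automatically and are two-way and transitive."""
        self.add_trust(parent, child, transitive=True, two_way=True)

    def accepts_accounts_from(self, resource_domain, account_domain):
        """True when principals from account_domain can be granted access
        in resource_domain. A non-transitive trust counts only as a direct
        hop; every hop of a longer chain must be transitive."""
        if resource_domain == account_domain:
            return True
        direct = self._trusts.get(resource_domain, {})
        if account_domain in direct:
            return True
        seen = {resource_domain}
        queue = deque(d for d, transitive in direct.items() if transitive)
        while queue:
            domain = queue.popleft()
            if domain in seen:
                continue
            seen.add(domain)
            for nxt, transitive in self._trusts.get(domain, {}).items():
                if not transitive:
                    continue
                if nxt == account_domain:
                    return True
                queue.append(nxt)
        return False


def missing_trusts(trust_map, resource_domains, account_domain):
    """Resource domains that still cannot see accounts in account_domain:
    the check to run before moving users (compare review question 9)."""
    return [d for d in resource_domains
            if not trust_map.accepts_accounts_from(d, account_domain)]


def widgets_trusts():
    """Constructed state after Exercise 6.2 has been run once, for R_JACK
    against the root only: the forest link exists, R_JACK trusts
    widgets.com, and nothing has been done yet for R_DALLAS."""
    tm = TrustMap()
    tm.add_forest_link("widgets.com", "dallas.widgets.com")
    tm.add_trust("R_JACK", "widgets.com", transitive=False)
    return tm


if __name__ == "__main__":
    tm = widgets_trusts()
    print(tm.accepts_accounts_from("R_JACK", "widgets.com"))         # root accounts reach R_JACK
    print(tm.accepts_accounts_from("R_JACK", "dallas.widgets.com"))  # child accounts do not
    print(missing_trusts(tm, ["R_JACK", "R_DALLAS"], "dallas.widgets.com"))
```

The second check is the one that surprises people: R_JACK trusts the root, and the root trusts its child, but the NT-style trust is not transitive, so accounts moved into dallas.widgets.com still cannot reach R_JACK until a trust from R_JACK to dallas.widgets.com is added. Running missing_trusts against every resource domain and every target domain that will receive accounts before the first account moves avoids the scenario in review question 9.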
Now let's see how to customize the Microsoft Management Console (MMC).

EXERCISE 6.3
Customizing the Microsoft Management Console
In this exercise, you will add the Active Directory Domains and Trusts snap-in to an empty MMC console. You can use this technique to create a customized administration tool that includes all of the tools you most commonly use.
1. Click Start > Run, and type in mmc /a. This opens an empty MMC in author mode (meaning that you can change it).
2. Click the Console menu, and select Add/Remove Snap-In.
3. The Add/Remove Snap-In dialog contains a list of the currently installed snap-ins for this MMC. Click the Add button.
4. The Add Standalone Snap-In dialog opens. This dialog contains a list of all of the available snap-ins on the computer. Scroll down the list and select Active Directory Domains And Trusts. Click Add, and then click the Close button.
5. Click OK to close the Add/Remove Snap-In dialog. You can repeat these procedures to add as many snap-ins as you want to your custom console. When you are satisfied with the console, click the Console menu and select Save to save your customized MMC. You may choose to save it to your Desktop, so that all you have to do to open this console is double-click its icon on your Desktop.
Creating Organizational Units

Your target domain may be used in the restructuring process, as outlined in Chapter 5, "Restructuring Your Network." If this is the case, then you might be planning to collapse a large domain model into a single target domain with multiple organizational units (OUs). An OU is a sub-container of a domain and can be used to create an administrative hierarchy within a single domain. OUs enable you to apply a logical structure within your target domain to receive users, groups, and computers.
Microsoft Exam Objective
Create or configure the Windows 2000 target domain or domains.
Create organizational units (OUs).
As an example, our fictitious company, Coolcompany Inc., is restructuring from a Master Domain model to a single Windows 2000 domain. Your company wants to maintain the current administration units within the new network. To accomplish this, you have already established the target domain, which is the root and only domain in the coolcompany.local namespace, and now you need to create OUs to map the existing domains to. Figure 6.2 shows your plan.
FIGURE 6.2 Planning to restructure into a single Windows 2000 domain. (The figure maps IT, Sales, and Accounting in the original domain structure to an IT OU, a Sales OU, and an Accounting OU in the target domain.)
When you perform your restructure, you will be using one of the methods described in Chapter 5 to move security principals from their existing locations to the appropriate OU in the target domain. Alternatively, you could simply move all of the security principals to the default containers in the target domain and then after the move divide them into OUs.

EXERCISE 6.4
Creating an Organizational Unit in a Target Domain To create an organizational unit in your target domain, use the following steps:
1. Open Active Directory Users and Computers by clicking Start > Programs > Administrative Tools > Active Directory Users And Computers.
2. Expand the console tree for your target domain.
3. Right-click your target domain and select New > Organizational Unit from the context menu. This opens the following graphic.
4. Type in the name of the new OU, and click OK to save it and return to the Active Directory Users and Computers console.
Creating OUs is actually very simple. It's the planning portion that is more difficult. You can create single OUs off the root of your domain, or you can nest them within other OUs, whichever seems most appropriate for your network's needs. You can create an OU only inside a valid container, which can be a domain or an OU. If you plan on nesting OUs, Microsoft recommends going no more than four layers deep. Notice in Figure 6.3 that the Users container has a different icon than the Domain Controllers container. This is because the Domain Controllers container is an OU, and the Users container is not. The distinction matters for security: Group Policy Objects can be linked only to sites, domains, and OUs, so accounts left in the Users and Computers containers receive only the domain-level policy and cannot be delegated or controlled separately from the rest of the domain. Typically, you will create your OUs off the root of the domain and not within the built-in containers, so this shouldn't become an issue.
FIGURE 6.3 The Active Directory Users and Computers console contains both OUs and built-in containers.
As an illustration of these points, let's look again at our fictitious company, Coolcompany Inc. For this example, let's say it has three physical locations, Boston, Seattle, and Dallas, with a domain in each. We'll make Seattle the headquarters, and Boston and Dallas are each semi-autonomous operations. Where the physical locations are roughly equal in importance, it might be politically unwise to pick one of them to be the root domain and the others to be child domains. With this in mind, you decide to create a single Windows 2000 domain and will create separate OUs for each of the physical locations. Using this plan, you create a single domain, coolcompany.local, and create a Seattle OU to contain the Seattle accounts, a Boston OU for the Boston accounts, and a Dallas OU for the Dallas accounts. You could then use either ClonePrincipal or the Active Directory Migration Tool (ADMT) to move the user accounts to the appropriate OU, and there you are. These tools are covered in depth in Chapter 7.
Creating Sites

Many companies today operate across multiple physical locations with wide area network (WAN) links to connect the locations. In this scenario, it is useful to create Active Directory sites to help optimize the traffic across those WAN links. In Active Directory terms, a site is one or more well-connected TCP/IP subnets, defined to control the replication topology and to let clients find domain controllers and services close to them. In this definition, well-connected means fast and reliable connections. A dial-up modem link would not be considered well-connected, but a T1 would.
Microsoft Exam Objective
Create or configure the Windows 2000 target domain or domains.
Implement a given site design.
It's easy to create sites in Active Directory, but there are some planning issues to consider first. Sites are often used to assist in building a more efficient replication topology. Remember that every domain controller must eventually receive every change to the partitions it holds, and if all of that replication had to cross WAN links it could cause problems. With sites, replication occurs locally, and you can schedule when replication happens across the WAN link. The transport protocols available for inter-site replication are Remote Procedure Calls (RPCs) over TCP/IP and the Simple Mail Transfer Protocol (SMTP). RPCs enable fast, synchronous replication, while SMTP provides asynchronous replication that is often more efficient across slow or unreliable connections. Replication links can be scheduled, and the interval at which replication occurs between sites can be configured. SMTP comes with two restrictions, though. Because SMTP itself carries messages in the clear, Windows 2000 signs and encrypts replication mail with certificates, so an enterprise certification authority must be available before SMTP replication will work. And SMTP can carry only the schema, configuration, and global catalog partitions, never a domain's own partition, so it is usable only between sites that hold different domains.
On the exam, Microsoft typically refers to RPCs over TCP/IP as simply “IP replication.” They assume that you know what they mean.
EXERCISE 6.5
Creating a Site To create a new site for your forest, follow these steps:
1. Open Active Directory Sites and Services by clicking Start > Programs > Administrative Tools > Active Directory Sites And Services. The console shown in the following graphic opens.
2. Expand the console tree to display the Sites container. Right-click the Sites container and select New Site from the context menu. The dialog shown in the following graphic opens.
3. Type in the name of the new site, and click OK to apply the new site.
So, now you've created a new site. That was easy, but there is one other thing we really should take care of while you're in this console. Active Directory enables you to assign specific IP subnets to your sites. If you do this, a domain controller promoted with an address in one of those subnets is placed in that site automatically, and clients with an address in the subnet are directed to domain controllers in that site. For example, if SiteA has the assigned subnet of 10.5.0.0/16, and you create a new server with the IP address of 10.5.0.36, that server will automatically be made a member of SiteA. If two subnet objects overlap, the more specific one (the longer prefix) wins, and an address that falls in no subnet object at all gets no site affinity, so check the subnet list against your actual address plan before you start moving computers.
Windows 2000 uses a different format for describing IP subnets. Instead of the IP address and the explicit subnet mask, you will now see the IP address followed by the number of bits used for the mask, which is Classless Inter-Domain Routing (CIDR) notation. For example, instead of writing 10.1.0.0 with a mask of 255.255.0.0, you would write this subnet address as 10.1.0.0/16. This format is used by most Unix systems including Linux, and it marks Microsoft's effort to become more standardized in its IP networking. Get used to this format, as all of the Windows 2000 exams use it.
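As an added example (not from the study guide and not a Microsoft tool), the following Python uses the standard ipaddress module to reproduce the subnet-to-site lookup, including the most-specific-subnet rule and the conversion from a dotted mask to the prefix-length form. The site names and subnets are constructed for the coolcompany.local scenario; the DallasLab subnet is there only to show an overlap.

```python
"""Subnet-to-site assignment with longest-prefix matching, in the
prefix-length notation Windows 2000 uses. Added example; the site
design below is constructed sample data."""
import ipaddress

# Constructed site design: one /16 per location plus a more specific
# lab subnet carved out of the Dallas range.
SITE_SUBNETS = {
    "Seattle": ["10.2.0.0/16"],
    "Boston": ["10.1.0.0/16"],
    "Dallas": ["10.3.0.0/16"],
    "SiteA": ["10.5.0.0/16"],
    "DallasLab": ["10.3.8.0/24"],    # overlaps 10.3.0.0/16
}


def cidr_notation(network: str, mask: str) -> str:
    """Convert an 'address plus dotted mask' pair to 'address/prefix'."""
    return str(ipaddress.ip_network(f"{network}/{mask}", strict=False))


def site_for_address(address: str, site_subnets=SITE_SUBNETS):
    """Return the site whose subnet object most specifically contains
    address, or None when no subnet object covers it."""
    ip = ipaddress.ip_address(address)
    best_net, best_site = None, None
    for site, subnets in site_subnets.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr, strict=False)
            if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_site = net, site
    return best_site


def unmapped_hosts(addresses, site_subnets=SITE_SUBNETS):
    """Addresses that fall in no site subnet. Such hosts get no site
    affinity, so site-based domain controller selection does nothing
    for them; list them before migrating computers."""
    return [a for a in addresses if site_for_address(a, site_subnets) is None]


if __name__ == "__main__":
    print(cidr_notation("10.1.0.0", "255.255.0.0"))   # 10.1.0.0/16
    print(site_for_address("10.5.0.36"))              # SiteA
    print(site_for_address("10.3.8.17"))              # DallasLab, not Dallas
    print(unmapped_hosts(["10.2.1.1", "172.16.0.5"])) # ['172.16.0.5']
```

The overlap case is the one worth keeping in mind: an address in 10.3.8.0/24 lands in DallasLab even though it is also inside 10.3.0.0/16, because the longer prefix is the more specific match.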
Going back to the example I made earlier with coolcompany.local and the three locations in Seattle, Boston, and Dallas, we could take the solution a little further by creating sites for each of the physical locations. You could then assign the IP subnets for the sites so that any computers installed will automatically be assigned to the correct site based on the IP address they are configured with. The user accounts are organized into OUs and are still available at any one of the sites.
Reapplying Policies and Rights

If your NT network has been using System Policy and logon scripts for assigning security to your users, you will need to maintain this functionality during and after the migration to Windows 2000. This includes creating the same effect in your target domain. Windows 2000 uses Group Policy Objects (GPOs) to assign security to objects in the Active Directory. To maintain your network security during a migration or restructure, you will need to properly assign GPOs to the target domain or OUs.
Microsoft Exam Objective
Create or configure the Windows 2000 target domain or domains.
I found when I started working with Windows 2000 Server that the best way for me to learn Group Policy was to experiment. The online Help for Windows 2000 Server has a lot of valuable information on Group Policy and will be a good resource to study before taking the exam. As I stated in the opening of this section, Group Policy is assigned through the use of a GPO. This object contains all of the policy settings that you define. The GPO is then linked to a specific container. GPOs can be used for distributing software and controlling the change management of that software, they can be used for assigning user rights, and they take the place of the System Policy from NT. Group Policy is an improvement over System Policy in that System Policy could be difficult (or impossible) to undo when you wanted to change the settings. Group Policy can be easily assigned, changed, and even removed from the Registry. In Windows 2000, when you remove or change an existing policy, the settings are actually removed from the Registry correctly, as opposed to the method that NT used. NT was notorious for leaving System Policy settings in the Registry after they had been removed. As an example of two policies that should be implemented in your network with System Policy, let’s use the policy to not display the last logged-on user name and the policy to display a logon banner in the following exercise. In System Policy Editor in NT 4, you would set these policies under the Default Computer Policy Windows NT System options, and you would check Logon Banner and Do Not Display Last Logged On User Name. For the Logon Banner settings, you would also define the text to display for both the title bar and the content of the banner window.
EXERCISE 6.6
Implementing Group Policies
To accomplish the same policies on Windows 2000 in your target domain, do the following:
1. Open Active Directory Users and Computers by clicking Start Programs Administrative Tools Active Directory Users And Computers.
2. Right-click the container for which you want to create a GPO. This can be a domain, a site, or an OU. Select Properties from the context menu.
3. Click the Group Policy tab.
4. Click the New button to create a new GPO. Type in the name for the new GPO and press Enter. The dialog should now look something like the following graphic.
5. Highlight the new GPO and click the Edit button. This will open a new Group Policy console, as shown in the next graphic.
6. To edit the policies used for our example, expand Computer Configuration Windows Settings Security Settings Local Policies Security Options.
7. Double-click Do Not Display Last User Name In Logon Screen to open the Security Policy Setting dialog, and place a check mark in the Define This Policy Setting checkbox. Click the Enabled radio button, and then click OK to return to the Group Policy console. The Security Policy Setting dialog can be seen in the following graphic.
8. Double-click Message Text For Users Attempting To Log On to open the Security Policy Setting dialog for this setting. Check the Define This Policy Setting checkbox and enter the message you want to display in the text box provided. Click OK when you are satisfied with the message.
9. Repeat the last step for the Message Title For Users Attempting To Logon policy setting, and enter the text you want to appear in the title bar of the logon banner window. Click OK to save the setting.
10. Close the Group Policy console to return to the Group Policy tab of the container Properties dialog. Highlight the new GPO and click the Add button.
11. Click the Links tab. Use the drop-down list box to display the name of the target domain, and then click Find Now. This will display the list of containers to which you can link this GPO. Highlight the container that you want to link this GPO to, and then click OK.
12. Click Close on the container’s Properties dialog. You’ve just assigned a GPO to a container in your target domain!
Configuring Network Services
Remember that when you’re using a target domain, you are trying to maintain users’ access abilities during the migration and/or restructure. To accomplish this, you must configure some of your network services to provide access for users who are being transitioned from their old domain to the target environment. In the following sections, we will examine these requirements for each of the major network services that will be affected by the move.
Microsoft Exam Objective
Create or configure the Windows 2000 target domain or domains.
Configure remote access functionality, networking protocols, DHCP, LAN Manager replication, WINS, NetBIOS, Windows 2000 DNS Server service, and existing DNS service.
The network services affected by a migration or restructure will vary from network to network, but these sections cover the principal issues that will be covered on the exam.
Configuring RAS In Windows NT, the only permission you could set on the Remote Access Service (RAS) was to grant or deny dial-up permission through User Manager for Domains or the RAS Administration Tool. Windows 2000 has this ability but also adds Remote Access Policies for additional security control. RAS gives you the ability to provide dial-up service to your remote clients and provides only basic security; RAS depends on the operating system to provide security. That’s where the Remote Access Policies come in. Windows 2000 provides sophisticated security for RAS through the use of Remote Access Policies, which can define a person’s ability to access the RAS server and the network beyond. RAS policies are available only when running in native mode. Both the Routing and Remote Access Service (RRAS) and the Internet Authentication Service use Remote Access Policies to determine whether they should accept connection attempts. Remote Access Policies are used to authenticate connections on a per-call basis. In order for a user to be granted dial-up access to a Windows 2000 Server, they must first have the dial-up permission granted in their user account, and then they must meet at least one of the Remote Access Policies defined for that RRAS server. If these conditions are met, the user will be granted access.
Remote Access Policies are always stored locally on the RRAS server and not elsewhere in the domain or in Active Directory.
EXERCISE 6.7
Creating or Modifying Remote Access Policies
To create or modify Remote Access Policies, use these steps:
1. Open Routing and Remote Access by clicking Start Programs Administrative Tools Routing And Remote Access.
2. If this is the first time you’ve opened this console, you will need to activate RRAS. To do this, right-click your server name in the left pane of Routing and Remote Access, and select Configure And Enable Routing And Remote Access. If a domain controller is present on the network, RRAS will attempt to register itself in the Active Directory. The window should look like the following graphic.
3. Click Remote Access Policies to view the currently installed policies. By default, there is only one policy defined, and that is Allow Access If Dial-in Permission Is Enabled.
4. Double-click the policy to open the Settings dialog for this policy. Notice that the default schedule is to allow 24x7 access, but that the default action is to deny access. This configuration means that even if your account has been granted dial-in permission, you will be denied access by default. The Settings dialog is shown in the following graphic. Note that this is different from Windows NT, which gave users dial-in access as soon as their account was granted the permission. Windows 2000 provides this additional step as an increased security measure.
5. For the purpose of your target domain, you will most likely want to change the radio button to Grant Remote Access Permission if you still want to control RAS access through the account permissions as users are moved to the target environment.
Take a look at the other possible settings while you’re examining the Remote Access Policies. You can set policies to control individual user access through RRAS, control the time of day that they can log on, and even set the amount of time that they can be connected. During the migration or restructure, the most important aspect of RAS is to continue to provide the same level of access that users currently have.
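The two-step decision described in this section (account dial-in permission first, then a matching Remote Access Policy) is easy to get wrong during a migration, because the one policy that ships by default keeps its 24x7 schedule and its deny action. The following is an added example, not from the book or from Microsoft, that models that decision in Python so you can see which combination of account flag, policy order, and policy action actually lets a call through. The accounts, the Sales group, and the business-hours policy are constructed; policies are tried in order and the first one whose conditions match decides the call, which is the evaluation order this model assumes.

```python
"""Added example (not from the book): a model of how a Windows 2000 RRAS
server decides a dial-in attempt, following the rule stated in the section:
the account must have dial-in permission, then a Remote Access Policy must
match, and that policy's grant/deny action decides the call.

User accounts and policies are constructed. The shipped default policy
("Allow Access If Dial-in Permission Is Enabled") keeps its 24x7 schedule and
deny action from Exercise 6.7, step 4."""
from dataclasses import dataclass, field


@dataclass
class RemoteAccessPolicy:
    name: str
    grant: bool                               # True = Grant Remote Access Permission
    hours: range = range(0, 24)               # day-and-time condition: allowed hours
    groups: set = field(default_factory=set)  # empty set = any user matches

    def matches(self, user: dict, hour: int) -> bool:
        """Every condition of the policy must hold for this call to match it."""
        if hour not in self.hours:
            return False
        if self.groups and not (self.groups & user["groups"]):
            return False
        return True


# The only policy installed by default: schedule 24x7, action deny.
DEFAULT_POLICY = RemoteAccessPolicy("Allow Access If Dial-in Permission Is Enabled", grant=False)

# Constructed policies an administrator might place ahead of the default one.
GRANT_ALL_POLICY = RemoteAccessPolicy("Grant if dial-in permission", grant=True)
BUSINESS_HOURS_POLICY = RemoteAccessPolicy(
    "Sales staff, business hours only", grant=True, hours=range(8, 18), groups={"Sales"})

# Constructed accounts; dial_in is the flag set in Active Directory Users and Computers.
ALICE = {"name": "alice", "dial_in": True, "groups": {"Domain Users", "Sales"}}
BOB = {"name": "bob", "dial_in": False, "groups": {"Domain Users"}}
CAROL = {"name": "carol", "dial_in": True, "groups": {"Domain Users"}}


def dial_in_allowed(user: dict, policies: list, hour: int) -> tuple:
    """Return (allowed, reason) for one connection attempt at the given hour.

    Step 1: the account itself must be granted dial-in permission.
    Step 2: policies are tried in order; the first whose conditions match
            decides with its action. No match at all means the call is refused.
    """
    if not user["dial_in"]:
        return False, "account has no dial-in permission"
    for policy in policies:
        if policy.matches(user, hour):
            verdict = "granted" if policy.grant else "denied"
            return policy.grant, f"{verdict} by policy '{policy.name}'"
    return False, "no Remote Access Policy matched"


if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(who["name"], dial_in_allowed(who, [BUSINESS_HOURS_POLICY, DEFAULT_POLICY], 10))
```

The first assertion below is the migration trap from step 4 of Exercise 6.7: a user who had dial-up permission in NT and keeps it in the target domain is still refused by the untouched default policy.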
Configuring Protocols Network protocols are somewhat simpler in Windows 2000: You must have the Transmission Control Protocol/Internet Protocol (TCP/IP). TCP/IP is the industry-standard suite of protocols that powers the Internet and is the most widely adopted set of protocols in networking today. If you are going to use Active Directory, you need to install and configure TCP/IP, as all of the services supporting Active Directory require TCP/IP to communicate. Of course, you can still use other protocols on your servers and client computers if you wish, but the servers need TCP/IP. Most networks that I have worked with in the last couple of years have been running TCP/IP exclusively, but this may not be the case on your network. If not, then you will want to either convert the entire network to TCP/IP or install it on the servers alone. When configuring TCP/IP, consider things like subnetting, routing, and Internet access. Will you be taking advantage of the new features of TCP/IP networking in Windows 2000, such as IPSec? If so, then you will need to have a plan of action for the implementation.
Configuring DHCP The Dynamic Host Configuration Protocol (DHCP) is an important part of your network services in most networks. DHCP can be implemented on an NT Server, a Windows 2000 Server, a server running another operating system such as Linux or Unix, or even a router. Whichever method you choose, you should implement a DHCP server that supports the Dynamic DNS Update functions. The Domain Name System (DNS) resolves Internet host and domain names to IP addresses. Windows 2000 uses DNS almost exclusively for name resolution. DHCP plays a part in supporting the Dynamic DNS service found on Windows 2000 by reporting the inverse lookup (PTR) record for a client computer to the DNS server when the client obtains its address lease. The client will then notify the DNS server (if the client understands Dynamic DNS Update) of its forward lookup information. If the client operating system doesn’t support Dynamic DNS Update, then the DHCP server should be configured to inform the DNS server of both the forward and reverse lookup information.
EXERCISE 6.8
Configuring DHCP to Support Dynamic DNS Updates
To enable the Windows 2000 DHCP server to support Dynamic DNS updates for all clients, use these steps:
1. Open the DHCP console by clicking Start Programs Administrative Tools DHCP.
2. Right-click the entry for your DHCP server name in the right pane, and select Properties from the context menu.
3. Click the DNS tab to open the dialog shown in the graphic below.
4. The default setting of Automatically Update DHCP Client Information In DNS should be checked. Click the second radio button under it to Always Update DNS.
5. Place a check in the box for Enable Updates For DNS Clients That Do Not Support Dynamic Update. This will cause the DHCP server to provide all dynamic information to the DNS server for every client that gets an address from it.
6. Click the OK button to apply the changes and exit the Properties dialog.
The other major consideration for Microsoft DHCP servers is that they must be authorized in Active Directory before they can issue any client address leases. Windows 2000 uses the DHCP_INFORM packet to query DHCP servers for information. If the server is not listed in Active Directory, the local Windows 2000 Server will tell that DHCP service to stop. What this means is that if you fail to authorize your DHCP servers, no one will get addresses from them. To authorize your Microsoft Windows 2000 DHCP server, right-click the server name in the left pane of the DHCP console, and select Authorize from the context menu.
Configuring Directory Replication Windows 2000 does not support the Directory Replication service in NT, also known as LAN Manager Replication. Windows 2000 uses a service called the File Replication Service (FRS) to accomplish all replication. Every Windows 2000 domain controller has a folder called Sysvol, for System Volume. The Sysvol contains replicated information that is shared among all domain controllers. Unlike NT’s LAN Manager Replication, in which any NT computer could act as an import computer, only domain controllers can participate in FRS. Because the two services are incompatible, you will need to plan a way to support both during the move to the target environment. Your target domain is most likely going to be a native-mode Windows 2000 environment, and if so you will be using the FRS exclusively. If this is the case, then you need to use the appropriate scripts to convert your logon scripts from NT to Windows 2000 capabilities through the use of Group Policy. But if your replication is being used to move data files from one location to another, or if you need to maintain a mixed environment of Windows 2000 and NT computers participating in replication, then you need to form a replication bridge. To assist with this process, Microsoft recommends creating a batch file called L-bridge.cmd to copy the contents of one folder to another, which can then be scheduled to run at regular intervals. First of all, determine which NT Server is the export server and which Windows 2000 domain controller will push files to that server. You would then use a batch file containing something similar to the following:
Xcopy \\coolcompany.local\SYSVOL\coolcompany.local\scripts \\Server5\Export\Scripts /s /D
The /s switch tells Xcopy to copy all subfolders unless they are empty, and the /D switch tells it to copy only new files. This helps to create a current image and to optimize the process by copying only new files and not overwriting existing files. A sample of an L-bridge.cmd file is included on the Windows 2000 Server Resource Kit CD-ROM.
As an alternative to Xcopy, Microsoft has provided a utility called ROBOCOPY. ROBOCOPY’s biggest asset is its ability to synchronize folders automatically.
Microsoft recommends that you disable the Directory Replication service prior to upgrading a server to Windows 2000, so that there won’t be any legacy services once the upgrade is complete.
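To show exactly what the L-bridge.cmd Xcopy line does on each scheduled run, here is an added example, not from the book and not Microsoft’s Resource Kit file, that implements the same replication bridge in Python: walk the source tree, skip empty subfolders (the /s behaviour), and copy only files that are newer than the copy already in the export folder (the /D behaviour). The Sysvol-style scripts tree that demo() builds lives in a temporary directory and is constructed for the example; the two-second timestamp tolerance is an assumption that mirrors FAT time resolution.

```python
"""Added example (not from the book): a replication bridge in Python that does
what the L-bridge.cmd Xcopy line does. It walks the source tree, never creates
empty subfolders (Xcopy /s) and copies only files newer than the copy already
in the export folder (Xcopy /D with no date). The paths demo() builds are
constructed in a temporary directory."""
import os
import shutil
import tempfile

# Assumption: timestamps within two seconds count as equal (FAT resolution).
TIME_SLACK = 2.0


def bridge(source: str, export: str) -> list:
    """Copy newer files from source into export; return the relative paths copied."""
    copied = []
    for root, _dirs, files in os.walk(source):
        rel = os.path.relpath(root, source)
        target_dir = export if rel == "." else os.path.join(export, rel)
        for name in sorted(files):                  # empty folders never get created (/s)
            src = os.path.join(root, name)
            dst = os.path.join(target_dir, name)
            if os.path.exists(dst) and os.path.getmtime(src) - os.path.getmtime(dst) <= TIME_SLACK:
                continue                            # destination is as new as the source (/D)
            os.makedirs(target_dir, exist_ok=True)
            shutil.copy2(src, dst)                  # copy2 keeps mtime so the next run skips it
            rel_name = name if rel == "." else f"{rel}/{name}"
            copied.append(rel_name.replace(os.sep, "/"))
    return copied


def demo() -> dict:
    """Build a constructed scripts tree, run the bridge three times, report what moved."""
    with tempfile.TemporaryDirectory() as tmp:
        sysvol = os.path.join(tmp, "sysvol", "scripts")   # stands in for the Sysvol scripts folder
        export = os.path.join(tmp, "export", "scripts")   # stands in for the NT export folder
        os.makedirs(os.path.join(sysvol, "dept"))
        os.makedirs(os.path.join(sysvol, "empty"))        # must not appear in export
        with open(os.path.join(sysvol, "logon.bat"), "w") as f:
            f.write("net use H: \\\\server5\\home\n")
        with open(os.path.join(sysvol, "dept", "sales.bat"), "w") as f:
            f.write("net use S: \\\\server5\\sales\n")
        first = bridge(sysvol, export)       # everything is new: both scripts copied
        second = bridge(sysvol, export)      # nothing changed: nothing copied
        script = os.path.join(sysvol, "logon.bat")
        with open(script, "a") as f:         # edit one script and move its clock forward
            f.write("net use P: \\\\server5\\public\n")
        later = os.path.getmtime(script) + 60
        os.utime(script, (later, later))
        third = bridge(sysvol, export)       # only the edited script is copied again
        return {
            "first": sorted(first),
            "second": second,
            "third": third,
            "empty_dir_exported": os.path.isdir(os.path.join(export, "empty")),
        }


if __name__ == "__main__":
    print(demo())
```

Because copy2 preserves the source timestamp, a scheduled run that finds nothing newer copies nothing, which is the property that keeps a frequently scheduled bridge cheap.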
Configuring WINS and NetBIOS One of the things I’ve been looking forward to most with Windows 2000 has been the opportunity to remove NetBIOS services from my network. Windows 2000 requires NetBIOS only for its clustering service. NetBIOS isn’t needed at all for a pure Windows 2000 environment, though you should carefully check to see if you are using any network applications that require the presence of NetBIOS. Also be aware that if you wish to restrict users to specific workstations, you will be required to keep the NetBIOS service. The Windows Internet Name Service (WINS) provides a method of NetBIOS-name-to-IP-address resolution for client computers that have been dynamically addressed through DHCP. WINS also helps clients to browse a multiple-segment network by storing browse information for different domains. These services are most likely in use on your current NT network, especially if you have Windows 9x clients. WINS also serves one more purpose that Dynamic DNS doesn’t—WINS prevents duplicate computer names on the network. DDNS doesn’t care if two computers with the same name are on the same network. When configuring your target environment, you should still be using NetBIOS and WINS to support client computers and users who are being moved to the new domain. WINS in particular will assist network clients to access existing resources in NT domains. NT networks use NetBIOS names to communicate with each other. Maintaining that support is easy in Windows 2000 and will help your users make a smoother transition. When everyone has been migrated to the target environment, and all services and applications are running fine, you can consider disabling NetBIOS and WINS in your network. There is also another possibility for reducing the use of NetBIOS over your Windows 2000 network: The DHCP server in Windows 2000 provides the advanced option to disable NetBIOS services for all Windows 2000 computers that receive an IP address from that DHCP server. You would find this option under the properties for the Server Options in the DHCP console.
Configuring Third-Party DNS Many organizations are using Unix servers to provide their DNS services and plan to continue doing so after they migrate to Windows 2000. While there are definite benefits to using the DNS server in Windows 2000, there is absolutely nothing wrong with using a third-party DNS server. Remember, though, that Active Directory really wants to have the dynamic update capability (defined in RFC 2136) in DNS and requires support for the new SRV record type for services. Fortunately for you Unix fans out there, the latest versions of BIND (versions 8.1.2 and higher) are capable of supporting dynamic updates and the SRV record type. This means that you can successfully integrate Unix computers running BIND into your Windows 2000 environment.
For test purposes, BIND version 8.1.2 is sufficient to support a Windows 2000 domain. However, you should strongly consider using the most current BIND version available.
The only difficulty I have encountered with this plan is supporting the special sub-domains that Windows 2000 uses for Active Directory. The problem arises from the use of the underscore (_) character in the name of the subdomain. The sub-domains are named as follows:
_msdcs Contains information to assist Active Directory servers in locating other domain controllers.
_sites Contains sub-domains for each site in Active Directory.
_tcp Maintains SRV records for TCP-specific services.
_udp Contains, you guessed it, SRV records for UDP-specific services.
Together these sub-domains support the DNS functions of Active Directory and are crucial to its successful operation. The Internet Software Consortium (ISC) maintains all development for BIND and has a wonderful set of documentation discussing the configuration of BIND on their Web site. The Frequently Asked Questions (FAQ) pages in particular are useful in resolving this issue with Windows 2000. ISC recommends that these subdomains that are required by Active Directory be created as separate zones and that the default name-checking value be set to ignore the name of the zone. To accomplish this, you can place code similar to the following in your /etc/named.conf file:
zone "_msdcs.sprockets.local" {
    type master;
    file "_msdcs.sprockets.db";
    check-names ignore;
    allow-update { localnets; };
};
This code identifies the name of the new zone as _msdcs.sprockets.local and that it is a master (primary) zone. The file statement identifies the actual file containing the zone information as _msdcs.sprockets.db. Check-names ignore turns off the default name-checking behavior for this zone, and allow-update tells the server to accept dynamic updates for this zone. For more information, consult ISC’s Web site at http://www.isc.org/products/BIND/. To migrate your third-party DNS servers to Windows 2000 DNS servers, install Windows 2000 and configure the DNS server service with a secondary zone. Once the zone has been transferred, you can reconfigure the secondary zone as a primary zone and redistribute DNS replication as needed.
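Before pointing a new Windows 2000 domain at a BIND server, it is worth checking the named.conf for all four underscore zones at once rather than eyeballing them. The following is an added example, not from the book, ISC, or Microsoft: a small Python parser for zone { ... } stanzas and a checker that confirms each of _msdcs, _sites, _tcp and _udp under the Active Directory domain has its own zone with check-names ignore and an allow-update clause. It also flags an allow-update of localnets or any, since that lets every host on those networks rewrite the SRV records the domain controllers depend on; an explicit list of domain controller addresses is the safer setting. SAMPLE_CONF, the sprockets.local name carried over from the text, and the 10.1.0.x addresses are constructed, with deliberate gaps for the checker to find.

```python
"""Added example (not from the book): check a BIND named.conf for the zone
stanzas the section says Active Directory needs. SAMPLE_CONF is constructed,
with an over-broad allow-update, a missing check-names, and a missing zone."""
import re

AD_SUBDOMAINS = ("_msdcs", "_sites", "_tcp", "_udp")

SAMPLE_CONF = '''
options {
    directory "/var/named";
};

zone "sprockets.local" {
    type master;
    file "sprockets.db";
    allow-update { 10.1.0.10; 10.1.0.11; };
};

zone "_msdcs.sprockets.local" {
    type master;
    file "_msdcs.sprockets.db";
    check-names ignore;
    allow-update { localnets; };
};

zone "_sites.sprockets.local" {
    type master;
    file "_sites.sprockets.db";
    check-names ignore;
    allow-update { 10.1.0.10; 10.1.0.11; };
};

zone "_tcp.sprockets.local" {
    type master;
    file "_tcp.sprockets.db";
    allow-update { 10.1.0.10; 10.1.0.11; };
};
'''

ZONE_HEAD = re.compile(r'zone\s+"([^"]+)"[^{]*\{')
OPTION = re.compile(r'([\w-]+)\s+(\{[^}]*\}|[^;{}]+)\s*;')


def parse_zones(conf: str) -> dict:
    """Return {zone_name: {option: value}}; brace-list values become Python lists."""
    zones = {}
    for head in ZONE_HEAD.finditer(conf):
        depth, i = 1, head.end()
        while depth:                       # walk to the brace that closes this zone
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = conf[head.end():i - 1]
        opts = {}
        for key, value in OPTION.findall(body):
            value = value.strip()
            if value.startswith("{"):
                value = [v.strip() for v in value.strip("{}").split(";") if v.strip()]
            else:
                value = value.strip('"')
            opts[key] = value
        zones[head.group(1)] = opts
    return zones


def check_ad_zones(conf: str, ad_domain: str) -> list:
    """Findings, in AD_SUBDOMAINS order, for the four underscore zones of ad_domain."""
    zones = parse_zones(conf)
    findings = []
    for sub in AD_SUBDOMAINS:
        name = f"{sub}.{ad_domain}"
        zone = zones.get(name)
        if zone is None:
            findings.append(f"{name}: missing zone; Active Directory registrations for it will fail")
            continue
        if zone.get("check-names") != "ignore":
            findings.append(f"{name}: check-names ignore is required because of the underscore")
        updaters = zone.get("allow-update", [])
        if not updaters:
            findings.append(f"{name}: no allow-update, so dynamic registration is refused")
        elif any(u in ("any", "localnets") for u in updaters):
            findings.append(f"{name}: allow-update {{ {'; '.join(updaters)}; }} lets any host on "
                            "those networks rewrite SRV records; list the DC addresses instead")
    return findings


if __name__ == "__main__":
    for finding in check_ad_zones(SAMPLE_CONF, "sprockets.local"):
        print(finding)
```

Feed it the real named.conf with the domain name you will use; an empty findings list means the four zones are present with the settings the text calls for and with updates limited to named hosts.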
Migration Strategy You work for a large network integration firm. Your internal design consultants have determined that the best way to upgrade to Windows 2000 is to create a pristine environment and then move users and resources into it in an orderly manner. You have been given the task of creating a checklist for field technicians that they can use to ensure that all necessary steps have been taken. Things to consider:
What hardware is necessary for the first Windows 2000 domain controller?
Should additional domain controllers be mandated in the pristine environment?
What trusts need to be established during the migration period?
Is WINS necessary and, if so, how should it be configured?
Is the client using Windows 2000–based DNS, and if not, is their current DNS service adequate?
Summary
In this chapter, you learned how to create and configure a target domain for use in migrating or restructuring to Windows 2000. You then learned about trusts and how to create organizational units and sites in Active Directory to give your target environment structure. Later in the chapter, we discussed how to convert System Policies from NT to Group Policy in Windows 2000. Last, we examined how to configure your network protocols and services for the target environment. Those services include RAS, DHCP, Replication, WINS, and DNS.
Key Terms
Before you take the exam, be sure you’re familiar with the following terms:
File Replication Service
Group Policy Objects
L-bridge.cmd
linked
organizational unit (OU)
Remote Access Policies
Remote Access Service
Remote Procedure Calls
Simple Mail Transport Protocol
sites
target domains
Transmission Control Protocol/Internet Protocol
trust relationships
wide area network (WAN)
Review Questions
1. When is it useful to create a target domain? (Choose all that apply.)
A. For use in restructuring a network
B. When changing the name of a Windows 2000 network
C. When migrating to Windows 2000
D. To support your Unix servers
2. Why is it a good idea to install additional domain controllers in the target domain before migrating/restructuring?
A. To distribute the WINS load.
B. To distribute the FSMO roles.
C. It’s always a good idea to have backup domain controllers in a domain.
D. To establish Active Directory replication.
3. Your network currently uses Unix servers running BIND version 4.9.7. You are planning to migrate to Windows 2000 and are concerned about compatibility. What must you do to support Windows 2000? (Choose all that apply.)
A. Reinstall all of those Unix servers with Windows 2000.
B. Upgrade to BIND version 8.1.2 or higher.
C. Use the Unix servers as secondary or caching DNS servers.
D. Place all of the Unix servers on their own subnet.
4. You are creating a target domain for use while migrating your network from NT 4 to Windows 2000. You are concerned about maintaining resource access for your users. What should you do to ensure that migrated users would have proper resource access during the migration to the target domain?
A. Create explicit trusts from the resource domains to the target domain.
B. Create explicit trusts from the target domain to the resource domains.
C. Create implicit trusts from the root domain to the target domain.
D. Create a transitive trust between the target domain and the NT 4 account domain.
5. You are migrating your network from NT 4 to Windows 2000. You want to implement dial-in policies for users that are accessing the network remotely. What must you do to enable Remote Access Policies on your network?
A. Grant users dial-in access.
B. Enable Remote Access Policies in Active Directory Users and Computers.
C. Convert the domain to native mode.
D. Convert the domain to mixed mode.
6. What service does Windows 2000 use to replicate files and Active Directory information between servers?
A. LMRepl
B. EFS
C. Dfs
D. FRS
7. You are upgrading your Windows NT domain to Windows 2000. The security specialist at your company is concerned that the security policies applied in Windows NT will not be carried over to Windows 2000. What can you say to make the security specialist less concerned?
A. Nothing. Windows 2000 does not provide the same level of security through policies as Windows NT did.
B. You can convert your Windows NT System Policies to Windows 2000 Group Policies through the use of POLEDIT.
C. Windows 2000 provides Group Policies that can enforce the desired security settings.
D. Windows 2000 provides System Policies as well, which can enforce the desired security settings.
8. You are tired of opening and closing all of the different Active Directory consoles to administer your Windows 2000 domain. You would like to customize the Microsoft Management Console to hold all of the snap-ins that you commonly use. What command will enable you to do this?
A. mmc /change
B. mmc /custom
C. mmc /c
D. mmc /a
9. You are trying to create a Group Policy Object for the Users container in Active Directory Users and Computers. When you open the Properties for the Users container, there is no Group Policy tab. Why not?
A. The Users container is not an OU.
B. The Users container must first be set to author mode.
C. You don’t have permission to create a GPO.
D. You should be using the Active Directory Group Policy console
10. You are migrating from NT 4 to Windows 2000. You have a number of users with dial-up permission that allows them to access a RAS server from home. When you migrate to Windows 2000, what will their default RAS access be?
A. They will be set to Access Controlled by Remote Access Policies.
B. They will be set to Deny Access.
C. They will be granted access by default.
D. The users with dial-up permission in their user accounts will have access, but no one else will.
11. You are planning to migrate your network to Windows 2000. Your network is currently using the NetBEUI protocol. What must you do before you can install Windows 2000?
A. Install TCP/IP.
B. Remove NetBEUI.
C. Install a routable protocol.
D. Do nothing.
12. You are planning to migrate your network to Windows 2000. Your network is currently using the NetBEUI protocol. What must you do before you can install Active Directory?
A. Install TCP/IP.
B. Remove NetBEUI.
C. Install a routable protocol.
D. Do nothing.
13. Windows 2000 Active Directory requires the presence of what type of resource record in a DNS server?
A. SERV
B. CNAME
C. SRV
D. DYNAMIC
14. You have created three sites for your single domain network. You are trying to configure inter-site replication to use asynchronous SMTP transports for replication, but you cannot. Why not?
A. You should be using POP3 instead.
B. You don’t have the Internet Information Services installed to provide SMTP.
C. SMTP is used only for intra-site replication.
D. You have domain controllers for a single domain in all of the sites.
15. You have just upgraded your primary domain controller to Windows 2000. The PDC was configured to be an export server for Directory Replication. You notice that since the upgrade was completed, the logon scripts aren’t being replicated. Why not?
A. Windows 2000 can only be an import server for Directory Replication.
B. The Directory Replication service is not supported on Windows 2000.
C. Directory Replication must first be authorized in Active Directory.
D. You must restart the Directory Replication service after the upgrade.
16. When a client receives an address lease from DHCP in Windows 2000, how is the DNS server updated? (Choose all that apply.)
A. The client updates the forward lookup zone.
B. The client updates the inverse lookup zone.
C. The DHCP server updates the forward lookup zone.
D. The DHCP server updates the inverse lookup zone.
17. You are migrating from NT to Windows 2000 and are trying to create a process to help Directory Replication and FRS coexist. What file should you use to assist with this process?
A. LM-bridge.bat
B. L-bridge.bat
C. L-bridge.cmd
D. LM-bridge.cmd
18. What purpose does the Windows Internet Name Service (WINS) play in Active Directory?
A. It resolves the NetBIOS names of the domain controllers for replication.
B. None at all.
C. It provides hostname resolution for domain controllers.
D. It enables client computers to find the domain controllers.
19. Which administrative tool should you use to create an OU in your target domain?
A. Active Directory Sites and Services
B. Active Directory Organizational Units
C. Active Directory Users and Computers
D. Active Directory Domains and Trusts
20. Why is it useful to assign IP subnets to your sites?
A. It helps to be more organized.
B. Sites can only contain a single subnet.
C. Any new computer you install will automatically be assigned to a site based on its IP address.
D. If you assign the subnets to a site, you will be able to use SMTP for
Answers to Review Questions
1. A and C. Target domains are useful for either restructuring or migrating to Windows 2000, as they give you a place to move your security principals to.
2. B. By default, the first Windows 2000 domain controller in an Active Directory network will have all five of the Operations Master roles. It’s a good idea to distribute this load for better performance during the restructure or migration.
3. B or C. Upgrading to BIND 8.1.2 or later would be the preferred alternative for most organizations, though you could easily delegate these servers to a secondary or caching server role.
4. A. Creating trust relationships so that the resource domains trust the target domain will ensure that any security principal moved to the target domain will still be able to access resources in the resource domains.
5. C. Remote Access Policies are available only in domains running in native mode.
6. D. LMRepl is the replication service used by Windows NT and is not supported by Windows 2000. EFS and Dfs, while supported by Windows 2000, do not specifically deal with Active Directory replication. The only correct answer is FRS, or the File Replication Service.
7. C. Windows 2000 replaced the antiquated System Policy structure with Group Policies. Group Policies are more easily applied and removed than System Policies and offer a wider variety of security options.
8. D. mmc /a will open an empty console in author mode, which will enable you to add and remove snap-ins to create a customized console tool.
9. A. GPOs can only be assigned to domains, sites, or OUs. The Users
10. B. The default combination of permissions in Remote Access Policy is to permit 24x7 access, but also to deny access. The effective permission is Deny Access by default for all users.
11. D. In this case, doing nothing is correct. You can install Windows 2000 on a network that is using NetBEUI.
12. A. Active Directory requires the presence of the TCP/IP protocol suite in order to install or function.
13. C. The SRV resource record is a service locator and is used by Windows 2000 to locate various network services such as Kerberos.
14. D. You must have IIS installed to make SMTP available for replication in your domain.
15. B. The Directory Replication service has been replaced by the File Replication Service and is not supported on Windows 2000.
16. A and D. The dynamic update process default behavior is for the DHCP server to update the inverse lookup zone and the client to update the forward lookup zone.
17. C. Microsoft recommends the use of a script by the name of L-bridge.cmd for the purpose of copying files from the Sysvol folder on the Windows 2000 domain controller to the Export folder on the NT computer.
18. B. Windows 2000 doesn’t require the presence of NetBIOS and does not use WINS for name resolution.
19. C. You would use Active Directory Users and Computers to create OUs within a domain.
20. C. When IP subnets are assigned to specific sites, new computers will be automatically placed in the sites based on their IP address.
Migration Tools
MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Select and configure tools, including ADMT, ClonePrincipal, MoveTree, NETDOM, and the Windows 2000 Resource Kit tools.
Migrate global groups and user accounts.
Migrate local groups and computer accounts.
Troubleshoot tool issues for domain restructures. Considerations include ADMT, ClonePrincipal, NETDOM, MoveTree, and Windows 2000 Resource Kit tools.
Perform post-migration tasks.
So after all this talk about planning for your migration, you’re probably still wondering how to use some of those neat tools. Fret no longer! This is the chapter you’ve been waiting for. In this chapter, you will learn how to install and configure the migration tools for Windows 2000. You will also learn how to troubleshoot problems that may arise while using these tools. The migration tools play a vital part in your migration—and in some cases, even restructuring your network. You will need to be very familiar with them before using them in a production environment. You will also need to be familiar with them to pass the exam.
Selecting the Right Tools for the Job
You could choose a number of tools for the job of migrating your network to Windows 2000, but then again, you knew I’d say that. Microsoft has provided some tools with the Windows 2000 CD-ROM, and more are available on Microsoft’s Web site for free download. There will also likely be many more tools available from third-party software vendors over the coming months that will enhance the planning and testing of your domain migration, so watch for those. For the exam, Microsoft wants you to be aware of some of the key tools that they provide, such as Active Directory Migration Tool, ClonePrincipal, MoveTree, and NETDOM. In this chapter, we’ll take a closer look at these tools and show how they can be used to migrate to Active Directory.
In an effort to get you better acquainted with the tools, we will review their specifications one by one, discuss how to use them alone as well as in different settings, and then move into the last section and tackle troubleshooting.
Microsoft Exam Objective
Select and configure tools, including ADMT, ClonePrincipal, MoveTree, NETDOM, and the Windows 2000 Resource Kit tools.
While reviewing this next section, it’s important to pay attention not only to how to configure these tools but also to all of their components. It’s critical that you know the tools as well as how to configure them. Passing the exam is only the first step to real-life application and migration.
Active Directory Migration Tool (ADMT)
Heads up! This topic may be one that causes a lot of problems on the exam. The exam objectives call for knowledge about Active Directory Migration Tool (ADMT), but the normal courseware and self-study guides offered by Microsoft don’t cover the tool. ADMT is a Microsoft Management Console (MMC) composed of several wizards to help you migrate information from an NT 4 or earlier domain to your Windows 2000 Active Directory domain. The opening window of ADMT is shown in Figure 7.1. This tool can be a great help in a complex move, but it has some difficulties of its own. The online help for ADMT is fairly complete, but I found that I had to read between the lines in order to solve some of the problems that I encountered when using the tool for the first time.
The ADMT wizards perform most of the work associated with the actual migration from your source domain to the new Windows 2000 environment. The wizards include the following:
User Migration Wizard: This wizard migrates user accounts from the source domain to the target domain. It can move a single account or a large number of accounts at once. The User Migration Wizard includes options to rename accounts for easy identification after the migration or to assist with preventing name conflicts.
Group Migration Wizard: As the name implies, this wizard migrates groups from the source domain to the target domain. Note that it will not migrate the built-in group accounts, since this would cause a Security Identifier (SID) conflict. Built-in accounts have the same SID on all domains, so the ADMT wizards will ignore these accounts.
Computer Migration Wizard: This wizard moves the existing NT computer accounts from the source domain to the target domain.
Security Translation Wizard: This wizard translates the existing security policies for the source domain into the format used by Windows 2000 and migrates them to the target domain.
Reporting Wizard: The Reporting Wizard includes several options for creating reports that aid in planning the real migration. Options include a report on potential name conflicts, expired computer accounts, and accounts that can be safely migrated.
Service Account Migration Wizard: This wizard migrates any accounts used for services. An example of this would be the user account that SQL Server uses to communicate with other SQL Servers for replication.
Exchange Directory Migration Wizard: This wizard aids in bringing accounts from Exchange Server into Active Directory. The Exchange Directory can be used to populate your Active Directory if you so desire, though this may not be the best way to fill your Directory since the Exchange Directory won’t have the same properties for the accounts.
Undo Wizard: This is great! It’s like an eraser for a migration. The Undo Wizard will attempt to undo a migration action. If it can, it will move accounts back to the source domain.
Retry Tasks Wizard: So you accidentally exited out of a wizard before it had a chance to complete its work? This wizard will attempt to complete the tasks that were cancelled. If this doesn’t work, perhaps you will want to consider the Undo Wizard.
Trust Migration Wizard: This wizard migrates existing trusts to the target domain. This is really useful when migrating an NT 4 domain to a Windows 2000 target domain. When complete, the target domain will have the same trust relationships that the source domain had, thereby preventing any failed permissions issues across the trusts.
Group Mapping and Migration Wizard: This wizard helps you prepare your existing group accounts in the source domain for the migration to the target domain. It helps prevent name conflicts by merging two groups with the same name.
The first step in preparing to use ADMT is to create a target domain structure, where all of your existing domains will be migrated.
Be sure to pick computers that have enough hardware resources to handle the load of being the first domain controllers in the target domain. Remember that the first domain controller in a domain will have all five of the FSMO roles by default. You can read more about ADMT at http://www.microsoft.com/WINDOWS2000/guide/server/solutions/admt.asp.
Installing ADMT
The next step is to install Active Directory Migration Tool. ADMT must be installed on a domain controller in the target domain. You must ensure that the domain controller has at least the following minimum hardware requirements to run ADMT:
Pentium II or later CPU
Adequate memory for the migration process: minimum of 10MB of available RAM for the process and 4KB per user to be migrated
At least 35MB of free disk space for the tool itself (around 7MB) and for the data and log files
To install the ADMT software on your target domain controller, execute the self-extracting file ADMT.exe and answer the prompts. About the only real decision you will be asked to make (aside from accepting the license agreement) concerns the folder location to install to. This Setup Wizard is really very simple. You can just accept all of the defaults and be very happy with the results in most cases. ADMT works by transmitting an Agent to the old domain controller. The Agent is initiated by your logged-on user credentials (which must have administrator rights on the local and source domains), and then it is sent to the source domain. The Agent will run there as a system process, then write data back to the target domain. The ADMT Agent can run on the following operating systems:
Windows NT 3.51 with Service Pack 5 (Intel and Alpha platforms)
Windows NT 4 with Service Pack 4 or higher (Intel and Alpha platforms)
Windows 2000
Just to be very clear, and to help you avoid a problem that caused me grief for a while, you need to establish a two-way trust between the source and target domains and then add yourself to the built-in local administrators group on the source domain. That way, when you log on to the computer where you will be running ADMT in the target domain, your account will also have administrative permissions on the source domain. Since the migration process will be run using your user credentials on both domains, your account needs administrative rights on both domains.
ADMT is not included with the Windows 2000 product. Instead, you will need to download it from Microsoft’s Web site at http://www.microsoft.com/windows2000/downloads/deployment/admt/default.asp.
EXERCISE 7.1
Installing Active Directory Migration Tool
To perform this exercise, you must first download ADMT from the URL listed above. This exercise will lead you through the necessary steps to install ADMT on your computer. Note the hardware requirements for ADMT listed earlier in this chapter and make sure that your computer meets these requirements. The computer should be a domain controller, but ADMT will install on a member server.
1. Open My Computer and browse to the location where you saved the ADMT.exe self-extracting archive file.
2. Double-click the file to begin the extraction and installation.
3. Click Next on the opening banner page for the Active Directory Migration Tool Setup Wizard. The second page is the license agreement. Click the radio button to accept the license agreement, then click Next.
4. Select an installation path for the program. The default is to install it in your Program Files folder. Click Next to proceed.
5. Click Next to begin the installation. The files will now be copied to your hard disk. When Setup completes, click Finish to exit the Setup Wizard. Now that you have installed ADMT, let’s verify that it is working on your computer.
6. Open Start > Programs > Administrative Tools > Active Directory Migration Tool. You will most likely find this at the bottom of the Administrative Tools Group menu.
7. Click the Reports icon in the console tree. If you now see a set of instructions in the right pane of the Migrator console describing the Reports Wizard, you have correctly installed ADMT.
Configuring ADMT
Once you’ve installed the ADMT software on a domain controller in the target domain, you are ready to configure the software to work with the source domain. Again, remember that you need to establish a two-way trust between the source and target domains. Also, add the Domain Admins global groups from each domain to each other’s local Administrators group to ensure that you have administrative rights on both domains. These are critical steps.
Most of the configuration of ADMT falls into the category of preparation. Before attempting any kind of migration, be sure to synchronize the system clocks on all domain controllers. Very likely, you already do this on your network, but if not you can use the following command to synchronize the clock on a computer with a time server (a computer whose time will be used as the guide for all other computers): net time \\computername /set, where computername is the name of the time server. This is a good command to place in your logon scripts for clients and a good command to schedule on your domain controllers.
Another interesting pre-migration step for ADMT is to empty the Recycle Bin for all user accounts that are to be migrated before performing the migration. This will prevent the accounts from generating an error that the Recycle Bin is corrupted. The error is generally considered harmless, in that you can simply delete the contents of the Recycle Bin and everything will be fine. But to avoid the errors, simply empty the Recycle Bin prior to performing the migration.
To use ADMT successfully, the following items must be configured:
The target domain must be in native mode. ADMT requires the use of the SIDHistory feature to correctly migrate security principals from the source domain to the target environment. SIDHistory is available only in native mode.
The source domain must either be an NT 4 domain or be in the same forest. The source domain can be either an NT 4 or Windows 2000 environment. If it is Windows 2000, it can be in either native or mixed mode, but it must be in the same forest as the target domain.
A new local group should be created in the target domain. ADMT will create a group called SourceDomainName$$$ in the source domain if it can, but Microsoft recommends that you create the group manually. The group should be a local group on the domain controller where ADMT is being run. The name is the name of the source domain plus the three dollar signs ($$$), so if the source domain is Boston, the local group name would be Boston$$$.
Disconnect any active sessions. There must not be any current drive mappings, browse lists, or anything else that will generate a network session between the source and target domain controllers. If there is a current session, ADMT may fail with a credentials conflict.
Edit the Registry on the source PDC. The PDC or PDC Emulator should have an entry added to the Registry to enable Local Security Authority (LSA) to use TCP/IP. The setting is HKLM\System\CurrentControlSet\Control\LSA. The value name is TcpipClientSupport, the type is REG_DWORD, and the data is a hexadecimal 0x1.
Enable auditing on the source and target domains. You should enable auditing for the success and failure of user and group management on the source domain. Also enable auditing for the success and failure of audit account management on the target domain in the Default Domain Controllers policy.
EXERCISE 7.2
Enabling Auditing
To enable auditing on a Windows NT 4 domain, follow these steps:
1. Open User Manager by clicking Start > Programs > Administrative Tools > User Manager For Domains.
2. Click the Policies menu and select Auditing.
3. Click Audit These Events, and then place check marks in the Success and Failure checkboxes beside User And Group Management.
4. Click OK to apply the changes.
To enable auditing on a Windows 2000 domain, follow these steps:
5. Click Start > Programs > Administrative Tools > Active Directory Users And Computers.
6. In the console tree in the left pane of the console, right-click the Domain Controllers container and select Properties from the context menu.
7. Click the Group Policy tab.
8. Highlight Default Domain Controller Policy, and then click the Edit button.
9. In the left pane of the Group Policy console, expand the Audit Policies tree.
10. Right-click Audit Account Management and select Security from the context menu.
11. Check the Success And Failure checkbox and then click the OK button. You can wait for the normal replication cycle to replicate this policy to all domain controllers, or you can force the replication using Active Directory Sites and Services.
These settings will handle most of the issues that may arise while using ADMT. You need to keep a few other items in mind for security. For example, you must have administrator rights in the source domain in order to migrate the security principals. You can accomplish this in a couple of ways. First, you can establish a temporary two-way trust between the source and target domains. Second, you can add an administrator account to each and every computer where resources exist that must be migrated. Obviously, adding the Domain Admins group to each local administrators group would be tedious at best. However, if resources on member servers need to be migrated, you need administrative privileges on those machines as well.
The final steps for configuring ADMT include enabling auditing and verifying that administrative shares exist on all computers to be migrated. You will need to use auditing for User and Group Management (in Windows NT 4) or Account Management (in Windows 2000) for both success and failure events. This enables you to track the progress of the migration and determine when accounts have not migrated successfully. You will need to ensure that the administrative shares (such as C$, Admin$, and so on) are enabled on source computers so that ADMT will have access to resources to be migrated. This can be done through System Policy in NT 4 or Group Policy in Windows 2000. If you are using ADMT to perform an intra-forest migration, there are some additional considerations. When performing an intra-forest migration, ADMT must be in communication with the Relative ID Master (RID Master is one of the FSMO roles). The RID Master assists with creating Security Identifiers (SIDs) in a domain by distributing Relative Identifiers (RIDs) to other domain controllers. RIDs are unique numbers that describe a security principal. The RID is combined with the domain SID to create a unique SID for a security principal that identifies the domain to which the security principal belongs and uniquely identifies the security principal itself. Because ADMT must communicate heavily with the RID Master during a migration to create new SIDs for all of the security principals, it is best to install ADMT on the RID Master. This enables ADMT and the RID Master to communicate without involving network traffic.
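As an added example, not from the book or from ADMT itself, the following Python model of the SID structure described above parses SID strings, splits an account SID into its domain SID and RID, mimics the RID Master's allocation when an account is re-created in the target domain, records the old SID in SIDHistory, and refuses built-in principals, whose well-known SIDs (such as S-1-5-32-544) are identical in every domain. The domain SIDs and RIDs in it are constructed sample values.

```python
"""Model of the SID/RID relationship ADMT depends on (added example, not ADMT code).

A domain SID is S-1-5-21-<a>-<b>-<c>; a principal in that domain is the domain
SID plus one more subauthority, the RID, handed out by the RID Master. Built-in
groups live under S-1-5-32 and carry the same SID in every domain. All domain
SIDs and RIDs used here are constructed sample values.
"""
from collections.abc import Iterable
from dataclasses import dataclass, field

NT_AUTHORITY = 5              # identifier authority for NT/AD principals
DOMAIN_MARKER = 21            # first subauthority of every domain SID
BUILTIN_MARKER = 32           # first subauthority of the BUILTIN domain
MAX_SUBAUTHORITY = 2**32 - 1  # subauthorities are 32-bit values


@dataclass(frozen=True)
class Sid:
    authority: int
    subauthorities: tuple

    @classmethod
    def parse(cls, text: str) -> "Sid":
        """Parse 'S-1-5-21-...' into numeric components, rejecting malformed input."""
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
            raise ValueError(f"not a SID string: {text!r}")
        if not all(p.isdigit() for p in parts[2:]):
            raise ValueError(f"non-numeric component in SID: {text!r}")
        nums = [int(p) for p in parts[2:]]
        if any(n > MAX_SUBAUTHORITY for n in nums[1:]):
            raise ValueError(f"subauthority exceeds 32 bits: {text!r}")
        return cls(nums[0], tuple(nums[1:]))

    def __str__(self) -> str:
        return "S-1-" + "-".join(str(n) for n in (self.authority, *self.subauthorities))

    def _nt_with(self, marker: int, length: int) -> bool:
        return (self.authority == NT_AUTHORITY and len(self.subauthorities) == length
                and self.subauthorities[0] == marker)

    def is_domain_sid(self) -> bool:       # S-1-5-21-a-b-c: the domain itself, no RID
        return self._nt_with(DOMAIN_MARKER, 4)

    def is_domain_relative(self) -> bool:  # S-1-5-21-a-b-c-RID: an account of a domain
        return self._nt_with(DOMAIN_MARKER, 5)

    def is_builtin(self) -> bool:          # S-1-5-32-RID: well-known built-in group
        return self._nt_with(BUILTIN_MARKER, 2)

    def domain_sid(self) -> "Sid":
        # Strip the RID from an account SID to recover the domain SID.
        if not self.is_domain_relative():
            raise ValueError(f"{self} carries no domain SID")
        return Sid(self.authority, self.subauthorities[:-1])

    @property
    def rid(self) -> int:
        return self.subauthorities[-1]


def make_sid(domain: Sid, rid: int) -> Sid:
    """Combine a domain SID with a RID to form a principal's unique SID."""
    if not domain.is_domain_sid():
        raise ValueError(f"{domain} is not a domain SID")
    return Sid(domain.authority, domain.subauthorities + (rid,))


class RidMaster:
    """Toy RID allocator for one domain: RIDs only increase and are never reused."""
    def __init__(self, domain: Sid, first_rid: int = 1000) -> None:
        if not domain.is_domain_sid():
            raise ValueError(f"{domain} is not a domain SID")
        self.domain, self._next = domain, first_rid

    def allocate(self) -> int:
        rid, self._next = self._next, self._next + 1
        return rid


@dataclass
class Principal:
    name: str
    sid: Sid
    sid_history: list = field(default_factory=list)


def migrate(principal: Principal, target: RidMaster, keep_sid_history: bool = True) -> Principal:
    """Target-domain copy: target domain SID + fresh RID; with keep_sid_history
    (ADMT's 'Migrate User SIDs To Target Domain') the old SID goes into SIDHistory.
    Built-in principals are refused, as ADMT skips them: their SID already exists."""
    if principal.sid.is_builtin():
        raise ValueError(f"{principal.name}: built-in SID {principal.sid} is not migrated")
    if not principal.sid.is_domain_relative():
        raise ValueError(f"{principal.name}: {principal.sid} is not a domain account SID")
    new_sid = make_sid(target.domain, target.allocate())
    history = list(principal.sid_history) + ([principal.sid] if keep_sid_history else [])
    return Principal(principal.name, new_sid, history)


def grants_access(principal: Principal, acl_sids: Iterable[Sid]) -> bool:
    """The token holds the current SID plus every SIDHistory entry, so ACLs on
    resources not yet translated still match after the migration."""
    token = {principal.sid, *principal.sid_history}
    return any(sid in token for sid in acl_sids)
```

Running migrate with keep_sid_history=False shows the failure mode the text warns about: the migrated account no longer matches ACLs that still name its old SID.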
Using ADMT
Now that you understand just what ADMT is and have it configured properly, you’re ready to begin using ADMT. So let’s get started by opening Active Directory Migration Tool from the Administrative Tools group. The first time you open ADMT, the console is pretty empty. The only entry under the console root is Reports. The Reports branch of the console tree will be populated as you run the various report utilities and migration wizards that make up ADMT. When you click Reports, you will receive some useful information, as shown in Figure 7.2.
FIGURE 7.2 The Reports tree is unpopulated by default but gives you information to get started.
Let’s start with the Reporting Wizard. The Reporting Wizard generates reports that detail the tasks necessary to complete your migration to the target domain. To run the wizard, right-click the Active Directory Migration Tool icon in the left pane of the Migrator console and select Reporting Wizard from the context menu. The second page of the wizard asks you to define the source and target domains, as shown in Figure 7.3.
FIGURE 7.3 The Reporting Wizard prompts you for the source and target domains.
If everything is configured correctly, ADMT will be able to open information from both the source and the target domains. This is the point at which an error will be generated if there is no trust between the domains or if the account you are using doesn’t have administrative permissions in both domains. You will also receive an error if the target domain isn’t in native mode. Assuming that everything is configured correctly, you will be prompted for the location to store the report information, as shown in Figure 7.4.
The next page presents you with a list of the possible reports the wizard can generate for you, as shown in Figure 7.5. You will need to pick the report(s) you want from the list before proceeding with the next step. The first time you run the wizard, none of the reports have ever been run, and the status under Date/Time Last Created is Not Created. Select all of the reports, and then click Next.
FIGURE 7.5 The Reporting Wizard gives you a list of possible reports.
The Reporting Wizard then requests your account information for the source domain. You will be prompted to supply a user name, password, and the source domain name, as shown in Figure 7.6. The account you use must have local administrator rights, which should be taken care of by the trust you created in preparation for using ADMT. Hopefully, you remembered to add your global Domain Admins group from the target domain to the local Administrators group on the source domain; if not you’ll want to do that right away.
After your credentials have been verified on the source domain, the Reporting Wizard asks you to identify the computers that have the security principals you wish to move. Typically, you will pick the primary domain controller of the source domain when you reach this page in the wizard, shown in Figure 7.7. Highlight the server that contains the accounts you want to move and click Next.
FIGURE 7.7 Select the computer that contains the security principals you want to move.
After you have completed these steps, the Reporting Wizard summarizes your choices on the final page of the wizard, shown in Figure 7.8. Once you click Finish on this summary page, the Reporting Wizard will run the reports you specified and return the information to the Migrator console window.
FIGURE 7.8 The Reporting Wizard summarizes your choices on the last page.
While the Reporting Wizard is running, you will be able to view the current status in the Active Directory Migration Tool Agent Monitor, shown in Figure 7.9. Most of the other utilities in ADMT will operate in a similar fashion. If the Reporting Wizard can run successfully, then you know that your configuration is correct. I’ve found that no matter how I try to configure my domains ahead of time, I always seem to forget one detail or another. ADMT will prompt you with surprisingly helpful error messages, often telling you specifically how to fix the error condition.
FIGURE 7.9 The ADMT Agent Monitor provides current status messages during reporting.
I feel that the Reporting Wizard is the best place to start, as it will provide helpful information about the accounts that are going to be migrated. It also helps you to iron out any bugs you may have in your configuration. Once you have proven that the configuration is solid, you can move on to the other utilities in ADMT. The next step will depend on the type of migration you are performing. Some migration types will require more steps than others—and perhaps even a different order of events.
Using ADMT in an Inter-Forest Resource Domain Migration
The basic steps to use when performing an inter-forest resource domain migration include the following:
1. Use the Trust Migration Wizard to help you to identify and recreate trusts between resource domains and the target domain. The wizard first identifies all of the existing trusts between a given resource domain and its account domains, then gives you the option of creating parallel trusts from the resource domain to the target account domain.
2. Use the Service Account Migration Wizard to identify service accounts used on specific computers in the source resource domain. You will be asked to specify the computers that are using service accounts, and then the wizard will examine those servers for all service accounts. These accounts will then be included when you later migrate user accounts.
3. Use the Computer Migration Wizard. Resource domains frequently hold the computer accounts for user workstations and application servers. The Computer Migration Wizard will migrate the local computer information and account for each of the workstations and member servers in the resource domain. ADMT dispatches an agent to each of the computers to be migrated. At the completion of the agent’s duties, it will force the computer to shut down and restart.
4. Use the Security Translation Wizard to translate the local user profiles on the computers that have been migrated to the target domain from the original SID of the user to the new SID of the user in the target domain. On the Translate Objects page of the wizard, select User Profiles as the object to translate.
5. Use the Group Migration Wizard at this point to migrate shared local groups from the resource domain to the target domain. On the Group Options page, make sure you select Migrate Group SIDs To Target Domain and also Do Not Rename Accounts.
6. Use the User Migration Wizard to migrate service accounts to the target domain. Be aware that while the service accounts themselves will be migrated, some applications must be modified to use the new accounts in the target domain. Exchange Server 5.5 is a good example of this. ADMT cannot change the service account settings within Exchange, so you must change the service account manually in the Exchange Administrator console.
7. Use the Security Translation Wizard to update the service account user rights. Be sure to select the domain in which the service account resides and not the domain of the computer on which the service account is being used (if they are different). On the Translate Objects page of the wizard, select Local Groups and User Rights as the options to translate.
After these steps have been completed, you are ready to upgrade the domain controllers to Windows 2000 (if they aren’t already running Windows 2000) and move them into the target domain. ADMT cannot migrate the domain controllers for you using the Computer Migration Wizard as it can the member servers and workstations, but you can use all of the other ADMT tools on them. Once the domain controllers have been migrated, you can successfully decommission the old resource domains.
EXERCISE 7.4
Using ADMT in an Inter-Forest Account Domain Migration
In this scenario, you will be moving resources from an existing account domain to a new target account domain. To perform an inter-forest account domain migration using ADMT, you must follow these steps:
1. Create the Windows 2000 Target Domain. Consult Chapter 6, “Using Target Domains for Migration,” for more information on creating a target domain.
2. Use the Trust Migration Wizard to establish proper trust relationships between the source account domain and the target domain. You can also use NETDOM for this task.
3. Use the Group Migration Wizard to migrate the domain global groups from the source domain to the target account domain. If the global group you are migrating contains a large number of users, it can take quite a while to process all of the members. This will also cause a heavy impact on your network traffic. Consider using the option to migrate the user accounts with the group instead.
4. Use the User Migration Wizard to move the accounts incrementally, using a pilot group first. This enables you to test your migration planning while affecting only a small group of users at one time. If a large number of user accounts are in the source domain, it will take quite a while to build the list of user accounts to migrate, which will cause a heavy impact on network performance.
After these steps have been successfully completed, you can either move on to migrate your resource domains or decommission the source account domain, according to your migration plan.
EXERCISE 7.5
Using ADMT in an Intra-Forest Resource Domain Migration
This migration type is very similar to the inter-forest resource domain migration, so I will be brief in describing each step. Using the wizard, follow these steps to complete the intra-forest resource domain migration:
1. Use the Service Account Migration Wizard. ADMT cannot determine whether a service account is used by more than one service. You will need to do this yourself. You will be asked to specify the computers that are using service accounts, and then the wizard will examine those servers for all service accounts. These accounts will then be included when you later migrate user accounts.
2. Use the Computer Migration Wizard. Resource domains frequently hold the computer accounts for user workstations and application servers. The Computer Migration Wizard will migrate the local computer information and account for each of the workstations and member servers in the resource domain. ADMT dispatches an agent to each of the computers to be migrated. At the completion of the agent’s duties, it will force the computer to shut down and restart.
3. Use the User Migration Wizard to migrate service accounts to the target domain. Remember that you might have to manually reset some service accounts for applications.
4. Use the Group Migration Wizard at this point to migrate shared local groups from the resource domain to the target domain. On the Group Options page, make sure you select Migrate Group SIDs To Target Domain and also Do Not Rename Accounts.
From here, your steps will be dictated by your migration plan. You will either decommission the resource domain or migrate other domains.
EXERCISE 7.6
Using ADMT in an Intra-Forest Account Domain Migration
Here again, the process is very similar to the inter-forest account domain migration, so the descriptions will be brief. Because this type of migration is within a forest by definition, you won’t need to establish trust relationships. All domains within a forest have transitive trusts by default. To perform an intra-forest account domain migration, complete the following steps:
1. Use the Group Migration Wizard to migrate the domain global groups from the source domain to the target account domain. If a high number of users are in the global group you are migrating, it can take quite a while to process all of the members. This will also cause a heavy impact on your network traffic. Consider using the option to migrate the user accounts with the group instead.
2. Use the User Migration Wizard to migrate both user accounts and their roaming user profiles. On the User Options page of the wizard, make sure you check the Translate Roaming Profiles and the Update User Rights checkboxes.
3. Use the Security Translation Wizard at this point to translate the local user profiles on the computers that have been migrated to the target domain from the original SID of the user to the new SID of the user in the target domain. On the Translate Objects page of the wizard, select User Profiles as the object to translate.
After completing these steps, you can manually migrate a domain controller from the source domain to the target domain and decommission the source domain.
Migrating User Accounts with Active Directory Migration Tool
ADMT is a great tool for analyzing the progress of your migration. It includes a number of wizards for reporting the account conflicts between the source and target domains, as well as wizards for migrating trusts and security principals.
Microsoft Exam Objective
Migrate global groups and user accounts.
The Microsoft strategy for selecting the “proper” migration tool suggests that you would only copy security principals with ClonePrincipal and migrate them with ADMT. In the course of preparing this chapter, I discovered that like so many other Microsoft tools, ADMT is actually capable of performing both roles. The exam is likely to prefer the official strategy, so if you’re preparing for the test, keep that in mind. In the real world, ADMT is much easier for most of us to use.
To migrate user accounts with ADMT, you will be using the User Account Migration Wizard, as shown in Figure 7.10.
FIGURE 7.10 The User Account Migration Wizard
EXERCISE 7.7
Migrating User Accounts
To migrate some user accounts from your source domain to the target environment, follow these steps:
1. Open ADMT by clicking Start > Programs > Administrative Tools > Active Directory Migration Tool. Right-click the Active Directory Migration Tool node in the console and select User Account Migration Wizard from the menu. Click Next to start the wizard.
2. Decide whether you will migrate users or only perform a test migration. The test migration won’t actually move any accounts; it will only test the possibility. The Test Or Make Changes page is shown in the following graphic. Click Next.
3. Select the source and target domains for the migration, as shown in the following graphic. Click Next when you’re ready to proceed.
4. Now you’re ready to select some user accounts for the migration. You may use any criteria you’ve chosen in your migration plan to choose a set of user accounts or migrate all of them at once. The Select Users page is shown here. Click the Add button.
5. The Select Users dialog shows the source domain chosen for the Look In field. You should see a list of all the user accounts in the source domain, from which you can select individuals or sets of users. When you have selected the users’ accounts, click the Add button to move their accounts to the bottom text box of the dialog, as shown in the following graphic. When you’re satisfied with your selections, click OK.
6. Now you will verify that the correct user accounts are displayed in the user list. Then click the Next button.
7. The Organizational Unit Selection page opens and prompts you to provide the OU in the target domain where the accounts should be created. The entry should be listed by the distinguished name (DN). If you are unsure of the DN for the target OU, click the Browse button to display the dialog shown in the following graphic. Here you can easily browse for the proper OU. Click OK to return to the Organizational Unit Selection page, and then click Next to proceed.
8. On the Password Options page, you must determine what the initial password will be for each migrated account. You can select either Complex Passwords or Same As User Name as the password option to assign. Either way, the list of user accounts and the matching passwords will be stored in the local file path specified in the Location To Store Password File list box. The Password Options page is shown here. Click Next when you’re ready to proceed.
9. The Account Transition Options page prompts you to decide how to handle the user accounts when they are migrated. Your options include Disable Source Accounts, Disable Target Accounts, and Leave Both Accounts Open. The last option will leave the accounts in both domains active and available for users to log on to. This has the same effect as using ClonePrincipal to clone the user accounts. Check the box for Days Until Source Account Expires to cause the account in the source domain to automatically become unavailable at the end of the specified day. Check the box for Migrate User SIDs To Target Domain to have ADMT copy the current SID to the SIDHistory field of the new account. The Account Transition Options page is shown in the following graphic. Click Next to proceed.
10. If you chose to have the SIDHistory created, the User Account page will prompt you to supply a user account with local Administrator rights on the source domain controller. Enter the appropriate information, then click Next.
11. The User Options page, shown here, provides some options governing how user account names should be handled and what information will be migrated with the account. You have three options for related information: Translate Roaming Profiles, Update User Rights, and Migrate Associated User Groups. This last option will migrate any group that the user account belongs to. It has a suboption that lets you update any of the groups that may have already been migrated with this account’s information. The rest of the page is dedicated to the naming of the migrated user accounts: Do Not Rename Accounts, Rename With Prefix, and Rename With Suffix. Click Next when you’re ready to proceed.
12. The Naming Conflicts page lets you resolve any duplicate names that might be created by migrated accounts. Built-in accounts won’t be migrated anyway, so don’t worry about those accounts. This page defines how to handle user accounts that have the same name as one that has already been created in the target domain. As shown in the following graphic, you can choose to ignore the conflict, replace the conflicting accounts in the target domain with the account being migrated, or rename the migrated account with either a prefix or a suffix to keep the names unique.
13. You’ve finally completed the wizard! The last page of the wizard displays a summary of your selections. Click the Finish button when you are satisfied with the options, or click the Back button to go back and change any of the options. When you click the Finish button, the User Account Migration Wizard will run and perform the tasks you selected. During the migration process, you will see the status of the operation displayed in the Migration Progress dialog, as shown in the following graphic.
That’s really all there is to migrating user accounts using ADMT. I’d recommend using the testing option of the wizard until you receive no error messages in the process. I also like the option to leave both accounts open after the migration and copy the current SID to the SIDHistory value of the new account in the target domain. This gives you a way out if there are any serious problems later with the migration. The users will still have the ability to log on to their original accounts if necessary.
Migrating Group Accounts with Active Directory Migration Tool
Migrating group accounts is handled much as user accounts are. Here you can use either ClonePrincipal to copy the group accounts or Active Directory Migration Tool to move the accounts to the target domain. If you want to migrate groups from one tree to another within a single forest, try using Move Tree. If you would rather copy the groups into the target domain, then you should be using ClonePrincipal. ADMT can be used to migrate group accounts in addition to user accounts.
Microsoft Exam Objective
Migrate global groups and user accounts.
EXERCISE 7.8
Migrating Group Accounts
To migrate groups using Active Directory Migration Tool, you will be using the Group Account Migration Wizard within ADMT. Let’s walk through the steps required to migrate the global groups from our example Seattle domain to the Seattle OU of coolcompany.local.
1. Open ADMT by clicking Start Programs Administrative Tools Active Directory Migration Tool.
2. Right-click the Active Directory Migration Tool node in the console and select Group Migration Wizard from the context menu. This opens the Group Account Migration Wizard shown here.
3. Decide whether you will perform the migration or only a test migration. The test migration won’t actually move any accounts; it will only test the possibility. Click Next.
5. Now you’re ready to select some group accounts for the migration. You can use any criteria you’ve chosen in your migration plan to choose a set of group accounts, or you can migrate all of them at once. The Group Selection page is shown below. Click the Add button to browse for groups to add, and click OK when you’ve finished. Click Next to proceed.
6. The Organizational Unit Selection page opens and prompts you to provide the OU in the target domain where the accounts should be created, as shown in the following graphic. The entry should be listed by the distinguished name (DN). If you are unsure of the DN for the target OU, click the Browse button to display a dialog where you can easily browse for the proper OU. Click OK once you have selected the appropriate OU, and then click Next to proceed.
7. On the Group Options page, shown here, you will find some options to control how the groups are migrated. For example, you can copy the group’s SID to the SIDHistory of the new group account in the target domain. You can also choose to copy the members of each group to the new location at the same time the group is migrated. Then click Next to proceed.
8. If you chose to have the SIDHistory created, the User Account page will prompt you to supply a user account with local Administrator rights on the source domain controller. Enter the appropriate information, then click Next.
9. The Naming Conflicts page lets you resolve any duplicate names that might be created by migrated accounts. This page defines how to handle user accounts that have the same name as one that has already been created in the target domain. You can choose to ignore the conflict, replace the conflicting accounts in the target domain with the account being migrated, or rename the migrated account with either a prefix or a suffix to keep the names unique. Click Next to proceed.
10. If you chose to have the group members copied to the target domain, you will be prompted to set the password options to decide how a password will be assigned to the new accounts and where the password file will be written. Then you will need to decide whether the accounts will remain active in both domains or disabled in one or the other. The Group Member Options page is shown in the following graphic. Click Next to proceed.
11. Finally, the wizard displays a summary of all the options you selected during the previous steps. When you click Finish, the wizard will run and complete the steps.
You will use these same steps to migrate either global or local accounts from the source domain. The Group Account Migration Wizard will enable you to migrate either type of group account individually or all together. You can mix ’n match to your heart’s content.
Migrating Computer Accounts
The best way to accomplish the migration of your computer accounts is to use Active Directory Migration Tool’s Computer Migration Wizard. This wizard helps to automate the tasks required to migrate the computer accounts from your source domain to the target Windows 2000 environment.
Microsoft Exam Objective
Migrate local groups and computer accounts. Perform post-migration tasks. Verify success of object migrations.
The process of migrating computer accounts is almost identical to migrating user accounts with ADMT. Instead of selecting user accounts, you will be selecting computer names from the list of all the computers in the source domain. You need to determine the destination to which the computer accounts will be migrated. This is expressed as a distinguished name (DN) and can be determined by browsing for the appropriate container or OU in the target domain. An interesting difference between migrating computer accounts and migrating user accounts is the Translate Objects page, where you decide which properties of the computer will be translated. Translation is the process of mapping the current object’s SID to the SIDHistory of the new account. The objects that can be translated for computers include the following:
Files and folders
Local groups
Printers
Registry
Shares
User profiles
User rights
The SID information for the objects you select on the Translate Objects page will be updated to accept the same user accounts in their new incarnation within the target domain. This is a necessary step if you want the migration to be as seamless as possible for your users. The translation process provides three different methods for applying the translated security:
Replace This option replaces the SID of the source domain security principal with the SID of the equivalent target security principal.
Add The Add option adds the SID for the equivalent security principal in the target domain to the Access Control List (ACL) of the object and leaves the SIDs of the original security principals in place.
Remove The Remove method adds the new SID information for the target security principals and then deletes the original SID information.
Because the migration of a computer account to a new domain requires restarting the computer, this process is included in the Migration Wizard. You must set the number of minutes that the computer will wait after completing the migration before it restarts and uses the new computer account in the target domain. You will also be given the same options for handling the renaming of the computer accounts when they are migrated as you saw when migrating users and groups. You can then determine how any duplicate names will be resolved, and then you will receive a summary of the selected options before the migration tasks are run.
ClonePrincipal
The second tool that we will be looking at is ClonePrincipal, which is another of the deployment and migration tools supplied with Windows 2000. Unlike ADMT, which actually moves objects from a source domain into the Active Directory target domain, ClonePrincipal works by creating a copy of the object in the new domain. Essentially, it makes a clone of the original object in the new location. ClonePrincipal is especially useful when you want to incrementally move users from the source domain to the new target domain. The ClonePrincipal tool is a series of Visual Basic script files that perform various migration tasks. Included in the set are scripts that will migrate user accounts, local group accounts, and global group accounts. ClonePrincipal doesn’t make any changes to the source domain, which is a good thing. It simply copies information out of the SAM database and imports it into Active Directory in the target domain.
Since ClonePrincipal is made up of Visual Basic scripts, the individual scripts can be used easily in migration scripts. This makes it possible to completely script your migration and execute it as a series of phased rollouts. Once the accounts have been cloned and are being used successfully in the target domain, you should delete the original accounts. The scripts that make up ClonePrincipal are installed with the Support Tools from the Windows 2000 Server CD-ROM. The Support Tools are installed from the Support Tools folder on the CD-ROM; simply browse for the folder and then double-click the setup.exe file. Benefits of using ClonePrincipal include the following:
Users can log on to the clone account in the new domain but still have an emergency fallback account in the old domain.
The source domain isn’t disrupted during the migration of accounts to Windows 2000.
You can shift users to the new environment in small groups. If there are problems, fewer people are involved, and you can easily move them back to their original accounts.
You don’t have to modify the Access Control Lists on shared resources in order to preserve the user’s ability to access them. ClonePrincipal will use the SIDHistory feature to maintain both the new and the old SID for a security principal.
You can upgrade a backup domain controller (BDC) to Windows 2000, then use the Active Directory Wizard to demote the server. Once demoted to a member server, the computer can be migrated to the new domain without having to change the local groups or permissions assigned to local resources. This is particularly useful if the server is acting as a resource server for applications or file storage.
Multiple groups from different domains can be merged into a single group in the target domain.
The ClonePrincipal script syntax is fully documented in the clonepr.doc file that is installed in the Support Tools folder under Program Files. This document contains notes on the use of the tool and examples of how the scripts might be used in a batch file.
Microsoft Exam Objective
Select and configure tools, including ADMT, ClonePrincipal, MoveTree, NETDOM, and the Windows 2000 Resource Kit tools.
EXERCISE 7.9
Installing Support Tools
To install the Support Tools, do the following:
1. Insert the Windows 2000 CD-ROM in a drive on your computer. Many of the support tools are designed to be run on a domain controller, so keep that in mind when selecting a computer.
2. Browse the CD-ROM to the Support Tools folder, and double-click the Setup.exe program. The Windows 2000 Support Tools Setup Wizard opens, as shown in the following graphic. Click Next.
3. Enter your name and organization, and click Next.
4. Select the type of installation you want to perform, either Typical or Custom, as shown in the following graphic. Click Next.
5. If you selected a Custom setup, you will be presented with the page shown in the following graphic. Notice that you can only select to install the whole package or nothing at all. The Custom setup does allow you to choose the install path, however.
6. Click Next to begin the installation. When the setup is complete, you will see the final page in the wizard, summarizing the steps you have completed. Click Finish to close the wizard.
Once the Support Tools are installed, they will be saved to the Program Files\Support Tools folder, and shortcuts are placed on the Start menu. The folder contains a copy of the Deployment Planning Guide from the Windows 2000 Server Resource Kit in electronic Help format, as well as Help files for the tools themselves. To use ClonePrincipal, however, you will work from the command prompt. ClonePrincipal supports some custom development capabilities, though you won’t be tested on this information. ClonePrincipal consists of a dynamic link library, clonepr.dll, which implements a Component Object Model (COM) object called DSUtils.ClonePrincipal. This COM object has a single interface, ICloneSecurityPrincipal, which supports these three methods:
Connect This method enables you to create secure connections to both the source and target domains.
AddSIDHistory This method copies the existing Security Identifier (SID) of a security principal to the SIDHistory value of a new security principal in the target domain.
CopyDownLevelUserProperties This method copies all of the properties of an existing NT 4 user account to the new security principal in the target domain.
While this information may not be very useful on the exam, it will be very helpful if you decide to customize the use of ClonePrincipal in your own environment.
If your target domain was recently upgraded from NT to Windows 2000, neither ClonePrincipal nor ADMT will properly add the SIDHistory of objects to the destination domain. To resolve this, delete and rebuild the trust relationships between your source and target domains before using ClonePrincipal or ADMT.
ClonePrincipal includes five sample Visual Basic scripts that provide the basic functionality for your migration needs. These scripts can be used to clone accounts from the source domain to the target domain, or they can be used as guides to create your own scripts. The five scripts are:
Sidhist.vbs This script copies the SID of a security principal from the source domain to the SIDHistory attribute of an existing security principal in the target domain.
Clonepr.vbs This particular script is a sample script that clones a single security principal from the source domain to the target domain. It will create the destination account if it doesn’t already exist and copy the SID to the SIDHistory attribute. If you are cloning a user account or a global group, it will also create the memberships in the target domain. If you are cloning a local group, then it will also clone all of the members to the target domain.
Clonegg.vbs This script clones all of the global groups in a given domain to the target domain.
Cloneggu.vbs Rather than cloning only groups from a given domain, this script clones all global groups and user accounts from the source domain to the target domain.
Clonelg.vbs This last script clones all of the shared local groups on the domain controllers in the source domain to the target domain.
Preparing to Use ClonePrincipal
Now that we’ve installed ClonePrincipal with its support tools and reviewed the various scripts, we’re ready to get started. ClonePrincipal accesses two different domains for some very sensitive work in terms of security. For this reason, you must have administrator permissions in both domains, and trusts must be established between the domains. SIDs must be unique within a forest whether they are the primary SID or the SIDHistory. Because of this, the source domain must be in a different forest than the target domain. The target domain must be in native mode because the SIDHistory attribute is required for the destination accounts.
ClonePrincipal must be run on the console (at the command prompt) of a domain controller in the target domain. This should be the PDC Emulator for best results, but it can be any Windows 2000 domain controller. The tool cannot be run on a remote workstation. The PDC of the source domain should be the focus of operations for the source domain. The source PDC must be running Windows NT 4 with Service Pack 4 or later, or it can be running Windows 2000. Again, the PDC Emulator should be chosen if the source domain is Windows 2000 because the auditing will then be generated on only one computer.
The PDC or PDC Emulator should have an entry added to the Registry to enable Local Security Authority (LSA) to use TCP/IP. The setting is HKLM\System\CurrentControlSet\Control\LSA. The Value name is TcpipClientSupport, the type is REG_DWORD, and the data is a hexadecimal 0x1.
ClonePrincipal requires a group called SourceDomainName$$$ in the source domain. The group should be a local group on the domain controller where ADMT is being run. The name is the name of the source domain plus the three dollar signs ($$$), so if the source domain is Boston, the local group name would be Boston$$$.
The last step in preparing for ClonePrincipal is absolutely required, and that is to enable auditing in both the source and target domains for account management. You will need to use auditing for User and Group Management (in Windows NT 4) or Account Management (in Windows 2000) for both success and failure events. This enables you to track the progress of the migration and determine when accounts have not migrated successfully. It also gives administrators a way of determining when this procedure has been run on their domain, helping to prevent unauthorized use of ClonePrincipal.
EXERCISE 7.10
Configuring an Environment for ClonePrincipal
To configure your environment for ClonePrincipal, perform the following steps:
1. Make certain the source domain PDC is running the required operating system level, Windows NT 4 with Service Pack 4 or higher.
2. Establish a trust from the source domain to the target domain. Optionally, use a two-way trust between the two domains.
3. Edit the Registry on the source domain controller to include the value TcpipClientSupport REG_DWORD 0x1 at this location: HKLM\System\CurrentControlSet\Control\LSA. This change enables the use of Remote Procedure Calls over TCP/IP.
4. Create a new local group on the source domain controller named <SourceDomainName$$$> where SourceDomainName is the name of your source domain. This group name is used for the auditing of the ClonePrincipal operations in the NT 4 domain.
5. Enable auditing in both the source and the target domains. Audit for both success and failure of account management events. In NT 4, this would translate to User and Group Management.
6. It is also possible that you would have to register the clonepr.dll file if you installed ClonePrincipal manually. To register the .dll file, execute this command at a command prompt: regsvr32 clonepr.dll.
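Added example, not from the book: a batch file covering steps 3 and 4 of the exercise, run at the console of the source PDC (SeattleDC in the coolcompany example) as a domain administrator. It takes the source domain name as its only argument, writes and silently imports a .reg file for the TcpipClientSupport value, and creates the DomainName$$$ local group only when it does not already exist; the file name prep-src.cmd and the .reg file it writes are assumptions.

```batch
@echo off
rem Added example (not from the book): prepare the source PDC for ClonePrincipal.
rem Usage: prep-src.cmd Seattle      (run at the console of the source PDC)
setlocal
if "%~1"=="" (
  echo Usage: %~n0 SourceDomainName
  goto :eof
)
set SRCDOM=%~1
set REGFILE=%TEMP%\lsa-tcpip.reg

rem Step 3: TcpipClientSupport = REG_DWORD 0x1 under HKLM\System\CurrentControlSet\Control\LSA.
rem The .reg file is constructed here; regedit /s imports it without prompting.
>  "%REGFILE%" echo REGEDIT4
>> "%REGFILE%" echo.
>> "%REGFILE%" echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA]
>> "%REGFILE%" echo "TcpipClientSupport"=dword:00000001
regedit /s "%REGFILE%"
del "%REGFILE%"
echo TcpipClientSupport set to 1 for LSA.

rem Step 4: the SourceDomainName$$$ local group used to audit ClonePrincipal.
rem "net localgroup <name>" fails when the group is missing, so create it only then.
net localgroup %SRCDOM%$$$ >nul 2>&1
if errorlevel 1 (
  net localgroup %SRCDOM%$$$ /add /comment:"ClonePrincipal auditing group"
) else (
  echo Local group %SRCDOM%$$$ already exists; leaving it alone.
)
endlocal
```

Enabling account management auditing (step 5) is still done in User Manager for Domains or the Domain Controller Security Policy; this file does not touch it.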
Using ClonePrincipal
You can choose to use ClonePrincipal with the sample scripts provided by Microsoft, or you can write your own scripts. If you decide to write your own scripts, consult the white paper for ClonePrincipal, clonepr.doc, which is provided on the CD-ROM with the tools. Otherwise, if you want to go ahead and use the samples that have been included with the tool, here is some syntax to use:
Sidhist.vbs This script copies the current SID of one account to the SIDHistory attribute of one destination account. Its syntax is
    Cscript sidhist.vbs /srcdc:<source PDC> /srcdom:<source domain> /srcsam: /dstdc: /dstdom: /dstsam:
Clonepr.vbs To clone a single account from the source domain into the target domain, use Clonepr.vbs. Its syntax is
    Cscript clonepr.vbs /srcdc:<source PDC> /srcdom:<source domain> /srcsam:<source account> /dstdc: /dstdom: /dstsam: /dstDN:<destination Distinguished Name>
Cloneggu.vbs This script clones all global groups and users from the source domain to the target domain. Its syntax is
    Cscript cloneggu.vbs /srcdc:<source PDC> /srcdom:<source domain> /dstdc: /dstdom: /dstOU:<destination OU>
Clonelg.vbs The task of this script is to clone shared local groups from the source domain controller to the destination domain controller. Its syntax is
    Cscript clonelg.vbs /srcdc:<source PDC> /srcdom:<source domain> /dstdc: /dstdom: /dstOU:<destination OU>
Clonegg.vbs This script clones all global groups from the source domain to the target domain. Its syntax is
    Cscript clonegg.vbs /srcdc:<source PDC> /srcdom:<source domain> /dstdc: /dstdom: /dstOU:<destination OU>
An example of how to use ClonePrincipal to copy user accounts from the source domain in our fictitious company, Coolcompany Inc., to the target domain of coolcompany.local would be to use cloneggu.vbs to clone all global groups and users from the Seattle domain of Coolcompany Inc. to the coolcompany.local target domain. To accomplish this move, we must have some more information. The source domain name is Seattle, and the PDC of the Seattle domain is Seattle_dc. The target domain is coolcompany.local, but the NetBIOS name of the domain is coolcompany. The target PDC is Cool_dc. We will clone the users and groups into the Seattle OU container within coolcompany.local. The command line for this would be
    Cscript cloneggu.vbs /srcdc:seattle_dc /srcdom:seattle /dstdc:cool_dc /dstdom:coolcompany /dstOU:OU=Seattle,DC=coolcompany,DC=local
This command will clone all of the users and global groups from the Seattle domain to the Seattle OU of coolcompany.local. For this command to work properly, the organizational unit (OU) of Seattle must already exist in the coolcompany.local domain.
Migrating User Accounts With ClonePrincipal
If your plan calls for migrating users with minimum impact to the production environment and maximum fault tolerance, you should choose to use ClonePrincipal. If anything goes wrong, the user accounts are still intact in the original source environment. The users can simply log on to their old accounts and continue working while you go about figuring out what went wrong.
Microsoft Exam Objective
Migrate global groups and user accounts.
ClonePrincipal gives you the opportunity to perform a gradual, controlled migration to Windows 2000 and Active Directory. If your plan calls for migrating small groups of users at one time, with maximum reliability and minimum disruption to the production environment, ClonePrincipal is the tool you should use. Most migration plans describe moving user accounts, rather than cloning them. If you are going to be moving accounts to the target domain, and you don’t want the added fault tolerance of creating clones of your security principals, then you should be using Active Directory Migration Tool.
The online help for ClonePrincipal and Active Directory Migration Tool both refer to creating a special local group in the source domain to use for the migration with the name DomainName$$$, where DomainName is the name of the source domain. If you receive an error that the specified local group does not exist, verify that this group exists in the source domain.
You can choose to use ClonePrincipal with the sample scripts provided by Microsoft, or you can write your own scripts. If you decide to write your own scripts, consult the white paper for ClonePrincipal, clonepr.doc, which is provided on the CD-ROM with the tools. Otherwise, go ahead and use the samples that have been included with the tool. To clone user accounts from the source domain in our fictitious company, Coolcompany Inc., to the new Active Directory environment, we’ll use the Clonepr.vbs script to copy single accounts across. This could potentially be very slow if you were to type in the script commands for each user that you wanted to clone. Instead, I would suggest creating a batch file that calls this script repeatedly to clone single user accounts. This way, you can clone groups of user accounts in a gradual, controlled fashion.
EXERCISE 7.11
Creating a ClonePrincipal Batch File
In this exercise, you will create a batch file to clone several user accounts from your source domain to the target domain. If you don’t actually have a test environment set up, you can still create this file using names that you define for the domains and users. The exercise will use the names from the coolcompany example.
1. Open Notepad by clicking Start Programs Accessories Notepad.
2. Beginning at the first line, enter your command line for ClonePrincipal. Repeat the commands for each user that you want to clone, making sure you press Enter after each command line. For example, to clone User1 from the Seattle domain of coolcompany to the Seattle OU of coolcompany.local, use this command:
    Cscript clonepr.vbs /srcdc:SeattleDC /srcdom:Seattle /srcsam:User1 /dstdc:sea-1 /dstdom:coolcompany.local /dstsam:User1 /dstDN:CN=User1,OU=Seattle,DC=coolcompany,DC=local
This command should be entered entirely on one line, with a return at the end of the line so that you can enter the next command. The example assumes that the PDC of the source Seattle domain is named SeattleDC, that the target domain controller is named Sea-1, and that the Seattle OU already exists.
3. Enter the next line for User2. Replace the User1 account in the above example with User2.
4. Repeat for several more users (e.g., User3, User4, User5, etc.).
5. If you have a test environment, execute the batch file in the Support Tools folder of the destination domain controller.
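Added example, not from the book: the same batch approach as the exercise, generalized so the account names come from a users.txt list instead of one hand-typed Clonepr.vbs line per user, with each call's output appended to a log and a pass/fail count at the end. It assumes it is run from the Support Tools folder on the target domain controller Sea-1, and that cscript returns a nonzero exit code when the script fails (an assumption); the file names users.txt and clone-users.log are constructed for the example.

```batch
@echo off
rem Added example (not from the book): clone every user listed in users.txt
rem with Clonepr.vbs, one call per account, logging each call's output.
rem users.txt holds one SAM account name per line; lines starting with ; are
rem skipped. A constructed sample list would look like:
rem     ; accounts to clone from the Seattle domain
rem     User1
rem     User2
setlocal
set SRCDC=SeattleDC
set SRCDOM=Seattle
set DSTDC=Sea-1
set DSTDOM=coolcompany.local
set DSTOU=OU=Seattle,DC=coolcompany,DC=local
set USERLIST=users.txt
set LOG=clone-users.log
set /a OK=0
set /a FAIL=0

rem Sanity checks before touching either domain.
if not exist clonepr.vbs (
  echo clonepr.vbs not found; run this file from the Support Tools folder.
  goto :eof
)
if not exist "%USERLIST%" (
  echo User list %USERLIST% not found.
  goto :eof
)

echo ===== ClonePrincipal run %DATE% %TIME% ===== >> "%LOG%"
rem One clonepr.vbs call per account; the destination DN is built from the
rem account name and the destination OU, as in the exercise.
for /F "eol=; tokens=1" %%U in (%USERLIST%) do (
  echo Cloning %%U ...
  echo --- %%U --- >> "%LOG%"
  cscript //nologo clonepr.vbs /srcdc:%SRCDC% /srcdom:%SRCDOM% /srcsam:%%U /dstdc:%DSTDC% /dstdom:%DSTDOM% /dstsam:%%U /dstDN:CN=%%U,%DSTOU% >> "%LOG%" 2>&1
  if errorlevel 1 (
    echo   FAILED - see %LOG%
    set /a FAIL+=1
  ) else (
    set /a OK+=1
  )
)
echo Done: %OK% cloned, %FAIL% failed. Review %LOG% and the Account Management audit entries on both domain controllers.
endlocal
```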
A batch file is a great way to call clonepr.vbs to clone individual user accounts from the source domain to the target domain. Of course, the cloneggu.vbs script would be even better if you wanted to clone all of your global groups and users at the same time.
Migrating Group Accounts with ClonePrincipal
Migrating group accounts is handled much as user accounts are. Here again you can use either ClonePrincipal to copy the group accounts or Active Directory Migration Tool to move the accounts to the target domain. If you want to migrate groups from one tree to another within a single forest, try using Move Tree instead of ClonePrincipal. If you are planning to move the groups into the target domain, then you should be using ADMT.
Microsoft Exam Objective
Migrate local groups and computer accounts.
Migrating groups from the source domain using ClonePrincipal is easier than migrating user accounts. The sample scripts included with ClonePrincipal provide a method to clone all groups of a specific type at one time. For instance, the Clonegg.vbs script will clone all global groups from the source to the target domain, and Clonelg.vbs will do the same for domain local groups.
Clonegg.vbs This script clones all global groups from the source domain to the target domain. Its syntax is
    Cscript clonegg.vbs /srcdc:<source PDC> /srcdom:<source domain> /dstdc: /dstdom: /dstOU:<destination OU>
Clonelg.vbs This script clones shared local groups from the source domain controller to the destination domain controller. Its syntax is
    Cscript clonelg.vbs /srcdc:<source PDC> /srcdom:<source domain> /dstdc: /dstdom: /dstOU:<destination OU>
To use these scripts in our example company’s migration, first we’ll migrate the shared domain local groups using Clonelg.vbs. Consult Table 7.1 for the configuration.
TABLE 7.1 Configuration for the Coolcompany Example
Configuration Option      Source Domain    Target Domain
Domain controller         SeattleDC        Sea-1
Administrator account     Administrator    Administrator
Administrator password    Password         Password
Organizational Unit       N/A              Seattle
So, to clone the domain local groups from the PDC of the Seattle domain to the Seattle OU in the coolcompany.local target domain, you would use this script:
    Cscript clonelg.vbs /srcdc:SeattleDC /srcdom:Seattle /dstdc:Sea-1 /dstdom:coolcompany.local /dstOU:OU=Seattle,DC=coolcompany,DC=local
Notice the use of the distinguished name (DN) for the destination OU. If you don’t use this format, the script will be unable to attach to the correct location in the target Active Directory. The special local group you created when setting up the computers for ClonePrincipal, for this example the group Seattle$$$, will also be cloned when you run this script. As the script runs, you will be able to watch its progress on the screen because it will print out the information for each group as it is cloned. When you use this script, use the earlier example as a guide and modify the necessary parameters for your own environment.
To clone your global groups from the source domain, the process is very similar. For our coolcompany example, the command line would look like this:
    Cscript clonegg.vbs /srcdc:SeattleDC /srcdom:Seattle /dstdc:Sea-1 /dstdom:coolcompany.local /dstOU:OU=Seattle,DC=coolcompany,DC=local
Now, there is a “gotcha” involved in running either the Clonegg.vbs or the Cloneggu.vbs script. These scripts, by default, will also attempt to clone the built-in global groups. Windows NT/2000 sees these groups as well-known RIDs, because these groups exist on all NT/2000 domain controllers and always have the same Relative Identifier. If you intend to clone the source groups onto the existing global groups in your target domain (for instance, to give them access to all resources the original group has through the SIDHistory feature), then the problem is that the built-in groups are not located in the destination OU. You can move the groups temporarily to the destination OU, or you can change the script. Fortunately, this edit in the script is very simple. You will be searching for a block of code near the end of the script that will prevent the script from cloning the well-known RIDs, leaving it free to concentrate on the groups you have created in the source domain. To edit the script, open it either by using the File > Open command in Notepad or right-clicking the file and selecting Edit from the context menu. Use the Edit > Find command in Notepad (I’d suggest searching for the first line of text only) to locate the following block of code:
    'To Stop Cloning Well Known Sids Uncomment 4 lines below
    ' if HasWellKnownRid(sidString) then
    '     ShouldCloneObject = False
    '     exit function
    ' end if
Once you’ve found the code, remove the leading single quotes (') from the four lines below the comment, then save the file and run the script using the previous example as a guideline. When you run the script in a production environment, change the command syntax to include the names that are appropriate for your network.
Move Tree
The Active Directory Object Manager (MoveTree.exe) is a command-line utility for moving objects from one Active Directory domain to another. It can be used to move user accounts or even entire OUs from one domain to another in the same forest. This tool will be most useful once you have begun your migration and have integrated some of the old domains into the new Active Directory structure. Be aware that there are some objects that Move Tree cannot migrate to another domain:
System objects, such as the built-in special groups Everyone, System, or Interactive
Any objects located in the domain’s special containers: Builtin, ForeignSecurityPrincipal, System, and LostAndFound
Domain controllers or any object whose parent is a domain controller (such as a local account on a domain controller)
Any object that has the same name as an object in the target domain
You might have noticed that Move Tree is described as doing pretty much the same thing as ClonePrincipal. So why did Microsoft give us two tools to do the same thing? They didn’t. While the two tools appear to fulfill the same function, they do have some basic differences:
Move Tree is designed to work within a single forest, whereas ClonePrincipal is exclusively designed to move objects from one forest to another. Move Tree is intraforest and ClonePrincipal is interforest.
Move Tree actually moves the objects it works with. This means that they are copied to the new domain and then destroyed in the original domain. ClonePrincipal copies the object to a new domain and leaves the original intact.
Move Tree maintains the users’ current passwords after the move operation is completed. ClonePrincipal does not keep the users’ passwords.
Move Tree maintains the object’s Globally Unique Identifier (GUID) after the move, while ClonePrincipal does not.
For a complete listing of the command syntax to use with Move Tree, consult the online help file for the Support Tools.
NETDOM
Finally, let’s spend some time on our last tool, NETDOM. The Windows 2000 Domain Manager, otherwise known as NETDOM, is extremely useful for creating trusts, querying domains for their existing trusts, and adding or removing computers from Windows 2000 domains. Gone are the days when you could create trusts only by getting another administrator on the phone while configuring the trusts from both ends. Using NETDOM, you can easily configure two-way trusts between NT 4 domains and Windows 2000 domains. You can create shortcut trusts between domains in different trees of the same forest to expedite browsing. Being a Windows Icon Mouse Person (WIMP), I prefer to use the graphical user interface tools myself, but I know many NT (and Unix) administrators who believe that the command prompt is the only true form of administration. If you fall into this category, then NETDOM.exe was made for you. There is too much syntax for this command to cover fully here, but I’ll explain the basic commands that you are likely to use during a migration. NETDOM can be used for the following functions:

Add Windows 2000 computers to a domain. NETDOM can add Windows 2000 computers to Windows 2000 or NT 4 domains and can be used to specify the destination OU for the computer account in Windows 2000 domains.

Establish trust relationships. NETDOM can create one-way or two-way trusts between NT 4 domains and Windows 2000 domains. It can also create transitive trusts between Windows 2000 domains to be used as shortcuts between domains in the same forest for faster browsing of Active Directory.

Verify and/or reset the secure channel between computers. This one is a little more arcane. NETDOM can verify or reset the secure channel of communication between either member servers and workstations within a domain or BDCs with the PDC in NT 4 domains.

Manage trust relationships. NETDOM can be used to enumerate all trusts that currently exist for a given domain, including indirect trusts within a Windows 2000 forest.

NETDOM is installed as part of the Windows 2000 Support Tools. If you followed the steps in the ClonePrincipal section of this chapter to install the Support Tools, then you already have NETDOM installed. To use NETDOM to add a computer to a domain, use this syntax:

Netdom ADD /d:<domain name> /OU:

If the OU is not specified, then the computer will be added to the Computers container in the domain.
If you want to add the computer to an OU other than the default Computers container, you will need to include the /OU switch and specify the full distinguished name for the OU.
To use NETDOM to join a computer to a domain, use this syntax:

Netdom JOIN /d:<domain name> /OU:

To remove a computer from a domain using NETDOM, the syntax is very similar to that for adding a computer:

Netdom REMOVE /d:<domain name> /ud:<domain\user name> /pd:<password>

To move a computer account from one domain to another without having to first remove the account from one domain and then create the same computer account in the new domain, use this syntax:

Netdom MOVE /D:<domain name> /OU: /Ud:<destination domain user> /Pd:<destination password> /Uo:<user for the computer to be moved> /Po:<password for computer to be moved> /Reboot

When moving a computer running Windows NT 4.0 or earlier to the domain, the operation is not transacted. Thus, a failure during the operation could leave the computer in a limbo state where it doesn’t belong to any domain. When moving a computer to a new domain, the old computer account in the previous domain is not deleted. If the prior domain is a Windows 2000 domain, the old computer account is disabled. The act of moving a computer to a new domain creates an account for the computer in the target domain, if it does not already exist.

To reset the secure channel between a computer and its domain, use this syntax:

Netdom RESET /d:<domain name>

For this command, it doesn’t matter which OU the computer is in, as the secure channel is between the computer and the domain itself, not the OU.

Netdom QUERY /D:<domain name> /Ud:<user name> /Pd:<password> [/Verify] [/Reset] [/Direct] {WORKSTATION | SERVER | DC | OU | PDC | FSMO | TRUST}
This syntax retrieves membership, trust, and other information from a domain. The WORKSTATION, SERVER, DC, and OU commands query the domain for the lists of, respectively, workstations, servers, domain controllers, or organizational units under which the specified user can create a computer object. PDC, FSMO, and TRUST query the domain for, respectively, the current primary domain controller, list of FSMO owners, or list of its trusts. NETDOM QUERY is a very powerful command. This option will provide you with much of the information you need while planning your migration from NT 4 to Windows 2000. It will very likely appear on the exam in some form. It will certainly be a valuable tool in the real world. To query the trusts for a given domain, use the following command with NETDOM:

NETDOM query trust /Domain:<domain name> /UserD:<user name> /PasswordD:<password or *>

This command queries the domain named with the /Domain switch to determine the trusts in use. The /UserD switch gives the name of the user to use for the query, which should normally be an administrator account. When you use the /UserD switch, you should accompany it with the /PasswordD switch. With /PasswordD, you can either enter the actual password of the user account or enter an asterisk (*), which tells NETDOM to prompt you for the password in a more secure format. NETDOM can be used to change the time settings of servers within a domain using the following syntax:

Netdom TIME /D:<domain name> /Ud:<user name> /Pd:<Password> /Uo:<user name> /Po:<password> [/Verify] [/Reset] [WORKSTATION] [SERVER]

The WORKSTATION and SERVER switches verify or reset the time for, respectively, all the workstations or domain controllers in a domain. And of course, I’ve saved the best for last.
To use NETDOM to manage and configure trust relationships, use this syntax:

Netdom TRUST <trusting domain name> /D:<trusted domain name> /Ud:<user name> /Pd:<password> /Uo:<user name> /Po:<password> [/Verify] [/Reset] [/PasswordT:<new trust password>] [/Add] [/Remove [/Force]] [/Twoway] [/Kerberos] [/Transitive[:{yes | no}]]

This syntax establishes, verifies, or resets a trust relationship between domains. The /PasswordT switch is used to define a relationship with a new non-Windows Kerberos realm. A realm is an area of authority controlled by a Kerberos server for security. The /Kerberos switch itself is used to specify that Kerberos authentication should be used to establish the trust if one of the domains is not a Windows 2000 domain. Let’s look at an example of NETDOM creating a trust between Resource1 and the root domain of sprockets.local. To create this trust, use the following syntax with the NETDOM command:

NETDOM TRUST /d:sprockets resource1 /ADD /Ud:sprockets\administrator /Pd:* /Uo:resource1\administrator /Po:*

This command consists of the following parts:

TRUST  Tells the NETDOM command that you are working with a trust relationship.

/d:sprockets  This is the name of the target domain in the new Active Directory structure. In the example, the name of the root domain is Sprockets, so that is the name I used.

Resource1  This is the name of the resource domain in the old network, or the “trusting” domain.

/ADD  Tells NETDOM that you want to create a trust between these two domains.

/Ud:sprockets\administrator  Specifies the user name to use for the target domain end of the trust.

/Pd:*  Tells NETDOM to prompt for the password for the sprockets\administrator account.

/Uo:resource1\administrator  Specifies the user name for the resource domain end of the trust.

/Po:*  Tells NETDOM to prompt for the password for the resource1\administrator account.

The NETDOM TRUST command will establish a one-way trust from Resource1 to sprockets so that user and group accounts in sprockets can access resources in the resource1 domain. If you want this trust to be bidirectional, add the /TWOWAY switch immediately after the /ADD switch. For more information regarding the specific use and syntax of the NETDOM command, please consult the online Help files for the Windows 2000 Support Tools.

EXERCISE 7.12
Migrating Accounts Using the Migration Tools

This exercise assumes that you have access to at least two computers capable of running Windows 2000 Server. One may be installed with NT 4 Server as a PDC. The other should have Windows 2000 Server installed as a domain controller of its own domain. The specific instructions for installing and configuring these tools can be found throughout this chapter.
1. Install ADMT on the Windows 2000 domain controller using the directions provided earlier in this chapter.
2. Install the Windows 2000 Support Tools using the directions provided earlier in this chapter.
3. Use NETDOM to create a two-way trust between your two domains.
4. Configure auditing in both domains for Account Management success and failure.
5. Add the special local group on the Windows NT domain controller, domain_name$$$.
6. Create some test user accounts and global groups in the source domain using User Manager for Domains if running NT or Active Directory Users and Computers if running Windows 2000.
7. Use ADMT to run the Reporting Wizard to determine the name conflicts between the domains. The only conflicts should be the built-in groups and accounts.
8. Use ClonePrincipal to copy the global groups and users from the source domain to the target domain using the Cloneggu.vbs script.
9. Verify that the users were migrated successfully by logging on to the target domain using one of the cloned accounts. Then log on to the source domain using the same accounts to verify that they still work in the source domain.
Troubleshooting the Migration Tools
Most of the troubleshooting you will have to use with these migration tools will be related to the configuration required for each tool. For instance, when installing and configuring ADMT, you must install the tool on a domain controller in the target domain. Failure to do so will generate some errors that may be difficult to track down.
Microsoft Exam Objective
Troubleshoot tool issues for domain restructures. Considerations include ADMT, ClonePrincipal, NETDOM, MoveTree, and Windows 2000 Resource Kit tools.
To protect you from errors that could impede migration, let’s look individually at each of the tools introduced in this chapter. The following portion of the chapter is probably just as important as the section on understanding how to configure the tools themselves. More often than not, we find ourselves having to work out glitches to keep projects moving smoothly.
Troubleshooting ADMT

Active Directory Migration Tool comes with a fairly thorough Help file, which actually contains a useful Troubleshooting section. There are 22 different troubleshooting scenarios listed in this Help file, and nearly all of them have to do with improper ADMT configuration. This leads me to believe that if you are receiving any kind of error with ADMT, you should spend some time verifying the setup of the tools. You should also check your spelling, as the computer will take your command literally, as computers usually do.
The troubleshooting that I had to do while working with ADMT the first few times always involved authenticating the user accounts I was using for the operations. Please make certain that you have correctly established the trusts to communicate between your domains. You will need to have administrator accounts and/or permissions in both domains. If you have Exchange Server installed in your domain, you will have an additional issue to configure. When ADMT migrates the service account for Exchange, it correctly updates all of the information for the account, including the SIDHistory attribute. But Exchange Server will fail to start after the migration because the service account must also be updated within Exchange Server. Use the Exchange Administrator console to update the service account to the new account within the target domain.
Troubleshooting ClonePrincipal

ClonePrincipal won’t be quite as troublesome from one point of view: It works by copying the accounts to a new location. You can always fall back to using the old accounts on the source domain if something goes wrong with the new accounts. But if something does go wrong, you will have two main sources of information. First of all, ClonePrincipal logs all operations. The log file is located in %SystemRoot%\debug and is called clonepr.log. Check this file for more detailed information if and when you have a problem with ClonePrincipal. The other source of information at your disposal is the Security log in Event Viewer. Since one of the configuration requirements is to enable auditing on both the source and target domains, you will have an audit trail of everything that ClonePrincipal did while cloning accounts. ClonePrincipal directs quite a bit of information to stdout, or your monitor screen, while it is running. It is possible, and recommended, to redirect this output to a file for later review in case of problems. You can redirect the output by using the following form:

cscript script.vbs options > scriptname.txt

The greater-than (>) operator tells the command prompt to send the output of a command to another location, in this case a text file. Using this method enables you to save any messages that are generated by ClonePrincipal while it is running.
Troubleshooting NETDOM

The troubleshooting for NETDOM falls under the heading of simple network troubleshooting. Sort of. If you are using NETDOM to manage or create trusts, you will need to verify the configuration requirements for trust relationships. Check that the domain controllers and the domains have unique SIDs and that the PDC and/or PDC Emulators can communicate across the network. Also make sure that they don’t have a current network session established. The only other troubleshooting to be done with NETDOM is to make sure that you entered the correct syntax and user credentials. Accurate typing is vital, especially since you have to deal with potentially long command lines. I find it useful to double-check my spelling and syntax before pressing the Enter key. Spending a little time up front being careful can actually save quite a bit of time in the long run. Consult the online Help for the Support Tools for more detailed descriptions of the syntax for the NETDOM command.
Summary
In this chapter, you learned how to install, configure, and use some of the migration tools for Windows 2000. We started by talking about Active Directory Migration Tool (ADMT), which will probably be one of your most important tools during your migration. We then explained how to use ClonePrincipal for copying security principals from one domain to another, updating the SIDHistory attribute of the accounts while leaving the original accounts intact. You also learned how to migrate user and group accounts from a source domain to a Windows 2000 target domain. You learned how to use ClonePrincipal to copy user and group accounts to the target domain without disrupting the original accounts. Then you learned how to use Active Directory Migration Tool to migrate user and group accounts to the Windows 2000 target domain. We finished the chapter by looking at troubleshooting techniques for the major migration tools.
Key Terms

Before you take the exam, be sure you’re familiar with the following terms:

Active Directory Migration Tool
ClonePrincipal
NETDOM
realm
Relative ID Master
Relative Identifier (RID)
translation
Take about 10 minutes to look over the information presented and then answer the questions at the end. In the testing room, you will have a limited amount of time; it is important that you learn to pick out the important information and ignore the “fluff.”
Background You have been given the task of migrating your network from Windows NT 4.0 to Windows 2000 Server. After doing some research, you decide to build a pristine Windows 2000 environment and use ADMT to perform the migration.
Current System Your current network consists of 750 users in three NT domains spread out over three locations. Each location has at least two servers (a PDC and a BDC) that are capable of supporting Windows 2000 Server. The trust relationships follow a complete mesh model.
Goal Your Windows 2000 design calls for merging the three NT domains into one Windows 2000 domain.
Questions

1. You want to confirm and document the trust relationships currently configured on your network. Which of the following tools would you use? (Choose all that apply.)
A. ADMT
B. ClonePrincipal
C. NETDOM
D. Windows NT User Manager for Domains

2. You have been rather lax in applying service packs to your Windows NT 4.0 Servers. What is the earliest version of the service pack necessary to allow the ADMT agent to run?
A. 2
B. 3
C. 4
D. 5

3. Build list and reorder: You have put together a list of tasks that must be accomplished to prepare for running ADMT. Place them in the order that they should be performed.

Task
Disconnect any active sessions between domains.
Run the Reporting Wizard.
Edit the Registry on the source PDC.
Place the target domain in native mode.
Create <SourceDomainName>$$$ local group in the source domain.

Answers

1. C, D. Which tool you choose is really dependent upon your personal tastes—NETDOM is a command-line utility and User Manager for Domains is GUI-based.

2. C. ADMT requires Service Pack 4 or greater on NT 4.0 Servers and Service Pack 5 or higher on NT 3.51 Servers.

3.
Task
Place the target domain in native mode.
Create <SourceDomainName>$$$ local group in the source domain.
Edit the Registry on the source PDC.
Disconnect any active sessions between domains.
Run the Reporting Wizard.
Review Questions

1. You are planning to use Active Directory Migration Tool (ADMT) to assist with your migration from NT 4 to Windows 2000. Where should you install ADMT?
A. On the PDC of the source domain
B. On the PDC of the target domain
C. On any domain controller in the source domain
D. On any domain controller in the target domain

2. You’ve read that it’s important to synchronize the time on your servers when using ADMT. What happens if you fail to do this?
A. The migration will fail.
B. The audit records will be inaccurate.
C. Directory replication will fail.
D. Nothing will happen; operation will continue normally.

3. How does ADMT work with remote systems in the source domains?
A. It dispatches SMTP messages that tell the system administrator what to configure.
B. It sends RPCs over TCP/IP to directly edit the Registry on the remote system.
C. It dispatches a software agent to perform the assigned tasks.
D. It uses DHCP and DNS to update the system entries in WINS.

4. Which component of ADMT will enable you to switch the current settings for local profiles to use the new SID of the migrated user account?
A. User Migration Wizard
B. Security Translation Wizard
C. Trust Migration Wizard
D. Group Migration Wizard

5. What kind of scripting does ClonePrincipal use by default?
A. Java
B. ActiveX
C. Visual Basic
D. Perl

6. Which of the sample scripts provided with ClonePrincipal could you use to clone just the global groups from a source domain to a target domain?
A. Cloneggu.vbs
B. Clonepr.vbs
C. Clonegg.vbs
D. Clonesec.vbs

7. How can NETDOM assist with the migration process? (Choose all that apply.)
A. It can synchronize the system clocks of servers.
B. It can enumerate the existing trusts for a given domain.
C. It can add or remove trust relationships.
D. It can migrate user accounts from NT 3.51 to Windows 2000.

8. You suspect that the secure channel of communication has been broken between an NT 4 Workstation computer and its Windows 2000 domain controller. Which tool should you use to reset this secure channel?
A. ChannelReset
B. ClonePrincipal
C. NETDOM
D. ADMT

9. You have been trying to use ClonePrincipal to copy some user accounts to your target domain. You suspect that the SIDHistory attribute has not been updated. What could be the reason for this?
A. The target domain is not in native mode.
B. The source domain is not in native mode.
C. The target domain is not in mixed mode.
D. The source domain is not in mixed mode.

10. You are using ClonePrincipal and are having random errors during the processing of some user accounts. Where can you look for greater detail in error reporting for ClonePrincipal?
A. The Windows 2000 Resource Kit
B. The clonepr.log file
C. The System log in Event Viewer
D. The online Help file for Windows 2000

11. You want to move an existing Windows 2000 computer into your Windows 2000 domain, in an OU created specially to hold your computer accounts in the Research department. Which migration tool could you use to do this?
A. NETDOM
B. ClonePrincipal
C. Move Tree
D. ADSIEdit

12. You are planning to perform an intra-forest migration using ADMT. On which one of the Flexible Single Masters of Operations roles should you install ADMT?
A. The PDC Emulator
B. The RID Master
C. The Infrastructure Master
D. The Schema Master

13. You are planning to use ClonePrincipal to assist with your network migration. Which group should you create to assist with the auditing process during the cloning?
A. A global group called target_domain$$$
B. A global group called source_domain$$$
C. A local group called target_domain$$$
D. A local group called source_domain$$$

14. Which migration tool would you use to create trust relationships between two Windows NT 4 domains?
A. ADMT
B. User Manager for Domains
C. NETDOM
D. ADSIEdit

15. You are attempting to use Active Directory Migration Tool to migrate some user accounts from the source domain to the new target domain, but something has gone wrong and the migration is interrupted before it can complete. What should you do next? (Choose all that apply.)
A. Try using the Undo Wizard to roll back the changes that have been made.
B. Try using the Retry Tasks Wizard to complete the migration.
C. There’s no way to recover the accounts; you’ll need to re-create them in the target domain manually.
D. You have tape backups, don’t you?

16. You are planning to migrate your company network to Windows 2000, but you are concerned about the wisdom of moving the accounts to the new Windows 2000 domain and not providing some kind of fallback position in case the migration fails. Which tool could help to create new accounts in Windows 2000 without destroying the old accounts?
A. ADMT
B. ClonePrincipal
C. Move Tree
D. NETDOM

17. You have successfully migrated all of your domains to Windows 2000. Now you want to collapse some of your network structure into a single domain. Which command-line tool will assist you in collapsing your domain structure?
A. ADMT
B. ClonePrincipal
C. Move Tree
D. NETDOM

18. You are migrating to Active Directory and are trying to move user accounts used by services to a new Windows 2000 domain. Which tool would safely migrate these accounts to a new domain?
A. Move Tree
B. Service Account Migration Wizard
C. User Migration Wizard
D. Exchange Directory Migration Wizard

19. When using Active Directory Migration Tool to migrate user accounts, how will duplicate accounts be handled?
A. That depends on the configuration selected during the wizard.
B. All duplicate accounts will be deleted.
C. All duplicate accounts will be renamed.
D. Windows 2000 permits accounts to have the same names, because it uses the account’s SID to tell the difference.

20. Which of the following are benefits of using ClonePrincipal to copy user accounts to a target domain? (Choose all that apply.)
A. There is no disruption of the production environment.
B. Security access is maintained automatically using the SIDHistory feature.
C. Duplicate accounts are automatically deleted.
D. Multiple groups from different domains can be merged into the
Answers to Review Questions

1. D. ADMT must be installed on a domain controller in the target domain. Since Windows 2000 uses multi-master replication, any domain controller will do.

2. B. Auditing is required in both the source and the target domains when using ADMT. Having the system clocks synchronized helps to ensure that the audit records will be accurate.

3. C. ADMT dispatches an agent to perform various tasks on the remote system, using the supplied user credentials.

4. B. The Security Translation Wizard will change the SID used by the local computer profiles to the new SID of the migrated account in the target domain.

5. C. ClonePrincipal uses the Visual Basic Scripting Edition for its default scripting language.

6. C. The clonegg.vbs script will enable you to clone all of the global groups from the source domain to the target domain.

7. A, B, C. NETDOM can perform all of the tasks outlined in answers A, B, and C.

8. C. NETDOM can verify or even reset the secure communication channel that exists between member servers or workstations and the domain.

9. A. The SIDHistory attribute is supported only in Windows 2000 domains running in native mode.

10. B. ClonePrincipal creates a detailed log file of its operation. The clonepr.log file is located in %SystemRoot%\debug.

11. A. NETDOM would enable you to join the computer to the domain by creating a new computer account and then installing the necessary shared secret so that the computer would assume its new role as a member of your Windows 2000 domain.

12. B. ADMT will have to communicate extensively with the RID Master while creating new SIDs for migrated accounts. It’s best if you can install ADMT on the RID Master to avoid a heavy impact on network traffic.

13. D. For auditing purposes, you must create a local group in the source domain with the name of the source domain followed by three dollar signs ($$$).

14. C. NETDOM can also create and manage trust relationships for NT 4 domains.

15. A or B. Answer B would be the best option at this point, as the Retry Tasks Wizard may be able to safely complete the migration. If this doesn’t work, then answer A would be appropriate—to attempt to roll back the changes.

16. B. ClonePrincipal works by copying the original accounts to a new Windows 2000 domain, leaving the original accounts intact.

17. C. Move Tree enables you to move sections of an Active Directory tree to new locations elsewhere in the same tree. This means you could easily move an OU from one domain to another in the same tree, collapsing the structure into a single domain if you wish.

18. B. The Service Account Migration Wizard will move the service accounts to the new domain without losing the passwords or necessary rights and permissions.

19. A. You must tell the wizard how to handle the duplicate entries. Options include aborting the migration of those accounts, overwriting the target account, and renaming the new account.

20. A, B, and D. All three of these answers are features of using Clone-
Planning for Disaster Recovery

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:

Perform test deployments of intra-forest migrations and inter-forest migrations.

Implement disaster recovery plans.

It’s never much fun thinking about all of the things that can go wrong with a project. But in the case of an operating system migration, you need to have a contingency plan just in case the unthinkable happens. Have you ever found yourself in the position of knowing the hard disk in your computer just failed and wondering how current your backups are? Or maybe you were wondering if you even had backups. This chapter will examine some of the methods you can use in Windows 2000 to prepare for disaster recovery. You will learn how to use the Recovery Console to recover from various problems with your Windows 2000 Servers. You’ll also learn how to prepare a recovery plan for your Windows 2000 migration, including how to give yourself a way to return safely to the original configuration of your network.
Avoiding the Unknown
Disaster recovery is an interesting specialty in the Information Technology (IT) field. When you are planning for disaster recovery, you are trying to plan for the unknown. You are attempting to think of any possibility for failure in your systems and to find a way to handle the problem just in case it really happens. Consider for a moment just how bad this can get. In this day of .com startups and initial public offerings of stock, these companies frequently have a product that exists solely as a set of data on their server. What if such a company were performing daily tape backups of all of this data, believing this made them safe? When their drives failed in the server one day, they’d think, “No problem, we’ll just restore from tape,” only to discover that their tapes were blank.
Microsoft Exam Objective
Implement disaster recovery plans.
Restore pre-migration environment.
Roll back implementation to a specific point.
No backup is ever good until it has been tested by a trial restore. I actually heard of a company where the previous example happened. In their case, they were diligently performing every necessary step to back up every day. But they never tested the tapes, and when they needed them they lost everything the company had because the tapes didn’t record the data. What would help in this situation, from a disaster-recovery standpoint, would be to ask yourself, “What could go wrong?” Once you’ve thought of everything that could possibly go wrong, try to think of some more things that could happen to interfere with your process. This is merely a “nutshell” description of disaster recovery, since you could easily write whole books devoted to the topic, but it will serve as a starting point to discuss the features in Windows 2000 that can help you recover your network from a failed migration. First, let’s take a look at some areas that will affect your overall migration planning.
Reviewing Your Plans

You’ve heard me say it before: Plan things out. When referring to disasters, it’s impossible to plan when or what they will be. However, it is possible—and suggested—to plan as much prevention and recovery as possible. There are two ways to deal with disasters: disaster prevention and disaster recovery. Most of the time, they are very interrelated. Even the best-laid disaster-prevention plans don’t prevent crashes—they just hope to minimize the damage. When reviewing migration plans for disaster prevention and recovery, I find it helpful to break the plan down into four categories: hardware, software, infrastructure, and personnel. Whether this system works for you or not will be a matter of experience. However, I believe that a structured approach to disaster-recovery planning will help you to avoid overlooking some important detail.
Hardware

There are numerous ways to protect your systems with hardware, from redundant hardware devices (such as hard disks, fans, and even CPUs), to RAID, to clustering. This is an area that will quickly go beyond the scope of this single book, but a few topics should be introduced here. Most will be highly dependent upon the server hardware you have chosen and will be supplied by the computer vendor. But we do need to discuss Redundant Arrays of Inexpensive Disks (RAID). RAID is more often proactive (preventive) than reactive (recovery), but it is a valuable part of any network and needs to be considered during migration. RAID has several levels of protection and can be implemented in either hardware or software. The Windows 2000 Server family (Server, Advanced Server, and Datacenter Server) supports software RAID; Windows 2000 Professional cannot create the fault-tolerant (mirrored or RAID 5) volumes. All versions of Windows 2000 support hardware-based RAID, since the operating system sees only the volumes presented to it by the RAID controller. For the exam, you will need to understand the software implementation of RAID as provided by Windows 2000. Windows 2000 provides RAID levels 0, 1, and 5. Table 8.1 describes some of the properties of the different levels.

TABLE 8.1 Properties of RAID Levels Supported by Windows 2000
RAID 0 is called disk striping. Striping provides very high performance for both reading and writing because the data is written in layers, or stripes, across multiple physical disks at the same time. Because the stripes are distributed across multiple physical disks, Windows 2000 can retrieve multiple pieces of data, one from each physical disk, without having to wait for each request to be fulfilled in turn. Striping gives you the fastest performance of any volume type available in Windows 2000, but it is not fault tolerant. Fault tolerance is the ability to sustain an error (fault) or the complete failure of a single disk while keeping the data accessible. If you are using RAID 0 and one disk fails, you lose all of the data on the RAID 0 set.

RAID 1 is called mirroring because it uses two physical disks to hold identical copies of the data. Mirroring is a good form of fault tolerance because if a single disk fails, the other disk in the mirror set still has the exact same data. You can install and operate Windows 2000 on a mirrored disk. Because of this, mirroring is the only form of software-based fault tolerance available to the Windows 2000 system and boot files. You might also see the term disk duplexing. Disk duplexing is the same as mirroring, except that the two drives are attached to different controllers, so the set also survives the failure of one controller. Windows 2000 does not differentiate between mirroring and duplexing, as they provide essentially the same level of disk fault tolerance. Just know that if you create a mirror set but the drives are on different controllers, you are really creating a duplex.

Many people consider RAID 5 the king of fault tolerance because it combines high performance for disk reads with superior fault tolerance. RAID 5 is called striping with parity because the data is layered across multiple physical disks, just like striping, but each stripe also carries a block of error-correction data called parity that can be used to reconstruct the data in the event of a single disk failure. Writing tends to be slower than for other volume types because Windows 2000 must compute the parity information for each stripe that it writes. Read performance is outstanding because RAID 5 reads just like a stripe set; the parity blocks are simply skipped. If a single disk fails in a stripe set with parity, the remaining data and the parity information combine to re-create the missing data on the fly. Be aware that every read that would have touched the failed disk now requires reading every other disk in that stripe, so performance drops until the set is repaired. If multiple disks fail in a stripe set with parity, you must restore from a backup.

EXERCISE 8.1
Creating a Fault-Tolerant Disk Set To create a fault-tolerant disk set in Windows 2000, follow these steps:
1. Open Computer Management by clicking Start Programs Administrative Tools Computer Management.
2. Expand the Storage node in the left pane and click Disk Management. You should see something similar to the following graphic.
3. Right-click an area of unallocated disk space and select Create Volume from the context menu. This will open the Create Volume Wizard. Click Next to proceed.
4. Specify the type of volume to create. Click Next.
5. Select the disks that will participate in this fault-tolerant set. Windows 2000 will accept any areas of unallocated space to become new volumes, but the number of areas selected will determine the type of volume that can be created.
6. Enter the volume size. This will set the amount of space used on each disk to create the set.
7. Assign a drive letter or a path to the new fault-tolerant set. Windows 2000 will permit you to use a path instead of a drive letter if you wish. To do this, the path must exist on an NTFS volume and point to an empty folder.
8. Format the volume with whichever file system you plan to use for the set. NTFS has the most fault-tolerant properties of the supported file systems and should be used in most cases. Fault-tolerant sets created in Windows 2000 will not be available to any other operating system on the computer.
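The single-disk reconstruction described above can be worked through in a few lines. The following Python model is an added example, not code from this book or from Windows 2000: it lays data out in stripes with an XOR parity block that rotates across the disks (Windows 2000's actual on-disk layout is not reproduced), rebuilds a block from a missing disk during a read, and refuses the read once two disks are gone, which is the point at which the text says only a backup can help. The disk count, block size, and sample payload are arbitrary choices for the demonstration.

```python
"""RAID 5 (striping with parity) modelled in Python.

Added illustration, not Windows 2000 code: parity is the XOR of the data blocks
in a stripe and rotates across disks, so one lost disk is rebuilt from the rest
and a second loss is unrecoverable.
"""
from typing import List, Optional

Disk = Optional[List[bytes]]          # None models a failed (missing) disk


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-sized blocks together; used both to make and to use parity."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, ndisks: int, block_size: int) -> List[Disk]:
    """Lay data out in stripes of ndisks-1 data blocks plus one parity block."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = (ndisks - 1) * block_size
    data += b"\x00" * (-len(data) % per_stripe)     # pad to whole stripes
    disks: List[Disk] = [[] for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i * block_size:(i + 1) * block_size]
                  for i in range(ndisks - 1)]
        parity_disk = s % ndisks                    # rotate parity across disks
        queue = iter(blocks)
        for d in range(ndisks):
            disks[d].append(xor_blocks(blocks) if d == parity_disk else next(queue))
    return disks


def raid5_read(disks: List[Disk], length: int) -> bytes:
    """Read the data back; rebuild any block that sat on a failed disk."""
    ndisks = len(disks)
    alive = [d for d in disks if d is not None]
    if len(alive) < ndisks - 1:
        raise RuntimeError("more than one disk failed; restore from backup")
    out = bytearray()
    for s in range(len(alive[0])):
        parity_disk = s % ndisks
        for d in range(ndisks):
            if d == parity_disk:
                continue                            # parity is not user data
            if disks[d] is not None:
                out += disks[d][s]
            else:
                # Degraded read: the missing block is the XOR of every other
                # block in the stripe, parity included. This touches every
                # surviving disk, which is why a degraded set is slow.
                out += xor_blocks([disks[o][s] for o in range(ndisks) if o != d])
    return bytes(out[:length])


if __name__ == "__main__":
    payload = b"Striping with parity keeps serving data after one disk fails."
    array = raid5_write(payload, ndisks=4, block_size=8)
    array[1] = None                                 # disk 1 dies
    print(raid5_read(array, len(payload)) == payload)
```

Knock out a second disk in the array and `raid5_read` raises instead of returning silently corrupted data; that failure is the moment the restore procedures later in this chapter exist for.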
RAID can also be implemented in hardware, which is by far the better solution. When Windows 2000 is responsible for managing the fault tolerance, it places an additional load on the system. A hardware RAID solution, on the other hand, manages the fault tolerance entirely on the hardware disk controller. A RAID controller typically has a dedicated processor and memory to handle the fault-tolerance operations of reading and writing to the sets. The operating system on a computer with hardware RAID sees only the volumes that the hardware controller has already created and treats each of those sets as a single volume. Why doesn't everyone use hardware RAID if it's so much better than software RAID? The answer is simple: hardware is expensive, and the software version is free.

Windows 2000 also incorporates new types of partitions, though the changes appear to be mostly semantic at first. Windows 2000 still supports the original partitioning that we've used for years but calls those partitions basic disks. On a basic disk, you can have a maximum of four partitions. These partitions can be a mixture of primary and extended partitions, though there can be only one extended partition per disk. The reason for the limitation is that the partition information is stored in the partition table, which is contained in the Master Boot Record (MBR) of the disk. Because the space is limited in the MBR, we have a limitation on the number of partitions allowed.

The new types of partitions in Windows 2000 are called dynamic disks. A dynamic disk can support an unlimited number of volumes. A volume is a logical division of a dynamic disk similar to a partition. Dynamic disks can have a larger number of divisions because the partitioning information is stored in a space at the end of the drive. When you convert a basic disk to a dynamic disk, you must leave 1MB of free space at the end of the drive to contain the partition information for the dynamic disk. Another way that Windows 2000 supports unlimited volumes on a dynamic disk is that you are no longer required to use a drive letter for a partition. Windows 2000 enables you to mount a volume on any empty folder on an NTFS volume. This means that what appears to be a folder on your NTFS volume may actually be a RAID 5 array.

Windows 2000 supports mirror sets and RAID 5 stripe sets with parity on computers that have been upgraded from NT 4. There are some limitations, however. You can repair, break, or delete mirror sets on a basic disk, but you cannot create a mirror set on a basic disk. The same is true of RAID 5 stripe sets with parity. To create either a mirror volume or a RAID 5 volume, you must create them on a dynamic disk in Windows 2000. If you have upgraded your server from NT 4 to Windows 2000, you can convert your basic disk RAID sets to dynamic disks without losing data.

EXERCISE 8.2
Converting a Mirror Set to a Dynamic Disk To convert a mirror set to a dynamic disk, use the following steps:
1. Open Computer Management in the Administrative Tools group.
2. In the left pane of the Computer Management screen, expand the Storage node.
3. Click Disk Management. The Computer Management console should look similar to the following graphic.
4. Right-click the disk label beside the disk you want to convert. The disk label is in the right pane to the left of the partition information and contains the information that describes the physical disk. Select Upgrade To Dynamic Disk from the context menu.
5. The Upgrade to Dynamic Disk dialog box shown in the following graphic opens. Place a check mark beside the basic disks you wish to convert to dynamic disks. Click OK.
6. The Disks to Upgrade dialog opens to ask for confirmation on the actions to be taken. If you are satisfied with the actions that it reports, click OK. Your basic disks will now be converted to dynamic disks.
Windows 2000 can attempt to repair a damaged mirror volume or RAID 5 volume. If a single disk has gone offline, Disk Management will display the offline disk with the status Missing, Offline, or Online (Errors). If the disk in one of your RAID sets displays any of these messages, right-click the damaged disk and select Reactivate Disk from the context menu. Windows 2000 will attempt to correct any errors on the disk and bring it back online as part of your RAID set. If this doesn't return the status of the disk to Healthy, you will have to repair the RAID set by replacing the failed disk.

If one of the physical disks in a RAID 5 volume fails, replace the physical disk and right-click the RAID 5 volume in Disk Management. Select Repair Volume from the context menu to start a wizard that will enable you to pick a new disk to replace the failed disk.

If one of the disks in a mirror volume fails, right-click the failed disk in Disk Management and select Remove Mirror from the context menu. This will break the mirror volume association between the two physical disks. Replace the physical disk that has failed. In Disk Management, right-click the remaining disk from the original mirror set and select Add Mirror from the context menu. This will start a wizard that will enable you to select the new disk to replace the failed disk. The new mirror is not protecting you until Disk Management has finished copying the data and shows the volume as Healthy; until then, a failure of the surviving disk still loses the data.
It is important to remember that mirror volumes and RAID 5 volumes can only be created in Windows 2000 using dynamic disks.
Software

Even when implementing fault-tolerant solutions like RAID, you must still take other measures. When we talk about disaster recovery in terms of software, we're usually talking about backup programs. Windows 2000 contains an improved Backup program. You can start the program by clicking Start Programs Accessories System Tools Backup. The window shown in Figure 8.1 appears, giving you immediate access to the Backup Wizard, the Restore Wizard, and the Emergency Repair Disk.

FIGURE 8.1 The Windows Backup opening dialog
This edition of the Backup program in Windows 2000 is actually quite good, with many improvements over the old NT Backup. For instance, you can now back up to any available drive, even network drives and removable media. You can schedule backup operations using the integrated graphical
schedule utility. I love that part the most. The ability to back up to removable media means that your rewritable CD is now a valid backup device without additional third-party software. The information that you really need for the exam involves the backup and restore of the system using the Windows Backup program. Backing up data works pretty much the same way that it did in the old NT Backup utility. If you want to perform a manual backup job (as in not using the wizard to set up the job), click the Backup tab, as shown in Figure 8.2. Here you can check the boxes beside any drive you want to back up, or you can expand drives to back up individual files and folders.

FIGURE 8.2 The Backup tab of the Windows Backup utility
The checkboxes have three states. That is, they indicate three separate selection types. A white background with no check mark means that nothing is selected. A white background with a check mark means that everything within that drive or folder will be backed up. And a check mark on a gray background means that some of the contents of the drive or folder are selected, but not all of them. You can back up and restore any drive that can be accessed by Windows 2000, including network drives.

The most important aspect of backup and restore for servers is a new option to back up or restore the System State. The System State is the current configuration of the server, including the following:

Active Directory This is the heart of the domain information for a domain controller—or maybe even the entire forest. This database contains all of the objects in the Active Directory: all users, computers, groups, and policies.

Boot files These are the files required to boot Windows 2000 and are typically located in the root of the C: drive. Specifically, they include NTLDR, NTDETECT.COM, and BOOT.INI.

COM+ Class Registration Database This database contains the registration information for program components that follow the Component Object Model programming specifications.

Registry This database holds configuration information for the local computer and users. It contains all of the information needed to run Windows 2000 on the local computer.

Sysvol This shared system folder exists on all Windows 2000 domain controllers. It contains scripts and some of the Group Policy Objects (GPOs) for the domain.

On a server running Certificate Services, the certificate database is part of the System State as well. The system information must be backed up as a single unit; you cannot back up a single component of the System State. Keep in mind that the System State of a domain controller contains the directory database, and with it every account's password hashes, along with the Registry's SAM and LSA secrets. Treat the backup file or tape with the same care as the domain controller itself: anyone who can read the backup has the credentials of the domain.

With the System State information safely backed up, you can recover your domain controller from a complete failure. You would have to reinstall Windows 2000 Server on your computer after repairing whatever hardware caused the failure and then use the Backup program to restore the System State information. This will bring the domain controller back to the state it was in when the System State information was backed up. Any system information that was changed after that time will be lost.
Microsoft references show only the items in the previous list as parts of the System State backup. However, when I ran a backup of the System State on my domain controller, I was surprised to discover that it backed up nearly 300MB of system data! It appears to also back up all of the contents of the Winnt folder and subfolders. This is good in that it will provide a more complete restore, but it isn’t described in the reference materials. Be aware of this discrepancy when you take the exam.
Restoring data is just as easy as backing up. There is a wizard that will walk you through all of the necessary steps, or you can perform the restore manually. The Restore tab of Windows Backup is shown in Figure 8.3. To select data to be restored, simply check the boxes for the drives or folders that you want to restore. These checkboxes have the same three states that the checkboxes on the Backup tab have.

FIGURE 8.3 The Restore tab of the Windows Backup utility
The other main feature of the Windows Backup program is the integrated graphical scheduling program. This feature enables you to create a backup job and schedule it to occur once or at recurring intervals. To schedule a job, double-click the date you want the job to run, and the Backup Wizard will open to help you create the backup job. You will have to specify a set of user credentials to use for the backup job in order to schedule it. The Schedule Jobs tab of the Backup utility is shown in Figure 8.4.

FIGURE 8.4 The Schedule Jobs tab lets you create backup jobs that will run at a later date and time.
Infrastructure

Planning for disaster recovery should always include plans for the infrastructure of your server room. Even if you don't have a real server room, just a couple of servers stuck under someone's desk, you still should think about the infrastructure support for these machines. Things like power, dust, and most of all heat can affect server performance. For any computer that you want to depend on, you should install some sort of power protection. The more important the computer, the more protection you should provide. An uninterruptible power supply (UPS) is a great idea. A UPS contains enough battery power to keep the computer running until either the main power is restored or the computer can be shut down safely. One of my favorite stories to tell in the classroom involves a server that was going down mysteriously every night around 10:00 P.M. The support staff spent several weeks trying to troubleshoot various possibilities, but to no avail. Finally someone was asked to sit by the computer to see what happened each night. At 10:00, the door opened and the janitor walked in, unplugged the server, and plugged in his vacuum cleaner. If they'd had a suitable UPS, this wouldn't have been as much of a problem.

This does bring up another good point, however. No one should be able to simply walk in and turn off a server. Again, if the server is important to your network, then it's worth protecting. Physical access to important servers should always be restricted for security and reliability reasons: whoever can reach the console can power the machine off, boot it from a floppy or CD-ROM, or boot into the Recovery Console and read the disks, regardless of any permissions set in Windows 2000. If you do have a server room, then you're probably aware that temperature is one of your main concerns. Computers generate a great deal of heat, and they don't respond well to rises in temperature. In a data center, one of the greatest concerns is how to apply air conditioning to prevent heat buildup. If you have the server stuck under someone's desk, does it receive proper ventilation? Or does that person pile papers and personal belongings on top of the server until it melts? And as for dust, the big reason for eliminating dust is that it acts like a blanket inside the computer, causing an ever-greater increase in temperature.
Personnel

In my opinion, the most commonly overlooked area of planning for disaster recovery is personnel. Who will take over the work if your team is suddenly out of the picture? I know this isn't a pleasant topic. Far from it in fact, but you need to consider it if you are to do a good job at disaster-recovery planning. Disaster recovery in terms of personnel means cross training your staff so that there are no jobs that only one person can do. This is usually a tough battle to fight, since people want to feel that they are valuable and that the company could never afford to let them go. These people will deliberately avoid sharing skills and knowledge with others because they need to feel irreplaceable. I've seen this attitude often in well-established teams of people. Maybe that's why so many high-tech companies have embraced the mantra of "Change is good." But aside from the gloom of thinking about a valued co-worker not coming back some day, remember that people need to take vacations from time to time. They also get sick. Or their kids get sick. Whatever the cause, you may eventually find yourself short staffed. How will you handle it?
Testing the Deployment

We created a test lab for the migration in Chapter 3, "Planning for the Migration." Your test lab will play a vital part in testing your disaster-recovery schemes as well as the deployment itself. It gives you an opportunity to perform some trial backups and restores to test your disaster-recovery plan.
Microsoft Exam Objective
Perform test deployments of intra-forest migrations and inter-forest migrations.
In the case of creating a disaster-recovery plan, remember that no backup should be considered good until it has been tested. Once you have created a plan for backups, try it out in the test lab where you have created an image of the production environment. This will enable you to back up the system states on your domain controllers and practice restoring them from complete failures. Document your experiences here, as they will be valuable if and when it becomes necessary to perform a real recovery of a domain controller. It will also be a good idea to spend some time working on tape storage procedures. It’s been my experience that tape can go bad at the worst possible moment simply because the moon’s at an unfavorable phase. I’ve told my students to be careful not to have impure thoughts while standing within 10 feet of their tape backups or the tape will go bad. Now, I’m joking with this, sort of. Many types of tape media will go bad easily if not stored correctly. However, there are types of tape that are much more resilient than the older formats. All tapes must be treated carefully if they are to be of any use when the need arises. Periodically, even after the migration to Windows 2000 is complete, pull out a set of backup tapes and use one of the servers in the test lab to perform a trial restore. Verify that your procedures work to restore the full image of the server and also that your tape storage methods are working.
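A trial restore proves more when you know in advance what should come back. The following Python script is an added example, not part of this book and not a feature of Windows Backup: before the backup runs, it records a manifest of every file's SHA-256 hash from the live server (kept somewhere other than the tape), and after the trial restore it compares the restored tree against that manifest, reporting files that are missing or whose content differs. The sample server tree and the three simulated restores (complete, blank tape, truncated file) are constructed inside a temporary directory so the script runs anywhere.

```python
"""Checking a trial restore against a manifest taken before the backup.

Added illustration, not Windows 2000 Backup code: a backup is only proven
good once a restore is compared with what was backed up. The manifest is a
list of SHA-256 hashes of every file, taken from the live server and kept
somewhere other than the tape, so a blank or truncated tape is caught by the
comparison instead of being discovered during a real disaster.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of content, for every file under root."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the pre-backup manifest."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    changed = sorted(rel for rel in manifest
                     if rel in restored and restored[rel] != manifest[rel])
    extra = sorted(set(restored) - set(manifest))   # informational only
    return {"ok": not missing and not changed,
            "missing": missing, "changed": changed, "extra": extra}


def demo() -> dict:
    """Constructed sample: a tiny server tree and three simulated restores."""
    with tempfile.TemporaryDirectory() as tmp:
        server = Path(tmp) / "server"
        (server / "data").mkdir(parents=True)
        (server / "boot.ini").write_text("[boot loader]\ntimeout=30\n")
        (server / "data" / "payroll.xls").write_bytes(b"\xd0\xcf\x11\xe0" * 64)
        manifest = build_manifest(server)            # taken before the backup runs

        good = Path(tmp) / "restore_good"            # the tape recorded everything
        shutil.copytree(server, good)
        blank = Path(tmp) / "restore_blank"          # the tape was blank
        blank.mkdir()
        truncated = Path(tmp) / "restore_truncated"  # one file came back short
        shutil.copytree(server, truncated)
        (truncated / "data" / "payroll.xls").write_bytes(b"\xd0\xcf\x11\xe0")

        return {name: verify_restore(manifest, path)
                for name, path in [("good", good), ("blank", blank),
                                   ("truncated", truncated)]}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "OK" if result["ok"] else "FAILED", result)
```

Hashes rather than sizes or timestamps are used on purpose: a restore that brings back a file of the right length with the wrong bytes is exactly the kind of failure a quick look at a directory listing misses.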
Preparing for the Worst

Okay, so you're preparing for a migration of your network to Windows 2000. It will work fine, right? Probably so. But what if something goes wrong? The mark of a true professional is how well he or she prepares for all possible outcomes. If the server goes down and you find a small mushroom cloud rising from the server rack, people will judge you by how well you recover from adversity. Had enough of the soapbox lecture?

Here are some recommendations for preparing your environment for possible problems encountered during a migration to Windows 2000:

Keep one backup domain controller offline. Pick one of your backup domain controllers to fully synchronize before the PDC is upgraded, then take it offline. This will provide a means of recovery for the domain in case you need to roll back the migration.

Perform a full backup of every server before it is upgraded. A full backup preserves not only the system information, but also the data the server may contain. This measure will provide a safe way to restore the original environment.

Follow your migration plan. You've spent a lot of time preparing documents that detail every step of the process. Makes sense to use them, right?

Document any deviation from the migration plan. In some cases, you will find reasons to change the plan. Decide whether this will be a temporary departure from the migration plan or if the plan needs to be modified. Either way, document your changes.

Set expectations. Let your users and your management know what to expect during the migration. If problems are encountered, keep them informed of the status as well as when they can expect a resolution.

EXERCISE 8.3
Creating a Disaster-Recovery Plan This exercise will be fairly esoteric because we all have different environments to plan for. With that in mind, create a disaster-recovery plan for a single-server upgrade to Windows 2000. Use the following criteria:
You are upgrading a Windows NT 4 primary domain controller. There are two backup domain controllers elsewhere in the building.
There are 500 users in the single domain.
The server has a locally installed tape drive.
The server is located in your office, which is accessible to many people during the day. It is normally locked at night, but the janitorial staff has keys so that they can get in to clean the office.
Create a plan that provides the highest level of preparedness for every possible problem you can foresee. Use the following questions to get started:
1. How can you protect the user accounts from loss during the upgrade?

2. How can you protect the data from loss during the upgrade?

3. How can you protect the server from a power failure?
Restoring the Original Environment
Now we need to consider the unthinkable: what to do when your migration fails. For most of you, this will merely be a thought exercise, since you won't have any problems at all. But some of you will encounter problems during the migration. Frankly, I'd be very surprised if a migration went perfectly as planned, though I'm always happy when it does.
Microsoft Exam Objective
Implement disaster recovery plans.
Restore pre-migration environment.
Roll back implementation to a specific point.
This section looks at ways that you can recover a failed server or even a failed network migration. If you have taken steps to provide a way out of a failure during an upgrade or a migration, then you will be in good shape. If not, then this section may also give you some ideas of things to do to recover your server or your network.
Using Disaster-Recovery Tools

Earlier in this chapter, you learned about the Backup utility in Windows 2000 and how it can be used for backups. You also learned about preparing for migrations by taking a fully synchronized backup domain controller offline prior to the upgrade. Now you will learn some of the ways that Backup and the Recovery Console can be used to restore a server after a partial or complete failure.
Windows 2000 Backup

Windows Backup can be used to restore data, but you already know that. It can also be used to recover deleted objects from the Active Directory. You can use Backup to restore the System State information, restore the entire computer image, or just replace one object that was accidentally deleted from the Active Directory. We'll examine three basic scenarios in turn: a failed domain controller, a damaged Active Directory database, and an authoritative restore of a single object in the Directory.

Restoring a Failed Domain Controller

In the event of a partial or total failure of a Windows 2000 domain controller, you must first make sure that the computer is able to run Windows 2000. This may entail reinstalling the operating system, or it may mean repairing some files to get the machine booting again. You may have to replace hard drives or just believe in my favorite saying, "Fdisk is your friend." (I've never met a software problem that couldn't be solved with Fdisk.) Starting fresh with a new format on the disks is a good idea when recovering a server. This is, of course, assuming that you have a recent backup from which to restore. When you reinstall, use the same drive letter and system folder path (for example, C:\Winnt) as the original installation, because the System State restore puts the files back where they came from. Once Windows 2000 is reinstalled and running correctly, use Windows Backup to restore the System State and all data. Doing so will restore the domain controller to the state it was in when the last backup was run. Use a backup that is newer than the Active Directory tombstone lifetime (60 days by default in Windows 2000); restoring an older one would bring back objects that the rest of the forest has already deleted and forgotten. After the restore has completed, Windows 2000 will perform a couple of tasks when it is rebooted:

Consistency check Windows 2000 will perform a consistency check on the Active Directory database. The database will be verified and re-indexed.

Replication The Active Directory services will replicate with the replication partners in the domain to bring the version of the Directory up to date. This will give it a chance to replicate any changed data and make its version of the Directory current. The File Replication Service will also replicate with its partners to get a current version of any scripts being replicated between servers.

When these steps have been completed, your domain controller will be restored.
Restoring a Damaged Directory

This scenario occurs when the Windows 2000 installation is running normally but the Active Directory database is damaged on that one computer. In this case, you don't have to repair or restore the computer or the operating system, but you do need to restore the Active Directory database. Restart the computer and select Directory Services Restore Mode from the Advanced Options menu, as shown in Figure 8.5. You get to the Advanced Options by pressing the F8 key during boot. In this mode Active Directory is not started, so you log on with the local Directory Services Restore Mode administrator account, using the password you set when the server was promoted with Dcpromo, not with a domain account. Keep that password where the recovery team can find it; without it, the restore cannot even begin.

FIGURE 8.5 Press F8 during boot to access the Advanced Options menu.
Once the computer is restarted in Directory Services Restore Mode, use Windows Backup to restore the latest System State information from the backup. When you restart the computer, Windows 2000 will re-index the Directory database and replicate current information from the other domain controllers.

Performing an Authoritative Restore

An authoritative restore marks the newly restored information as the correct copy to be replicated to all domain controllers. Without this mechanism, any Directory information that had been deleted and then restored would simply be deleted again when replication occurred. With an authoritative restore, you have a very similar situation to the damaged database discussed previously. What's unique here is that the operating system and the Directory are operating normally; you're just trying to replace one or more objects that have been deleted from the Directory.
Before you do an authoritative restore, make sure the data you are restoring needs to overwrite more "current" data on the network. Everything you mark as authoritative replaces the copy held by every other domain controller, so any legitimate change made to those objects since the backup was taken is lost. Mark only the object or subtree you actually need, not the whole database.
Restart the computer and select Directory Services Restore Mode from the Advanced Options menu, as shown previously in Figure 8.5. (You get to the Advanced Options by pressing the F8 key during boot.) Once Windows 2000 is running in Directory Services Restore Mode, restore the most recent System State information that contains the objects you want to restore. Now you have to tell Active Directory that these objects should stay and not be removed when the next replication event occurs. Do this before restarting normally: if the domain controller boots normally and replicates first, the restored objects are deleted again and you have to start the restore over.

EXERCISE 8.4
Marking Objects to Remain during a Replication
To mark the objects, follow these steps:

1. At a command prompt, run Ntdsutil.exe.

2. Type authoritative restore at the ntdsutil prompt. This indicates to Ntdsutil.exe that you want to mark recently restored Directory information as authoritative, that is to say that the restored copy is the real copy and should be replicated to the other domain controllers.

3. Use the command restore subtree to mark the restored objects as authoritative for the Directory. For example, if you had accidentally deleted the Seattle OU of our example company Coolcompany, you would use the command restore subtree OU=Seattle,DC=coolcompany,DC=local to mark the Seattle OU that had been restored from tape, together with everything beneath it, as authoritative. This will cause the restored OU to be replicated to other domain controllers instead of being deleted again when replication occurs. To mark a single object rather than a whole subtree, use restore object with that object's distinguished name instead. Type quit twice to leave Ntdsutil.exe, then restart the domain controller normally so that it can replicate.
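The version-number mechanism that makes the authoritative restore stick can be seen in a small simulation. The following Python is an added example, not Active Directory or Ntdsutil code, and it is a deliberately simplified model: each domain controller is a replica in which a deletion leaves a tombstone with a raised version number, and replication lets the higher version win (the real service compares per-attribute version, timestamp, and originating server, and tracks update sequence numbers; that detail is left out). It replays the Seattle OU scenario from the exercise twice: once with a plain restore, which replication undoes, and once with the subtree marked authoritative, which replication propagates. The increase of 100,000 per day since the backup is Ntdsutil's default behaviour; the object names are the book's example domain.

```python
"""Why a plain restore is undone by replication and an authoritative one is not.

Added illustration (a simplified model, not Active Directory code): every
replica holds each object with a version number; a deletion leaves a tombstone
with a higher version; when two replicas compare an object the higher version
wins. Ntdsutil's authoritative restore raises the version of the restored
objects by 100,000 per day elapsed since the backup, so the restored copy
outranks the tombstone everywhere.
"""
import copy

VERSION_INCREMENT_PER_DAY = 100_000      # Ntdsutil's default, used as-is here


def in_subtree(dn: str, root_dn: str) -> bool:
    return dn == root_dn or dn.endswith("," + root_dn)


class Replica:
    """One domain controller's copy of the directory: dn -> {version, deleted}."""

    def __init__(self, name: str, objects: dict):
        self.name = name
        self.objects = copy.deepcopy(objects)

    def delete_subtree(self, root_dn: str) -> None:
        for dn, obj in self.objects.items():
            if in_subtree(dn, root_dn):
                obj["deleted"] = True            # the object becomes a tombstone
                obj["version"] += 1              # and the deletion is a newer change

    def snapshot(self) -> dict:                  # the System State backup
        return copy.deepcopy(self.objects)

    def restore(self, backup: dict) -> None:     # restore in DS Restore Mode
        self.objects = copy.deepcopy(backup)

    def mark_authoritative(self, root_dn: str, days_since_backup: int) -> None:
        bump = VERSION_INCREMENT_PER_DAY * max(1, days_since_backup)
        for dn, obj in self.objects.items():
            if in_subtree(dn, root_dn):
                obj["version"] += bump

    def live(self) -> list:
        return sorted(dn for dn, obj in self.objects.items() if not obj["deleted"])


def replicate(a: Replica, b: Replica) -> None:
    """Pairwise convergence: for every object, the higher version wins on both sides."""
    for dn in set(a.objects) | set(b.objects):
        oa, ob = a.objects.get(dn), b.objects.get(dn)
        if oa is None or (ob is not None and ob["version"] > oa["version"]):
            a.objects[dn] = copy.deepcopy(ob)
        elif ob is None or oa["version"] > ob["version"]:
            b.objects[dn] = copy.deepcopy(oa)


SEATTLE = "OU=Seattle,DC=coolcompany,DC=local"
INITIAL = {                                      # constructed sample directory
    "DC=coolcompany,DC=local": {"version": 1, "deleted": False},
    SEATTLE: {"version": 1, "deleted": False},
    "CN=Alice," + SEATTLE: {"version": 1, "deleted": False},
}


def scenario() -> dict:
    dc1, dc2 = Replica("DC1", INITIAL), Replica("DC2", INITIAL)
    backup = dc1.snapshot()                      # last night's System State backup
    dc1.delete_subtree(SEATTLE)                  # the accident
    replicate(dc1, dc2)                          # tombstones reach DC2

    # Plain (non-authoritative) restore: the restored objects still carry
    # version 1, the tombstones carry version 2, so replication deletes them again.
    dc1.restore(backup)
    replicate(dc1, dc2)
    after_plain = (dc1.live(), dc2.live())

    # Authoritative restore: restore again, mark the subtree, then replicate.
    dc1.restore(backup)
    dc1.mark_authoritative(SEATTLE, days_since_backup=1)
    replicate(dc1, dc2)
    after_auth = (dc1.live(), dc2.live())
    return {"after_plain_restore": after_plain,
            "after_authoritative_restore": after_auth}


if __name__ == "__main__":
    for step, (dc1_live, dc2_live) in scenario().items():
        print(step, "DC1:", dc1_live, "DC2:", dc2_live)
```

The same comparison explains the caveat above about overwriting newer data: whatever version bump the marked objects receive, every attribute on them wins against every other domain controller, including changes that were made after the backup.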
Backing up the System State is as simple as placing a check in a box. However, not doing it could be disastrous if your domain controller crashes. EXERCISE 8.5
Backing Up System State Information This exercise assumes that you have a Windows 2000 computer set up as a domain controller and that it has over 300MB of free space on a local hard disk.
1. Open Backup by clicking Start Programs Accessories System Tools Backup.
2. Click the Backup tab.

3. Expand the My Computer node in the left pane of the Backup window if it isn't already expanded. Place a check mark in the box beside System State.
4. Click the Browse button next to the Backup Media Or File Name field at the bottom left of the dialog.
5. Browse for a local hard drive location that has at least 300MB of free space. Name the file System.bkf and click Open. This will return you to the Backup dialog.
6. Click the Start Backup button to begin the backup operation. Make note of the information provided on the various dialogs during the backup operation. Once you have successfully performed a backup of the System State, try it again using the Backup Wizard.
The Recovery Console

Windows 2000 includes a number of enhancements that will help your troubleshooting. One of the best of these is the Recovery Console. Unfortunately, Microsoft decided not to install this utility by default, perhaps for security reasons, but it is easy to install. The Recovery Console is a command-prompt version of Windows 2000 to which you can boot your computer if it won't boot to the graphical version of Windows 2000. Once installed, it appears as an additional entry in the startup menu (BOOT.INI) alongside your Windows 2000 installation. Logging on to it requires the password of the local Administrator account (on a domain controller, the Directory Services Restore Mode administrator password), and by default it gives access only to the root of each volume and to the system folder of the installation you logged on to. Anyone who can reach the keyboard at boot time can select it, which is one more reason to restrict physical access to your servers.

To install the Recovery Console, place the original Windows 2000 CD-ROM in your local CD drive and run the following command:

D:\i386\winnt32 /cmdcons

where D: is the letter assigned to your CD-ROM drive. This command will run a mini version of the Windows 2000 Setup program that will install the Recovery Console. The Recovery Console can also be accessed through the Repair process. If you need to use the Recovery Console and have not installed it ahead of time, you can access it by booting the computer with the Windows 2000 startup disks or by booting with the Windows 2000 CD-ROM. When the Setup program prompts you to choose between setting up Windows 2000 and performing a repair, select Repair. When you reach the Repair menu, one of the options presented to you will be to run the Recovery Console.
The Windows 2000 startup floppies can be created with the MAKEBOOT.EXE and MAKEBT32.EXE programs in the Bootdisk folder on the Windows 2000 CD-ROM.
The Recovery Console is almost like a small version of MS-DOS, except that the commands are native to Windows 2000. But the concept is the same—you’re booting the computer to a command prompt where you can perform various tasks using the commands built into the Recovery Console. Those commands are listed in Table 8.2.

TABLE 8.2 Commands Supported by the Recovery Console

Command: Description
Chdir (cd): Changes the current folder, or if typed without parameters it will display the current folder path.
Chkdsk: Checks the hard disk for errors and displays a status report of its findings.
Cls: Clears the screen display.
Copy: Copies a file from one location to another. Can be used to copy the file to a new filename in the same folder.
Rename (ren): Renames a file.
Systemroot: Changes the current folder to the systemroot folder of the Windows 2000 installation you are logged onto. For example, if Windows 2000 is installed in C:\winnt, then the systemroot command will change directory to C:\winnt.
Type: Displays a text file without breaks for pages.
You can use the Recovery Console to repair Windows 2000 if the problem you are working on involves corrupted or missing files or services and devices that are misbehaving. The Enable and Disable commands in particular will be useful for resolving issues with services and devices. If your problem involves the Registry or Active Directory, then the Recovery Console won’t be of much help. However, Registry issues that prevent your Windows 2000 computer from booting will often involve some new software service or device driver that you’ve installed. From that standpoint, the Recovery Console will be of great use.
Restoring Network Services

Restoring network services in the event of a failed network migration will be possible if you took precautions before beginning the migration to Windows 2000. This means that you prepared backups of your network servers and that you held one server offline with current copies of your network service databases. To restore your network services, you can use either of two basic approaches, depending on your preparation:
Reinstall NT and restore system data and the Registry from the tape backup. This will give you a very clean restore of the original environment, but it does take time to perform a separate reinstallation of the operating system and restore from tape on every server.
Bring the offline server back online. If you prepared a single server with current versions of your network services under NT, then bringing this server back online may be all that you need to do to restore the original services.
Restoring your DHCP services may be more difficult to accomplish by restoring from tape. It is very possible that the address leases stored in the backup version of the database do not match the current leases. One of the easiest ways to resolve this would be to bring the DHCP server back online and then have your client computers release and renew their IP addresses. Alternatively, you can manually release all of the leases from the DHCP server and then have your clients release and renew their addresses.

Restoring the WINS servers is something that I feel is best done from scratch. Restore the servers that will be running the Windows Internet Name Service (WINS) and then delete all of the entries in the WINS database. When your clients reboot their computers, they will create new entries in the database automatically.

Restoring the Domain Name System (DNS) servers can be done simply by restoring the system from tape. DNS databases are held in static text files, and they won’t have changed since they were backed up, except for the dynamic information entered by Windows 2000. Since earlier versions of NT cannot use this dynamic information, you really aren’t losing much when you lose the dynamic information.
Restoring Accounts

Restoring accounts to your network is simple if you prepared a backup domain controller before the migration. If you did not take that precaution, then your work to restore the original environment will be somewhat more difficult.

EXERCISE 8.6
Restoring Accounts Using a Backup Domain Controller

To restore your domain accounts using a backup domain controller from the original domain, follow these steps:
1. Shut down all running Windows 2000 domain controllers for the upgraded domain.
2. Bring the BDC connected to the network online.
3. Promote the BDC to become the primary domain controller for its domain. This means that the copy of the domain user database that the BDC had is now made writable and is the master copy of the database.
4. Reinstall some of the other domain controllers with NT as backup domain controllers for the original domain.
5. Move server computer accounts into the original domain.
6. Move client computer accounts into the original domain.
Using these steps, your user accounts are intact, just as they were when the BDC was last synchronized prior to the migration. Adding the other computer accounts back into the domain makes them and the resources they contain accessible to the users. Be sure to carefully check user permissions and rights when moving back to the original domain environment, as you won’t have the luxury of the SIDHistory to help maintain user access. Restoring user accounts without a BDC held in reserve will take more legwork since you will have to visit every computer that needs to be reinstalled and then perform the tape restore on each of the servers, but in some ways it’s easy.

EXERCISE 8.7
Restoring User Accounts without a Reserved Backup Domain Controller

To restore your user accounts without a reserved BDC, follow these steps:
1. Pick a server to become the primary domain controller for the restored domain. Reinstall NT Server on this server.
2. Restore the last tape backup of the primary domain controller onto this server, including the Registry.
3. Verify that this computer comes online as the PDC of the original domain.
4. Repeat these steps with the other domain controllers.
5. Move server computer accounts into the original domain.
6. Move client computer accounts into the original domain. The member servers and workstations may remain on Windows 2000 or they can be returned to NT, whichever will best suit your needs.
I hope that everything will go well for your migration and that you will never have to resort to these methods to roll back the migration. But it is required knowledge for the exam, and it should be a required skill set for anyone who is going to manage a Windows 2000 migration project.
Summary

In this chapter, you learned how to implement hardware and software RAID to protect data. You learned how to use Windows Backup to back up and restore system data and the System State information. We discussed how planning should take into account your hardware, software, infrastructure, and personnel to provide a reliable disaster-recovery plan. In the last portion of the chapter, you learned how to restore your network to its condition prior to the migration. We examined the rollback of the migration, including domain controllers, network services, and user account information.
Key Terms

Before taking the exam, make sure you are familiar with the following terms:
authoritative
authoritative restore
basic disk
disk striping
disk duplexing
dynamic disk
fault tolerant
mirroring
parity
Recovery Console
Redundant Arrays of Inexpensive Disks (RAID)
striping with parity
System State
Take about 10 minutes to look over the information presented and then answer the questions at the end. In the testing room, you will have a limited amount of time; it is important that you learn to pick out the important information and ignore the “fluff.”
Background

Your consulting company is bidding for a contract to perform a large migration from Windows NT 4.0 to Windows 2000. The RFB (Request For Bid) mandates that the proposed solution include a complete disaster-recovery plan in the event of a failed migration. You have been assigned the task of building this plan.
Questions

1. Which of the following is the easiest and quickest way to ensure that the old user and group accounts can be restored?
A. Perform a complete backup of the PDC before upgrading it.
B. Just before performing the upgrade of any domain, force replication and take the BDC offline.
C. Document the environment before upgrading so that accounts can be re-created.
D. Back up the Registry of each domain controller before it is
2. Build list and reorder: You need to document the process involved in recovering a failed Windows 2000 domain controller. Place the tasks in the appropriate order.
Task
Install Windows 2000.
Fix or replace hardware.
Restore data.
Restore the System State information.
3. You want to suggest the most fault-tolerant and best-performing solution for any new servers that the client might need. Which one of the following would meet these criteria?
A. Have all disks mirrored by Windows 2000.
B. Wherever possible, utilize Windows 2000’s RAID 5 disk configuration.
C. Wherever possible, utilize disk striping.
D. Implement hardware-controlled RAID.
1. B. In the event of a failed upgrade process, you can take all of the new Windows 2000 domain controllers offline, bring the BDC online, and promote it to PDC.
2. Task
Fix or replace hardware.
Install Windows 2000.
Restore the System State information.
Restore data.
3. D. Hardware-controlled RAID provides the best combination of fault
Review Questions

1. RAID stands for what?
A. Redundant Arrays of Individual Disks
B. Removable Arrays of Individual Disks
C. Redundant Arrays of Inexpensive Disks
D. Redundant Arrays of Expensive Disks

2. Which RAID levels are supported in hardware for Windows 2000 Professional?
A. All of them
B. None of them
C. RAID levels 1 and 5
D. Depends on the RAID controller

3. Which software RAID level can be used in Windows 2000 to protect the operating system files?
A. RAID 0
B. RAID 1
C. RAID 5
D. RAID 10

4. You have decided to implement a RAID 5 set to protect your data. How many disks must you use to create the set?
A. one
B. two
C. three
D. four
5. You need to perform a backup of your server’s data on Tuesday at 10:00 P.M., but you will be unable to come into the office at that time. How can you perform the backup? (Choose all that apply.)
A. Write a batch file that starts Ntbackup, and schedule the file with the AT command.
B. Use a batch file for the Backup program, and schedule the batch file with the System Scheduler.
C. Use the integrated scheduling utility in Windows Backup to schedule the backup job.
D. Call in one of your junior Windows 2000 administrators to perform the backup.

6. Which of the following is not backed up as part of the System State?
A. DNS database files
B. Active Directory database
C. COM+ Registration database
D. Sysvol

7. How would you prepare for the possible loss of your user accounts during the migration to Windows 2000?
A. Perform a tape backup of the PDC prior to the migration.
B. Use ClonePrincipal to copy the accounts from the Windows 2000 domain to the NT 4 domain.
C. Synchronize one of the member servers with the PDC before the migration.
D. Synchronize one of the BDCs with the PDC before the migration, then keep it offline in case you need to roll back the migration.

8. Which Windows 2000 tool would you use to recover a single user account that was deleted from Active Directory?
A. Backup
B. Ntdsutil.exe
C. Adsiedit.exe
D. ClonePrincipal
9. You are unable to boot your computer running Windows 2000. You suspect that the problem is being caused by an incorrect Registry entry. Which tool should you use?
A. Advanced Startup Options
B. Recovery Console
C. Ntdsutil.exe
D. Adsiedit.exe

10. How would you reset the Master Boot Record so that it boots Windows 2000?
A. Advanced Startup Options
B. Recovery Console
C. Ntdsutil.exe
D. Adsiedit.exe

11. Which file systems are supported on a RAID 1 mirror set under Windows 2000? (Choose all that apply.)
A. FAT
B. FAT32
C. NTFS
D. HPFS

12. Which Windows 2000 tool should you use to create a RAID 5 fault-tolerant set?
A. Fdisk
B. Computer Management
C. Active Directory Users and Computers
D. Recovery Console
13. You want to back up your system configuration. Which option should you pick in Backup to accomplish this?
A. Include Registry
B. System State
C. Systemroot
D. Full Backup

14. You are adding a new fault-tolerant set to your Windows 2000 Server but don’t want to use a drive letter for the volume. How can you do this?
A. Assign a drive path to the volume using an empty folder on an NTFS volume.
B. Install it on another computer and connect to it using a UNC path.
C. You must use a drive letter.
D. Assign a drive path to the volume using an empty folder on a FAT volume.

15. Which software RAID levels can be used in Windows 2000 to protect your data files? (Choose all that apply.)
A. RAID 0
B. RAID 1
C. RAID 5
D. RAID 10

16. How would you reset the boot sector so that it boots Windows 2000?
A. Advanced Startup Options
B. Recovery Console
C. Ntdsutil.exe
D. Adsiedit.exe
17. How would you restore an object in Active Directory without having the other domain controllers delete it again?
A. Perform an authoritative restore.
B. Use ClonePrincipal.
C. Use Active Directory Migration Tool.
D. Use the Active Directory Undo Wizard.

18. You are trying to perform an authoritative restore and have already restored the objects from tape using Windows Backup. What command should you use next?
A. adsiedit add