Integration and Migration: Making the Move to Windows Server 2003
Michael Leworthy, Windows Server Product Manager, Microsoft Australia

Agenda
► Client Integration with Windows Server 2003
► Update on Functional Levels
► Windows NT 4.0 to Windows Server 2003 upgrade
► Windows 2000 Server to Windows Server 2003 upgrade
► Domain restructuring with ADMT v2

Clients And Windows Server 2003
► Security improvements change the behaviour of Windows Server 2003 Domain Controllers
  ► SMB signing and secure channel encryption enforced
  ► Adjustments needed for older clients
► Windows NT 4.0 SP4 and higher, Windows 2000 and Windows XP clients work without adjustments
► Win95 and Windows NT4 pre-SP4 require changes; either
  ► Disable enforcement of SMB signing and secure channel encryption, or
  ► Install DS Client and/or Service Pack
► Fully documented in the Windows Server 2003 Deployment Kit

Update on Functional Levels
► Functional Levels
  ► Domain Functional Levels
  ► Forest Functional Levels
  ► Features without Dependencies
► Best Practices For Functional Levels
  ► Raising Domain Functional Level
  ► What Happens with Functional Level Upgrades
  ► Upgrading the PDC
  ► Forest switch to Windows Server 2003 Functional Level

Functional Levels
► Required in order to introduce non-backward-compatible features
► Admin manually advances the functional level when all DCs in the forest/domain are upgraded
► Level only increases – no going back
► Legacy DCs blocked from joining/starting

Functional Levels
► Available functional levels
  ► Windows Server 2003 forest functionality
  ► Windows Server 2003 interim forest functionality
    ► Allows mixed-mode domains (NT4 BDCs), but no Windows 2000 DCs
  ► Windows Server 2003 domain functionality

Domain Functional Levels
Domain Functionality   | Enabled Features                              | Supported DCs in domain
Windows 2000 mixed     | Universal Groups (non-security only)          | Windows NT4, Windows 2000, Windows 2003
Windows 2000 native    | All mixed mode, plus:                         | Windows 2000, Windows 2003
                       |   ► Group nesting                             |
                       |   ► Universal groups                          |
                       |   ► SIDHistory                                |
                       |   ► Group conversions                         |

Domain Functional Levels
Domain Functionality   | Enabled Features                                        | Supported DCs in domain
Windows Server 2003    | All Windows 2000 native, plus:                          | Windows 2003
                       |   ► Update logon timestamp attribute                    |
                       |   ► Kerberos KDC version                                |
                       |   ► User password on INetOrgPerson                      |
                       |   ► DC rename with netdom                               |
                       |   ► Redirect users and computers                        |
                       |   ► Authorisation manager can store authorisation policies |
                       |   ► Constrained delegation for computers                |
                       |   ► Selective authentication cross-forest               |

Forest Functional Levels
Forest Functionality         | Enabled Features                  | Supported DCs in forest
Windows 2000                 |                                   | Windows NT4, Windows 2000, Windows 2003
Windows Server 2003 Interim  | All Windows 2000, plus:           | Windows NT4, Windows 2003
                             |   ► Linked Value Replication      |
                             |   ► Improved ISTG                 |
                             |   ► New attributes added to GC    |

Forest Functional Levels
Forest Functionality   | Enabled Features                                          | Supported DCs in forest
Windows Server 2003    | All Windows Server 2003 Interim, plus:                    | Windows 2003
                       |   ► Dynamic aux classes                                   |
                       |   ► User to INetOrgPerson change                          |
                       |   ► Schema Redefine                                       |
                       |   ► Domain rename                                         |
                       |   ► Cross-forest trust                                    |
                       |   ► Basic and query-based groups (for role-based AzMan)   |

Features without Dependencies
► Application partitions
► Universal Group Caching
► Install from Media
► No-GC-Full-Sync for PAS schema extensions
► SID History migration delegation
► Concurrent LDAP binds
► Manual trigger of online defrag
► DNS in application partitions
► Single instance store

Forest switch to Windows Server 2003 Functional Level
► Domain controllers switch to new replication pause values
  ► Windows 2000: registry values
    ► 5 minutes / 30 seconds
  ► Windows 2003: new default values apply if the registry keys are not set
    ► 30 secs / 5 secs
► At the forest functional switch
  ► DCs delete the registry values if the values are the Windows 2000 defaults
  ► DCs automatically switch to 30 secs / 5 secs

Best Practices For Functional Levels
► Windows NT 4 Upgrade
  ► Motivation to move to Windows Server 2003 interim level
    ► Linked-value replication (large group support)
    ► Improved KCC/ISTG
  ► Set Windows Server 2003 interim forest level
  ► Once all NT 4 BDCs are upgraded, advance the forest to Windows Server 2003 functional level
    ► This automatically advances all domains to Windows Server 2003 functional level

Best Practices For Functional Levels
► Windows 2000 Upgrade
  ► Do nothing until all DCs are running Windows Server 2003
  ► Make sure that no mixed-mode domain is left in the forest
  ► Advance the forest level to Windows Server 2003 functional level
    ► This automatically advances all domains to Windows Server 2003 functional level

Windows NT 4 to Windows Server 2003 upgrade
► Upgrading from Windows NT 4
► Demo: Upgrading the Windows NT 4 PDC

Upgrading from Windows NT4 (Step by Step)
1. Inventory clients for compatibility with default security settings
   ► Either install software (dsclient, SP) or relax settings
2. Inventory domain controllers in domain
   ► Hot fixes
     ► Recommended: SP6a
   ► DC hardware: disk space, CPU, memory
   ► DC health, including replication and the lmrepl file replication service

Upgrading from Windows NT4 (Step by Step)
3. Check for services running as local system on all member servers and workstations
   ► Re-configure the service to use a user account, or
   ► Upgrade the server to Windows 2000 Server or Windows Server 2003, or
   ► Use “Enable downlevel access” in dcpromo
   ► Services which require “Enable downlevel access” include Windows NT 4.0 RAS

Upgrading from Windows NT4 (Step by Step)
4. Configure lmrepl export server
   ► This will be the last domain controller to be upgraded
   ► If the lmrepl service runs on the PDC, either
     ► Select one BDC to be the new lmrepl export server, or
     ► Move lmrepl to the server that will be upgraded as the last DC
5. Secure one BDC
   ► Sync with PDC
   ► Take a back-up tape and test the restore
   ► Take the BDC off-line and keep it in storage

Upgrading from Windows NT4 (Step by Step)
6. Upgrade PDC
   ► The PDC will not be able to perform the PDC role while the upgrade and dcpromo run
     ► No changes possible (no new users, groups, group membership changes)
     ► Clients and workstations will not be able to change passwords
     ► Trusts might fail
   ► Plan for the change freeze / downtime
7. Configure security settings

Upgrading from Windows NT4 (Step by Step)
8. Verify success
   ► Verify that down-level replication works
   ► Verify that users can be added and passwords can be changed
9. Install and configure lmbridge
   ► Windows Server 2003 has no lmrepl service any more; it uses sysvol replication (FRS)
   ► Copy all logon scripts and other files from the lmrepl export server to the PDC emulator
   ► Configure lmbridge to copy files from the PDC emulator to the lmrepl export server
   ► Change files on the PDC only

Upgrading from Windows NT4 (Step by Step)
10. Continue upgrading BDCs
11. Once all DCs are Windows Server 2003
   ► If this was the last domain to join the forest and all DCs in the forest are Windows Server 2003, switch to Windows 2003 forest functional level
   ► In multi-domain forests, don’t worry about single domain modes; wait until the last domain is upgraded

Demo: Upgrading The Windows NT 4.0 PDC

Windows 2000 to Windows Server 2003 upgrade
► Upgrading from Windows 2000
► Issues with Schema Extensions
► Domain Naming Master
► Domain Upgrade And DNS
► Introducing The First Windows Server 2003 Domain Controller In Forest
► Upgrading from Windows 2000 Step by Step

Upgrading From Windows 2000
► Easy and seamless upgrade process
► No restructuring necessary
► No forest, domain, OU or replication planning necessary
► No user / workstation / profile migration

Upgrading From Windows 2000
► Windows Server 2003 DCs are fully compatible with Windows 2000 DCs
► Windows Server 2003 DCs can interoperate in a Windows 2000 forest / domain in any role
  ► New DC (dcpromo)
  ► Upgrade of existing DC
► Preparing the forest and domains is a separate step from introducing the first Windows Server 2003 DC

Issues with Schema Extensions
► Exchange 2000 schema present
  ► Exchange 2000 schema extensions define three non-RFC-conformant attributes (houseIdentifier, secretary and labeledURI)
  ► If the Exchange 2000 schema extensions are applied before the Windows 2000 InetOrgKit or Windows Server 2003 schema, attributes with mangled names are created
  ► See KB article Q325379

Issues with Schema Extensions
► Services For Unix version 2.0
  ► The SFU 2.0 NIS component defines a uid attribute which clashes with the correct interpretation in the Windows Server 2003 schema
  ► Adprep cannot extend the schema unless a QFE is applied
  ► See KB article Q293783

Introducing The First Windows Server 2003 Domain Controller In Forest
► Once adprep has run, Windows Server 2003 Domain Controllers can join the forest
► Two methods
  ► Upgrade an existing domain controller
  ► Install Windows Server 2003 as a member server and run dcpromo
► Any domain can be chosen to hold the first Windows Server 2003 DC

Introducing The First Windows Server 2003 Domain Controller In Forest
► Upgrade of the PDC emulator performs special operations
  ► Creates group for Terminal Services, internal groups
  ► Role transfer to a Windows Server 2003 DC triggers the same operations
► Best practice
  ► Install Windows Server 2003 as a member server and promote it to Domain Controller
  ► Upgrade the PDC to Windows Server 2003 early in the process
    ► Or transfer the PDC emulator role to a Windows Server 2003 DC, even if only temporarily

Upgrading from Windows 2000 (Step by Step)
1. Inventory clients for compatibility with default security settings
   ► Either install software (dsclient, SP) or relax settings
2. Apply schema fixes for Exchange and SFU if needed

Upgrading from Windows 2000 (Step by Step)
3. Inventory domain controllers in forest
   ► Hot fixes
     ► Recommended: SP3
     ► If not at SP3, please review the hotfixes and updates required: Q331161 has details
   ► Disk space
   ► DC health including AD replication
4. Run adprep /forestprep
5. In each domain, run adprep /domainprep

Upgrading from Windows 2000 (Step by Step)
6. Install a Windows Server 2003 member server in the forest root domain or any other domain of your choice
7. Promote the member server to DC – monitor
8. Move the Domain Naming Master role to the Windows Server 2003 DC

Upgrading from Windows 2000 (Step by Step)
9. Upgrade existing Windows 2000 domain controllers
10. In each domain
   ► Upgrade the PDC emulator as soon as possible (or transfer the PDC emulator role to a Windows Server 2003 DC)
   ► Once all DNS servers are running Windows Server 2003, move domain DNS data into an application partition
   ► Verify that the DNM is still running on a Windows 2003 DC

Upgrading from Windows 2000 (Step by Step)
11. When all DCs are upgraded
   ► Switch the forest to Windows Server 2003 functional level

Domain restructuring with ADMT v2
► Migrating To Windows Server 2003
► Restructure Activities
► Active Directory Migration Tool Version 2.0

Migrating To Windows Server 2003
► Most migrations from Windows NT 4.0 to Active Directory are a mix of in-place upgrades and restructuring
► See “Best Practice Active Directory Design for Managing Windows Networks” for more information
  ► http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/bpaddsgn.asp

Restructure Activities
Activity                           | Part of
User migration                     | Account domain restructuring
Global Group migration             | Account domain restructuring
Migrating user profiles            | Account domain restructuring
Migrating Exchange mailbox access  | Account domain restructuring
Migrating workstations             | Resource domain restructuring
Migrating resources                | Resource domain restructuring

Active Directory Migration Tool Version 2.0
► Password migration
► Windows NT 4.0 to Active Directory
► Forest to forest
► Scripting support
► Command line support
► Can also be used to migrate to Windows 2000 Active Directory

ADMT

Summary
► Windows NT 4 to Windows Server 2003 upgrade is very similar to the Windows NT 4 to Windows 2000 upgrade
► Windows 2000 Server to Windows Server 2003 upgrade is easy and requires no additional design planning
► ADMT v2 makes restructuring easier
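The functional-level rules from the "Functional Levels", "Best Practices For Functional Levels" and "Forest switch to Windows Server 2003 Functional Level" slides can be checked mechanically before an administrator raises a level. The Python below is an added example, not Microsoft's code or any Microsoft tool: the level names and supported-DC sets are taken from the deck's tables, while the DC inventory, the `pause_after_modify` / `pause_between_dsas` labels (the deck does not name the real registry values) and the function names are constructed for this illustration.

```python
"""Model of the functional-level rules in this deck: which domain controllers
each level tolerates, when the forest or domain level may be raised, what the
best-practice target is during an NT4 or Windows 2000 upgrade, and what happens
to the replication notification pause at the forest switch.

Added illustration, not Microsoft code. Level names and the supported-DC sets
come from the deck's tables; the DC inventory and the registry-value labels are
constructed for this example (the deck does not name the registry values)."""

# Ladders ordered from lowest to highest; a level can only be raised.
DOMAIN_LEVELS = ("Windows 2000 mixed", "Windows 2000 native", "Windows Server 2003")
FOREST_LEVELS = ("Windows 2000", "Windows Server 2003 interim", "Windows Server 2003")

# DC operating systems permitted at each level, from the deck's tables.
# "Windows Server 2003" appears on both ladders with the same requirement.
SUPPORTED_DCS = {
    "Windows 2000 mixed": {"NT4", "2000", "2003"},
    "Windows 2000 native": {"2000", "2003"},
    "Windows 2000": {"NT4", "2000", "2003"},
    "Windows Server 2003 interim": {"NT4", "2003"},  # NT4 BDCs yes, Windows 2000 DCs no
    "Windows Server 2003": {"2003"},
}

# Replication notification pause in seconds: (after modify, between DSAs).
# The deck gives 5 min / 30 s as the Windows 2000 registry defaults and
# 30 s / 5 s as the Windows Server 2003 defaults used when no value is set.
W2K_DEFAULT_PAUSE = (300, 30)
W2K3_DEFAULT_PAUSE = (30, 5)
PAUSE_KEYS = ("pause_after_modify", "pause_between_dsas")  # constructed labels


def blocked_dcs(level, dcs):
    """DCs (name, os) that would be blocked from joining or starting at `level`."""
    allowed = SUPPORTED_DCS[level]
    return [(name, os) for name, os in dcs.items() if os not in allowed]


def can_raise(current, target, ladder, dcs):
    """Decide whether the level may move from `current` to `target`.

    Returns (ok, reasons). Two rules from the deck apply: the level only
    increases, and every DC must be supported at the target level."""
    reasons = []
    if ladder.index(target) <= ladder.index(current):
        reasons.append("functional level can only be raised, never lowered")
    for name, os in blocked_dcs(target, dcs):
        reasons.append("%s runs %s, which is not supported at %s" % (name, os, target))
    return (not reasons, reasons)


def recommended_forest_target(dcs):
    """Best-practice target from the deck: the interim level while NT4 BDCs
    remain (and no Windows 2000 DCs exist), the full Windows Server 2003 level
    once every DC runs Windows Server 2003, otherwise None (do nothing yet)."""
    if not dcs:
        return None
    oses = set(dcs.values())
    if oses <= {"2003"}:
        return "Windows Server 2003"
    if oses <= {"NT4", "2003"}:
        return "Windows Server 2003 interim"
    return None


def pause_after_forest_switch(registry):
    """Apply the deck's rule at the switch to the Windows Server 2003 forest level.

    A registry value still at its Windows 2000 default is deleted so the DC
    falls back to the new default; an administrator-customised value is kept.
    Returns (effective_pause, remaining_registry)."""
    remaining = dict(registry)
    for key, old_default in zip(PAUSE_KEYS, W2K_DEFAULT_PAUSE):
        if remaining.get(key) == old_default:
            del remaining[key]
    effective = tuple(
        remaining.get(key, new_default)
        for key, new_default in zip(PAUSE_KEYS, W2K3_DEFAULT_PAUSE)
    )
    return effective, remaining


if __name__ == "__main__":
    # Constructed inventory: an NT4 domain part-way through the upgrade.
    forest = {"DC01": "2003", "DC02": "2003", "BDC03": "NT4"}
    print("recommended target:", recommended_forest_target(forest))
    print(can_raise("Windows 2000", "Windows Server 2003 interim", FOREST_LEVELS, forest))
    print(can_raise("Windows 2000", "Windows Server 2003", FOREST_LEVELS, forest))
    print(pause_after_forest_switch({"pause_after_modify": 300, "pause_between_dsas": 30}))
```

The ladder tuples encode the "level only increases" rule by position, and `can_raise` names every DC that would be blocked at the target level rather than just refusing, which is the check an administrator otherwise does by hand from the DC inventory. `pause_after_forest_switch` keeps any value that differs from the Windows 2000 default, matching the slide's statement that only default values are deleted at the switch.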
Do More With Less

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.