Integration and Migration:
Making the Move to Windows
Server 2003
Michael Leworthy
Windows Server Product Manager
Microsoft Australia
Agenda
► Client Integration with Windows Server 2003
► Update on Functional Levels
► Windows NT 4.0 to Windows Server 2003
upgrade
► Windows 2000 Server to Windows Server
2003 upgrade
► Domain restructuring with ADMT v2
Clients And Windows Server 2003
► Security improvements change behavior of
Windows Server 2003 Domain Controllers
► SMB signing and secure channel encryption enforced
► Adjustments needed for older clients
► Windows NT 4.0 SP4 and higher, Windows 2000,
Windows XP clients work without adjustments
► Win95 and Windows NT4 pre-SP4 require changes;
either
► Disable enforcement of SMB signing and secure
channel encryption
► Install DS Client and/or Service Pack
► Fully documented in the Windows Server 2003
Deployment Kit
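The enforcement described above is driven by three security options in the Default Domain Controllers Policy, each backed by a registry value on the DC. The following is an added example, not part of the original deck, that audits those values on a DC and reports whether each is enforced or relaxed. It needs PowerShell 3.0 or later run as an administrator; for a remote DC the Remote Registry service must be reachable. The policy and value names are the documented registry backing of those settings; the host name `dc1` is a placeholder.

```powershell
# Added example (not part of the original deck). Audits the three security options a
# Windows Server 2003 DC enforces by default and reports each as enforced / relaxed /
# not set. Needs PowerShell 3.0+ and, for a remote DC, the Remote Registry service.

$HardeningChecks = @(
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
       Key    = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value  = 'RequireSecuritySignature' },
    @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Key    = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Value  = 'RequireSignOrSeal' },
    @{ Policy = 'Domain member: Require strong (Windows 2000 or later) session key'
       Key    = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Value  = 'RequireStrongKey' }
)

# Decision logic kept separate from the registry access: 1 = enforced, 0 = relaxed,
# no value = not set (the operating system default applies).
function Get-HardeningState([object]$RawValue) {
    if ($null -eq $RawValue)  { return 'not set' }
    if ([int]$RawValue -eq 1) { return 'enforced' }
    return 'relaxed'
}

function Get-DcHardeningReport {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    foreach ($c in $HardeningChecks) {
        $key = $hklm.OpenSubKey($c.Key)
        $raw = if ($key) { $key.GetValue($c.Value, $null) } else { $null }
        [pscustomobject]@{
            Computer = $ComputerName
            Policy   = $c.Policy
            Registry = "HKLM\$($c.Key)\$($c.Value)"
            Value    = $raw
            State    = Get-HardeningState $raw
        }
    }
}

# Local DC first, then a remote one ('dc1' is a placeholder host name).
Get-DcHardeningReport | Format-Table Policy, Value, State -AutoSize
Get-DcHardeningReport -ComputerName 'dc1' | Format-Table Computer, Policy, State -AutoSize
```

The "disable enforcement" option on the slide means setting these three policies to Disabled in the Default Domain Controllers Policy (value 0); do not edit the registry directly, because Group Policy rewrites the values at the next refresh. Relaxing them weakens every client's connection to the DC, not just the Win95 and pre-SP4 ones, so the DS Client / service pack route is the better choice wherever it is possible.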
Update on Functional Levels
► Functional Levels
► Domain Functional Levels
► Forest Functional Levels
► Features without Dependencies
► Best Practices For Functional Levels
► Raising Domain Functional Level
► What Happens with Functional Level Upgrades
► Upgrading the PDC
► Forest switch to Windows Server 2003 Functional
Level
Functional Levels
► Required in order to introduce non-backward-compatible features
► Admin manually advances functional level
when all DCs in forest/domain are upgraded
► Level only increases – no going back
► Legacy DCs blocked from joining/starting
Functional Levels
► Available functional levels
► Windows Server 2003 forest functionality
► Windows Server 2003 interim forest
functionality
► Allows mixed-mode domains (NT4 BDCs), but
no Windows 2000 DCs
► Windows Server 2003 domain
functionality
Domain Functional Levels
► Windows 2000 mixed
  ► Enabled features: Universal groups (non-security only)
  ► Supported DCs in domain: Windows NT4, Windows 2000, Windows 2003
► Windows 2000 native
  ► Enabled features: all mixed-mode features, plus
    ► Group nesting
    ► Universal groups
    ► SIDHistory
    ► Group conversions
  ► Supported DCs in domain: Windows 2000, Windows 2003
Domain Functional Levels
► Windows Server 2003
  ► Enabled features: all Windows 2000 native features, plus
    ► lastLogonTimestamp attribute (replicated last logon time)
    ► Kerberos KDC key version numbers
    ► userPassword on inetOrgPerson objects
    ► DC rename with netdom
    ► Redirect the default Users and Computers containers
    ► Authorization Manager can store authorization policies in AD
    ► Constrained delegation for computers
    ► Selective authentication cross-forest
  ► Supported DCs in domain: Windows 2003
Forest Functional Levels
► Windows 2000
  ► Enabled features: Windows 2000 forest features only
  ► Supported DCs in forest: Windows NT4, Windows 2000, Windows 2003
► Windows Server 2003 interim
  ► Enabled features: all Windows 2000, plus
    ► Linked value replication
    ► Improved ISTG
    ► New attributes added to the GC
  ► Supported DCs in forest: Windows NT4, Windows 2003
Forest Functional Levels
► Windows Server 2003
  ► Enabled features: all Windows Server 2003 interim, plus
    ► Dynamic auxiliary classes
    ► User to inetOrgPerson object class change
    ► Schema redefinition (deactivated schema objects can be reused)
    ► Domain rename
    ► Cross-forest trust
    ► Basic and query-based groups (for role-based Authorization Manager)
  ► Supported DCs in forest: Windows 2003
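Because a level only goes up and blocks every DC below it, the practical question before raising is "which DCs are still below the target?". The following is an added example, not part of the original deck, that answers it with plain ADSI (System.DirectoryServices), so it runs from any domain-joined PowerShell 3.0+ host against Windows Server 2003 DCs without the ActiveDirectory module. It reads the current levels from RootDSE and each DC's own level from the msDS-Behavior-Version attribute of its nTDSDSA object (0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003).

```powershell
# Added example (not part of the original deck): functional-level pre-flight check.
# Windows 2000 DCs never set msDS-Behavior-Version on their nTDSDSA object (treated as 0),
# and NT4 BDCs have no nTDSDSA object at all, so ntMixedDomain on the domain head is
# checked separately to detect a domain that still admits NT4 BDCs.

$LevelName = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003' }

function Get-ForestLevelReadiness {
    param([int]$TargetLevel = 2)   # 2 = Windows Server 2003 forest functional level
    $root = [ADSI]'LDAP://RootDSE'
    $cfg  = $root.configurationNamingContext.Value
    $dom  = [ADSI]"LDAP://$($root.defaultNamingContext.Value)"

    # Every AD DC owns an nTDSDSA object under CN=Sites in the configuration partition.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://CN=Sites,$cfg", '(objectClass=nTDSDSA)',
        [string[]]@('distinguishedName', 'msDS-Behavior-Version'))
    $searcher.PageSize = 500
    $dcs = foreach ($r in $searcher.FindAll()) {
        $level = if ($r.Properties.Contains('msds-behavior-version')) {
                     [int]$r.Properties['msds-behavior-version'][0] } else { 0 }
        # The parent of the nTDSDSA object is the server object, which carries dNSHostName.
        $serverDn = ($r.Properties['distinguishedname'][0] -split ',', 2)[1]
        [pscustomobject]@{
            DC    = ([ADSI]"LDAP://$serverDn").dNSHostName.Value
            Level = $level
            Name  = $LevelName[$level]
        }
    }

    $mixed    = ([int]$dom.ntMixedDomain.Value -eq 1)        # 1 = NT4 BDCs still allowed here
    $blockers = @($dcs | Where-Object { $_.Level -lt $TargetLevel })
    [pscustomobject]@{
        # RootDSE exposes these only on Windows Server 2003 DCs; on a 2000 DC they read as 0.
        ForestLevel       = $LevelName[[int]$root.forestFunctionality.Value]
        DomainLevel       = $LevelName[[int]$root.domainFunctionality.Value]
        ThisDomainMixed   = $mixed
        DomainControllers = $dcs
        Blockers          = $blockers
        CanRaiseForest    = (($blockers.Count -eq 0) -and (-not $mixed))
    }
}

$report = Get-ForestLevelReadiness
$report | Format-List ForestLevel, DomainLevel, ThisDomainMixed, CanRaiseForest
$report.DomainControllers | Format-Table DC, Level, Name -AutoSize
```

Run it once per domain if the forest has several, since ntMixedDomain is read from the domain the host is joined to; the DC enumeration itself is forest-wide. Anything listed under Blockers has to be upgraded or demoted before the level can be raised, because the raise is irreversible.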
Features without Dependencies
► Application partitions
► Universal Group Caching
► Install from Media
► No full GC resync when the partial attribute set (PAS) is extended
► SID History migration delegation
► Concurrent LDAP binds
► Manual trigger of online defrag
► DNS in application partitions
► Single-instance store for security descriptors
Forest switch to Windows Server
2003 Functional Level
► Domain controllers switch to new replication notification
  pause values (the registry values "Replicator notify pause
  after modify (secs)" and "Replicator notify pause between
  DSAs (secs)" under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters)
  ► Windows 2000: explicit registry values
    ► 5 minutes / 30 seconds
  ► Windows 2003: new default values if the registry values are not set
    ► 30 secs / 5 secs
► At the forest functional level switch
  ► DCs delete the registry values only if they hold the Windows 2000
    defaults
  ► Those DCs automatically switch to 30 secs / 5 secs
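The caveat in the last bullet matters: a DC whose pause values were tuned by hand (anything other than the Windows 2000 defaults) keeps them through the switch and stays on its slower schedule. The following is an added example, not part of the original deck, that reads the two values from a list of DCs and says what the switch will do with each; it needs PowerShell 3.0+, administrative rights and the Remote Registry service, and the host names `dc1` and `dc2` are placeholders.

```powershell
# Added example (not part of the original deck): which replication pause values will
# survive the forest functional level switch.

$NtdsKey     = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$PauseValues = @{
    'Replicator notify pause after modify (secs)' = 300   # Windows 2000 default (5 minutes)
    'Replicator notify pause between DSAs (secs)' = 30    # Windows 2000 default (30 seconds)
}

# Pure decision logic, separate from the registry access, so it can be reasoned about.
function Get-PauseValueFate([string]$Name, $Value) {
    if ($null -eq $Value) {
        return 'absent: DC already uses the Windows Server 2003 defaults'
    }
    if ([int]$Value -eq $PauseValues[$Name]) {
        return 'Windows 2000 default: DC deletes it at the switch'
    }
    return 'custom value: survives the switch, DC keeps this pause'
}

function Test-ReplicationPauseValues {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $c)
        $key  = $hklm.OpenSubKey($NtdsKey)
        foreach ($name in $PauseValues.Keys) {
            $v = if ($key) { $key.GetValue($name, $null) } else { $null }
            [pscustomobject]@{
                DC      = $c
                Value   = $name
                Current = $v
                Fate    = Get-PauseValueFate $name $v
            }
        }
    }
}

# 'dc1' and 'dc2' are placeholder host names.
Test-ReplicationPauseValues -ComputerName 'dc1', 'dc2' | Format-Table -AutoSize
```

Any row reported as a custom value is a decision point: either delete the value before the switch so the DC picks up the new defaults, or document why that DC is intentionally kept on a longer pause.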
Best Practices For Functional
Levels
► Windows NT 4 Upgrade
► Motivation to move to Windows Server 2003
interim level
► Linked-value-replication (large group support)
► Improved KCC/ISTG
► Set Windows Server 2003 interim forest level
► Once all NT 4 BDCs are upgraded, advance forest
to Windows Server 2003 functional level
► This automatically advances all domains to
Windows Server 2003 functional level
Best Practices For Functional
Levels
► Windows 2000 Upgrade
► Do nothing until all DCs are running
Windows Server 2003
► Make sure that no mixed mode domain is
left in the forest
► Advance forest level to Windows Server
2003 functional level
► This automatically advances all domains to
Windows Server 2003 functional level
Windows NT 4 to Windows
Server 2003 upgrade
► Upgrading from Windows NT 4
► Demo: Upgrading the Windows NT 4 PDC
Upgrading from Windows NT4
(Step by Step)
1. Inventory clients for compatibility with the default
   security settings
   ► Either install software (dsclient, SP) or relax the settings
2. Inventory domain controllers in the domain
   ► Hot fixes
   ► Recommended: SP6a
   ► DC hardware: disk space, CPU, memory
   ► DC health, including replication and the LMRepl file
     replication service
Upgrading from Windows NT4
(Step by Step)
3. Check for services running as LocalSystem on all
   member servers and workstations
   ► Re-configure the service to use a user account, or
   ► Upgrade the server to Windows 2000 Server or Windows
     Server 2003, or
   ► Use “Enable downlevel access” in dcpromo
   ► Services which require “Enable downlevel access”
     include Windows NT 4.0 RAS
Upgrading from Windows NT4
(Step by Step)
4. Configure the LMRepl export server
   ► This will be the last domain controller to be upgraded
   ► If the LMRepl service runs on the PDC, either
     ► Select one BDC to be the new LMRepl export server, or
     ► Move LMRepl to the server that will be upgraded as the
       last DC
5. Secure one BDC (the rollback path: it can be promoted to
   PDC if the upgrade has to be abandoned)
   ► Sync it with the PDC
   ► Take a backup tape and test the restore
   ► Take the BDC off-line and keep it in storage
Upgrading from Windows NT4
(Step by Step)
6. Upgrade the PDC
   ► The PDC cannot perform the PDC role while the upgrade
     and dcpromo run
   ► No changes possible (no new users, groups, group
     membership changes)
   ► Clients and workstations will not be able to change
     passwords
   ► Trusts might fail
   ► Plan for the change freeze / downtime
7. Configure security settings
Upgrading from Windows NT4
(Step by Step)
8. Verify success
   ► Verify that down-level replication to the remaining BDCs works
   ► Verify that users can be added and passwords can be
     changed
9. Install and configure lbridge.cmd
   ► Windows Server 2003 no longer has the LMRepl service; it
     replicates SYSVOL with FRS
   ► Copy all logon scripts and other files from the LMRepl export
     server to the PDC emulator
   ► Configure lbridge.cmd to copy files from the PDC emulator to
     the LMRepl export server
   ► Change files on the PDC emulator only
Upgrading from Windows NT4
(Step by Step)
10. Continue upgrading BDCs
11. Once all DCs are Windows Server 2003
   ► If this was the last domain to join the forest and all DCs
     in the forest are Windows Server 2003, switch to the
     Windows Server 2003 forest functional level
   ► In multi-domain forests, do not raise individual domain
     levels; wait until the last domain is upgraded and raise the
     forest level, which raises every domain
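Steps 2 and 3 above are inventory work, and the LocalSystem check in particular is easy to get wrong by hand. The following is an added example, not part of the original deck, that collects the step 2 data (service pack, memory, free space on the system drive) and the step 3 data (running services that log on as LocalSystem from outside the Windows directory, the ones most likely to be third-party and to reach the DC as a null session) over WMI from a PowerShell 3.0+ host. Assumptions: WMI (DCOM) access to each target, which on NT4 hosts requires the WMI core to be installed; the host names are placeholders.

```powershell
# Added example (not part of the original deck): pre-upgrade inventory for steps 2 and 3.

function Get-Nt4UpgradeInventory {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $os   = Get-WmiObject Win32_OperatingSystem -ComputerName $c
        $cs   = Get-WmiObject Win32_ComputerSystem  -ComputerName $c
        $svcs = Get-WmiObject Win32_Service         -ComputerName $c

        # System drive from the Windows directory (e.g. "C:\WINNT" -> "C:").
        $drive = $os.WindowsDirectory.Substring(0, 2)
        $disk  = Get-WmiObject Win32_LogicalDisk -ComputerName $c -Filter "DeviceID='$drive'"

        # Step 3: running LocalSystem services whose binary is outside the Windows
        # directory. An NT4 service running as LocalSystem authenticates to other
        # machines as a null session, which a Windows Server 2003 DC rejects unless
        # "Enable downlevel access" was chosen in dcpromo.
        $suspects = @($svcs | Where-Object {
                $_.State -eq 'Running' -and
                $_.StartName -eq 'LocalSystem' -and
                (($_.PathName -replace '"', '') -notlike "$($os.WindowsDirectory)*")
            } | Select-Object -ExpandProperty Name)

        [pscustomobject]@{
            Computer            = $c
            OS                  = $os.Caption
            ServicePack         = $os.CSDVersion       # step 2: expect "Service Pack 6a" on NT4 DCs
            MemoryMB            = [int]($cs.TotalPhysicalMemory / 1MB)
            SystemDriveFreeMB   = [int]($disk.FreeSpace / 1MB)
            LocalSystemServices = $suspects           # step 3: reconfigure, upgrade, or enable downlevel access
        }
    }
}

# Placeholder host names.
Get-Nt4UpgradeInventory -ComputerName 'nt4pdc', 'nt4bdc1', 'member01' |
    Format-Table Computer, ServicePack, MemoryMB, SystemDriveFreeMB, LocalSystemServices -AutoSize
```

Treat the LocalSystemServices column as a list to triage, not a verdict: a service only matters here if it actually talks to a DC (RAS, as the slide notes, is the classic case), and the OS-directory filter is a heuristic that a vendor installing into the Windows directory would slip past.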
Upgrading The
Windows NT 4.0 PDC
Windows 2000 to Windows Server
2003 upgrade
► Upgrading from Windows 2000
► Issues with Schema Extensions
► Domain Naming Master
► Domain Upgrade And DNS
► Introducing The First Windows Server
2003 Domain Controller In Forest
► Upgrading from Windows 2000 Step by
Step
Upgrading From Windows 2000
► Easy and seamless upgrade process
► No restructuring necessary
► No forest, domain, OU or replication planning
necessary
► No user / workstation / profile migration
Upgrading From Windows 2000
► Windows Server 2003 DCs fully compatible
with Windows 2000 DCs
► Windows Server 2003 DCs can interoperate in
Windows 2000 forest / domain in any role
► New DC (dcpromo)
► Upgrade of existing DC
► Preparing the forest and domains (adprep) is a separate
  step from introducing the first Windows Server 2003 DC
Issues with Schema Extensions
► Exchange 2000 schema present
  ► The Exchange 2000 schema extensions define three
    attributes in a non-RFC-conformant way
    (houseIdentifier, secretary and labeledURI)
  ► If the Exchange 2000 schema extensions are applied
    before the Windows 2000 inetOrgPerson kit or the
    Windows Server 2003 schema, attributes with mangled
    names are created
  ► See KB article Q325379
Issues with Schema Extensions
► Services For Unix version 2.0
► SFU 2.0 NIS component defines a uid
attribute which clashes with the correct
interpretation in Windows Server 2003
schema
► Adprep cannot extend the schema unless a
QFE is applied
► See KB article Q293783
Introducing The First Windows Server
2003 Domain Controller In Forest
► Once adprep has run, Windows Server 2003 Domain
Controllers can join the forest
► Two methods
► Upgrade existing domain controller
► Install Windows Server 2003 as member server and run
dcpromo
► Can choose any domain to hold the first Windows
Server 2003 DC
Introducing The First Windows Server
2003 Domain Controller In Forest
► Upgrading the PDC emulator performs special
  operations
  ► Creates the Terminal Services group and other internal groups
  ► Transferring the role to a Windows Server 2003 DC triggers the
    same operations
► Best practice
► Install Windows Server 2003 as member server and
promote to Domain Controller
► Upgrade PDC to Windows Server 2003 early in the process
► Or transfer PDC emulator role to Windows Server 2003
DC, even if temporarily only
Upgrading from Windows 2000
(Step by Step)
1. Inventory clients for compatibility with
default security settings
► Either install software (dsclient, SP) or relax
settings
2. Apply schema fixes for Exchange and SFU if
needed
Upgrading from Windows 2000
(Step by Step)
3. Inventory domain controllers in forest
► Hot fixes
► Recommended: SP3
► If not at SP3 please review hotfix and updates
required: Q331161 has details
► Disk space
► DC health including AD replication
4. Run adprep /forestprep
5. In each domain, run adprep /domainprep
Upgrading from Windows 2000
(Step by Step)
6. Install Windows Server 2003 member
server in forest root domain or any other
domain of your choice
7. Promote the member server to DC and monitor replication
8. Move Domain Naming Master role to
Windows Server 2003 DC
Upgrading from Windows 2000
(Step by Step)
9. Upgrade existing Windows 2000 domain
controllers
10. In each domain
   ► Upgrade the PDC emulator as soon as possible (or
     transfer the PDC emulator role to a Windows Server
     2003 DC)
   ► Once all DNS servers are running Windows
     Server 2003, move the domain DNS data into an
     application partition
   ► Verify that the Domain Naming Master role is still held by a
     Windows Server 2003 DC (required to create application partitions)
Upgrading from Windows 2000
(Step by Step)
11. When all DCs are upgraded
► Switch forest to Windows Server 2003
functional level
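Steps 2 to 8 of this procedure each leave a trace in the directory that can be verified before the first Windows Server 2003 DC is promoted and again before the forest level is raised. The following is an added example, not part of the original deck, that checks them with plain ADSI from a domain-joined PowerShell 3.0+ host: the schema version (objectVersion 13 = Windows 2000, 30 = Windows Server 2003), mangled Exchange 2000 attributes from KB 325379 (LDAP display names of the form DUP-name-guid), the adprep completion markers, and which DC holds the Domain Naming Master role and at what level. Assumption: the expected marker revisions (9 for forestprep, 8 for domainprep) are the documented Windows Server 2003 values; they are parameters so they can be adjusted for a different adprep build.

```powershell
# Added example (not part of the original deck): readiness / completion check for the
# Windows 2000 to Windows Server 2003 upgrade.

function Get-Win2003AdprepStatus {
    param(
        [int]$ExpectedForestRevision = 9,   # assumption: documented value for Windows Server 2003 forestprep
        [int]$ExpectedDomainRevision = 8    # assumption: documented value for Windows Server 2003 domainprep
    )
    $root     = [ADSI]'LDAP://RootDSE'
    $schemaNc = $root.schemaNamingContext.Value
    $cfg      = $root.configurationNamingContext.Value
    $dom      = $root.defaultNamingContext.Value

    # Schema version on the schema container head.
    $schema        = [ADSI]"LDAP://$schemaNc"
    $schemaVersion = [int]$schema.objectVersion.Value

    # Mangled Exchange 2000 attributes (KB 325379): conflict resolution renames the
    # lDAPDisplayName to DUP-<name>-<guid>.
    $s = New-Object System.DirectoryServices.DirectorySearcher(
        $schema, '(&(objectClass=attributeSchema)(lDAPDisplayName=DUP-*))', [string[]]@('lDAPDisplayName'))
    $mangled = @($s.FindAll() | ForEach-Object { $_.Properties['ldapdisplayname'][0] })

    # adprep writes a marker object per scope; its revision attribute records completion.
    $forestMarker = "LDAP://CN=Windows2003Update,CN=ForestUpdates,$cfg"
    $domainMarker = "LDAP://CN=Windows2003Update,CN=DomainUpdates,CN=System,$dom"
    $forestRev = if ([System.DirectoryServices.DirectoryEntry]::Exists($forestMarker)) {
                     [int]([ADSI]$forestMarker).revision.Value } else { $null }
    $domainRev = if ([System.DirectoryServices.DirectoryEntry]::Exists($domainMarker)) {
                     [int]([ADSI]$domainMarker).revision.Value } else { $null }

    # Domain Naming Master: fSMORoleOwner on CN=Partitions is the holder's nTDSDSA DN.
    $dnmDsa   = ([ADSI]"LDAP://CN=Partitions,$cfg").fSMORoleOwner.Value
    $dnmLevel = [int]([ADSI]"LDAP://$dnmDsa").'msDS-Behavior-Version'.Value   # absent on a 2000 DC -> 0
    $dnmHost  = ([ADSI]"LDAP://$(($dnmDsa -split ',', 2)[1])").dNSHostName.Value

    [pscustomobject]@{
        SchemaVersion        = $schemaVersion
        SchemaIs2003         = ($schemaVersion -ge 30)
        MangledAttributes    = $mangled                     # step 2: fix per KB 325379 before adprep
        ForestPrepRevision   = $forestRev
        ForestPrepDone       = ($forestRev -ne $null -and $forestRev -ge $ExpectedForestRevision)
        DomainPrepRevision   = $domainRev
        DomainPrepDone       = ($domainRev -ne $null -and $domainRev -ge $ExpectedDomainRevision)
        DomainNamingMaster   = $dnmHost
        DnmOnWindows2003DC   = ($dnmLevel -ge 2)            # step 8 / step 10: needed for application partitions
    }
}

Get-Win2003AdprepStatus | Format-List
```

Run it against each domain (domainprep is per domain, forestprep and the Domain Naming Master are forest-wide). A non-empty MangledAttributes list is the signal to stop and apply the KB 325379 fix before going further, and DnmOnWindows2003DC must be true before the DNS zones can be moved into application partitions in step 10.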
Domain restructuring with
ADMT V-2
► Migrating To Windows Server 2003
► Restructure Activities
► Active Directory Migration Tool Version
2.0
Migrating To Windows Server
2003
► Most migrations from Windows NT 4.0 to
Active Directory are a mix of in-place upgrades
and restructuring
► See “Best Practice Active Directory Design for
Managing Windows Networks” for more
information
► http://www.microsoft.com/windows2000/techinfo
/planning/activedirectory/bpaddsgn.asp
Restructure Activities
► Account domain restructuring
  ► User migration
  ► Global group migration
  ► Migrating user profiles
  ► Migrating Exchange mailbox access
► Resource domain restructuring
  ► Migrating workstations
  ► Migrating resources
Active Directory Migration Tool
Version 2.0
► Password migration
► Windows NT 4.0 to Active Directory
► Forest to forest
► Scripting support
► Command line support
► Can also be used to migrate to Windows 2000
Active Directory
ADMT
Summary
► Windows NT 4 to Windows Server 2003
upgrade very similar to Windows NT 4 to
Windows 2000 upgrade
► Windows 2000 Server to Windows Server
2003 upgrade is easy and requires no
additional design planning
► ADMT v2 makes restructuring easier
Do More With Less
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.