Making the move to Windows Server 2003 in the Enterprise Doing More with Less Peter J. Meister Product Manager Windows Server Product Management Microsoft.


2 Making the move to Windows Server 2003 in the Enterprise Doing More with Less Peter J. Meister Product Manager Windows Server Product Management Microsoft Corporation

3 Agenda
- Migration Strategy
- Preparing to Migrate
- Choose a Migration Path
- Upgrade Migration
- Restructure Migration
- Upgrade and Restructure Migration

4 Migration Strategy
- Migrate by roles
- Divide migration into manageable chunks
- Do high-return migrations first
- Priority = (Value of migration) x (number of servers)
Priority matrix (axes: Number of servers, Value):
        High        Low
High    Priority 1  Priority 3
Low     Priority 2  Priority 4

5 Value by Role
- Different for each organization
- What are your priorities?
  - Reduce capital cost
  - Reduce labor cost
  - Reduce space/labor requirements
  - Increase reliability
  - Deploy new applications
- High-value upgrades:
  - Application servers
  - Domain controllers
  - File servers

6 Upgrade by Role Examples
Example: Major U.S. bank
- Server role: Application servers
- Server count: 200
- Key innovation: applications can be consolidated; reliability
- Business value: space and power savings; lower capital cost; higher availability
Example: GE Medical Systems
- Server role: Domain controllers
- Server count: 70
- Key innovation: Active Directory scalability, central management (GPMC)
- Business value: lower management cost (no need to maintain trust relationships; Exchange integration); higher reliability
Example: Microsoft IT Group
- Server role: Print servers
- Server count: 16
- Key innovation: performance
- Business value: lower capital cost, lower management cost

7 Preparing to Migrate

8 Identify The Current Environment
Identify:
- Current domain model
- Existing trust relationships
- Number and location of domain controllers
- User, group, and computer accounts
- How user profiles are managed
- Domain administration
- Security standards and procedures

9 Migration Terminology
- Domain Migration – Moving user, group, and computer accounts from a Windows NT 4.0 domain to a Windows Server 2003 domain
- Source Domain – The domain from which user principals are being migrated
- Target Domain – The domain into which security principals are being migrated
- Account Domain – A Windows NT 4.0 domain containing user and group accounts
- Resource Domain – A Windows NT 4.0 domain hosting file, print, and other services and containing computer and group accounts
- Consolidate Domains – Restructure a larger number of domains into a lesser number
- Functional Levels – Provide backward compatibility for different Windows operating systems using Active Directory
- Clone – Create new accounts in the target domain that mirror accounts in the source domain
- SID-History – An attribute of Active Directory security principals that stores the former SIDs of moved objects

10 Choose a Migration Path

11 Determine A Migration Path
- Evaluate upgrade decisions
- Evaluate restructure decisions
- Evaluate upgrade and restructure decisions
Possible domain migration paths:
- Domain Upgrade
- Domain Restructure
- Upgrade and Restructure

12 Reasons To Choose A Path
Upgrade
- Similar domain structures suitable to the needs of the organization
- Offers lowest risk/shortest time/fewest resources/no new servers
Restructure
- Existing structure does not meet needs
- Organization cannot tolerate downtime
- Need optimum domain structure
Upgrade and Restructure
- Similar domain structures
- Implement AD features as soon as possible

13 NT4.0 File and Print Server Consolidation Name Group Microsoft Corporation

14 Demo Scenario: Trey Research
Scenario
- Trey Research has too many File and Print servers in their Windows NT 4.0 domain
- Using DFS to enable pilot migration and consolidation of their Atlanta office
Objectives
- Reduce administration costs
- Migrate NT 4 servers without impacting end-user productivity
- Improve overall user productivity.

15 Productive Consolidation at Trey Research, using DFS
1. DFS links to other servers on the network that store the files…
2. Mitch uses DFS to easily browse to and find Trey.doc. He then happily goes to editing.
3. Once migration is complete, the NT servers are decommissioned—and DFS redirects Mitch to Windows Server 2003!
4. And Mitch never stopped working!
[Diagram labels: NT 4.0 servers; Windows Server 2003; "The NT servers are migrated & consolidated to 2003."]

16 Before and after Consolidation at Trey Research
[Figures: NT 4.0 net before Consolidation; After Consolidating to Windows Server 2003]

17 Upgrade Migration

18 Clean Up The SAM Database
Delete
- Duplicate user accounts
- Unused user, group or computer accounts
- Group accounts for resources that do not exist
Disable
- For accounts not needed in the near term
- To retain rights, permissions, and group memberships
- For accounts that own important network resources
Consolidate accounts that do the same thing

19 Clean Up The SAM Database Name Group Microsoft

20 The Order Of Upgrade
- Upgrade account domains first
  - Upgrade an existing account domain to the forest root
  - -or-
  - Create a forest root
  - Upgrade account domains to form child domains in Active Directory
- Upgrade resource domains

21 Upgrade Account Domains
- Domains to which you have the easiest physical access
- Domains that will contain objects from domains restructured early in the process
- Always balance the risk/benefit of upgrading a domain

22 Upgrade Resource Domains
- Domains that contain applications requiring features of Windows Server 2003
- Domains that will contain objects from domains restructured early in the process
- Domains with many client accounts

23 Upgrade Domain Controllers
- Upgrade the PDC first
- Upgrade BDCs
- -or-
- Decommission BDCs and install Windows Server 2003 DCs
- Upgrade a BDC first if the PDC does not meet installation requirements

24 What Happens During A PDC Upgrade
- DNS is configured for Active Directory
- The domain function level is set to Windows 2000 mixed
- The forest functional level is set to Windows 2000
- The upgraded PDC holds the PDC Emulator operations master role

25 Upgrading The PDC Name Group Microsoft

26 Domain Upgrades Effect Trusts
[Diagram: Windows NT 4.0 Domains (ACCT1, ACCT2, RES1); Upgrade; Windows Server 2003 Domains (Forest root, ACCT1, ACCT2, RES1); Transitive Trust between the Windows Server 2003 domains]

27 Ensure Reliable DNS
Upgrade DNS
- Upgrade the server
- Install a new server with Windows Server 2003 DNS
- Update non-Microsoft DNS servers
Minimize the impact of DNS upgrade
- Use only native tools to manage DNS
- Define master servers for DNS

28 Restructure Migration

29 Benefits Of Using The Active Directory Migration Tool
Why use ADMT?
- Analyzes the migration impact both before and after the actual migration process
- Tests migration scenarios before you perform the migration
- Supports migration within a forest and between forests
- Provides wizards to support the most common migration tasks
Migration tasks supported by ADMT
- Migrating user, group, and computer accounts between domains
- Performing security translation on local groups, user profiles, and file and print resources
- Populating the SID-History attribute with migrated security principals
- Translating security on computers
- Resolving the related file, directory, and share security issues

30 ADMT User Migration Options
Option: Purpose
- Translate roaming profiles: Copies roaming profiles from the source domain to the target domain for the selected user accounts
- Update user rights: Sets the user rights assigned to the new user account in the target domain to be the same as the user rights of the original user account
- Migrate associated user groups: Migrates the user’s group at the same time as the user account
- Update previously migrated objects: Updates the groups of which the migrated user accounts are members
- Do not rename accounts: Tries to assign the migrated account the same name as the account in the source domain
- Rename with prefix: Adds the specified prefix to the name of each migrated account in the target domain
- Rename with suffix: Adds the specified suffix to the name of each migrated account in the target domain

31 ADMT Password Migration
Option: Purpose
- Complex passwords: Automatically generates a complex password for each migrated user account
- Same as user name: Sets the password for each copied user account to the first 14 characters of the user account name
- Migrate passwords: Maintains the user password during the account migration
  - You can use Password Encryption Service to migrate passwords by using the User Account Migration Wizard
  - It is not possible for any password filter to verify the password’s complexity or length because only a hash of the password exists in the source domain
- Location to store password file: Specifies a password file to which the assigned or generated passwords are written

32 Sequence For Collapsing Domains
1. Migrate the account domain
2. Migrate the resource domain
[Diagram labels: Source (Account Domain, Resource Domain, Resource Domain); Target (OU, OU, OU)]

33 Moving Migrated Users Name Group Microsoft

34 Migrating Global Groups
Group Account Migration Wizard
- Reads global group objects in the source domain
- Creates a new object in the target (with a new SID)
- Adds original SID to the SID-History attribute of the new object
- Logs events in source and target
[Diagram labels: Global Groups; Windows NT 4.0 (Domain1, Domain2, Domain3); Windows Server 2003 Domain; New Object; New SID; SID-History]

35 Group Migration Options
Option: Purpose
- Update user rights: Copies the user rights assigned in the source domain to the target domain
- Copy group members: Copies the members of the groups you selected to migrate
- Update previously migrated objects: Updates the members of the groups you selected to migrate
- Migrate group SIDs to target domain: Adds the SID of the migrated accounts in the source domain to the SID-History of the new accounts in the target domain
- Do not rename accounts: Tries to assign the migrated group the same name as the group in the source domain
- Rename with prefix: Adds the specified prefix to the name of each migrated group in the target domain
- Rename with suffix: Adds the specified suffix to the name of each migrated group in the target domain

36 Naming Conflicts Options
Option: Purpose
- Ignore conflicting accounts and don't migrate: Leaves the account in the target domain unchanged
- Replace conflicting accounts: Changes properties of existing accounts in the target domain to match the properties of the account with same name in the source domain
- Remove existing user rights: Ensures that the account in the target domain does not have more user rights than the account with the same name in the source domain
- Remove existing members of groups being replaced: Ensures that the members of the migrated groups in the target domain are the same as the members of the associated groups in the source domain
- Rename conflicting accounts by adding the following: Adds the specified prefix or suffix to the name of the migrated account in the target domain

37 Account Transition Options
Option: Purpose
- Disable source accounts: Disables the original user account in the source domain
- Disable target accounts: Disables the new user account in the target domain
- Leave both accounts open: Leaves both the existing account in the source domain and the new account in the target domain active
- Days until source account expires: Sets the number of days after which the source account will no longer be available
- Migrate user SIDs to target domain: Adds the SID of the migrated accounts in the source domain to the SID-History attribute of the new accounts in the target domain

38 Migrating Trusts
- When there is a delay in restructuring domains
- Manually create new trusts
- Migrate complex trusts
- The trust is external, non-transitive, and one-way
- No migration options, just migrate
[Diagram labels: Trusts; Windows NT 4.0 (Domain1, Domain2, Domain3); Windows Server 2003 Domain]

39 Migrating Service Accounts
- Identify service accounts
- Migrate service accounts
- Update the services to log on using the migrated accounts
[Diagram labels: Service Accounts (service1, service2, service3); Windows NT 4.0 (Domain1, Domain2, Domain3); Windows Server 2003 Domain (service1, service2, service3)]

40 Migrating Computer Accounts
- Computer accounts include workstations and member servers
- Workstations and member servers each have their own local SAM database
- Access granting accounts move automatically with computer accounts
[Diagram labels: Computer Accounts; SAM DBs; Windows NT 4.0 (Domain1, Domain2, Domain3); Windows Server 2003 Domain]

41 Migrating Local User Profiles
For workstations running:
- Windows NT 4.0
- Windows 2000
- Windows XP
[Diagram labels: User Profiles; Windows NT 4.0 (Domain1, Domain2, Domain3); Windows Server 2003 Domain]

42 Profile Migration Options
On this wizard page: Do this
- Translate Objects: Specify the type of objects for which you want ADMT to translate security
- Security Translation Options (1):
  - Select Previously migrated objects to retrieve previously migrated objects for security translation
  - Select Other objects specified in a file to retrieve objects that are specified in a file
- Security Translation Options (2):
  - Select Replace to exchange the SID for the account in the source domain with the SID for the account in the target domain
  - Select Add to include both the old SID and the new SID in the profile list registry key on the client computer running Windows NT 4.0
  - Select Remove to delete the SID for the account in the source domain

43 Migrating Shared Local Groups
- To ensure resource access after migration
- Migrate local groups to Windows Server 2003
- Upgrade the domain controller
- Move it to the same domain
- -or-
- Upgrade all domain controllers in the resource domain to Windows Server 2003
- Raise the domain functional level
- Change the group type to universal groups
[Diagram labels: Shared Local Groups; Windows NT 4.0 (Domain1, Domain2, Domain3); Windows Server 2003 Domain]

44 Reconfigure Shared Resource Permissions
- SID-History attribute maintains resource access
- Reconfigure to use new security identifiers
- Clear the SID-History attribute
- Decrease the size of access tokens
- Decrease logon time
- Increase environment performance
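
Added example, not part of the original presentation: before the SID-History attribute is cleared, it helps to know which source-domain SIDs migrated accounts still carry, because those are the SIDs that may still appear on resource ACLs. This Python example decodes binary sIDHistory values from a directory export in LDIF form and groups them by source domain; the domain SIDs, account names and the LDIF sample are all constructed for illustration.

```python
import base64
import struct
from collections import defaultdict

def decode_sid(raw):
    """Binary SID (objectSid / sIDHistory value) -> 'S-1-5-21-...' string."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or malformed SID")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])     # 32-bit each, little-endian
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def encode_sid(sid):
    """Inverse of decode_sid; used here only to build the constructed sample."""
    rev, authority, *subs = (int(p) for p in sid.split("-")[1:])
    return (bytes([rev, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records, 'attr:: base64' or 'attr: text'."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):                  # '::' marks a base64 (binary) value
                entry[attr].append(base64.b64decode(value[1:].strip()))
            else:
                entry[attr].append(value.strip())
        entries.append(entry)
    return entries

def sid_history_report(entries):
    """Map each source-domain SID to the (account, former SID) pairs that still reference it."""
    report = defaultdict(list)
    for entry in entries:
        for raw in entry.get("sIDHistory", []):
            former = decode_sid(raw)
            source_domain = former.rsplit("-", 1)[0]   # strip the RID
            report[source_domain].append((entry["sAMAccountName"][0], former))
    return {domain: sorted(pairs) for domain, pairs in report.items()}

# Constructed sample data: none of these SIDs or names come from the presentation.
OLD_ACCT = "S-1-5-21-1111111111-2222222222-3333333333"   # NT 4.0 account domain
OLD_RES = "S-1-5-21-1234567890-1234567891-1234567892"    # NT 4.0 resource domain
NEW = "S-1-5-21-4000000001-4000000002-4000000003"        # Windows Server 2003 target domain

def _b64(sid):
    return base64.b64encode(encode_sid(sid)).decode()

SAMPLE_LDIF = "\n\n".join([
    "dn: CN=mitch,DC=trey,DC=example\nsAMAccountName: mitch\n"
    f"objectSid:: {_b64(NEW + '-1105')}\nsIDHistory:: {_b64(OLD_ACCT + '-1010')}",
    "dn: CN=svc_print,DC=trey,DC=example\nsAMAccountName: svc_print\n"
    f"objectSid:: {_b64(NEW + '-1106')}\nsIDHistory:: {_b64(OLD_ACCT + '-1011')}\n"
    f"sIDHistory:: {_b64(OLD_RES + '-2001')}",
    "dn: CN=newhire,DC=trey,DC=example\nsAMAccountName: newhire\n"
    f"objectSid:: {_b64(NEW + '-1107')}",
])

if __name__ == "__main__":
    for domain, pairs in sid_history_report(parse_ldif(SAMPLE_LDIF)).items():
        print(domain, "->", pairs)
```

A source domain that no longer appears in the report has no accounts depending on SID-History for access; one that still appears marks resources whose permissions have not yet been reconfigured to the new SIDs.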

45 Maintain DNS Service During Restructure
- Match Active Directory domains to DNS domains
- Establish DNS in the Windows Server 2003 domain
- Make it primary for all AD domains
- Promote the DNS server to a Windows Server 2003 DC
- Change DNS zones to AD integrated
- Create new DNS domains to host SRV records
- Install DNS in the Windows Server 2003 domain
- Integrate it with existing DNS servers
- Move reverse lookup zones

46 Upgrade And Restructure Migration

47 Restructure After Upgrade
[Diagram labels: Windows NT 4.0 (Domain1, Domain2, Domain3); UPGRADE; RESTRUCTURE; Windows Server 2003 Domain]

48 Migrate System Policies
Effects of a domain upgrade
- Group Policy is applied if a Windows Server 2003 domain controller authenticates client computers running Windows Server 2003
- System policies are applied if a Windows NT 4.0 domain controller authenticates client computers running Windows Server 2003
- System policies are applied if a user account or a computer account is located in a Windows NT 4.0 domain
- Group Policy is applied if a user account or a computer account is located in a Windows Server 2003 domain
Effects of a domain restructure
- System policies from the source domain are not automatically processed by migrated client computers
- System policies are applied if a user account or a computer account is located in a Windows NT 4.0 domain
- Group Policy is applied if a user account or a computer account is located in a Windows Server 2003 domain

49 Migrate Logon Scripts
Effects of a domain upgrade
- User-based logon scripts stored in the NETLOGON shared folder are not affected
- Client computers running Windows Server 2003 run any user-based logon scripts and any script assigned to the user account or computer account by using Group Policy if user-based logon scripts are stored in the NETLOGON shared folder
Effects of a domain restructure
- Logon scripts continue to process for cloned and moved user accounts if the logon scripts are migrated to the target domain
- Logon scripts that are not migrated will not process for accounts that have been cloned or moved to a new domain

50 Print Server Consolidation: Customer Experience
Microsoft OTG
- Consolidated 32 NT4.0 Print Servers to 16 Windows 2000 Print Servers then reduced to 4 servers running Windows Server 2003
- Reduced administration time by 50 percent
- Higher performance and I/O throughput provides higher service levels at peak times
“Now that we’re running Windows Server 2003, the group who administers our print queues can maintain and monitor in about half the time,” Tomas Vetrovsky, Lead Program Manager of the Microsoft OTG.

51 Domain Server Consolidation: Customer Experience
GE Medical Systems
- Consolidated 70 autonomous NT4 domains to 4 Windows Server 2003 domains with Active Directory forest infrastructure.
- Effective central management of 40,000 users through the implementation of enterprise-wide standards and policies
- Distribute and roll out updates and patches faster, with less overhead.
- 20% reduction in the number of servers
“With Windows Server 2003, we’re building a more automated, robust system that is more secure, stable, and manageable” Ron Brahm, Global Infrastructure Program Manager.

52 Call To Action
1. Make the move to Windows Server 2003 – Do More with Less
2. Evaluate Windows Server 2003 and see the benefits it can provide in your enterprise
3. Contact Microsoft and its Partners and leverage them to assist in your deployment and migration projects

53 More Information
- Windows Server 2003 Website at Microsoft.com: www.microsoft.com/windowsserver2003
- Top 10 Reasons to move to Windows Server 2003: www.microsoft.com/windowsserver2003/technologies/security
- Top 10 Features of Windows Server 2003 for Organizations Upgrading from Windows NT Server 4.0: www.microsoft.com/windowsserver2003/evaluation/whyupgrade/top10nt.mspx

54 Microsoft Press Information
- Introducing Microsoft Windows Server 2003 (0-7356-1245-5): Available now
- Migrating from Microsoft Windows NT Server 4.0 to Microsoft Windows Server 2003 (0-7356-1940-9): June 2003

55 MCSE Official Curriculum and Courses
- MCSA/MCSE Self-Paced Training Kit (Exam 70-292/70-296): Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 Environment for MCSAs and MCSEs Certified on Microsoft Windows 2000 (ISBN TBD) Q4CY03
Available Today:
- Course 2270: Updating Support Skills from Microsoft Windows NT 4.0 to the Microsoft Windows Server 2003 Family (Beta)
- Course 2283: Migrating from Microsoft Windows NT 4.0 to Microsoft Windows Server 2003 (Beta)
Available Soon:
- Course 2208: Updating Support Skills from Microsoft Windows NT 4.0 to Microsoft Windows Server 2003 (August)
- Workshop 2209: Updating Systems Administrator Skills from Microsoft Windows 2000 to Microsoft Windows Server 2003 (May)
- Workshop 2210: Updating Systems Engineer Skills from Microsoft Windows 2000 to Microsoft Windows Server 2003 (June)

56 Do More With Less

57 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

