Moving to Windows Server 2003 from Windows 2000
Dave Sayers, Senior Consultant, Windows Team, Microsoft Services Organisation

Page 1: Moving to ws2003

Moving to Windows Server 2003 from Windows 2000

Dave Sayers, Senior Consultant

Windows Team, Microsoft Services Organisation

Page 2: Moving to ws2003

Agenda

Benefits of Upgrading from Windows 2000
Upgrading from Windows 2000
Taking inventories
Using ADPrep
Post-installation tasks
Functional Levels
Tips and Tricks

Page 3: Moving to ws2003

Benefits of Upgrade

Windows Server 2003 Active Directory an evolutionary step
Improvements in the existing feature set
Security fixes
Secure by default
New features
Straightforward upgrade path

Page 4: Moving to ws2003

Benefits of Upgrade

Cross Forest Kerberos trust
Improved Replication
  Link Value Replication, No GC Full Synchronisation
No 5000 member group Limit
Domain Rename
Application Partitions
Branch Office Improvements
  KCC, GC Caching
Rapid GC Demotion

Page 5: Moving to ws2003

Benefits of Upgrade

Schema “Defunct”
Lingering Object Removal
LDAP Improvements
  Virtual List View Support
  Correct Auxiliary Class Support
  InetOrgPerson
  Lightweight LDAP authentication
  Dynamic Entries
Single Instance Store

Page 6: Moving to ws2003

Benefits of Upgrade

Resultant Set Of Policy (RSOP) Planning and Reporting Modes
Many new policy settings
Filtering via WMI query
  Dynamically evaluate query and apply GP on result
Group Policy Management Console

Page 7: Moving to ws2003

Important Active Directory Changes
Improved Security Settings

Allow anonymous SID / name translation policy
  Clients in NT 4.0 resource domains may experience:
    “Account Unknown” in ACL editor
    Authentication failure by Microsoft and Outlook clients
    Intermittent results as Secure Channels move between 2000 / 2003 DCs
Everyone group

Page 8: Moving to ws2003

Important Active Directory Changes
Improved Security Settings

Pre-Windows 2000 compatible access
  If Everyone is in Pre-Windows 2000 Compatible Access group, then:
    Anonymous Logon and Authenticated Users are added
    Enterprise Domain Controllers is added to Windows Authorization Access group
  Everyone may have been removed by the administrator
    Common on 2000 domains upgraded from NT 4.0
“Enforce SMB signing” enabled
  Integrity of the client

Page 9: Moving to ws2003

Upgrade from Windows 2000
Overview

Easy upgrade process
  No AD or OU namespace planning required
  No DNS namespace, deployment, or delegation conflicts
  No user / workstation / profile migration
Windows 2003 Server DCs
  Can play any role in Windows 2000 forest / domain
  Are fully compatible with Windows 2000 DCs
How to introduce 2003 DCs?
  Add new DCs with DCPROMO
  Upgrade of existing 2000 DC (Winnt32.exe)

Page 10: Moving to ws2003

Upgrade Steps

Check domain controllers’ SP level
  SP1 with QFE265089 required
  SP2 recommended
Inventories
  Client/Domain Controller/Schema
Prepare forest
  Adprep /forestprep
Prepare domain(s)
  Adprep /domainprep
Install Windows Server 2003 Member Server
  Run dcpromo
Upgrade other domain controllers

Page 11: Moving to ws2003

Client Inventory
Update Windows 95 and Windows NT 4.0 Clients

Security default on Server 2003 DCs
  By default, “Enforce SMB Signing” is enabled
  Temporarily relax settings on DCs or update clients
Windows 95
  Install DS client or new operating system
Windows NT 4.0:
  SP3 or later required, SP6a recommended (DFS)
All other Microsoft network clients
  No action required
Latest SPs are always recommended

Page 12: Moving to ws2003

DC Inventory
ADPREP Operations and Mitigation

ADPREP
  Adds new permissions, objects, and attributes
Protect Schema update and index rebuild
  Schema Delete: fixed in SP2 or QFE
    Mandatory
  Inefficient replication of schema deltas: SP3 or QFE
    Optional for small domains with fast links
  Index Replication Delay: SP3 or QFE
    Optional for large domains
2000 DCs must have SP2 to source AD from 2003 DC*
  * If hosting application partitions

Page 13: Moving to ws2003

DC Inventory
QFE Strategy for 2000 DCs

Guiding principles
  Do not let ADPREP drive forest-wide SP installation
  Single QFE resolves all ADPREP issues on SP1 → SP3 DCs
  Install performance fixes if you cannot tolerate outage
Mixed version domains
  The faster you get to all 2003 DC forests, the less you need 2000 SP3
Extended 2000 / 2003 interoperability
  Windows 2000 SP3 + SP3 regressions + NTFRS.EXE + NTDSA.DLL QFE
Inventory for DCs with 2003 REPADMIN /SHOWATTR
See KB article 331161 for detailed explanation on QFEs

Page 14: Moving to ws2003

DC Inventory
DC, Domain, and Forest Health

For each domain in the forest verify:
FSMOs
  Accounted for and correctly located
  Schema + infrastructure used by ADPREP
Event logs
  No significant replication, topology, or other events
NETLOGON and SYSVOL
  Shares exist and contents synchronized by FRS
  DCs applying Policy - 1704 in application log, no 1202s
DCs have free disk space
  AD database: Free space = 15-20% of NTDS.DIT size
  AD logs: Free space = 15-20% of *.log files
DLT Service (optional)
  Stop service and delete object if not used - 312403
System state backups
  Backup two DCs in each domain in the forest

Page 15: Moving to ws2003

DC Inventory
Replication Health

Tombstone lifetime (TSL) and AD object deletion model
  Goal: Transitive replication of deltas between all DCs in the forest hosting a particular NC
  Blockers: Connectivity, DNS configuration, authentication, offline DCs, disjointed topologies, incorrect site or BridgeHead selections, replication errors
  Do not decrease this value lightly, and do not increase above default
Demote DCs not replicating OB or IB deltas in TSL days
  DCPROMO /FORCEREMOVAL added to W2K in 332199 QFE
  Full metadata cleanup in DFS, DNS, FRS, AD, NTDSUTIL, etc.
  Exception: All or last DC in domain or alternate replication path
Forest-wide replication check
  2003 REPADMIN on XP or 2003 member against 2000 or 2003 DCs
  REPADMIN /SHOWREPL * /CSV + Excel Autofilter for drilldown

Page 16: Moving to ws2003

DC Inventory
REPADMIN /REPLSUM

Page 17: Moving to ws2003

DC Inventory
Plans for Non-Replicating DCs

Connection fails for > 60 days
  DC3 not replicating IB OB deltas from \\DC1
  Alternate path exists?
    Fix error and keep moving
No IB / OB replication > 60 days
  DC3 not replicating IB or OB deltas
  Replicas for DC3 NCs exists?
    Yes - forced demote DC3
    No - fix replication, then clean up lingering objects later
Disjoint topology
  All DCs report replication success
  No “bridge” between site links
  Clean up lingering objects later

[Diagram labels: Site Link ABC, Site Link DEF, \\DC1, \\DC2, \\DC3]
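
The forest-wide replication check from the Replication Health slide, combined with the decision tree on this slide, as an added Python example that is not part of the original presentation: it reads a REPADMIN /SHOWREPL * /CSV export and assigns each destination DC and NC one of the three outcomes listed above. The column layout, timestamp format, DC names and sample rows are assumptions constructed for illustration, and only inbound links are evaluated.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

TSL_DAYS = 60  # "> 60 days" threshold from the Plans for Non-Replicating DCs slide
TIME_FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format of the CSV export

ALTERNATE_PATH = "alternate path exists: fix error and keep moving"
FORCED_DEMOTE = "replicas of NC exist: forced demote"
FIX_THEN_CLEAN = "no healthy replica: fix replication, clean up lingering objects later"

# Constructed sample rows, not real output. The column layout is the one assumed
# for REPADMIN /SHOWREPL * /CSV; compare it with the header your build emits.
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=corp,DC=example",HQ,DC2,RPC,0,0,2003-06-01 09:00:12,0
showrepl_INFO,HQ,DC2,"DC=corp,DC=example",HQ,DC1,RPC,0,0,2003-06-01 09:01:40,0
showrepl_INFO,Branch,DC3,"DC=corp,DC=example",HQ,DC1,RPC,1480,2003-06-01 08:45:00,2003-03-01 02:10:00,1722
showrepl_INFO,Branch,DC3,"DC=corp,DC=example",HQ,DC2,RPC,0,0,2003-06-01 08:50:03,0
showrepl_INFO,Remote,DC4,"DC=corp,DC=example",HQ,DC1,RPC,2100,2003-06-01 08:30:00,2003-02-10 23:15:00,1722
showrepl_INFO,Lab,DC5,"DC=lab,DC=corp,DC=example",Lab,DC6,RPC,900,2003-06-01 07:00:00,2003-01-15 04:00:00,1722
showrepl_INFO,Lab,DC6,"DC=lab,DC=corp,DC=example",Lab,DC5,RPC,900,2003-06-01 07:05:00,2003-01-15 04:02:00,1722
"""


def parse_showrepl(text):
    """Return one dict per inbound replication link found in the CSV text."""
    links = []
    for rec in csv.DictReader(io.StringIO(text)):
        if rec["showrepl_COLUMNS"] != "showrepl_INFO":
            continue  # assumed marker for data rows; anything else is skipped
        stamp = rec["Last Success Time"].strip()
        links.append({
            "dest": rec["Destination DSA"],
            "nc": rec["Naming Context"],
            "src": rec["Source DSA"],
            # "0" or an empty field is treated as "never succeeded"
            "last_success": (datetime.strptime(stamp, TIME_FMT)
                             if stamp not in ("", "0") else None),
        })
    return links


def triage(links, now, tsl_days=TSL_DAYS):
    """Map (destination DC, NC) -> (action, stale sources) for links past TSL."""
    cutoff = now - timedelta(days=tsl_days)
    inbound = defaultdict(list)  # (dest, nc) -> [(source, fresh?)]
    for link in links:
        fresh = link["last_success"] is not None and link["last_success"] >= cutoff
        inbound[(link["dest"], link["nc"])].append((link["src"], fresh))

    # A replica of an NC counts as healthy if any inbound link succeeded within TSL.
    healthy = defaultdict(set)
    for (dest, nc), sources in inbound.items():
        if any(fresh for _, fresh in sources):
            healthy[nc].add(dest)

    findings = {}
    for (dest, nc), sources in inbound.items():
        stale = sorted(src for src, fresh in sources if not fresh)
        if not stale:
            continue
        if dest in healthy[nc]:
            action = ALTERNATE_PATH   # another partner still delivers deltas
        elif healthy[nc]:
            action = FORCED_DEMOTE    # other DCs hold a current copy of the NC
        else:
            action = FIX_THEN_CLEAN   # no current copy anywhere
        findings[(dest, nc)] = (action, stale)
    return findings


if __name__ == "__main__":
    report = triage(parse_showrepl(SAMPLE_CSV), now=datetime(2003, 6, 1, 12, 0, 0))
    for (dest, nc), (action, stale) in sorted(report.items()):
        print(f"{dest} [{nc}] stale from {', '.join(stale)} -> {action}")
```

Pass the real export text to parse_showrepl and the current time to triage; the disjoint-topology case on this slide cannot be detected this way, because every DC reports success.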

Page 18: Moving to ws2003

Schema Inventory
Exchange 2000 and SFU

E2K already installed before 2003 ADPREP?
  E2K ADPREP defines two non-RFC attributes
    LabeledURI + Secretary
  ADPREP /FORESTPREP defines same attributes
  Result: Mangled LDAPDISPLAYNAMES
  Fix: “Exchangefix.ldf” from Support\Tools on 2003 CD
    Specify full path and wrap forest root DN in quotes
E2K to be installed before 2003 DCs?
  Execute 2003 ADPREP or 2000 InetOrgPerson Kit first
SFU 2
  SFU 2 defines UID incorrectly
  Adprep cannot extend unless QFE is applied
KB articles: 325379 and 293783

Page 19: Moving to ws2003

ADPREP /FORESTPREP
Preparing the Forest

Client, DC, and schema inventory complete; backups made
E2K / SFU schema conflicts resolved
ADPREP /FORESTPREP
  Adds new SDs, attributes, and objects
  One time operation in each forest
  Run on console of schema FSMO
  Enterprise Administrator and Schema Administrators rights required
SYNTAX
  X:\i386\ADPREP /FORESTPREP
  Where X is the fully qualified path to the 2003 media
  Do NOT execute ADPREP changes manually
Verification
  “Command completed successfully” in ADPREP
  CN=Windows2003Update in configuration NC for all DCs in forest
  IB replication by all DCs in forest
  \System32\Debug\Adprep\Logs\<Latest log>

Page 20: Moving to ws2003

ADPREP /DOMAINPREP
Preparing Each Domain

ADPREP /DOMAINPREP
  Adds new SDs in Domain NC and SYSVOL
  Changes from ADPREP /FORESTPREP must replicate in
  One time operation on infrastructure FSMO in each domain
  Requires domain administrator rights in target domain
SYNTAX
  X:\i386\ADPREP /DOMAINPREP
  Where X is the fully qualified path to the 2003 media
Verification
  “Command completed successfully” in ADPREP
  CN=Windows2003Update in Domain NC\SYSTEM…
  IB replication by all DCs in the domain
  \System32\Debug\Adprep\Logs\<Latest log>

Page 21: Moving to ws2003

Install from Media Promotions
Sourcing AD and GCs from a Local Backup

Overview
  1. Create system state backup from existing 2003 DC
  2. Restore backup to a LOCAL drive on a 2003 member
  3. Run “DCPROMO /ADV”
IFM rules
  DC being promoted must be on the network
  Only replica DCs are supported for IFM promotion
  Backup must be created from a 2003 DC in same domain
  Backup must have originated from GC to source that NC
  Move / copy rules for NTDS.DIT + log files
  Unattended IFM promotions supported

Page 22: Moving to ws2003

Post Upgrade / Install Operations
Verifying the New DC

DC is healthy
  NETLOGON + SYSVOL shares exist
  DC responds to LDAP, RPC, and logon requests
  SRV, CNAME, and A records are registered in DNS
  FRS: Add canary file on local + direct replication partner
  Active Directory: REPADMIN /SHOWREPS
  Policy being applied as noted by Event 1704
  Event log clean – may see event 1931 on 2000 upgrades

Page 23: Moving to ws2003

Admin Tools

Windows 2003 AdminPak.msi installs on:
  Windows 2003
  XP SP1
Some tools sign and encrypt LDAP traffic between client and domain controller:
  Active Directory Domains and Trusts
  Active Directory Sites and Services
  Active Directory Schema
  Active Directory Users and Computers
  ADSI Edit
  Dsmove.exe
  Dsrm.exe
  Dsadd.exe
  Dsget.exe
  Dsmod.exe
  Dsquery.exe
  Group Policy Management Console
  Object Picker

Page 24: Moving to ws2003

Admin Tools

LDAP Signing only available on Windows 2000 SP3 and higher

Windows 2003 Admin Tools administering Windows 2000 SP2 DC:

LDAP signing and encryption of these tools can be disabled – not recommended – KB 325465

Page 25: Moving to ws2003

Post Upgrade / Install Operations
More Best Practices

Backup
  Create a new system state backup – mark old backups
FSMO roles
  Transition PDC and Domain Naming Master to 2003 DC
Install GPMC
  Schedule backups of Group Policy
  Test new policy in test domains then import
Deal with DLT
  Restart service or delete objects incrementally according to KB article 312403
Monitor
  To not monitor AD is to fail

Page 26: Moving to ws2003

Post Upgrade / Install Operations
More Best Practices

Account Lockout
  Evaluate account lockout settings
  SP4 or 812499 (QFE ready; KB pending) on W2K DCs in the domain
  Install Resource Kit tools ACCTINFO and LOCKOUTSTATUS
NTDS Quotas
  Set using DSadd
  Restrict number of objects that can be created in the directory

Page 27: Moving to ws2003

ACCTINFO Property Page

Additional Account Info tab in AD Users and Computers snap-in

Domain Password Policy

Users computer name used to change password on DC in AD same site

Page 28: Moving to ws2003

Lockoutstatus.exe

Runs as a stand-alone utility or extension to ACCTINFO. Shows bad password count and time across all DCs in domain.

Page 29: Moving to ws2003

Functional Levels
Getting to the Good Stuff

Model to introduce new behavior into the operating system
  Advanced by admin when all DCs in “scope” are upgraded
  Analogy: Windows 2000 native mode (on steroids)
  Levels can only be increased – no rollback
  As you advance, earlier DC versions are ignored
  Clients are never impacted
Available functional levels
  Windows 2003 Server domain functionality
  Windows 2003 Server interim forest functionality
    Not relevant in this scenario
  Windows 2003 Server forest functionality

Page 30: Moving to ws2003

Domain Functional Levels

Domain Functionality: Windows 2000 Mixed
  Enabled Features: Universal Groups (non-security only)
  Supported DCs in Domain: Windows NT 4.0, Windows 2000, Windows 2003

Domain Functionality: Windows 2000 Native
  Enabled Features: All mixed mode, plus: Group nesting, Universal groups, SIDHistory, Group conversions
  Supported DCs in Domain: Windows 2000, Windows 2003

Domain Functionality: Windows 2003 Server Interim Mixed / Native
  Enabled Features: Same as Windows 2000 Mixed / Native mode – depends on whether domain is Mixed or Native mode
  Supported DCs in Domain: Windows NT 4.0, Windows 2003

Page 31: Moving to ws2003

Domain Functional Levels (2)

Domain Functionality: Windows 2003 Server
  Enabled Features: All Windows 2000 Native, plus:
    Update logon timestamp attribute
    Kerberos KDC version
    User password on inetOrgPerson
    DC rename with netdom
    Redirect users and computers
    Authorization Manager can store auth policies
    Selective authentication cross-forest
  Supported DCs in Domain: Windows 2003

Page 32: Moving to ws2003

Forest Functional Levels

Forest Functionality: Windows 2000
  Supported DCs in Forest: Windows NT 4.0, Windows 2000, Windows 2003

Forest Functionality: Windows 2003 Server Interim
  Enabled Features: All Windows 2000, plus:
    LVR replication
    Improved ISTG
    New attributes added to GC
  Supported DCs in Forest: Windows NT 4.0, Windows 2003

Forest Functionality: Windows 2003 Server
  Enabled Features: All Windows 2003 Server Interim, plus:
    Dynamic aux classes
    User to inetOrgPerson change
    Schema deactivation and reactivation
    Domain rename
    Cross-forest trust
    Basic and query-based groups (for roles-based authorization)
    15 sec. intrasite replication frequency
  Supported DCs in Forest: Windows 2003

Page 33: Moving to ws2003

Goals by Functional Level
Run, Don’t Walk!

Forest functional level changes
  Link Value Replication for Large group membership
    7MM users tested + more efficient deletion
  KCC scalability improved
    3000 sites a reality
  KCC branch office mode
    Fault tolerance with a static KCC generated topology
    To be documented in 2003 Branch Office Guide
  Change from 5 minute to 15 second intrasite replication latency
Why would you not go to FFL as fast as you could?
  Application compatibility should be the only reason

Page 34: Moving to ws2003

Tips and Tricks
Good Things to Know

Initial Sync requirements
  FSMOs must sync hosting NC before they will function
GC Sync requirements
  Must sync all NCs in the forest before advertising
  Faster to remove objects than Pre-SP3 2000 DCs
Secedit /refreshpolicy replaced by GPUPDATE
XP and 2003 is “the” management platform
  2003 REPADMIN, GPMC, Resultant Policy, 2003 Admin Pack
2003 Admin Pack
  ADUC: RAS dial-in tab removed on XP
  Installs on XP and 2003 clients only

Page 35: Moving to ws2003

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.