Moving to ws2003


1. Moving to Windows Server 2003 from Windows 2000
   Dave Sayers, Senior Consultant, Windows Team, Microsoft Services Organisation

2. Agenda
   - Benefits of upgrading from Windows 2000
   - Upgrading from Windows 2000
     - Taking inventories
     - Using ADPrep
     - Post-installation tasks
   - Functional levels
   - Tips and tricks

3. Benefits of Upgrade
   - Windows Server 2003 Active Directory is an evolutionary step
     - Improvements in the existing feature set
     - Security fixes
     - Secure by default
     - New features
   - Straightforward upgrade path

4. Benefits of Upgrade
   - Cross-forest Kerberos trust
   - Improved replication
     - Link-value replication (LVR); no GC full synchronisation
     - No 5000-member group limit
   - Domain rename
   - Application partitions
   - Branch office improvements
     - KCC, GC caching
     - Rapid GC demotion

5. Benefits of Upgrade
   - Schema "defunct" (deactivating schema objects)
   - Lingering object removal
   - LDAP improvements
     - Virtual List View support
     - Correct auxiliary class support
     - InetOrgPerson
     - Lightweight LDAP authentication
     - Dynamic entries
   - Single Instance Store

6. Benefits of Upgrade
   - Resultant Set of Policy (RSoP)
     - Planning and reporting modes
   - Many new policy settings
   - Filtering via WMI query
     - The query is evaluated dynamically and GP is applied on the result
   - Group Policy Management Console (GPMC)

7. Important Active Directory Changes: Improved Security Settings
   - "Allow anonymous SID/name translation" policy
     - Clients in NT 4.0 resource domains may experience:
       - "Account Unknown" in the ACL editor
       - Authentication failures by Microsoft and Outlook clients
       - Intermittent results as secure channels move between 2000 and 2003 DCs
   - Everyone group (no longer includes Anonymous Logon by default on 2003)

8. Important Active Directory Changes: Improved Security Settings
   - Pre-Windows 2000 Compatible Access
     - If Everyone is in the Pre-Windows 2000 Compatible Access group, then on upgrade:
       - Anonymous Logon and Authenticated Users are added to it
       - Enterprise Domain Controllers is added to the Windows Authorization Access group
     - Everyone may have been removed by the administrator
       - Common on 2000 domains upgraded from NT 4.0
   - "Enforce SMB signing" is enabled on DCs
     - Protects the integrity of client sessions

9. Upgrade from Windows 2000: Overview
   - Easy upgrade process
     - No AD or OU namespace planning required
     - No DNS namespace, deployment, or delegation conflicts
     - No user / workstation / profile migration
   - Windows Server 2003 DCs
     - Can play any role in a Windows 2000 forest / domain
     - Are fully compatible with Windows 2000 DCs
   - How to introduce 2003 DCs?
     - Add new DCs with DCPROMO
     - Upgrade existing 2000 DCs in place (Winnt32.exe)

10. Upgrade Steps
   - Check the domain controllers' SP level
     - SP1 with QFE 265089 required; SP2 recommended
   - Inventories: client / domain controller / schema
   - Prepare the forest: Adprep /forestprep
   - Prepare the domain(s): Adprep /domainprep
   - Install a Windows Server 2003 member server
   - Run dcpromo
   - Upgrade the other domain controllers

11. Client Inventory: Update Windows 95 and Windows NT 4.0 Clients
   - Security default on Server 2003 DCs: "Enforce SMB signing" is enabled
     - Temporarily relax the setting on the DCs, or update the clients
   - Windows 95: install the DS client or a new operating system
   - Windows NT 4.0: SP3 or later required, SP6a recommended (DFS)
   - All other Microsoft network clients: no action required
     - Latest SPs are always recommended

12. DC Inventory: ADPREP Operations and Mitigation
   - ADPREP adds new permissions, objects, and attributes
   - Protect the schema update and index rebuild on 2000 DCs:
     - Schema delete: fixed in SP2 or QFE (mandatory)
     - Inefficient replication of schema deltas: SP3 or QFE (optional for small domains with fast links)
     - Index replication delay: SP3 or QFE (optional for large domains)
   - 2000 DCs must have SP2 to source AD from a 2003 DC that hosts application partitions

13. DC Inventory: QFE Strategy for 2000 DCs
   - Guiding principles
     - Do not let ADPREP drive forest-wide SP installation
     - A single QFE resolves all ADPREP issues on SP1 to SP3 DCs
     - Install the performance fixes if you cannot tolerate the outage
   - Mixed-version domains
     - The faster you get to an all-2003 DC forest, the less you need 2000 SP3
   - Extended 2000 / 2003 interoperability
     - Windows 2000 SP3 + SP3 regression fixes + NTFRS.EXE + NTDSA.DLL QFE
   - Inventory the DCs with 2003 REPADMIN /SHOWATTR
   - See KB article 331161 for a detailed explanation of the QFEs

14. DC Inventory: DC, Domain, and Forest Health
   For each domain in the forest verify:
   - FSMOs are accounted for and correctly located
     - The schema and infrastructure masters are used by ADPREP
   - Event logs: no significant replication, topology, or other events
   - NETLOGON and SYSVOL shares exist and their contents are synchronised by FRS
   - DCs are applying policy: event 1704 in the application log, no 1202s
   - DCs have free disk space
     - AD database: free space = 15-20% of the NTDS.DIT size
     - AD logs: free space = 15-20% of the *.log files
   - DLT service (optional): stop the service and delete its objects if not used (KB 312403)
   - System state backups: back up two DCs in each domain in the forest

15. DC Inventory: Replication Health
   - Tombstone lifetime (TSL) and the AD object deletion model
     - Goal: transitive replication of deltas between all DCs in the forest hosting a particular NC
     - Blockers: connectivity, DNS configuration, authentication, offline DCs, disjoint topologies, incorrect site or bridgehead selection, replication errors
     - Do not decrease this value lightly, and do not increase it above the default
   - Demote DCs that have not replicated outbound (OB) or inbound (IB) deltas within TSL days
     - DCPROMO /FORCEREMOVAL was added to W2K in the 332199 QFE
     - Full metadata cleanup in DFS, DNS, FRS, AD, NTDSUTIL, etc.
     - Exception: all or the last DC in a domain, or an alternate replication path exists
   - Forest-wide replication check
     - 2003 REPADMIN on an XP or 2003 member against 2000 or 2003 DCs
     - REPADMIN /SHOWREPL * /CSV + Excel AutoFilter for drill-down

16. DC Inventory: REPADMIN /REPLSUM

17. DC Inventory: Plans for Non-Replicating DCs
   - Connection fails for > 60 days (DC3 not replicating IB/OB deltas from DC1)
     - Alternate path exists? Fix the error and keep moving
   - No IB / OB replication for > 60 days (DC3 not replicating IB or OB deltas at all)
     - Replicas of DC3's NCs exist elsewhere? Yes: forced demote of DC3
     - No: fix replication, then clean up lingering objects later
   - Disjoint topology
     - All DCs report replication success, but there is no "bridge" between site links
     - Clean up lingering objects later
   [Diagram: Site Link ABC with DC1 and DC2; Site Link DEF with DC3]
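The drill-down over REPADMIN /SHOWREPL * /CSV output recommended on the replication-health slide, combined with the decision tree on the non-replicating-DCs slide, written out as an added Python example. This is not code from the original deck or from Microsoft. The column names are assumed to match repadmin's CSV mode; every row, DC name, site name and timestamp in SAMPLE_CSV, the frozen NOW value and the 60-day tombstone lifetime are constructed for the example. Beyond the single DC3 case drawn on the slide, it also checks the whole connection graph for the "disjoint topology" case.

```python
"""Drill-down over REPADMIN /SHOWREPL * /CSV output: classify each DC with the
decision tree from the 'Plans for Non-Replicating DCs' slide (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Default tombstone lifetime for forests created on Windows 2000 / 2003 RTM.
TOMBSTONE_LIFETIME_DAYS = 60

# Constructed sample. Column names are assumed to match repadmin's CSV mode;
# every row, DC name and timestamp below is made up for this example.
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,ABC,DC1,"DC=corp,DC=example",ABC,DC2,RPC,0,0,2003-06-30 08:00:00,0
showrepl_INFO,ABC,DC2,"DC=corp,DC=example",ABC,DC1,RPC,0,0,2003-06-30 08:05:00,0
showrepl_INFO,DEF,DC3,"DC=corp,DC=example",ABC,DC1,RPC,1440,2003-06-30 07:00:00,2003-04-01 09:00:00,1722
showrepl_INFO,ABC,DC1,"DC=corp,DC=example",DEF,DC3,RPC,1440,2003-06-30 07:10:00,2003-04-01 09:10:00,1722
showrepl_INFO,GHI,DC4,"DC=corp,DC=example",GHI,DC5,RPC,0,0,2003-06-30 08:20:00,0
showrepl_INFO,GHI,DC5,"DC=corp,DC=example",GHI,DC4,RPC,0,0,2003-06-30 08:25:00,0
"""

# "Now" is frozen so the sample is reproducible (assumption for the example).
NOW = datetime(2003, 6, 30, 9, 0, 0)


def parse_showrepl(text):
    """Return the showrepl_INFO rows as dicts keyed by the CSV header names."""
    return [r for r in csv.DictReader(io.StringIO(text))
            if r["showrepl_COLUMNS"] == "showrepl_INFO"]


def last_success(row):
    """Timestamp of the last successful inbound replication, or None if never."""
    s = row["Last Success Time"]
    if s in ("", "0", "(never)"):
        return None
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def link_ok(row, now, tsl_days):
    """A link is healthy if its last success lies inside the tombstone lifetime."""
    t = last_success(row)
    return t is not None and now - t <= timedelta(days=tsl_days)


def topology_partitions(rows):
    """Connected components of the connection graph (all links, healthy or not).
    More than one component means a disjoint topology: every DC can report
    success, yet there is no bridge between the partitions."""
    dcs = {r["Destination DSA"] for r in rows} | {r["Source DSA"] for r in rows}
    adj = defaultdict(set)
    for r in rows:
        adj[r["Source DSA"]].add(r["Destination DSA"])
        adj[r["Destination DSA"]].add(r["Source DSA"])
    seen, parts = set(), []
    for dc in sorted(dcs):
        if dc in seen:
            continue
        stack, part = [dc], set()
        while stack:
            x = stack.pop()
            if x in part:
                continue
            part.add(x)
            stack.extend(adj[x])
        seen |= part
        parts.append(sorted(part))
    return parts


def plan_for_dcs(rows, now=NOW, tsl_days=TOMBSTONE_LIFETIME_DAYS):
    """Map each DC to the action the slide prescribes for its replication state."""
    dcs = {r["Destination DSA"] for r in rows} | {r["Source DSA"] for r in rows}
    nc_hosts = defaultdict(set)  # naming context -> DCs known to hold a replica
    for r in rows:
        nc_hosts[r["Naming Context"]].update((r["Destination DSA"], r["Source DSA"]))
    plans = {}
    for dc in sorted(dcs):
        inbound = [r for r in rows if r["Destination DSA"] == dc]
        outbound = [r for r in rows if r["Source DSA"] == dc]
        ok_in = any(link_ok(r, now, tsl_days) for r in inbound)
        ok_out = any(link_ok(r, now, tsl_days) for r in outbound)
        all_ok = all(link_ok(r, now, tsl_days) for r in inbound + outbound)
        if not ok_in and not ok_out:
            # No IB or OB deltas inside TSL: demote only if every NC it holds
            # has a replica elsewhere (the "last DC in the domain" exception).
            my_ncs = {r["Naming Context"] for r in inbound + outbound}
            if all(nc_hosts[nc] - {dc} for nc in my_ncs):
                plans[dc] = "forced demote: DCPROMO /FORCEREMOVAL, then full metadata cleanup"
            else:
                plans[dc] = "fix replication first, then clean up lingering objects"
        elif not all_ok:
            plans[dc] = "fix failing link; an alternate path exists, keep moving"
        else:
            plans[dc] = "healthy"
    return plans


if __name__ == "__main__":
    rows = parse_showrepl(SAMPLE_CSV)
    for dc, plan in plan_for_dcs(rows).items():
        print(f"{dc}: {plan}")
    parts = topology_partitions(rows)
    if len(parts) > 1:
        print("disjoint topology, no bridge between:", parts)
```

On the constructed sample DC3 has had no successful inbound or outbound replication for about 90 days against a 60-day TSL while DC1 and DC2 still hold its only naming context, so it is marked for forced demotion; DC1 keeps a healthy path through DC2 and only needs the DC3 link fixed; DC4 and DC5 replicate happily with each other but form a second partition with no connection to the rest of the forest, which is the disjoint-topology case the slide warns about.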
18. Schema Inventory: Exchange 2000 and SFU
   - Exchange 2000 already installed before the 2003 ADPREP?
     - E2K ADPREP defines two non-RFC attributes: LabeledURI and Secretary
     - ADPREP /FORESTPREP defines the same attributes
     - Result: mangled LDAPDisplayNames
     - Fix: "Exchangefix.ldf" from Support Tools on the 2003 CD
       - Specify the full path and wrap the forest root DN in quotes
   - Exchange 2000 to be installed before the 2003 DCs?
     - Execute 2003 ADPREP or the 2000 InetOrgPerson kit first
   - SFU 2
     - SFU 2 defines UID incorrectly
     - Adprep cannot extend the schema unless the QFE is applied
   - KB articles: 325379 and 293783

19. ADPREP /FORESTPREP: Preparing the Forest
   - Prerequisites: client, DC, and schema inventory complete; backups made; E2K / SFU schema conflicts resolved
   - ADPREP /FORESTPREP
     - Adds new SDs, attributes, and objects
     - One-time operation in each forest
     - Run on the console of the schema FSMO
     - Enterprise Admins and Schema Admins rights required
   - Syntax: X:\i386\ADPREP /FORESTPREP, where X: is the fully qualified path to the 2003 media
   - Do NOT make the ADPREP changes manually
   - Verification
     - "Command completed successfully" in ADPREP
     - CN=Windows2003Update present in the configuration NC on all DCs in the forest
     - IB replication by all DCs in the forest
     - %SystemRoot%\System32\Debug\Adprep\Logs\<latest log>

20. ADPREP /DOMAINPREP: Preparing Each Domain
   - ADPREP /DOMAINPREP
     - Adds new SDs in the domain NC and SYSVOL
     - Changes from ADPREP /FORESTPREP must have replicated in first
     - One-time operation on the infrastructure FSMO in each domain
     - Requires Domain Admins rights in the target domain
   - Syntax: X:\i386\ADPREP /DOMAINPREP, where X: is the fully qualified path to the 2003 media
   - Verification
     - "Command completed successfully" in ADPREP
     - CN=Windows2003Update under the domain NC's System container…
     - IB replication by all DCs in the domain
     - %SystemRoot%\System32\Debug\Adprep\Logs\<latest log>

21. Install from Media Promotions: Sourcing AD and GCs from a Local Backup
   - Overview
     1. Create a system state backup from an existing 2003 DC
     2. Restore the backup to a LOCAL drive on a 2003 member server
     3. Run "DCPROMO /ADV"
   - IFM rules
     - The DC being promoted must be on the network
     - Only replica DCs are supported for IFM promotion
     - The backup must be created from a 2003 DC in the same domain
     - The backup must have originated from a GC to source that NC
     - Move / copy rules apply to NTDS.DIT and the log files
     - Unattended IFM promotions are supported

22. Post Upgrade / Install Operations: Verifying the New DC
   - DC is healthy
     - NETLOGON and SYSVOL shares exist
     - DC responds to LDAP, RPC, and logon requests
     - SRV, CNAME, and A records are registered in DNS
     - FRS: add a canary file on the local DC and on a direct replication partner
     - Active Directory: REPADMIN /SHOWREPS
     - Policy is being applied, as noted by event 1704
     - Event log clean; you may see event 1931 on 2000 upgrades

23. Admin Tools
   - Windows 2003 AdminPak.msi installs on Windows 2003 and XP SP1
   - Some tools sign and encrypt LDAP traffic between the client and the domain controller:
     - Active Directory Domains and Trusts
     - Active Directory Sites and Services
     - Active Directory Schema
     - Active Directory Users and Computers
     - ADSI Edit
     - Dsmove.exe, Dsrm.exe, Dsadd.exe, Dsget.exe, Dsmod.exe, Dsquery.exe
     - Group Policy Management Console
     - Object Picker

24. Admin Tools
   - LDAP signing is only available on Windows 2000 SP3 and higher
   - Windows 2003 admin tools administering a Windows 2000 SP2 DC:
     - LDAP signing and encryption in these tools can be disabled (not recommended); see KB 325465

25. Post Upgrade / Install Operations: More Best Practices
   - Backup: create a new system state backup and mark the old backups
   - FSMO roles: transition the PDC emulator and Domain Naming Master to a 2003 DC
   - Install GPMC
     - Schedule backups of Group Policy
     - Test new policy in test domains, then import
   - Deal with DLT: restart the service or delete the objects incrementally according to KB article 312403
   - Monitor: to not monitor AD is to fail

26. Post Upgrade / Install Operations: More Best Practices
   - Account lockout
     - Evaluate the account lockout settings
     - SP4 or 812499 (QFE ready; KB pending) on W2K DCs in the domain
     - Install the Resource Kit tools ACCTINFO and LOCKOUTSTATUS
   - NTDS quotas
     - Set using dsadd
     - Restrict the number of objects a security principal can create (own) in a directory partition

27. ACCTINFO Property Page
   - Adds an "Additional Account Info" tab to the AD Users and Computers snap-in
   - Shows the domain password policy
   - Accepts the user's computer name so the password change is made on a DC in that computer's AD site

28. Lockoutstatus.exe
   - Runs as a stand-alone utility or as an extension to ACCTINFO
   - Shows the bad password count and time across all DCs in the domain

29. Functional Levels: Getting to the Good Stuff
   - Model for introducing new behaviour into the operating system
   - Advanced by the admin when all DCs in "scope" are upgraded
   - Analogy: Windows 2000 native mode (on steroids)
   - Levels can only be increased; there is no rollback
   - As you advance, earlier DC versions are no longer supported in that scope
   - Clients are never impacted
   - Available functional levels
     - Windows Server 2003 domain functionality
     - Windows Server 2003 interim forest functionality (not relevant in this scenario)
     - Windows Server 2003 forest functionality

30. Domain Functional Levels
   Windows 2000 Mixed
     - Enabled features: universal groups (distribution groups only)
     - Supported DCs in domain: Windows NT 4.0, Windows 2000, Windows 2003
   Windows 2000 Native
     - Enabled features: all of mixed mode, plus group nesting, universal security groups, SIDHistory, group conversions
     - Supported DCs in domain: Windows 2000, Windows 2003
   Windows Server 2003 Interim
     - Enabled features: same as Windows 2000 Mixed / Native, depending on whether the domain is in Mixed or Native mode
     - Supported DCs in domain: Windows NT 4.0, Windows 2003

31. Domain Functional Levels (2)
   Windows Server 2003
     - Enabled features: all of Windows 2000 Native, plus:
       - Update of the logon timestamp attribute (lastLogonTimestamp)
       - Kerberos KDC version
       - User password on inetOrgPerson
       - DC rename with netdom
       - Redirect of the Users and Computers containers
       - Authorization Manager can store authorisation policies in AD
       - Selective authentication cross-forest
     - Supported DCs in domain: Windows 2003

32. Forest Functional Levels
   Windows 2000
     - Supported DCs in forest: Windows NT 4.0, Windows 2000, Windows 2003
   Windows Server 2003 Interim
     - Enabled features: all of Windows 2000, plus LVR replication, improved ISTG, new attributes added to the GC
     - Supported DCs in forest: Windows NT 4.0, Windows 2003
   Windows Server 2003
     - Enabled features: all of Windows Server 2003 Interim, plus:
       - Dynamic auxiliary classes
       - User to inetOrgPerson change
       - Schema deactivation and reactivation
       - Domain rename
       - Cross-forest trust
       - Basic and query-based groups (for role-based authorisation)
       - 15-second intrasite replication frequency
     - Supported DCs in forest: Windows 2003

33. Goals by Functional Level: Run, Don't Walk!
   - Forest functional level changes
     - Link-value replication for large group membership (tested with 7 million users; more efficient deletion)
     - KCC scalability improved: 3000 sites a reality
     - KCC branch office mode: fault tolerance with a static KCC-generated topology (to be documented in the 2003 Branch Office Guide)
     - Intrasite replication latency changes from 5 minutes to 15 seconds
   - Why would you not go to the forest functional level as fast as you could?
     - Application compatibility should be the only reason

34. Tips and Tricks: Good Things to Know
   - Initial sync requirements
     - FSMOs must sync their hosting NC before they will function
     - GC sync requirements: must sync all NCs in the forest before advertising
   - Faster object removal than pre-SP3 2000 DCs
   - Secedit /refreshpolicy is replaced by GPUPDATE
   - XP and 2003 are "the" management platform
     - 2003 REPADMIN, GPMC, Resultant Set of Policy, 2003 Admin Pack
   - 2003 Admin Pack
     - ADUC: RAS dial-in tab removed on XP
     - Installs on XP and 2003 clients only

35. © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
