Getting off NT4

Raj Natarajan
National Technology Specialist
What this Session Covers
• Upgrade / Migration by Workload
– Domain / Directory
– File & Print
– Infrastructure Services
– App Server
Prerequisite Knowledge
• Windows NT Server 4.0 administration
• Windows Server 2003 administration
• Virtual PC 2004 or Virtual Server 2005
• & the ability to develop an Operating System!
(NOT)
Preparing to Upgrade OS
• In all cases, the first step should be
‘winnt32.exe /checkupgradeonly’
– This provides a detailed report of what will and will
not work with Windows Server 2003.
– Exportable list of what needs to be fixed and what to
do about it.
– If an internet connection is present, winnt32.exe can
query Microsoft for any important changes since the
installation media was prepared.
Forest / Domain / Tree considerations
• Forest is the Security boundary
• Number of domains should match password complexity
requirements
• Extranet – Use another forest, not another domain
• Tree – Political / Organisational considerations around
namespace
• If upgrading legacy NT4 domains
– Create Empty Forest Root or Upgrade largest Accounts Domain
to Root Domain in Forest
– Upgrade other Domains as Child Domains in existing forest
– Once upgrade is complete, consider domain consolidation via
Intra-forest migration; ADMTv2 is your friend
Windows NT 4.0 Domain Upgrade Preparation
• Know your domain
– Visio Network Discovery or similar tools can be
leveraged for network inventory.
– If Domain Name System (DNS) infrastructure exists,
create a delegation for the first PDC to host the
Active Directory zone.
– LMRepl should be configured on Windows NT 4.0
domain controllers.
– The LMRepl export server should be the last server
upgraded.
Domain Upgrade Strategies
• Windows NT 4.0 Domain Upgrade
– Similar to process for upgrade to Windows 2000
– In-place or Migrate
• Different Approaches for Simplifying Domain
Structure
– Single domain strategy
– Empty forest root strategy
Single Domain Forest Strategy
• Largest Windows NT 4.0 account domain is upgraded to
Windows Server 2003 forest root
– Select Windows 2003 interim forest mode during DCPromo.
• Let DCPromo configure DNS
– DCPromo will read the delegation and prompt to install DNS
locally.
– Forest and domain zones will be created automatically.
• Continue upgrading or retiring backup domain
controllers (BDCs) until all domain controllers run
Windows Server 2003
Multi-Domain Strategy
• Establish forest with empty root domain with a
new Windows Server 2003
• Advance domain to Windows 2003 functionality
level using Domain.msc
• Advance forest to Windows 2003 interim
functionality level
– No UI offered in clean install
– Use ADSIEdit.msc or LDP.exe
• Create delegation in DNS for first PDC to be
upgraded
Multi-Domain Strategy (2)
• Upgrade Windows NT 4.0 PDC and DCPromo to
create child domain of the empty root
– Domain will be automatically set to Windows 2003
Interim Mode
– DCPromo will notice the delegation and prompt to
install DNS
– DNS will create default application partition
– When all BDCs are upgraded, advance domain to
Windows 2003 functionality
Migrating with ADMTv2
• Two Types of Domain Migration
– Interforest: Objects are cloned across domain and
forest boundaries
– Intraforest: LDAP_Move operation after which the
source object no longer exists
• By definition, all Windows NT to Active
Directory migrations are Interforest.
Domain Migration with ADMTv2
• Objects migrated include:
– Users
– Groups
– Computers
– Profiles
– Network resources
– Access control lists
– Security identifiers
• Domain controllers cannot be migrated.
Maintaining Access with ADMTv2
• Windows 2000 introduced the sIDHistory
attribute on Users and Groups in native mode
domains.
• When Users and Groups are migrated, sIDHistory
can be populated with their security identifiers
from the source domain.
• sIDHistory provides a temporary method of
maintaining access to resources during
migration.
• This should not be considered a permanent
solution for access to resources.
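To check that sIDHistory really is temporary, a post-migration audit can list every account that still carries it. The sketch below is an added example, not part of the original presentation: it assumes an LDIF export of user and group objects from the target domain, and the sample data, the domain SID and the `retired_domains` parameter are constructed for illustration.

```python
import base64
import struct

OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed source-domain SID

def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' as a binary SID (only used to build the sample below)."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(raw):
    """Decode revision, sub-authority count, 48-bit authority, little-endian sub-authorities."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "-".join(["S", str(raw[0]), str(int.from_bytes(raw[2:8], "big"))]
                    + [str(s) for s in subs])

def audit_sid_history(ldif, retired_domains):
    """Return (account, old SID, source domain retired?) for each sIDHistory value."""
    findings = []
    unfolded = ldif.replace("\r\n", "\n").replace("\n ", "")  # undo LDIF line folding
    for entry in unfolded.split("\n\n"):
        name, sids = None, []
        for line in entry.splitlines():
            if line.startswith("sAMAccountName: "):
                name = line.split(": ", 1)[1]
            elif line.startswith("sIDHistory:: "):  # '::' marks a base64 value
                sids.append(bytes_to_sid(base64.b64decode(line.split(":: ", 1)[1])))
        # The domain SID is the account SID without its final RID.
        findings += [(name, s, s.rsplit("-", 1)[0] in retired_domains) for s in sids]
    return findings

# Constructed sample export: one migrated account with sIDHistory, one without.
SAMPLE_LDIF = (
    "dn: CN=Alice,CN=Users,DC=example,DC=com\n"
    "sIDHistory:: " + base64.b64encode(sid_to_bytes(OLD_DOMAIN + "-1105")).decode() + "\n"
    "sAMAccountName: alice\n\n"
    "dn: CN=Bob,CN=Users,DC=example,DC=com\n"
    "sAMAccountName: bob\n"
)

if __name__ == "__main__":
    for finding in audit_sid_history(SAMPLE_LDIF, {OLD_DOMAIN}):
        print(finding)
```

Accounts flagged with a retired source domain are the ones to clear once security translation of the resources they access is complete.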
ADMTv2 Improvements
• Interforest Password Migration
• More Robust Computer Migration Agents
• Group Migration Optimised for Speed
• Internal sID Database Allows Source Domains to be Retired
• Migration Tasks Can be Delegated Rather than
Requiring Domain Administrator Credentials
• inetOrgPerson Support
• Post-Migration User Renaming
ADMTv2 Improvements (2)
• Scripting and Command Line Interfaces
• Customisable Attribute Exclusion Lists
• Enhanced Logging
• Account Transition Options
• Improved Reporting Wizard
• Security Translation and SID Mapping Files
• Available for free from www.microsoft.com
Active Directory Migration Tool
File/Print/Other
• File Server Migration Toolkit
• Printer Migration Scripts
• DNS/DHCP/WINS easy cut-over
• RAS/RADIUS/VPN
• IIS – Compatibility Mode?
Application Servers
• Now that takes care of the Domain, Directory, &
Core Infrastructure Servers, what about my App
servers?
Standard IT Answer – It Depends!
Evaluate what you really need!
Virtual Server?
Application Compatibility Mode
• Common Issues in Application Compatibility
– Application Compatibility Toolkit
Evaluate what really needs to stay
• Legacy Apps
• Apps replaced by new apps with similar
functionality
• Servers untouched in a corner
• Cobwebs in the power supply!
Status Quo
• Identify Risks
• Put in Mitigation (migration) plans
• Reduce Hardware risk by Virtualising
– Virtualise only where applicable
– Don’t virtualise because you can
Virtual Server 2005
Pros and Cons of Migration
• Pros
– Extends the life of the LOB application
– Re-organisation or consolidation
– Hardware Risk Mitigation
• Cons
– No more stable
– Similar Security Model
– Does not extend Windows NT Server 4.0 support
http://www.microsoft.com/technet/community/events/vpc/tnt1-97.mspx
Virtual Server 2005
Virtualisation Scenario Overview
[Diagram labels: Physical Server: Windows NT Server 4.0 Server; Virtual Machine: Windows NT Server 4.0 Server; Windows 2003 Server]
Virtual Server Migration Toolkit
Application Compatibility Mode
Application Compatibility Mode Options
Common Compatibility Issues on Windows XP
• OS Version Number
• Hard-coding paths to Special Folders
– Temp
– Profiles
– Documents & Settings
– My Documents
• Running under non-Administrator Accounts
• Installation Failures
• Registry Changes
• Applications with Platform-Specific drivers
– Common in Anti-Virus, Backup and Partitioning software
– Low-level drivers, 9x drivers, File System Filters, etc.
Windows XP Compatibility Issues
[Chart: Breakdown of Issues. Scale: 0% to 40%. Categories: Broken Kernel Mode Drivers; Platform Specific Apps; App will not install; Version - expects Win9x/NT4x; Uninstall Failure; Path; Cosmetic; Focus; Printer]
Windows Server 2003 Changes
• The new DLL search order:
– Application folder.
– System32.
– System (16-bit system folder).
– Windows.
– Current working directory.
– Previous Windows platforms had current working directory before System32!
• No Visual Basic 5.0 Runtime
• IIS Not Installed by Default
• Default Permissions & Services Changed
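The search-order change matters twice over: an application that relied on a private DLL in its working directory now gets the system copy, and a DLL that used to shadow a system file from the working directory no longer does. The sketch below is an added example, not part of the original presentation. It resolves each DLL name under both orders listed on the slide and reports the names that load from a different place; the role names, `build_sample` layout and file names are constructed for illustration.

```python
import os

# Search orders as listed on the slide; the role names are labels chosen for this example.
SERVER_2003_ORDER = ["application", "system32", "system16", "windows", "cwd"]
LEGACY_ORDER = ["application", "cwd", "system32", "system16", "windows"]

def resolve(dll, dirs, order):
    """Return (role, path) of the first directory in `order` that contains `dll`, or None."""
    for role in order:
        folder = dirs.get(role)
        if not folder or not os.path.isdir(folder):
            continue
        for entry in os.listdir(folder):
            if entry.lower() == dll.lower():  # Windows file names are case-insensitive
                return role, os.path.join(folder, entry)
    return None

def search_order_changes(dlls, dirs):
    """List (dll, legacy role, Server 2003 role) for names that resolve differently."""
    changed = []
    for dll in dlls:
        old = resolve(dll, dirs, LEGACY_ORDER)
        new = resolve(dll, dirs, SERVER_2003_ORDER)
        if old != new:  # both are found; only the winning directory differs
            changed.append((dll, old[0], new[0]))
    return changed

def build_sample(root):
    """Create a constructed directory layout under `root` for the demonstration."""
    layout = {"application": ["app.exe"], "cwd": ["SHARED.DLL", "data.dll"],
              "system32": ["shared.dll"], "system16": [], "windows": []}
    dirs = {}
    for role, files in layout.items():
        dirs[role] = os.path.join(root, role)
        os.makedirs(dirs[role])
        for name in files:
            open(os.path.join(dirs[role], name), "w").close()
    return dirs

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        print(search_order_changes(["shared.dll", "data.dll"], build_sample(root)))
```

Pointed at a real application's folders, every name it reports is a DLL to test before cut-over and a working-directory file worth explaining.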
If you want to fix your application
• Application Compatibility Toolkit v3.0
– Provide tools & knowledge for development
– Testing infrastructure
• Application verifier for new apps
• Application analyser tool (inventory)
Newsgroup – microsoft.public.win32.programmer.tools
Application Analyser
Session Summary
• Active Directory migration is simple with a little
planning
• More mature tools available to move core
Infrastructure services
• Application Compatibility Mode can help push
back costly upgrades
• Virtual Server (and VSMT) can allow you to
continue using legacy LOB applications under
their original environments
For More Information…
• Visit TechNet at
www.microsoft.com/technet
• Infrastructure Special Interest Group – Register at
TechNet Lounge
– http://www.microsoft.com/australia/technet
• FREE: Active Directory Jigsaw and Migration
Roadmap Posters