Post on 13-Dec-2015
Migrating to Windows 2000 in a Large Environment
• Background of Active Directory
• DNS in Windows 2000
• Migrating from WINS to DNS
• Consolidating NT4 Domains
• Conducting a Phased Migration
• Next Generation MS-Exchange
Microsoft Directory Evolution

Windows NT user directory (now):
• Single enterprise logon
• Central management
• Replicated / partitioned

Microsoft Exchange Server directory (now):
• E-mail names and rich attributes
• X.500 naming
• MAPI, LDAP support
• Scalable to “millions”

Windows 2000 (coming):
• Integrated DNS, X.500
• Deep integration with OS security
• More standard support: X.500 DAP/DSP, ADSI, OLE/dB, etc.
• Scalable to millions
What is Active Directory?

The Windows 2000 directory service. Active Directory has:
• A hierarchical, flexible namespace
• Partitioning for scalability
• Multi-master replication
• Dynamic extensibility
• Open and extensible directory synchronization interfaces
• Lightweight Directory Access Protocol (LDAP) as the core protocol for interoperability
AD Terminology
• Namespace
• Name
• Domain
• Organizational Units (OUs)
• Tree
• Sites
• Global Catalog
• Schema

Differentiation: Administration Designators vs Replication Designators
Creating Administrative Structures
1. First I create my “Domain” and give it an organization name
2. Then I create Organizational Units within this domain to distribute administration
3. I then create users within the Organizational Units where they belong
4. Finally I group the users so I can more easily set policies for the group
(Diagram: Domain → Organizational Units → Users and Groups)
Enterprise is Made of Domains
• Domains can be linked by trust
• Domains can be related by name
• Both X.500 and DNS naming, e.g.:
  DC=MyCorp,DC=Com
  DC=Dev,DC=MyCorp,DC=Com
  whatever.edu
  whatnot.whatever.edu
(Diagram: a DNS-rooted tree with com → inacom (Domain: inacom.com) and microsoft (Domain: microsoft.com); edu → berkeley (Domain: berkeley.edu) containing courses, PoliSci and students, with users AArney, KBryant, BSmith, RJones)
Active Directory global namespace = DNS + LDAP directories
Windows 2000 DNS Management Services

Planning Your DNS Strategy
Active Directory is integrated with Domain Name System (DNS). Therefore, it is important to:
• Determine which DNS server to use
• Determine your DNS root
DNS Server Options
• Implement Microsoft DNS exclusively
• Implement Microsoft DNS as a delegated sub-domain
• Use an existing DNS server
Implement Microsoft DNS Exclusively
Benefits:
• Tight integration with Active Directory
• Supports the extended character set, Unicode
• Not dependent on existing DNS servers
• Will co-exist with other DNS servers
• Supports multi-master replication
Implement Microsoft DNS as a Delegated Sub-domain
Benefits:
• Requires no upgrade of any existing DNS servers
• Utilizes existing DNS infrastructure
• Minimizes dependency of Active Directory on existing DNS servers
Use a Non-Microsoft DNS Server
Benefits:
• Does not require replacing existing DNS servers
• No DNS changes required
Existing DNS Server
To support Active Directory, a DNS server:
• Must support the SRV RR defined by RFC 2052
• Should also support:
  • The Dynamic Update Protocol (RFC 2136)
  • Incremental Zone Transfers (RFC 1995)
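An added check for the SRV requirement above (example code, not from the slides): it parses RFC 2052 SRV records out of a BIND-style zone fragment and reports which locator owner names a zone is missing. The `_ldap._tcp` and `_kerberos._tcp` service names are the ones Windows 2000 domain controllers register, which the slides do not spell out, and the zone text is constructed.

```python
# Added example (not from the original slides): parse RFC 2052 SRV records from a
# zone fragment and check for the locator records Active Directory clients look up.
# The zone text below is constructed sample data.

ZONE = """\
; constructed sample zone for tailspintoys.com
_ldap._tcp.tailspintoys.com.      600 IN SRV 0 100 389 dc1.tailspintoys.com.
_ldap._tcp.tailspintoys.com.      600 IN SRV 0 100 389 dc2.tailspintoys.com.
_kerberos._tcp.tailspintoys.com.  600 IN SRV 0 100 88  dc1.tailspintoys.com.
dc1.tailspintoys.com.             600 IN A   10.0.0.11
"""


def parse_srv_records(zone_text):
    """Return {owner_name: [(priority, weight, port, target), ...]} for SRV RRs.

    Field layout follows RFC 2052: name TTL class SRV priority weight port target.
    Non-SRV records and comments are skipped; out-of-range fields are rejected.
    """
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
            continue                                   # not an SRV record
        name = fields[0].lower().rstrip(".")
        prio, weight, port = (int(fields[i]) for i in (4, 5, 6))
        if not all(0 <= v <= 65535 for v in (prio, weight, port)):
            raise ValueError(f"SRV field out of range: {line}")
        target = fields[7].lower().rstrip(".")
        records.setdefault(name, []).append((prio, weight, port, target))
    return records


def missing_locator_records(zone_text, domain, services=("_ldap._tcp", "_kerberos._tcp")):
    """List the '_service._proto.domain' SRV owner names absent from the zone.

    An empty list means the zone can serve the locator lookups for that domain.
    """
    srv = parse_srv_records(zone_text)
    wanted = [f"{s}.{domain.lower().rstrip('.')}" for s in services]
    return [name for name in wanted if name not in srv]
```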
Multiple Domains/Trees
• Sometimes it is necessary to have more than one domain
• Multiple domains with a contiguous name space are referred to as trees
Example tree:
  tailspintoys.com
    europe.tailspintoys.com
      marketing.europe.tailspintoys.com
Forest Definition
One or more Windows 2000 trees that:
• Do not form a contiguous namespace
• Share a common schema, config., Global Catalog
• Trust each other (all trees in a forest)
• Do not need a distinct name
Example forest of two trees:
  Microsoft.Com
    PBS.Microsoft.Com
      NTDev.PBS.Microsoft.Com
  Softimage.Com
    Finance.Softimage.com
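The two naming forms on the "Enterprise is Made of Domains" slide and the tree/forest distinction above, worked as an added example (not code from the slides): convert between DNS names and the DC= form of an X.500 DN, decide whether one domain sits under another, and group a list of domains into the trees of a forest by name contiguity.

```python
# Added example (not from the original slides): Active Directory domain naming.
# A DNS name like Dev.MyCorp.Com and the DN DC=Dev,DC=MyCorp,DC=Com name the same
# domain; trees are found by checking which names sit under which.


def dns_to_dn(domain: str) -> str:
    """berkeley.edu -> DC=berkeley,DC=edu (the DC= form shown on the slides)."""
    labels = [lbl for lbl in domain.strip().rstrip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={lbl}" for lbl in labels)


def dn_to_dns(dn: str) -> str:
    """DC=Dev,DC=MyCorp,DC=Com -> Dev.MyCorp.Com; rejects non-DC components."""
    labels = []
    for part in (p.strip() for p in dn.split(",") if p.strip()):
        attr, _, value = part.partition("=")
        if attr.strip().upper() != "DC" or not value.strip():
            raise ValueError(f"not a domain component: {part!r}")
        labels.append(value.strip())
    return ".".join(labels)


def is_child_domain(child: str, parent: str) -> bool:
    """True when child lies (directly or indirectly) under parent in one namespace."""
    c, p = child.lower().rstrip("."), parent.lower().rstrip(".")
    return c != p and c.endswith("." + p)


def group_into_trees(domains):
    """Map each tree root to the sorted domains under it.

    Roots are domains with no parent in the list; roots that share no common
    name are separate trees, which together would form a forest.
    """
    names = {d.lower().rstrip(".") for d in domains}
    roots = [d for d in names if not any(is_child_domain(d, o) for o in names)]
    return {r: sorted(d for d in names if is_child_domain(d, r)) for r in roots}
```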
Integrated Security
• Safety: Authenticode, driver signing
• Authentication: private key/Kerberos, public key/X.509, NT4
• Protocol: SSL, IPSEC, RPC/DCOM
• Base: Crypto API, Encrypting File System, more auditing
Scenarios: single sign-on, private communication, secure business transactions, secure desktop
Active Directory: PK certificates, Kerberos keys
Goal of Windows 2000 for Enterprises: Reliability and Scalability
• Network Load Balancing
• Clustering
Goal of Windows 2000 for Enterprises: World Ready
• Multilingual user interface
• Same code runs anywhere
• Simultaneous support of multiple languages
• Single world-wide API
What Can be Done with NT4 in Anticipation of a Migration to Windows 2000
Consider Implementing NT4 Workstation Today
• Higher level of security
  • Ability to lock down workstation hardware configuration
  • Ability to create and manage set processes
• Ability to use global roaming profiles
  • Key to Intellimirror in Windows 2000
• Consolidated DLL model in Windows 2000
System Policies
Design, implement, and gain support for System Policies. Globally manage, for individuals, groups of users, or all users, the ability to:
• Change screen saver
• Change desktop background
• Add applications
• Purposely or accidentally delete applications
• Drop to DOS prompt
• Modify workstation configurations
Consolidate Domains
• Minimize resource domains
• Develop a structure that utilizes fewer domains
• Create a simplified trust model
• Document the enterprise hierarchy:
  • Server/host configurations
  • Segment addresses
  • Segment bandwidth
  • Trust and authentication process
Fastlane Technologies: DM/Manager
• Selectively move single or multiple users from any source domain to any target domain
• Flexible migration options
• Setting rules / policies for migration
Conduct Performance Analysis
• Evaluate client to server bandwidth demands
• Evaluate server to server bandwidth utilization
• Analyze server system utilization
• Conduct WAN bandwidth analysis
Bluecurve “Dynameasure” is recognized by Microsoft for capacity analysis and capacity planning (http://www.bluecurve.com)
(Chart: “Server CPU capacity is bottlenecked. All four server CPUs reach maximum throughput”)
Implement TCP/IP and SMTP as Core Communications Protocols
(Diagram: Site A and Site B connected over TCP/IP and SMTP)
Implement DNS (in addition to WINS, and in a Windows 2000 environment in place of WINS)
• WINS is needed for NetBIOS name resolution
• DNS is native in a complete Windows 2000 TCP/IP environment
Implement LDAP for Look-up
(Diagram: a client running Microsoft Management Console talks through ADSI, via wldap32.dll (LDAP) or the legacy NT4 APIs, to a Domain Controller whose SAM and Directory Service are exposed over LDAP; NT4 BDC replication runs alongside Windows 2000 multi-master replication; the directory back-ends shown are NW3 and NW4 over NCP, NT4 over the Net APIs, and NTDS over LDAP)
Create a Windows 2000 Deployment Team
Team includes:
• DNS decision makers (NT, UNIX, etc.)
• Hardware implementers and support personnel
• File/print and LAN/WAN decision makers
• Firewall and Internet security decision makers (Kerberos, X.509, etc.)
• Electronic messaging group
• Desktop support group (Intellimirror, Windows Scripting, Sysclone, SMS)
Migrating from NT4 to Windows 2000
• Migrating domain controllers
• Migrating servers
• Migrating users

Migration
• Any Windows NT domain model can be migrated easily to the Active Directory
• Mixed environments:
  • Fully supported
  • Look and act like Windows NT 4.0 domains
  • Migration to a domain tree is simple
Migration (Initial State)
Windows NT 4.x domain: one “PDC” and several BDCs

Migration (Step 1)
Upgrade the PDC to Windows 2000: the former “PDC” becomes a DC - GC, holding a domain replica and the global catalog

Migration (Step 2)
Upgrade the remaining Windows NT 4.x BDCs: each becomes a DC holding a domain replica

Migration (Final State)
“Native” domain: a DC - GC (domain replica and global catalog) plus DCs (domain replicas)
Migration: resource domains
• Can be upgraded in place and joined to the tree
• Can be replaced with OUs:
  • Convert in place
  • Join to tree
  • Create OU in parent domain
  • Drag resource domain contents into the OU
  • Delete the (empty) resource domain
Server Role In Windows 2000

Domain type               | PDC                                                  | BDC                             | Replica
Windows NT 4.0            | Only writeable copy                                  | Read-only copy                  | ---
Windows 2000              | Writeable copy; appears as PDC to downlevel clients  | ---                             | Writeable copy
Windows 2000 mixed domain | Only writeable copy (Windows NT 4.0 or Windows 2000) | Read-only copy (Windows NT 4.0) | Read-only copy (Windows 2000)
Next Generation: Microsoft Exchange 2000, codename “Platinum”
• Built on Windows 2000 Active Directory
• AD does Exchange administration
Utilizes Multiple Storage Groups:
• More than 1 MDB per server
• Smaller MDBs for easier backup/restore
• Separate MDB for NNTP and internal public folders
• Distribute DBs across multiple Storage Area Network (SAN) devices
• Distribute administration of DB management on a single server
Exchange Platinum Migration
• The Exchange server needs to be migrated, but not the whole organization
• Migration tools are included to migrate Exchange v5.5 to Platinum (users, org/site structure, mailboxes, public folders)
• The Active Directory Connector provides a link between non-Active Directory NOSs and Exchange Platinum (NT4, NDS, LDAP)
Migration to Exchange Platinum

Preparing for Exchange Platinum
• Upgrade to Exchange v5.5 (if you have not already done so)
• Replace Site Connectors with SMTP or X.400 Connectors using InterOrg Directory Replication
Questions?
Rand Morimoto, Inacom Oakland
internet: rand@inaoak.com, (510) 444-5700 ext. 100