DEP313 Active Directory Restructuring with ADMT v-2 Lothar Zeitler Snr. Consultant Microsoft Services Germany

  • DEP313: Active Directory Restructuring with ADMT v-2
    Lothar Zeitler, Snr. Consultant, Microsoft Services Germany

  • Agenda
    Restructuring scenarios
    ADMT v-2
    Restructuring process
      Inter-Forest migration
      Intra-Forest migration
    Summary

  • What is Restructuring
    Process that moves users between domains
    Domains can be in different forests or in the same forest
    Single users, an organizational unit or an entire domain
    Includes moving additional objects with the users
      Groups needed to access resources
      Workstations
      Resource servers

  • Restructuring Scenarios
    Mergers and Acquisitions / Spin-offs
      One-off project
    Multi-forest deployments
      User moves happen on a regular basis
    Collapsing domains to reduce the number of domains
      E.g., after a network upgrade

  • Inter-forest vs. Intra-forest
    (diagram: Source and Target domains)

  • Restructuring: Alternative Solutions
    Multi-forest deployment
      Two or more forests with user accounts and resources
      Resource access through trust relationships
      GC synchronization through MMS
      Separate or unified DNS namespace
    Easier with Windows 2003
      Cross-forest trusts
      Kerberos between forests
      UPN routing
      DNS: conditional forwarding
    Synchronized Exchange forests
      Exchange resource forest
      Migrate Exchange mailboxes only

  • Restructuring vs. Multi-Forest
    Reasons for restructuring
      M&A: IT of acquired company fully integrated
      Long-term acquisition
      High level of collaboration required
      Spin-off from single forest deployment
      Lowering TCO for AD deployment
    Reasons for multi-forest deployment
      Independent IT organizations
      M&A: Results in independent business unit
      Acquisition might not be long term
      Collaboration might be restricted to messaging and calendaring
      Avoid higher cost attached to restructuring
    Review Chapter 2 of the Windows 2003 Deployment Kit

  • Business Goals for Restructuring
    No service impact
    Little end-user impact
    Roll-back plan
    Low TCO for the restructuring operation

  • ADMT v-2 Overview
    Single tool to perform all migration operations
      User, group, computer moves
      Security translations
      Profile translations
    Multiple user interfaces
      Graphical wizards
      Scripting interface
      Command line interface
    Password migration
    New delegation model
    Attribute exclusion list
    SID mapping file for security translations
    And many more

  • User Migration Background
    User Security ID (SID) tied to domain
    SID used to grant access to resources
    Most resource access happens through group memberships
      User accounts grouped in Global Groups
      Local Groups protect resources
      Global Groups added to Local Groups to grant access rights to the resource
      Local Groups store SIDs of Global Groups
    Business goal: preserve user access to resources
      SID history accomplishes this
      SIDs need to be migrated for users and groups

  • How sIDHistory Works
    (diagram: Bob's account migrated from HB-ACCT-ROW to hb-acct, accessing resource server HB-RES-MEM; HB-RESWC-WS1)
    Bob's access token on HB-RES-MEM:
      User: hb-acct\Bob SID
      Groups: HB-ACCT-ROW\Bob (from sIDHistory), HB-RES-MEM\TechEditors SID
    sIDHistory of hb-acct\Bob: HB-ACCT-ROW\Bob

  • User Moves: Profiles
    Local profiles
    Roaming profiles
    Options for profile management
      Unmanaged
      Roaming profiles
      Migrate local profiles
      Combine migration with hardware refresh

  • Migration Scenario
    (diagram)
    Starfleet: Starfleet.com, SanFrancisco.Starfleet.com, DS9.Starfleet.com
    Delta Quadrant: DeltaQ.com, Voyager.DeltaQ.com
    Step 1: Create target domains
    Step 2: Migrate users and resources
    Step 3: Decommission source domains / forest


  • User Migration with SID History demo

  • SID Filtering
    Risk
      Trusted domain DC returns SIDs during authentication
      Trusting domain DC accepts all SIDs
      Cannot check that SIDs are legitimate
    Attack needs
      Service admin rights in the trusted forest, or
      Physical access to a domain controller in the trusted forest
    Solution: SID filtering
      System builds an authoritative list of domain SIDs
      Authentication
        Fail authN if the user's account domain is NOT in the list
        Remove SIDs that are not relative to a domain in the list
      Configurable on all trust relationships

  • When to use SID Filtering
    Steady-state multi-forest deployment
      If the reason for the multi-forest deployment is data or service isolation, use SID Filtering
      If the forests are managed by the same administrators, or the DCs are located in the same locations, SID Filtering does not provide additional value
    Mergers and Acquisitions
      Usually admin staff from one forest takes over the other forest
      No more requirement for security isolation
      No need for SID Filtering

  • Migration And SID Filtering
    (diagram: cross-forest trust between Fabrikam, Inc. and Contoso, Ltd.; sIDHistory filtered)
    Fabrikam, Inc.: corp.fabrikam.com, mf.corp.fabrikam.com, rd.corp.fabrikam.com
    Contoso, Ltd.: corp.contoso.com, na.corp.contoso.com, ap.contoso.corp.com, jpn.ap.contoso.corp.com
    Solution 1: Disable SID filtering on the cross-forest trust
    Solution 2: External trust
    Solution 3: Perform security translation on the resource
    Solution 4: Migrate resources with users (closed set)
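To make the mechanics on the "How sIDHistory Works", "SID Filtering" and "Migration And SID Filtering" slides concrete, here is an added Python model. It is not code from the TechEd deck or from ADMT: it builds Bob's token from his new SID plus sIDHistory, applies SID filtering on the trust the way the slides describe it (fail the logon if the account domain is not in the authoritative list, drop every SID from a domain outside the list), and shows why Solution 1 (no filtering) and Solution 3 (security translation on the resource) both restore access. The domain SIDs, the RIDs for Bob and TechEditors, and the group membership are constructed for the example; only the domain and group names follow the slides.

```python
"""Added example (not from the deck or from ADMT): sIDHistory-based access
and the effect of SID filtering on a cross-forest trust.
Every SID below is constructed for illustration."""
from dataclasses import dataclass, field

# Constructed domain SIDs, named after the domains on the sIDHistory slide.
HB_ACCT_ROW = "S-1-5-21-1111-1111-1111"   # old account domain (source forest)
HB_ACCT = "S-1-5-21-2222-2222-2222"       # new account domain (target forest)
HB_RES_MEM = "S-1-5-21-3333-3333-3333"    # resource domain

BOB_OLD = HB_ACCT_ROW + "-1001"       # HB-ACCT-ROW\Bob (constructed RID)
BOB_NEW = HB_ACCT + "-1005"           # hb-acct\Bob, migrated with ADMT
TECH_EDITORS = HB_RES_MEM + "-1100"   # local group protecting the share


def domain_of(sid):
    """Drop the RID: S-1-5-21-x-y-z-RID -> S-1-5-21-x-y-z."""
    return sid.rsplit("-", 1)[0]


@dataclass
class Account:
    sid: str
    sid_history: set = field(default_factory=set)


def authenticate(account, trusted_domains, sid_filtering):
    """SIDs the trusting DC accepts from the trusted DC for this logon.
    Without filtering every returned SID is accepted. With filtering the
    logon fails when the account domain is not in the authoritative list
    of the trusted forest's domains, and every SID from a domain outside
    that list (sIDHistory entries included) is removed."""
    returned = {account.sid} | account.sid_history
    if not sid_filtering:
        return returned
    if domain_of(account.sid) not in trusted_domains:
        raise PermissionError("account domain is not part of the trusted forest")
    return {s for s in returned if domain_of(s) in trusted_domains}


def build_token(accepted, local_groups):
    """The resource server adds each local group whose members overlap the
    token; repeat until stable so nested local groups are picked up too."""
    token = set(accepted)
    grown = True
    while grown:
        grown = False
        for group, members in local_groups.items():
            if group not in token and members & token:
                token.add(group)
                grown = True
    return token


def has_access(token, acl_allow):
    """Access is granted when any token SID appears in the allow ACL."""
    return bool(token & acl_allow)


def translate_security(local_groups, sid_map):
    """Solution 3 on the slide: rewrite old SIDs on the resource side (here the
    local group membership) to the migrated SIDs, as ADMT's security
    translation with a SID mapping would."""
    return {g: {sid_map.get(m, m) for m in members}
            for g, members in local_groups.items()}


# Resource side: TechEditors still lists Bob's OLD SID; the share allows TechEditors.
LOCAL_GROUPS = {TECH_EDITORS: {BOB_OLD}}
SHARE_ACL = {TECH_EDITORS}
bob = Account(BOB_NEW, {BOB_OLD})


def access_via_trust(sid_filtering, local_groups=LOCAL_GROUPS):
    """Bob logs on in hb-acct; HB-RES-MEM's trust lists only the new forest's domain."""
    try:
        accepted = authenticate(bob, {HB_ACCT}, sid_filtering)
    except PermissionError:
        return False
    return has_access(build_token(accepted, local_groups), SHARE_ACL)


if __name__ == "__main__":
    print("no SID filtering, sIDHistory honoured:", access_via_trust(False))
    print("SID filtering on, sIDHistory stripped:", access_via_trust(True))
    fixed = translate_security(LOCAL_GROUPS, {BOB_OLD: BOB_NEW})
    print("SID filtering on, after security translation:", access_via_trust(True, fixed))
```

The model deliberately keeps the filtering decision on the trusting side, where the slide places it: the trusted DC returns whatever SIDs the account carries, and only the trusting DC's domain list decides what survives.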


  • Migration with SID Filtering demo

  • Process for Large Scale Migrations
    Large migrations require planning
    Special care for local profile migration
      Users should not log on with the new account before the local profile is migrated
      Workstation should be in the same domain as the user
      Smartcard logons, wireless networks
    Synchronize group policies
      Application deployment
      Client side caching

  • Restructuring Process Inter Forest
    (process diagram, built up over several slides)

  • Restructuring Process Inter Forest: Migrating Users without SID Filtering between Forests

  • Restructuring Process Inter Forest: Migrating Users with SID Filtering between Forests

  • Intra Forest Restructuring
    Example: Reducing the number of domains in a forest
    Different from Inter Forest restructuring
      Object moved instead of copied
      Different APIs used
        Inter-forest: New object is created
        Intra-forest: LDAP_move() moves the existing object

  • Restructure Comparison: Inter-forest vs. Intra-forest
    Inter-forest migration is like object cloning
      Non-destructive
      Source object still exists = fallback
      Incremental migration straightforward
      Preserves old SID in sIDHistory
      Doesn't preserve GUID (Windows 2000, XP)
      Multiple security principals with the same SID

  • Restructure Comparison: Inter-forest vs. Intra-forest
    Intra-forest migration is like an object move
      Destructive
      Source object moved = no fallback
      Incremental migration hard (closed sets)
      Preserves old SID in sIDHistory
      Preserves GUID
      Unique SID

  • Restructure Considerations Intra-forest
    Closed sets
      Resource access granted through groups: User -> GG -> LG -> resource
      Users and Global Groups must be in the same domain
      Resources and local groups must be in the same domain
    Migration tools support the scenario
      ADMT automatically changes a Global Group to a Universal Group if members are in different domains
      Universal Group automatically migrated back to a Global Group once all members are in the target domain
      Permissions on resources can be translated if resource and local group cannot be migrated together
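The closed-set rule on this slide is a graph problem: on the account side every user must move with the Global Groups it belongs to and with every other member of those groups, and on the resource side every local group must move with the resources that reference it and with the other local groups on those resources. The added Python below (not code from the deck or from ADMT) computes both components with one connected-component walk and then applies the Global/Universal scope rule from the slide to a partial batch and to a complete closed set. The users, groups, shares and domain names are constructed; the rule that a group's own domain counts alongside its members' domains is an assumption made so that "all members in the target domain" means the group is back in one domain.

```python
"""Added example (not from the deck or from ADMT): closed sets for an
intra-forest move and the Global -> Universal -> Global group scope rule.
All users, groups, resources and domain names below are constructed."""
from collections import defaultdict

# Constructed directory. Access path: user -> Global Group -> Local Group -> resource.
MEMBER_OF = {          # user -> global groups it belongs to
    "alice": {"GG-Sales"},
    "bob": {"GG-Sales", "GG-Eng"},
    "carol": {"GG-Eng"},
    "dave": {"GG-HR"},
}
GG_IN_LG = {           # global group -> local groups it is nested in (may cross domains)
    "GG-Sales": {"LG-SalesShare"},
    "GG-Eng": {"LG-EngShare", "LG-Printers"},
    "GG-HR": {"LG-HRShare"},
}
LG_ON_RESOURCE = {     # local group -> resources whose ACLs reference it
    "LG-SalesShare": {r"\\FS1\Sales"},
    "LG-EngShare": {r"\\FS1\Eng"},
    "LG-Printers": {r"\\PS1\Plotter"},
    "LG-HRShare": {r"\\FS2\HR"},
}


def invert(mapping):
    """Reverse a one-to-many mapping: value -> set of keys."""
    inv = defaultdict(set)
    for key, values in mapping.items():
        for value in values:
            inv[value].add(key)
    return inv


MEMBERS = invert(MEMBER_OF)          # global group -> its user members
LGS_ON = invert(LG_ON_RESOURCE)      # resource -> local groups on its ACL


def closed_set(seeds, forward, backward):
    """Connected component of the membership graph that contains `seeds`:
    everything that has to move in the same batch so that no user/GG edge
    (account side) or LG/resource edge (resource side) spans two domains."""
    result, todo = set(), list(seeds)
    while todo:
        node = todo.pop()
        if node in result:
            continue
        result.add(node)
        todo.extend(forward.get(node, ()))
        todo.extend(backward.get(node, ()))
    return result


def group_scope(gg, placement):
    """Scope rule from the slide: a Global Group whose members are spread over
    different domains is changed to Universal; once the group and all of its
    members sit in one domain again it is changed back to Global.
    (Counting the group's own domain is an assumption of this model.)"""
    domains = {placement[m] for m in MEMBERS[gg]} | {placement[gg]}
    return "Global" if len(domains) == 1 else "Universal"


def scopes_after_move(moved, source="old.example", target="new.example"):
    """Scope of every global group after the objects in `moved` went to the target domain."""
    placement = {obj: target if obj in moved else source
                 for obj in set(MEMBER_OF) | set(GG_IN_LG)}
    return {gg: group_scope(gg, placement) for gg in GG_IN_LG}


if __name__ == "__main__":
    batch = closed_set({"alice"}, MEMBER_OF, MEMBERS)
    print("account-side closed set for alice:", sorted(batch))
    print("resource-side closed set for LG-EngShare:",
          sorted(closed_set({"LG-EngShare"}, LG_ON_RESOURCE, LGS_ON)))
    print("partial move (alice + GG-Sales):", scopes_after_move({"alice", "GG-Sales"}))
    print("whole closed set moved:", scopes_after_move(batch))
```

Moving only alice and GG-Sales leaves bob in the source domain, so GG-Sales is flipped to Universal; moving the whole account-side closed set (alice, bob, carol and both groups) lets every group stay Global, which is the incremental-migration difficulty the comparison slides refer to.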

  • Intra-Forest Migration demo

  • Restructuring Process Intra-Forest
    (process diagram, built up over several slides)

  • Summary
    Evaluate options in M&A scenarios: restructure or multi-forest
    ADMT v-2 supports all restructuring tasks
    Inter-forest restructuring has easier fall-back
    Processes for large-scale restructurings documented in the Windows 2003 Deployment Kit
    ADMT v-2 on Windows 2003 CD
    Web download: http://www.microsoft.com/downloads/details.aspx?FamilyID=788975b1-5849-4707-9817-8c9773c25c6c&DisplayLang=en

  • Community Resources
    Community Resources: http://www.microsoft.com/communities/default.mspx
    Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
    Newsgroups: Converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
    User Groups: Meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx


  • 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

    TechEd 2002