Windows Server 2008 Ent Adm Lesson 4 Planning for Migration and Interoperability


Transcript of Windows Server 2008 Ent Adm Lesson 4 Planning for Migration and Interoperability

Lesson 4 - Planning for Migration and Interoperability
ITMT 2456 70-647

Designing support identity and access management components: Plan for domain or forest migration, upgrade, and restructuring. (Objective 3.1)
Designing support identity and access management components: Plan for interoperability. (Objective 3.4)

Migrating to Windows Server 2008 R2
Adding computers running Windows Server 2008 R2 to an existing Windows Server 2003 or Windows 2000 Server network as member servers does not require any special planning or preparation.

Migrating to Windows Server 2008 R2
However, if you are planning to upgrade existing servers to Windows Server 2008 R2, there are certain limitations. In-place upgrades to Windows Server 2008 R2 are permissible from Windows Server 2003 SP2, Windows Server 2003 R2, or Windows Server 2008, as long as the platform, architecture, edition, and language are the same. You can upgrade across editions only if the Windows Server 2008 R2 edition is the same as or higher than the edition it replaces.

Migration Paths
A directory service migration is the process that takes you from a source directory, that is, your current Active Directory infrastructure, to a target directory, which is a Windows Server 2008 R2 AD DS infrastructure. There are three possible migration paths from the source to the target, as follows:
Domain upgrade migration
Domain restructure migration
Upgrade-then-restructure migration

Selecting a Migration Path
One of the first steps in the planning process is to decide which migration path you want to use. Some of the criteria you should use to make that decision are as follows:
Design
Time
Budget
Productivity
Manpower

Migrating Objects
All migrations that include a domain restructuring require administrators to copy or move objects between domains, or possibly between forests. Active Directory Migration Tool (ADMT) is a free package from Microsoft that can migrate objects within or between forests, and includes a modeling mode that enables you to try out sample designs before committing to them.

Upgrading a Domain
To upgrade to Windows Server 2008 R2, you must modify the schema of your existing Active Directory installation:
Prepare the forest: adprep /forestprep
Prepare the domain: adprep /domainprep /gpprep
Then you can upgrade one of the domain controllers to Windows Server 2008 R2 or install a new Windows Server 2008 R2 domain controller.

Change Schema Master Dialog Box

Adprep /forestprep Command

Operations Master Dialog Box

Adprep /domainprep /gpprep Command
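Before the first Windows Server 2008 R2 domain controller is introduced, a practitioner wants proof that both adprep steps above actually completed. The following PowerShell check is an added example, not part of the lesson; it assumes the ActiveDirectory module (RSAT) and a reachable domain controller, and the expected values (schema objectVersion 47, domain revision 5) are the ones I assume for Windows Server 2008 R2, so confirm them against Microsoft's adprep documentation for your target release.

```powershell
# Added example (not from the lesson): verify that adprep /forestprep and
# adprep /domainprep have reached the Windows Server 2008 R2 levels.
# Assumes the ActiveDirectory module (RSAT) and a reachable domain controller.
Import-Module ActiveDirectory

$expectedSchemaVersion  = 47   # assumed objectVersion after 2008 R2 /forestprep
$expectedDomainRevision = 5    # assumed revision after 2008 R2 /domainprep

function Test-AdPrepLevel {
    param(
        [int]$ExpectedSchema = $expectedSchemaVersion,
        [int]$ExpectedDomain = $expectedDomainRevision
    )
    $rootDse = Get-ADRootDSE

    # Forest level: /forestprep raises objectVersion on the schema container.
    $schema   = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
    $schemaVer = [int]$schema.objectVersion

    # Domain level: /domainprep records its progress in this object's revision.
    $updateDn = 'CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,' + $rootDse.defaultNamingContext
    try {
        $domainRev = [int](Get-ADObject -Identity $updateDn -Properties revision).revision
    } catch {
        $domainRev = 0   # object absent: /domainprep has never run in this domain
    }

    [pscustomobject]@{
        SchemaVersion        = $schemaVer
        SchemaReady          = ($schemaVer -ge $ExpectedSchema)
        DomainRevision       = $domainRev
        DomainReady          = ($domainRev -ge $ExpectedDomain)
        ReadyForUpgrade      = ($schemaVer -ge $ExpectedSchema -and $domainRev -ge $ExpectedDomain)
        # adprep must be run on these role holders; shown so the operator knows where.
        SchemaMaster         = (Get-ADForest).SchemaMaster
        InfrastructureMaster = (Get-ADDomain).InfrastructureMaster
    }
}

Test-AdPrepLevel | Format-List
```

Run it once per domain; a ReadyForUpgrade value of False means the corresponding adprep command still has to be run on the role holder listed.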

Restructuring a Domain
As mentioned earlier, in a domain restructure migration, you create at least one new Windows Server 2008 R2 domain and copy or move your existing objects into it. Because you are moving objects individually, you can place them in different domains and organizational units, creating an entirely different AD DS hierarchy for your network. There are two basic types of domain restructure:
Interforest
Intraforest

Interforest Migration
In an interforest migration, you create a new Windows Server 2008 R2 forest (pristine forest). In this model, the source domain remains unmodified because the only connection between the source and the target domains is a trust relationship, and trusts can exist between forests using different versions of Windows Server.

Intraforest Migration In an intraforest migration, you create a new domain in the same forest as your source domain and copy or move objects between the two. However, you cannot create a Windows Server 2008 R2 domain in an existing Windows Server 2003 or Windows 2000 Server forest. Therefore, you must upgrade your existing forest to Windows Server 2008 R2 first, and then perform the restructure.

Performing an Interforest Migration
An interforest domain restructure migration does not require the schema preparation that a domain upgrade does, because you are not adding to or modifying the source domain in any way. The steps involved in performing the migration are:
Creating a pristine forest
Creating interforest connections
Installing Active Directory Migration Tool
Enabling auditing
Decommissioning the source domain

DNS Secondary Zones for Interforest Communication

Create Trusts Between Forests

Audit Policy Container

Order of Migration
To preserve all of the object attributes and to place all of the objects in the appropriate destinations, you must migrate the objects in the correct order, as follows:
1. Groups
2. Users
3. Computers

Migration Groups - Group Selection Page

Migration Groups - Object Properties Exclusion Page

Migration Groups - Conflict Management Page

Migration Groups - Migration Progress Page

Migrating Users Password Options

Understanding Cross-Forest Authentication Every object in an Active Directory or Active Directory Domain Services database has a unique security identifier (SID). AD DS uses SIDs internally to identify objects. No matter what migration tool or mechanism you use, when it creates new objects in your target domain, AD DS assigns new SIDs to them. The sIDHistory attribute contains all of the former SIDs by which the object has been known.
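Because sIDHistory is what lets a migrated account keep its old access, a defender should be able to enumerate which objects carry it and confirm every historical SID really comes from the source domain. This is an added example, not part of the lesson or of ADMT; it assumes the ActiveDirectory module, and the source domain SID is a placeholder you replace with the real value.

```powershell
# Added example (not from the lesson): report every object with sIDHistory
# and flag historical SIDs that do not belong to the expected source domain.
# Assumes the ActiveDirectory module; run against the target (2008 R2) domain.
Import-Module ActiveDirectory

function Get-SidHistoryReport {
    param(
        # Domain SID of the source domain, e.g. from (Get-ADDomain -Server <source>).DomainSID
        [Parameter(Mandatory)][string]$ExpectedSourceDomainSid
    )
    # Groups, users and computers all receive sIDHistory when migrated.
    $objects = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory

    foreach ($obj in $objects) {
        foreach ($sid in $obj.sIDHistory) {
            $sidText = [string]$sid                     # S-1-5-21-<domain>-<RID>
            # The domain part is everything before the final RID.
            $domainPart = $sidText.Substring(0, $sidText.LastIndexOf('-'))
            [pscustomobject]@{
                Name             = $obj.Name
                ObjectClass      = $obj.ObjectClass
                HistoricalSid    = $sidText
                FromSourceDomain = ($domainPart -eq $ExpectedSourceDomainSid)
            }
        }
    }
}

$sourceDomainSid = 'S-1-5-21-PLACEHOLDER-SOURCE-DOMAIN'   # placeholder: replace
Get-SidHistoryReport -ExpectedSourceDomainSid $sourceDomainSid |
    Where-Object { -not $_.FromSourceDomain } |
    Format-Table Name, ObjectClass, HistoricalSid -AutoSize
```

Any row the report prints is a historical SID from a domain other than the one you migrated from and should be explained before the source domain is decommissioned.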

Migrating Computers
After migrating your users and groups, you can proceed to migrate the computers other than the domain controllers in your source domain. Because the member servers and workstations in your source domain are actual physical resources, the migration process is somewhat more complicated than it is for logical objects, such as users and groups. Each migrated computer will require a reboot.

Migrating Computers - Translate Objects Page

Performing an Intraforest Migration An intraforest migration consists of both the domain upgrade and domain restructuring procedures described in this chapter. After upgrading your forest to Windows Server 2008 R2, you can restructure it by creating new domains and using ADMT to migrate your objects from source to target within the same forest.

Planning for Interoperability
Interoperability issues typically occur in two ways:
Users outside the organization have to access the enterprise network.
There are non-Windows computers inside the enterprise that have to access Windows resources.
Windows Server 2008 R2 includes a variety of tools that address these issues.

Active Directory Federation Services
Active Directory Federation Services (AD FS) is a service that can extend the boundaries of an AD DS environment to users in a partner enterprise. AD FS is an identity federation solution that is essentially a different type of trust relationship between two entities. A federation trust relationship enables one AD DS network to trust the user accounts in another AD DS network. This provides cross-forest authentication capabilities for the two enterprises. AD FS is a Windows Server 2008 R2 role that functions together with Active Directory Domain Services or Active Directory Lightweight Directory Services (AD LDS). To establish a federation partnership between two organizations, each must have an AD FS server with the Federation Service role service installed. Administrators then join these two servers together in a federation trust, which enables users in one enterprise to send authentication requests to resource servers in the other enterprise. The role services for the AD FS role are:
Federation Service: The primary AD FS service that authenticates users and issues them security tokens.
Federation Service Proxy: An intermediate service, located on a perimeter network, that provides secured Internet access to the Federation Service on an internal server.
AD FS Web Agents: Run on web servers hosting various types of applications, processing the security tokens generated by the Federation Service.

The Account Partner The AD FS architecture designates one side of the federation as the account partner and the other side as the resource partner. The account partner requires a server running the Federation Service role service, which in turn requires access to the AD DS or AD LDS directory.

The Account Partner Side of an AD FS Federation

Federation Claims
Because the account partner side is where the users are located, the Federation Service on that side is responsible for authenticating the users against the AD DS or AD LDS database. The service also gathers federation claims, which are certain agreed-upon attributes from the user accounts, such as group memberships, and packages them in a security token, which it sends to the resource partner.

Resource Partner
The resource partner side of the federation contains the same basic components (an internal server running the Federation Service role service and a perimeter server running the Federation Service Proxy role service), but the tasks they perform are slightly different. When the Federation Service receives the security token from the account partner, it first confirms that the partner is trusted. Part of the configuration process on both sides of the federation consists of identifying the other partner and the account store or resource involved in the trust.

The Resource Partner Side of an AD FS Federation

Federated Web Server A federated web server has one of the AD FS web agents installed on it, which takes the form of an ISAPI extension in IIS. The web agent is the consumer of the security tokens generated by the resource partner Federation Service, granting the user the access specified by the claims in the token. Windows Server 2008 R2 includes two web agents: one for current applications that know how to handle claims and one for applications that are not claims-aware.

Active Directory Lightweight Directory Services Active Directory Lightweight Directory Services (AD LDS) is essentially a subset of Active Directory Domain Services that provides basic services for directory-enabled applications that do not require a full domain and forest infrastructure. AD LDS is included with the Standard, Enterprise, and Datacenter versions of Windows Server 2008 R2, using the Full or Server Core installation option.

Planning UNIX Interoperability
Windows Server 2008 R2 includes a number of roles and features that enable computers running UNIX operating systems to interact with Windows services, and enable computers running Windows to access UNIX services.

Services for Network File System In the UNIX world, standard file sharing is done with the Network File System (NFS). As a result of this open standard, virtually all UNIX distributions available today include both NFS client and server support. To accommodate organizations that have heterogeneous networks containing both Windows and UNIX computers, Windows Server 2008 R2 includes the Services for Network File System role service, which provides NFS Server and NFS Client capabilities.

Creating NFS Shares
When you install the Services for Network File System role service in the File Services role, the system adds an NFS Sharing tab to every volume and folder on the computer's drives. To make a volume or folder accessible to NFS clients, you must explicitly share it, just as you would for Windows network users.

NFS Sharing Tab of a Folder's Properties Sheet

Obtaining User and Group Information
UNIX operating systems have their own user accounts, separate from those in Windows and AD DS. To prevent NFS clients running on UNIX systems from having to perform a separate logon when accessing NFS shares, the Windows Server 2008 R2 NFS Server implementation can look up the user information sent by the client and associate the UNIX account with a particular Windows account. In UNIX, when a user successfully authenticates with an account name and password, the operating system assigns him or her a user identifier (UID) value and a group identifier (GID) value. The NFS client includes the UID and GID in the file access request messages it sends to the NFS server. NFS Server supports two mechanisms for obtaining user and group information, as follows:
Active Directory lookup
User Name Mapping

UNIX Attributes Tab of a User Object's Properties Sheet
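With Active Directory lookup, the UID and GID an NFS client sends are matched against the uidNumber and gidNumber values set on the UNIX Attributes tab, so two accounts sharing one UID become indistinguishable to the NFS server, and an account carrying UID 0 maps the UNIX root identity to a Windows account. The audit below is an added example, not part of the lesson or of Services for NFS; it assumes the ActiveDirectory module.

```powershell
# Added example (not from the lesson): audit the uidNumber/gidNumber values
# that Active Directory lookup uses to map NFS clients to Windows accounts.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-UnixIdMappingIssues {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $users  = Get-ADUser  -LDAPFilter '(uidNumber=*)' -SearchBase $SearchBase -Properties uidNumber, gidNumber
    $groups = Get-ADGroup -LDAPFilter '(gidNumber=*)' -SearchBase $SearchBase -Properties gidNumber

    # Two users with the same uidNumber: the NFS server cannot tell them apart.
    foreach ($g in ($users | Group-Object -Property uidNumber | Where-Object { $_.Count -gt 1 })) {
        [pscustomobject]@{
            Issue    = 'Duplicate uidNumber'
            Value    = $g.Name
            Accounts = ($g.Group | ForEach-Object { $_.SamAccountName }) -join ', '
        }
    }

    # Two groups with the same gidNumber: group-based NFS permissions become ambiguous.
    foreach ($g in ($groups | Group-Object -Property gidNumber | Where-Object { $_.Count -gt 1 })) {
        [pscustomobject]@{
            Issue    = 'Duplicate gidNumber'
            Value    = $g.Name
            Accounts = ($g.Group | ForEach-Object { $_.SamAccountName }) -join ', '
        }
    }

    # uidNumber 0 is the UNIX root identity; any Windows account carrying it
    # will be treated as root by NFS clients, so it deserves a deliberate decision.
    foreach ($u in ($users | Where-Object { [int]$_.uidNumber -eq 0 })) {
        [pscustomobject]@{
            Issue    = 'uidNumber 0 (root) mapped to Windows account'
            Value    = '0'
            Accounts = $u.SamAccountName
        }
    }
}

Get-UnixIdMappingIssues | Format-Table -AutoSize
```

An empty result means every UNIX UID and GID in the domain maps to exactly one Windows principal and no account is presented to NFS clients as root.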

Identity Management for UNIX While Services for NFS is designed to provide UNIX clients with access to Windows resources, Identity Management for UNIX is a role service of the Active Directory Domain Services role that is intended to integrate computers running Windows into a UNIX infrastructure.

Network Information Services
Network Information Service (NIS) is a directory service that many UNIX distributions use as a repository for user and group information. Unlike AD DS, NIS is a simple directory that is neither hierarchical nor object-oriented. The Server for Network Information Services role service enables an AD DS domain controller running Windows Server 2008 R2 to assume the role of the master NIS server for your network, presumably replacing a UNIX server.

NIS Data Migration Wizard

Password Synchronization
UNIX systems maintain their own user accounts, separate from those in AD DS and on standalone Windows servers. For enterprises with users that must access both Windows and UNIX resources, maintaining these accounts in synchrony can require a great deal of administrative effort. The Password Synchronization role service automates this task by detecting password changes in AD DS or Windows and sending those changes to selected UNIX systems using encrypted messages. After adding the role service, you can add UNIX computers in the Microsoft Identity Management for UNIX console.

Add Computer Dialog Box for Password Synchronization

Password Synchronization
The Password Synchronization role service provides the Windows side of the service, but you must also install the correct components on your UNIX systems before synchronization can occur. To synchronize passwords on UNIX computers with changes to Windows user accounts, you must install the Password Synchronization daemon on the UNIX systems.

You Learned
In-place upgrades to Windows Server 2008 R2 are permissible from Windows Server 2003 SP2, Windows Server 2003 R2, or Windows Server 2008, as long as the platform, architecture, edition, and language are the same.
In a domain upgrade migration, you either upgrade one of the existing domain controllers in your source domain to Windows Server 2008 R2 or install a new domain controller running Windows Server 2008 R2 into the domain.
An upgrade-then-restructure migration is a two-phase process in which you first upgrade your existing forest and domains to Windows Server 2008 R2 and then restructure the AD DS database by migrating objects into other domains within the same forest.
In an interforest migration, you create a new Windows Server 2008 R2 forest, called a pristine forest because it is in no way an upgrade from your existing directory, and copy or move objects from your source domain into it.
In an intraforest migration, you create a new domain in the same forest as your source domain and copy or move objects between the two.
Active Directory Migration Tool is a wizard-based utility that enables you to perform both interforest and intraforest migrations.
Interoperability issues typically occur in two ways: either users outside the organization have to access the enterprise network, or there are non-Windows computers inside the enterprise that have to access Windows resources.
Active Directory Federation Services is an identity federation solution that enables one AD DS network to trust the user accounts in another AD DS network. The administrators on the account partner side designate an AD DS or AD LDS directory as the account store and maintain the user accounts that require access to the resources hosted by the resource partner.
The resource partner side of the federation contains the same basic components as the account partner, but the Federation Service receives the security token from the account partner, confirms that the partner is trusted, and creates another token for the web server hosting the application.
AD LDS is essentially a subset of Active Directory Domain Services that provides basic services for directory-enabled applications that do not require a full domain and forest infrastructure.
To accommodate organizations that have heterogeneous networks containing both Windows and UNIX computers, Windows Server 2008 R2 includes the Services for Network File System role service, which provides NFS Server and NFS Client capabilities. An NFS server exports part of its file system, and the NFS client integrates the exported information into its own file system, a process called mounting.
Identity Management for UNIX is a role service of the Active Directory Domain Services role that is intended to integrate computers running Windows into a UNIX infrastructure.
Network Information Service (NIS) is a directory service that many UNIX distributions use as a repository for user and group information. Unlike AD DS, NIS is a simple directory that is neither hierarchical nor object-oriented.