Post on 02-Feb-2016
Windows Server 2003
Migrating from Windows NT 4.0 to Windows Server 2003
Speaker: Corrado.Cappucci@pipeline.it
MCSE - MCT
Upgrading Domains
The Domain Upgrade Process
A domain upgrade:
- Upgrades a PDC to Windows Server 2003 and Active Directory
- Maintains existing users, groups, computers, and applications
The process:
- Prevent domain controller overload
- Upgrade the PDC to Windows Server 2003
- Install and configure DNS
- Install Active Directory
- Verify domain controller operations
- Upgrade Windows NT 4.0 BDCs
Effects of a Domain Upgrade on Groups
Forest and domain functional levels | Local | Global | Domain Local | Universal
Windows NT 4.0 (original domain)
Windows 2000 Mixed (allows multiple operating systems)
Windows 2000 Native (allows multiple operating systems)
Windows Server 2003 Interim
Windows Server 2003
Effects of a Domain Upgrade on Trust Relationships
To protect resource security:
1. Audit memberships in all administrative groups
2. Review DACLs for important resources
[Diagram: Windows NT 4.0 Domains (Res1, Acct1, Acct2; one-way non-transitive trusts) -> Upgrade -> Windows Server 2003 Domains (Forest Root, Res1, Acct1, Acct2; two-way transitive trusts)]
Implications of Upgrading a PDC
What happens during a PDC upgrade?
- The forest functional level can be set at either:
  - Windows 2000 mixed
  - Windows Server 2003 interim
- Security level permissions are set at either:
  - Permissions compatible with pre-Windows 2000
  - Permissions compatible only with Windows 2000 or Windows Server 2003
- The upgraded PDC holds the PDC emulator operations master role
How to Upgrade a Windows NT 4.0 PDC
To upgrade a PDC:
- Select Upgrade for the installation type
- Verify that you are using a static IP address
- Configure DNS client settings
- Configure partitions as NTFS
- Install Active Directory
Best practice to add additional domain controllers:
1. Add a newly installed domain controller
2. Transfer operations master roles
3. Reformat disk on upgraded domain controller and perform a clean installation
4. Transfer back any operations master roles
Process minimizes adverse effects from any corrupted data on the PDC prior to upgrade
How to Verify Domain Controller Operations
To verify Active Directory is functional:
- Verify trust relationships
- Verify new user accounts can be created
- Verify new user object replication
- Verify successful logon
At this point a complete recovery is still possible without any data loss
Diagnostic tools:
- Use dcdiag.exe to verify the Active Directory service
- Use Repadmin.exe /showreps to verify the parent domain
- Use nltest.exe /bdc_query:domainname to verify the BDC replication status
How to Develop a Recovery Plan for a Domain Upgrade
Recovery plan: Details steps to roll back directory services migration
Rollback strategy: A plan to return production environment to the state before changes
Recovery tasks:
- Remove all computers running Windows Server 2003
- Promote the offline BDC to a PDC
To ensure that a domain can be rolled back:
- Add a BDC to any domain that contains only a single domain controller
- Document configuration of services and applications
- Back up all services and applications to tape
- Synchronize all BDCs with PDC
- Take a fully synchronized BDC offline before upgrades are performed
- Periodically start protected BDC while still in Windows 2000 mixed domain
How to Prevent the Domain Controller from Overloading
Overload occurs when too many client computers request authentication from too few domain controllers
1. On the domain controller to be upgraded, browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
2. Add the REG_DWORD entry NT4Emulator with the value 1
3. Repeat the procedure on each domain controller
4. After additional domain controllers have been added, set the value of the NT4Emulator registry key to 0, or delete the key
How to Neutralize Windows NT 4.0 Domain Controller Emulation
The Active Directory installation will fail if the domain controller is configured to prevent domain controller overload
1. On the client computer, browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
2. Change the DWORD value
3. Use NeutralizeNT4Emulator for the new entry name
4. Double-click the new entry name
5. In the Edit DWORD Value dialog box, type 1
6. Click Registry, and then click Exit
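Added example (not part of the original slides): an offline check of .reg exports of the Netlogon\Parameters key, covering both the NT4Emulator procedure and the NeutralizeNT4Emulator procedure above. The host names, the role labels 'dc' and 'promote', and the sample exports are constructed assumptions; the input is the already decoded text of each export.

```python
import re

NETLOGON = r"hkey_local_machine\system\currentcontrolset\services\netlogon\parameters"

def netlogon_dwords(reg_text):
    """Return {lowercased value name: int} for DWORDs under the Netlogon Parameters key."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key and value names are case-insensitive.
            in_key = line[1:-1].lower() == NETLOGON
        elif in_key:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
            if m:
                values[m.group(1).lower()] = int(m.group(2), 16)
    return values

def audit(exports, more_dcs_added):
    """exports: {host: (role, reg_text)}; role is 'dc' or 'promote' (hypothetical labels)."""
    parsed = {h: (role, netlogon_dwords(text)) for h, (role, text) in exports.items()}
    emulating = {h for h, (role, v) in parsed.items()
                 if role == "dc" and v.get("nt4emulator", 0) == 1}
    findings = []
    for host, (role, v) in sorted(parsed.items()):
        if role == "dc" and host in emulating and more_dcs_added:
            findings.append((host, "NT4Emulator still 1: set it to 0 or delete it"))
        elif role == "dc" and host not in emulating and not more_dcs_added:
            findings.append((host, "NT4Emulator not 1: overload protection is off"))
        elif role == "promote" and emulating and v.get("neutralizent4emulator", 0) != 1:
            findings.append((host, "NeutralizeNT4Emulator not 1: Active Directory installation will fail"))
    return findings

# Constructed sample exports (not from the original page).
_KEY = "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters]\n"
SAMPLE = {
    "DC01": ("dc", "REGEDIT4\n\n" + _KEY + '"NT4Emulator"=dword:00000001\n'),
    "DC02": ("dc", "REGEDIT4\n\n" + _KEY),
    "SRV03": ("promote", "REGEDIT4\n\n" + _KEY + '"NeutralizeNT4Emulator"=dword:00000000\n'),
    "SRV04": ("promote", "REGEDIT4\n\n" + _KEY + '"neutralizent4emulator"=dword:00000001\n'),
}

if __name__ == "__main__":
    for host, msg in audit(SAMPLE, more_dcs_added=False):
        print(host, "-", msg)
```

Run it with more_dcs_added=True once the additional domain controllers are in place, so that any domain controller still emulating Windows NT 4.0 is reported.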
How to Add Additional Domain Controllers
Process for upgrading a Windows NT 4.0 BDC:
1. Upgrade operating system to Windows Server 2003
2. Run the Active Directory Installation Wizard
Add additional domain controllers for fault tolerance and load balancing
Options:
- Add new servers running Windows Server 2003 to the domain and then install Active Directory
- Take a Windows NT 4.0 BDC offline, reformat hard disk, then install Windows Server 2003 and Active Directory
- Upgrade a Windows NT 4.0 BDC to Windows Server 2003
How to Complete the Upgrade
To complete the domain upgrade:
1. Reconfigure the DNS service
2. Add Windows NT 4.0 BDCs to the domain if necessary
3. Eliminate anonymous connections to domain controllers
4. Raise domain and forest functional levels
5. Move users and computers to an OU