In Place Windows NT 4.0 Upgrade
Mike Brannigan, Enterprise Strategy and Senior Consultant
V1.1
Agenda
• Why Upgrade from Windows NT 4.0 Domains to Windows 2003 Active Directory?
• In Place Upgrade
• Customer Experiences
• Not covering design (Domain, Forest, OU, Site..)
Why Upgrade from Windows NT 4.0 Domains to Windows Server 2003 Active Directory?
Why Upgrade from NT4 to Win2K3 AD?
• Technical Benefits
  • Deploy Directory enabled applications
    • Exchange 200x
    • ISA Server
    • Live Communications Server
    • Numerous 3rd party applications
  • Reduced Complexity
    • Fewer domains & trusts
    • Easier to apply policies
    • Easier to delegate administrative tasks within IT organisation (e.g. helpdesk not Domain Admin)
Why Upgrade from NT4 to Win2K3 AD?
• Increased security
  • Kerberos
  • Secure by Design, Deployment and Default
  • PKI / smartcard
  • Wireless network security
• More user self-service / delegated admin
  • Delegation
  • MMC
Why Upgrade from NT4 to Win2K3 AD?
• Business Benefits
  • Reduced Cost
  • Increased Security
  • Support business changes
  • Raise productivity
  • Be supportable
In Place Upgrade
• Benefits
  • Minimal migration effort for users, clients and servers
  • Preserves NetBIOS domain name
  • No need for SIDHistory / re-ACLing
  • No need to migrate mailboxes
• Disadvantages
  • Need to avoid “piling-on”
  • Perceived as higher risk (big bang)
  • Not the MCS preferred method when Windows 2000 was released
In Place Upgrade
• Preparation
  • Domain health checks & determine security settings
  • Check for services running as Localsystem
• Test
• Upgrade (typical approach is the “swing” upgrade)
  • Delegate DNS Zone for new root/child domain
  • Backup an old BDC and take offline
  • Install new NT4 BDC on new production hardware
  • Promote new BDC to PDC
  • Upgrade PDC to Windows 2003
• Rollback if needed
  • Take new PDC offline
  • Bring back old BDC
  • Promote to PDC
Preparation
• Security improvements change behaviour of Windows 2003 Server Domain Controllers
  • SMB signing and secure channel encryption enforced
  • Domain Controller access policies
• Adjustments needed for older clients
  • Windows NT 4.0 SP3 and higher, Windows 2000, XP clients work without adjustments
  • Win9x and Windows NT 4.0 pre-SP3 require changes to the default policies
    • Disable enforcement of SMB signing
    • Network access, allow anonymous SID look-up
Preparation
• Check for services running as local system on all member servers and workstations
  • Re-configure service to use user account, or
  • Upgrade server to Windows 2000 / 2003, or
  • Use “Enable downlevel access” in dcpromo
• E.g. RAS service
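One way to build the list the slide asks for, as an added example that is not from the presentation: query each member server and workstation over WMI for services whose logon account is LocalSystem, flag the ones the deck calls out (RAS), and write the result to a CSV for the change-freeze review. The computer names and the watch list are constructed placeholders; the script assumes RPC/WMI reachability and query rights on each host.

```powershell
# Added example, not part of the presentation: inventory services running as
# LocalSystem before the upgrade so each one can be re-pointed at a user
# account, moved to a Windows 2000/2003 host, or covered by the dcpromo
# "Enable downlevel access" (pre-Windows 2000 compatible access) option.
# Assumptions: WMI (RPC) reachable on each host with rights to query it;
# host names and the watch list below are constructed placeholders.

function Get-LocalSystemServices {
    param(
        [Parameter(Mandatory=$true)][string[]]$ComputerName,
        # Service names to flag; RemoteAccess is the RAS service the slide
        # mentions, the others are placeholders you would tune per estate.
        [string[]]$Watch = @('RemoteAccess', 'RasMan', 'IAS')
    )
    foreach ($c in $ComputerName) {
        try {
            $svcs = Get-WmiObject -Class Win32_Service -ComputerName $c -ErrorAction Stop |
                Where-Object { $_.StartName -eq 'LocalSystem' }
        } catch {
            # Unreachable hosts are reported, not silently skipped, so the
            # inventory is known to be incomplete for them.
            Write-Warning "$c : cannot query services ($($_.Exception.Message))"
            continue
        }
        foreach ($s in $svcs) {
            New-Object PSObject -Property @{
                Computer  = $c
                Service   = $s.Name
                Display   = $s.DisplayName
                State     = $s.State
                StartMode = $s.StartMode
                Flagged   = ($Watch -contains $s.Name)
            }
        }
    }
}

# Usage with constructed host names; review the Flagged column first
Get-LocalSystemServices -ComputerName 'FILESRV01', 'RAS01' |
    Sort-Object Computer, Service |
    Export-Csv -Path .\localsystem-services.csv -NoTypeInformation
```

Many Windows services legitimately run as LocalSystem, so the CSV is a worklist rather than a finding: the ones that matter here are those that must reach the domain controller from a machine whose computer account the Windows Server 2003 DC will no longer let in anonymously.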
Preparation
• Cleanup the NT 4.0 directory
  • Unused groups
  • Group Membership (esp. Domain Admin)
  • Retired users
  • Old computer accounts
• Ensure NT4 SP6a is on all DCs and SP3+ on other NT computers
• Check for LMHOSTS & static WINS addresses
• Change freeze
• Check replication health (KB158148)
  NLTEST /BDC_QUERY:<domain name>
  Windows NT 4.0 Resource Kit Tools: http://www.microsoft.com/ntserver/nts/downloads/recommended/ntkit/default.asp
Preparation
• Backup
  • PDC
  • The BDC which will be taken offline for rollback
• Test the backup to ensure it can be restored successfully
Test
• Create a test lab to prove the process
  • Isolated test lab (same NetBIOS names)
  • Use a restored copy of the production PDC and BDC
    • Could use Virtual Server and the VS Migration Toolkit to make a copy of the 2 production DCs
  • Use same hardware as that planned for the new production environment
• Resolve all issues before attempting in production
• Repeat full tests if necessary, right from creating a new backup
Upgrade
• Make the DC you will upgrade last the Lmrepl export server
  • If Lmrepl export is on PDC, promote a BDC or
  • Select one NT 4.0 BDC to be new Lmrepl export server & reconfigure Lmrepl on all NT 4.0 BDCs to point at this one
• Wait for Lmrepl to stabilise before proceeding
Upgrade
• Secure one BDC
  • Sync with PDC
  • Take back-up and test restore
  • Take BDC off-line and keep in storage
• Install new BDC on new production hardware
  • Make partition as large as possible (>2Gb)
  • No agents
  • No 3rd party software (other than drivers if needed)
• Promote new BDC to PDC
Upgrade
• Win2K and WinXP clients will only communicate with Win2K/Win2K3 DCs in a mixed-mode domain
  • Potential for DC overload, especially when the PDC is upgraded
• Solution is to make the Win2K3 DCs emulate NT 4.0 DCs (KB298713)
  • Set the following registry value on each Win2K3 DC prior to completing DCPromo:
    HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\NT4Emulator DWORD 0x1
Upgrade
• Upgrade PDC
  • PDC will not be able to perform PDC role during upgrade & DCPromo execution
    • No changes possible (no new users, groups, group membership changes)
    • Clients and workstations will not be able to change passwords
    • Trusts might fail
      • Use Nltest and Netdom to test/fix
  • Plan for the change freeze / downtime
Review: AD Functional Levels
1 These modes also apply to Windows Server 2003 domains & have the same name
2 Only when upgrading directly from NT4 to Win2K3 (no Win2K DCs)
AD Functional Levels
• Domain functional level directly affects migration:
  • Windows 2000 domain native mode needed for
    • SIDHistory
    • Group Nesting
• Forest functional level indirectly affects migration:
  • Windows Server 2003 interim forest functional level needed for
    • Linked-list replication (groups with >5k users)
    • ISTG improvements (larger # AD sites)
Windows Server 2003 interim functional level
• Enabled in two ways:
  • In place upgrade route:
    • When upgrading the NT4.0 PDC, the Active Directory Installation Wizard offers you the option to raise the forest functional level to Win2K3 interim
  • New Win2K3 Forest route:
    • Build a new Win2K3 domain as the forest root
    • Raise the forest functional level to Win2K3 interim using ADSIEdit or LDP (KB322692)
    • Upgrade existing NT 4.0 domains as child domains
AD Functional Levels
• Conclusion
  • Only 1 downside (not able to have Windows 2000 DCs)
  • Several benefits
  • Use it unless you will have Win2K DCs
Upgrade
• Configure security settings
  • SMB Signing
  • Anonymous SID/name translation
• Authorise DHCP if installed on PDC
• Verify success
  • Verify down-level replication works
  • Verify that users can be added and passwords can be changed
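The two settings named here (and on the Preparation slide about Win9x and NT 4.0 pre-SP3 clients) expressed as security templates, as an added example that is not from the presentation: one template relaxes the Windows Server 2003 DC defaults for the legacy-client period, the other restores those defaults afterwards. The mapping from policy display names to .inf keys is the standard security-template syntax; the file paths are placeholders, and the assumption is that on a production DC you import the .inf into the Default Domain Controllers Policy (Security Settings, Import Policy) rather than applying it locally, because that GPO would otherwise override a local secedit change at the next refresh.

```powershell
# Added example, not part of the presentation: security templates for the
# "SMB Signing" and "Anonymous SID/name translation" settings the slides say
# must be relaxed while Win9x / NT 4.0 pre-SP3 clients remain, and the
# strict Windows Server 2003 DC defaults to put back once they are gone.
# Assumptions: import the .inf into the Default Domain Controllers Policy on
# production DCs; Import-SecurityTemplate (local secedit apply) is for the
# isolated test lab. All file paths are placeholders.

$Header = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Relaxed: what the slides say pre-SP3 NT 4.0 and Win9x clients need.
$LegacyClientTemplate = $Header + @'

[System Access]
; "Network access: Allow anonymous SID/Name translation" = Enabled
LSAAnonymousNameLookup = 1
[Registry Values]
; "Microsoft network server: Digitally sign communications (always)" = Disabled
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
; "... (if client agrees)" = Enabled, so capable clients still get signing
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
'@

# Strict: the Windows Server 2003 DC defaults. Unsigned SMB allows session
# tampering and anonymous SID lookups allow account enumeration, so this
# template goes back on as soon as the last legacy client is retired.
$DefaultDcTemplate = $Header + @'

[System Access]
LSAAnonymousNameLookup = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
'@

function Write-SecurityTemplate {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Body
    )
    # secedit reads its .inf templates as Unicode (UTF-16) text
    Set-Content -Path $Path -Value $Body -Encoding Unicode
    return $Path
}

function Import-SecurityTemplate {
    # Test-lab only: apply a template to the local machine and keep the log
    param([Parameter(Mandatory=$true)][string]$Path)
    $db  = [System.IO.Path]::ChangeExtension($Path, '.sdb')
    $log = [System.IO.Path]::ChangeExtension($Path, '.log')
    & secedit /configure /db $db /cfg $Path /log $log /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit failed, see $log" }
}

# Usage (placeholder paths): write both templates, apply the relaxed one in the lab
Write-SecurityTemplate -Path 'C:\Upgrade\legacy-clients.inf' -Body $LegacyClientTemplate
Write-SecurityTemplate -Path 'C:\Upgrade\default-dc.inf'     -Body $DefaultDcTemplate
Import-SecurityTemplate -Path 'C:\Upgrade\legacy-clients.inf'
```

Keeping the strict template alongside the relaxed one makes the end date of the exception part of the change record: the legacy template is applied with a named set of clients as its justification, and the default template is scheduled for the day the last of them is upgraded or retired.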
Upgrade
• Install and configure Lmbridge to export the contents of SYSVOL on a Win2K3 DC to the Lmrepl export server
  • http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en
• Copy all logon scripts and other files from Lmrepl export server to PDCe
• Configure Lmbridge to copy files from PDCe to Lmrepl export server
• Change files on PDCe only
Upgrade
• Continue upgrading BDCs by adding new Win2K3 servers and retiring old NT 4.0 servers (i.e. don’t upgrade NT 4.0 BDCs)
• Once all DCs in all domains are Windows 2003, switch to Windows 2003 forest functional level
Post Upgrade
• The problem with NT4Emulator:
  • The DC ignores LDAP calls, so you cannot remotely administer it, nor can you add further Win2K/2K3 DCs
  • Solution is another registry value on the admin client(s) and additional Win2K/2K3 DCs (before running DCPromo):
    HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\NeutralizeNT4Emulator DWORD 0x1
• Transfer FSMO roles off 1st DC and DCPromo out of domain (machine was an NT 4.0 upgrade)
• In multi-domain forests, don’t worry about single domain modes, wait until last domain is upgraded
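The two Netlogon switches from the Upgrade slide (NT4Emulator on each Win2K3 DC before DCPromo completes) and this Post Upgrade slide (NeutralizeNT4Emulator on admin clients and on further DCs before their own DCPromo), as an added example that is not from the presentation. It writes the REG_DWORD value the slides give, reads it back for the change record, and reports the state of both switches; the removal function for post-migration cleanup is my addition rather than a step the deck lists, and the script assumes it is run elevated on the target machine itself.

```powershell
# Added example, not part of the presentation: the Netlogon switches from
# KB298713 as the slides describe them.
#   NT4Emulator           - on each Win2K3 DC, before DCPromo completes, so
#                           Win2K/XP clients keep treating it as an NT 4.0 DC
#                           instead of piling onto it
#   NeutralizeNT4Emulator - on admin workstations and on any additional
#                           Win2K/2K3 DC (before its own DCPromo), so those
#                           machines can still reach the emulating DC over LDAP
# Assumptions: run elevated on the target machine itself. The removal
# function is my addition for cleanup after the migration, not a slide step.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-NT4EmulatorSwitch {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('DomainController', 'AdminClient')]
        [string]$Role
    )
    $name = if ($Role -eq 'DomainController') { 'NT4Emulator' } else { 'NeutralizeNT4Emulator' }

    if (-not (Test-Path $NetlogonParams)) {
        throw "Netlogon parameters key missing; is the Netlogon service installed here?"
    }
    # -Force overwrites an existing value; REG_DWORD 1 is the value on the slides
    New-ItemProperty -Path $NetlogonParams -Name $name -Value 1 -PropertyType DWord -Force | Out-Null

    # Read it back so the caller (and the change record) can confirm the write
    return (Get-ItemProperty -Path $NetlogonParams -Name $name).$name
}

function Get-NT4EmulatorState {
    # Report both switches (0 = absent) as a pre-flight check on a DC or client
    $props = Get-ItemProperty -Path $NetlogonParams
    New-Object PSObject -Property @{
        Computer              = $env:COMPUTERNAME
        NT4Emulator           = [int]($props.NT4Emulator)
        NeutralizeNT4Emulator = [int]($props.NeutralizeNT4Emulator)
    }
}

function Remove-NT4EmulatorSwitch {
    # Post-migration cleanup (my addition): once enough Win2K3 DCs exist and
    # the first upgraded DC has been demoted, emulation is no longer needed
    foreach ($n in 'NT4Emulator', 'NeutralizeNT4Emulator') {
        Remove-ItemProperty -Path $NetlogonParams -Name $n -ErrorAction SilentlyContinue
    }
}

# Usage on a new Win2K3 DC before finishing DCPromo:
#   Set-NT4EmulatorSwitch -Role DomainController
# Usage on the admin workstation you will manage it from:
#   Set-NT4EmulatorSwitch -Role AdminClient
Get-NT4EmulatorState
```

Running Get-NT4EmulatorState on every DC and admin workstation before the PDC upgrade gives a quick way to catch the failure mode on this slide: a DC with NT4Emulator set and no NeutralizeNT4Emulator anywhere is a DC nobody will be able to administer over LDAP.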
Rollback
• If there are problems after the upgrade of the PDC (e.g. authentication, replication etc) which cannot be resolved
  • Turn off new PDC
  • Turn secured BDC back on
  • Promote secured BDC to PDC
  • Initiate replication
• If you’ve not used NT4Emulator, any Win2K and XP clients will not be happy with rollback
  • Reset the secure channel using Netdom, or
  • Remove workstation from domain, and re-introduce
In Place Upgrade - Customer Experiences
• Alliance & Leicester
  • Forgot to add NT4 RAS servers to RAS and IAS Servers group
  • Teamed NIC became un-teamed during upgrade, one NIC stole the hostname so the new PDC had the wrong name
• Motorola
  • In place upgrade of master account domain
  • Migrated 7 further account domains into new master
  • Collapsed 8 resource domains into 1 child domain
©2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.