Transcript Preparing NT4 and Migrating to Windows NT5
Migrating to Windows 2000 in a Large Research Environment
Rand Morimoto President, Inacom Oakland [email protected]
Migrating to Windows 2000 in a Large Research Environment
Background of Active Directory
DNS in Windows 2000
Migrating from WINS to DNS
Consolidating NT4 Domains
Conducting a Phased Migration
Next Generation MS-Exchange
About the Speaker
• Microsoft Advisory Council Member (1995-present)
• On the NT and Windows 2000 Development Team
• Author:
  • “Deploying Microsoft Exchange v5”, 700 pages
  • “Tuning and Optimizing Windows NT”, 1000 pages
  • “Windows 2000: Design and Migration”
  • “Exchange v6: Design and Migration”
• President / Inacom Oakland
  • Inacom Corporation
  • National / Int’l Services
  • Windows 2000 Services
Microsoft Directory Evolution
Now: Windows NT user directory
Single enterprise logon
Central management
Now: Microsoft Exchange Server directory
Replicated/partitioned
E-mail names and rich attributes
X.500 naming
MAPI, LDAP support
Scalable to “millions”
Coming: Windows 2000 directory
Integrated DNS, X.500
Deep integration with OS security
More standard support: X.500 DAP/DSP, ADSI, OLE/dB, etc.
Scalable to millions
What is Active Directory?
The Windows 2000 directory service, Active Directory, has:
A hierarchical, flexible namespace
Partitioning for scalability
Multi-master replication
Dynamic extensibility
Open and extensible directory synchronization interfaces
Lightweight Directory Access Protocol (LDAP) as the core protocol for interoperability
AD Terminology
Namespace
Name
Domain
Organizational Units (OUs)
Tree
Sites
Global Catalog
Schema
Differentiation
Administration Designators vs Replication Designators
Creating Administrative Structures
1. First I Create my “Domain” and Give it an Organization Name
2. Then I Create Organizational Units within this Domain to Distribute Administration
3. I then Create Users within the Organizational Units where they Belong
4. Finally I Group the Users so I can more Easily set Policies to the Group
Creating Administrative Structures
Domain Organizational Units Users and Groups
Enterprise is Made of Domains
Domains can be linked by trust
Domains can be related by name
Both X.500 and DNS naming
X.500 form: DC=MyCorp,DC=Com and DC=Dev,DC=MyCorp,DC=Com
DNS form: whatever.edu and whatnot.whatever.edu
Active Directory global namespace = DNS + LDAP directories
(diagram: the DNS tree under edu and com with the domains berkeley.edu, microsoft.com and inacom.com; organizational units students, courses and PoliSci; users BSmith, RJones, AArney and KBryant)
Windows 2000 DNS Management Services
Planning Your DNS Strategy
Active Directory is integrated with the Domain Name System (DNS). Therefore, it is important to:
Determine which DNS server to use
Determine your DNS root
DNS Server Options
Implement Microsoft DNS Exclusively
Implement Microsoft DNS as a Delegated Sub-domain
Use an Existing DNS Server
Implement Microsoft DNS Exclusively
Benefits
Tight integration with Active Directory
Supports the extended character set, Unicode
Not dependent on existing DNS Servers
Will co-exist with other DNS Servers
Supports multi-master replication
Implement Microsoft DNS as a Delegated Sub-domain
Benefits
Requires no upgrade of any existing DNS servers
Utilize existing DNS infrastructure
Minimizes dependency of Active Directory on existing DNS servers
Use a Non-Microsoft DNS Server
Benefits
Does not require replacing existing DNS servers
No DNS changes required
Existing DNS Server
To Support Active Directory, a DNS Server
Must support the SRV RR defined by RFC 2052
Should also support:
The Dynamic Update Protocol - RFC 2136
Incremental Zone Transfers - RFC 1995
Multiple Domains/Trees
Sometimes it is necessary to have more than one domain
Multiple domains with a contiguous name space are referred to as trees
tailspintoys.com
europe.tailspintoys.com
marketing.europe.tailspintoys.com
Forest Definition
One or more Windows 2000 Trees
Do not form a contiguous namespace
Share a common schema, config., Global Catalog
All Trees in a Forest trust each other
Does not need a distinct name
(diagram: tree Microsoft.Com with PBS.Microsoft.Com and NTDev.PBS.Microsoft.Com; tree Softimage.Com with Finance.Softimage.com)
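As an added example (not part of the presentation), the following Python turns the DNS names from the tree and forest slides into the X.500 DC= form used by Active Directory and groups them into trees: domains below a common root form one tree (contiguous namespace), and several such trees make up a forest. The domain lists are the ones drawn on the slides.

```python
# Added example (not from the presentation): DNS names from the tree/forest
# slides as LDAP DC= distinguished names, grouped into trees and a forest.

def dns_to_dn(domain):
    """microsoft.com -> DC=microsoft,DC=com: each DNS label becomes a DC= RDN."""
    return ",".join("DC=" + lbl for lbl in domain.strip(".").split(".") if lbl)

def dn_to_dns(dn):
    """DC=dev,DC=mycorp,DC=com -> dev.mycorp.com; OU=/CN= parts name containers
    and objects inside the domain, so they are skipped."""
    rdns = [p.strip() for p in dn.split(",")]
    return ".".join(r[3:] for r in rdns if r.upper().startswith("DC="))

def is_child_of(child, parent):
    """True when child lies strictly below parent in the DNS namespace."""
    c, p = child.lower().strip("."), parent.lower().strip(".")
    return c != p and c.endswith("." + p)

def group_into_trees(domains):
    """Map each tree root to the sorted domains of that tree: a domain joins the
    tree whose root it hangs below, otherwise it starts a new tree."""
    names = sorted({d.lower().strip(".") for d in domains},
                   key=lambda d: d.count("."))  # parents before children
    trees = {}
    for name in names:
        roots = [r for r in trees if is_child_of(name, r)]
        if roots:
            trees[roots[0]].append(name)
        else:
            trees[name] = [name]
    return {root: sorted(members) for root, members in trees.items()}

def forest_summary(domains):
    """Tree count, tree roots, and whether the set is a single tree."""
    trees = group_into_trees(domains)
    return {"trees": len(trees), "roots": sorted(trees),
            "single_tree": len(trees) == 1}

# Domain lists as drawn on the slides (constructed input for this example).
TAILSPIN_TREE = ["tailspintoys.com", "europe.tailspintoys.com",
                 "marketing.europe.tailspintoys.com"]
MIXED_FOREST = ["Microsoft.Com", "PBS.Microsoft.Com", "NTDev.PBS.Microsoft.Com",
                "Softimage.Com", "Finance.Softimage.com"]

if __name__ == "__main__":
    for d in MIXED_FOREST:
        print(f"{d:26} -> {dns_to_dn(d)}")
    print(forest_summary(TAILSPIN_TREE))  # one tree
    print(forest_summary(MIXED_FOREST))   # two trees, one forest
```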
Integrated Security Scenarios
Scenarios: Single Sign-on, Private Comm., Secure Biz Tx, Secure Desktop
Safety: Authenticode, Driver signing
Auth.: Priv Key/Kerberos, Public Key/X.509, NT4
Protocol: SSL, IPSEC, RPC/DCOM
Base: Crypto API, Encrypted F-S, More Auditing, Active Directory
• PK Certificates
• Kerberos keys
Goal of Windows 2000 for Enterprises: Reliability and Scalability
Network Load Balancing Clustering
Goal of Windows 2000 for Enterprises: World Ready
Multilingual user interface
Same code runs anywhere
Simultaneous support of multiple languages
Single world-wide API
What Can be Done with NT4 in Anticipation of a Migration to Windows 2000
Consider Implementing NT4 Workstation Today
Higher level of security
ability to lock down w/s hardware config
ability to create and manage set processes
Ability to use global roaming profiles
Key to Intellimirror in Windows 2000
Consolidated DLL model in Windows 2000
Design, Implement, and Gain Support for System Policies
Globally manage, for individuals, groups of users, or all users, the ability to:
change screen saver
change desktop background
add applications
purposely or accidentally delete applications
drop to DOS prompt
modify workstation configurations
System Policies
Consolidate Domains
Minimize resource domains
Develop structure that utilizes fewer domains
Create simplified trust model
Document enterprise hierarchy:
server/host configurations
segment addresses
segment bandwidth
trust and authentication process
Fastlane Technologies: DM/Manager
Selectively move single or multiple users from any Source Domain...
...to any Target Domain!
Setting Rules / Policies for Migration
Flexible migration options...
Conduct Performance Analysis
Evaluate Client to Server Bandwidth Demands
Evaluate Server to Server Bandwidth Utilization
Analyze Server System Utilization
Conduct WAN Bandwidth Analysis
Bluecurve “Dynameasure” is recognized by Microsoft for capacity analysis and capacity planning (http://www.bluecurve.com)
Performance Analysis (chart): server CPU capacity is the bottleneck; all four server CPUs reach maximum throughput
Implement TCP/IP and SMTP as Core Communications Protocols
(diagram: Site A and Site B connected over TCP/IP and SMTP)
Implement DNS (in addition to WINS, and in a Windows 2000 environment in place of WINS)
WINS is needed for NetBIOS name resolution
DNS will be native in a complete Windows 2000 TCP/IP environment
Implement LDAP for Look-up
(diagram: Client and Microsoft Management Console reaching the Domain Controller through legacy NT4 APIs (Net APIs, SAM, NTDS), ADSI and wldap32.dll; NT4 BDC replication; NW3 and NW4 over NCP; LDAP Directory Service with Windows 2000 multi-master (M-M) replication)
Create a Windows 2000 Deployment Team
Team Includes:
DNS Decision Makers (NT, UNIX, etc)
Hardware Implementers and Support Personnel
File/Print LAN/WAN Decision Makers
Firewall and Internet Security Decision Makers (Kerberos, X.509, etc)
Electronic Messaging Group
Desktop Support Group (Intellimirror, Windows Scripting, Sysclone, SMS)
Migrating from NT4 to Windows 2000
Migrating Domain Controllers
Migrating Servers
Migrating Users
Migration
Any Windows NT domain model can be migrated easily to the Active Directory
Mixed environments:
Fully supported
Look and act like Windows NT 4.0 domains
Migration to domain tree simple
Migration (Initial State): Windows NT 4.x domain (diagram: “PDC”, BDC, BDC)
Migration (Step 1): Upgrade PDC to Windows 2000 (diagram: “PDC” holding the domain replica and Global Catalog; BDC, BDC, BDC)
Migration (Step 2): Upgrade remaining Windows NT 4.x BDCs (diagram: DC - GC holding the domain replica and Global Catalog; DC, DC, DC)
Migration (Final State): “Native” domain (diagram: DC - GC holding the domain replica and Global Catalog; DC, DC, DC)
Migration: resource domains
Can be upgraded in place and joined to tree
Can be replaced with OUs
Convert in place
Join to tree
Create OU in parent domain
Drag resource domain contents into OU
Delete (empty) resource domain
Server Role In Windows 2000 (table: Windows NT 4.0 / Windows 2000 Mixed domain / Windows 2000)
PDC: Windows NT 4.0: only writeable copy; Windows 2000 Mixed domain: appears as PDC to downlevel clients, only writeable copy (Windows NT 4.0 or Windows 2000); Windows 2000: writeable copy
BDC: Windows NT 4.0: read-only copy; Windows 2000 Mixed domain: read-only copy (Windows NT 4.0); Windows 2000: replica, writeable copy
Next Generation Microsoft Exchange 2000 codename “Platinum”
Built on Windows 2000 Active Directory
AD Does Exchange Administration
Utilizes Multiple Storage Groups
• More than 1 MDB Per Server
• Smaller MDBs for easier backup/restore
• Separate MDB for NNTP and Internal Public Folders
• Distribute DBs across multiple Storage Area Network (SAN) devices
• Distribute Administration of DB management on a single server
Migration to Exchange Platinum
Exchange Platinum Migration
Exchange server needs to be migrated, but not the whole organization
Migration tools included to migrate Exchange v5.5 to Platinum (users, org/site structure, mailboxes, public folders)
Active Directory Connector provides a link between non-Active Directory NOSs and Exchange Platinum (NT4, NDS, LDAP)
Preparing for Exchange Platinum
Upgrade to Exchange v5.5 (if you have not already done so)
Replace Site Connectors with SMTP or X.400 Connectors using InterOrg Directory Replication
Questions?
Rand Morimoto
Inacom Oakland internet: [email protected]
(510) 444-5700 ext.100