2Migrando ambientes Windows NT 4.0 para o Windows Server 2003 KEY MESSAGE:SLIDE BUILDS: NoneSLIDE SCRIPT:SLIDE TRANSITION:ADDITIONAL INFORMATION FOR PRESENTER:Rodrigo VallimMicrosoft Brasil
3O Que Veremos: O que há de novo no Windows Server 2003 Introdução aos “Functional Levels”Terminologia de MigraçãoCenários de Migração SuportadosQuando e Como Fazer UpgradeQuando e Como ReestruturarVisão Geral do Processo de MigraçãoKEY MESSAGE: Explain what we will cover and the scope of the session.SLIDE BUILDS: None. Bullets come in automatically.SLIDE SCRIPT:In this session, we have a detailed look at how to migrate NT 4.0 resources, such as users, groups, computers and security principles into the Active Directory.The first thing to mention is that, while throughout this session you will see references to Windows Server 2003, a lot of the theory and techniques described are applicable to Windows 2000.And that applies to our first topic, terminology. This hasn’t changed between the two releases. The terminology is Active Directory-based, as we will see.We will look at the supported migration scenarios for moving resources, then look at the reasons to either upgrade an existing NT 4 environment to Active Directory or to restructure it. There are pros and cons to each, and while this session does not directly say to use one over the other, the aim is to give you the information to help you best make that decision for your environment.We will also see a lot of the migration tool through this session, as I’ll be using it extensively in a restructure demo.SLIDE TRANSITION: So what key knowledge is advantageous to getting the most from this session?
4Conhecimentos Necessários Essa seção assume que você possui um conhecimento básico de:Windows NT 4.0 directory servicesActive Directory™KEY MESSAGE: What is advantageous to understand for this session?SLIDE BUILDS: None. Bullets automatically come in.SLIDE SCRIPT:As this is a migration session, we will be talking a lot about the directory service in both NT 4 and Windows Server products. So having an understanding of both will be an advantage. If you don’t have an understanding of the Active Directory, then I would suggest having a look first at the session Active Directory Fundamentals on TechNet. That session id is TNT1-98.SLIDE TRANSITION: So lets look at the agenda and dive right in.
5O que há de novo no Windows Server 2003 A Topologia de Replicação agora suporta milhares de SitesMudança de nome de DomíniosImplementação de Sites e Logging on sem Local Global Catalog ServersGroup Policy Management Console (GPMC)Relacionamentos de Confiança Kerberos transitivos entre florestas
6Como Usamos Isso?Muitas características trabalham com existentes DC’s de NT 4.0 e Windows 2000.Algumas grandes novidades não trabalham com Windows NT 4.0 ou Windows 2000.Essas novas características requerem uma solução de versionamento para evitar problemas de interoperabilidade.Solução: forest e domain functional levels.
7Functional Levels Windows Server 2003 Active Directory Versioning SchemeHabilita as novas características.Operação sem volta.Modo nativo do WindowsDomain Functional LevelsForest Functional LevelsDefinido por Atributos de Domínio e recipientes de configuração
8Domínios de Modo Misto Windows NT DC’s são permitidos Similar ao Windows 2000 Mixed ModeDC’s Windows NT 4.0 mantém as características de domínio.Sem universal ou nested groups.Sem sIDHistory.Windows 2000 Domain ControllersPermitido, mas não requirido.Windows Server 2003 pode realizar upgrade de Windows NT 4.0 e Windows 2000 domain controllers e member servers.
9Domínios de Modo Nativo Sem DC’s NT 4.0Qualquer cliente ou member server Win32® é permitido.Todos os domain controllers precisam ser Windows 2000 ou Windows Server 2003.Windows 2000 domain modes do not increment msDS-Behavior-Version.Enables User and Group Management FeaturesWindows 2000 and Windows .NET domain controllers onlyMixed and Native Mode Defined by nTMixedDomain0 (zero) or no value means native mode1 means mixed mode
10Functional Levels New in Windows .NET Server 2003 Introduce new features not compatible with previous version domain controllersManually advanced when all domain controllers in domain or forest are running Windows .NET ServerDefined by msDS-Behavior-Version attribute on Domain and Partitions ContainersDC=<domain>,DC=<tld>CN=Partitions,CN=Configuration,DC=<domain>, DC=<tld>
11Functional Levels (2) Windows .NET Domain Windows .NET Interim Forest Windows .NET Forest
12Domain Functional Levels All Domain Controllers Are Windows .NETWindows 2000 and Windows NT domain controllers are blocked.Manually advanced using Active Directory Domains and Trusts (Domain.msc).Also exposed through ADSIEdit.msc, LDP, or script, for example.msDS-Behavior-Version = 2 on DC=<domain>,DC=<tld>msDS-Behavior-Version = 1 defines interim domain mode, but is unused.
13Funcionalidade de Domínio Características Características disponíveis do Windows Server 2003DC’s suportados no DomínioModo MistoInstalar (DCPromo) a partir de mídias (IFM)Windows NT 4.0Windows 2000Windows 2003Modo NativoGroup nestingUniversal groupsUniversal group cachingsIDHistoryWindows 2003 InterimO mesmo que acimaO mesmo que Windows 2000 Nativo, mais:Replicated logon timestamp attributeKerberos KDC versionSenha de usuário em inetOrgPerson
14Forest Functional Levels Windows .NET Forest ModeAll domain controllers in the enterprise must run Windows .NET Server 2003.Advanced using Domain.msc or by setting msDS-Behavior-Version = 2 on CN=Partitions,CN=Configuration,DC=<domain>, DC=<tld>.Windows .NET Interim Forest ModeAllows Windows NT 4.0 domain controllers.Windows 2000 domain controllers are not allowed.Only UI is new forest through upgrade and DCPromo of Windows NT 4.0 primary domain controller (PDC).
15Funcionalidades de Floresta Características Funcionalidade de FlorestaCaracterísticas disponíveis do Windows Server 2003DC’s suportados na ForestaWindows 2000Instalar a partir de mídias (IFM)Universal Group cachingWindows NT 4.0Windows 2003Windows 2003 InterimISTG MelhoradoLinked value replicationO mesmo que Windows 2003 Interim, mais:Dynamic Aux classesUser to inetOrgPerson changeSchema defunct and redefineRenomeação de DomínioRelacionamento entre florestas
16Melhores Práticas para Funcional Levels Windows NT 4.0 UpgradeWindows 2003 interim forest modeHabilita as melhorias do Intersite Topology Generator e Knowledge Consistency Checker do Windows Server 2003Torna a replicação mais eficiente e robustaDepois que todos os DC’s forem atualizados, mude para Windows 2003 forest modeDomínios em modo nativo automaticamente mudam para Windows 2003 domain level quando a floresta é mudada para Windows 2003 interim
17Melhores Práticas para Funcional Levels (2) Windows 2000 UpgradeModo nativo é melhor para redes mistas Windows 2000 e Windows 2003.Nenhuma alteração no functional level até que todos os DC’s sejam Windows Server 2003.Quando todos os DC’s rodarem Windows 2003, mude a floresta para Windows 2003 forest mode.Quando a floresta é mudada, os domínios automaticamente avançarão para Windows 2003 domain mode.
18Terminologia de Migração Termos Migração de DomínioUpgradeReestruturaçãoModo MistoWindows 2000 e NT 4.0Windows 2000, Windows Server 2003 e NT 4.0Modo NativoWindows 2000 NativoWindows Server 2003 NativoKEY MESSAGE: Introduce the basic terms.SLIDE BUILDS: NoneSLIDE SCRIPT:The one thing Microsoft is good at, after creating software, is creating terms to describe that software. Each new release seems to also bring out a plethora of new acronyms, phrases, and other terminology.Well, migration has it’s fair share. Fortunately, when it really comes down to it, the two main terms to understand are Upgrade and Restructure. These two terms describer the two ways to migrate NT 4 resources to Active Directory. These two terms are not product-related or technology-related; they just describe the two types of migration you have to choose from.The Modes are product-related, and these describe the mode in which Windows 2000 or Windows Server 2003 operate. Even within these there are different modes. Windows 2000 supports the two modes while Windows Server 2003 supports three. We’ll come on to those in a bit.SLIDE TRANSITION: For now, lets concentrate on Restructure and, firstly, Upgrade.ADDITIONAL INFORMATION FOR PRESENTER:
19Terminologia de Migração Upgrade “Upgrade In Place”Mais fácil, menor riscoPreserva a estrutura existenteKEY MESSAGE: Describe what an Upgrade is.SLIDE BUILDS: NoneSLIDE SCRIPT:We can define the term “Upgrade” as the process of upgrading the software on the Primary Domain Controller (PDC) of a domain, and upgrading some or all of the Backup Domain Controllers (BDCs), from Windows NT 4.0 to Windows 2000 or Windows Server Because this is an operating system upgrade rather than a fresh installation, the existing domain structure, users, and groups are maintained, though in the process new Windows Server features are enabled. In fact, the biggest distinction between upgrade and consolidation lies in the fact that, in upgrading, we are maintaining the existing domain structure. This means that Upgrade represents the easiest, least-risk migration route because it retains most of your system settings, preferences, and program installations.SLIDE TRANSITION: So how does this compare to restructure?ADDITIONAL INFORMATION FOR PRESENTER:MUDRES3RES2RES1MUDRES1RES2RES3UpgradeDica: A maioria das empresas podem simplesmente efetuar esse tipo de migração
20Terminologia de Migração Reestruturação ConsolidaçãoMove os “Security Principals” entre DomíniosDesenha uma floresta idealKEY MESSAGE: Describe what a restructure is.SLIDE BUILDS: NoneSLIDE SCRIPT:Domain restructure on the other hand is a process designed to allow you to redesign the forest according to the needs of your organisation. Though restructure can result in any number of different outcomes, typically the result is some rationalisation of the current structure, and perhaps a move to fewer larger domains. These domains represent your version of the “Pristine Forest” for your organisation. For a small organisation, it may mean a single domain. For a worldwide enterprise, it may mean fewer domains based around geographical boundaries.SLIDE TRANSITION: Let’s shed some light on the Mode terminology.ADDITIONAL INFORMATION FOR PRESENTER:company.comamerica.company.comeurope.company.comMUD1RES1RES2RES3MUD2RestruturaçãoDica: Desenhando uma floresta ideal, o tamanho da SAM não é mais uma restrição
21Cenários de Migração Cenários Suportados Upgrade in PlaceMigração de Usuários e GruposMigração de RecursosKEY MESSAGE: Introduce the Migration Scenarios.SLIDE BUILDS: NoneSLIDE SCRIPT:So now let’s address the supported migration scenarios. As I mentioned earlier, I’m probably not going to describe an exact migration fit for each organization, but I will try and provide enough information to help you make the best choice for your organization. Although having said that, what we have typically found is that upgrade is typically best suited for small organizations and restructuring for large enterprises.SLIDE TRANSITION: So lets start with Upgrading in Place.ADDITIONAL INFORMATION FOR PRESENTER:
22Cenários de Migração Quando efetuar “Upgrade In Place” A sua arquitetura de domínio existente já é uma arquitetura própria para o Windows 2003?Sim UpgradeNão Uma migração em duas etapas é aceitável?Sim Upgrade agora, reestruture depoisNão Não realize um “upgrade in place”KEY MESSAGE: So when would you upgrade in place?SLIDE BUILDS: NoneSLIDE SCRIPT:Well, if you are you happy with your existing domain structure, there is no reason to do anything other than upgrade.If, however, you are not happy with this structure and think that after reviewing the Active Directory you can come up with a better design, then next question to ask is, Can I spend the time now designing my environment or am I under pressure to install the Active Directory?If you need to install Active Directory now and don’t have time to redesign, then that’s again OK, you can perform a two-phased migration. Upgrade your domain now and the restructure later. This is when it is more advantageous to upgrade to Windows Server 2003 with it’s ability to rename domains and also the ability to move them around a bit.If you answered no to both questions, then a restructure is the way to go.SLIDE TRANSITION: So how do you upgrade in place?ADDITIONAL INFORMATION FOR PRESENTER:
23Windows 2003 Tree and Forest Model Cenários de Migração Como efetuar o “Upgrade In Place”Windows 2003 Tree and Forest ModelPre-Windows 2003 ArchitectureKEY MESSAGE: Upgrading in place, as then term implies is fairly straight forwardSLIDE BUILDS: NoneSLIDE SCRIPT:This diagram illustrates converting from the Classic NT4 multi-master domain model where Users are grouped in Master User domains and resources are collected in Resource Domains, to the Windows 2000 model of trees of domains in a forest of trust.A significant difference between these two models is trust management.Before Windows 2000, a one way trust had to be explicitly established between a resource domain and every account domain containing users it trusted. Every Windows 2000 domain created or upgraded automatically establishes a two-way transitive trust between it and it’s new parent. 2-way trust means that resources in the new domain trust users from the parent domain AND vice verse, resources in the parent domain trust users from the child domain. The transitivity of this trust comes into play when accessing resources in a domain that is not your parent or child. Transitivity means: I not only trust you, I also trust everyone that you trust. E.g. Marketing not only trusts Users from North America, but it trusts users from New York as well, even though there’s no explicit trustThis upgrade works in a similar fashion to the Single Domain Upgrade. In this case you must also specify where in the forest the domain will be located.SLIDE TRANSITION: So lets break the steps down.ADDITIONAL INFORMATION FOR PRESENTER:NORTHAMERICANEWYORKNORTHAMERICANEWYORKMARKETINGRD2RD3MARKETINGRD2RD3
24Cenários de Migração Upgrade In Place Upgrade o PDC e crie a raíz da florestaUpgrade domínios de contaUpgrade domínios de recursosUpgrade Estações de TrabalhoUpgrade Servidores MembrosKEY MESSAGE: So what do you have to do?SLIDE BUILDS: NoneSLIDE SCRIPT:You must upgrade the PDC first, then the BDCs. The question of which domain to upgrade first is more problematic, and the answer may vary depending on your circumstances. For example, if you are planning to restructure certain domains out of existence later, there might be little point in upgrading them first.Though your situation may change this, a general recommendation is that you should consider the following order for upgrading your domains:1. Account domains2. Resource domainsWorkstations and member servers can be upgraded at any timeAs a general rule, you will get the most benefit from upgrading your account domains earliest because in most cases there will be more users to administer than computers. By upgrading your account domains to Windows 2000 you will benefit from:Improved scalability of Active Directory - Many organizations are pushing the upper bounds of the recommended SAM size with their existing numbers of users and groups.Delegated administration – The ability to delegate administrative capability at very fine granularity, without the necessity to grant absolute power.Dica: O AD é exposto aos sistemas operacionais antigos como uma estrutura de domínio do Windows NT 4.0
25Cenários de Migração Upgrade In Place: Domínios de Contas Fase 1: Diminua os riscos e mantenha o controleDomínios com menos usuários;Controladores de Domínio controlados pelo time de migraçãoFase 2: Domínios de Contas maioresFase 3: Domínios locais remanescentes que precisam ser reestruturadosKEY MESSAGE: Some guidelines for migrating the account domains.SLIDE BUILDS: NoneSLIDE SCRIPT:If you have more than one account domain, the following guidelines should help you choose in which order to upgrade them:Try to Mitigate risk and disruption and Maintain control. Though you will have tested your upgrade strategy in a lab or via a pilot, the first live migration will be the riskiest. To mitigate risk, you should upgrade domains where you have easiest access to the DCs. If there is more than one domain to choose from in any situation, upgrade the smallest first so that you minimize disruption to the most possible users, particularly while you are gaining experience of the process.Once you have gained experience of and confidence in the process, move onto the bigger account domains.If you are planning to restructure your domains, you should look to upgrade the likely targets of restructure early in the process. You cannot consolidate domains into a target that does not exist.SLIDE TRANSITION: So what about all those resource domains you may have? Are there guidelines for those?ADDITIONAL INFORMATION FOR PRESENTER:Dica: Um administrador trabalhando em um cliente sem o AD pode continuar a usar o Windows NT 4.0 administration tools
26Cenários de Migração Upgrade In Place: Domínios de Recursos Fase 1: Domínio de Recursos onde aplicações demandam seu upgradeFase 2: Domínios com muitas estações de trabalhoFase 3: Domínios de recursos que serão reestruturadosFase 4: Domínios remanescentesKEY MESSAGE: Some guidelines for migrating the resource domainsSLIDE BUILDS: NoneSLIDE SCRIPT:If you have more than one resource domain, the following guidelines should help you choose which order to upgrade them:First, you should upgrade domains where you are deploying applications that demand Active Directory, for example Exchange 2000 and 2003.Next, you should upgrade domains with many workstations, so that you can take advantage of Windows 2000 or Windows Server 2003 infrastructure features such as Group Policy.Just as with account domains, if you are planning restructure of your domains, you should look to upgrade the likely targets of restructure fairly early on.SLIDE TRANSITION: Finally, after account domains and resource domains, the only things left are the workstations and members servers. How do you migrate those?ADDITIONAL INFORMATION FOR PRESENTER:Dica: Você não precisa completar um upgrade de domínio de contas para começar o upgrade de um domínio de recursos.
27Cenários de Migração Upgrade In Place: Estações de Trabalho e Servidores Membros Upgrade facilmente a qualquer momentoRazões para o upgradeGerenciabilidadeSuporte ao Sistema de ArquivosServiços de AplicaçãoCompartilhamento e Publicação de InformaçõesKEY MESSAGE: Some guidelines for migrating the workstations and member servers.SLIDE BUILDS: NoneSLIDE SCRIPT:The thing with member servers and workstations is that these can be upgraded at any time. In fact for workstations, there may even be a separate project just for those. Workstation upgrades affect a lot more users directly, what with a different interface and possibly upgraded Office applications. So while they can be done any time, it is probably best to do that separately.Member servers are similar to workstations in as much as they don’t really mind which OS they run or in which type of domain they run. The caveat to this are servers that run applications that need a specific OS running the domain or those that just get the best out of being in an Active Directory world, for example a RRAS Server. If you have one, it’s probably a member server. The Windows 2000 / Windows Server 2003 version of this is much more powerful and secure than the NT 4.0 version, and this should be one to look at first.SLIDE TRANSITION:ADDITIONAL INFORMATION FOR PRESENTER:Dica: Estações de Trabalho e Servidores Membros podem ser atualizados para Windows 2003 independente do upgrade do domínio.
28Cenários de Migração Upgrade In Place Desligue um BDCBDCUpgrade o PDCModo MistoWindows NT4Modo 2003Mude para o Modo NativoKEY MESSAGE: Describe the different modesSLIDE BUILDS: NoneSLIDE SCRIPT:Before upgrading any machines in this domain, be sure to take an existing BDC offline. This machine will serve as a backup in case a rollback to the NT 4 state is necessary, so make sure it is synchronized before taking it offline.Begin by upgrading the PDCPrior to upgrade, you must know where the domain you are upgrading fits into the Windows 2000 hierarchy. Is this domain controller a forest root, a child domain, etc…After the PDC has been upgraded, what do downlevel DCs see? They see the NETBIOS name given to the Windows 2000 domain during setup.Upgrade one or more BDCs right away; don’t leave PDC as only upgradeWindows 2000 Clients “prefer” a windows 2000 domain controller – (and cache preference) so, upgrading another machine spreads the loadThis also enables Multi-master replicationAdministrators can make changes at any Windows 2000 DC - Any of these changes are replicated to the DC acting as PDC, and are then replicated to BDCs using netlogon replicationMore scalable, responsive for large domains w/many clientsAfter the upgrades, DS enabled clients begin:Intelligently locating DCs using sitesUsing the DCs to find objects in the directoryNon DS clients, continue to validate using NTLM against a Windows 2000 DCIf you leave your domain in mixed mode (i.e. continue to have downlevel machines) you cannot take advantage of the nested Groups or Universal Groups – these features are available in Native Mode OnlyIf you need to roll back from mixed mode, take the current PDC off the network or make it a BDC, put the offline BDC back online, promote it to PDC to fix remaining BDCs.SLIDE TRANSITION:ADDITIONAL INFORMATION FOR PRESENTER:Upgrade BDCsPDCBDCBDCBDC
29Cenários de Migração Quando Reestruturar Se a estrutura de domínios NT 4.0 existente não atender às necessidades da nova estrutura de domínios Windows 2003Se você quiser migrar gradualmente e quiser prover fallback para o Windows NT 4.0KEY MESSAGE: So we’ve looked at the reason to upgrade in place, and if that didn’t apply, then it’s a restructure?SLIDE BUILDS: NoneSLIDE SCRIPT:So the big reasons to restructure are either that the current domain structure does not meet the requirements of the business and a new structure would be most cost-effective and flexible, or that you want to have a fallback to the NT 4.0 environment if things do go pear-shaped.Once the new forest has been built, restructuring will begin with a pilot, where a number of users, groups, and resources are migrated to the new environment to act as an advance party, ensuring that business can carry on as normal in the new structure.On successful completion of this phase, the pilot will transition into a staged migration to the new environment. At some point, Windows 2000 will become the production environment. The old domain structure will be decommissioned, and the remaining resources will be redeployed.SLIDE TRANSITION:ADDITIONAL INFORMATION FOR PRESENTER:Dica: Reestruturação pode requerer domínios e hardware adicionais
30Cenários de Migração Reestruturação Com Fallback ObjetivosCriar um ambiente Windows 2003 “pristine”O ambiente de produção existente é retidoTer fallback do ambiente Windows NT 4.0Manter acesso aos recursosExecutar cópia não destrutiva (clone)KEY MESSAGE: So lets look at a restructure with fallback.SLIDE BUILDS: NoneSLIDE SCRIPT:In a nutshell, Domain upgrade is a process designed to maintain as much of your current environment as possible, including your domain structure. While Domain restructure, on the other hand, is a process designed to allow you to redesign the forest according to the needs of your organization. Though restructure can result in any number of different outcomes, typically the result is some rationalization of the current structure, and perhaps a move to fewer larger domains.In the past, there have been a number of third-party directory management tools that have provided domain-restructuring support for Windows NT. Now both Windows 2000 and Windows Server 2003 provide native functionality to enable domain-restructuring scenarios, namely:Security principals can be moved from one domain to another while maintaining pre-move access to resources.DCs can be moved from one domain to another without complete reinstallation of the operating system.There is also a graphical tool to make domain restructuring easier, together with some scriptable COM components and command line utilities to aid restructuring operations.In the up-and-coming demonstrations, the goals stated here are the goals the dummy company wishes to achieve.SLIDE TRANSITION: The main tool that we will use is the Active Directory Migration Tool.ADDITIONAL INFORMATION FOR PRESENTER:Dica: Sua nova arquitetura de domínios deve considerar os efeitos da replicação.
31Cenários de Migração Active Directory Migration Tool Baseado em AssistentesExecução em Modo TesteRelatóriosCapacidade de FallbackAuditoriaAgentes de Re-ACL rodam em Windows NT 3.51, Windows NT 4.0 e Windows 2000KEY MESSAGE: Introduce and talk about the ADMT.SLIDE BUILDS: NoneSLIDE SCRIPT:The Active Directory Migration Tool provides an easy way to migrate to the Active Directory. You can use this tool to diagnose any possible problems before starting migration operations to Active Directory. You can then use the task-based wizard to migrate users, groups, and computers; set correct file permissions; and migrate Microsoft Exchange Server mailboxes. The tool's reporting feature allows you to assess the impact of the migration, both before and after move operations.SLIDE TRANSITION:ADDITIONAL INFORMATION FOR PRESENTER:
32Cenários de Migração Cenário: Wide World Importers London Accounts DomainKEY MESSAGE: The Wide World Importers Demo.SLIDE BUILDS: NoneSLIDE SCRIPT:The demonstration scenario that we will be using is to migrate the Wide World Importers London office NT 4 environment to Active Directory. In this example, the target system is Windows Server 2003.We won’t be doing the whole migration. Instead, we will work on the Call Centre group and migrate those users and groups over. We will also use the ADMT to ensure that the resources on the NT 4 file server that the call centre groups uses are still accessible while using the new Active Directory accounts.As we go through the demonstration, I’ll explain more.SLIDE TRANSITION: So let’s start with setting up the environment ready for the migration.ADDITIONAL INFORMATION FOR PRESENTER:New Europe DomainLondon Resource Domain
33demonstração Preparação do Ambiente para a Migração Trocando de Modos de OperaçãoPreparando para a execução do Active Directory Migration toolKEY MESSAGE: Setting up for the migration demonstration.SLIDE BUILDS: NoneSLIDE SCRIPT:SLIDE TRANSITION:ADDITIONAL INFORMATION FOR PRESENTER:
34Cenários de Migração Migrando Usuários NT 4.0 1. Crie uma nova floresta AD “pristine”Target2. Estabeleça os relacionamentos de confiança necessáriospara manter o acesso aos recursos.3. Clone os Grupos GlobaisKEY MESSAGE: Migrating users to Active Directory.SLIDE BUILDS: 6SLIDE SCRIPT:So lets look at migrating Users over from our NT 4 Domain.[BUILD 1] The first step to this process is to create the ideal or “pristine” Active Directory Forest.[BUILD 2] Next, to ensure that users in either environment can access the same resource from either their NT 4 account or their Active Directory account, we need to establish trusts between all the environments.[BUILD 3] Now we can use tools like the ADMT to migrate the Groups…[BUILD 4] …and the users. We could use the ADMT to do both at once, but this all depends on the environment. In the up-and-coming demonstration, this is what we will do.[BUILD 5] Finally, we could decommission the Account domain.SLIDE TRANSITION: Lets see an example of this in action.ADDITIONAL INFORMATION FOR PRESENTER:4. Clone os Usuários5. Eventualmente Desative o DomínioSourceFallback a qualquer momento!Resource DomainResource Domain
35demonstração Migrando Usuários Criando unidades organizacionais para os usuários migradosMigrando os Usuários e Grupos Call CentreKEY MESSAGE: Describe the different modes.SLIDE BUILDS: NoneSLIDE SCRIPT:In this demonstration, we will take a section of the user base—in this case, the Call Centre group of Wide World Importers—and migrate them over from the NT 4 environment into a new OU in the Active Directory.SLIDE TRANSITION:ADDITIONAL INFORMATION FOR PRESENTER:
36Cenários de Migração Migrando Recursos NT 4.0 1. Clone os Grupos Locais2. Derrube os Servidores de AplicaçãoKEY MESSAGE: Describe the different modes.SLIDE BUILDS: NoneSLIDE SCRIPT:So we’ve seen users, now let’s talk about resources.[BUILD 1] The first step to this phase is to clone the locals that are used to assign permissions to. Remember from our Active Directory basics that Domain Local Groups are the group of choice when assigning local permissions, so we have to ensure they exist in the Active Directory.[BUILD 2] Next, demote the servers out of one domain…[BUILD 3] … and move them or add them to the new domain.[BUILD 4] Once all the resource have been moved, we can decommission the resource domain.SLIDE TRANSITION: Let’s move onto some Security concepts you need to be aware of when moving users—and we are not talking about the latest patches. This is how security principals are effected during migration.ADDITIONAL INFORMATION FOR PRESENTER:3. Mova os Servidores4. Eventualmente Desative o Domínio de OrigemAccount DomainTarget OUResource Domain
37Cenários de Migração Conceitos Importantes de NT 4.0 LON-ACC\STEPHBLON-ACCLON-ACC\Call Centre AllMembers: LON-ACC\STEPHBKEY MESSAGE: So, starting on a security note, lets recap some important concepts to remember.SLIDE BUILDS: NoneSLIDE SCRIPT:Now that we’ve seen how users and computers are migrated, let’s cover how their security principals are migrated. But before we do that, let’s discuss how a user gains access to resources in NT4.0. We will use the Demo setup I have as the example.We have a typical Master User Domain (MUD) architecture – the domain is called AcctDomain.[BUILD 1] So we have the London Account domain…[BUILD 2] …with user Stephanie, who is the manager of the call Centre Team.[BUILD 3] She is therefore a member of the Call Centre All group.[BUILD 4] The resources for the London office live in one of the London Resource domains. In this case, Stephanie’s workstation and all the Call Centre documents, profiles, printers, etc., live here. Mainly off the Lonfilesrv01.[BUILD 5] There is a trust, which allows the resource domain to trust the account domain.[BUILD 6] The local group, Call Centre All , on the member server includes the global group from the account domain.[BUILD 7] There also exists a share on Lonfilesrv01, Docs, on the member server, that gives Call Centre All full control.[BUILD 8] When Stephanie logs on at her workstation, it is using the Account domain account.[BUILD 9] Then, in the normal course of her day, she attempts to access the share Docs folder.[BUILD 10] Via passthrough authentication, Stephanie is given an access token that allows her access to Docs. This access token contains the SIDs for her user account and the two groups she is included in.SLIDE TRANSITION: So what are the effects to this process during and after migration?ADDITIONAL INFORMATION FOR PRESENTER:Steph’s Access Token on DocServ1:User: LON-ACC\Stephb SIDGroups:LON-ACC\Call Centre All SIDLONFILESRV01\Call CentreSIDLON-RES-01StephsWSLONFILESRV01LONFILESRV01\Call CentreMembers: LON-ACC\Call Centre All\\LONFILESR01\Docs: Call Centre: Full Control
38Cenários de Migração SID History Groups:User:SSSSAccess TokenEurope\stephbLON-ACC\stephb (SID History)KEY MESSAGE: What is SID History and why do we need it?SLIDE BUILDS: NoneSLIDE SCRIPT:So when migrating objects from NT 4 to Active Directory, the first thing to be aware of is how the Security Principals are affected. When taking a user, computer, or group from NT 4 to the Active Directory, these principals are in most cases created anew. Which means they get new SIDs, and therefore any permissions/rights granted to the old SID or any groups that this principal was a member of do not apply to the new SID.To overcome this, the old Security Identifiers (SIDs) for the account objects are retained in an attribute in the Active Directory called “SID history.” This allows the new security principal to include its former SIDs. So now, when a user identifies himself or herself by presenting his or her credentials, the system creates an access token for the user containing not only the SID of the user and the SIDs of all the groups that user is a member of, but also all SIDs in SID history.The good thing about this system is that is does not affect the security descriptor for a resource. This descriptor—which contains the Access Control List (ACL), with a list of Access Control Entries (ACEs), each consisting of an SID together with the indicator that identifies the grant or denied access to the resource—works as if nothing has changed. All the SIDs, old and new, are passed and checked against the Access Control List.For this to work in a restructure, trusts between the resource domain and the Active Directory domain must exist. In an upgrade, security principals remain in the same domain they were created in, and so the SIDs identifying them remain unchanged. As a result, resource access is unaffected by upgrade.SLIDE TRANSITION: The Active Directory Migration tool handles a lot of this. So lets round off the session with a look at how the tool can ensure that access is maintained.ADDITIONAL INFORMATION FOR PRESENTER:Europe\Call Centre AllLON-ACC\Call Centre All(SID History)SIDhistory garante o acesso ao grupo movidoDê Cotrole Total ao grupo:LON-ACC\Call Centre AllACL on lonfilesrv01\DocsGive Full Control toS
39demonstração Security Translation Wizard Popular a Base de Dados de Relacionamentos de GruposRodando o Security translationKEY MESSAGE: Describe the different modes.SLIDE BUILDS: NoneSLIDE SCRIPT:SLIDE TRANSITION:ADDITIONAL INFORMATION FOR PRESENTER:
40Resumo Migração é: Upgrade ou Reestruturação, ou ambos. Leve em consideração os prós e contras de cada opçãoEscolha a opção que melhor se encaixe em sua organizaçãoAproveite a oportunidade para criar uma nova estrutura que seja eficienteKEY MESSAGE:SLIDE BUILDS: NoneSLIDE SCRIPT:SLIDE TRANSITION:ADDITIONAL INFORMATION/CROSS REFERENCE FOR PRESENTER:
42MS Press Informações para profissionais de TI Key Message: Talk about MS Press books and introduce the Build your own book featureSLIDE BUILDS: 1SLIDE SCRIPT:[BUILD 1] (Add book script here)SLIDE TRANSITION:ADDITIONAL INFORMATION/CROSS REFERENCE FOR PRESENTER:Para os últimos títulos visite:
43Microsoft Learning Recursos de Treinamento para Profissionais de TI Migrating from Microsoft Windows NT 4.0 to Microsoft Windows Server 2003Número do Curso:2283Disponibilidade: ImediataSyllabus:Microsoft Learning (formerly MS Training & Certification and MS Press, the book division) develops the courseware called Microsoft Official Curriculum (MOC), including MSDN Training courses, eLearning, MS Press Books, Workshops, Clinics, and Microsoft Skills Assessment. MOC is offered in instructor-led environments; it offers comprehensive training courses for both IT professionals and developers who build, support, and implement solutions using Microsoft products and technologies.Please be sure to tell the audience that these training courses are related to the subject that was just covered in the slides, but they do not necessarily provide in-depth coverage of this exact subject as it may include other topics.Anyone interested in more information about the course(s) listed should visit the Microsoft Training & Certification Web site at and review the syllabus. All MOC courses are delivered by Microsoft’s premier training channel, Microsoft Certified Technical Education Centers (CTEC) and classes are taught by Microsoft Certified Trainers (MCT).Para localizar um centro de treinamento, acesse:Microsoft Certified Technical Education CentersSão parceiros Microsoft para serviços de treinamento