Migrating Windows NT 4.0 environments to Windows Server 2003

Presentation transcript:

Migrating Windows NT 4.0 environments to Windows Server 2003
Rodrigo Vallim, Microsoft Brasil

SLIDE BUILDS: None

What We Will Cover
- What's new in Windows Server 2003
- Introduction to "Functional Levels"
- Migration terminology
- Supported migration scenarios
- When and how to upgrade
- When and how to restructure
- Overview of the migration process

KEY MESSAGE: Explain what we will cover and the scope of the session.
SLIDE BUILDS: None. Bullets come in automatically.
SLIDE SCRIPT: In this session, we take a detailed look at how to migrate NT 4.0 resources, such as users, groups, computers and security principals, into Active Directory. The first thing to mention is that, while throughout this session you will see references to Windows Server 2003, a lot of the theory and techniques described are applicable to Windows 2000. And that applies to our first topic, terminology, which hasn't changed between the two releases. The terminology is Active Directory-based, as we will see. We will look at the supported migration scenarios for moving resources, then look at the reasons to either upgrade an existing NT 4 environment to Active Directory or to restructure it. There are pros and cons to each, and while this session does not directly say to use one over the other, the aim is to give you the information to help you make that decision for your environment. We will also see a lot of the migration tool through this session, as I'll be using it extensively in a restructure demo.
SLIDE TRANSITION: So what key knowledge is advantageous to getting the most from this session?

Prerequisite Knowledge
This session assumes that you have a basic knowledge of:
- Windows NT 4.0 directory services
- Active Directory™

KEY MESSAGE: What is advantageous to understand for this session?
SLIDE BUILDS: None. Bullets automatically come in.
SLIDE SCRIPT: As this is a migration session, we will be talking a lot about the directory service in both NT 4 and Windows Server products, so having an understanding of both will be an advantage. If you don't have an understanding of Active Directory, then I would suggest first having a look at the session "Active Directory Fundamentals" on TechNet. That session id is TNT1-98.
SLIDE TRANSITION: So let's look at the agenda and dive right in.

What's New in Windows Server 2003
- The replication topology now supports thousands of sites
- Domain renaming
- Site deployment and logging on without local Global Catalog servers
- Group Policy Management Console (GPMC)
- Transitive Kerberos trust relationships between forests

How Do We Use This?
- Many features work with existing NT 4.0 and Windows 2000 DCs.
- Some major new features do not work with Windows NT 4.0 or Windows 2000.
- These new features require a versioning solution to avoid interoperability problems.
- Solution: forest and domain functional levels.

Functional Levels
Windows Server 2003 Active Directory versioning scheme
- Enables the new features.
- One-way operation: it cannot be reverted.
- Windows 2000 native mode "++".
- Domain functional levels
- Forest functional levels
- Defined by attributes on the domain and configuration containers

Mixed-Mode Domains
- Windows NT DCs are allowed
- Similar to Windows 2000 mixed mode
- Windows NT 4.0 DCs keep the domain's characteristics: no universal or nested groups, no sIDHistory.
- Windows 2000 domain controllers are allowed, but not required.
- Windows Server 2003 can upgrade Windows NT 4.0 and Windows 2000 domain controllers and member servers.

Native-Mode Domains
- No NT 4.0 DCs
- Any Win32® client or member server is allowed.
- All domain controllers must be Windows 2000 or Windows Server 2003.
- Windows 2000 domain modes do not increment msDS-Behavior-Version.
- Enables user and group management features
- Windows 2000 and Windows .NET domain controllers only

Mixed and Native Mode
- Defined by nTMixedDomain
- 0 (zero) or no value means native mode
- 1 means mixed mode

Functional Levels
- New in Windows .NET Server 2003
- Introduce new features not compatible with previous-version domain controllers
- Manually advanced when all domain controllers in the domain or forest are running Windows .NET Server
- Defined by the msDS-Behavior-Version attribute on the Domain and Partitions containers:
  DC=<domain>,DC=<tld>
  CN=Partitions,CN=Configuration,DC=<domain>,DC=<tld>

Functional Levels (2)
- Windows .NET Domain
- Windows .NET Interim Forest
- Windows .NET Forest
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsnetserver/evaluate/cpp/reskit/adsec/part1/rkpdsefl.asp

Domain Functional Levels
All domain controllers are Windows .NET
- Windows 2000 and Windows NT domain controllers are blocked.
- Manually advanced using Active Directory Domains and Trusts (Domain.msc). Also exposed through ADSIEdit.msc, LDP, or script, for example.
- msDS-Behavior-Version = 2 on DC=<domain>,DC=<tld>
- msDS-Behavior-Version = 1 defines interim domain mode, but is unused.

Domain Functionality
Domain functional level / Windows Server 2003 features available / DCs supported in the domain
- Mixed mode: Install (DCPromo) from media (IFM) / Windows NT 4.0, Windows 2000, Windows 2003
- Native mode: Group nesting, universal groups, universal group caching, sIDHistory
- Windows 2003 interim: Same as above
- Windows 2003: Same as Windows 2000 native, plus: replicated logon timestamp attribute, Kerberos KDC version, user password on inetOrgPerson

Forest Functional Levels
Windows .NET Forest Mode
- All domain controllers in the enterprise must run Windows .NET Server 2003.
- Advanced using Domain.msc or by setting msDS-Behavior-Version = 2 on CN=Partitions,CN=Configuration,DC=<domain>,DC=<tld>.
Windows .NET Interim Forest Mode
- Allows Windows NT 4.0 domain controllers.
- Windows 2000 domain controllers are not allowed.
- The only UI is a new forest created through upgrade and DCPromo of a Windows NT 4.0 primary domain controller (PDC).
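The slides above define the mode and level of a domain entirely by three directory attributes: nTMixedDomain on the domain naming context, msDS-Behavior-Version on the domain naming context, and msDS-Behavior-Version on the Partitions container under Configuration. The script below is an added example, not code from the presentation or from Microsoft; it reads those attributes through ADSI from any domain-joined machine with Windows PowerShell 3.0 or later and reports the result using the value mapping the slides give (0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003). The function names are assumptions of this example; RootDSE, the naming-context attributes and the two level attributes are standard Active Directory.

```powershell
# Added example: report domain mode and domain/forest functional level by reading
# the attributes the slides describe. Requires a domain-joined machine; any
# authenticated user can read these attributes.

function Get-FunctionalLevelName {
    param([int]$Version)
    # Mapping from the slides. Later Windows versions add higher values, so
    # anything above 2 is reported as newer than this deck covers.
    switch ($Version) {
        0       { 'Windows 2000' }
        1       { 'Windows Server 2003 interim' }
        2       { 'Windows Server 2003' }
        default { "newer level (msDS-Behavior-Version = $Version)" }
    }
}

function Get-ForestAndDomainLevels {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext        # DC=<domain>,DC=<tld>
    $configDn = [string]$rootDse.configurationNamingContext  # CN=Configuration,DC=<domain>,DC=<tld>

    $domain     = [ADSI]"LDAP://$domainDn"
    $partitions = [ADSI]"LDAP://CN=Partitions,$configDn"

    # On a Windows 2000 forest msDS-Behavior-Version is not in the schema at all,
    # and the slides say "no value" on nTMixedDomain means native, so treat a
    # missing attribute as 0 in every case.
    $domainVersion = $domain.Properties['msDS-Behavior-Version'].Value
    $forestVersion = $partitions.Properties['msDS-Behavior-Version'].Value
    $mixed         = $domain.Properties['nTMixedDomain'].Value
    if ($null -eq $domainVersion) { $domainVersion = 0 }
    if ($null -eq $forestVersion) { $forestVersion = 0 }
    if ($null -eq $mixed)         { $mixed = 0 }

    $isMixed = ([int]$mixed -eq 1)
    if ($isMixed) { $mode = 'mixed' } else { $mode = 'native' }

    [pscustomobject]@{
        Domain                = $domainDn
        DomainMode            = $mode
        DomainFunctionalLevel = Get-FunctionalLevelName ([int]$domainVersion)
        ForestFunctionalLevel = Get-FunctionalLevelName ([int]$forestVersion)
        # NT 4.0 DCs are still accepted while the domain is mixed or the forest is interim.
        NT4DCsStillAllowed    = $isMixed -or ([int]$forestVersion -eq 1)
    }
}

Get-ForestAndDomainLevels | Format-List
```

The NT4DCsStillAllowed field is the one to watch during a migration: as long as it is True, the domain still accepts down-level domain controllers, and the native-mode-only features listed on the slides (nested and universal groups, sIDHistory) are not available.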

Forest Functionality
Forest functional level / Windows Server 2003 features available / DCs supported in the forest
- Windows 2000: Install from media (IFM), universal group caching
- Windows 2003 interim: Improved ISTG, linked value replication / Windows NT 4.0, Windows 2003
- Windows 2003: Same as Windows 2003 interim, plus: dynamic auxiliary classes, user to inetOrgPerson change, schema defunct and redefine, domain rename, forest trust relationships

Best Practices for Functional Levels
Windows NT 4.0 upgrade
- Windows 2003 interim forest mode
- Enables the Windows Server 2003 improvements to the Intersite Topology Generator and Knowledge Consistency Checker
- Makes replication more efficient and robust
- After all DCs have been upgraded, switch to Windows 2003 forest mode
- Native-mode domains automatically move to the Windows 2003 domain level when the forest is switched to Windows 2003 interim

Best Practices for Functional Levels (2)
Windows 2000 upgrade
- Native mode is best for mixed Windows 2000 and Windows 2003 networks.
- No change to the functional level until all DCs are Windows Server 2003.
- When all DCs run Windows 2003, switch the forest to Windows 2003 forest mode.
- When the forest is switched, the domains automatically advance to Windows 2003 domain mode.

Migration Terminology
Terms
- Domain migration: Upgrade; Restructure
- Mixed mode: Windows 2000 and NT 4.0; Windows 2000, Windows Server 2003 and NT 4.0
- Native mode: Windows 2000 native; Windows Server 2003 native

KEY MESSAGE: Introduce the basic terms.
SLIDE BUILDS: None
SLIDE SCRIPT: The one thing Microsoft is good at, after creating software, is creating terms to describe that software. Each new release seems to bring out a plethora of new acronyms, phrases, and other terminology. Well, migration has its fair share. Fortunately, when it really comes down to it, the two main terms to understand are Upgrade and Restructure. These two terms describe the two ways to migrate NT 4 resources to Active Directory. They are not product-related or technology-related; they just describe the two types of migration you have to choose from. The modes are product-related, and describe the mode in which Windows 2000 or Windows Server 2003 operates. Windows 2000 supports two modes while Windows Server 2003 supports three. We'll come on to those in a bit.
SLIDE TRANSITION: For now, let's concentrate on Restructure and, firstly, Upgrade.

Migration Terminology: Upgrade
- "Upgrade in place"
- Easiest, lowest risk
- Preserves the existing structure
Tip: Most companies can simply perform this type of migration
[Diagram: a master user domain (MUD) with resource domains RES1, RES2 and RES3, upgraded in place into the same structure]

KEY MESSAGE: Describe what an Upgrade is.
SLIDE BUILDS: None
SLIDE SCRIPT: We can define the term "Upgrade" as the process of upgrading the software on the Primary Domain Controller (PDC) of a domain, and on some or all of the Backup Domain Controllers (BDCs), from Windows NT 4.0 to Windows 2000 or Windows Server 2003. Because this is an operating-system upgrade rather than a fresh installation, the existing domain structure, users, and groups are maintained, though in the process new Windows Server features are enabled. In fact, the biggest distinction between upgrade and consolidation is that, in upgrading, we maintain the existing domain structure. This means that Upgrade represents the easiest, lowest-risk migration route, because it retains most of your system settings, preferences, and program installations.
SLIDE TRANSITION: So how does this compare to restructure?

Migration Terminology: Restructure
- Consolidation
- Moves security principals between domains
- Designs an ideal forest
Tip: When designing an ideal forest, the SAM size is no longer a constraint
[Diagram: domains MUD1, MUD2, RES1, RES2 and RES3 restructured into the forest company.com with child domains america.company.com and europe.company.com]

KEY MESSAGE: Describe what a restructure is.
SLIDE BUILDS: None
SLIDE SCRIPT: Domain restructure, on the other hand, is a process designed to allow you to redesign the forest according to the needs of your organisation. Though restructure can result in any number of different outcomes, typically the result is some rationalisation of the current structure, and perhaps a move to fewer, larger domains. These domains represent your version of the "pristine forest" for your organisation. For a small organisation, it may mean a single domain. For a worldwide enterprise, it may mean fewer domains based around geographical boundaries.
SLIDE TRANSITION: Let's shed some light on the Mode terminology.

Migration Scenarios: Supported Scenarios
- Upgrade in place
- User and group migration
- Resource migration

KEY MESSAGE: Introduce the migration scenarios.
SLIDE BUILDS: None
SLIDE SCRIPT: So now let's address the supported migration scenarios. As I mentioned earlier, I'm probably not going to describe an exact migration fit for each organization, but I will try to provide enough information to help you make the best choice for your organization. Having said that, what we have typically found is that upgrade is best suited to small organizations and restructuring to large enterprises.
SLIDE TRANSITION: So let's start with upgrading in place.

Migration Scenarios: When to "Upgrade in Place"
Is your existing domain architecture already a suitable architecture for Windows 2003?
- Yes: Upgrade
- No: Is a two-phase migration acceptable?
  - Yes: Upgrade now, restructure later
  - No: Do not perform an "upgrade in place"

KEY MESSAGE: So when would you upgrade in place?
SLIDE BUILDS: None
SLIDE SCRIPT: Well, if you are happy with your existing domain structure, there is no reason to do anything other than upgrade. If, however, you are not happy with this structure and think that after reviewing Active Directory you can come up with a better design, then the next question to ask is: can I spend the time now designing my environment, or am I under pressure to install Active Directory? If you need to install Active Directory now and don't have time to redesign, then that's again OK: you can perform a two-phased migration. Upgrade your domain now and restructure later. This is when it is more advantageous to upgrade to Windows Server 2003, with its ability to rename domains and also to move them around a bit. If you answered no to both questions, then a restructure is the way to go.
SLIDE TRANSITION: So how do you upgrade in place?

Migration Scenarios: How to "Upgrade in Place"
[Diagram: "Pre-Windows 2003 Architecture" beside the "Windows 2003 Tree and Forest Model", showing the domains NORTH AMERICA, NEW YORK, MARKETING, RD2 and RD3 before and after the upgrade]

KEY MESSAGE: Upgrading in place, as the term implies, is fairly straightforward.
SLIDE BUILDS: None
SLIDE SCRIPT: This diagram illustrates converting from the classic NT4 multi-master domain model, where users are grouped in master user domains and resources are collected in resource domains, to the Windows 2000 model of trees of domains in a forest of trust. A significant difference between these two models is trust management. Before Windows 2000, a one-way trust had to be explicitly established between a resource domain and every account domain containing users it trusted. Every Windows 2000 domain created or upgraded automatically establishes a two-way transitive trust between it and its new parent. Two-way trust means that resources in the new domain trust users from the parent domain AND vice versa: resources in the parent domain trust users from the child domain. The transitivity of this trust comes into play when accessing resources in a domain that is not your parent or child. Transitivity means: I not only trust you, I also trust everyone that you trust. For example, Marketing not only trusts users from North America, but it trusts users from New York as well, even though there is no explicit trust. This upgrade works in a similar fashion to the single domain upgrade. In this case you must also specify where in the forest the domain will be located.
SLIDE TRANSITION: So let's break the steps down.

Migration Scenarios: Upgrade in Place
- Upgrade the PDC and create the forest root
- Upgrade account domains
- Upgrade resource domains
- Upgrade workstations
- Upgrade member servers
Tip: AD is exposed to older operating systems as a Windows NT 4.0 domain structure

KEY MESSAGE: So what do you have to do?
SLIDE BUILDS: None
SLIDE SCRIPT: You must upgrade the PDC first, then the BDCs. The question of which domain to upgrade first is more problematic, and the answer may vary depending on your circumstances. For example, if you are planning to restructure certain domains out of existence later, there might be little point in upgrading them first. Though your situation may change this, a general recommendation is to consider the following order for upgrading your domains:
1. Account domains
2. Resource domains
Workstations and member servers can be upgraded at any time. As a general rule, you will get the most benefit from upgrading your account domains earliest, because in most cases there will be more users to administer than computers. By upgrading your account domains to Windows 2000 you will benefit from:
- Improved scalability of Active Directory: many organizations are pushing the upper bounds of the recommended SAM size with their existing numbers of users and groups.
- Delegated administration: the ability to delegate administrative capability at very fine granularity, without the necessity to grant absolute power.

Migration Scenarios: Upgrade in Place: Account Domains
- Phase 1: Reduce risk and keep control: domains with fewer users; domain controllers controlled by the migration team
- Phase 2: Larger account domains
- Phase 3: Remaining local domains that need to be restructured
Tip: An administrator working on a client without AD can continue to use the Windows NT 4.0 administration tools

KEY MESSAGE: Some guidelines for migrating the account domains.
SLIDE BUILDS: None
SLIDE SCRIPT: If you have more than one account domain, the following guidelines should help you choose the order in which to upgrade them. Try to mitigate risk and disruption, and maintain control. Though you will have tested your upgrade strategy in a lab or via a pilot, the first live migration will be the riskiest. To mitigate risk, you should upgrade the domains where you have the easiest access to the DCs. If there is more than one domain to choose from in any situation, upgrade the smallest first so that you disrupt the fewest possible users, particularly while you are gaining experience of the process. Once you have gained experience of and confidence in the process, move on to the bigger account domains. If you are planning to restructure your domains, you should look to upgrade the likely targets of restructure early in the process. You cannot consolidate domains into a target that does not exist.
SLIDE TRANSITION: So what about all those resource domains you may have? Are there guidelines for those?

Migration Scenarios: Upgrade in Place: Resource Domains
- Phase 1: Resource domains where applications demand the upgrade
- Phase 2: Domains with many workstations
- Phase 3: Resource domains that will be restructured
- Phase 4: Remaining domains
Tip: You do not need to complete an account domain upgrade before starting to upgrade a resource domain.

KEY MESSAGE: Some guidelines for migrating the resource domains.
SLIDE BUILDS: None
SLIDE SCRIPT: If you have more than one resource domain, the following guidelines should help you choose the order in which to upgrade them. First, you should upgrade domains where you are deploying applications that demand Active Directory, for example Exchange 2000 and 2003. Next, you should upgrade domains with many workstations, so that you can take advantage of Windows 2000 or Windows Server 2003 infrastructure features such as Group Policy. Just as with account domains, if you are planning to restructure your domains, you should look to upgrade the likely targets of restructure fairly early on.
SLIDE TRANSITION: Finally, after account domains and resource domains, the only things left are the workstations and member servers. How do you migrate those?

Migration Scenarios: Upgrade in Place: Workstations and Member Servers
- Easily upgraded at any time
- Reasons to upgrade: manageability; file system support; application services; information sharing and publishing
Tip: Workstations and member servers can be upgraded to Windows 2003 independently of the domain upgrade.

KEY MESSAGE: Some guidelines for migrating the workstations and member servers.
SLIDE BUILDS: None
SLIDE SCRIPT: The thing with member servers and workstations is that they can be upgraded at any time. In fact, for workstations there may even be a separate project just for those. Workstation upgrades affect a lot more users directly, with a different interface and possibly upgraded Office applications, so while they can be done at any time, it is probably best to do them separately. Member servers are similar to workstations in that they don't really mind which OS they run or in which type of domain they run. The caveat to this is servers that run applications that need a specific OS running the domain, or those that simply get the best out of being in an Active Directory world, for example an RRAS server. If you have one, it's probably a member server. The Windows 2000 / Windows Server 2003 version of RRAS is much more powerful and secure than the NT 4.0 version, and this should be one to look at first.

Migration Scenarios: Upgrade in Place
- Take a BDC offline
- Upgrade the PDC
- Upgrade the BDCs
- Switch to native mode
[Diagram: a PDC and three BDCs moving from "Windows NT4 mode" through "mixed mode" to "2003 mode"; one BDC is taken offline before the PDC is upgraded]

KEY MESSAGE: Describe the different modes.
SLIDE BUILDS: None
SLIDE SCRIPT: Before upgrading any machines in this domain, be sure to take an existing BDC offline. This machine will serve as a backup in case a rollback to the NT 4 state is necessary, so make sure it is synchronized before taking it offline. Begin by upgrading the PDC. Prior to the upgrade, you must know where the domain you are upgrading fits into the Windows 2000 hierarchy: is this domain controller a forest root, a child domain, etc.? After the PDC has been upgraded, what do down-level DCs see? They see the NetBIOS name given to the Windows 2000 domain during setup. Upgrade one or more BDCs right away; don't leave the PDC as the only upgraded machine. Windows 2000 clients "prefer" a Windows 2000 domain controller (and cache the preference), so upgrading another machine spreads the load. This also enables multi-master replication: administrators can make changes at any Windows 2000 DC, and any of these changes are replicated to the DC acting as PDC and then to the BDCs using Netlogon replication. This is more scalable and responsive for large domains with many clients. After the upgrades, DS-enabled clients begin intelligently locating DCs using sites, and using the DCs to find objects in the directory. Non-DS clients continue to validate using NTLM against a Windows 2000 DC. If you leave your domain in mixed mode (i.e. continue to have down-level machines) you cannot take advantage of nested groups or universal groups; these features are available in native mode only. If you need to roll back from mixed mode, take the current PDC off the network or make it a BDC, put the offline BDC back online, and promote it to PDC to fix the remaining BDCs.

Migration Scenarios: When to Restructure
- If the existing NT 4.0 domain structure does not meet the needs of the new Windows 2003 domain structure
- If you want to migrate gradually and want to provide fallback to Windows NT 4.0
Tip: Restructuring may require additional domains and hardware

KEY MESSAGE: So we've looked at the reasons to upgrade in place, and if that didn't apply, then it's a restructure?
SLIDE BUILDS: None
SLIDE SCRIPT: So the big reasons to restructure are either that the current domain structure does not meet the requirements of the business and a new structure would be more cost-effective and flexible, or that you want to have a fallback to the NT 4.0 environment if things do go pear-shaped. Once the new forest has been built, restructuring will begin with a pilot, where a number of users, groups, and resources are migrated to the new environment to act as an advance party, ensuring that business can carry on as normal in the new structure. On successful completion of this phase, the pilot will transition into a staged migration to the new environment. At some point, Windows 2000 will become the production environment. The old domain structure will be decommissioned, and the remaining resources will be redeployed.

Migration Scenarios: Restructure with Fallback
Goals
- Create a "pristine" Windows 2003 environment
- The existing production environment is retained
- Have fallback to the Windows NT 4.0 environment
- Maintain access to resources
- Perform a non-destructive copy (clone)
Tip: Your new domain architecture must consider the effects of replication.

KEY MESSAGE: So let's look at a restructure with fallback.
SLIDE BUILDS: None
SLIDE SCRIPT: In a nutshell, domain upgrade is a process designed to maintain as much of your current environment as possible, including your domain structure, while domain restructure is a process designed to allow you to redesign the forest according to the needs of your organization. Though restructure can result in any number of different outcomes, typically the result is some rationalization of the current structure, and perhaps a move to fewer, larger domains. In the past, there have been a number of third-party directory management tools that provided domain-restructuring support for Windows NT. Now both Windows 2000 and Windows Server 2003 provide native functionality to enable domain-restructuring scenarios, namely: security principals can be moved from one domain to another while maintaining pre-move access to resources, and DCs can be moved from one domain to another without a complete reinstallation of the operating system. There is also a graphical tool to make domain restructuring easier, together with some scriptable COM components and command-line utilities to aid restructuring operations. In the upcoming demonstrations, the goals stated here are the goals the dummy company wishes to achieve.
SLIDE TRANSITION: The main tool that we will use is the Active Directory Migration Tool.

Migration Scenarios: Active Directory Migration Tool
- Wizard-based
- Test-mode execution
- Reports
- Fallback capability
- Auditing
- Re-ACL agents run on Windows NT 3.51, Windows NT 4.0 and Windows 2000

KEY MESSAGE: Introduce and talk about the ADMT.
SLIDE BUILDS: None
SLIDE SCRIPT: The Active Directory Migration Tool provides an easy way to migrate to Active Directory. You can use this tool to diagnose any possible problems before starting migration operations to Active Directory. You can then use the task-based wizard to migrate users, groups, and computers; set correct file permissions; and migrate Microsoft Exchange Server mailboxes. The tool's reporting feature allows you to assess the impact of the migration, both before and after move operations.

Migration Scenarios: Scenario: Wide World Importers
[Diagram: London Accounts Domain and London Resource Domain migrating to the New Europe Domain]

KEY MESSAGE: The Wide World Importers demo.
SLIDE BUILDS: None
SLIDE SCRIPT: The demonstration scenario that we will be using is to migrate the Wide World Importers London office NT 4 environment to Active Directory. In this example, the target system is Windows Server 2003. We won't be doing the whole migration. Instead, we will work on the Call Centre group and migrate those users and groups over. We will also use the ADMT to ensure that the resources on the NT 4 file server that the Call Centre group uses are still accessible while using the new Active Directory accounts. As we go through the demonstration, I'll explain more.
SLIDE TRANSITION: So let's start with setting up the environment ready for the migration.

Demonstration: Preparing the Environment for Migration
- Switching operation modes
- Preparing to run the Active Directory Migration Tool
KEY MESSAGE: Setting up for the migration demonstration.
SLIDE BUILDS: None
SLIDE SCRIPT:
SLIDE TRANSITION:
ADDITIONAL INFORMATION FOR PRESENTER:

Migration Scenarios: Migrating NT 4.0 Users
1. Create a new "pristine" AD forest
2. Establish the trust relationships needed to maintain access to resources
3. Clone the global groups
4. Clone the users
5. Eventually decommission the source domain
Diagram labels: Target; Source; Fallback at any time!; Resource Domain; Resource Domain
KEY MESSAGE: Migrating users to Active Directory.
SLIDE BUILDS: 6
SLIDE SCRIPT: So let's look at migrating users over from our NT 4 domain. [BUILD 1] The first step in this process is to create the ideal or "pristine" Active Directory forest. [BUILD 2] Next, to ensure that users in either environment can access the same resource from either their NT 4 account or their Active Directory account, we need to establish trusts between all the environments. [BUILD 3] Now we can use tools like the ADMT to migrate the groups… [BUILD 4] …and the users. We could use the ADMT to do both at once, but this all depends on the environment. In the upcoming demonstration, this is what we will do. [BUILD 5] Finally, we could decommission the account domain.
SLIDE TRANSITION: Let's see an example of this in action.
ADDITIONAL INFORMATION FOR PRESENTER:

Demonstration: Migrating Users
- Creating organizational units for the migrated users
- Migrating the Call Centre users and groups
KEY MESSAGE: Describe the different modes.
SLIDE BUILDS: None
SLIDE SCRIPT: In this demonstration, we will take a section of the user base, in this case the Call Centre group of Wide World Importers, and migrate them over from the NT 4 environment into a new OU in Active Directory.
SLIDE TRANSITION:
ADDITIONAL INFORMATION FOR PRESENTER:

Migration Scenarios: Migrating NT 4.0 Resources
1. Clone the local groups
2. Take down the application servers
3. Move the servers
4. Eventually decommission the source domain
Diagram labels: Account Domain; Target OU; Resource Domain
KEY MESSAGE: Describe the different modes.
SLIDE BUILDS: None
SLIDE SCRIPT: So we've seen users; now let's talk about resources. [BUILD 1] The first step in this phase is to clone the local groups that are used to assign permissions. Remember from our Active Directory basics that domain local groups are the group of choice when assigning local permissions, so we have to ensure they exist in Active Directory. [BUILD 2] Next, demote the servers out of one domain… [BUILD 3] …and move them or add them to the new domain. [BUILD 4] Once all the resources have been moved, we can decommission the resource domain.
SLIDE TRANSITION: Let's move on to some security concepts you need to be aware of when moving users, and we are not talking about the latest patches. This is how security principals are affected during migration.
ADDITIONAL INFORMATION FOR PRESENTER:

Migration Scenarios: Important NT 4.0 Concepts
Diagram labels: LON-ACC; LON-ACC\STEPHB; LON-ACC\Call Centre All (Members: LON-ACC\STEPHB); LON-RES-01; StephsWS; LONFILESRV01; LONFILESRV01\Call Centre (Members: LON-ACC\Call Centre All); \\LONFILESRV01\Docs: Call Centre: Full Control
KEY MESSAGE: So, starting on a security note, let's recap some important concepts to remember.
SLIDE BUILDS: None
SLIDE SCRIPT: Now that we've seen how users and computers are migrated, let's cover how their security principals are migrated. But before we do that, let's discuss how a user gains access to resources in NT 4.0. We will use the demo setup I have as the example. We have a typical Master User Domain (MUD) architecture; the domain is called AcctDomain. [BUILD 1] So we have the London account domain… [BUILD 2] …with user Stephanie, who is the manager of the Call Centre team. [BUILD 3] She is therefore a member of the Call Centre All group. [BUILD 4] The resources for the London office live in one of the London resource domains. In this case, Stephanie's workstation and all the Call Centre documents, profiles, printers and so on live here, mainly on Lonfilesrv01. [BUILD 5] There is a trust, which allows the resource domain to trust the account domain. [BUILD 6] The local group Call Centre All on the member server includes the global group from the account domain. [BUILD 7] There is also a share, Docs, on the member server Lonfilesrv01 that gives Call Centre All full control. [BUILD 8] When Stephanie logs on at her workstation, she is using the account domain account. [BUILD 9] Then, in the normal course of her day, she attempts to access the shared Docs folder. [BUILD 10] Via pass-through authentication, Stephanie is given an access token that allows her access to Docs. This access token contains the SIDs for her user account and for the two groups she is included in.
SLIDE TRANSITION: So what are the effects on this process during and after migration?
ADDITIONAL INFORMATION FOR PRESENTER: Steph's access token on DocServ1: User: LON-ACC\Stephb SID. Groups: LON-ACC\Call Centre All SID; LONFILESRV01\Call Centre SID.

Migration Scenarios: SID History
Access token for Europe\stephb, as shown on the slide:
- User: S-1-5-21-397955417-626881126-188441444-2812048 (Europe\stephb); S-1-5-21-1645522239-1957994488-725345543-1108 (LON-ACC\stephb, SID History)
- Groups: S-1-5-21-397955417-626881126-188441444-101018 (Europe\Call Centre All); S-1-5-21-1645522239-1957994488-725345543-1109 (LON-ACC\Call Centre All, SID History)
ACL on lonfilesrv01\Docs: Give Full Control to S-1-5-21-1645522239-1957994488-725345543-1109 (give Full Control to the group LON-ACC\Call Centre All). SID history guarantees access for the moved group.
KEY MESSAGE: What is SID history and why do we need it?
SLIDE BUILDS: None
SLIDE SCRIPT: When migrating objects from NT 4 to Active Directory, the first thing to be aware of is how the security principals are affected. When taking a user, computer or group from NT 4 to Active Directory, these principals are in most cases created anew. This means they get new SIDs, and therefore any permissions or rights granted to the old SID, or to any groups this principal was a member of, do not apply to the new SID. To overcome this, the old security identifiers (SIDs) of the account objects are retained in an Active Directory attribute called "SID history". This allows the new security principal to carry its former SIDs. So now, when a user presents his or her credentials, the system creates an access token containing not only the SID of the user and the SIDs of all the groups the user is a member of, but also all the SIDs in SID history. The good thing about this mechanism is that it does not affect the security descriptor of a resource. This descriptor contains the Access Control List (ACL), a list of Access Control Entries (ACEs), each consisting of a SID together with an indicator of whether access to the resource is granted or denied; it keeps working as if nothing had changed. All the SIDs, old and new, are passed and checked against the Access Control List. For this to work in a restructure, trusts between the resource domain and the Active Directory domain must exist. In an upgrade, security principals remain in the same domain they were created in, so the SIDs identifying them remain unchanged. As a result, resource access is unaffected by an upgrade.
SLIDE TRANSITION: The Active Directory Migration Tool handles a lot of this. So let's round off the session with a look at how the tool can ensure that access is maintained.
ADDITIONAL INFORMATION FOR PRESENTER:

Demonstration: Security Translation Wizard
- Populating the group relationships database
- Running the security translation
KEY MESSAGE: Describe the different modes.
SLIDE BUILDS: None
SLIDE SCRIPT:
SLIDE TRANSITION:
ADDITIONAL INFORMATION FOR PRESENTER:
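The SID history mechanism explained on the previous slide and the re-ACL step that the Security Translation Wizard performs, modelled as an added Python example (not code from this deck or from ADMT): it builds an access token that includes the sidHistory values, checks it against an ACL on the Docs share that still names the old LON-ACC group SID, and then translates that ACE in three modes (add, replace, remove). The SIDs are the ones printed on the SID History slide; the principal names, the ACE tuple layout, the access-check walk and the translation modes are assumptions of this model, not the tool's own code.

```python
import re
from collections import namedtuple
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")
FILE_ALL_ACCESS = 0x1F01FF  # NTFS "Full Control" access mask
Principal = namedtuple("Principal", "name sid sid_history")  # sid_history: old SIDs kept by ADMT

def parse_sid(sid):  # accept only a well-formed string SID (S-R-IA-subauthorities...)
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    return sid

def build_token(user, groups):
    """Token SIDs = user SID + group SIDs + every sidHistory value, as on the SID History slide."""
    sids = {parse_sid(s) for s in [user.sid, *user.sid_history]}
    for g in groups:
        sids |= {parse_sid(s) for s in [g.sid, *g.sid_history]}
    return sids

def access_check(token_sids, acl, requested):
    """Walk ACEs in order: a matching deny on a still-wanted right fails; allows accumulate."""
    remaining = requested
    for ace_type, sid, mask in acl:
        if sid not in token_sids:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False

def translate_acl(acl, sid_map, mode="add"):
    """Security translation: 'add' keeps the old ACE and adds a new-SID copy, 'replace' swaps it, 'remove' drops it."""
    out = []
    for ace_type, sid, mask in acl:
        new = sid_map.get(sid)
        if new is None:
            out.append((ace_type, sid, mask))
        elif mode == "add":
            out += [(ace_type, sid, mask), (ace_type, new, mask)]
        elif mode == "replace":
            out.append((ace_type, new, mask))
    return out

# Constructed scenario using the SIDs printed on the slides (LON-ACC = old domain, Europe = new domain)
OLD_USER, NEW_USER = "S-1-5-21-1645522239-1957994488-725345543-1108", "S-1-5-21-397955417-626881126-188441444-2812048"
OLD_GROUP, NEW_GROUP = "S-1-5-21-1645522239-1957994488-725345543-1109", "S-1-5-21-397955417-626881126-188441444-101018"
STEPHB = Principal("Europe\\stephb", NEW_USER, [OLD_USER])
CALL_CENTRE_ALL = Principal("Europe\\Call Centre All", NEW_GROUP, [OLD_GROUP])
DOCS_ACL = [("allow", OLD_GROUP, FILE_ALL_ACCESS)]  # ACL on \\lonfilesrv01\Docs, still naming the old SID
```

Without the sidHistory entries the same token fails the check on the untranslated ACL, which is exactly the case the wizard's replace mode fixes.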

Summary
- Migration is: upgrade or restructure, or both.
- Weigh the pros and cons of each option.
- Choose the option that best fits your organization.
- Take the opportunity to create a new structure that is efficient.
KEY MESSAGE:
SLIDE BUILDS: None
SLIDE SCRIPT:
SLIDE TRANSITION:
ADDITIONAL INFORMATION/CROSS REFERENCE FOR PRESENTER:

More Information…
- TechNet: www.microsoft.com/technet
- www.technetbrasil.com.br
KEY MESSAGE:
SLIDE BUILDS: None
SLIDE SCRIPT:
SLIDE TRANSITION:

MS Press: Information for IT Professionals
KEY MESSAGE: Talk about MS Press books and introduce the Build Your Own Book feature.
SLIDE BUILDS: 1
SLIDE SCRIPT: [BUILD 1] (Add book script here)
SLIDE TRANSITION:
ADDITIONAL INFORMATION/CROSS REFERENCE FOR PRESENTER: For the latest titles visit: www.microsoft.com/learning/it/books

Microsoft Learning: Training Resources for IT Professionals
- Migrating from Microsoft Windows NT 4.0 to Microsoft Windows Server 2003
- Course number: 2283
- Availability: immediate
- Syllabus: www.microsoft.com/learning
Microsoft Learning (formerly MS Training & Certification and MS Press, the book division) develops the courseware called Microsoft Official Curriculum (MOC), including MSDN Training courses, eLearning, MS Press books, workshops, clinics and Microsoft Skills Assessment. MOC is offered in instructor-led environments; it offers comprehensive training courses for both IT professionals and developers who build, support and implement solutions using Microsoft products and technologies. Please be sure to tell the audience that these training courses are related to the subject just covered in the slides, but that they do not necessarily provide in-depth coverage of this exact subject, as they may include other topics. Anyone interested in more information about the course(s) listed should visit the Microsoft Training & Certification web site at www.microsoft.com/learning and review the syllabus. All MOC courses are delivered by Microsoft's premier training channel, Microsoft Certified Technical Education Centers (CTEC), and classes are taught by Microsoft Certified Trainers (MCT).
To find a training center, go to: www.microsoft.com/learning
Microsoft Certified Technical Education Centers are Microsoft partners for training services.