Migrating to Windows Server 2003 Active Directory

1
Migrating to Windows Server 2003 Active
Directory
2
Agenda

• Functional levels
• General deployment strategies
• Preparing the forest and domains
• Performing in-place domain upgrades
• Active Directory Enhancements
• Active Directory Multi-Forest Support
• DNS Enhancements

3
Domain Functional Levels
4
Forest Functional Levels
5
Domain Functionality
Win NT4
Win2000
B
A
C
mixed
native
Windows 2000 - mixed
Windows 2000 -native
Windows Server 2003 Interim
Windows Server 2003
Windows Server 2003
Upgrade to Windows Server 2003 (DCPROMO)
Prior to Windows Server 2003
UI (Users Computers or Domains and Trusts)
Happens automatically (when Forest version is
raised during PDC upgrade)
6
Forest Functionality
B
A
C
Win2000
Win NT4
Win2000
Windows Server 2003 Interim
Win2000
Windows Server 2003
Windows Server 2003
Recommended (choose option in DCPROMO during PDC
upgrade)
DCPROMO (Upgrade to Windows Server 2003)
Workaround if you decide to go to level 1 later
(using LDP, adsiedit)
UI (Domains and Trusts)
7
Deployment strategies

• Domain restructure
• In-place domain upgrade
• From Windows 2000
• From NT 4.0
• - Upgraded domain is forest root
• - Upgraded domain is additional domain in forest

8
Domain Restructure

• Consolidation or collapse
• Move security principals and DCs between domains
• Allows you to design an ideal forest
• Use restructuring tools
• ADMT, Movetree, Clone Principal, 3rd party

MUD
Restructure
RES1
9
Upgrade from Windows 2000

• Easy and seamless upgrade process
• No restructuring necessary
• No forest, domain, OU or replication planning
  necessary
• No user / workstation / profile migration
• Windows Server 2003 DCs fully compatible with
  Windows 2000 DCs
• Windows Server 2003 DCs can play in Windows 2000
  forest / domain in any role
• - New DC (dcpromo)
• - Upgrade of existing DC
• Preparing forest and domains are separate step
  from introducing the first Windows Server 2003 DC

10
Windows 2000 Forest/Domain Upgrade

• New features and fixes require upgrade operations
• Tightens security on resources that use the
  Everyone group to grant access by
• Improving default security descriptors.
• Changing group memberships the Anonymous Logon
  group is no longer a member of the Everyone
  group.
• Creates new objects used by individual
  applications.
• Creates new containers that can be used to verify
  that the preparation was successful.
• Updates the Active Directory Schema.
• Previous schema modifications in your environment
  are not affected
• Single tool (adprep) to accomplish all tasks
• Run once per forest (adprep /forestprep)
• Run once per domain (adprep /domainprep)

11
ADPREP /FORESTPREP

• Schema upgrade
• Needs to run on schema master
• Does not cause a GC full-sync
• Small number of new indexed attributes
• SP3 DCs No performance impact
• Schema extension creates little replication
  traffic only
• Display specifiers
• Enables new features in UI
• Creates around 100KB replication traffic

12
ADPREP /FORESTPREP

• Adjusts ACLs to enable new features
• RSOP, Everyone ! Anonymous logon, PKI
• Little replication traffic only
• Adprep /forestprep has only small impact
• Replication
• Domain controller performance
• No impact on Windows 2000 SP3 DCs
• Small impact on pre-Windows 2000 SP3 DCs
• AD database size
• Creates special container when finished
  successfully
• CNWindows2002Update,CNForestUpdates,CNConfigura
  tion, DCltforest_root_domaingt

13
ADPREP /DOMAINPREP

• Needs to run on Infrastructure Master in each
  domain
• Impact on Domain Controllers is hardly measurable
  (network traffic, DC impact)
• Creates special container when finished
  successfully
• CNWindows2002Update,CNDomainUpdates,CNSystem,
  DCltdomaingt

14
Introducing the First WS2003 Domain Controller in
Forest

• Once adprep has run, Windows Server 2003 Domain
  Controllers can join the forest
• Two methods
• Upgrade existing domain controller (Windows 2000
  or Windows NT 4)
• Install Windows Server 2003 as member server and
  run dcpromo
• Choose any domain to hold the first Windows
  Server 2003 DC
• Upgrade of PDC performs special operations again
• Creates group for Terminal Service, internal
  groups
• Role transfer to Windows Server 2003 DC triggers
  same operations
• Best practice
• Install Windows Server 2003 member server and
  promote to Domain Controller
• Upgrade PDC to Windows Server 2003 early in the
  process
• Or transfer PDC role to Windows Server 2003 DC,
  even if temporarily only

15
Features depending on Windows Server 2003 Version

• More scalable KCC algorithm
• Link value replication
• Cross forest trust
• Dynamic auxiliary classes
• InetOrgPerson objectClass change
• Schema delete
• Domain rename

16
Active Directory Enhancements
17
Agenda

• Enhancements in the areas of
• Building Domain Controllers
• Active Directory versioning and functional levels
• AD Replication
• Global Catalog Improvements
• Enhanced Administration
• Active Directory Objects and Architecture
• Schema deletes
• Application directory partitions
• Domain Controller Domain Rename

18
Design Goals

• Incremental release
• Build on Windows 2000
• Design fundamentals are the same
• Build on existing Active Directory deployment
• Impose no requirement to redesign
• No specific planning considerations continue
  with Windows 2000 planning/deployment
• Review new security lockdown features
• Scalability, management, monitoring
• Improve deployment and manageability
• Alleviate fear of making irreversible decisions

19
Replica From Media
DC
Target Server
Restore to an alternative location
20
Replication Model

• Replication is at attribute level
• The replication model is described as
  multimaster, loose consistency with convergence
• Multimaster
• Changes can be made at any DC
• Loose consistency
• There is a latency between changes being made and
  their availability throughout the enterprise
• Convergence
• Eventually the changes will propagate to all DCs
  and conflicts will have to be detected and
  resolved

21
Problem Group Replication
Sally
Members
John
G1
G1
Jane
Srv1
Srv2
On Replication newer attribute wins

• Multivalue attributes are replicated as a single
  entity
• One change, lots of data replicated
• If the same group is simultaneously updated,
  after replication only one set of users will be
  retained

22
Solution Linked-Value Replication

• Store per-value replication metadata for linked
  multi-valued attributes
• Replicate individual changes instead of whole
  membership
• Storage and protocol incompatible with Windows
  2000 - only works with Windows Server 2003
• Requires Windows Server 2003 or Windows Server
  2003 Interim forest functionality
• Eliminates the limit of 5000 direct group members

23
Problem KCC Scalability

• No issues for Intra-Site replication
• Inter-Site replication topology (ISTG) can be a
  complex operation, similar to OSPF routing
• Factors are
• Number of Sites
• Number of Domains
• Transitiveness of Site-Links increases CPU cost
  of topology generation
• Transitiveness is implemented as one
  Site-Link-Bridge that contains all Site-Links

24
Workaround Windows 2000 Guidelines

• Always disable transitiveness
• Less than 500 sites Use KCC
• But test your hardware first
• Follow guidelines in KB article Q244368
• More than 500 sites Create connection objects
  manually
• Branch Office deployment guide recommends manual
  topology for more than 100 sites

25
Solution Improved ISTG

• Vastly improved inter-site topology generation
  (ISTG) scalability
• Eliminates need for manual topology
• Vastly more scaleable
• Current thinking is that it scales to 5,000 sites
  (3000 tested)
• Still single threaded uses only one CPU on SMP
  DCs
• Generates different topology than Windows 2000
  ISTG
• Requires Windows Server 2003 or Interim forest
  functionality

26
Problem Logon and GC Dependency

• A users universal group membershipchanges by
• Adding the user to a universal group
• Adding a global group of which the user is a
  member
• Nesting appropriate global and universal groups

Security Access Token User SID Group SIDs

• During the logon process the security access
  token is constructed

27
Workaround 1

• A GC at every site to avoid logon failures when
  the network is down
• Increased hardware costs
• Replication overhead

28
Workaround 2

• Logon failed if GC not available
• Administrators can still logon
• Registry switch
• HKLM\system\CurrentControlSet\Control
  \Lsa\IgnoreGCFailure
• Logon with failed GC presents a possible security
  breach
• Incomplete security token
• Ignores access deny for universal groups

29
Solution GC-less Logon
DC
London

• The cached group information stored in the users
  
• msDS-Cached-Membership attribute
• - Enabled as attribute of site object

30
Solution Universal Group Caching

• Domain controller caches complete group
  membership of an user
• Cache is populated at first logon
• Subsequent logons use cache
• Cache is refreshed periodically
• Source from nearest GC
• Observe replication schedule on site link
• All DCs in site perform cache refresh for users
  who have logged on to that site
• Replicated to all other DCs in domain

31
Design Implications of Universal Group Caching

• Design benefit
• GCs not needed permanently for logon
• GC placement only driven by applications now
• Reduces replication overhead for GCs in many
  deployments
• Still good reasons to widely distribute GC
  servers (e.g. Exchange 2000)

32
Problem GC Full Sync

• Adding attributes to the GC partial attribute set
  causes all GCs to full sync
• Equivalent to repromoting all GCs
• No interruption in service
• Bandwidth, CPU intensive
• Applications may add attributes to the GC partial
  attribute set that trigger a mass replication
• Exchange 2000

33
Solution No GC Full Sync

• Replicate only added attributes
• Modification to replication protocol
• Works in Windows 2000-mode domain / forest
• Works between Windows Server 2003 DCs only
• If Windows Server 2003 DC cannot find Windows
  Server 2003 partner, it will full sync
• Design benefit
• Schema extensions that change GC PAS can now be
  deployed without GC full sync
• Implication on deployment of Windows Server 2003
  DCs in a Windows 2000 AD

34
Application DirectoryPartitions
35
AD as an Application Directory

• Inappropriate to store volatile data
• Only three choices of replication scope
• Not replicated
• Domain-wide (domain NC)
• Forest-wide (configuration NC)
• Data may go to places where not used
• But the DS is a rich data store!
• Powerful query, extensible schema, rich access
  control, and more

36
Application Directory Partitions

• Provides the ability to create new naming
  contexts within the directory
• The DCs that host the replicas of the NC can be
  controlled
• Cross-domain replication is supported
• With the exception of security principals any
  type of object/attribute can be supported
• Will typically be created directly by applications

37
Application Partitions

• Domain1 Data
• DNS Data
• IP Telephony Data

• Domain2 Data
• IP Telephony Data

Domain1
Domain2
Forest

• Domain1 Data
• DNS Data

• Domain2 Data
• DNS Data

• Domain1 Data

• Create on/replicate to any DC in a forest (can
  cross domain boundaries)
• As few/many replicas as you want
• Not replicated to GC
• Observes existing forest site topology,
  replication schedule
• Can contain any object type except security
  principals
• Named/located via DNS (e.g., MyApp.xyz.com)

38
DEMOApplication Partition
39
Active Directory Multi-Forest Support
40
Forest Trust Scenarios

• Reasons for using forest trust
• High security demands / not trusting all domain
  admin in forest / all DC in forest not physically
  secured.
• Different AD schema requirements.
• Isolation of DMZ.
• Outsourcing IT operations (Operator creates
  separate forests and administrates using same
  credentials.)
• Creating separate Application forest(s).
• Sharing information with other organizations
  partners, customers, suppliers

41
External Trust

• Required for AD-NT4, AD-AD (inter-forest) and
  AD-AD (intra-forest shortcut trust)
• Non Transitive direct trust to each trusted
  domain required.
• External trust is NT 4.0 style trust. Require
  NetBIOS name resolution (WINS or LMHOSTS file).
• Kerberos fails over external trust
• Only NTLM authentication and authorization
  possible over external trust.
• No support for UPN logons

42
External Trust Management
Forest A
Forest B
Forest C
43
Limits to W2K Multi-Forest Support Kerberos
Authentication
Forest B
Forest A
External Trust
Multi-tier Application
Users PC
File Server
44
External Trusts and Kerberos
45
Limits to W2K Multi-Forest Support UPN Logon
Forest B
Forest A
External Trust
Kerberos Fails
NTLM Fails
Alices DC
46
Forest Trust Overview

• One way or two way Kerberos trust.
• Established between forest root domains.
• Transitive between all domains in two forests.
• Forest trust is NOT transitive between forests.
• Kerberos trust NTLM supported over trust.

Trust A-B
Trust B-C
A
B
C
Forest A
Forest B
Forest A does NOT trust forest C
47
Forest Trust Explained

• Allows you to authenticate using account in
  trusted forest.
• Allows Kerberos and NTLM authentication
• Allows assigning rights to users, machines and
  groups in trusted forest.
• Allow UPN logon using credential from any trusted
  domain. (Logon using NetBIOS domain name only
  possible between forest root domains.)

48
What Forest Trust NOT provide

• For security, privacy and performance reasons it
  is NOT possible to perform LDAP browsing of
  trusted forests. (LDAP search is however possible
  as long as you know the name of security
  principal you wish to add from the trusted
  forest.)
• It is NOT possible to logon, using credentials
  from trusted domain, if client does not support
  UPN logon (except between the forest domain
  roots.)
• Kerberos delegation is NOT supported over forest
  trusts.

49
Cross-forest Authentication

• Network logon
• Both Kerberos NTLM are enabled
• Interactive logon
• Smartcard logon for Kerberos
• Logon with UPN
• Both Kerberos NTLM are enabled
• Type full UPN (no domain selection / dropdown or
  NT4 style names)

50
Cross-forest logon
51
DEMO Forest Trust
52
DNS Enhancements
53
Conditional forwarding
Forward all other names
Forward all other names
Forward .acquired.com
Forward .example.com
Zone
Zone
acquired.com
example.com
54
Stub zone
Queries for .acquired.com
Zone example.com
Zone acquired.com
Stub Zone acquired.com
55
DNS inter-namespace resolution mechanisms
56
DNS Application Partitions in Active Directory
57
Issues with AD-integrated DNS zones (Windows 2000)

• Stored in Domain-NC
• Only replicates intra-domain
• Complicates replication of
• Non-AD namespaces
• Forest root domain

58
Availability of Forest Root

• The DNS zone of the forest root contains the DNS
  entries for
• Global Catalog location
• DC location by GUID
• Required for replication
• If DNS zone corresponding to forest root domain
  cannot be queried by DCs in other domains
• Replication may fail
• GCs wont be found
• Inter-tree trust relationships will fail
• Result Forest Root Zone must be widely available
• Especially zone _msdcs.ltForestNamegt
• e.g. _msdcs.company.com

59
Deploying DNSBest Practices (Win 2000)
corp.example.com
Zones Primary AD-int Primary AD-int
corp.example.com
_msdcs.corp.example.com
Domain1.corp.example.com
Zone Transfer
Site3
Site2
Site1
Zones Primary AD-int Std. Secondary
Domain1.corp.example.com
_msdcs.corp.example.com
60
Deploying DNSBest Practices (WS 2003)
corp.example.com
Zones App Part Primary AD-int App Part Primary
AD-int
corp.example.com
_msdcs.corp.example.com
Domain1.corp.example.com
AD Replication
Site3
Site2
Site1
Zones App Part Primary AD-int App Part Primary
AD-int
Domain1.corp.example.com
_msdcs.corp.example.com
61
DEMO DNS Application Partition
62
Questions ?