Getting off NT4

1
Getting off NT4

• Raj Natarajan
• National Technology Specialist

2
What this Session Covers

• Upgrade / Migration by Workload
• Domain / Directory
• File Print
• Infrastructure Services
• App Server

3
Prerequisite Knowledge

• Windows NT Server 4.0 administration
• Windows Server 2003 administration
• Virtual PC 2004 or Virtual Server 2005
• the ability to develop an Operating System!
  (NOT)

4
Preparing to Upgrade OS

• In all cases, first step should be
• winnt32.exe /checkupgradeonly
• This provides a detailed report of what will and
  will not work with Windows Server 2003.
• Exportable list of what needs to be fixed and
  what to do about it.
• If internet connection is present, Winnt32.Exe
  can query Microsoft for any important changes
  since the installation media was prepared.

5
Forest / Domain / Tree considerations

• Forest is the Security boundary
• Number of domains should match password
  complexity requirements
• Extranet Use another forest, not another domain
• Tree Political / Organisational considerations
  around namespace
• If upgrading legacy NT4 domains
• Create Empty Forest Root or Upgrade largest
  Accounts Domain to Root Domain in Forest
• Upgrade other Domains as Child Domains in
  existing forest
• Once upgrade is complete, consider domain
  consolidation via Intra-forest migration ADMTv2
  is your friend ?

6
Windows NT 4.0 Domain Upgrade Preparation

• Know your domain
• Visio Network Discovery or similar tools can be
  leveraged for network inventory.
• If Domain Name System (DNS) infrastructure
  exists, create a delegation for the first PDC to
  host the Active Directory zone.
• LMRepl should be configured on Windows NT 4.0
  domain controllers.
• The LMRepl export server should be the last
  server upgraded.

7
Domain Upgrade Strategies

• Windows NT 4.0 Domain Upgrade
• Similar to process for upgrade to Windows 2000
• In-place or Migrate
• Different Approaches for Simplifying Domain
  Structure
• Single domain strategy
• Empty forest root strategy

8
Single Domain Forest Strategy

• Largest Windows NT 4.0 account domain is upgraded
  to Windows Server 2003 forest root
• Select Windows 2003 interim forest mode during
  DCPromo.
• Let DCPromo configure DNS
• DCPromo will read the delegation and prompt to
  install DNS locally.
• Forest and domain zones will be created
  automatically.
• Continue upgrading or retiring backup domain
  controllers (BDCs) until all domain controllers
  run Windows Server 2003

9
Multi-Domain Strategy

• Establish forest with empty root domain with a
  new Windows Server 2003
• Advance domain to Windows 2003 functionality
  level using Domain.msc
• Advance forest to Windows 2003 interim
  functionality level
• No UI offered in clean install
• Use ADSIEdit.msc or LDP.exe
• Create delegation in DNS for first PDC to be
  upgraded

10
Multi-Domain Strategy (2)

• Upgrade Windows NT 4.0 PDC and DCPromo to create
  child domain of the empty root
• Domain will be automatically set to Windows 2003
  Interim Mode
• DCPromo will notice the delegation and prompt to
  install DNS
• DNS will create default application partition
• When all BDCs are upgraded, advance domain to
  Windows 2003 functionality

11
Migrating with ADMTv2

• Two Types of Domain Migration
• Interforest Objects are cloned across domain and
  forest boundaries
• Intraforest LDAP_Move operation after which the
  source object no longer exists
• By definition, all Windows NT to Active Directory
  migrations are Interforest.

12
Domain Migration with ADMTv2

• Objects migrated include
• Users
• Groups
• Computers
• Profiles
• Network resources
• Access control lists
• Security identifiers
• Domain controllers cannot be migrated.

13
Maintaining Access with ADMTv2

• Windows 2000 introduced the sIDHistory attribute
  on Users and Groups in native mode domains.
• When Users and Groups are migrated, sIDHistory
  can be populated with their security identifiers
  from the source domain.
• sIDHistory provides a temporary method of
  maintaining access to resources during migration.
• This should not be considered a permanent
  solution for access to resources.

14
ADMTv2 Improvements

• Interforest Password Migration
• More Robust Computer Migration Agents
• Group Migration Optimised for Speed
• Internal sID Database Allows Source Domains to be
  Retired
• Migration Tasks Can be Delegated Rather than
  Requiring Domain Administrator Credentials
• inetOrgPerson Support
• Post-Migration User Renaming

15
ADMTv2 Improvements (2)

• Scripting and Command Line Interfaces
• Customisable Attribute Exclusion Lists
• Enhanced Logging
• Account Transition Options
• Improved Reporting Wizard
• Security Translation and SID Mapping Files
• Available for free from www.microsoft.com

16
Active Directory Migration Tool
17
File/Print/Other

• File Server Migration Toolkit
• Printer Migration Scripts
• DNS/DHCP/WINS easy cut-over
• RAS/RADIUS/VPN
• IIS Compatibility Mode?

18
Application Servers

• Now that takes care of the Domain, Directory,
  Core Infrastructure Servers, what about my App
  servers?
• Standard IT Answer It Depends!
• Evaluate what you really need!
• Virtual Server?
• Application Compatibility Mode
• Common Issues in Application Compatibility
• Application Compatibility Toolkit

19
Evaluate what really needs to stay

• Legacy Apps
• Apps replaced by new apps with similar
  functionality
• Servers untouched in a corner
• Cobwebs in the power supply!

20
Status Quo

• Identify Risks
• Put in Mitigation (migration) plans
• Reduce Hardware risk by Virtualising
• Virtualise only where applicable
• Dont virtualise because you can

21
Virtual Server 2005Pros and Cons of Migration

• Pros
• Extends the life of the LOB application
• Re-organisation or consolidation
• Hardware Risk Mitigation
• Cons
• No more stable
• Similar Security Model
• Does not extend Windows NT Server 4.0 support

http//www.microsoft.com/technet/community/events
/vpc/tnt1-97.mspx
22
Virtual Server 2005Virtualisation Scenario
Overview
Physical Server Windows NT Server 4.0 Server
23
Virtual Server Migration Toolkit
24
Application Compatibility ModeApplication
Compatibility Mode Options
25
Common Compatibility Issues on Windows XP

• OS Version Number
• Hard-coding paths to Special Folders
• Temp
• Profiles
• Documents Settings
• My Documents
• Running under non-Administrator Accounts
• Installation Failures
• Registry Changes
• Applications with Platform-Specific drivers
• Common in Anti-Virus, Backup and Partitioning
  software
• Low-level drivers, 9x drivers, File System
  Filters, etc.

26
Windows XP Compatibility Issues
27
Windows Server 2003 Changes

• The new DLL search order
• Application folder.
• System32.
• System (16-bit system folder).
• Windows.
• Current working directory.
• Previous Windows platforms had current working
  directory before System32!
• No Visual Basic 5.0 Runtime
• IIS Not Installed by Default
• Default Permissions Services Changed

28
If you want to fix your application

• Application Compatibility Toolkit v3.0
• Provide tools knowledge for development
• Testing infrastructure
• Application verifier for new apps
• Application analyser tool (inventory)

Newsgroup microsoft.public.win32.programmer.tool
s
29
Application Analyser
30
Session Summary

• Active Directory migration is simple with a
  little planning
• More mature tools available to move core
  Infrastructure services
• Application Compatibility Mode can help push back
  costly upgrades
• Virtual Server (and VSMT) can allow you to
  continue using legacy LOB applications under
  their original environments

31
For More Information

• Visit TechNet at www.microsoft.com/technet
• Infrastructure Special Interest Group Register
  at TechNet Lounge
• http//www.microsoft.com/australia/technet
• FREE Active Directory Jigsaw and Migration
  Roadmap Posters