beams division local administrators meeting 9/17/02 brian drendel

Beams Division Local Beams Division Local Administrators MeetingAdministrators Meeting

9/17/029/17/02

Brian DrendelBrian Drendel

What will we talk about What will we talk about today?today?

Upgrade your OS (quick review)Upgrade your OS (quick review)– Upgrade OS to WinNT/2KUpgrade OS to WinNT/2K– Install the latest Service PacksInstall the latest Service Packs

Apply for your Win2k AccountApply for your Win2k Account– Win2k Kerberos AuthenticationWin2k Kerberos Authentication– Account cloning procedureAccount cloning procedure

Move your Computer into Fermi DomainMove your Computer into Fermi Domain– Check Beams ProfileCheck Beams Profile– Copy ProfileCopy Profile– NTLMv2NTLMv2– Join the Fermi DomainJoin the Fermi Domain– Group MembershipGroup Membership– Login to Fermi DomainLogin to Fermi Domain

Today’s TalkToday’s Talk

This talk will follow the steps outlined in This talk will follow the steps outlined in our “Win2k/XP Migration Steps our “Win2k/XP Migration Steps document located at document located at http://www-bdnew.fnal.gov/network/Mighttp://www-bdnew.fnal.gov/network/Migrating-Beams-2-Fermi.htmrating-Beams-2-Fermi.htm..

We will build on the information given at We will build on the information given at our last local administrator talk, which our last local administrator talk, which can be reviewed at can be reviewed at http://vmsstreamer1.fnal.gov/VMS_Site_http://vmsstreamer1.fnal.gov/VMS_Site_02/Lectures/BDNetworking/020625Dren02/Lectures/BDNetworking/020625Drendel/index.htmdel/index.htm..

Upgrade your Operating Upgrade your Operating System to WinNT/2KSystem to WinNT/2K

Computing Division is only allowing Computing Division is only allowing Win2k and WinXP computers to Win2k and WinXP computers to join the Fermi Domain. join the Fermi Domain.

There are two options for your There are two options for your Win98/NT Computers:Win98/NT Computers:– Upgrade using our Ghost Image.Upgrade using our Ghost Image.– Fill out the OS upgrade form.Fill out the OS upgrade form.


To enhance the material presented in the last To enhance the material presented in the last local administrators meeting, we have detailed local administrators meeting, we have detailed WinXP Ghost Setup instructions at WinXP Ghost Setup instructions at http://www-bdnew.fnal.gov/network/WinXP%20http://www-bdnew.fnal.gov/network/WinXP%20Ghost%20Setup.htmGhost%20Setup.htm..– ISO images are stored on ISO images are stored on

\\Beamssrv1\PC-Support\DriveImages\\Beamssrv1\PC-Support\DriveImages Complete computer ghosting and post-ghost Complete computer ghosting and post-ghost

setup usually takes less than an hour.setup usually takes less than an hour.


As we covered in great detail during the As we covered in great detail during the last local administrator talk, local last local administrator talk, local administrators who do not have time to administrators who do not have time to complete operating system upgrades complete operating system upgrades can fill out our Win2k/XP upgrade form can fill out our Win2k/XP upgrade form http://www-bdnew.fnal.gov/network/w2khttp://www-bdnew.fnal.gov/network/w2kmigration/migration/ to schedule a time for the to schedule a time for the BD/Networking group to upgrade their BD/Networking group to upgrade their computer.computer.

Only secure computers are Only secure computers are allowed in the Win2k allowed in the Win2k

DomainDomain Upgrade your OS (quick review)Upgrade your OS (quick review)

– Upgrade OS to WinNT/2KUpgrade OS to WinNT/2K– Install the latest Service PacksInstall the latest Service Packs



Install Service PacksInstall Service Packs Computing Division has asked that any Computing Division has asked that any

computer that joins the Fermi Win2k Domain computer that joins the Fermi Win2k Domain have the latest Service Packs and hotfixes.have the latest Service Packs and hotfixes.

BD/Networking Group maintains a web page at BD/Networking Group maintains a web page at http://www-bdnew.fnal.gov/network/latest-os-serhttp://www-bdnew.fnal.gov/network/latest-os-service-packs.htmvice-packs.htm that lists the latest service packs and hotfixes that lists the latest service packs and hotfixes available on Beamssrv1.available on Beamssrv1.

There are two options for installing service There are two options for installing service packs:packs:– Install them from the service pack script on Beamssrv1 Install them from the service pack script on Beamssrv1

using your local administrator account.using your local administrator account.– Have BD/Networking install them from the security Have BD/Networking install them from the security

server.server.

Install Service PacksInstall Service PacksRecent Operating System Service Packs

Does Win2k use Kerberos?Does Win2k use Kerberos? Upgrade your OS (quick review)Upgrade your OS (quick review)




Kerberos AuthenticationKerberos Authentication

CD Security has mandated that all CD Security has mandated that all network computer access must use network computer access must use Kerberos authentication.Kerberos authentication.

A Win2k/XP client computer A Win2k/XP client computer logging into the Win2k domain logging into the Win2k domain uses Kerberos authentication.uses Kerberos authentication.

WinNT computers do not use kerberosWinNT computers do not use kerberos Win2k/XP computers logging into a Win2k/XP computers logging into a

WinNT Domain do not use kerberos.WinNT Domain do not use kerberos.


You cannot use your WinNT Beams You cannot use your WinNT Beams Account to login to the Win2k Domain. Account to login to the Win2k Domain. – A new Win2k Fermi account will be created A new Win2k Fermi account will be created

for you to login to the new domain.for you to login to the new domain.– This account is separate from your WinNT This account is separate from your WinNT

Beams Domain Account.Beams Domain Account. Important!Important! You need to have access to your You need to have access to your

WinNT Beams Domain resources (Beamssrv1, WinNT Beams Domain resources (Beamssrv1, Beams-prt-srv,…) from the Win2k Fermi Beams-prt-srv,…) from the Win2k Fermi Domain. How will this be done?Domain. How will this be done?


Maintaining Beams Domain Resources (part 1):Maintaining Beams Domain Resources (part 1):– A one way trust has been setup between the A one way trust has been setup between the

Fermi and Beams Domains to allow Fermi Fermi and Beams Domains to allow Fermi Domain users, with the appropriate access Domain users, with the appropriate access privileges, to access resources in the Beams privileges, to access resources in the Beams domain.domain.

The trust does not go the other way, which means that The trust does not go the other way, which means that Beams Domain users will NOT have access to Fermi Beams Domain users will NOT have access to Fermi Domain resources.Domain resources.

The Beams Domain servers will remain in the Beams The Beams Domain servers will remain in the Beams WinNT Domain during the migration.WinNT Domain during the migration.

After the Beams Domain servers are moved to the After the Beams Domain servers are moved to the Win2k Fermi Domain, users in the Beams Domain will Win2k Fermi Domain, users in the Beams Domain will no longer have access to the servers.no longer have access to the servers.

Kerberos AuthenticationKerberos Authentication Maintaining Beams Domain Resources (part 2):Maintaining Beams Domain Resources (part 2):

– Your new Win2k Fermi Domain account Your new Win2k Fermi Domain account maintains your Beams Domain account maintains your Beams Domain account privileges through a process called privileges through a process called “cloning”. Cloning:“cloning”. Cloning:

Copies your WinNT SID information to your WIN2k Copies your WinNT SID information to your WIN2k account.account.

Does not change your WinNT account…you have Does not change your WinNT account…you have two accounts.two accounts.

Computing Division Domain Administrators do the Computing Division Domain Administrators do the cloning.cloning.

BD OU Admins modify the Win2k account after it BD OU Admins modify the Win2k account after it is cloned.is cloned.


Computing Division has mandated Computing Division has mandated that no Win2k Account can be that no Win2k Account can be created if the user does not have a created if the user does not have a kerberos principal.kerberos principal.– This eventually will be automated for This eventually will be automated for

new employees.new employees.– Existing employees without kerberos Existing employees without kerberos

principals must fill out the form at principals must fill out the form at http://www.fnal.gov/cd/forms/strongauthttp://www.fnal.gov/cd/forms/strongauth.htmlh.html to apply for their kerberos principal. to apply for their kerberos principal.

It’s time to clone!It’s time to clone! Upgrade your OS (quick review)Upgrade your OS (quick review)




Cloning your AccountCloning your Account

How do you get your account cloned?How do you get your account cloned?– You can request that your existing WinNT You can request that your existing WinNT

Beams Account credentials be cloned over Beams Account credentials be cloned over to your new Win2k Account by filling out our to your new Win2k Account by filling out our “Account Request From” at “Account Request From” at http://www-bdnew.fnal.gov/network/add_usehttp://www-bdnew.fnal.gov/network/add_user.aspr.asp..

– On the next slide will will fill out the form. On the next slide will will fill out the form. We added fields to the account request form.We added fields to the account request form. I will highlight new features of the form to allow I will highlight new features of the form to allow

the clone request.the clone request.

Cloning your AccountCloning your Account

1

3

5

2

4

6

Cloning your AccountCloning your AccountAfter the submit button is clicked, you will see the following if the form was filled out correctly.

Cloning your AccountCloning your AccountEmail is then sent to [email protected].

Cloning your AccountCloning your Account The BD OU Admins The BD OU Admins

receive the clone receive the clone request and start a request and start a help desk “clone help desk “clone request” to the request” to the Computing Division Computing Division Domain Domain Administrators.Administrators.

Cloning your accountCloning your account After Computing After Computing

Division clones Division clones the account, the the account, the BD OU Admins:BD OU Admins:– Move the Move the

account into the account into the BD OU structure.BD OU structure.

– Make any Make any account account modifications.modifications.

– Set initial Set initial password.password.

– Notify the user.Notify the user.

Let’s look at a Beams Domain Let’s look at a Beams Domain ProfileProfile




Beams Domain ProfileBeams Domain Profile

Once your computer has been upgraded Once your computer has been upgraded to Win2K/XP and your account has been to Win2K/XP and your account has been cloned, we are ready to add your cloned, we are ready to add your computer to the domain. This requires computer to the domain. This requires the following steps:the following steps:– Check Beams ProfileCheck Beams Profile– Copy ProfileCopy Profile– NTLMv2NTLMv2– Join the Fermi DomainJoin the Fermi Domain– Group MembershipGroup Membership– Login to Fermi DomainLogin to Fermi Domain


First we will login to the user’s First we will login to the user’s WinNT Beams Domain account and WinNT Beams Domain account and look at profile information, look at profile information, including:including:– Screen backgroundScreen background– Desktop iconsDesktop icons– PrintersPrinters

Beams Domain ProfileBeams Domain ProfileLogin to the user’s Beams Domain Account while their computer is still a joined to the Beams Domain.

Y drive Z drive

Printer

Desktop & Desktop icons


Now we will logout of the domain account. Now we will logout of the domain account. Remember,Remember,

– Screen backgroundScreen background– Desktop iconsDesktop icons– PrinterPrinter

Will I have to rebuild the Will I have to rebuild the user’s profile?user’s profile?




Copy User ProfileCopy User Profile When a user logins in to their new Win2k When a user logins in to their new Win2k

Domain account, the default action is to Domain account, the default action is to create a new user profile. create a new user profile.

A user profile contains:A user profile contains:– Screen BackgroundScreen Background– Software and Hardware settingsSoftware and Hardware settings– PrintersPrinters– Desktop icons and filesDesktop icons and files– Email files (Outlook or Outlook Express)Email files (Outlook or Outlook Express)– Network drivesNetwork drives– Application data filesApplication data files

Copy User ProfileCopy User Profile

Problem:Problem: User profiles can take a User profiles can take a long time to rebuild.long time to rebuild.

Solution:Solution: There is a resource kit There is a resource kit utility called “moveuser” that lets utility called “moveuser” that lets you copy a user’s WinNT Domain you copy a user’s WinNT Domain profile before you join the their profile before you join the their computer to the Win2k Domain.computer to the Win2k Domain.

We will show you how to use this utility We will show you how to use this utility from the local administrator account.from the local administrator account.

Let’s login.Let’s login.

Copy User ProfileCopy User ProfileLogin to the local administrator account

Copy User ProfileCopy User ProfileBrowse to Beamssrv1


When prompted, login using your When prompted, login using your Beams Domain credentials.Beams Domain credentials.

Copy User ProfileCopy User ProfileBrowse through the Win2k-Setup folder to the Win2k-migrate folder

Copy User ProfileCopy User ProfileDouble-click the copy_tools.bat file to copy the move user tools to c:\winnt (c:\windows) on your hard drive.


A command window appears and shows the status of the copy.

Copy User ProfileCopy User Profile Use “My Computer” or “Explorer” to browse Use “My Computer” or “Explorer” to browse

to c:\winnt\tools (or c:\windows\tools)to c:\winnt\tools (or c:\windows\tools) Find moveuser.bat (not moveuser.exe)Find moveuser.bat (not moveuser.exe)


Moveuser.bat does the following:Moveuser.bat does the following:– Makes a registry setting so that your Makes a registry setting so that your

computer uses only kerberos and computer uses only kerberos and NTLMv2 instead of NTLMv1 (more on NTLMv2 instead of NTLMv1 (more on this shortly).this shortly).

– Prompts you to type the command to Prompts you to type the command to copy your profile:copy your profile:

Moveuser Beams\”Moveuser Beams\”usernameusername” ” Fermi\”Fermi\”usernameusername””

Copy User ProfileCopy User ProfileFollow the directions listed in the command window.


There are common errors:There are common errors:– Error 2 = the profile is currently Error 2 = the profile is currently

locked. Simply reboot, login to the locked. Simply reboot, login to the local administrator account, and try local administrator account, and try again.again.

– Error 5 = Access to profile is denied, Error 5 = Access to profile is denied, or the profile does not exist. You will or the profile does not exist. You will see this if you mistype the account see this if you mistype the account name.name.

Kerberos & NTLMv2Kerberos & NTLMv2 Upgrade your OS (quick review)Upgrade your OS (quick review)




NTLMv2NTLMv2 Win2k Domains authenticate in the following Win2k Domains authenticate in the following

order:order:– KerberosKerberos– If Kerberos fails, use NTLM.If Kerberos fails, use NTLM.

NTLM is not considered secure by Computing NTLM is not considered secure by Computing Division.Division.

A registry change can change the Win2k A registry change can change the Win2k authentication order to:authentication order to:– KerberosKerberos– If Kerberos fails, use NTLMv2.If Kerberos fails, use NTLMv2.

This is not 100% Kerberos compliance, but is This is not 100% Kerberos compliance, but is more acceptable than NTLMv1.more acceptable than NTLMv1.

NTLMv2NTLMv2

There are a three ways to make There are a three ways to make this NTLMv2 registry change.this NTLMv2 registry change.– It is automatically made if you run the It is automatically made if you run the

MOVEUSER.BAT file in the previous MOVEUSER.BAT file in the previous step.step.

– Run the registry file that accompanies Run the registry file that accompanies our moveuser utility (will show this).our moveuser utility (will show this).

– Manually edit the registry.Manually edit the registry.

NTLMv2NTLMv2

Use “My Computer” or “Explorer” to browse to Use “My Computer” or “Explorer” to browse to c:\winnt\tools (or c:\windows\tools)c:\winnt\tools (or c:\windows\tools)

Find Find lma_05.reglma_05.reg (lma_00.reg removes the (lma_00.reg removes the change)change)

NTLMv2NTLMv2

Double-click lma_05.reg

NTLMv2NTLMv2Alternately, you could manually edit the registry with regedt32 (regedit for WinXP).The following key is changed.

LmcompatibilityLevel = 5 for NTLMv2LmcompatibilityLevel=0 for NTLMv1.

It’s time to join the Fermi It’s time to join the Fermi Domain!Domain!




Join the Fermi DomainJoin the Fermi Domain

Now that the user profile has been Now that the user profile has been copied and the NTLMv2 change is copied and the NTLMv2 change is in place, it is time to move the in place, it is time to move the user’s computer into the domain.user’s computer into the domain.– The BD OU Admins must add your The BD OU Admins must add your

computer to the BD OU.computer to the BD OU.– The local administrator can then join The local administrator can then join

the computer to the domain.the computer to the domain.

Join the Fermi DomainJoin the Fermi Domain The BD OU Admins will The BD OU Admins will

add your add your computer namecomputer name to the Fermi BD OU.to the Fermi BD OU.– The BD OU Admins set The BD OU Admins set

management privileges in management privileges in Active Directory to allow Active Directory to allow the local administrator to the local administrator to add this computer to the add this computer to the domain locally.domain locally.

The local administrator can The local administrator can join the computer to the join the computer to the domain using their Fermi domain using their Fermi Domain account credentials.Domain account credentials.– The computer automatically The computer automatically

joins the domain in the correct joins the domain in the correct OU.OU.

Join the Fermi DomainJoin the Fermi DomainNow we’ll show you how a local administrator can add a computer to the domain after the BD OU Administrators have added the computer information into the Active Directory.Right-click on My Computer and select properties.


The System Properties box is opened.Select the “Computer Name” tab (WinXP) or the “Network Identification” tab (Win2k).Click on the “Change” button (WinXP) or the “Properties” button (Win2k).


The Change (WinXP) or Properties (Win2k) button pulls up the window where we can change the computer name and/or domain.


Normal domain changing procedure is: Change the computer name Change to Workgroup = Workgroup Reboot Change from Workgroup = Workgroup to

Domain = Fermi Reboot

However, if you are not changing your computer name, you can use the following shortcut.


If you are not changing your computer name, you can change directly from

•Domain = Beams to

•Domain = Fermi.

Join the Fermi DomainJoin the Fermi DomainWhen prompted for credentials, supply your Fermi domain account username and password.

Remember, the BD OU Administrators grant you the right to join a computer to the domain, so this privilege must be arranged in advance.

If successful, you will get a welcome to fermi domain popup window.

Join the Fermi DomainJoin the Fermi Domain After joining the Fermi Domain, you will be After joining the Fermi Domain, you will be

prompted to reboot. You must do this to prompted to reboot. You must do this to complete the Domain joining process.complete the Domain joining process.

After the reboot, it is really tempting to let After the reboot, it is really tempting to let the user login to their Fermi Domain the user login to their Fermi Domain account; however, we are not quite ready account; however, we are not quite ready for user login.for user login.

We must configure group membership We must configure group membership before the user’s domain account can before the user’s domain account can maintain the same level of functionality as maintain the same level of functionality as they are used to.they are used to.

Group Membership is Group Membership is important!important!




Group MembershipGroup MembershipTo configure group membership, login to To configure group membership, login to the local administrator account again.the local administrator account again.

Group MembershipGroup MembershipOpen the Control Panel and find “User Accounts” (WinXP) or “Users and Passwords” (Win2K).

Group MembershipGroup Membership

In the User Accounts window, go to the “Advanced” tab


In the “Advanced” Tab, click on the “Advanced” button


The “Advanced” button brings up the “Local Users and Groups” window.Click on “Groups”.

Group MembershipGroup MembershipThe “Groups” folders lists all of the local groups on your computer in the right pane.


Double-click on “Administrators” to show what users have administrative privileges on your computer.We will have to add Fermi\BD Domain Admins.Click Add

Group MembershipGroup MembershipThe “Select Users or Groups” window is opened.If you know the group name that you want to add, you can type the name in the bottom pain.


You can click on “Check Names” to verify that the group name has been typed correctly.Clicking OK will add the group. If you don’t know the name of the group, click the “Advanced” button.


The “Advanced” button lets you search for a group.Enter search criteria (if any) in the name or description fieldsClick “Find Now”

Group MembershipGroup MembershipThe “Find Now” button pulls up a list of groups that fit your search criteria.Double-click on the desired group (BD Domain Admins in our case).


The result is we added the Fermi\Domain Admins global group to the Administrators group on your computer.The list of users in your administrator’s group should match what is shown here. Add or remove the appropriate group(s) as necessary.


If Fermi\BD Domain Admins is not added to the administrators group, then the BD OU Admins will not be able to administer your computer.

Group MembershipGroup MembershipNext, we need to modify the Power Users group.


Add Fermi\Domain Users.Without this change users will not be able to add printers and run some programs.

You can remove any other users or groups that are in the Power Users group.


Next, we will need to edit the Backup Operators group.


Add the Fermi\bd-service-backup account to the Backup Operators group.You can remove any other users or groups that are in the Power Users group.


Now that the Group Membership configuration is complete, we can logout of the localadmin account and have the user login to their new Fermi Domain account.

The final test!The final test! Upgrade your OS (quick review)Upgrade your OS (quick review)




Login to the Fermi DomainLogin to the Fermi Domain

Have the user login to their Fermi Have the user login to their Fermi Domain account on the computer that Domain account on the computer that was joined to the Fermi Domain.was joined to the Fermi Domain.

Try to remember the Beams Domain Try to remember the Beams Domain Profile that we looked at earlier. Profile that we looked at earlier. – Minos backgroundMinos background– Adebt2-color printerAdebt2-color printer– Meeting Maker and Migration Screen icons…Meeting Maker and Migration Screen icons…


Have the user login to the Fermi Domain account

Y drive Z drive

Printer

Desktop & Desktop icons


Earlier user profile was successful. Earlier user profile was successful. All user profile configurations that All user profile configurations that the user had in their WinNT Beams the user had in their WinNT Beams user profile is now in their Win2k user profile is now in their Win2k Fermi user profile!Fermi user profile!

What will we talk about What will we talk about today?today?




Questions?Questions?

beams division local administrators meeting 9/17/02 brian drendel

Documents

fermi win2k domain

latest service packsapply

os upgrade form

service packsrecent

os quick reviewupgrade

win2k domainupgrade

win2kxp upgrade form

service pack script