Migrating to Windows 2000 in a Large Research Environment

Rand Morimoto
President, Inacom Oakland
[email protected]


Migrating to Windows 2000 in a Large Research Environment

Background of Active Directory
DNS in Windows 2000
Migrating from WINS to DNS
Consolidating NT4 Domains
Conducting a Phased Migration
Next Generation MS-Exchange

About the Speaker

• Microsoft Advisory Council Member (1995-present)
• On the NT and Windows 2000 Development Team
• Author:
  • "Deploying Microsoft Exchange v5", 700 pages
  • "Tuning and Optimizing Windows NT", 1000 pages
  • "Windows 2000: Design and Migration"
  • "Exchange v6: Design and Migration"
• President / Inacom Oakland
• Inacom Corporation
  • National / Int'l Services
  • Windows 2000 Services

Microsoft Directory Evolution

Windows NT user directory (now):
  Single enterprise logon
  Central management
  Replicated / partitioned

Microsoft Exchange Server directory (now):
  E-mail names and rich attributes
  X.500 naming
  MAPI, LDAP support
  Scalable to "millions"

Windows 2000 (coming):
  Integrated DNS, X.500
  Deep integration with OS security
  More standard support: X.500 DAP/DSP, ADSI, OLE/dB, etc.
  Scalable to millions

What is Active Directory?

Windows 2000 directory service. Active Directory has:
  A hierarchical, flexible namespace
  Partitioning for scalability
  Multi-master replication
  Dynamic extensibility
  Open and extensible directory synchronization interfaces
  Lightweight Directory Access Protocol (LDAP) as the core protocol for interoperability

AD Terminology

Namespace
Name
Domain
Organizational Units (OUs)
Tree
Sites
Global Catalog
Schema

Differentiation

Administration designators vs. replication designators

Creating Administrative Structures

1. First I create my "Domain" and give it an organization name
2. Then I create Organizational Units within this domain to distribute administration
3. I then create users within the Organizational Units where they belong
4. Finally I group the users so I can more easily set policies for the group

Creating Administrative Structures

Diagram: Domain -> Organizational Units -> Users and Groups

Active Directory: Global namespace = DNS + LDAP directories

Enterprise is made of domains
Domains can be linked by trust
Domains can be related by name
Both X.500 and DNS naming:
  DC=MyCorp,DC=Com            whatever.edu
  DC=Dev,DC=MyCorp,DC=Com     whatnot.whatever.edu

Diagram (DNS tree, with the LDAP directory beneath each domain):
  com
    inacom        Domain: inacom.com
    microsoft     Domain: microsoft.com
  edu
    berkeley      Domain: berkeley.edu
      courses
        PoliSci
          students: AArney, KBryant, BSmith, RJones

Windows 2000 DNS Management Services

Planning Your DNS Strategy

Active Directory is integrated with the Domain Name System (DNS). Therefore, it is important to:
  Determine which DNS server to use
  Determine your DNS root

DNS Server Options

  Implement Microsoft DNS exclusively
  Implement Microsoft DNS as a delegated sub-domain
  Use an existing DNS server

Implement Microsoft DNS Exclusively

Benefits:
  Tight integration with Active Directory
  Supports the extended character set, Unicode
  Not dependent on existing DNS servers
  Will co-exist with other DNS servers
  Supports multi-master replication

Implement Microsoft DNS as a Delegated Sub-domain

Benefits:
  Requires no upgrade of any existing DNS servers
  Utilize existing DNS infrastructure
  Minimizes dependency of Active Directory on existing DNS servers

Use a Non-Microsoft DNS Server

Benefits:
  Does not require replacing existing DNS servers
  No DNS changes required

Existing DNS Server

To support Active Directory, a DNS server must support the SRV RR defined by RFC 2052 (since superseded by RFC 2782; the record format is unchanged).
Should also support:
  The Dynamic Update Protocol - RFC 2136
  Incremental Zone Transfers - RFC 1995

If the zone accepts dynamic updates, restrict who may register records (Windows 2000 offers secure dynamic update for Active Directory-integrated zones); an unrestricted zone lets any host on the network overwrite the SRV records clients use to find domain controllers.
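To turn the SRV requirement above into a check that can be run before a migration, here is an added example (not code from the presentation). It parses RFC 2052-format SRV records from constructed zone text, reports which of the owner names a Windows 2000 domain controller registers are missing (_ldap._tcp.<domain> and _kerberos._tcp.<domain>; the slide does not list these names, they are an assumption of this example), and then selects a domain controller the way a client does, by priority first and then by weight.

```python
"""Locate a domain controller through DNS SRV records (RFC 2052 format).

Added example, not part of the presentation. The zone text is constructed;
the owner names (_ldap._tcp.<domain>, _kerberos._tcp.<domain>) are the ones
Windows 2000 domain controllers register, which the slide itself does not list.
"""
from __future__ import annotations

import random
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str       # owner name, e.g. _ldap._tcp.berkeley.edu.
    ttl: int
    priority: int   # lower is tried first
    weight: int     # share of traffic among records with equal priority
    port: int
    target: str     # host offering the service


# Constructed zone data: what RFC 2136 dynamic updates from three DCs might
# leave in the berkeley.edu zone. Not real records.
SAMPLE_ZONE = """\
; _ldap._tcp: LDAP on every DC; _kerberos._tcp: KDC on every DC
_ldap._tcp.berkeley.edu.      600 IN SRV 0  100 389 dc1.berkeley.edu.
_ldap._tcp.berkeley.edu.      600 IN SRV 0  100 389 dc2.berkeley.edu.
_ldap._tcp.berkeley.edu.      600 IN SRV 10 0   389 dc-dr.berkeley.edu.
_kerberos._tcp.berkeley.edu.  600 IN SRV 0  100 88  dc1.berkeley.edu.
_kerberos._tcp.berkeley.edu.  600 IN SRV 0  100 88  dc2.berkeley.edu.
"""

_SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<prio>\d+)\s+"
    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_zone(text: str) -> dict[str, list[SrvRecord]]:
    """Group SRV records by owner name; ';' comments and blank lines are skipped."""
    records: dict[str, list[SrvRecord]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = _SRV_LINE.match(line)
        if m is None:
            raise ValueError(f"not an SRV record: {line!r}")
        rec = SrvRecord(m["name"].lower(), int(m["ttl"]), int(m["prio"]),
                        int(m["weight"]), int(m["port"]), m["target"].lower())
        records.setdefault(rec.name, []).append(rec)
    return records


def select_target(records: list[SrvRecord], rng: random.Random) -> SrvRecord:
    """Client-side selection: lowest priority wins; within that priority pick
    at random in proportion to weight. Weight-0 records are placed first in
    the running sum, so they are chosen only when no weighted record can be."""
    if not records:
        raise LookupError("no SRV records for this service")
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    rng.shuffle(candidates)                              # any order, then...
    candidates.sort(key=lambda r: r.weight != 0)         # ...weight 0 first
    total = sum(r.weight for r in candidates)
    pick = rng.randint(0, total)
    running = 0
    for r in candidates:
        running += r.weight
        if running >= pick:
            return r
    return candidates[-1]


def required_srv_names(domain: str) -> list[str]:
    """Owner names a Windows 2000 DC registers for its domain (assumption of
    this example; the slide only says 'must support the SRV RR')."""
    d = domain.strip().rstrip(".").lower()
    return [f"_ldap._tcp.{d}.", f"_kerberos._tcp.{d}."]


def missing_srv_records(zone_text: str, domain: str) -> list[str]:
    """Pre-migration check for an existing DNS server: which required owner
    names have no SRV record in the zone."""
    zone = parse_zone(zone_text)
    return [n for n in required_srv_names(domain) if n not in zone]


def locate_dc(zone_text: str, domain: str, seed: int | None = None) -> SrvRecord:
    """What a client does at logon: query _ldap._tcp.<domain>, then choose
    a target by priority and weight."""
    zone = parse_zone(zone_text)
    name = required_srv_names(domain)[0]
    return select_target(zone.get(name, []), random.Random(seed))


if __name__ == "__main__":
    print("missing:", missing_srv_records(SAMPLE_ZONE, "berkeley.edu"))
    dc = locate_dc(SAMPLE_ZONE, "berkeley.edu", seed=1)
    print(f"use {dc.target}:{dc.port}")
```

Feed it the text export of the relevant zone from the existing DNS server (for example the output of a zone transfer); an empty list from missing_srv_records means the server is answering the names clients will ask for, and the priority/weight logic shows why a record with priority 10 and weight 0 (dc-dr above) is never used while the priority-0 controllers answer.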

Multiple Domains/Trees

Sometimes it is necessary to have more than one domain
Multiple domains with a contiguous name space are referred to as trees

Example tree:
  tailspintoys.com
    europe.tailspintoys.com
      marketing.europe.tailspintoys.com

Forest Definition

One or more Windows 2000 trees that:
  Do not form a contiguous namespace
  Share a common schema, configuration, and Global Catalog
  All trees in a forest trust each other
  Does not need a distinct name

Example forest of two trees:
  Microsoft.Com
    PBS.Microsoft.Com
      NTDev.PBS.Microsoft.Com
  Softimage.Com
    Finance.Softimage.com
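The naming rules on the slides above (the DC= form of a domain name, OUs and users nested within a domain, and the tree-versus-forest distinction) as one worked example. This is added code, not from the presentation: the domain and OU names are taken from the slides, the escaping rule is RFC 2253 (not mentioned on the slides), and the tree-grouping rule assumes a domain belongs to an existing tree only when its immediate DNS parent is also a domain in the set.

```python
"""Active Directory naming: DNS <-> LDAP DN forms, OU/user DNs, and tree grouping.

Added example, not part of the presentation. Domain names come from the
slides; the escaping rule is RFC 2253 (not on the slides); the tree rule
assumes a domain is a child only when its immediate DNS parent is also a
domain in the set.
"""
from __future__ import annotations

# Characters that would be read as DN syntax if left unescaped (RFC 2253).
_DN_SPECIAL = set(',=+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an RDN value so a user-supplied OU or CN cannot inject extra
    DN components (e.g. a name containing ",OU=Admins")."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def dns_to_dn(domain: str) -> str:
    """berkeley.edu -> DC=berkeley,DC=edu (the slides' DC=Dev,DC=MyCorp,DC=Com form)."""
    labels = [lab for lab in domain.strip().rstrip(".").split(".") if lab]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("DC=" + escape_rdn_value(lab) for lab in labels)


def dn_to_dns(dn: str) -> str:
    """Inverse of dns_to_dn: keep the DC= components in order, drop OU=/CN=.
    DNS labels never contain ',' so splitting on it is safe for DC values."""
    labels = [p.strip()[3:] for p in dn.split(",") if p.strip().upper().startswith("DC=")]
    if not labels:
        raise ValueError("no DC= components in DN")
    return ".".join(labels)


def object_dn(domain: str, ous: list[str], cn: str | None = None) -> str:
    """DN of an OU path, or of an object inside it, most specific RDN first:
    object_dn("berkeley.edu", ["courses", "PoliSci", "students"], "AArney")
    -> CN=AArney,OU=students,OU=PoliSci,OU=courses,DC=berkeley,DC=edu"""
    rdns = []
    if cn is not None:
        rdns.append("CN=" + escape_rdn_value(cn))
    rdns.extend("OU=" + escape_rdn_value(ou) for ou in reversed(ous))
    rdns.append(dns_to_dn(domain))
    return ",".join(rdns)


def group_into_trees(domains: list[str]) -> dict[str, list[str]]:
    """Split a set of domains into trees (contiguous namespaces).

    A domain joins the tree that contains its immediate DNS parent; otherwise
    it starts a new tree. The result maps each tree root to its members; more
    than one root means the set is a forest of several trees.
    """
    ordered = sorted({d.strip().rstrip(".").lower() for d in domains},
                     key=lambda d: (d.count("."), d))   # parents before children
    root_of: dict[str, str] = {}
    trees: dict[str, list[str]] = {}
    for d in ordered:
        parent = d.split(".", 1)[1] if "." in d else ""
        root = root_of.get(parent, d)
        if root == d:
            trees[d] = []
        root_of[d] = root
        trees[root].append(d)
    return trees


if __name__ == "__main__":
    print(dns_to_dn("Dev.MyCorp.Com"))
    print(object_dn("berkeley.edu", ["courses", "PoliSci", "students"], "AArney"))
    forest = ["Microsoft.Com", "PBS.Microsoft.Com", "NTDev.PBS.Microsoft.Com",
              "Softimage.Com", "Finance.Softimage.com"]
    for root, members in group_into_trees(forest).items():
        print(root, "->", members)
```

The escaping matters wherever OU or user names come from an upstream system (an HR feed, a migration tool's rules): without it a name such as "Smith, Jones" becomes two RDNs, and a crafted one can place an object under a different container than intended.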

Integrated Security

Safety:    Authenticode; Driver signing
Auth.:     Priv Key (shared secret) / Kerberos; Public Key / X.509; NT4
Protocol:  SSL; IPSEC; RPC/DCOM
Base:      Crypto API; Encrypting File System (EFS); More auditing

Scenarios: Single Sign-on; Private Comm.; Secure Biz Tx; Secure Desktop

Active Directory holds:
• PK Certificates
• Kerberos keys

Goal of Windows 2000 for Enterprises: Reliability and Scalability

Network Load Balancing
Clustering

Goal of Windows 2000 for Enterprises: World Ready

Multilingual user interface
Same code runs anywhere
Simultaneous support of multiple languages
Single world-wide API

What Can be Done with NT4 in Anticipation of a Migration to Windows 2000

Consider Implementing NT4 Workstation Today

Higher level of security:
  ability to lock down workstation hardware config
  ability to create and manage set processes
Ability to use global roaming profiles
  Key to Intellimirror in Windows 2000
Consolidated DLL model in Windows 2000

System Policies

Design, implement, and gain support for System Policies

Globally manage, for individuals, groups of users, or all users, the ability to:
  change screen saver
  change desktop background
  add applications
  purposely or accidentally delete applications
  drop to a DOS prompt
  modify workstation configurations

Consolidate Domains

Minimize resource domains
Develop structure that utilizes fewer domains
Create simplified trust model
Document enterprise hierarchy:
  server/host configurations
  segment addresses
  segment bandwidth
  trust and authentication process

Fastlane Technologies: DM/Manager

Flexible migration options...
Selectively move single or multiple users from any Source Domain... to any Target Domain!
Setting Rules / Policies for Migration

Conduct Performance Analysis

Evaluate client-to-server bandwidth demands
Evaluate server-to-server bandwidth utilization
Analyze server system utilization
Conduct WAN bandwidth analysis

Bluecurve "Dynameasure" recognized by Microsoft for capacity analysis and capacity planning (http://www.bluecurve.com)

Performance Analysis

Chart: Server CPU capacity is bottlenecked. All four server CPUs reach maximum throughput.

Implement TCP/IP and SMTP as Core Communications Protocols

Diagram: Site A <-- TCP/IP, SMTP --> Site B

Implement DNS (in addition to, and in a Windows 2000 environment in place of, WINS)

WINS is needed for NetBIOS name resolution
DNS is native in a complete Windows 2000 TCP/IP environment

Implement LDAP for Look-up

Diagram:
  Client -> Microsoft Management Console -> ADSI
  ADSI providers: NW3 (NCP), NW4 (NCP), NT4 (Net APIs), NTDS (wldap32.dll)
  Domain Controller: SAM, Directory Service, LDAP
    SAM side: NT4 BDC replication, legacy NT4 APIs
    Directory Service side: Windows 2000 multi-master replication

Create a Windows 2000 Deployment Team

Team includes:
  DNS decision makers (NT, UNIX, etc.)
  Hardware implementers and support personnel
  File/print and LAN/WAN decision makers
  Firewall and Internet security decision makers (Kerberos, X.509, etc.)
  Electronic messaging group
  Desktop support group (Intellimirror, Windows Scripting, Sysclone, SMS)

Migrating from NT4 to Windows 2000

Migrating Domain Controllers
Migrating Servers
Migrating Users

Migration

Any Windows NT domain model can be migrated easily to the Active Directory
Mixed environments:
  Fully supported
  Look and act like Windows NT 4.0 domains
  Migration to domain tree simple

Migration (Initial State)

Diagram: Windows NT 4.x domain, initial state: one "PDC" with BDC, BDC, BDC, BDC, BDC

Migration (Step 1)

Upgrade PDC to Windows 2000
Diagram: the former "PDC" becomes DC - GC (domain replica, global catalog); the NT 4.x BDCs remain

Migration (Step 2)

Upgrade remaining Windows NT 4.x BDCs
Diagram: DC - GC (domain replica, global catalog) plus DC, DC, DC, DC (domain replicas)

Migration (Final State)

"Native" domain
Diagram: DC - GC (domain replica, global catalog) plus DC, DC, DC, DC (domain replicas)

Migration: resource domains

Can be upgraded in place and joined to tree
Can be replaced with OUs:
  Convert in place
  Join to tree
  Create OU in parent domain
  Drag resource domain contents into OU
  Delete (empty) resource domain

Server Role in Windows 2000

                            PDC                           BDC                    Replica
Windows NT 4.0              Only writeable copy           Read-only copy         --
Windows 2000                Writeable copy; appears as    --                     Writeable copy
                            PDC to downlevel clients
                            (the PDC emulator role)
Windows 2000 mixed domain   Only writeable copy           Read-only copy         Read-only copy
                            (Windows NT 4.0 or            (Windows NT 4.0)
                            Windows 2000)

Note: in a mixed domain the slide's "only writeable copy" is what NT 4.0 BDCs see; Windows 2000 DCs in that domain still replicate multi-master among themselves, and only the NT 4.0 BDCs receive a read-only copy from the PDC emulator.

Next Generation Microsoft Exchange 2000, codename "Platinum"

Built on Windows 2000 Active Directory
AD does Exchange administration

Utilizes Multiple Storage Groups

• More than 1 MDB per server
• Smaller MDBs for easier backup/restore
• Separate MDB for NNTP and internal public folders
• Distribute DBs across multiple Storage Area Network (SAN) devices
• Distribute administration of DB management on a single server

Migration to Exchange Platinum

Exchange servers need to be migrated, but not the whole organization
Migration tools included to migrate Exchange v5.5 to Platinum (users, org/site structure, mailboxes, public folders)
Active Directory Connector provides a link between non-Active Directory NOSs and Exchange Platinum (NT4, NDS, LDAP)

Preparing for Exchange Platinum

Upgrade to Exchange v5.5 (if you have not already done so)
Replace Site Connectors with SMTP or X.400 Connectors using InterOrg Directory Replication

Questions?

Rand Morimoto, Inacom Oakland
internet: [email protected]
(510) 444-5700 ext. 100