Planning an Active Directory Deployment Project

When you deploy the Microsoft® Windows® Server 2003 Active Directory® directory service in your environment, you can take advantage of the centralized, delegated administrative model and single sign-on capability that Active Directory provides. After you identify the current environment and deployment goals for your organization, you can create the Active Directory deployment strategy that meets your organization’s needs. Testing the deployment in an isolated lab environment and refining the deployment in selected pilot areas of your production environment help to ensure a smooth deployment throughout your organization.

In This Chapter

Overview of Planning an Active Directory Deployment Project

Determining Your Active Directory Design and Deployment Strategy

Testing and Verifying the Deployment Process

Additional Resources

Related Information

• For more information about planning, testing, and piloting a deployment project, see “Designing a Test Environment” and “Planning and Testing for Application Deployment” in Planning, Testing, and Piloting Deployment Projects in this kit.

• For more information about deploying Windows Server 2003 Domain Name System (DNS), see “Deploying DNS” in Deploying Network Services in this kit.

• For more information about Group Policy, see the Distributed Services Guide of the Microsoft® Windows® Server 2003 Resource Kit (or see the Distributed Services Guide on the Web at http://www.microsoft.com/reskit).


Overview of Planning an Active Directory Deployment Project

Active Directory in the Microsoft® Windows® Server 2003, Standard Edition; Windows® Server 2003, Enterprise Edition; and Windows® Server 2003, Datacenter Edition operating systems allows organizations to simplify user and resource management while creating a scalable, secure, and manageable infrastructure. You can use Active Directory to manage your network infrastructure, including branch office, Microsoft® Exchange Server, and multiple forest environments.

Although the guidelines presented in this book are appropriate for almost all network operating system (NOS) management deployments, the guidelines have been tested and validated specifically for environments that contain fewer than 100,000 users and fewer than 1,000 sites, with network connections of a minimum of 28.8 kilobits per second (Kbps). If your environment does not meet these criteria, consider using a consulting firm that has experience deploying Active Directory in more complex environments.

Deploying Active Directory provides the following benefits to your organization:

• Simplified administration and resource management. You can delegate administration to all levels of an organization, and you can use Group Policy to centralize administration.

• Increased network security and single sign-on for users. Active Directory supports multiple authentication protocols and X.509 certificates, and provides support for smart cards.

• Interoperability with other directory services. Active Directory provides standards-based, open interfaces that interoperate with other directory services and applications, such as e-mail applications.

• Features that reduce administration costs, increase security, and provide additional functionality. Application directory partitions allow you to configure application-specific data replication settings on domain controllers. When you raise domain or forest functional levels to Windows Server 2003, you can do the following:

  • Rename domains and domain controllers

  • Establish two-way forest trusts

  • Restructure forests

  • Improve replication

  • Remove some limitations in environments with a large number of sites

Although the Windows Server 2003 Active Directory design and deployment strategies that are presented in this book are based on extensive lab and pilot-program testing and successful implementation in customer environments, you might have to customize your Active Directory design and deployment to better suit specific, complex environments. For more information about deploying Active Directory in a branch office environment, see the Active Directory Branch Office Planning Guide. For more information about deploying Active Directory in an Exchange environment, see Best Practice Active Directory Design for Exchange 2000. For more information about deploying Active Directory in a multiple forest environment, see Multiple Forest Considerations. To download these guides, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources, and then click “Planning & Deployment Guides.”

This book also provides flowcharts, job aids, and deployment examples to help you optimize your Active Directory design and deployment process.

Process for Planning an Active Directory Deployment Project

To plan a Windows Server 2003 Active Directory deployment project, first determine your design and deployment strategy, and then test and verify your design and deployment. Figure 1.1 shows the process for planning your Active Directory deployment project.

Figure 1.1 Planning an Active Directory Deployment Project

[Figure: two process steps in sequence, “Determine your Active Directory design and deployment strategy” followed by “Test and verify the deployment process.”]

Active Directory Background Information

Before you design and deploy Windows Server 2003 Active Directory, become familiar with the Active Directory deployment project cycle, as well as Active Directory–related terms that are required for the Windows Server 2003 Active Directory deployment process.

Active Directory Deployment Project Cycle

An Active Directory deployment project involves three phases: a design phase, a deployment phase, and an operations phase. During the design phase, the design team creates a design for the Active Directory logical structure that best meets the needs of each division in the organization that will use the directory service. After the design is approved, the deployment team tests the design in a lab environment and then implements the design in the production environment.

Because testing is performed by the deployment team and potentially affects the design phase, it is an interim activity that overlaps both design and deployment. When the deployment is complete, the operations team is responsible for maintaining the directory service.

Lab testing and the implementation of a pilot program continue throughout the lifetime of the Active Directory deployment.

Figure 1.2 shows the relationship between the phases of the Active Directory project cycle relative to the lifetime of the deployment project.

Figure 1.2 Relationship Between Active Directory Project Cycle Phases

[Figure: a timeline labeled “Deployment Project Lifetime” showing the Design, Deploy, and Operations phases with a parallel Lab/Pilot track, an ongoing pilot and long-term ownership continuing past deployment, and “Changes to design” leading into a “New Deployment Project” with its own Design, Deploy, Operations, and Lab/Pilot phases.]

Terms and Definitions

The following terms are important to understanding the Windows Server 2003 Active Directory deployment process.

Active Directory domain

An administrative unit in a computer network that, for management convenience, groups several capabilities, including:

• Network-wide user identity. Domains allow user identities to be created once and referenced on any computer that is joined to the forest in which the domain is located. Domain controllers that make up a domain are used to store user accounts and user credentials, such as passwords or certificates, securely.

• Authentication. Domain controllers provide authentication services for users and supply additional authorization data, such as user group memberships. These services can be used to control access to resources on the network.

• Trust relationships. Domains extend authentication services to users in other domains in their own forest by means of automatic bidirectional trusts, and to users in domains in other forests by means of either manually created external trusts or forest trusts.

• Policy administration. The domain is a scope of administrative policies, such as password complexity and password reuse rules.

• Replication. The domain defines a partition of the directory tree that provides data that is adequate to provide the required services and that is replicated between the domain controllers. In this way, all domain controllers are peers in a domain and are managed as a unit.

Active Directory forest

A collection of one or more Active Directory domains that share a common logical structure, directory schema, and network configuration, as well as automatic two-way transitive trust relationships. Each forest is a single instance of the directory and defines a security boundary.

Active Directory functional level

A setting in Windows Server 2003 Active Directory that enables advanced domain-wide or forest-wide Active Directory features.


Migration

The process of moving an object from a source domain to a target domain, while preserving or modifying characteristics of the object to make it accessible in the new domain.

Domain restructure

A migration process that involves changing the domain structure of a forest. A domain restructure can involve either consolidating or adding domains, and can take place between forests or within a forest.

Domain consolidation

A restructuring process that involves eliminating Microsoft® Windows NT® 4.0 domains or Active Directory domains by merging their contents with the contents of other domains.

Domain upgrade

The process of upgrading the directory service of a domain to a later version of the directory service. This includes upgrading the operating system on all domain controllers and raising the Active Directory functional level where applicable.

In-place domain upgrade

The process of upgrading the operating system on all domain controllers that are based on Windows NT 4.0 or on the Microsoft® Windows® 2000 operating system and raising the functional level of the domain if applicable, while leaving domain objects, such as users and groups, in place.

Regional domain

A child domain that is created based on a geographic region in order to optimize replication traffic.

Determining Your Active Directory Design and Deployment Strategy

After you perform a high-level assessment of your current environment and determine your Active Directory deployment goals, you can determine the deployment strategy that works best for your environment. Figure 1.3 shows the steps for defining the Active Directory deployment process.

Figure 1.3 Determining Your Design and Deployment Strategy

[Figure: “Determine your Active Directory design and deployment strategy” breaks down into “Determine your Active Directory design requirements,” “Determine your Active Directory deployment requirements,” and “Determine your restructure requirements,” followed by “Test and verify the deployment process.”]

The Active Directory deployment strategy that you apply varies according to your existing network configuration. For example, if your organization currently runs Windows 2000, you can simply upgrade your operating system to Windows Server 2003. If your organization currently runs Windows NT 4.0 or a non-Windows network operating system, however, you must design an Active Directory infrastructure before you upgrade to Windows Server 2003.

Your deployment process might involve restructuring existing domains, either within an Active Directory forest or between Active Directory forests. You might need to restructure your existing domains after you deploy Windows Server 2003 Active Directory or after organizational changes or corporate acquisitions. You can also restructure domains from a Windows NT 4.0 environment to an Active Directory forest in order to upgrade your production environment to Windows Server 2003.

Table 1.1 lists the possible starting points and goals for a Windows Server 2003 Active Directory deployment and the corresponding deployment steps and chapters in this book that apply to each.

Table 1.1 Current Environment, Goals, and Corresponding Chapters for Deploying Windows Server 2003 Active Directory

Environment: New organization

• Create forest, domain, DNS, and organizational unit design. (Chapter 2: “Designing the Active Directory Logical Structure”)

• Create a site and site link design. (Chapter 3: “Designing the Site Topology”)

• Assess hardware requirements. (Chapter 4: “Planning Domain Controller Capacity”)

• Deploy the forest root domain. (Chapter 6: “Deploying the Windows Server 2003 Forest Root Domain”)

• Deploy regional domains. (Chapter 7: “Deploying Windows Server 2003 Regional Domains”)

• Raise the domain and forest functional levels. (Chapter 5: “Enabling Advanced Windows Server 2003 Active Directory Features”)

Environment: Windows NT 4.0

• Create forest, domain, DNS, and organizational unit design. (Chapter 2: “Designing the Active Directory Logical Structure”)

• Create a site and site link design. (Chapter 3: “Designing the Site Topology”)

• Assess hardware requirements. (Chapter 4: “Planning Domain Controller Capacity”)

• Deploy the forest root domain. (Chapter 6: “Deploying the Windows Server 2003 Forest Root Domain”)

• Deploy regional domains. (Chapter 7: “Deploying Windows Server 2003 Regional Domains”)

• Upgrade in-place Windows NT 4.0 domains that will remain part of your Active Directory domain structure. (Chapter 8: “Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory”)

• Restructure other Windows NT 4.0 domains. (Chapter 10: “Restructuring Windows NT 4.0 Domains to an Active Directory Forest”)

• Raise the domain and forest functional levels. (Chapter 5: “Enabling Advanced Windows Server 2003 Active Directory Features”)

Environment: Windows 2000

• Upgrade Windows 2000 domain controllers. (Chapter 9: “Upgrading Windows 2000 Domains to Windows Server 2003 Domains”)

• Raise the domain and forest functional levels. (Chapter 5: “Enabling Advanced Windows Server 2003 Active Directory Features”)

Table 1.2 lists the goals and corresponding chapters that apply to restructuring domains either within or between forests.

Table 1.2 Goals and Corresponding Chapters for Restructuring Active Directory Domains

Action: Restructure domains within a forest

• Create forest, domain, DNS, and organizational unit design. (Chapter 2: “Designing the Active Directory Logical Structure”)

• Create a site and site link design. (Chapter 3: “Designing the Site Topology”)

• Use a tool such as Active Directory Migration Tool (ADMT) to restructure domains within a forest. (Chapter 12: “Restructuring Active Directory Domains Within a Forest”)

Action: Restructure domains between forests

• Create forest, domain, DNS, and organizational unit design. (Chapter 2: “Designing the Active Directory Logical Structure”)

• Create a site and site link design. (Chapter 3: “Designing the Site Topology”)

• Use a tool such as ADMT to restructure domains between forests. (Chapter 11: “Restructuring Active Directory Domains Between Forests”)

Determining Your Active Directory Design Requirements

If your network environment is currently operating without a directory service, or if you need to modify your current Active Directory infrastructure, complete the design process for your Active Directory infrastructure. You must complete a comprehensive design of your Active Directory logical structure before you deploy Active Directory. Thoroughly preparing your Active Directory design is essential to a cost-effective deployment.

Logical Structure Design

Before you deploy Windows Server 2003 Active Directory, you must plan for and design the Active Directory logical structure for your environment. The Active Directory logical structure determines how your directory objects are organized, and provides an effective method for managing your network accounts and shared resources. When you design your Active Directory logical structure, you define a significant part of the network infrastructure of your organization.

To design the Active Directory logical structure, determine the number of forests that your organization requires, and then create designs for domains, DNS, and organizational units.


Site Topology Design

After you design the logical structure for your Active Directory infrastructure, you must design the site topology for your network. The site topology is a logical representation of your physical network. It contains information about the location of Active Directory sites, the Active Directory domain controllers within each site, and the site links that support Active Directory replication between sites.

Domain Controller Capacity Planning

To ensure efficient Active Directory performance, you must determine the appropriate number of domain controllers for each site and verify that they meet the hardware requirements for Windows Server 2003. Careful capacity planning for your domain controllers ensures that you do not underestimate hardware requirements, which can cause poor domain controller performance and application response time.

Advanced Active Directory Features

Functional levels in Windows Server 2003 Active Directory allow you to enable new features that require every domain controller in the participating domain or forest to run Windows Server 2003, such as improved group membership replication, deactivation and redefinition of attributes and classes in the schema, and forest trust relationships. Part of the Active Directory design process involves identifying the domain and forest functional levels that your organization requires. To implement these Windows Server 2003 Active Directory features in your organization, you must first deploy Windows Server 2003 Active Directory and then raise the forest and domain to the appropriate functional level. Raising a functional level cannot be reversed in Windows Server 2003, so confirm that no domain controller running an earlier operating system remains in, or is still planned for, the domain or forest before you raise it.
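The following script is an added example and is not part of the Deployment Kit. It reports the current domain and forest modes and the operating system of every domain controller in the forest, and lists the controllers that would block raising a level, which is the check to run before you raise a domain or forest to Windows Server 2003. It uses only the .NET System.DirectoryServices.ActiveDirectory classes, so it needs PowerShell 2.0 or later on a domain-joined machine and an account that can read the directory; the domain name in the usage lines is taken from this chapter’s Contoso example and is an assumption.

```powershell
# Added example, not part of the Deployment Kit: report functional levels and
# per-DC operating systems, and find the DCs that block raising a level.
# Assumes PowerShell 2.0+, a domain-joined machine, and read access to the forest.

Add-Type -AssemblyName System.DirectoryServices

# One record per domain controller in the forest, with the mode of its domain.
function Get-FunctionalLevelReport {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.DomainControllers) {
            New-Object PSObject -Property @{
                Forest     = $forest.Name
                ForestMode = $forest.ForestMode    # e.g. Windows2000Forest, Windows2003InterimForest, Windows2003Forest
                Domain     = $domain.Name
                DomainMode = $domain.DomainMode    # e.g. Windows2000MixedDomain, Windows2000NativeDomain, Windows2003Domain
                DC         = $dc.Name
                Site       = $dc.SiteName
                OS         = $dc.OSVersion         # operatingSystem (and service pack) of the DC's computer object
            }
        }
    }
}

# DCs that would prevent raising the named domain (or, with no -Domain, the
# whole forest) to the Windows Server 2003 functional level: any DC whose
# operating system is not Windows Server 2003.
function Get-BlockingDomainController {
    param([string]$Domain)
    Get-FunctionalLevelReport |
        Where-Object { (-not $Domain) -or ($_.Domain -eq $Domain) } |
        Where-Object { $_.OS -notlike 'Windows Server 2003*' }
}

# Usage (domain name assumed from this chapter's Contoso example):
#   Get-FunctionalLevelReport | Format-Table Domain, DomainMode, ForestMode, DC, Site, OS -AutoSize
#   $blocking = @(Get-BlockingDomainController -Domain 'concorp.contoso.com')
#   if ($blocking.Count -eq 0) { 'Every DC in concorp.contoso.com runs Windows Server 2003; the domain level can be raised.' }
#   else { $blocking | Format-Table DC, Site, OS -AutoSize }
#   # For the forest level, run Get-BlockingDomainController with no -Domain.
```

Run the forest-wide form before raising the forest functional level, because that operation requires every domain controller in every domain to run Windows Server 2003, and the raise itself cannot be undone.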

Determining Your Active Directory Deployment Requirements

The structure of your existing environment determines your strategy for deploying Windows Server 2003 Active Directory. If you are creating an Active Directory environment and you do not have an existing domain structure, you must complete your Active Directory design before you begin creating your Active Directory environment. Then you can deploy a new forest root domain and deploy the rest of your domain structure according to your design.

Windows Server 2003 Forest Root

To deploy Active Directory, you must first deploy a Windows Server 2003 forest root domain. To do this, you must configure DNS, deploy forest root domain controllers, configure the site topology for the forest root domain, and configure operations master roles.

Windows Server 2003 Regional Domains

If you are creating one or more new regional domains in a Windows Server 2003 forest, you must deploy each regional domain after you deploy your forest root domain. To do this, you must delegate a DNS zone and deploy domain controllers for each regional domain.

Windows NT 4.0 Domain Upgrade to Windows Server 2003

When you perform an in-place domain upgrade of Windows NT 4.0 domains, you can begin to use Active Directory without making any modifications to your existing domain structure.

Alternatively, if you do not want to retain your existing domain structure, you can restructure your Windows NT 4.0 domains to a Windows Server 2003 forest. For more information about restructuring your Windows NT 4.0 domains to a Windows Server 2003 forest, see "Determining Your Restructure Requirements" later in this chapter.

Windows 2000 Domain Upgrade to Windows Server 2003

Upgrading your Windows 2000 domains to Windows Server 2003 domains is an efficient, straightforward way to take advantage of additional Windows Server 2003 features and functionality. Upgrading from Windows 2000 to Windows Server 2003 requires minimal network configuration and has little impact on user operations.

Determining Your Restructure Requirements

As part of your Active Directory deployment, you might choose to restructure your environment. Before doing so, you must determine when and how you want to restructure your environment.

Organizations with an existing Windows NT 4.0 domain structure might perform an in-place upgrade of some domains and restructure others. In addition, you might decide to reduce the complexity of your environment by either restructuring domains between forests or restructuring domains within a forest after you deploy Active Directory.

Windows NT 4.0 Domain Restructure to a Windows Server 2003 Forest

Because of its greater scalability, a Windows Server 2003 Active Directory environment requires fewer domains than a Windows NT 4.0 environment. Instead of performing an in-place upgrade of your Windows NT 4.0 domains, it might be more efficient to consolidate a number of smaller Windows NT 4.0 account and resource domains into a few, larger Active Directory domains.


Interforest Active Directory Domain Restructure

When you restructure domains between Windows Server 2003 forests, you can reduce the number of domains in your environment and, therefore, reduce administrative complexity and overhead. When you migrate objects between forests as part of the restructuring process, both the source and target domain environments exist simultaneously. This enables you to roll back to the source environment during the migration, if necessary.

Intraforest Active Directory Domain Restructure

When you restructure Windows Server 2003 domains within a Windows Server 2003 forest, you can consolidate your domain structure and, therefore, reduce administrative complexity and overhead. Unlike the process for restructuring Windows Server 2003 domains between forests, when you restructure domains within a forest, the migrated accounts no longer exist in the source domain.

Table 1.3 lists the differences between an interforest and an intraforest domain restructure.

Table 1.3 Differences Between Interforest and Intraforest Domain Restructures

Migration consideration: Object preservation

• Interforest restructure: Objects are cloned rather than migrated. The original object remains in the source location to maintain user access to resources.

• Intraforest restructure: Objects are migrated and no longer exist in the source location.

Migration consideration: SID history maintenance

• Interforest restructure: Maintaining SID history is optional.

• Intraforest restructure: SID history is required.

Migration consideration: Password retention

• Interforest restructure: Password retention is optional.

• Intraforest restructure: Passwords are always retained.

Migration consideration: Local profile migration

• Interforest restructure: You must use tools such as ADMT to migrate local profiles.

• Intraforest restructure: For workstations that run Windows 2000 and later, local profiles are migrated automatically because the user’s GUID is preserved. However, you must use tools such as ADMT to migrate local profiles for workstations that run Windows NT 4.0 and earlier.

Migration consideration: Closed sets

• Interforest restructure: You do not need to migrate accounts in closed sets.

• Intraforest restructure: You must migrate accounts in closed sets.
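Because both kinds of restructure can leave migrated accounts carrying SID history, a practitioner wants a way to see which accounts still depend on it after ADMT has run. The script below is an added example, not part of the Deployment Kit or of ADMT: it lists every object in a domain whose sIDHistory attribute is populated, decodes the historical SIDs, and derives the source domain SID of each. It uses System.DirectoryServices (PowerShell 2.0 or later, domain-joined machine, read access to the domain); the naming context it searches by default is whatever the RootDSE of the machine’s own domain reports.

```powershell
# Added example, not part of the Deployment Kit: audit sIDHistory after a restructure.
# Assumes PowerShell 2.0+, a domain-joined machine, and read access to the domain.

Add-Type -AssemblyName System.DirectoryServices

function Get-SidHistoryReport {
    param(
        # Search base; defaults to the current domain's naming context, e.g. DC=concorp,DC=contoso,DC=com
        [string]$SearchBase
    )
    if (-not $SearchBase) {
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
        $SearchBase = [string]$rootDse.Properties['defaultNamingContext'].Value
    }
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        $root,
        '(sIDHistory=*)',                       # only objects that carry SID history
        [string[]]('distinguishedName', 'sAMAccountName', 'objectSid', 'sIDHistory'))
    $searcher.PageSize = 1000                   # paged search so large domains return every hit

    foreach ($result in $searcher.FindAll()) {
        # sIDHistory is multi-valued; each value is a binary SID
        $history = @(foreach ($raw in $result.Properties['sidhistory']) {
            New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        })
        New-Object PSObject -Property @{
            Account       = [string]$result.Properties['samaccountname'][0]
            DN            = [string]$result.Properties['distinguishedname'][0]
            CurrentSid    = (New-Object System.Security.Principal.SecurityIdentifier(
                                 $result.Properties['objectsid'][0], 0)).Value
            SidHistory    = @($history | ForEach-Object { $_.Value })
            # AccountDomainSid drops the RID, leaving the SID of the source domain
            SourceDomains = @($history | ForEach-Object { $_.AccountDomainSid.Value } | Sort-Object -Unique)
        }
    }
}

# Usage:
#   Get-SidHistoryReport | Sort-Object Account | Format-Table Account, CurrentSid, SourceDomains -AutoSize
#   # Count migrated accounts per source domain:
#   Get-SidHistoryReport | Group-Object { $_.SourceDomains -join ',' } | Select-Object Count, Name
```

Within a forest, every SID in sIDHistory is added to the account’s access token, so each entry is a standing grant of the source account’s access. Treat the report as a worklist: once resource permissions have been translated to the new SIDs, the history entries no longer serve a purpose and should be cleared.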

Example: Establishing an Active Directory Deployment Strategy

To illustrate the Active Directory deployment process, the chapters in this book show an example of how a fictitious company, Contoso Pharmaceuticals, deploys Active Directory in its environment. The Contoso environment consists of four domains, all of which are running Windows 2000 Active Directory. Figure 1.4 shows the current domain structure for the Contoso corporation.

Figure 1.4 Contoso Corporation Domain Structure

[Figure: forest root domain concorp.contoso.com with child domains noam.concorp.contoso.com, emea.concorp.contoso.com, and africa.concorp.contoso.com.]

After reviewing its existing environment and identifying its deployment goals, Contoso established the following Active Directory deployment strategy:

u Upgrade Windows 2000 domains to Windows Server 2003 domains.

u Enable advanced Active Directory features by raising the domain and forest functional levels to Windows Server 2003.

After upgrading all Windows 2000 domains to Windows Server 2003 domains, Contoso will restructure the africa.concorp.contoso.com domain within the forest to consolidate it with the emea.concorp.contoso.com domain.


The Contoso corporation is acquiring a company called Trey Research, which is currently running a Windows NT 4.0–based environment, as shown in Figure 1.5.

Figure 1.5 Current Environment for Trey Research

[Figure: Windows NT 4.0 domains EAST, BOSTON, MAIL-APPS, PROD-APPS, and OFFICE-APPS.]

Contoso established the following Active Directory deployment strategy for their Trey Research acquisition:

u Design the Active Directory logical structure to create forest, domain, DNS, and organizational unit designs for the new Windows Server 2003 environment.

u Design the site topology to create the required sites, site links, and site link bridges.

u Plan domain controller capacity to determine the hardware requirements for the new Windows Server 2003 environment.

u Deploy trccorp.treyresearch.net as the forest root domain.

u Deploy three regional domains. Different teams can create these domains simultaneously.

u Upgrade the EAST domain to Windows Server 2003 to become east.trccorp.treyresearch.net.

u Create two new Windows Server 2003 regional domains called asia.trccorp.treyresearch.net and west.trccorp.treyresearch.net.

u Restructure the BOSTON, MAIL-APPS, PROD-APPS, and OFFICE-APPS domains to the east.trccorp.treyresearch.net Windows Server 2003 domain by using ADMT.

u Raise the domain and forest functional levels to Windows Server 2003.

Figure 1.6 shows the interim environment for Trey Research.

Figure 1.6 Interim Environment for Trey Research

[Figure: forest root domain trccorp.treyresearch.net with regional domains east.trccorp.treyresearch.net, west.trccorp.treyresearch.net, and asia.trccorp.treyresearch.net.]

At a later time, Contoso determined that a single domain would be more cost-effective for the Europe, Middle East, and Asia region, so the final step in the deployment process is to restructure asia.trccorp.treyresearch.net into the emea.concorp.contoso.com domain in the Contoso forest by using ADMT.

Figure 1.7 shows the domain structure for the Contoso corporation after the acquisition of Trey Research and the Windows Server 2003 Active Directory deployment process is complete.

Figure 1.7 Final Environment for Contoso and Trey Research

[Figure: Contoso forest with root domain concorp.contoso.com and child domains noam.concorp.contoso.com and emea.concorp.contoso.com; Trey Research forest with root domain trccorp.treyresearch.net and child domains east.trccorp.treyresearch.net and west.trccorp.treyresearch.net.]

Testing and Verifying the Deployment Process

In any Active Directory deployment, you can minimize the impact on normal business operations by testing design assumptions and verifying the deployment process in a pilot program. As you create the first draft of your Active Directory design, begin to test and verify. Testing and verifying begin during the design phase and continue through the deployment and operations phases.

Figure 1.8 shows the process for testing and verifying your Active Directory design and deployment.

Figure 1.8 Testing and Verifying the Active Directory Design and Deployment

[Figure: after “Determine your Active Directory design and deployment strategy,” the step “Test and verify the deployment process” breaks down into “Test the design and deployment in a lab environment,” “Verify the deployment in a pilot program,” and “Complete the pilot deployment program.”]

Testing the Design and Deployment in a Lab Environment

Lab testing is the first evaluation of the Active Directory design. During lab testing, you confirm the assumptions made by the design architects.

As the first draft of the Active Directory design approaches completion, begin testing specific design assumptions in the deployment process in a lab environment. By testing the deployment process in your lab, you can discover potential design problems that affect the deployment process and provide feedback to the design team to correct problems before the deployment.


Ensure that the test lab environment is isolated from the rest of your organization's production network and represents, on a small scale, the hardware and operating system configuration of the computers in your organization. Include enough domain controllers in the lab environment to support a representative sample of your site design, including intrasite and intersite replication partners, site links, and realistic replication intervals.

Include user and group accounts and other resources that are exclusively designated for testing.

Ensure that your test environment provides access to test configurations of external services, such as mainframe or Internet access, as required. Retain the lab permanently to test new procedures and train the deployment team.

The deployment team can use the lab environment to learn the specifics of your deployment process and to gain familiarity with the deployment and migration tools that are used during the Active Directory deployment.

Typically, the design assumption tests and the deployment process tests are performed by different teams. Table 1.4 lists the lab tests and the team members who perform the tests in the lab.

Table 1.4 Lab Tests and Corresponding Team Members

Test process: Test design assumptions

• Analyze Active Directory replication and site topology. Team members: design team, site topology owner, and deployment team.

• Test application and desktop compatibility. Team members: design team.

Test process: Test deployment process

• Test disaster recovery. Team members: forest owner and deployment team.

• Test account and resource migration. Team members: forest owner and deployment team.

• Evaluate delegation, administration, and management. Team members: forest owner.

Testing Design Assumptions

During the design process, the design team makes assumptions that are incorporated into the Active Directory design, such as Active Directory replication and application compatibility.

After the team completes a preliminary draft of the design, it must prove these assumptions in the lab environment.

To test the design assumptions in the lab environment, the design team must:

• Analyze Active Directory replication and site topology.

• Develop a test plan, and then test application and desktop compatibility.

Analyze Active Directory Replication and Site Topology

The site topology design specifies the maximum replication latency. This is the length of time that is required to replicate changes throughout the forest. The design team must make sure that forest-wide replication latency is less than or equal to the maximum replication latency specified in the design. The team must perform a worst-case test that is based on the maximum number of hops that are assumed in the design. The team must observe the time that is required for replication convergence when a domain controller or communications link fails.

To analyze Active Directory intersite replication site failover

1. Identify the domain controllers that are responsible for intersite replication by using Active Directory Sites and Services.

2. Disconnect domain controllers or disable communications links that are used in intersite replication.

3. Allow the Knowledge Consistency Checker (KCC) to automatically configure new replication topology.

4. Identify the domain controllers that are now responsible for intersite replication.

5. Reconnect the domain controllers or enable communications links.

6. Verify that the intersite replication topology returns to the original state, as identified in step 1.
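The procedure above is easier to carry out repeatably if the “identify” and “verify” steps are a script rather than a manual walk through Active Directory Sites and Services. The following is an added example and is not part of the Deployment Kit: it snapshots the intersite connection objects the KCC has built, diffs two snapshots taken before and after a bridgehead or link outage (steps 1, 4 and 6), and measures the replication convergence time the design must meet by stamping a canary object on one domain controller and polling every controller in that domain. It uses the .NET System.DirectoryServices.ActiveDirectory classes (PowerShell 2.0 or later) and must be run in the isolated lab forest by an account that can read the configuration partition and write the description attribute of the canary object; the domain name and the canary object’s distinguished name in the usage lines are assumptions taken from this chapter’s Contoso example, and the canary object is one you create for the test.

```powershell
# Added example, not part of the Deployment Kit: snapshot and diff intersite
# replication connections, and time replication convergence of a canary change.
# Assumes PowerShell 2.0+, a machine joined to the lab forest, read access to the
# configuration partition, and write access to the canary object's description.

$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.DirectoryServices

# One record per inbound intersite connection object in the forest (step 1 / step 4).
function Get-IntersiteConnection {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($site in $forest.Sites) {
        foreach ($server in $site.Servers) {
            foreach ($conn in $server.InboundConnections) {
                if ($conn.ReplicationSpan -eq 'InterSite') {
                    New-Object PSObject -Property @{
                        Site        = $site.Name
                        Destination = $conn.DestinationServer   # bridgehead in this site
                        Source      = $conn.SourceServer        # bridgehead in the remote site
                        Transport   = $conn.TransportType       # Rpc or Smtp
                        KccBuilt    = $conn.GeneratedByKcc
                    }
                }
            }
        }
    }
}

# Connections present in one snapshot but not the other (step 6 is an empty result).
# '=>' marks connections only in $After, '<=' connections only in $Before.
function Compare-IntersiteTopology($Before, $After) {
    $key = { "$($_.Source) -> $($_.Destination)" }
    Compare-Object (@($Before | ForEach-Object $key)) (@($After | ForEach-Object $key))
}

# Write a unique stamp into the canary's description on one DC of the domain,
# then poll every DC of that domain until all show it or the timeout expires.
function Measure-ReplicationConvergence {
    param(
        [string]$Domain,                 # e.g. 'concorp.contoso.com'
        [string]$CanaryDn,               # e.g. 'CN=ReplCanary,OU=LabTest,DC=concorp,DC=contoso,DC=com' (test object you created)
        [int]$TimeoutSeconds = 1800,
        [int]$PollSeconds = 5
    )
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
    $dcs = @([System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).DomainControllers |
             ForEach-Object { $_.Name })

    $stamp  = 'replcanary ' + [DateTime]::UtcNow.ToString('o')
    $writer = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dcs[0])/$CanaryDn")
    $writer.Properties['description'].Value = $stamp
    $writer.CommitChanges()

    $pending = @{}
    foreach ($dc in $dcs) { $pending[$dc] = $true }
    $seen  = @{}
    $clock = [System.Diagnostics.Stopwatch]::StartNew()
    while ($pending.Count -gt 0 -and $clock.Elapsed.TotalSeconds -lt $TimeoutSeconds) {
        foreach ($dc in @($pending.Keys)) {
            try {
                $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/$CanaryDn")
                if ([string]$entry.Properties['description'].Value -eq $stamp) {
                    $seen[$dc] = [int]$clock.Elapsed.TotalSeconds
                    $pending.Remove($dc)
                }
            } catch {
                # DC unreachable (for example the one you disconnected); keep polling the rest
            }
        }
        if ($pending.Count -gt 0) { Start-Sleep -Seconds $PollSeconds }
    }
    $max = $null
    if ($seen.Count -gt 0) { $max = ($seen.Values | Measure-Object -Maximum).Maximum }
    New-Object PSObject -Property @{
        Stamp          = $stamp
        Converged      = ($pending.Count -eq 0)
        SecondsPerDc   = $seen
        Unconverged    = @($pending.Keys)
        MaxLatencySecs = $max     # compare against the design's maximum replication latency
    }
}

# Usage, following the failover procedure above:
#   $before = Get-IntersiteConnection
#   # ...disconnect a bridgehead DC or disable a WAN link (step 2), then wait for the
#   #    intersite topology generator to run; it runs every 15 minutes by default (step 3)...
#   $after = Get-IntersiteConnection
#   Compare-IntersiteTopology $before $after
#   # ...reconnect (step 5), wait again, and confirm the diff is empty (step 6):
#   Compare-IntersiteTopology $before (Get-IntersiteConnection)
#   Measure-ReplicationConvergence -Domain 'concorp.contoso.com' -CanaryDn 'CN=ReplCanary,OU=LabTest,DC=concorp,DC=contoso,DC=com'
```

Run Measure-ReplicationConvergence both with the topology intact and while a link is down: the first gives the steady-state latency to compare against the design figure, and the second shows how long convergence takes over the longer path the KCC builds around the failure.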

Verify Application and Desktop Compatibility

The design team must also determine the compatibility between applications, desktop operating systems, and Active Directory. Typically, the aspects of application testing that are affected by an Active Directory migration or upgrade include applications that run on servers and client computers, in addition to remote access usage.

Verify the application and desktop compatibility design assumptions by creating a list of all critical applications. Have design team members test each application to make sure that it operates correctly in a migrated environment.

When you verify application and desktop compatibility, verify that:

u Existing server applications, such as those that currently run on a Windows NT 4.0 backup domain controller (BDC), can run on Windows Server 2003–based member servers and domain controllers.

For example, some server applications that run on BDCs take advantage of Shared Local Groups. To run these server applications on a Windows Server 2003–based domain controller, verify that the applications run correctly by using Active Directory domain local groups.

u Server applications that run on a mixture of Windows Server 2003–based and Windows NT 4.0–based servers can interoperate with one another.

For example, verify that a Windows Server 2003–based server running Microsoft® SQL Server™ can interact with a Windows NT 4.0–based server running the same application.


u Existing desktop applications run correctly when the domain infrastructure is migrated to Windows Server 2003 Active Directory.

u Existing applications that use integrated Windows security run correctly when the domain infrastructure is migrated to Windows Server 2003 Active Directory.

If you find that a server application cannot be migrated to a Windows Server 2003–based domain controller, you can try to reinstall the application or a later version of the application on a Windows Server 2003–based member server. If the application cannot run on a server that runs Windows Server 2003, you can continue to run the application on the server that runs Windows NT 4.0 or Windows 2000.

Provide feedback to the design team that the server application's domain cannot be upgraded in-place or consolidated and must remain until a version of the application that can run on a Windows Server 2003–based domain controller is available. As a long-term deployment goal, transition any applications that currently run on domain controllers to member servers.

Testing Deployment Processes

In a lab environment before the pilot program begins, the deployment team must test specific tasks that are essential to the Active Directory deployment process, such as testing account and resource migration from Windows NT 4.0 to Windows Server 2003 Active Directory.

To verify the deployment process in the lab environment:

u Test disaster recovery.

u Test account and resource migration.

u Evaluate delegation, administration, and management.

Test Disaster Recovery

Test disaster recovery in your lab environment to validate that users can log on within an acceptable response time until a failed domain controller is restored and to determine the time that is required to restore the failed domain controller.

To implement a disaster recovery process in your Active Directory deployment, back up the System State data on at least two domain controllers in the lab environment. After you back up the data, you need to test the validity of the backup tape and the restore process. Test the following scenarios:

u Perform a non-authoritative restore of the domain controller whose directory services database contains corrupted data.

u Perform an authoritative restore of a domain controller to restore Active Directory data that has been deleted.


Make sure that the tests represent the slowest connection speeds in your environment and the largest number of user accounts.

For example, when you determine the time that is required to restore a failed domain controller, make sure to test the restore of System State data from your backup for any domain controller that is the only one in a site that is connected with a data rate of 128 Kbps or less. In addition, test the restore of System State data from your backup for any domain controller in a domain that contains more than 20,000 user accounts.

When a domain controller is connected to other domain controllers with a data rate greater than 128 Kbps, test your process for installing Active Directory on a new domain controller and letting Active Directory replication repopulate the Active Directory database.
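The backup, the two restore scenarios and the restore timing above can be driven from a script so the lab runs are repeatable. The following is an added example, not code from the Resource Kit. It wraps the Windows Server 2003 tools (ntbackup.exe for the System State backup, ntdsutil.exe for the authoritative restore) and adds the check that lab teams most often skip: that the backup is younger than the forest's tombstone lifetime. It assumes the ActiveDirectory PowerShell module for the tombstoneLifetime lookup (Windows Server 2003 domain controllers need the Active Directory Management Gateway Service for that) and that the file paths and distinguished names shown are placeholders.

```powershell
# Added example, not code from the Resource Kit. Wraps the Windows Server 2003
# tools for the two restore scenarios and adds the check most often skipped in
# a lab: that the backup is younger than the tombstone lifetime.
# Assumptions: ntbackup.exe and ntdsutil.exe on the domain controller, the
# ActiveDirectory module for the tombstoneLifetime lookup (Windows Server 2003
# DCs need the Active Directory Management Gateway Service), and that the paths
# and DN below are placeholders.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # A System State backup older than the tombstone lifetime must not be
    # restored: the restored DC would reintroduce objects the other DCs have
    # deleted and already purged, and they would never be deleted again.
    # When the attribute is not set the directory uses 60 days.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { return [int]$ds.tombstoneLifetime }
    return 60
}

function Backup-DcSystemState {
    param(
        [Parameter(Mandatory)] [string] $BackupFile,       # e.g. D:\Backups\dc1-systemstate.bkf
        [string] $JobName = 'DC System State'
    )
    # Run on the DC itself. System State covers the Active Directory database,
    # SYSVOL, the registry and boot files; the elapsed time is what the restore
    # test later has to beat on the slow links.
    $elapsed = Measure-Command { & ntbackup.exe backup systemstate /J $JobName /F $BackupFile }
    [pscustomobject]@{ BackupFile = $BackupFile; Minutes = [math]::Round($elapsed.TotalMinutes, 1) }
}

function Test-BackupUsable {
    param([Parameter(Mandatory)] [string] $BackupFile)
    # First scenario (non-authoritative restore): before restoring a DC whose
    # database is corrupted, confirm the backup can still be replayed safely.
    $ageDays = ((Get-Date) - (Get-Item $BackupFile).LastWriteTime).TotalDays
    $ttl = Get-TombstoneLifetimeDays
    [pscustomobject]@{
        BackupFile            = $BackupFile
        AgeDays               = [math]::Round($ageDays, 1)
        TombstoneLifetimeDays = $ttl
        Usable                = ($ageDays -lt $ttl)
    }
}

function Set-AuthoritativeRestoreSubtree {
    param([Parameter(Mandatory)] [string] $SubtreeDN)   # e.g. OU=Sales,DC=east-test,DC=trccorp-test,DC=treyresearch,DC=net
    # Second scenario: after a non-authoritative restore in Directory Services
    # Restore Mode, and before the first normal restart, mark the deleted subtree
    # authoritative so its restored copy wins over the deletions the other DCs
    # hold. Everything outside the subtree stays non-authoritative and is brought
    # up to date by normal replication. Use a DN without spaces here, or quote it
    # for ntdsutil yourself.
    & ntdsutil.exe 'authoritative restore' "restore subtree $SubtreeDN" quit quit
}

# Usage on a lab DC, with placeholder paths:
# Backup-DcSystemState -BackupFile 'D:\Backups\dc1-systemstate.bkf'
# Test-BackupUsable    -BackupFile 'D:\Backups\dc1-systemstate.bkf'
```

Record the Minutes value from Backup-DcSystemState and the time taken by the matching restore for the single-DC sites on 128 Kbps links; those two numbers, not the LAN figures, are the ones that decide whether restoring from backup or re-promoting a fresh domain controller is the faster recovery for that site.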

For more information about testing disaster recovery, see the Active Directory Disaster Recovery (.doc) link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Test Account and Resource Migration

To test the deployment process for account and resource migration, use the procedures in the chapter for the restructure process that you are planning. Organizations that are planning to restructure Windows NT 4.0 domains can also perform the following tests of their restructure process:

To test the deployment process for account and resource migration

1. In two or more production Windows NT 4.0 account domains, create new backup domain controllers (BDCs).

2. Remove the new BDCs from the production network.

3. Install the new BDCs in the lab environment.

4. Promote the new BDCs to primary domain controllers (PDCs).

5. Perform in-place upgrades and restructure the account domains in your lab.

6. Perform account and resource migrations by using a migration tool such as the Active Directory Migration Tool (ADMT).

7. Verify that migrated accounts have access to resources and retain user profiles.
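Step 7 is where a migration test most often passes for the wrong reason: the account can reach the share because the resource was re-ACLed, or because an unexpected SID rode along in sIDHistory. The following is an added example, not code from the Resource Kit, that checks the migrated accounts directly. It assumes the ActiveDirectory PowerShell module on the host, that the Windows NT 4.0 source domain is reachable over the trust so its SID can be resolved, and that the OU, domain and share names in the usage lines are placeholders.

```powershell
# Added example, not code from the Resource Kit. Checks that accounts migrated
# with ADMT carry sIDHistory from the source domain and that they still match
# the ACEs on a migrated resource. Assumptions: the ActiveDirectory module on the
# host; the NT 4.0 source domain is reachable over the trust so its SID can be
# resolved; the OU, domain and share names are placeholders to replace.
Import-Module ActiveDirectory

function Get-NtDomainSid {
    param([Parameter(Mandatory)] [string] $NetBiosDomain)   # e.g. BOSTON
    # Resolve a well-known group of the source domain and take the domain part of
    # its SID; works against an NT 4.0 domain because it uses LSA lookup, not LDAP.
    $acct = New-Object System.Security.Principal.NTAccount("$NetBiosDomain\Domain Users")
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).AccountDomainSid.Value
}

function Test-MigratedAccounts {
    param(
        [Parameter(Mandatory)] [string] $TargetOU,        # OU that ADMT migrated the accounts into
        [Parameter(Mandatory)] [string] $SourceDomainSid  # output of Get-NtDomainSid
    )
    Get-ADUser -Filter * -SearchBase $TargetOU -Properties sIDHistory, profilePath | ForEach-Object {
        $history = @($_.sIDHistory | ForEach-Object { "$_" })
        $fromSource = @($history | Where-Object { $_ -like "$SourceDomainSid-*" })
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            NewSid            = $_.SID.Value
            HasSourceHistory  = ($fromSource.Count -gt 0)
            # sIDHistory is honoured by every ACL in the forest. Any entry that is
            # not from the source domain (another domain, or a well-known SID such
            # as S-1-5-32-544) is a finding, not a migration artifact.
            UnexpectedHistory = @($history | Where-Object { $_ -notlike "$SourceDomainSid-*" })
            ProfilePath       = $_.profilePath
            AllSids           = @($_.SID.Value) + $history
        }
    }
}

function Test-ResourceAccess {
    param(
        [Parameter(Mandatory)] [string]   $Path,   # UNC path of a migrated share or folder
        [Parameter(Mandatory)] [string[]] $Sids    # AllSids of one account from Test-MigratedAccounts
    )
    # Report the ACEs that name one of the account's SIDs. After the NT 4.0 domain
    # is retired, ACEs that still carry source-domain SIDs show up as raw SIDs and
    # are matched only through sIDHistory; a zero-row result for a user who could
    # access the share before migration means the resource needs re-ACLing.
    # Group membership is not expanded here; check that from a session as the user.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($Sids -contains $aceSid) {
            [pscustomobject]@{ Path = $Path; MatchedSid = $aceSid; Rights = $ace.FileSystemRights; Type = $ace.AccessControlType }
        }
    }
}

# Usage, with placeholder names:
# $src = Get-NtDomainSid -NetBiosDomain 'BOSTON'
# $accounts = Test-MigratedAccounts -TargetOU 'OU=Migrated,DC=east-test,DC=trccorp-test,DC=treyresearch,DC=net' -SourceDomainSid $src
# $accounts | Where-Object { -not $_.HasSourceHistory -or $_.UnexpectedHistory.Count }
# Test-ResourceAccess -Path '\\fileserver\projects' -Sids $accounts[0].AllSids
```

If an ACE matches only through a sIDHistory entry and the user still cannot reach the resource, check whether SID filtering is enabled on the trust between the pilot domain and the resource domain; with filtering on, the source-domain SIDs in sIDHistory are discarded from the token when the user crosses that trust.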


Evaluate Delegation, Administration, and Management

Evaluate the delegation, administration, and management processes by creating the organizational unit structure that is specified by your Active Directory design. Delegate control of organizational units to specific group accounts that are used for administration. Use these steps to verify the success of the delegation:

To verify successful delegation of control of OUs to specific groups

1. Log on as a user who belongs to the group account to which you delegated control.

2. Perform administration tasks on objects within the organizational unit (for example, modify the properties of a user in an account organizational unit).

3. Try to perform administrative tasks on organizational units to which the administration group has not been delegated control, and verify that these attempts fail.
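Both halves of this check, the positive test in step 2 and the negative test in step 3, plus a look at what the delegation actually granted, can be scripted. The following is an added example, not code from the Resource Kit. It assumes the ActiveDirectory PowerShell module (which provides the AD: drive used to read the OU's ACL) and that the OU names, group name and test accounts are placeholders to replace.

```powershell
# Added example, not code from the Resource Kit. Reads what an OU delegation
# granted and exercises it as a member of the delegated group, once where it
# should succeed and once where it should be refused. Assumptions: the
# ActiveDirectory module (AD: drive); OU, group and account names are placeholders.
Import-Module ActiveDirectory

function Get-DelegatedRights {
    param(
        [Parameter(Mandatory)] [string] $OU,        # e.g. OU=Boston Users,DC=east-test,DC=trccorp-test,DC=treyresearch,DC=net
        [Parameter(Mandatory)] [string] $GroupName  # sAMAccountName of the delegated group
    )
    # List the ACEs on the OU that name the delegated group, and flag rights that
    # give more than the delegation was meant to: GenericAll, WriteDacl and
    # WriteOwner let the holder rewrite the permissions themselves.
    $acl = Get-Acl -Path "AD:\$OU"
    foreach ($ace in ($acl.Access | Where-Object { $_.IdentityReference -like "*\$GroupName" })) {
        $rights = $ace.ActiveDirectoryRights.ToString()
        [pscustomobject]@{
            OU          = $OU
            Type        = $ace.AccessControlType
            Rights      = $rights
            ObjectType  = $ace.ObjectType        # GUID of the attribute or class; all zeros = any
            Inheritance = $ace.InheritanceType
            Inherited   = $ace.IsInherited       # $true means it came from a parent, not this OU
            OverBroad   = [bool]($rights -match 'GenericAll|WriteDacl|WriteOwner')
        }
    }
}

function Test-Delegation {
    param(
        [Parameter(Mandatory)] [pscredential] $DelegatedUser,   # a member of the delegated group
        [Parameter(Mandatory)] [string] $AllowedUserDN,         # a user inside the delegated OU
        [Parameter(Mandatory)] [string] $DeniedUserDN           # a user in an OU that was not delegated
    )
    # Step 2 and step 3 in one run: the same write must succeed in the delegated
    # OU and be refused outside it. Both outcomes are needed for a pass.
    $stamp = "delegation test " + (Get-Date -Format s)
    $results = @()
    foreach ($case in @(@{ Name = 'Allowed'; DN = $AllowedUserDN; Expect = $true },
                        @{ Name = 'Denied';  DN = $DeniedUserDN;  Expect = $false })) {
        $err = $null
        try {
            Set-ADUser -Identity $case.DN -Description $stamp -Credential $DelegatedUser -ErrorAction Stop
            $ok = $true
        } catch {
            $ok  = $false
            $err = $_.Exception.Message
        }
        $results += [pscustomobject]@{
            Case      = $case.Name
            Target    = $case.DN
            Succeeded = $ok
            Passed    = ($ok -eq $case.Expect)
            Error     = $err
        }
    }
    $results
}

# Usage, with placeholder names:
# Get-DelegatedRights -OU 'OU=Boston Users,DC=east-test,DC=trccorp-test,DC=treyresearch,DC=net' -GroupName 'Boston-Helpdesk'
# Test-Delegation -DelegatedUser (Get-Credential 'EAST-TEST\helpdesk1') `
#     -AllowedUserDN 'CN=Test User,OU=Boston Users,DC=east-test,DC=trccorp-test,DC=treyresearch,DC=net' `
#     -DeniedUserDN  'CN=Other User,OU=Servers,DC=east-test,DC=trccorp-test,DC=treyresearch,DC=net'
```

Run Get-DelegatedRights against the neighbouring OUs as well: an ACE that reports Inherited as $true on an OU that was never delegated means the delegation was applied too high in the tree, and step 3 will then pass only because the group happens to have no members yet.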

Verifying the Deployment in a Pilot Program

In the lab environment, you verify that the deployment process works outside of your production environment on accounts and resources that approximate your production environment. If your environment runs Windows 2000 Active Directory, use your existing pilot program to verify your Windows Server 2003 deployment. In the pilot deployment program, identify a controlled subset of the accounts (users, groups, and services) and resources that exist in the production environment. Perform the deployment process on the identified accounts and resources.

The goals of the pilot program include:

u Extend testing into a subset of the production environment.

u Provide a test environment for other design and deployment groups, such as Exchange 2000 deployment.

u Verify process and procedures for network and operating system infrastructure updates.

u Verify proper operation of application updates.

u Evaluate the impact of monitoring solutions on the network infrastructure and the servers that are being monitored.

u Discover any potential problems in the deployment process that are caused by complexities that could not be modeled in the lab environment.

u Revise the deployment process to correct any problems that you discovered before the production deployment.

In your pilot deployment, begin with users who are involved in the deployment project, and then include users who are representative of your user population.


To create a pilot deployment program in your environment

1. Create forest_root_domain (where forest_root_domain is the name of an empty Active Directory forest root domain, formed by appending “-test” to the leftmost label of the production forest root domain name).

2. Create regional_domain (where regional_domain is the regional domain name in the pilot program, formed by appending “-test” to the leftmost label of a production regional domain name and placing it under forest_root_domain).

3. Establish the appropriate trust relationships between regional_domain and winnt_domain (where winnt_domain is a Windows NT 4.0 account or resource domain).

4. Migrate selected accounts and resources from winnt_domain to regional_domain.

5. Verify that users and administrators can perform at least the same tasks that they performed before the migration (such as resource access, account administration, and resource administration).

Example: Creating a Pilot Deployment Program for Trey Research

Contoso corporation and Trey Research created a pilot deployment program for the Active Directory deployment. Table 1.5 lists the names that they provided for their pilot deployment.

Table 1.5 Example of a Pilot Deployment Program

Domain              Name
forest_root_domain  trccorp-test.treyresearch.net
regional_domain     east-test.trccorp-test.treyresearch.net
winnt_domain        BOSTON (account domain)
                    OFFICE-APPS (resource domain)

Figure 1.9 illustrates the pilot deployment configuration.

Important

When you migrate production users to the pilot, leave the user accounts enabled in the production and the pilot environments. By leaving the user accounts enabled in the production environment, you provide a fallback plan if any problems occur in the pilot environment.
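The fallback plan in this note only works if it is checked: a pilot user whose production account was disabled by a helpdesk ticket, or whose pilot account never got enabled, has no way back. The following is an added example, not code from the Resource Kit, that pairs each pilot account with its production original. It assumes the ActiveDirectory PowerShell module for the pilot forest, the WinNT ADSI provider (reachable over the trust) for the Windows NT 4.0 account domain, and that the OU and domain names are placeholders to replace.

```powershell
# Added example, not code from the Resource Kit. For every account in the pilot
# OU, confirms that the account is enabled in the pilot domain AND that the
# matching account in the Windows NT 4.0 production domain is still enabled.
# Assumptions: ActiveDirectory module for the pilot forest, WinNT ADSI provider
# over the trust for the NT 4.0 domain, placeholder OU and domain names.
Import-Module ActiveDirectory

function Test-PilotFallback {
    param(
        [Parameter(Mandatory)] [string] $PilotOU,          # e.g. OU=Pilot,DC=east-test,DC=trccorp-test,DC=treyresearch,DC=net
        [Parameter(Mandatory)] [string] $PilotDomain,      # e.g. east-test.trccorp-test.treyresearch.net
        [Parameter(Mandatory)] [string] $ProductionDomain  # NetBIOS name of the NT 4.0 account domain, e.g. BOSTON
    )
    Get-ADUser -Filter * -SearchBase $PilotOU -Server $PilotDomain | ForEach-Object {
        $sam = $_.SamAccountName
        $prodEnabled = $null                      # stays $null when no production account exists
        try {
            # UserFlags bit 0x2 (ADS_UF_ACCOUNTDISABLED) is the disabled flag in the
            # WinNT provider, the only LDAP-free way to read an NT 4.0 account.
            $prod  = [ADSI]"WinNT://$ProductionDomain/$sam,user"
            $flags = [int]$prod.Properties['UserFlags'].Value
            $prodEnabled = (($flags -band 2) -eq 0)
        } catch {
            # account not found in the production domain, or the trust is down
        }
        [pscustomobject]@{
            SamAccountName    = $sam
            PilotEnabled      = $_.Enabled
            ProductionEnabled = $prodEnabled
            FallbackAvailable = ($_.Enabled -and $prodEnabled -eq $true)
        }
    }
}

# Usage, with placeholder names:
# Test-PilotFallback -PilotOU 'OU=Pilot,DC=east-test,DC=trccorp-test,DC=treyresearch,DC=net' `
#     -PilotDomain 'east-test.trccorp-test.treyresearch.net' -ProductionDomain 'BOSTON' |
#     Where-Object { -not $_.FallbackAvailable }
```

Schedule the check for the life of the pilot rather than running it once: the production accounts are untouched by the migration, so anything that flips them later comes from ordinary administration, not from the pilot.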


Figure 1.9 Pilot Deployment Configuration: the pilot forest root domain trccorp-test.treyresearch.net with its regional domain east-test.trccorp-test.treyresearch.net, trusted to the Windows NT 4.0 domains BOSTON and OFFICE-APPS listed in Table 1.5.

Completing the Pilot Deployment Program

After you finish the pilot deployment program, retain the pilot deployment environment and use it as a staging environment for your production deployment. Continue to use the pilot forest to verify new deployment processes, such as adding new applications or schema extensions, installing operating systems, creating Group Policy objects, or restructuring organizational units.

As noted earlier, provide a fallback plan by leaving user accounts enabled in both the original production environment and the pilot deployment environment. Keep users in the pilot deployment environment to do their production work; do not migrate the accounts from the pilot deployment environment to the production forest. Instead, if you decide to move pilot users to another production forest, migrate them from their original production environment. This ensures that all users in the production forest have consistent accounts and makes troubleshooting easier.


Example: Completing the Pilot Deployment Program for Trey Research

Figure 1.10 shows a comparison between the design of the Active Directory pilot forest and the production forest deployment.

Figure 1.10 Comparison of the Pilot Forest and the Production Forest: the pilot forest consists of the forest root domain trccorp-test.treyresearch.net and the regional domain east-test.trccorp-test.treyresearch.net; the Trey Research production forest consists of the forest root domain trccorp.treyresearch.net and the regional domains east.trccorp.treyresearch.net and west.trccorp.treyresearch.net.

Additional Resources

These resources contain additional information and tools related to this chapter.

Related Information

u “Designing the Active Directory Logical Structure” in this book.

u “Designing the Site Topology” in this book.

u “Planning Domain Controller Capacity” in this book.

u “Enabling Advanced Windows Server 2003 Active Directory Features” in this book.

u “Deploying the Windows Server 2003 Forest Root Domain” in this book.


u “Deploying the Windows Server 2003 Regional Domains” in this book.

u “Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory” in this book.

u “Upgrading Windows 2000 Domains to Windows Server 2003 Domains” in this book.

u “Restructuring Windows NT 4.0 Domains to an Active Directory Forest” in this book.

u “Restructuring Active Directory Domains Between Forests” in this book.

u “Restructuring Active Directory Domains Within a Forest” in this book.

u “Deploying DNS” in Deploying Network Services in this kit.

u The Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Click “Planning & Deployment Guides” to find additional links where you can download the following guides:

u Active Directory Branch Office Planning Guide

u Active Directory Operations Guide

u Best Practice Active Directory Design for Exchange 2000

u Multiple Forest Considerations

u Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations: Part I

Related Help Topics

For best results in identifying Help topics by title, in Help and Support Center, under the Search box, click Set search options. Under Help Topics, select the Search in title only check box.

u “Active Directory” in Help and Support Center for Windows Server 2003.

u “Windows Support Tools” under “Tools” in Help and Support Center for Windows Server 2003.

