
Contents
• Overview
• Introduction to Domain Restructuring
• Understanding Domain Security
• Inter-Forest Restructuring
• Cloning Security Principals in an Inter-Forest Scenario
• Intra-Forest Restructuring
• Domain Restructure Tools
• Lab A: Performing Inter-Forest Domain Restructuring
• Review

Module 5: Restructuring Domains


Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, MS, Windows, Windows NT, Active Directory, and Windows 2000 are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Project Lead/Instructional Designer: Sangeeta Garg (NIIT (USA) Inc.)
Lead Program Manager: Angie Fultz
Instructional Designer: Robert Deupree (S&T OnSite)
Subject Matter Expert: Brian Komar (3947018 Manitoba Inc)
Technical Contributors: John Pritchard, Greg Parsons, David Cross, Rodney Fournier, Tony de Freitas, Christoph Felix, Shaun Hayes, Megan Camp, Richard Maring, Glenn Pittaway, Anne Hopkins, Bob Heath, Jeff Newfeld, Jim Glynn, Paul Thompson (Mission Critical Software, Inc.), David Stern, Lyle Curry, Steve Tate, Bill Wade (Wadeware LLC).
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T Onsite)
Testers: Testing Testing 123
Instructional Design Consultants: Susan Greenberg, Paul Howard
Instructional Design Contributor: Kathleen Norton
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editors: Marilyn McCune (Sole Proprietor), Wendy Cleary (S&T OnSite), Jane Ellen Combelic (S&T OnSite)
Copy Editor: Shawn Jackson (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Onsite)
Multimedia Development: Kelly Renner (Entex)
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T OnSite)
Courseware Testing: Data Dimensions, Inc.
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T Onsite)
Manufacturing Support: Laura King (S&T Onsite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Managers: Dean Murray, Ken Rosen
Group Product Manager: Robert Stewart


Instructor Notes

This module provides students with knowledge and ability to restructure domains.

At the end of this module, students will be able to:

• Describe the components of domain security and resource access.
• Describe inter-forest restructure scenarios.
• Examine the implications of inter-forest restructuring on security principals.
• Describe intra-forest restructure scenarios.
• Examine the implications of intra-forest restructuring on security principals.
• Describe and compare the various domain restructure tools.

Materials and Preparation

This section provides you with the required materials and preparation tasks that are needed to teach this module.

Required Materials

To teach this module, you need the following materials:

• Microsoft® PowerPoint® file 2010A_05.ppt
• Module 5, “Restructuring Domains”

Preparation Tasks

To prepare for this module, you should:

• Read all of the materials for this module.
• Complete the lab.
• Read all of the delivery tips.
• Read the white paper, Planning Migration from Microsoft Windows NT to Microsoft Windows 2000, on the Student Materials compact disc.
• Read chapter 9, “Planning the Active Directory Structure,” of the Windows 2000 Server Deployment Planning Guide on the Student Materials compact disc.
• Read chapter 10, “Determining Domain Migration Strategies,” of the Windows 2000 Server Deployment Planning Guide on the Student Materials compact disc.
• Read the Microsoft Excel spreadsheet, Migration Tool Comparison, on the Student Materials compact disc.

Presentation: 60 Minutes

Lab: 90 Minutes


Module Strategy

Use the following strategy to present this module:

• Introduction to Domain Restructuring

The module begins with a summary of what a domain restructure is. Give a brief explanation of what inter-forest and intra-forest restructuring are and when students can perform them. In your introduction, you may want to review the reasons why an organization might choose domain restructure and the benefits of this migration path.

• Understanding Domain Security

Explain what a security identifier (SID) is.

Students may ask what credentials are required for logon authentication. A user provides the system with the following set of credentials: the user name, the domain to be logged on to, and a password (or smart card). Remind students that discretionary access control lists (DACLs) exist on files, shares, the registry, and Active Directory™ directory service objects. Emphasize that the authorization process is automatic and transparent to users.

Students may ask what the difference is between SIDs, relative identifiers (RIDs), object identifiers, and globally unique identifiers (GUIDs). Be prepared to define these terms for them.

Explain sIDHistory.

Emphasize that sIDHistory is not known to cause any performance problems by making the access token larger, but that it is still good practice to remove unwanted sIDHistory values when the original domain is decommissioned. This is discussed later in this module.

• Inter-Forest Restructuring

Describe the inter-forest restructure scenarios. Provide enough detail so that students understand the difference between restructuring an account and a resource domain. Mention that restructuring between two Microsoft Windows® 2000 forests would occur in corporate merger situations, but that such a scenario is outside the scope of this course.

Emphasize that in an inter-forest scenario, user, global, and shared local group accounts are cloned by using the ClonePrincipal utility or the Active Directory Migration Tool (ADMT), while computer accounts are moved by using Netdom or the ADMT.

Explain the requirements and restrictions that apply for inter-forest restructuring. The lab takes students through each of the steps in preparing the environment for restructuring.

• Cloning Security Principals

On each page, explain the process and implications of cloning users, global and universal groups, computers and local group accounts, and local groups on domain controllers. Students may find this section more interesting if you use the ADMT to demonstrate cloning operations for each type of security principal.


• Intra-Forest Restructuring

Describe the intra-forest restructure scenarios. Make sure that students understand that objects are moved between domains of the same forest. Objects cannot be cloned in this scenario.

Explain the requirements for intra-forest restructuring. Intra-forest restructuring is not covered in the hands-on lab, and you will not be able to demonstrate these operations.

• Moving Security Principals

Explain the implications of using closed sets to move users and global groups, domain local groups, computers and local accounts, and domain controllers. Computers, local accounts, and domain controllers are moved in the same way in an intra-forest scenario as they are in an inter-forest scenario.

Emphasize that moving a security principal between domains has the effect of changing the security principal’s SID, just as cloning an account does.

• Domain Restructure Tools

Describe and compare the tools for domain restructuring.

This section is an overview of the migration tools that Microsoft provides. The characteristics and functionality of each tool differ widely. Encourage students to thoroughly investigate and test each tool prior to beginning their migrations.

Students may have questions about the details and specific functionality of each tool. Tell them that they can refer to the migration tools comparison table on the Student Materials compact disc. Be sure also to point students to the Help files, where they can obtain additional information on the tools. Consider demonstrating the ADMT interface, showing the list of wizards available.

You may want to mention third-party migration tools that Microsoft endorses, which can be found on the Microsoft Web site.


Overview

• Introduction to Domain Restructuring
• Understanding Domain Security
• Inter-Forest Restructuring
• Cloning Security Principals in an Inter-Forest Scenario
• Intra-Forest Restructuring
• Moving Security Principals
• Domain Restructure Tools

Domain restructuring implies a redesign of the existing domain environment and is usually undertaken because the existing model is outdated or no longer supports business needs.

The purpose of this module is to explain how to restructure domains and to discuss the implications that restructuring domains has on security principals. The module also explains some restructure scenarios that facilitate the movement of users and resources from a Microsoft® Windows NT® version 4.0 source domain to a Microsoft Windows® 2000 target domain, or from a Windows 2000 domain in one forest to a Windows 2000 domain in another forest. The remainder of this module describes the various tools that assist you in restructuring your domains during migration.

At the end of this module, you will be able to:

• Describe the components of domain security and resource access.
• Describe inter-forest restructure scenarios.
• Examine the implications of inter-forest restructuring on security principals.
• Describe intra-forest restructure scenarios.
• Examine the implications of intra-forest restructuring on security principals.
• Describe and compare the various domain restructure tools.

Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about: the implications of restructuring on security principals, restructuring scenarios, requirements and steps for migrating security principals and resources, and restructure tools.


Introduction to Domain Restructuring

• Domain Restructuring Allows You to Redesign the Forest According to the Needs of Your Organization
• Domain Restructuring Can Involve:
  • Inter-forest copy operations
  • Intra-forest move operations

Where domain upgrade maintains the existing domain structure, domain restructuring as a migration path allows you to redesign the domain environment according to the needs of your organization.

Domain restructuring can involve inter-forest copy operations or intra-forest move operations. In inter-forest restructuring, security principals are copied from a Windows NT 4.0 domain to a Windows 2000 domain, or from a Windows 2000 domain in one forest to a Windows 2000 domain in another forest. Intra-forest restructuring involves moving security principals from one Windows 2000 domain to another in the same forest.

There are specific issues with restructuring security principals from a Windows NT 3.51 domain. For more information, refer to the white paper, Planning Migration from Windows NT to Windows 2000, which is located on the Student Materials compact disc.



Understanding Domain Security

[Slide graphic: “SIDhistory grants access for moved user.” The moved user’s access token holds the user’s primary SID, the sIDHistory of the user, and the SIDs (and sIDHistory) of the groups to which the user belongs; the ACL on the source shared folder grants Read and Write to one of the old-domain SIDs that the token carries only through sIDHistory.]

Windows NT 4.0 and Windows 2000 domain security depends on security identifiers (SIDs). SIDs are domain-specific identifiers that the operating system uses to distinguish security principals, such as users, groups, and computers. While the user interface displays security principals as names, the operating system maps these names to SIDs for logon authentication, permissions assignment, and resource authorization.

When logging on, authenticating users present to the system a set of credentials, including their display user names. If the credentials match those that the system has on record, the user is authenticated and granted an access token. The access token is a key that enables access to network resources. It consists of a list of SIDs that identify the user and the groups of which he or she is a member, in addition to the various system rights granted to the user.

Discretionary access control lists (DACLs), which administrators use to define access permissions on resources, contain user and group SIDs and the access permissions granted to each security principal. When a user attempts to access a resource, his or her access token (granted at logon), together with the type of access requested (read, write, and so on), is compared with the SIDs in the DACL of the resource being requested. If the SIDs match, the user is granted the permissions defined in the DACL.

Resolving SIDs After Restructuring

SIDs are specific to domains. The only way to move or copy a security principal between domains is to create a new object in the target domain. Creating a new security principal in the target domain assigns a new SID to the object. Prior to Windows 2000, granting resource access to the new security principal required searching the source domain and trusting domains looking for references to the old SID, and then adding the new SID to resource DACLs.


A Windows 2000 Active Directory™ directory service attribute called sIDHistory makes this situation considerably easier. sIDHistory is an attribute of security principal objects that is used to store the former SIDs of restructured security principals. The sIDHistory value ensures that appropriate access is granted after restructuring, even on systems that predate Windows 2000 or Active Directory.

The sIDHistory attribute of a migrated object is updated with its former SID as part of the migration operation. When the user logs on to the system with a migrated account, the system retrieves the user’s primary SID and the entries in the user’s sIDHistory and adds them to the user’s access token. Because groups are security principals with a sIDHistory attribute, the sIDHistory of all the groups of which the user is a member is also added to the user’s access token when he or she logs on.

The value of the sIDHistory attribute can be populated only in native-mode Windows 2000 domains, which has the effect of requiring all migration operations relying on sIDHistory to have a native-mode target domain for restructure.
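The logon and access-check flow described above, as an added Python example that is not code from this course: it builds an access token from a cloned user’s primary SID, sIDHistory and group SIDs, evaluates the DACL still present on a source shared folder, lists the ACEs that match only through sIDHistory (the ones to re-ACL before the source domain is decommissioned), and then removes the sIDHistory values as the instructor notes recommend. The two domain identifiers are the ones on the slide; the user, group, RIDs, access-mask bits and DACL are constructed.

```python
"""Access-token evaluation with sIDHistory: added illustration, not code from the
course. Domain identifiers are the two from the slide; the user, group, RIDs,
access masks and shared-folder DACL are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

READ, WRITE = 0x1, 0x2   # simplified access-mask bits
SOURCE_DOMAIN = "S-1-5-21-645522239-1957994488-725345543"   # NT 4.0 domain being retired
TARGET_DOMAIN = "S-1-5-21-397955417-626881126-188441444"    # native-mode Windows 2000 domain


def split_sid(sid: str) -> tuple[str, int]:
    """Return (domain identifier, RID) for a string SID; reject malformed input."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


@dataclass
class Principal:
    name: str
    sid: str                                              # primary SID issued by the owning domain
    sid_history: list[str] = field(default_factory=list)  # former SIDs written by the migration tool
    member_of: list["Principal"] = field(default_factory=list)


@dataclass
class Ace:
    allow: bool   # False means an access-denied ACE
    sid: str
    mask: int


def build_token(user: Principal) -> set[str]:
    """Mimic logon: the token holds the user's primary SID and sIDHistory entries,
    plus the primary SID and sIDHistory of every group the user belongs to."""
    token = {user.sid, *user.sid_history}
    for group in user.member_of:
        token.add(group.sid)
        token.update(group.sid_history)
    return token


def access_check(dacl: list[Ace], token: set[str], requested: int) -> bool:
    """Walk the DACL in order. Allow ACEs accumulate granted bits; a deny ACE that
    matches a token SID and covers a still-ungranted bit ends the check. An
    empty DACL grants nothing."""
    remaining = requested
    for ace in dacl:
        if ace.sid not in token:
            continue
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
        elif ace.mask & remaining:
            return False
    return False


def sidhistory_dependencies(dacl: list[Ace], user: Principal) -> list[str]:
    """ACE SIDs that match the user's token only through sIDHistory values. Such
    resources must be re-ACLed to the new SIDs before the source domain is
    decommissioned and the sIDHistory values are removed."""
    primary = {user.sid, *(g.sid for g in user.member_of)}
    token = build_token(user)
    return [ace.sid for ace in dacl if ace.sid in token and ace.sid not in primary]


def remove_sid_history(user: Principal, domain: str) -> int:
    """Drop sIDHistory entries issued by `domain` from the user and its groups
    (the clean-up step after that domain is decommissioned). Returns the count."""
    removed = 0
    for principal in [user, *user.member_of]:
        keep = [s for s in principal.sid_history if split_sid(s)[0] != domain]
        removed += len(principal.sid_history) - len(keep)
        principal.sid_history = keep
    return removed


def demo() -> dict[str, bool]:
    """A cloned user and its cloned global group, checked against the DACL that
    the source shared folder still carries (it names old-domain SIDs only)."""
    sales = Principal("Sales", f"{TARGET_DOMAIN}-101018", [f"{SOURCE_DOMAIN}-1109"])
    user = Principal("jdoe", f"{TARGET_DOMAIN}-2812048", [f"{SOURCE_DOMAIN}-1108"], [sales])
    dacl = [Ace(True, f"{SOURCE_DOMAIN}-1108", READ | WRITE),
            Ace(True, f"{SOURCE_DOMAIN}-1109", READ)]
    before = access_check(dacl, build_token(user), READ | WRITE)
    needs_reacl = sidhistory_dependencies(dacl, user)
    remove_sid_history(user, SOURCE_DOMAIN)      # source domain decommissioned
    after = access_check(dacl, build_token(user), READ)
    return {"access_via_sidhistory": before, "reacl_needed": bool(needs_reacl),
            "access_after_cleanup": after}


if __name__ == "__main__":
    print(demo())
```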


Inter-Forest Restructuring

• Inter-Forest Restructure Scenarios
• Requirements for Inter-Forest Restructuring
• Restrictions for Inter-Forest Restructuring

Inter-forest restructuring is a migration path that involves copying accounts from a Windows NT 4.0 domain to a Windows 2000 domain, or from a Windows 2000 domain in one forest to a Windows 2000 domain in another forest.

Inter-forest restructuring is sometimes referred to as prune and graft, a more complex migration scenario used to relocate security principals between two Windows 2000 forests in cases of corporate mergers or acquisitions.

Slide Objective: To define inter-forest restructuring.
Lead-in: Inter-forest restructuring is used to migrate a Windows NT 4.0 domain environment to a Windows 2000 forest. Define inter-forest restructuring and the scenarios that it encompasses.


Inter-Forest Restructure Scenarios

[Slide graphic: a source account domain and a source resource domain restructured into target organizational units (OUs).]

• Restructuring a Windows NT 4.0 Account Domain
• Restructuring a Windows NT 4.0 Resource Domain
• Restructuring Between Two Windows 2000 Forests

The inter-forest restructure scenarios include Windows NT or Windows 2000 to Windows 2000 account migration, and Windows NT or Windows 2000 to Windows 2000 resource migration.

Restructuring a Windows NT 4.0 Account Domain

Restructuring a Windows NT 4.0 account domain involves incrementally copying users and groups from a Windows NT 4.0 account domain to a parallel Windows 2000 Active Directory environment. This environment operates in tandem with the existing Windows NT 4.0 network and reflects the forest proposed by the Active Directory design.

In this scenario, Windows NT 4.0 user, global, and shared local group accounts are copied from the source domain to the pristine environment. While this migration path is more expensive because of the hardware requirements of creating a duplicate environment, it ensures that you can recover from problems during migration because the original accounts remain untouched during the process. By migrating the sIDHistory, this scenario also preserves existing resource access until access through the cloned accounts is fully tested. After the users and groups have all been copied to Active Directory, the environment has been tested, and the new accounts are in use, the Windows NT 4.0 domain can be decommissioned.

Restructuring a Windows NT 4.0 Resource Domain

An inter-forest scenario may also involve restructuring resources. Collapsing a Windows NT 4.0 resource domain into an organizational unit (OU) in a destination Windows 2000 domain reduces the number of domains and the administrative cost of managing trust relationships.

In this scenario, a combination of copying and moving techniques is used to restructure the resource domain. Computer accounts for workstations and member servers are moved or copied to the destination domain. Shared local groups residing on a Windows NT 4.0 domain controller must also be cloned to the target domain.

Slide Objective: To describe the inter-forest restructure scenarios.
Lead-in: The inter-forest restructure scenarios include Windows NT or Windows 2000 to Windows 2000 account migration, and Windows NT or Windows 2000 to Windows 2000 resource migration. Use the slide to discuss the three inter-forest restructure scenarios, providing an overview of the steps in each scenario’s migration process. Mention that migration tools facilitate each step in the process.
Delivery Tip: Do not spend too much time explaining the specifics of the tools at this point. This will be covered in more detail later in the module.


You can redeploy Windows NT 4.0 domain controllers to the target domain by:

• Upgrading to Windows 2000 Server, whereupon they can join the Active Directory forest as a member server or domain controller, or
• Demoting to a member server, which requires reinstalling Windows NT 4.0. Then the member server account can be moved to the Active Directory forest.

After all accounts have been migrated and resource servers have joined the forest, you can completely decommission the Windows NT 4.0 resource domain.

Restructuring Between Two Windows 2000 Forests

You may use inter-forest restructuring to cut the accounts and resources from one Active Directory forest and paste them into another, for example from a pilot forest into a production environment, or between the forests of two separate organizations. In this scenario, users, groups, computers, and resources are migrated to a target domain in an Active Directory forest. Domain controllers can be demoted out of the source domain and promoted to domain replicas in the target forest.

You cannot truly combine forests because there is currently no way to merge the schemas of separate Active Directory forests.


Requirements for Inter-Forest Restructuring

• Target Domain Must Be a Native Mode Windows 2000 Domain
• Source Domain Controller Must Have the Following Registry Entry:
  HKEY_LOCAL_MACHINE | System | CurrentControlSet | Control | Lsa
  TcpipClientSupport:REG_DWORD:0X1
• User Performing the Restructure Must Have Administrator Privileges in the Source and Target Domains
• Auditing Must Be Enabled on Both Source and Target Domains
• A Local Group Must Be Created in the Source Domain

Because cloning is a security-sensitive operation, the following must be in place before using the migration tools to perform inter-forest restructuring:

• The target domain must be a native-mode Windows 2000 domain if sIDHistory will be migrated.
• The source domain controller’s registry must contain the following non-default registry entry:
  HKEY_LOCAL_MACHINE | System | CurrentControlSet | Control | Lsa
  TcpipClientSupport: REG_DWORD:0X1

Important: Be sure to restart after making this change to the server.

• The user performing the restructure operation must be a member of Domain Admins in the target domain and have administrative privileges in the source and target domains.
• Account auditing must be enabled on both the source and target domains. For a Windows NT 4.0 domain, success and failure Group Management auditing must be enabled on the primary domain controller (PDC). For a Windows 2000 domain, Audit account management must be enabled on the Default Domain Controllers Policy.
• A local group, sourcedomainname$$$, must be created in the source domain; for example, Contoso$$$. This group is used for auditing and must be empty.

Slide Objective: To explain the requirements for performing an inter-forest restructuring.
Lead-in: Because cloning is a security-sensitive operation, you must prepare an appropriate environment before performing inter-forest restructuring. Explain the requirements for performing an inter-forest restructuring.
Delivery Tip: In the lab, students will follow each of the steps required to prepare the target and source domains for restructuring.


Restrictions for Inter-Forest Restructuring

• Source Domain Controller Must Be PDC or PDC Emulator of Windows 2000 Domain
• Source Domain Must Not Be in Same Forest as Target Domain
• Source Object Must Be a User or Security-Enabled Group
• SID of the Source Object Must Not Already Exist in Target Forest
• Tools Must Be Run on Target Domain Controller

Some of the restrictions that apply when performing an inter-forest restructuring are:

• The source domain controller must be the PDC (Windows NT 4.0) or PDC Emulator of a Windows 2000 native- or mixed-mode domain.
• The source domain must not be in the same forest as the target domain.
• The source object must be a user account or security-enabled group.
• The SID of the source object must not already exist in the target forest, either as a primary account SID or in the sIDHistory of an account.

Important: Certain objects, such as built-in groups and accounts that have well-known SIDs or well-known relative identifiers (RIDs), cannot be migrated. For details on these accounts, see the white paper, Planning Migration from Microsoft Windows NT to Microsoft Windows 2000, on the Student Materials compact disc.

• The migration tools must be run on the target domain controller. Physical access to the target computer is required unless Windows Terminal Services are used to run tools remotely.

Slide Objective: To explain what restrictions apply when performing an inter-forest restructuring.
Lead-in: Several restrictions apply when performing an inter-forest restructuring. Use the slide to discuss each of the rules that must be followed when performing inter-forest restructuring.
Delivery Tip: If students ask what security-enabled groups are, explain that these include global groups, Windows 2000 domain local groups, and Windows NT 4.0 shared local groups.
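The requirements and restrictions listed in the two preceding pages, expressed as pre-flight checks that a migration operator could run before cloning; this is an added Python example, not part of the course or of ClonePrincipal or the ADMT. The domain names, SIDs and inventory values are constructed, and the rule that RIDs below 1000 denote well-known (built-in) accounts is this example’s assumption.

```python
"""Pre-flight checks for an inter-forest clone: added illustration, not part of the
course or of the Microsoft migration tools. All inventory values are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

FIRST_ALLOCATED_RID = 1000   # assumption: RIDs below this are well-known/built-in accounts


@dataclass
class SourceDomain:
    netbios_name: str
    forest: Optional[str]        # None for a Windows NT 4.0 domain (no forest)
    dc_role: str                 # role of the DC the tool is pointed at: "PDC", "PDC Emulator", "BDC"
    tcpip_client_support: int    # HKLM | System | CurrentControlSet | Control | Lsa, TcpipClientSupport
    account_audit_enabled: bool  # Group Management (NT 4.0) or Audit account management (2000)
    local_groups: dict[str, list[str]] = field(default_factory=dict)  # group name -> members


@dataclass
class TargetForest:
    name: str
    native_mode: bool
    account_audit_enabled: bool
    operator_is_domain_admin: bool
    tool_runs_on_target_dc: bool
    known_sids: set[str] = field(default_factory=set)  # every primary SID and sIDHistory value


@dataclass
class SourceObject:
    name: str
    sid: str
    kind: str                      # "user", "group" or "computer"
    security_enabled: bool = True  # groups only; a distribution group is not security-enabled


def environment_problems(src: SourceDomain, dst: TargetForest) -> list[str]:
    """Requirements and restrictions that apply to the whole cloning operation."""
    problems = []
    if not dst.native_mode:
        problems.append("target domain must be native mode to populate sIDHistory")
    if src.tcpip_client_support != 1:
        problems.append("source DC: TcpipClientSupport must be REG_DWORD 0x1 (restart after setting)")
    if not dst.operator_is_domain_admin:
        problems.append("operator must be a member of Domain Admins in the target domain")
    if not (src.account_audit_enabled and dst.account_audit_enabled):
        problems.append("account management auditing must be enabled in source and target")
    audit_group = f"{src.netbios_name}$$$"          # sourcedomainname$$$, used for auditing
    members = src.local_groups.get(audit_group)
    if members is None:
        problems.append(f"local group {audit_group} must exist in the source domain")
    elif members:
        problems.append(f"local group {audit_group} must be empty")
    if src.dc_role not in ("PDC", "PDC Emulator"):
        problems.append("source DC must be the PDC or the PDC Emulator")
    if src.forest is not None and src.forest == dst.name:
        problems.append("source domain is in the target forest: cloning is inter-forest only")
    if not dst.tool_runs_on_target_dc:
        problems.append("migration tool must run on the target domain controller")
    return problems


def object_problems(obj: SourceObject, dst: TargetForest) -> list[str]:
    """Restrictions checked for each source object individually."""
    problems = []
    if obj.kind not in ("user", "group"):
        problems.append(f"{obj.name}: only users and groups are cloned; move computer accounts instead")
    elif obj.kind == "group" and not obj.security_enabled:
        problems.append(f"{obj.name}: group must be security-enabled")
    if int(obj.sid.rsplit("-", 1)[1]) < FIRST_ALLOCATED_RID:
        problems.append(f"{obj.name}: well-known RID, built-in accounts cannot be migrated")
    if obj.sid in dst.known_sids:
        problems.append(f"{obj.name}: SID already exists in the target forest (primary or sIDHistory)")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed NT 4.0 source domain CONTOSO and a prepared target forest."""
    src = SourceDomain("CONTOSO", None, "PDC", 1, True, {"CONTOSO$$$": []})
    dst = TargetForest("nwtraders.msft", True, True, True, True,
                       known_sids={"S-1-5-21-645522239-1957994488-725345543-1108"})
    objects = [
        SourceObject("jdoe", "S-1-5-21-645522239-1957994488-725345543-1107", "user"),
        SourceObject("Sales", "S-1-5-21-645522239-1957994488-725345543-1108", "group"),  # cloned earlier
        SourceObject("Administrator", "S-1-5-21-645522239-1957994488-725345543-500", "user"),
        SourceObject("WKS01$", "S-1-5-21-645522239-1957994488-725345543-1200", "computer"),
    ]
    per_object = [p for obj in objects for p in object_problems(obj, dst)]
    return environment_problems(src, dst), per_object


if __name__ == "__main__":
    env, objs = demo()
    print("environment:", env or "ok")
    print("objects:", objs or "ok")
```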


Cloning Security Principals in an Inter-Forest Scenario

• Cloning Users
• Cloning Global Groups
• Cloning Universal Groups
• Cloning Domain Local Groups
• Cloning Local Groups
• Moving Computer Accounts

Cloning, or copying security principals, is the most common inter-forest migration operation. A clone is an account in a native-mode Windows 2000 domain containing properties that have been copied from a source account. The source account may reside in a Windows NT 4.0 domain or a Windows 2000 domain in a separate forest.

Cloning is not possible between domains in the same forest.

Although a clone has a different primary SID than the source account, the sIDHistory attribute retains the SID of the source account. Populating the sIDHistory attribute with the SID of a source account allows the clone the same access to network resources available to the source account, provided that appropriate trusts exist from the resource domains to the clone’s account domain.

One advantage to cloning is that it does not disrupt the existing production environment. Users are cloned to a parallel environment, allowing them to log on by using their cloned account in Active Directory while maintaining the ability to fall back to the source account from the production environment, if necessary, until the target domain is decommissioned.

Cloning is only possible between domains in different forests (inter-forest). Moving objects while updating sIDHistory is only possible between domains in the same Windows 2000 forest (intra-forest).



Cloning Users

• Cloned Users Are Automatically Made Members of Domain Users
• User’s Membership in Groups Is Automatically Restored

When you clone a user, you can add the SID of the original account to the target account’s sIDHistory attribute to retain access to resources in the source environment. Cloned users are automatically made members of Domain Users. Global or universal groups of which the source account was a member are restored in the target domain if those groups have been previously copied. If the source groups are cloned after the user, the cloned user membership is restored automatically at this time.

You use ClonePrincipal and the Active Directory Migration Tool (ADMT) to clone user accounts for inter-forest restructuring.

When you clone user accounts with the ClonePrincipal utility, the source accounts are automatically disabled. You can configure the ADMT to disable either the source or target account.

Not all source account properties are copied during cloning operations. For more information on the properties that are copied during migration, see the white paper, Planning Migration from Microsoft Windows NT to Microsoft Windows 2000, on the Student Materials compact disc.

Slide Objective: To explain the implications of cloning users.
Lead-in: Cloned users are automatically made members of Domain Users.
Key Points: Cloned users retain access to source resources through the sIDHistory attribute. Cloned users become members of the target Domain Users group. Users that are members of any groups will retain their membership after both the user and group accounts are cloned.
Delivery Tip: You may want to demonstrate cloning users with the ADMT. Students may have questions about what properties are cloned with the user. When cloning users in the lab, they will see some of the properties that are migrated. For a complete list, refer them to the white paper mentioned on this page.


Cloning Global and Universal Groups

• Cloning Global and Universal Groups Populates the sIDHistory Value of the New Cloned Account
• Cloned Group Membership Is Automatically Restored to Reflect That of the Source Account

When cloning global or universal groups, the primary SID of the source group is retained as the sIDHistory value of the new cloned account. The membership of the target group is restored to reflect that of the source account if member clone accounts exist. If the member accounts are cloned after the group, membership is restored at that time. This is also true for nested groups when cloning from a Windows 2000 source domain.

You use ClonePrincipal and the ADMT to clone group accounts for inter-forest restructuring.

During the cloning operation, you can merge multiple source groups into a single target group. When collapsing multiple Windows NT account domains into the same Windows 2000 domain, this feature has the advantage of allowing global groups to be combined.

Slide Objective: To explain the implications of cloning global and universal groups.
Lead-in: When cloning global or universal groups, the primary SID of the source group is retained as the sIDHistory value of the new cloned account.
Key Points: Cloning global and universal groups populates the sIDHistory value of the new cloned account. Group membership is restored after the group and its members are cloned.
Delivery Tip: In the lab, students will clone groups with and without their members to see how the membership is populated after cloning operations. You may want to demonstrate how groups are cloned using the ADMT.


Migrating Computers and Local Group Accounts

• Local Groups on Moved Computers Are Unaffected by Migration
• DACLs Referencing Local Groups Are Unaffected

In an inter-forest restructure scenario, workstation and member server computer accounts are migrated to the target domain. Computer accounts are not cloned; they must be moved to the target domain. You can accomplish this remotely by moving the account to the target domain by using the ADMT or Netdom migration tools. You can also manually configure each computer to join the target domain.

As a part of the local Security Accounts Manager (SAM) database, local group accounts and their properties are migrated when the computer on which they reside joins the target domain. This means that local groups are unaffected by migration, so their SIDs do not need to be changed.

Local groups provide access to resources on the computer on which they reside. Permissions granted to local groups in resource DACLs on the moved computer will be maintained. Resource access will continue to function properly, provided that appropriate trusts to the target domain exist.

If local groups contain members from trusted domains, trusts must exist between the target domain and any domains in which those local group members reside.

(20)

Cloning Local Groups on Domain Controllers

• The sIDHistory Attribute Is by Default Populated for Cloned Shared Local Groups
• Shared Local Groups Are Converted to Domain Local Groups in the Target Domain

Shared local groups reside on Windows NT 4.0 PDCs and are shared between the PDC and all backup domain controllers (BDCs) in the same domain. The membership of this type of account can consist of accounts from any trusted Windows NT or Windows 2000 domain.

When a shared local group is cloned, the sIDHistory of the former account is retained, and a domain local group is created in the target domain. Shared local groups are converted to domain local groups when cloned because the target domain is in native mode.

To clone shared local groups, the ADMT tool is recommended because it is the easiest and most comprehensive way to migrate local groups. The ADMT will copy the local group and populate its membership automatically if the member accounts are migrated at the same time.

Retaining membership in cloned shared local groups is more complex when using ClonePrincipal, as opposed to using the ADMT. See the Windows 2000 Support Tools Help files located in the support folder on the Windows 2000 Server compact disc for more information.

To ensure that resource permissions granted to the cloned local group still function, you must establish appropriate trusts. If the shared local group contained members from trusted domains, you must establish a trust between the target domain where the clone account resides and the domain where the group members reside.

The Netdom and ADMT utilities can assist in identifying and establishing the appropriate trusts when cloning shared local groups.

Slide Objective: To explain the implications of cloning local groups on domain controllers.
Lead-in: The migration tools handle local group cloning differently.
Key Points: Define shared local group. It is easiest to clone shared local groups with the ADMT. To ensure that resource permissions assigned to local groups continue to access resources in the source environment, you must establish appropriate trusts.

Moving Domain Controllers

• To Move Windows NT 4.0 Domain Controllers:
  - Upgrade the domain controller to Windows 2000 Server and then configure it to join the target domain
  OR
  - Reinstall the server as a Windows NT 4.0 member server and then configure it to join the target domain
• To Move Windows 2000 Domain Controllers:
  - Demote the domain controller to a member server
  - Configure the server to join the target domain

Once you clone user, group, and computer accounts to the target domain, you can migrate domain controllers. Domain controllers, like other computer accounts, cannot be cloned in any migration scenario. Domain controllers must be moved. Moving domain controllers is one of the final steps in inter-forest domain restructuring and, in effect, decommissions the source domain.

If the domain controller is a Windows NT 4.0 PDC or BDC, there are two ways to move the computer:

• Upgrade the domain controller to Windows 2000 Server. When the Active Directory Installation wizard runs, you can configure the computer to join the target domain.

• Reinstall the server as a Windows NT 4.0 member server, at which point the server's computer account can be moved in the same way that other computer accounts are moved. Once the server is a member of the target domain, it can be maintained as a member server or be promoted as a replica domain controller to support the target domain.

When upgrading domain controllers, you must always upgrade the PDC first.

If you are moving a BDC that is also an application server and you select to reinstall it as a member server, make sure that all application data is backed up prior to the upgrade and then restored after the operating system reinstallation is completed.

The only way to move Windows 2000 domain controllers is to demote the domain controller to a member server, whereupon the member server can join the target domain, or the account may be moved by using the Netdom or ADMT utility in the same way that other computer accounts are moved.

Slide Objective: To explain the requirements for moving domain controllers.
Lead-in: Moving domain controllers is one of the final steps in inter-forest domain restructuring and, in effect, decommissions the source domain.
Key Points: Domain controllers are moved, not cloned. To move a Windows NT 4.0 domain controller, you must either upgrade it to Windows 2000 or reinstall it as a Windows NT 4.0 member server. After you perform one of these steps, the server can join the target domain. To move a Windows 2000 domain controller, you must first demote it to a member server.

Intra-Forest Restructuring

• Intra-Forest Restructuring Scenarios
• Requirements for Intra-Forest Restructuring
• Restrictions for Intra-Forest Restructuring

Intra-forest restructuring involves moving security principals between two Windows 2000 domains in the same Active Directory forest. Intra-forest restructuring is most common in two-phased migrations where organizations choose to restructure after fully upgrading the existing Windows NT 4.0 domain model. Some organizations may also require intra-forest restructuring to perform the more complex Active Directory redesigns required by a corporate reorganization.

Intra-Forest Restructuring Scenarios

(Slide diagram: Source domain and Target domain.)

Over time, accounts may need to be moved between domains when a user transfers from one division of an organization to another. Changes in business needs may influence more dramatic changes in the forest design (such as merging domains to create a smaller Active Directory), prompting postmigration intra-forest restructuring.

Moving is the only migration operation in an intra-forest scenario. Moving security principals between Windows 2000 domains imposes a certain amount of risk to the production environment and does not provide fallback, because in a move operation the source account is deleted.

Slide Objective: To describe an intra-forest restructure scenario.
Lead-in: Intra-forest restructuring involves moving security principals between two domains in the same Active Directory forest.
Key Point: Emphasize that moving security principals does not provide easy fallback because the source account is deleted during the move operation.
Delivery Tip: Demonstrating intra-forest migration operations is not possible with the default classroom setup.

Requirements for Intra-Forest Restructuring

• Target Domain Must Be a Native Mode Windows 2000 Domain
• Source Domain Controller Must Have the Following Registry Entry:
  HKEY_LOCAL_MACHINE | System | CurrentControlSet | Control | Lsa
  TcpipClientSupport:REG_DWORD:0X1
• User Performing the Restructure Must Have Administrative Privileges on Source and Target Domains
• Auditing Must Be Enabled in Both the Source and Target Domains

Because moving is a security-sensitive operation, the following must be in place before performing intra-forest restructuring:

• The target domain must be a Windows 2000 native-mode domain.

• The source domain controller's registry must contain the following registry entry:

  HKEY_LOCAL_MACHINE | System | CurrentControlSet | Control | Lsa
  TcpipClientSupport: REG_DWORD:0X1

• The user performing the restructure operation must have administrative privileges in the source and target domains.

• Auditing must be enabled in both the source and target domains.

Slide Objective: To explain the requirements for performing an intra-forest restructuring.
Lead-in: Because moving is a security-sensitive operation, you must prepare an appropriate environment before performing intra-forest restructuring. Explain the requirements for performing an intra-forest restructuring.

Restrictions for Intra-Forest Restructuring

• Source Domain Must Be in Same Forest as Target Domain
• Source Objects Must Be User or Security-Enabled Groups or Computers
• Source Object Must Not Be a Built-In Account
• SID of the Source Object Must Not Already Exist in Target Domain
• Administrative Shares Must Exist on Computer Where the ADMT Is Executing

Some of the restrictions that apply when performing an intra-forest restructuring are:

• The source domain must be a Windows 2000 domain in the same forest as the target domain.

• Source objects must be users or security-enabled groups, computers, or organizational units.

• The source object must not be a built-in account.

Because built-in groups have well-known SIDs and RIDs, they cannot be moved.

• The SID of the source object must not already exist in the target domain, either as a primary account SID or in the sIDHistory of an account.

• Administrative shares must exist on the computer where the ADMT is running and on any computer where the ADMT must install an agent.

In intra-forest scenarios, you may run the migration tools on a target or source domain controller.

Slide Objective: To explain what restrictions apply when performing an intra-forest restructuring.
Lead-in: Several restrictions apply when performing an intra-forest restructuring. Use the slide to discuss each of the rules that must be followed when performing intra-forest restructuring.

Moving Security Principals

• Using Closed Sets to Move Users and Global Groups
• Using Closed Sets to Move Domain Local Groups
• Alternatives to Moving with Closed Sets
• Moving Computers and Local Accounts
• Moving Domain Controllers

Intra-forest migration operations require that security principals be moved from one Windows 2000 domain to another in the same forest. Moving security principals creates a new identical account in a destination domain and removes the account from the source domain. The move operation does not allow a return to the old account status if problems occur with the migration. To ensure that access permissions are maintained during an intra-forest restructuring, the underlying APIs used to move objects apply a constraint, called closed sets, on these operations. A closed set is a block of accounts that are moved at the same time.

MoveTree and ADMT move security principals and provide the ability to retain the source account SID in the target account sIDHistory attribute. Including the source account SID in the target account sIDHistory attribute provides continued resource access to moved accounts.

Cloning is not possible in intra-forest migration scenarios because one SID would be associated with two security principals.

Slide Objective: To explain the implications of moving users and global groups, domain local groups, closed sets, computers and local accounts, and domain controllers.
Lead-in: Moving a security principal between domains changes the security principal's SID.
Key Points: Moving accounts is the only way to perform intra-forest migration. Moving deletes the source account. Define a closed set.

Using Closed Sets to Move Users and Global Groups

• When a User Is Moved, Any Global Groups of Which the User Is a Member Must Also Be Moved
• When a Global Group Is Moved, All of Its Members Must Also Be Moved

The primary SID of the source global group is retained as the value of the moved group's sIDHistory attribute. When a user is moved between domains, any global groups of which the user is a member must also be moved. This preserves group membership and maintains resource permissions assigned to global groups. Likewise, if a global group is moved, its members must also be moved in a closed-set fashion.

If a global group contains other global groups—as can be the case with a Windows 2000 native-mode source domain—for each nested group, all of its members must be moved, including the membership of all nested groups.

Slide Objective: To explain the implications of moving users and global groups.
Lead-in: A global group can only contain members from its own domain.
Key Point: When a global group is moved, all of its members must also be moved.

Using Closed Sets to Move Domain Local Groups

• For Each Domain Local Group Being Moved, All Domain Controllers in the Domain Containing DACLs Referencing the Group Are Also Moved
• For Each Domain Controller Being Moved, All Domain Local Groups Referenced in DACLs on Its Resources Are Also Moved

An organization that wants to simplify its Active Directory domain hierarchy may choose to merge two or more domains. This process involves moving Windows 2000 domain local groups, and the domain controllers on which they reside, into the target domain. Because Windows 2000 domain local groups are valid only in the domain in which they were created, if such a group is moved independently of its members, any references to the group in resource DACLs in the source domain will be irresolvable. Closed sets are used to prevent this from occurring. To preserve group membership and retain resource access:

• For each domain local group being moved, all domain controllers in the domain with resource DACLs referencing the group are moved at the same time.

• For each domain controller being moved, all domain local groups referenced in DACLs on its resources are moved at the same time.

Slide Objective: To explain the implications of moving domain local groups.
Lead-in: Because Windows 2000 domain local groups are valid only in the domain in which they were created, if such a group is moved independently of its members, any references to the group in DACLs in the source domain will be irresolvable.
Key Points: To move a shared local group, all computers with resources that reference the group in their DACLs must also be moved. Module 6, "Developing a Domain Restructure Strategy," in course 2010A, Designing a Microsoft Windows 2000 Migration Strategy, discusses ways to avoid irresolvable SIDs in resource DACLs.

Alternatives to Moving with Closed Sets

• Create Parallel Groups
  - Involves creating parallel global groups in the target domain instead of moving global groups
• Leverage Universal Groups
  - Involves switching the Windows 2000 source domain to native mode, then changing the group type of the groups to be moved to universal
• Reconsider Your Migration Strategy
  - Restructure directly from an existing Windows NT 4.0 domain or separate Windows 2000 forest

Closed sets are particularly challenging during an intra-forest migration between Windows 2000 domains in the same forest. Depopulating and repopulating large groups can be time-consuming, and in some cases the smallest closed set may consist of the entire source domain.

There are three possible approaches to addressing closed set issues:

• Create parallel groups. This involves creating parallel global groups in the target domain instead of moving groups. Because the parallel group does not contain the sIDHistory of the source group, additional steps are required. First, the new group membership must be defined. Then, all resources in the enterprise containing DACLs referencing the original group must be modified to include permissions for the parallel global group that match the source global group.

• Leverage universal groups. This involves changing the group type of the groups to be moved to universal. Because universal groups have scope across the entire forest, such a change allows them to be moved safely, in addition to retaining their membership and maintaining access to resources left behind. After the restructure has been completed, the group types can be changed back to their original types.

Be cautious when using this approach. The membership of universal groups is stored in the global catalog, and when universal group membership changes, the entire group membership is replicated throughout the forest.

• Reconsider your migration strategy. Cloning or copying security principals does not impose the use of closed sets. However, cloning only works when copying accounts between forests. To avoid the restrictions of closed sets, restructure directly from an existing Windows NT 4.0 domain or separate Windows 2000 forest.

Slide Objective: To explain the alternatives to moving with closed sets.
Lead-in: Depopulating and repopulating large global groups can be time-consuming, and in some cases the smallest closed set may be the whole source domain. Discuss the three alternatives to moving with closed sets.

Moving Computers and Local Accounts

• Local User Accounts Are Unaffected When Moving a Computer Account
• Local Group Accounts Residing in the Local SAM Database Are Unaffected by the Move
• Local Groups Containing Local or Domain Users, or Users from Trusted Domains, Are Unaffected by the Move

Moving computer accounts in an intra-forest scenario is functionally the same as moving computer accounts in an inter-forest scenario. Workstations and member servers have their own SAM database. If they are moved between domains, they always take this database with them.

Local user accounts are unaffected when moving a computer account in an intra-forest restructure. Local group accounts defined on workstations and member servers always move with the computer and are unaffected by the move operation. Local groups containing accounts from trusted domains are also unaffected by the move.

Local groups provide access to resources on the local computer on which they reside. Permissions granted to local groups in resource DACLs on the moved computer will be maintained. Resource access will continue to function properly, provided that appropriate trusts to the target domain exist.

If local groups contain members from trusted domains, trusts must exist between the target domain and any domains from which local group members reside.

Computer accounts can be moved remotely with the ADMT and Netdom, or a user at the local computer can join the new domain manually.

Moving Domain Controllers

• Moving a Domain Controller Requires That
  - It be demoted to a member server first
  - It join the target domain

Moving domain controllers is one of the final steps in intra-forest domain restructuring and, in effect, decommissions the source domain. Once user, group and computer accounts are moved to the target domain, the source domain controllers can be migrated.

Moving domain controllers in an intra-forest scenario is functionally the same as moving domain controllers in an inter-forest scenario. Moving a Windows 2000 domain controller requires that it be demoted to a member server, whereupon the member server can join the target domain or the account can be moved using the Netdom or ADMT utility.

Once the server is a member of the target domain, it can be maintained as a member server or promoted as a replica domain controller to support the target domain.

Domain Restructure Tools

• Active Directory Migration Tool
• Additional Restructure Tools
  - ClonePrincipal
  - Netdom
  - Ldp
  - MoveTree

There are several tools available from Microsoft and third-party software vendors to aid administrators in migrating from Windows NT 4.0 to Windows 2000 domains, and for restructuring Windows 2000 forests. Some of the tools that you will use for a domain restructuring are:

• Active Directory Migration Tool (ADMT). ADMT is a strategic tool for facilitating migration operations for both inter-forest and intra-forest restructuring.

• ClonePrincipal. ClonePrincipal is a set of scripts that clone users and groups to the new Windows 2000 environment. It facilitates inter-forest migration.

• Netdom. Netdom is a command-line utility that can be used to query a domain for trust relationships and create new trust relationships automatically. Netdom can also be used to add, move, and query computer accounts in a Windows domain. It facilitates both inter-forest and intra-forest migration operations.

• Ldp. Ldp is a graphical tool that uses Lightweight Directory Access Protocol (LDAP) to allow an administrator to display the attributes of any object in Active Directory. By displaying the sIDHistory of a cloned principal, this tool validates that security principals have been migrated correctly.

• MoveTree. MoveTree is a command-line utility that moves Active Directory security principal objects, such as groups and users, between domains in a single forest.

For details about the specific functionality of each tool, see the migration tools comparison table on the Student Materials compact disc.

Slide Objective: To introduce the tools for domain restructuring.
Lead-in: Some of the tools used for domain restructuring are ADMT, ClonePrincipal, Netdom, Ldp, and MoveTree. Briefly describe the tools that can be used for domain restructuring.

Active Directory Migration Tool

• Reporting and Trial Migration Feature
• Fallback Capability
• Localized
• Clone Windows NT 4.0 Users and Resources to Windows 2000
• Move Users and Resources Between Windows 2000 Domains

The ADMT is a wizard-based Microsoft Management Console (MMC) interface licensed from Mission Critical Software to facilitate both inter-forest and intra-forest migrations.

The ADMT is available for download on the Windows 2000 Web site at http://www.microsoft.com/windows2000.

The ADMT copies and moves user accounts, groups, and computer accounts from one domain to another, populating the sIDHistory attribute of migrated security principals. It can then resolve the related file, directory, and share security issues for the copied accounts by redefining permission on source resources that have not been migrated. ADMT is a comprehensive tool that allows you to analyze the migration impact both before and after the actual migration process. It also allows you to test migration scenarios before you perform the migration.

The following table lists and describes the key features of ADMT.

Feature | Description
Reporting | The tool provides a number of predefined reports, including: migrated users and computers; expired computer accounts; accounts referenced in DACLs; name conflicts.
Fallback capability | The tool allows many operations to be undone to provide fallback to an original state.
Localized | The tool is localized into the Windows 2000 Server languages.
Supported migration scenarios | The tool supports cloning security principals and resources from a Windows NT 4.0 or Windows 2000 domain to a Windows 2000 native-mode domain in a different forest (inter-forest). The tool supports moving security principals and resources between Windows 2000 domains in the same forest (intra-forest).

For more information about the ADMT capabilities and functionality, please see the Help file available in the MMC console.

Additional Restructure Tools

• ClonePrincipal: Allows you to clone users and resources from Windows NT 4.0 to a Windows 2000 environment
• Netdom: Allows you to manage Windows 2000 domains and trust relationships from a command prompt
• MoveTree: Allows administrators to move Active Directory objects between domains in a single forest
• Ldp: Allows you to perform LDAP operations

The following additional Microsoft migration tools make domain restructuring easier.

ClonePrincipal

ClonePrincipal is a suite of sample Microsoft Visual Basic® scripts that copy users and groups from Windows NT 4.0 or Windows 2000 to a Windows 2000 native-mode domain without impacting your existing production environment. Like the ADMT, ClonePrincipal populates the sIDHistory attribute of cloned accounts to retain access to resources in the source environment.

The ClonePrincipal files are found in the \support\tools folder on the Windows 2000 Server compact disc, and include the following preset scripts:

• sidhist.vbs copies the SID of a source principal to the sIDHistory of an existing destination principal.

• clonepr.vbs copies the properties of a source principal and copies the source SID to the sIDHistory of the destination object. The destination principal need not exist, but if it does, both destination SAM name and distinguished name must refer to the same object.

• clonegg.vbs clones all global groups in a domain, including well-known accounts, such as Domain Guests, but excluding built-in accounts, such as Backup Operators.

See the white paper, Planning Migration from Microsoft Windows NT to Microsoft Windows 2000, on the Student Materials compact disc for a table defining well-known and built-in accounts.

• cloneggu.vbs clones all global groups and users in a domain, including well-known accounts, but excluding built-in accounts.

• clonelg.vbs clones all local groups in a domain, including well-known accounts, but excluding built-in accounts.

It is unlikely that the sample scripts will exactly match the requirements of an organization carrying out a Windows 2000 domain migration. The scripts can be customized or combined with the functionality of other command-line migration tools to fit your needs using Visual Basic scripting.

Netdom

Netdom is a command-line utility used to facilitate inter-forest and intra-forest migration operations. It is found in the \Support\Tools folder on the Windows 2000 Server compact disc and can be used to query a domain for trust relationships and create new trust relationships automatically. Netdom can be used as part of an automated migration script—a particularly useful utility in an environment where it is unclear which trusts already exist. By using Netdom, you can:

• Securely join a computer running Windows 2000 to a Windows NT or Windows 2000 organizational unit (OU).

• Add, remove, and query client computer accounts.

• Move an existing computer account from one domain to another, maintaining the primary SID.

• Establish (one- or two-way) trust relationships between domains for the following domain types:

  • Windows NT domains
  • Windows 2000 parent and child domains in a domain tree
  • The Windows 2000 portion of a trust link to a Kerberos realm

• Verify and reset the secure channels for member clients and servers, BDCs, and domain replicas.

• Enumerate and view trust relationships between Windows NT and Windows 2000 domains, and between two Windows 2000 domains.

MoveTree

MoveTree is a command-line tool used to facilitate intra-forest migration operations by allowing administrators to move Active Directory objects, such as organizational units, users, or groups between domains in a single forest. It is found in the \support\tools folder on the Windows 2000 Server compact disc. Like ClonePrincipal, MoveTree uses the sIDHistory attribute to preserve access to resources after a group, user, or computer is moved from one Windows 2000 domain to another. MoveTree works only if the target domain is running in native mode. A further restriction of MoveTree is that it only moves global groups as a closed set of groups in the source domain. This makes MoveTree a tool with limited functionality in most migration scenarios.

Ldp

Ldp is a graphical Active Directory administrative tool with an interface like Windows Explorer that allows users to perform LDAP operations—such as connect, bind, search, modify, add, and delete—against any LDAP-compatible directory, such as Active Directory.


In troubleshooting, administrators can use Ldp to view objects stored in Active Directory along with the object attributes, such as security descriptors and replication metadata. This is useful in identifying whether objects have been migrated or replicated between domain controllers.
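The check that Ldp lets an administrator do by hand (reading the sIDHistory off a cloned or moved principal), together with the intra-forest restriction that a source SID must not already exist in the target domain as a primary SID or in any sIDHistory, as an added example that is not part of the course or of any Microsoft tool: it decodes the binary form in which LDAP returns objectSid and sIDHistory and runs both checks over constructed sample objects (all DNs and SIDs are hypothetical; the dicts stand in for LDAP search results).

```python
import struct
from collections import defaultdict


def sid_bytes_to_string(blob):
    """Decode a binary SID, as LDAP returns objectSid and sIDHistory, into S-1-... form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then `count` 32-bit little-endian sub-authorities.
    """
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-" + "-".join(str(part) for part in (revision, authority) + subs)


def sid_string_to_bytes(sid):
    """Inverse of sid_bytes_to_string; used here to build the constructed sample data."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def all_sids(obj):
    """Primary SID followed by every sIDHistory entry of one object, as strings."""
    return [sid_bytes_to_string(obj["objectSid"])] + [
        sid_bytes_to_string(h) for h in obj.get("sIDHistory", [])]


def sid_in_use(target_objects, sid):
    """DNs in the target domain already carrying `sid`, as primary SID or in
    sIDHistory. A non-empty result means the source object fails the restriction."""
    return sorted(o["dn"] for o in target_objects if sid in all_sids(o))


def audit_migration(target_objects, expected_history):
    """Check a completed migration.

    expected_history maps target DN -> source SID that should now sit in that
    object's sIDHistory. Returns (missing, duplicates): DNs whose sIDHistory lacks
    the expected SID, and every SID carried by more than one target object.
    """
    by_dn = {o["dn"]: o for o in target_objects}
    missing = sorted(dn for dn, src in expected_history.items()
                     if dn not in by_dn or src not in all_sids(by_dn[dn])[1:])
    owners = defaultdict(set)
    for o in target_objects:
        for s in all_sids(o):
            owners[s].add(o["dn"])
    duplicates = {s: sorted(d) for s, d in owners.items() if len(d) > 1}
    return missing, duplicates


# Constructed sample data (hypothetical domain SIDs and DNs).
SRC = "S-1-5-21-1000-2000-3000-"   # source-domain SID prefix
TGT = "S-1-5-21-4000-5000-6000-"   # target-domain SID prefix
TARGET_OBJECTS = [
    {"dn": "CN=alice,OU=Migrated,DC=target,DC=example",
     "objectSid": sid_string_to_bytes(TGT + "1105"),
     "sIDHistory": [sid_string_to_bytes(SRC + "1105")]},
    {"dn": "CN=bob,OU=Migrated,DC=target,DC=example",
     "objectSid": sid_string_to_bytes(TGT + "1106"),
     "sIDHistory": []},                                   # history never populated
    {"dn": "CN=GG-Sales,OU=Migrated,DC=target,DC=example",
     "objectSid": sid_string_to_bytes(TGT + "1107"),
     "sIDHistory": [sid_string_to_bytes(SRC + "1105")]},  # alice's old SID again
]
EXPECTED_HISTORY = {
    TARGET_OBJECTS[0]["dn"]: SRC + "1105",
    TARGET_OBJECTS[1]["dn"]: SRC + "1106",
}

if __name__ == "__main__":
    missing, duplicates = audit_migration(TARGET_OBJECTS, EXPECTED_HISTORY)
    print("missing sIDHistory:", missing)
    print("SIDs on more than one object:", duplicates)
    print("already in use:", sid_in_use(TARGET_OBJECTS, SRC + "1106"))
```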

You can obtain more information on ClonePrincipal, Netdom, and MoveTree from the Resource Kit Tools Help file found in the support folder on the Windows 2000 Server compact disc. You can find details about the Ldp utility in the Windows 2000 Help files.

For information about Microsoft-endorsed, third-party migration tools, go to http://www.microsoft.com/windows2000.

Lab A: Performing Inter-Forest Domain Restructuring

Objectives

After completing this lab, you will be able to:

• Prepare the Windows 2000 environment for restructuring.

• Clone users and groups from a Windows NT 4.0 domain to a Windows 2000 domain.

• Clone resources from a Windows NT 4.0 domain into a Windows 2000 organizational unit (OU).

• Examine the effects of restructuring domains.

Prerequisites

Before working on this lab, you must have:

• Knowledge of domain security and security principals.

• Knowledge of Windows NT domains and administration.

• Knowledge of Windows 2000 Active Directory domains and administration.

• Knowledge of inter-forest domain restructuring.

• The knowledge and skills to clone security principals between Windows NT 4.0 and Windows 2000 domains.

Lab Setup

To complete this lab, you need the following:

• A Windows NT 4.0 Server configured according to the Classroom Setup Guide.

• A Windows 2000 Server configured according to the Classroom Setup Guide.

Slide Objective: To introduce the lab.
Lead-in: In this lab, you will prepare the Windows 2000 environment for restructuring, clone users and groups from a Windows NT 4.0 domain to a Windows 2000 domain, and clone resources from a Windows NT 4.0 domain into a Windows 2000 OU. Explain the lab objectives.

Scenario

A multinational company has an existing Windows NT 4.0 complete trust domain model that accommodates a variety of independently operated business divisions. After a major corporate reorganization, these divisions are combined under a single holding company called Northwind Traders. Because the new business model requires a high level of divisional interdependence, the reorganization rendered the existing domain model obsolete and difficult to manage.

In an effort to streamline administrative practices and lower the cost of managing the complex network, Northwind is migrating to Active Directory in Windows 2000.

To abide by the capital-expenditure freeze that Northwind has imposed, the migration team determined that upgrading each domain will allow them to deploy Active Directory. However, to meet the goals of the Active Directory design, the upgrade must be followed by a restructure to eliminate obsolete domains.

A key line-of-business application, running on the primary domain controller (PDC) in the Contoso Windows NT 4.0 domain, is incompatible with Windows 2000. To accommodate this application, the migration team determined that they cannot upgrade the Contoso domain at this time. Instead, they will transfer all security principals to domains in the new Active Directory forest. To facilitate this process, the team has documented all user and group accounts, as well as the membership of all groups. After they migrate security principals and resources, they will re-install the PDC as a Windows NT 4.0 member server and move it to the Northwind Traders root Windows 2000 domain.
