As has been widely published in the technology press, Microsoft has announced it will terminate support for Windows NT by 2005, forcing all the small and mid-sized businesses currently running Windows NT to upgrade and convert or risk business disruption from running obsolete systems. Unlike previous Microsoft conversions, though, the move to Windows 2003 and its greatly enhanced features and toolset can be both relatively painless and beneficial to your business. And fortunately, there are many tools and techniques to help with this momentous task.
As an example, the NT to Windows 2003 migration for the mid-sized law firm of Kalowe, Gaffin, and Zeigler has been proceeding smoothly. Several NT domains and legacy systems have already been retired or consolidated, and the users have so far been only minimally affected. Because Jennie York’s small but valiant two-person IT team made most of the needed planning decisions in advance, the team is now ready and adequately prepared for the design and the implementation phases. The team has already planned the next steps, so Jennie is confident that they will be as uneventful as the previous ones.
Like Jennie, you can also accomplish a painless Windows NT to 2003 conversion if you follow some simple suggestions. In our previous article, we discussed pre-installation tips, decision points, and staff/organizational concerns. For this discussion, it will help if you have a good understanding of Active Directory components. If this is not the case, please review our previous two articles that go into the details of Active Directory.
We will first dig into guidelines for designing your Active Directory tree and then follow with an exploration of some implementation tools from Microsoft and third-party companies that can greatly simplify the conversion process. Finally, we will review some post-implementation implications that need to be considered.
More Active Directory implementations go wrong at the initial design stage than at any other stage. Because AD is still not very forgiving about mistakes made at the very earliest architecture phases, it’s vitally important to have a full understanding of what you are trying to accomplish with your design. If you keep the following items in mind when creating your Active Directory design, you will be able to avoid the common pitfalls.
- Start with a simple design – one forest containing one domain. Set up a clear and objective set of criteria that must be met before you add more forests or domains.
- Develop a design that can handle unexpected organization/site changes or growth spurts. An inflexible design means potential downtime when reactively adjusting the forest/domain to changing circumstances.
- When designing your OUs (Organizational Units), keep in mind the group memberships they will hold and the security policies that must apply to them.
- Site design is important, but it can always be changed easily later because a site is just a logical grouping of network components. Focus your critical design decisions on the components that are difficult to change retroactively.
Microsoft has not been completely heartless about withdrawing NT support. The company has released a variety of useful migration tools you can use to help ensure a successful upgrade project, including:
- Active Directory Sizer – Though this is positioned as a tool to help choose the right hardware, it can actually do much more if (and this is a big if) you can provide a good estimate of what you need for your proposed Active Directory environment.
  - Inputs: user information such as logon characteristics, directory characteristics, and domain controller behavior
  - Outputs: estimates of the domain controllers and global catalog servers needed for each domain within a site, plus estimates of the disk, memory, and network bandwidth requirements for your new Active Directory environment
  - This utility has recently been updated for Windows Server 2003
- Active Directory Migration Tool (ADMT) – ADMT is a licensed product from NetIQ. It has been greatly enhanced for Windows Server 2003. ADMT is accessible through the Microsoft Management Console and is powerful enough to perform either inter-forest or intra-forest domain migration. ADMT’s capabilities include:
  - The ability to migrate user accounts, local profiles, domains, and computers. This can be a useful and painless feature if you run a trial simulation before migrating
  - The ability to migrate SIDs (Security Identifiers) and their history
  - A handy agent monitor page to track the status of information retrieval from remote computers
ADMT will also produce detailed reports that can help with migration troubleshooting. These reports include information on name conflicts and on the various migration operations such as Exchange and service accounts, trusts, groups, and so on. ADMT now supports a command line and scripting interface as well, which includes the well-documented TemplateScript.vbs. Note that the command line interface does not support all options (such as the undo feature and extended characters). Be aware that both of these interfaces produce less friendly error messages than their GUI counterparts.
When using the ADMT tool, there are some things to keep in mind so you can maximize its effectiveness. Take the time to review the Readme file and the Checklist included in the help file, both of which explain some of the subtle problems and limitations of the product.
You may want to consider third-party migration tools. Links to some of these are provided in the reference section at the end of this article. Nearly all of the tools have demos and tutorials so you can “try before you buy.” Here is a very incomplete list of migration utilities, with some comments about their relative advantages and disadvantages.
- Aelita has a healthy mindshare for their NT/Exchange migration utilities. Two helpful utilities are: the Enterprise Migration Manager (EMM) for directory tree maintenance/future Active Directory migrations and the Server Consolidation Wizard (SCW) for server/printer consolidation.
- Netpro has a good set of utilities wherever you are in the Active Directory lifecycle. Of particular interest are their DNS Analyzer and Directory Troubleshooter tools.
- NetIQ’s strength is its cross-platform and all-encompassing set of utilities. You may want to pay particular attention to their Migration Suite (with domain and server consolidation aids) and Group Policy Guardian.
- Quest also has a variety of utilities and migration tools, including FastLane Migrator. Another utility that is very useful for large understaffed sites is exMSPassword Reset Manager, which allows users to reset their own passwords to offload the helpdesk staff.
Once you have navigated the unsettled waters of the migration, you are not quite done yet. Inevitably, some things will go awry during the implementation “shakeout” period when you and your users are getting used to the new scheme and systems. If you adhere to the following pointers, you will minimize the unavoidable disruptions.
- Determine early on a baseline of what is considered “normal operations,” so that you can recognize outages and possible security intrusions when they occur
- Start a knowledge base of the typical problems that manifest
- Continuously scan your event logs and evaluate your monitoring effectiveness. This is especially important for replication. You may well be able to eliminate potential problems before they happen
- Use the Resource Toolkit utility repadmin to monitor replication health. Some of the options include:
  - showreps, which shows replication for a particular domain controller
  - bind, which shows supported replication options
  - propcheck, which shows whether a server is current for a particular directory record
- Never stop your continuous improvement efforts:
  - Evaluate the addition of software capabilities in terms of whether they make business and operational sense
  - Keep network, group, and other related documentation up to date
  - Review security policies on a regular basis
  - Evaluate emerging Internet standards and lobby Microsoft if you want to see these standards incorporated into their products
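The replication-monitoring advice above is easier to act on if the repadmin output is checked by a script rather than by eye. The following is an added example, not code from the article or from Microsoft: it parses text in the shape that repadmin /showreps prints for a domain controller's inbound neighbors and flags any partner whose last attempt failed. The sample output embedded below is constructed for this example (domain name, GUIDs, timestamps and the 1722 RPC error are assumed values, not captured from a real domain controller), and the function names parse_showreps and failing_links are this example's own.

```python
"""Parse repadmin /showreps output and flag unhealthy inbound replication partners."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape repadmin /showreps prints on Windows Server 2003:
# two naming contexts, one healthy partner and one failing partner. This is an
# assumption for the example, not output captured from a real domain controller.
SAMPLE_SHOWREPS = """\
Default-First-Site-Name\\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 11111111-2222-3333-4444-555555555555
DSA invocationID: 66666666-7777-8888-9999-000000000000

==== INBOUND NEIGHBORS ======================================

DC=example,DC=com
    Default-First-Site-Name\\DC2 via RPC
        DSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Last attempt @ 2003-06-01 10:15:32 was successful.

CN=Configuration,DC=example,DC=com
    Default-First-Site-Name\\DC2 via RPC
        DSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Last attempt @ 2003-06-01 10:15:40 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        3 consecutive failure(s).
        Last success @ 2003-05-31 09:00:00.
"""


@dataclass
class InboundLink:
    """One inbound replication partner for one naming context."""
    naming_context: str
    partner: str
    transport: str
    last_attempt: str
    succeeded: bool
    error_code: Optional[int] = None
    consecutive_failures: int = 0


# Naming contexts start in column 0; partners are indented 4 spaces, details 8.
_NC_RE = re.compile(r"^(?:DC|CN)=\S.*$")
_PARTNER_RE = re.compile(r"^\s{4}(\S.*?) via (\S+)\s*$")
_ATTEMPT_RE = re.compile(r"^\s{8}Last attempt @ (\S+ \S+) (was successful|failed, result (\d+))")
_FAILURES_RE = re.compile(r"^\s{8}(\d+) consecutive failure\(s\)")


def parse_showreps(text: str) -> List[InboundLink]:
    """Walk the INBOUND NEIGHBORS section and build one InboundLink per partner."""
    links: List[InboundLink] = []
    nc: Optional[str] = None
    current: Optional[InboundLink] = None
    in_inbound = False
    for line in text.splitlines():
        if line.startswith("==== INBOUND NEIGHBORS"):
            in_inbound = True
            continue
        if line.startswith("===="):  # any other section header ends the inbound block
            in_inbound = False
            continue
        if not in_inbound:
            continue
        if _NC_RE.match(line):
            nc = line.strip()
            continue
        m = _PARTNER_RE.match(line)
        if m and nc:
            current = InboundLink(nc, m.group(1), m.group(2), "", False)
            links.append(current)
            continue
        if current is None:
            continue
        m = _ATTEMPT_RE.match(line)
        if m:
            current.last_attempt = m.group(1)
            current.succeeded = m.group(2) == "was successful"
            if m.group(3):
                current.error_code = int(m.group(3))
            continue
        m = _FAILURES_RE.match(line)
        if m:
            current.consecutive_failures = int(m.group(1))
    return links


def failing_links(links: List[InboundLink], min_failures: int = 1) -> List[InboundLink]:
    """Partners whose most recent attempt failed, at least min_failures times in a row."""
    return [l for l in links if not l.succeeded and l.consecutive_failures >= min_failures]


if __name__ == "__main__":
    # In practice feed this the saved output of: repadmin /showreps
    for link in failing_links(parse_showreps(SAMPLE_SHOWREPS)):
        print(f"{link.naming_context}: {link.partner} via {link.transport} "
              f"failed {link.consecutive_failures}x, last error {link.error_code}")
```

Run it against the saved output of repadmin /showreps for each domain controller on a schedule; raising min_failures filters out a single transient failure while still catching a partner that has stopped replicating, and a rising failure count for the same partner is exactly the kind of deviation from your “normal operations” baseline that the list above tells you to watch for.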
As you can see, Windows NT to 2003 migrations are serious business, but they are not impossible. If you take the time to do thorough research and planning, you will be fully prepared for the inevitable mishaps. By taking full advantage of the myriad of Microsoft and third-party tools available, you can truly make your migration project as smooth and painless as our intrepid Jennie York.
- Official Microsoft Active Directory Site – Lots of great information and software utilities.
- Active Directory Operations Guide – “In the trenches” advice to get you started administering Active Directory. There are many other planning and deployment guides on the Microsoft AD web site as well.
- Windows Step-by-Step Guides – Step-by-step guides for performing many Active Directory operations.
- Active Directory Sizer Tool – Download and overview of the tool.
- Active Directory Sizer Tool Demo – Additional links for the Active Directory Sizer tool, including a demo for Windows Server 2003.
- news://microsoft.public.security – Security issues across Microsoft products.
- news://microsoft.public.win2000.active_directory – General and technical Active Directory questions.
- news://microsoft.public.win2000.setup_deployment – Deployment and implementation questions. Just starting to include Windows Server 2003 information.
Beth Cohen is president of Luth Computer Specialists, Inc., a consulting practice specializing in IT infrastructure for smaller companies. She has been in the trenches supporting company IT infrastructure for over 20 years in a number of different fields including architecture, construction, engineering, software, telecommunications, and research. She is currently consulting, teaching college IT courses, and writing a book about IT for the small enterprise.
Hallett German is an IT consultant who will soon launch Alessea Consulting, a company focusing on network identity and electronic directories/messaging consulting. He has twenty years’ experience in a variety of IT positions and in implementing stable infrastructures. He is the founder of the Northeast SAS Users Group and former President of the REXX Language Association. Hal is the author of three books on scripting languages. He is always on the lookout for challenging opportunities that will expand his directory, networking, and security skills.