Over the years, Lillian Rose’s small New England company’s corporate IT environment has grown haphazardly, continually adding servers and system patches in an ultimately futile attempt to meet Moment Of Glory Insurance’s ever-growing corporate needs. The company has finally outgrown its aging Windows NT infrastructure. Lillian, the IT systems manager, is thrilled; after months of pleading, company management has finally given the OK to upgrade the servers to Windows 2003/Active Directory.
Now that the initial exhilaration is past, though, it’s time to figure out what this migration will really entail. Fortunately, help is available that can make a Windows Server 2003 Active Directory migration as painless as possible.
With Microsoft phasing out NT support by 2005, many NT administrators are beginning to plan their migration to Windows 2000 or 2003 to beat the inevitable degradation of support. For a larger company with a complex infrastructure, Gartner suggests this process can take as long as 12-18 months to complete. For smaller companies, with fewer servers, legacy systems, and users, the deployment is likely to need only 3-9 months.
Such a large-scale project is a tall order for any company, and one that can put stress on fragile systems and scarce IT resources. So let’s get started with an exploration of Microsoft utilities, best practices, tools, and tips for minimizing the mountainous task of migration.
Because the topic is so large, we will remain focused only on the Windows NT to Windows 2000/2003 migration. Considerations of migrating from UNIX or Windows 2000 to 2003 and third-party migration utilities are outside the scope of this article (but if you’d be interested in seeing such articles, let us know).
You have heard it so many times before — the best way to ensure any project’s success is planning, planning, and more planning. An NT migration venture is no exception. Before the first install even begins, many decisions need to be resolved and many tasks completed.
Your first tasks are determining and documenting your existing environment and evaluating your environment’s readiness for migration. With that information as a baseline, you can then determine and resolve key decision points early.
Evaluate Your Environment
It’s well worth the time and effort to document your environment in the early planning stage. There is nothing worse than finding out about nasty and expensive surprises about your environment halfway through deployment. And even if a thorough evaluation has been conducted in the past, it’s not likely to be current. Your documentation should include at least the following:
- Network diagrams
- NT domains (number of accounts, usage profiles, domain controllers, etc.)
- A hardware and software asset inventory (see below for more details)
- Internet connections
- Security measures and policies
- Applications that currently use the NT directory and how they interface with NT (any attributes imported/exported, etc.)
- Applications that will use Active Directory
- Other directories that will synchronize with Active Directory
- File and print services
Simplify Your Environment
After documenting your environment and before proceeding to the migration plan itself, you need to answer the following critical questions:
- Is my site prepared for a Windows server 2003 migration, and if not, how much additional work will I need to do to get ready?
- How much hardware/software consolidation and elimination can be done prior to migration?
Even if your existing hardware meets the minimum published requirements for Windows Server 2003, you should still verify migration readiness. Microsoft is notorious for underestimating the hardware configuration requirements. To check your PDCs/BDCs for 2003 readiness, enter the command winnt32 /checkupgradeonly at the console prompt. Note that by default the results are saved to upgrade.txt in the systemroot directory.
Be aware of two important caveats before proceeding. This capability is only available after installing Windows NT Service Pack 5 or later, and the server will not be able to perform its PDC/BDC role during the readiness check.
Use the Windows Application Compatibility Toolkit (currently version 3.0) to evaluate application migration readiness. This handy utility contains three very useful applications.
- Microsoft Compatibility Analyzer – An application that performs a software inventory and stores it in an Access or SQL Server database. It can also sort by various fields such as application, department name, or computer type.
- Compatibility Administrator – For custom applications, this tool can determine exactly what fixes are needed to upgrade a given application. It will then create software packages with the required patches. It also has the capability to create a custom fix database; Compatibility Database Installer can then be used for custom patch installs.
- Windows Application Verifier – In-house developers can use the verifier to probe for potential migration problems with home-grown applications. Since many in-house applications are not as carefully built for portability as commercial software, this can be a real lifesaver. It will be especially useful for those converting older Windows 9x applications.
To make the migration easier, you may want to consider using the project as an opportunity to consolidate and retire older hardware and legacy applications. If you are contemplating this, keep the following points in mind:
- Many companies have far too many unneeded NT domains, including grassroots domains that were created by users. Smaller, less active domains should be consolidated or expired.
- With legacy applications, you will have to decide when to retire or consolidate them before the migration. If these applications will be supported after the migration, they will have to interface with Active Directory through Directory Synchronization or LDAP replication.
- Server and application consolidation can take place during the migration process. Windows Server 2003 will ably replace multiple Windows NT servers. This can mean either running more applications per server or running one application with many more users than the equivalent NT server.
At some point before final implementation you must make a series of interrelated decisions. Each of these choices will affect how you will plan your approach to the overall project, so it is important to be aware of the consequences.
- Which DNS to use? Those using UNIX DNS servers will have to make sure they support SRV (service) records. With BIND 4.9.7 or later, the default dynamic updates setting is recommended but not required; you are encouraged to use BIND 8.2.2 or later for this capability. If necessary for your infrastructure, Active Directory can work with versions earlier than BIND 4.9.7.
DNS is used to store software service locations and define the organizational structure used by Active Directory entries. SRV records are used by Netlogon to find the PDCs and BDCs in an Active Directory environment. Those using Microsoft DNS can take advantage of integrated administrative tools within the Windows operating system.
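As an added example (not part of the original article), the following Python check parses a constructed BIND zone fragment and reports which of the well-known Active Directory locator SRV names are missing and which SRV targets have no A record in the zone. The zone data, host names and the example.corp domain are made up for illustration.

```python
"""Pre-migration DNS check: does a BIND zone carry the SRV records
Active Directory domain controllers register and clients use to find them?
Added example; SAMPLE_ZONE is constructed, not taken from a real site."""
import re

# Constructed zone fragment: one DC has an A record, one SRV name is
# missing, and one SRV record points at a host the zone does not define.
SAMPLE_ZONE = """\
$ORIGIN example.corp.
dc1                         IN A   10.0.0.5
_ldap._tcp                  IN SRV 0 100 389 dc1.example.corp.
_kerberos._tcp              IN SRV 0 100 88  dc1.example.corp.
_ldap._tcp.dc._msdcs        IN SRV 0 100 389 dc1.example.corp.
_kerberos._tcp.dc._msdcs    IN SRV 0 100 88  dc2.example.corp.
"""

# Locator names every AD domain registers (well-known subset, not exhaustive).
REQUIRED_SRV = ("_ldap._tcp", "_kerberos._tcp", "_ldap._tcp.dc._msdcs",
                "_kerberos._tcp.dc._msdcs", "_ldap._tcp.pdc._msdcs")

# Owner, optional TTL, class IN, then SRV priority weight port target / A address.
SRV_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
A_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\S+)$")

def parse_zone(text):
    """Return ({srv_owner: [(prio, weight, port, target)]}, {host: ip})."""
    srv, hosts = {}, {}
    for line in text.splitlines():
        line = line.split(";")[0].strip()      # drop comments and blanks
        if not line or line.startswith("$"):   # skip $ORIGIN/$TTL directives
            continue
        m = SRV_RE.match(line)
        if m:
            rec = (int(m[2]), int(m[3]), int(m[4]), m[5].rstrip("."))
            srv.setdefault(m[1], []).append(rec)
            continue
        m = A_RE.match(line)
        if m:
            hosts[m[1]] = m[2]
    return srv, hosts

def check_ad_srv(text, origin):
    """List missing locator names and SRV targets with no A record in the zone."""
    srv, hosts = parse_zone(text)
    missing = [name for name in REQUIRED_SRV if name not in srv]
    dangling = sorted({t for recs in srv.values() for _, _, _, t in recs
                       if t.endswith("." + origin)
                       and t[:-len(origin) - 1] not in hosts})
    return {"missing": missing, "dangling_targets": dangling}
```

Run against an exported zone, the report tells you which locator records the migration will need added before the first domain controller is promoted.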
- Co-existence or complete turnover? Windows Server 2003 provides two major options. The first is moving your domain controllers and clients completely over to Windows Server 2003. If you choose this option, you can take advantage of the new operating system features.
The second option is to live in a mixed mode environment, ideally with a Windows Server 2003 in NT PDC/BDC emulation mode (or with some NT PDCs/BDCs) and your clients running various Windows operating systems. A secondary question is how long you plan to stay in mixed mode. The answer should be “as short a period as the company can operationally and organizationally stand.”
- In-place upgrades or fresh installs on new hardware? Microsoft allows you to upgrade your current NT PDCs/BDCs to Windows Server 2003 (if compliant) or replace them with new hardware. The advantage of an in-place upgrade is that no new hardware is needed; your user information, third-party software, ACLs, and existing directory structure are all maintained and converted to the new system. The disadvantage is that if anything goes wrong during the conversion, you might find yourself dead in the water with a major outage.
- What will you monitor? Monitoring can help you avoid problems and also provides invaluable information when problems do occur. Those who want to stay with an all-Microsoft solution can use the Microsoft Operations Manager (MOM) with the Active Directory Management Pack. With over 40 reports and 400 pre-set monitoring rules available to help you evaluate your environment’s viability, MOM can:
- Monitor the health of all Active Directory components and their services
- Save performance information
- Evaluate replication health
- Report on query response and service level agreement compliance
- Allow anonymous LDAP operations? Performing LDAP operations such as queries under an anonymous ID is turned off by default, because an anonymous user might retrieve sensitive information about your servers and users.
Because you cannot tell who is behind an anonymous LDAP operation, you are potentially left with a big security hole. On the other hand, allowing anonymous access means that users will not have to authenticate to perform LDAP queries and other operations, thereby simplifying your operations and administration.
- Extend the schema? Those in vertical industries or using third-party applications may want to extend the Active Directory schema to better suit their specific needs. This is not a novice task, though, and should only be approached with a good deal of planning and understanding of the risks involved.
Staff and Organizational Concerns
Because so many systems administrators are concerned with the hardware, network, and software requirements, many admins overlook organizational concerns. Not having the right staff or training in place can be just as devastating to a project as a poor hardware configuration decision. Some guidelines to consider include:
- Early training of the migration staff team, including the decision-makers, is extremely important. A trained team can make informed decisions, anticipate user needs, and avoid possible bottlenecks.
- Before your delegation model is even started, decide which organizations and individuals will be administrators over which attributes and users. Plan ahead in order to preempt political decisions from bogging down the technical ones.
- You can never communicate too much on any project. Provide continuous updates and set expectations for the phase(s) to come.
As you can see, the decision to migrate your NT servers to 2003 is not a matter of if, but rather a matter of when. With the information outlined above, you should be able to start planning your migration with aplomb. Future articles will cover additional details of how to design, implement, and address post implementation concerns.
Official Microsoft Active Directory Site
Lots of great information and software utilities.
Active Directory Operations Guide
“In the trenches” advice to get you started administering Active Directory. There are many other planning and deploying guides on the Microsoft AD web site as well.
Windows Step-by-Step Guides
Step-by-step guides for performing many Active Directory operations.
Windows Server 2003/Migration
Windows Server 2003 Resources including Active Directory
news://microsoft.public.security – Security issues across Microsoft products.
news://microsoft.public.win2000.active_directory – General and technical Active Directory questions.
news://microsoft.public.win2000.setup_deployment – Deployment and implementation questions. Just starting to include Windows Server 2003 information.
Beth Cohen is president of Luth Computer Specialists, Inc., a consulting practice specializing in IT infrastructure for smaller companies. She has been in the trenches supporting company IT infrastructure for over 20 years in a number of different fields including architecture, construction, engineering, software, telecommunications, and research. She is currently consulting, teaching college IT courses, and writing a book about IT for the small enterprise.
Hallett German is an IT consultant who will soon launch Alessea Consulting, a company focusing on network identity and electronic directories/messaging consulting. He has twenty years experience in a variety of IT positions and in implementing stable infrastructures. He is the founder of the Northeast SAS Users Group and former President of the REXX Language Association. Hal is the author of three books on scripting languages. He is always on the lookout for challenging opportunities that will expand his directory, networking, and security skills.