Active Directory Migration Guide


Prepared by Microsoft
Version 1.0.0.0 Baseline
First published 17 March 2008

Copyright

This document and/or software (“this Content”) has been created in partnership with the National Health Service (NHS) in England. Intellectual Property Rights to this Content are jointly owned by Microsoft and the NHS in England, although both Microsoft and the NHS are entitled to independently exercise their rights of ownership. Microsoft acknowledges the contribution of the NHS in England through their Common User Interface programme to this Content. Readers are referred to www.cui.nhs.uk for further information on the NHS CUI Programme.

All trademarks are the property of their respective companies. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

© Microsoft Corporation and Crown Copyright 2008

Disclaimer

At the time of writing this document, Web sites are referenced using active hyperlinks to the correct Web page. Due to the dynamic nature of Web sites, in time, these links may become invalid. Microsoft is not responsible for the content of external Internet sites.

The example companies, organisations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organisation, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred.

TABLE OF CONTENTS

1 Executive Summary
2 Introduction
2.1 Value Proposition
2.2 Knowledge Prerequisites
2.2.1 Skills and Knowledge
2.2.2 Training and Assessment
2.3 Infrastructure Prerequisites
2.4 Audience
2.5 Assumptions
3 Using This Document
3.1 Document Structure
4 Envision
4.1 Active Directory Overview
4.2 Initial State Environment
4.2.1 Public Domain Active Directory Migration Guidance
4.2.2 Microsoft Healthcare Platform Optimisation Active Directory Migration Guidance
4.2.3 Technology Scenarios
4.3 End State Environment
5 Plan
5.1 Migration Type
5.1.1 New Active Directory or In-Place (Upgrade) Migration
5.1.2 Direct or Phased Migration
5.2 Evaluating the Existing Environment
5.3 Scope of Migration
5.3.1 Users
5.3.2 Groups
5.3.3 Computers
5.3.4 Printers
5.3.5 Data
5.3.6 Login Scripts
5.4 Migration Process
5.4.1 Manual Migration
5.4.2 Automated Migration
5.5 Migration Tools Available
5.5.1 Migrating from Microsoft Operating Systems
5.5.2 Migrating from Novell NetWare Operating Systems
6 Develop
6.1 Windows NT 4.0 Domain or Active Directory Migration
6.1.1 ADMT Prerequisites
6.1.2 Installing ADMT
6.1.3 Enabling Password Migration
6.1.4 Configuring ADMT
6.1.5 ADMT Option File and Include File
6.2 Novell NetWare Migration
6.2.1 Microsoft SfN Prerequisites
6.2.2 Installing Microsoft Services for Netware
6.2.3 Directory Synchronisation Using MSDSS
6.2.4 Password Synchronisation Using MSDSS
7 Stabilise
7.1 Migration Test Process
7.1.1 Pilot
7.2 Reviewing Log Files
7.2.1 Microsoft Migration Logs
7.2.2 Novell Migration Logs
APPENDIX A Skills and Training Resources
PART I Microsoft Active Directory 2003
PART II Active Directory Migration
APPENDIX B ADMT Sample Option File
APPENDIX C Document Information
PART I Terms and Abbreviations
PART II References

1 EXECUTIVE SUMMARY

The Active Directory Migration Guide will help accelerate the planning and subsequent migration to Microsoft® Windows Server® 2003 Active Directory® within a healthcare organisation, and help bring about a reduction in diversity of server operating systems.

The Active Directory Design Guide¹ provides a healthcare organisation with the information required to design a new Active Directory infrastructure. This document (Active Directory Migration Guide) provides guidance and current best practice specific to the healthcare industry for the planning and creation of an Active Directory migration solution.

This document includes guidance for a healthcare organisation migrating from the following:

• Microsoft Windows NT® Server 4.0 domains
• Microsoft Windows® 2000 Server Active Directory
• Microsoft Windows Server 2003 Active Directory
• Novell Directory Services® (NDS) 4.x, 5.x and 6.x

¹ Active Directory Design Guide {R1}: http://www.microsoft.com/industry/healthcare/technology/hpo/security/activedirectory.aspx

2 INTRODUCTION

At present, healthcare organisations typically use one of a number of solutions available for user authentication and providing access to resources. Should a healthcare organisation wish to deploy Active Directory within their environment, they need to first ascertain how the users, computers, applications, data and other resources will be migrated across.

This document is a component of the strategic Microsoft infrastructure guidance provided through Microsoft Healthcare Platform Optimisation. It provides current best practice guidance, sample scripts and specific design decision recommendations on migrating to Microsoft Windows Server 2003 Active Directory from a number of different network operating systems.

2.1 Value Proposition

This document provides guidance on the planning aspects required to carry out an Active Directory migration, and the tools and utilities that can be used. The guidance is designed to:

• Help identify potential design and deployment risks
• Provide rapid knowledge transfer to reduce the learning curve of designing an Active Directory migration solution
• Establish some preliminary design decisions before moving ahead with the migration
• Provide a consolidation of relevant and publicly available best practice guidance for Active Directory migration that:
  • Focuses on guidance specific to healthcare scenarios
  • Reduces the need for decision making by making recommendations where appropriate

2.2 Knowledge Prerequisites

To implement the recommendations in this document effectively, a number of knowledge-based and environmental infrastructure prerequisites should be in place. This section outlines the required knowledge and skills to use the Active Directory Migration Guide, and provides suggested training and skill assessment resources to make the most of this guidance. The necessary infrastructure prerequisites are detailed in section 2.3.

2.2.1 Skills and Knowledge

The technical knowledge and minimum skills required to use the Deliverable are:

• Windows Server 2003 Active Directory and Windows 2000 Server Active Directory:
  • Active Directory design concepts
  • Organisational Unit design
• Windows NT Server 4.0 operating system (if migrating from this environment):
  • Administrative knowledge for maintaining users and computers
• NDS or Bindery (if migrating from a Novell® environment):
  • NDS or Bindery object properties for mapping to Active Directory
• Migration Tools:
  • Active Directory Migration Tool, if migrating from a Microsoft environment
  • Microsoft Services for NetWare, if migrating from a Novell environment

2.2.2 Training and Assessment

Guidelines on the basic skill sets required to make best use of this Deliverable are detailed in APPENDIX A. These represent the training courses and other resources available. However, all courses mentioned are optional and can be provided by a variety of certified training partners.

2.3 Infrastructure Prerequisites

The following are prerequisites for using the Active Directory Migration Guide within a healthcare organisation:

• Available hardware and Windows Server 2003 software for installing the migration tools
• Full administrative rights to all domains, servers and objects involved in the migration

2.4 Audience

The guidance contained in this document is targeted at a variety of roles within the healthcare IT organisations. Table 1 provides a reading guide for this document, illustrating the roles and the sections of the document that are likely to be of most interest. The structure of these sections is described in section 3.1.

Role | Document Usage
IT Manager | Review the relevant areas within the document to understand the justification and drivers, and to develop an understanding of the implementation requirements
IT Architect | Review the relevant areas within the document against local architecture strategy and implementation plans
IT Professional/Administrator | Detailed review and implementation of the guidance to meet local requirements

[Section columns: Executive Summary, Envision, Plan, Develop, Stabilise, Operate]

Table 1: Document Audience

2.5 Assumptions

The guidance provided in this document assumes that healthcare organisations that want to share services and resources between sites already have suitable Internet Protocol (IP) Addressing schemes to enable successful site-to-site communication (that is, unique IP Addressing schemes assigned to each participating healthcare organisation with no overlap). Active Directory and the underlying Domain Name System (DNS) require the use of unique IP Addressing schemes at adjoining sites for cross-site communication to function successfully. The use of NAT (Network Address Translation) within an Active Directory environment is neither recommended nor supported by Microsoft.

3 USING THIS DOCUMENT

This document is intended for use by healthcare organisations and IT administrators who wish to migrate to Windows Server 2003 Active Directory. The document should be used to assist with the planning and implementation of a migration solution and as a reference guide for the most common tasks involved.

3.1 Document Structure

This document contains four sections that deal with the project lifecycle, as illustrated in Figure 1:

• Envision
• Plan
• Develop
• Stabilise

Each section is based on the Microsoft IT Project Lifecycle as defined in the Microsoft Solutions Framework (MSF) Process Model, and the Microsoft Operations Framework (MOF). The IT Project Lifecycle is described in more detail in the Microsoft Solutions Framework Core White Papers² and the MOF Executive Overview³. The MSF Process Model and MOF describe a high-level sequence of activities for building, deploying and managing IT solutions. Rather than prescribing a specific series of procedures, they are flexible enough to accommodate a broad range of IT projects.

Figure 1: MSF Process Model Phases and Document Structure

² Microsoft Solutions Framework Core Whitepapers {R2}: http://www.microsoft.com/downloads/details.aspx?FamilyID=e481cb0b-ac05-42a6-bab8-fc886956790e&DisplayLang=en
³ MOF Executive Overview {R3}: http://www.microsoft.com/technet/solutionaccelerators/cits/mo/mof/mofeo.mspx

Page 9: Active Directory Migration Guide

Active DirectoryVersion 1.0.0.0

4 ENVISION

The Envision phase addresses one of the most fundamental requirements for success in any project: unification of the project team behind a common vision. There must be a clear vision of what is to be accomplished such that it can be stated in clear terms. Envisioning, by creating a high-level view of the overall goals and constraints, will serve as an early form of planning, and sets the stage for the more formal planning process that will take place during the planning phase.

Figure 2 acts as a high-level checklist, illustrating the sequence of events that should be undertaken when envisioning an Active Directory migration within a healthcare organisation:

[Figure 2 diagram. Labels: Envisioning an Active Directory Migration; Active Directory Overview; Initial State Environment; Public Domain Active Directory Migration Guidance; Microsoft Healthcare Platform Optimisation Active Directory Migration Guidance; Technology Scenarios; Microsoft Windows NT 4.0; Microsoft Windows 2000/2003 Active Directory; Novell NetWare; End State Environment]

Figure 2: Sequence for Envisioning an Active Directory Migration

4.1 Active Directory Overview

Active Directory is the network-focused directory service included in the Windows 2000 Server and Windows Server 2003 operating systems. Active Directory provides an extensible and scalable service that enables network authentication, administration and management of directory services to an organisation running a Windows-based network infrastructure.

4.2 Initial State Environment

A migration to Active Directory can be a complex undertaking and there are many different approaches to completing such a project. Microsoft Healthcare Platform Optimisation seeks to provide healthcare-specific guidance to reduce the complexity of planning a migration to Active Directory within a healthcare organisation, thereby reducing the support and management requirements for the migration. The provision of a standardised design approach, including key design recommendations, will reduce the time and effort required to design and migrate users and computers to Active Directory within the healthcare organisation.


4.2.1 Public Domain Active Directory Migration Guidance

The Internet hosts many Web sites, documents and guidance that provide assistance in understanding the various aspects involved in a migration. This information can be hard to navigate, and can contain inconsistencies or out-of-date information. This document seeks to provide accurate and current best practice guidance, much of which is based on a number of publicly available sources of information for migrating to Active Directory. It also provides guidance from multiple current server operating systems in use. These sources include:

• Migrating from Windows NT Server 4.0 to Windows Server 2003 Active Directory [4], which provides information on migration methods and Active Directory considerations

• Designing and Deploying Directory and Security Services [5], which provides specific chapters on both upgrading and restructuring Windows NT Server 4.0 domains and Active Directory domains

• ADMT v3 Migration Guide [6], which details how to use the Active Directory Migration Tool (ADMT) version 3 to migrate and restructure Windows NT Server 4.0 domains and Active Directory domains

• Migrating Novell NetWare to Windows Server 2003 [7], which details how to deploy Windows Server 2003 Active Directory into an existing NetWare environment and on migrating NetWare Directory Service (NDS) objects to Active Directory

• Solution for Migrating File, Print, and Directory Services from Novell NetWare to Windows Server 2003, which provides information on planning, testing and deploying a migration solution. This information can be downloaded as a Microsoft Office Word document or browsed online:

  • To download the Word document, visit the Download Center [8]

  • To view the information online, visit the Technet Library [9]

• Microsoft Services for NetWare 5.03 White Paper [10], which provides detailed technical reference information on the use of Services for NetWare (SfN)

[4] Migrating from Windows NT Server 4.0 to Windows Server 2003 {R4}: http://www.microsoft.com/downloads/details.aspx?familyid=E92CF6A0-76F0-4E25-8DE0-19544062A6E6&displaylang=en

[5] Designing and Deploying Directory and Security Services {R5}: http://technet2.microsoft.com/windowsserver/en/library/d2ff1315-1712-48e4-acdc-8cae1b593eb11033.mspx

[6] ADMT v3 Migration Guide {R6}: http://www.microsoft.com/downloads/details.aspx?familyid=D99EF770-3BBB-4B9E-A8BC-01E9F7EF7342&displaylang=en

[7] SFNmig.doc available for download from NetWare to Windows Server 2003 Migration Planning Guide {R7}: http://www.microsoft.com/windowsserver2003/techinfo/overview/sfnmig.mspx

[8] Microsoft Word document available for download from Solution for Migrating File, Print, and Directory Services from Novell NetWare to Windows Server 2003 {R8}: http://go.microsoft.com/fwlink/?LinkID=46606

[9] Solution for Migrating File, Print, and Directory Services from Novell NetWare to Windows Server 2003 {R9}: http://technet.microsoft.com/en-gb/library/bb496964.aspx

[10] Services for NetWare 5.03 White Paper {R10}: http://www.microsoft.com/windowsserver2003/techinfo/overview/sfn503wp.mspx

4.2.2 Microsoft Healthcare Platform Optimisation Active Directory Migration Guidance

The guidance provided within this document is predominantly based on the information in the sources listed in section 4.2.1, which has only been included where it is deemed relevant to the healthcare industry. Coupled with this is current best practice guidance, which is provided to help a
healthcare organisation make decisions in order to plan a migration solution that meets their requirements.

The referenced documentation is not expected to be a universal solution for all healthcare organisations, but rather a set of design choices and best practices that can be used to initiate the local directory services migration solution, understand what decisions are available, why a decision is made, and how to implement that decision.

This Active Directory guidance endeavours not to repeat content from public documentation, but to provide a consolidated, organised and structured reference list to the documents listed in section 4.2.1. It highlights recommendations when it is appropriate for a typical healthcare organisation to deviate from the current default installation configurations of the tools available, when migrating to Windows Server 2003 Active Directory.

4.2.3 Technology Scenarios

This guide aims to provide current best practice recommendations on how to migrate user and computer accounts to Active Directory. There are three scenarios covered by this guidance, to which a healthcare organisation can map their environment. These scenarios are:

• Microsoft Windows NT Server 4.0 domain(s)

• Active Directory domain(s)

• Novell NetWare® (either NetWare 3.x Binderies or NDS)

The following diagrams in this section represent some example environments and illustrate the scenarios covered in this guidance.

4.2.3.1 Microsoft Windows NT Server 4.0

Figure 3 represents a simple implementation of two Windows NT 4.0 domains with a two-way trust relationship between them:

Figure 3: Microsoft Windows NT 4.0 Domain Scenario

Where an organisation still utilises Windows NT 4.0 domains, it is common to find domains deployed within each physical location of the organisation. Trust relationships are then created between them, in order to share resources amongst the users.


Figure 3 could, for example, represent a centralised account domain where both user and computer accounts reside, with resource domains distributed throughout the remote sites. In turn, these resource domains then trust the account domain with a one-way trust; however, it is also common to find that a two-way trust is used.

Whether there are only a few Windows NT 4.0 domains or over 100, with a complicated implementation of trust relationships between them, the migration of user and computer accounts to an Active Directory environment is dealt with in a similar manner.

4.2.3.2 Active Directory

Figure 4 represents the implementation of an Active Directory directory service:

Figure 4: Microsoft Windows 2000/2003 Active Directory Scenario

The migration from an existing Active Directory forest to a current best practice Active Directory environment is included in this guidance. Migration information is provided from both a Windows 2000 Server domain or forest and a Windows Server 2003 domain or forest. The purpose of including a migration of this type is for those healthcare organisations that have Active Directory deployed, but did not follow current best practice guidance when designing the Active Directory infrastructure. This can typically result from the deployment of an application that had an Active Directory requirement, and the project scope for the delivery of the application did not include a detailed design for Active Directory.

A healthcare organisation can use the Active Directory Design Guide {R1} to aid in the production of a new Active Directory design. They will then be able to use this migration guidance to migrate the Active Directory objects from one or more Active Directory domains to the new Active Directory domain.


4.2.3.3 Novell NetWare

Figure 5 represents the implementation of a Novell NetWare-based authentication mechanism for the healthcare organisation’s users and computers:

Figure 5: Novell NetWare Scenario

This guidance covers in detail the options available and the current best practice methods to migrate from an NDS using NetWare version 4.x, 5.x or 6.x to a Windows Server 2003 Active Directory. While this guidance focuses on these NetWare versions, it is still possible to use this guidance if migrating from an implementation of a Novell eDirectory™ environment or a Novell NetWare 3.x environment (that uses binderies to store user accounts and other resource information).

4.3 End State Environment

The Active Directory migration guidance in this document will help lead a healthcare organisation through the process of making complex design and implementation decisions to migrate to an Active Directory infrastructure.

Whilst no Active Directory migration guidance can be all encompassing, this document enables a healthcare organisation to simplify the decision process, whilst allowing them to consider local requirements. This will enable the organisation to migrate users, computers and other resources to the new Active Directory environment.

This guidance, when used with the Active Directory Design Guide {R1}, can assist a healthcare organisation in implementing a directory service that can reduce diversity in Active Directory designs across the organisation, aiding in the supportability of the healthcare organisations’ directory services.


5 PLAN

The Plan phase is where the bulk of the implementation planning is completed. During this phase, the areas for further analysis are identified and a design process commences.

Figure 6 acts as a high-level checklist, illustrating the sequence of events that the IT Manager and IT Architect need to determine when planning for an Active Directory migration solution within a healthcare organisation:

Figure 6: Sequence for Planning an Active Directory Migration

5.1 Migration Type

The initial decisions to be made as part of a migration project are to first ascertain how to create the new Active Directory environment and then the approach as to how objects will be migrated to it.

There are two ways in which a healthcare organisation can build the new Active Directory environment. The current environment may determine the way in which the environment is built:

• If a healthcare organisation currently uses a Windows NT 4.0 domain or a Windows 2000 Active Directory, it is possible to carry out an in-place migration to Windows Server 2003 and the new Active Directory environment


• If a healthcare organisation currently uses Novell NetWare, or has an Active Directory environment that does not meet the needs of the healthcare organisation, a new Active Directory installation should be deployed

There are also two ways in which a healthcare organisation can populate the new Active Directory environment with the objects that should be migrated from the old environment:

• A Direct migration approach involves the migration of all users, groups, computers, and any other objects required, typically within a one-time migration

• A Phased migration approach enables a healthcare organisation to migrate various objects while maintaining both the old and new environments using trust relationships or synchronisation tools during the transition period

5.1.1 New Active Directory or In-Place (Upgrade) Migration

The decision on whether a new Active Directory environment is created from a fresh installation or is an in-place migration should consider some basic advantages and disadvantages as detailed below.

Important

The in-place migration approach is not available to healthcare organisations that are looking to migrate to Active Directory from Novell NetWare; therefore, they must use the new Active Directory method.

The creation of a new Active Directory installation provides a clean environment that is not populated with users or computers that potentially no longer exist. It also allows a clear distinction between the old and new environments and allows the old environment to remain in place, which can act as part of a rollback facility should issues occur during the migration.

A disadvantage of creating a new Active Directory installation is that all computers that are members of the old environment need to have their computer accounts migrated through a manual or automated/scripted process. The same process needs to take place for the user accounts that need to be migrated. These disadvantages can be addressed using migration tools such as the Active Directory Migration Tool (ADMT) or the Microsoft Directory Synchronization Services (MSDSS) utility.

It is important to also consider the hardware requirements for the in-place migration approach. If a healthcare organisation is assessing an in-place migration from a Windows NT 4.0 domain, the server to be used should be both the Primary Domain Controller (PDC) and be capable of running Windows Server 2003. If the server is not capable of running Windows Server 2003, a common approach is to install Windows NT 4.0 as a Backup Domain Controller (BDC) on a new server that does meet the hardware requirements of Windows Server 2003, and to promote this as the PDC. This server can then be upgraded to Windows Server 2003, retaining the user and computer objects.

Caution

If a new server is to be purchased to install Windows NT 4.0 and subsequently upgraded to Windows Server 2003, ensure the hardware vendor provides Windows NT 4.0 drivers for the server because many new servers fail to run the Windows NT 4.0 operating system properly, due to the lack of available drivers.

Recommendation

It is recommended that a new Active Directory installation is deployed to introduce a clean environment that can be designed from the ground up. Use the Active Directory Design Guide {R1} to aid in the designing of the new Active Directory.


5.1.2 Direct or Phased Migration

Once the decision has been made on how to implement the new Active Directory environment, a decision needs to be made on whether the migration takes a direct or phased approach.

A direct migration is one that involves the migration of all objects including servers, users, groups, client computers, and so on, in a single, one-time migration. This approach should only be used where any earlier systems, such as a Windows NT 4.0 PDC or BDC, or a NetWare server, are no longer required (as all applications have been replaced or relocated away from these servers). Servers running Windows 2000 Server that act as a domain controller can be demoted and act as a member server. This process should be fully tested in a test environment as an issue could require a rollback of changes, which could mean having to revisit all the computers that have already been migrated to the new environment.

A phased migration, also referred to as a staged migration, involves running the new and old environment in parallel for a period of time. This enables the migration to be split into more manageable stages, therefore reducing the element of risk involved. This also allows easier rollback of the changes made. This is because the IT administrators have a more focused view on a specific stage, as opposed to an entire migration completed at one time.

Recommendation

It is recommended that a healthcare organisation use the phased migration approach due to the potential complexity and size of their environment. This allows IT administrators to focus on easily managed stages, cater for easier rollback, should issues occur, as well as reducing the risk involved in a migration.

In a phased migration, it is important to make both the old and new environments accessible, whether through trusts or synchronisation. In a Windows-based environment, this can occur through the use of external trust relationships, whereas in a Novell environment […] tools to synchronise directory information.

5.2 Evaluating the Existing Environment

The aim of evaluating the existing environment is to understand the infrastructure that is currently in place and to be aware of the risks involved in such a migration project. The aim is to also reduce the potential for unforeseen issues, which may arise during the actual migration.

As part of the evaluation, a number of infrastructure areas should be assessed and documented as listed in Table 2:

| Infrastructure Area | Comment |
|---|---|
| Network Diagram | The current network should be documented in a diagram to show the location of servers, […] such as file server, Web server, database server, and so on. For each server, the […] version, patch revision, and the transport protocols that are in use should also be documented |
| Printers | Ensure all printers currently used within the environment can continue to be used once migrated. Especially in NetWare environments, where a printer currently uses the Internetwork Packet Exchange ( […] ensure it can use TCP/IP. If not, the printer may need replacing. |
| Network stored information | All information stored on the network servers needs to be identified, whether it is user […] data. The location of the data, who is responsible for it, which users have access to it and the security requirements for data storage must also be noted. |
| Server operating systems dependent software | Ensure that if any software installed on a server to be decommissioned is still required […] migration process. This involves documenting the version installed, any configuration and whether or not the software can run on Windows Server 2003. If not, the software may need updating or repla[…] |

element of risk involved. This also allows easier the IT administrators have a more focused view on

use the phased migration approach due to the potential focus on easily managed

reducing the risk involved in a direct

In a phased migration, it is important to make both the old and new environments accessible, based environment, this can occur

whereas in a Novell environment, this involves using

tructure that is currently in project. The aim is to also reduce

which may arise during the actual migration.

As part of the evaluation, a number of infrastructure areas should be assessed and documented as

location of servers, and the server type,

the server operating system’s

should also be documented.

Ensure all printers currently used within the environment can continue to be used once migrated. Especially

Internetwork Packet Exchange (IPX) protocol,

is user data or application

, which users have access to it and the security

is still required, it is catered for in the

migration process. This involves documenting the version installed, any configuration and whether or not the

software can run on Windows Server 2003. If not, the software may need updating or replacing.


Infrastructure Area | Comment

Local Area Networks (LAN)/Wide Area Networks (WAN) links | Along with the network diagram detailing the servers, it is also important to create a diagram that includes the network links in place and the available bandwidth. This is a prerequisite for an Active Directory design.

User environment properties | This includes the identification of login scripts, system or group policies in place, and home folder locations.

Health of current domain or NDS | This primarily refers to the synchronisation between servers but also to the server operating system. For NT4 domains or Active Directory, ensure replication is occurring properly between domain controllers and the event viewer does not contain any unexpected errors. For Novell servers, use tools such as DSTRACE and DSREPAIR to verify synchronisation.

Systems to be migrated | Determine which servers are to be migrated or decommissioned. As part of this, understand which users, groups, computers, files, and databases will be affected.

Table 2: Evaluating the Existing Environment

5.3 Scope of Migration

As part of any migration project, it is important to understand all the components that are to be migrated. As part of the infrastructure documentation listed in Table 2, the evaluation of the systems to be migrated enables each of the individual objects for migration to be identified. This includes:

• Users

• Groups

• Computers

• Printers

• Data

• Login scripts

For each of these, document the details such as:

• Current name (including domain name if a user, group or computer account)

• Target name (especially if domain consolidation is part of the migration and multiple objects currently share the same name)

• Current location (both physically and logically within the domain or NDS Tree)

• Target destination (the Active Directory organisational unit (OU) to which the object will be migrated, and the location of a server if a physical move of the server takes place)


5.3.1 Users

Different types of user accounts have different requirements and access needs. Typically, a user account can be placed into one of three categories:

• IT administrator

• Service account

• Standard user

Migrating to a new Active Directory environment provides an ideal opportunity to ensure that appropriate administrative accounts are created. These administrative accounts are those that are used by members of the IT department or that are delegated certain permissions. These are not the day-to-day accounts for users, but rather the accounts that should be used to run administrative tasks.

Recommendations

Administrators, or those users being delegated administrative rights for certain job role functions, should not have administrative permissions granted to their normal day-to-day accounts. Instead, a separate account should be created with the appropriate rights and permissions. The user should then use the ‘Run as’ feature to carry out this portion of their responsibilities. For more information on the current best practice method of using Run as, see the Windows Server 2003 Product Help Web page Using Run as¹¹.

The migration of user accounts should be carried out using the following order:

1. Administrative accounts

2. Service accounts

3. User accounts

If migrating from an NDS environment, a user is uniquely identified through the distinguished name, and not the common name (CN). For example, when creating a user in NDS, a common name could be specified as Anna, whereas the NDS distinguished name could be Anna Bedecs. If another user existed in a different NDS organisational unit with the common name of Anna, but with an NDS distinguished name of Anna Lidman, this is allowed. However, in Active Directory, user account names must be unique across the whole domain, not just the OU, as is the case in NDS.

Note

The specific user account names that need to be unique in Active Directory are:

• Distinguished Name (DN)

• Relative Distinguished Name

• SamAccountName

If both users were to be migrated, the first user migrated would have the logon name Anna, but the second user would have the logon name Anna0. The Active Directory Design Guide {R1} provides information on naming conventions, including users with the same name.

Recommendation

If users exist with the same name, it is recommended that a healthcare organisation change the logon names of the users within NDS, to make them unique, prior to the migration.

The same process should be applied to users with the same name that currently exist in different Windows NT or Active Directory domains that are being restructured into a single Active Directory domain.

11 Using Run as {R11}: http://technet2.microsoft.com/windowsserver/en/library/8782f8ab-9538-4111-8a68-7bfd130c21c01033.mspx?mfr=true
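A pre-migration check for the naming rules in section 5.3.1, as an added example that is not part of the guide: it reads an inventory holding the fields the guide asks to be documented, sorts it into the guide's migration order, and reports logon-name and DN collisions before a migration tool assigns a name such as Anna0. The CSV layout, source locations, domain and OU names are constructed for illustration; the 20-character and forbidden-character checks reflect Active Directory's sAMAccountName rules for user objects rather than anything stated in the guide.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory: names, domains and OUs are illustrative only.
# Columns follow the guide's list: current name, current location,
# target name (logon name and CN) and target destination (OU).
INVENTORY_CSV = """\
category,current_location,current_name,target_logon,target_cn,target_ou
user,NDS:Radiology.TrustA,Anna,Anna,Anna Bedecs,"OU=Staff,DC=corp,DC=example"
user,NDS:Pharmacy.TrustA,Anna,Anna,Anna Lidman,"OU=Staff,DC=corp,DC=example"
user,NT4:WARD-DOM,JSMITH,jsmith,John Smith,"OU=Staff,DC=corp,DC=example"
admin,NT4:LAB-DOM,jsmith,JSmith,John Smith,"OU=Staff,DC=corp,DC=example"
service,NT4:LAB-DOM,svc_pathology_reporting,svc_pathology_reporting,svc_pathology_reporting,"OU=Service,DC=corp,DC=example"
admin,NDS:IT.TrustA,klee,adm-klee,adm-klee,"OU=Admins,DC=corp,DC=example"
"""

# Migration order recommended by the guide: admin, service, then user accounts.
MIGRATION_ORDER = {"admin": 0, "service": 1, "user": 2}
SAM_MAX_LEN = 20                        # length limit for a user's sAMAccountName
SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')  # characters not allowed in sAMAccountName


def load_inventory(text):
    """Parse the CSV and return the rows in migration order."""
    rows = [{k: v.strip() for k, v in r.items()}
            for r in csv.DictReader(io.StringIO(text))]
    # sorted() is stable, so file order is preserved inside each category.
    return sorted(rows, key=lambda r: MIGRATION_ORDER[r["category"]])


def source_id(row):
    """Identify an account by where it lives today, e.g. NT4:LAB-DOM\\jsmith."""
    return f'{row["current_location"]}\\{row["current_name"]}'


def _groups(rows, key):
    """Group source accounts by key and keep only keys claimed more than once."""
    found = defaultdict(list)
    for row in rows:
        found[key(row)].append(source_id(row))
    return {k: v for k, v in found.items() if len(v) > 1}


def sam_collisions(rows):
    """Logon names claimed by several accounts, domain-wide, ignoring case."""
    return _groups(rows, lambda r: r["target_logon"].casefold())


def dn_collisions(rows):
    """Target DNs claimed more than once (same RDN inside the same OU)."""
    return _groups(
        rows, lambda r: f'CN={r["target_cn"]},{r["target_ou"]}'.casefold())


def invalid_logons(rows):
    """Logon names that break the length or character rules."""
    problems = []
    for row in rows:
        name = row["target_logon"]
        if len(name) > SAM_MAX_LEN:
            problems.append(
                (source_id(row), f"longer than {SAM_MAX_LEN} characters"))
        if SAM_FORBIDDEN & set(name):
            problems.append((source_id(row), "contains a forbidden character"))
    return problems


def would_lose_name(rows):
    """Accounts that are not the first claimant of a logon name, so would be
    renamed by the tool (the guide's Anna0 case) unless fixed at the source."""
    return sorted(src for claimants in sam_collisions(rows).values()
                  for src in claimants[1:])


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    for name, claimants in sam_collisions(inventory).items():
        print(f"logon name '{name}' claimed by: {', '.join(claimants)}")
    for dn, claimants in dn_collisions(inventory).items():
        print(f"target DN '{dn}' claimed by: {', '.join(claimants)}")
    for src, reason in invalid_logons(inventory):
        print(f"{src}: target logon name {reason}")
    print("rename at source before migrating:", would_lose_name(inventory))
```

In the constructed data the administrative jsmith and an unrelated standard user JSMITH collide on both logon name and DN, which is the consolidation case the guide's last paragraph warns about.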


5.3.2 Groups

Groups are a common object found in all current server operating systems and must be catered for in the migration.

If migrating from NDS using MSDSS, any NDS organisation or NDS OU that will be part of the migration will have a domain local security group created in Active Directory. These domain local security groups will then be mapped to the corresponding NDS organisation or NDS OU.

In a Windows NT 4.0 environment, a local group is converted to a domain local security group and a global group converts to a global security group. If migrating groups, and user membership of their groups is still required, Security Identification (SID) history must also be migrated. SID history migration is completed using ADMT v3, which can automatically configure the old and new domains as part of the installation and initial usage process.

Caution

A global group migration process can consume large amounts of network resources, as well as local resources on the domain controller in the target domain. Therefore, a global group migration should be completed outside of normal or peak working periods.

5.3.3 Computers

As with users, computers can also be placed into their different categories such as:

• Servers

• Desktops

• Portable computers

Each computer type will need different considerations when being migrated to the new environment. These computer types are discussed in more detail below.

5.3.3.1 Servers

Servers require particular focus and the amount of effort required to migrate them is highly dependent upon the current role they play within the existing infrastructure.

For example, a server running Windows Server 2003 configured as a member server, and operating as an intranet Web site for users, could be migrated without many configuration changes. However, a Novell NetWare server authenticating users and running an unsupported application could require a lot more planning to migrate and potentially to decommission.

Recommendation

Replacing existing directory-enabled services or applications with new Active Directory-enabled software is a task that should be performed independently of the migration of NetWare users, groups, distribution lists, organisational units, organisations, and files.


5.3.3.2 Desktops

Desktops are commonly seen as one of the easiest objects to migrate. However, there are areas that need careful consideration and can sometimes be overlooked.

For example, in an environment where a computer currently runs a small application that requires the Microsoft Windows® 98 operating system to operate, if secure communication is required between the server and client computer, the computer will require the Active Directory Client Extension (DSClient) to be installed. This is also the case for Windows NT 4.0 client computers. These computers will therefore require a resource to manually install the software required, which takes additional time and planning.

Recommendation

It is highly recommended that if a healthcare organisation has computers with the Microsoft Windows 95®, Windows 98 or Microsoft Windows NT® Workstation 4.0 operating systems installed, which will become part of the new Active Directory environment, the DSClient is installed for more secure communication between the server and client computer (through the use of the NTLMv2 level of LAN Manager Authentication).

In a NetWare environment, a computer would typically have the Novell Client32 or Novell Client for Windows software installed. As part of the migration, the Client32 software would need to be removed and the computer would then use the Windows client for user authentication to the new environment. This Client32 software can either be removed manually or via a script that is run through a login script or batch command file.

As part of a migration from a Microsoft or Novell environment, unless an in-place migration is taking place, all desktops will need to be configured with new domain membership to become part of the new environment.

Important

One of the most common failures during a migration of computer accounts is due to the desktop computer being switched off and, as such, it cannot be migrated. It is important for a communication to be sent out to all computer users informing them that computers must be left on for the duration of the migration.

5.3.3.3 Portable Computers

Migrating portable computers is a similar process to that involved in migrating desktops but with one additional complication. Due to the nature of portable computers, it can be difficult to ensure the computer accounts for these computers are migrated to the new environment. This is typically because the computers are not connected to the network outside of normal working hours, as users take the computers home.

It is important to have a process in place whereby users can bring their portable computers into the workplace to have them migrated during normal working hours. Alternatively, provide a secure location for users to leave them overnight, or during other periods outside of normal working hours.

Recommendation

A migration project should contain a schedule of which computer will be migrated and at what time. This should be clearly communicated to users so that they are aware when their portable computers are required to be connected to the network for successful migration and to help keep the project within the allotted timeframe.


5.3.4 Printers

Printers are an important resource to users and access to them must be maintained at all stages of the migration.

Important

If all printers used in a Novell environment are required to be migrated to the new environment, ensure that the printers can be printed to using TCP/IP and not just IPX.

If migrating from a Windows-based environment, the Microsoft Windows Server 2003 Print Migrator tool can be used to migrate printers from a print server running Microsoft Windows NT 4.0, Microsoft Windows 2000 or Microsoft Windows Server 2003.

The Print Migrator Tool 3.1 can be downloaded from the Microsoft Download Web site¹².

A technical document providing detailed information around planning, deploying and managing Windows based print servers using the Print Migrator tool can be downloaded from the Microsoft Download Web site¹³.

In a Novell environment, print queues made available through a NetWare server can still be used through the Client Service for NetWare (CSNW), until the printers are migrated to the new environment. For more information on the CSNW, see the Client Service for NetWare Windows Server 2003 Product Help Web page¹⁴.

5.3.5 Data

In Novell environments, the File Migration Utility (FMU), which is part of SfN, can be used. When using MSDSS, it is possible to complete a migration that includes an option for a file migration. This option creates a migration log that the FMU can use to maintain users’ access rights to their data.

In Microsoft environments, use a backup and restore method to migrate the data and use a tool such as Robocopy to ensure that any files updated by users during the backup and restore process are kept up to date. Shared folders cannot be migrated, so a tool such as the Windows Server 2003 Resource Kit tool (Permcopy.exe) can be used to copy the permissions from a source share path to a target share path.

5.3.6 Login Scripts

Login scripts can currently take the form of batch files, such as a .cmd or .bat file, a KiXtart script (commonly referred to as a KIX script), or other proprietary scripting languages typically found within a NetWare environment. Migration of these scripts requires careful planning when migrating into an Active Directory environment.

Active Directory provides the ability to specify a batch file (configured in the user properties) as the login script for individual users. It also provides the batch file processing method when using Group Policy objects (GPOs). Using GPOs, a healthcare organisation can specify startup, logon, logoff and shutdown scripts, providing a very precise control over when the scripts are run.

12 Print Migrator Tool 3.1 {R12}: http://download.microsoft.com/download/4/5/2/452d431e-5a5c-43bd-b398-6fc27208e001/printmig.exe

13 Microsoft Print Migrator 3.1 {R13}: http://download.microsoft.com/download/2/e/5/2e57d536-2bb5-40f1-b52d-a11f5aae2e22/Microsoft%20Print%20Migrator%203.1.doc

14 Client Service for NetWare {R14}: http://technet2.microsoft.com/windowsserver/en/library/eda1cc2b-c3cc-4845-add0-503439f6d1271033.mspx?mfr=true


5.4 Migration Process

Two options exist for a migration process; a manual migration, or an automated migration through the use of tools. The option used is mainly dependent upon the following:

• The size of the migration (number of objects to migrate)

• Whether the objects that exist in the current environment are valid or not ([…] invalid object is when a user account exists for a user that has left employment […]

• The configuration of objects such as access control lists (ACLs) of files and so on

5.4.1 Manual Migration

A manual migration process is one that involves re-entering user accounts, computer accounts and group membership, and the securing of files and folders that are copied across to the new environment.

This option is typically used in an environment where:

• The number of objects to migrate is relatively small

• The objects need extensive updating due to inaccuracy of the objects’ properties

• The information to be migrated is out of date and no longer required

• The investment in learning, installing and using the migration tools could take longer than the manual migration process itself

5.4.2 Automated Migration

An automated migration process uses tools to populate the new environment with information and data taken from the current environment. This option is typically used in situations where a large number of objects and files need to be migrated and these already exist in the current environment.

Recommendation

A healthcare organisation should use an automated migration process due to the number of objects typically found within the environment and the data security already put in place.

The tools available to use as part of the migration depend upon the platform from which […] migrated. The freely-available tools provided by Microsoft enable a healthcare organisation to migrate to Active Directory in a much faster and more efficient manner than using […] migration.

5.5 Migration Tools Available

A number of tools are available to assist in the migration to Active Directory. The specific tool that should be used is dependent on whether the migration is from a Microsoft or Novell environment, and the object that is migrated.

5.5.1 Migrating from Microsoft Operating Systems

When migrating from a Microsoft […] the migration. Depending on what objects within the current environment […] the extent of control needed over these objects and […] technical abilities) can influence […]

Migrating from Microsoft Operating Systems

When migrating from a Microsoft-based environment, a number of tools can be used to automate epending on what objects within the current environment are to

over these objects and the resources available (including their influence which tool is used.

Prepared by Microsoft

Page 18

Two options exist for a migration process; a manual migration, or an automated migration through

or not (an example of an has left employment)

(ACLs) of files and so on

entering user accounts, computer accounts and are copied across to the new

properties

ent in learning, installing and using the migration tools could take longer than

An automated migration process uses tools to populate the new environment with information and ent environment. This option is typically used in situations where a large

number of objects and files need to be migrated and these already exist in the current environment.

s due to the number of objects

from which objects are a healthcare organisation to

using manual

y. The specific tool that should be used is dependent on whether the migration is from a Microsoft or Novell environment,

can be used to automate are to be migrated, both

including their

5.5.1.1 Active Directory Migration Tool

ADMT v3 is the free Microsoft tool that is available on a Windows Server 2003 CD or that can be downloaded from Microsoft Download Center [15].

ADMT can be used to migrate users, groups, service accounts, computers and trusts from a Windows NT 4.0 domain, or a Windows 2000 Server or Windows Server 2003 Active Directory environment. ADMT also allows for the translation of security from the old to the new environment.

ADMT can also be used to restructure domains currently in place. The Active Directory Design Guide {R1} recommends the implementation of a single domain Active Directory forest for a healthcare organisation. Based upon this recommendation, an environment that currently has multiple Windows NT 4.0 domains, such as account and resource domains, can use ADMT to restructure these domains into a single domain Active Directory forest.

Important

When restructuring domains, the target Active Directory domain functional level must be at Windows 2000 native level or Windows Server 2003 level.

ADMT can also be used to restructure domains if migrating from an existing Active Directory infrastructure. Two types of restructuring exist for Active Directory domains: interforest and intraforest.

An interforest restructure, as shown in Figure 7, involves migrating objects between Active Directory forests; typically faced in a merger between organisations, such as two healthcare organisations amalgamating and combining the IT infrastructure to reduce administrative complexity and overhead:

Figure 7: Active Directory Interforest Restructure using ADMT

[15] Active Directory Migration Tool v3.0 {R15}: http://www.microsoft.com/downloads/details.aspx?FamilyID=6f86937b-533a-466d-a8e8-aff85ad3d212&DisplayLang=en

An intraforest restructure involves migrating objects between multiple domains within the same Active Directory forest as shown in Figure 8:

Figure 8: Active Directory Intraforest Restructure using ADMT

A major difference that can influence the decision between these types of restructuring should be fully understood:

• Objects during an intraforest restructure are migrated and no longer exist in the old environment.

• Objects in an interforest restructure are cloned, and therefore the original objects remain in place. In this case, a healthcare organisation would have the immediate benefit of having an environment that could be rolled back to, should an issue occur.

Recommendation

A healthcare organisation migrating from a current Active Directory infrastructure should use the interforest restructure migration method to ensure that the new environment contains only the required objects and has been designed according to the guidelines set out within the Active Directory Design Guide {R1}. This provides the additional benefit of keeping the old environment intact should a rollback be required.

Only consider an intraforest restructure if the current Active Directory is in a healthy state with a well managed collection of objects that are known to be up to date, and the design of the Active Directory follows the Active Directory Design Guide {R1} recommendations and/or is well documented.

ADMT can be run by using three different methods:

• ADMT console

• Command line

• A script

When using ADMT through a command line, both an option file and an include file can be specified. The option file contains the appropriate answers to the options available for the type of object being migrated. The include file contains the names of those objects to include when migration takes place.

Recommendation

For a healthcare organisation that does not have in-house expertise in Microsoft Visual Basic® Scripting Edition (VBScript), it is recommended that the command line method is used, combined with an option file and an include file. This provides the easiest method to test a migration; it aids in documenting the objects being migrated, and in running the final migration.

By default, ADMT uses the Microsoft SQL Server® 2000 Desktop Engine (WMSDE) as its data store. It is also possible to configure ADMT to use SQL Server 2000 SP4 Standard, SQL Server 2000 SP4 Enterprise Edition, or Microsoft SQL Server® 2005.

Recommendation

It is recommended that healthcare organisations use the default WMSDE database store, as installed and configured during the installation of ADMT.

5.5.1.2 Password Export Server Service

The Password Export Server (PES) service, part of the ADMT download, allows the migration of passwords between the current and new environments. The PES service needs to be installed on a domain controller in the source domain to enable password migration.

For password migration to take place using the PES service, both the computer that has ADMT installed and the computer that will have the PES service installed require 128-bit high encryption. This encryption is standard on domain controllers running Windows Server 2003, Windows 2000 Server Service Pack 3 (SP3) or Windows 2000 Server Service Pack 4 (SP4). If installation is required on a computer that does not currently support 128-bit high encryption, a high encryption pack is available for download from Microsoft.

For Windows 2000 Server, obtain the Windows 2000 High Encryption Pack (128-bit) [16] from the Microsoft Download Center.

For Windows NT 4.0, if Microsoft Internet Explorer® 5.5 is installed, this includes 128-bit high encryption. If not, Internet Explorer 4.1 plus Internet Explorer High Encryption Pack 4.0 is required, which is available from the Microsoft Download Center [17].

5.5.1.3 Third-Party Tools

Whilst ADMT provides an extensive array of options when migrating from Windows NT 4.0 or Active Directory, for large complex environments, some limitations of ADMT could require a healthcare organisation to provide extra resource in planning, developing and migrating between environments.

Other migration tools are available for purchase from other companies, for example, Quest Software® has a Domain Migration Wizard product focusing on migrations from Windows NT, and the Migration Manager for Active Directory product, for migrations and domain restructuring from Active Directory.

These tools can provide enhanced benefits such as:

• Complete rollback capabilities

• Directory synchronisation

• Post-migration clean-up of resources

• Detailed statistics of the migration

[16] Windows 2000 High Encryption Pack (128-bit) {R16}: http://www.microsoft.com/downloads/details.aspx?FamilyID=C10925A0-AC66-4C44-B5C3-9DCAB4DA1C63&displaylang=en

[17] Internet Explorer High Encryption Pack 4.0 {R17}: http://go.microsoft.com/fwlink/?LinkId=76038

For more details on the tools available from Quest Software, visit the Migration Tools for Active Directory Web page [18].

Note

The information provided here on Quest Software tools is neither a recommendation nor an endorsement for its use within a healthcare organisation. If a healthcare organisation wishes to consider these tools for their Active Directory migration project, careful assessment, planning and testing of the migration must still take place.

5.5.2 Migrating from Novell NetWare Operating Systems

When migrating from a Novell-based environment, a number of tools are available to help automate the migration to Active Directory, as described in this section.

5.5.2.1 Microsoft Services for NetWare

Microsoft Services for NetWare 5.03 (SfN) enables a healthcare organisation to integrate Windows Server 2003 servers into an existing Novell NetWare network, whether this is a Bindery or NDS-based environment, and carry out a phased migration running the Windows environment and the NetWare environment in parallel.

SfN includes Microsoft Directory Services Synchronization (MSDSS) and the File Migration Utility (FMU). These tools, coupled with the necessary protocols used within a NetWare network, allow IT administrators to migrate and synchronise objects, and offer basic interoperability between, a Microsoft Active Directory and a Novell NetWare Directory Service (NDS).

SfN also provides tools to aid in troubleshooting connectivity, login scripts and password synchronisation issues, as well as monitoring network traffic. SfN, version 5.03 SP2 [19] at the time of writing this document, can be downloaded from the Microsoft Download Center.

Note

SfN requires the installation of the Novell Client for Windows available from the Novell Downloads [20] Web page.

File and Print Services for NetWare (FPNW) is a tool that can make a Windows Server 2003 server appear to be a NetWare 3.x server to client machines. FPNW is available to download from the same Web page as SfN [19].

[18] Migration Tools for Active Directory {R18}: http://www.quest.com/active-directory/migration.aspx

[19] Microsoft Services for NetWare 5.03 SP2 and FPNW {R19}: http://www.microsoft.com/downloads/details.aspx?FamilyID=a819838d-acb2-4794-87eb-82a6a3af4be8&DisplayLang=en

[20] Novell Downloads {R20}: http://download.novell.com/index.jsp

5.5.2.2 Microsoft Directory Services Synchronisation

MSDSS enables bidirectional synchronisation between Active Directory and NDS or eDirectory directory services. With MSDSS, a healthcare organisation can configure a one-way or two-way synchronisation between the different directory services. This allows objects, such as user accounts, to be updated in Active Directory; these updates are then synchronised across to NDS.

Table 3 describes in detail the following types of synchronisation that can occur as part of MSDSS:

Synchronisation Type | Description

Forward synchronisation | A forward synchronisation is the process of synchronising data from Active Directory to Novell (whether this is NDS, eDirectory or Bindery). The forward synchronisation process queries Active Directory for new objects or existing objects that have been changed. If a new object has been created, only this new object and its attributes are synchronised. If an existing object has changed, then only the changes are synchronised, not the entire object.

Reverse synchronisation | A reverse synchronisation is the process of synchronising data from Novell to Active Directory. This type of synchronisation is less efficient than a forward synchronisation as MSDSS compares all objects in NDS against those existing in Active Directory. If any objects have been changed or new ones created, they are synchronised in their entirety. Due to the way a reverse synchronisation takes place, an increase in network traffic could be expected. Reducing the frequency of synchronisation could help reduce the network utilisation, but can have an adverse effect on the data held within Active Directory and potentially cause Active Directory to become out of date.

One-way synchronisation | A one-way synchronisation allows a healthcare organisation to introduce Active Directory into a Novell environment and manage the directory service objects from Active Directory while ensuring that the Novell directory service is kept up to date. This method of synchronisation is completed through an initial reverse synchronisation followed by subsequent forward synchronisations.

Two-way synchronisation | A two-way synchronisation is the same as a one-way synchronisation except that additional objects can be created and existing objects altered from within Active Directory or the Novell directory service. This is typically useful in environments where both Active Directory and NDS are to be maintained.

Scheduled synchronisation | A scheduled synchronisation ensures that changes are replicated from one directory service to the other. By default, a forward synchronisation is carried out every 15 minutes, 24 hours a day. A reverse synchronisation is carried out every hour from 00:00 (midnight) to 06:00, due to the increased network traffic caused by this type of synchronisation. If two-way synchronisation is in use, a different schedule can be configured for each direction.

Manual synchronisation | A manual synchronisation can be initiated by an IT administrator to synchronise changes immediately between one directory service and the other. This can be useful in situations where a migration activity has taken place and a password change or disabled user account needs to be synchronised immediately, rather than waiting for the next scheduled synchronisation.

Password synchronisation | A password synchronisation process can only take place if the passwords are changed from Active Directory. A password synchronisation occurs when an initial reverse synchronisation takes place, a user account is created in NDS as part of a two-way synchronisation, or a password is changed in Active Directory. It is not possible to synchronise passwords from a Novell directory service to Active Directory. A password scheme is used if either an initial reverse synchronisation is completed or new users are created in NDS. A password scheme is then used to determine what the password will be for the first logon. The user is then prompted to change it once successfully logged on.

Table 3: MSDSS Synchronisation Types

Recommendation

It is recommended that a healthcare organisation uses an initial reverse synchronisation, followed by one-way forward synchronisations configured with a default schedule. Once the initial synchronisation has occurred, objects should be managed through Active Directory and any changes, including passwords, will be synchronised to NDS.
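The default schedule in Table 3 sets how long a security-relevant change, such as a disabled account, can remain unsynchronised before the next scheduled run. The following is an added example, not part of the original guide, that computes that window and flags changes that call for a manual synchronisation. It assumes runs are aligned to the clock and that the reverse window includes the 06:00 run; the function names, the 30-minute threshold and the sample changes are illustrative.

```python
from datetime import datetime, timedelta, time

# Defaults stated in Table 3 of the guide.
FORWARD_INTERVAL = timedelta(minutes=15)  # Active Directory -> NDS, 24 hours a day
REVERSE_INTERVAL = timedelta(hours=1)     # NDS -> Active Directory
REVERSE_LAST_RUN = time(6, 0)             # assumption: the 06:00 run is included


def _ceil_to_slot(moment, step):
    """Round moment up to the next multiple of step counted from midnight.

    Assumption: runs are aligned to the clock, not to the service start time.
    """
    midnight = moment.replace(hour=0, minute=0, second=0, microsecond=0)
    slots = -((midnight - moment) // step)  # ceiling division on timedeltas
    return midnight + slots * step


def next_forward_sync(changed_at):
    """First scheduled forward run at or after a change made in Active Directory."""
    return _ceil_to_slot(changed_at, FORWARD_INTERVAL)


def next_reverse_sync(changed_at):
    """First scheduled reverse run at or after a change made in NDS."""
    run = _ceil_to_slot(changed_at, REVERSE_INTERVAL)
    if run.time() > REVERSE_LAST_RUN:
        # The 00:00-06:00 window has closed: wait for the next midnight run.
        run = datetime.combine(run.date() + timedelta(days=1), time(0, 0))
    return run


def exposure_report(changes, max_delay=timedelta(minutes=30)):
    """Report how long each change waits for a scheduled run.

    changes: iterable of (label, source_directory, changed_at), where
    source_directory is "AD" or "NDS". max_delay is a hypothetical local
    policy threshold above which a manual synchronisation is advised.
    """
    report = []
    for label, source, changed_at in changes:
        if source == "AD":
            run = next_forward_sync(changed_at)
        elif source == "NDS":
            run = next_reverse_sync(changed_at)
        else:
            raise ValueError(f"unknown source directory: {source!r}")
        delay = run - changed_at
        report.append({
            "change": label,
            "source": source,
            "next_run": run,
            "delay": delay,
            "manual_sync": delay > max_delay,
        })
    return report


# Constructed sample changes (not taken from the guide).
SAMPLE_CHANGES = [
    ("account disabled", "AD", datetime(2008, 1, 31, 8, 21)),
    ("account disabled", "NDS", datetime(2008, 1, 31, 6, 0, 1)),
    ("account disabled", "NDS", datetime(2008, 1, 31, 3, 10)),
]

if __name__ == "__main__":
    for row in exposure_report(SAMPLE_CHANGES):
        action = "run a manual synchronisation" if row["manual_sync"] else "wait for schedule"
        print(f'{row["source"]:>3} {row["change"]}: next run {row["next_run"]}, '
              f'delay {row["delay"]} -> {action}')
```

With the recommended one-way configuration only the forward figures apply, so a change made in Active Directory waits at most 15 minutes; in a two-way configuration a change made in NDS just after 06:00 waits almost 18 hours for the midnight run.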

For the full functionality of MSDSS, both the Active Directory and NDS directory schemas require extending. The Active Directory schema extensions enable the following features:

• Migration
• One-way synchronisation
• Two-way synchronisation

The NDS directory schema extensions are only required for a two-way synchronisation.

Note

As the recommendation is to use a one-way synchronisation, it is possible to carry out the migration without the need to extend the NDS directory schema.

MSDSS provides the ability to migrate passwords from Active Directory to NDS, Bindery or eDirectory; however, it is not possible to migrate passwords from a Novell environment to Active Directory.

For this reason, when synchronising users during an initial reverse synchronisation, a password scheme is used to specify what the password should be for new users in Active Directory. Four possible options are available, as detailed in Table 4:

| Password Scheme | Description |
|---|---|
| Set passwords to blank | When this option is selected, users are created with a blank password. When logging on for the first time, the user will have to create a password. |
| Set passwords to the user name | When this option is selected, users are created with a password that matches their user name. When logging on for the first time, the user will have to change this password. |
| Set passwords to random values | When this option is selected, users are created with a password that is set to a random value, eight characters in length. When logging on for the first time, the user will have to change this password. This option is the most secure password scheme available. The random values are written to a text file that members of the Administrators group on the domain controller can access. |
| Set all passwords to the following | When this option is selected, users are created with a password that is specified within the fields available in the Password Synchronisation Options dialog box. When logging on for the first time, the user will have to change this password. |

Table 4: MSDSS Password Schemes

The following example text has been extracted from an MSDSS generated file using the random value password option:

    Session 1: {21AD8B68-2A42-459e-BD29-F082F47E71B2}
    Started: 01-31-2008 08:21
    jonathan jNA$3mR_h7
    sagiv X.kQ#tu68B
    jacqueline WJr+66Ru.e
    rich +bq-I2ZxM4
    ivo T%?Db3vZ2b

The first line provides the session identification and the second line displays the time and date the synchronisation started. All subsequent lines contain the username of the user account being synchronised followed by a randomly generated password. Choosing the random value option provides the most secure password scheme but also requires the most planning regarding the communication of the new passwords to the migrated users.
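The password file layout described above can be checked before any password is handed out. The following Python sketch is an added example, not part of this guide or of MSDSS: it parses that layout, flags entries that do not look like random values (blank, equal to the user name, or shared between accounts, which is what the other three schemes in Table 4 would produce) and writes the remaining entries as CSV rows for per-user communication. It assumes the user name and password are separated by the first run of whitespace and that later runs append their own Session header; the sample data and all function names are constructed for the example.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the layout described above; the accounts and
# passwords are invented. It deliberately includes entries that a
# random-value run should never produce, so the audit has work to do.
SAMPLE = '''\
Session 1: {00000000-0000-4000-8000-000000000001}
Started: 01-31-2008 08:21
alice qT7#vLp2_x
bob bob
carol
dave Welcome1
erin Welcome1
Session 2: {00000000-0000-4000-8000-000000000002}
Started: 02-01-2008 09:05
frank k,9"Hs%4Bn
alice Zr4+mK9.wQ
'''

SESSION_RE = re.compile(r"^Session\s+(\d+):\s*(\{[0-9A-Fa-f-]{36}\})$")
STARTED_RE = re.compile(r"^Started:\s*(\S.*)$")


def parse_password_file(text):
    """Return one dict per user line: session, session_id, started, line, user, password.

    Assumptions (not documented on the page): user name and password are
    separated by the first run of whitespace, and later runs append a new
    'Session'/'Started' header pair to the same file.
    """
    entries = []
    session = session_id = started = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line:
            continue
        header = SESSION_RE.match(line)
        if header:
            session, session_id, started = int(header.group(1)), header.group(2), None
            continue
        if session is None:
            raise ValueError(f"line {line_no}: entry before any Session header")
        stamp = STARTED_RE.match(line)
        if stamp and started is None:
            started = stamp.group(1)
            continue
        parts = line.split(None, 1)
        entries.append({
            "session": session, "session_id": session_id, "started": started,
            "line": line_no, "user": parts[0],
            "password": parts[1] if len(parts) == 2 else "",
        })
    return entries


def audit(entries):
    """Map line number -> list of reasons the entry should not be sent out as is."""
    users_by_password = defaultdict(set)
    lines_by_user = defaultdict(list)
    for e in entries:
        lines_by_user[e["user"].lower()].append(e["line"])
        if e["password"]:
            users_by_password[e["password"]].add(e["user"].lower())

    issues = defaultdict(list)
    for e in entries:
        user, password = e["user"].lower(), e["password"]
        if not password:
            issues[e["line"]].append("blank password")
        elif password.lower() == user:
            issues[e["line"]].append("password equals user name")
        elif len(users_by_password[password]) > 1:
            issues[e["line"]].append("password shared between accounts")
        if len(lines_by_user[user]) > 1:
            issues[e["line"]].append("user listed more than once")
    return dict(issues)


def mail_merge_csv(entries, issues):
    """CSV text (user, password, session, started) for entries with no issue."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")  # quotes commas and quotes in passwords
    writer.writerow(["user", "password", "session", "started"])
    for e in entries:
        if e["line"] not in issues:
            writer.writerow([e["user"], e["password"], e["session"], e["started"]])
    return out.getvalue()


if __name__ == "__main__":
    parsed = parse_password_file(SAMPLE)
    found = audit(parsed)
    for entry in parsed:  # report by user and line; never echo the passwords
        for reason in found.get(entry["line"], []):
            print(f"line {entry['line']}: {entry['user']}: {reason}")
    print(mail_merge_csv(parsed, found).count("\n") - 1, "entries ready to send")
```

The CSV carries the same plaintext passwords as the source file, so it needs the same access restriction as that file and should not outlive the communication exercise.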

Recommendation

It is recommended that a healthcare organisation uses the option of setting passwords to random values because all other options would enable any user to log on using any other user's migrated account and gain access to data and other resources to which they normally would not have access.

A communication should be created for all users, informing them of the time they will be migrated to the new environment and any changes to the logon process, as well as any new location for storing their data, and so on. This communication can also be used to relay what the user's new password will be. For example, creating a mail-merge document while using the password file as a data source, allows communications to be created directly, focusing on the individual user.

5.5.2.3 Microsoft File Migration Utility

The FMU enables the migration of files between a NetWare server and a Windows Server 2003 server, including the security permissions of those files. It also allows users to continually access the files during migration.

Prior to the use of the FMU, a migration of directory service objects must take place to enable the translation of file system rights and permissions when migrating to the equivalent rights and permissions in the NTFS file system. When migrating using MSDSS, an option to migrate files is available. Selecting this option creates a log file, which is then used by FMU as a mapping file to ensure users' and groups' effective rights on the NetWare files are translated correctly to the permissions in the Windows environment.

Note

It should be noted that the FMU cannot be used without the use of MSDSS because the relationship between NDS and Active Directory objects must be translated. Within NDS, permissions to files and folders can be granted to users, groups, organisational units and organisations. It is not possible to specify permissions on a file in Windows to an organisational unit. In this case, MSDSS maps an NDS organisational unit or organisation to an Active Directory domain local security group.

Using FMU, it is possible to view migration maps to see which objects from NDS are being mapped to the corresponding objects in Active Directory. The following maps are available to view:

• NDS organisational units and organisations to Active Directory group
• NDS group to Active Directory group
• NDS user to Active Directory user

Using these migration maps allows an IT administrator to confirm the translation of objects from NDS to the corresponding objects in Active Directory.

When using the FMU, the source must always be a volume or directory on an NDS server and the target must be a shared folder on a Windows Server 2003 or Windows 2000 Server. The FMU allows for a single source to be mapped to multiple targets or multiple targets mapped to a single source.

5.5.2.4 Third-Party Tools

SfN provides a set of freely available tools and utilities when migrating from Novell NetWare. However for larger, more complex environments, some limitations of SfN could require a healthcare organisation to provide extra resource in planning, developing and migrating between environments.

Other migration tools are available for purchase from other companies, for example, Quest Software has developed NDS Migrator; a tool specifically designed to aid in migrating from NDS or Bindery services to Active Directory.

NDS Migrator can provide enhanced benefits such as:

• A single tool for migration of both objects and data
• Does not require additional software installed on a domain controller
• Simple exclusion of unused, disabled or locked-out accounts
• Supports a rollback facility of specific migrated objects

For more details on the NDS Migrator tool available from Quest Software, visit the Migrate Novell Directory Services to Active Directory Web page [21].

Note

The information provided here on Quest Software tools is neither a recommendation nor an endorsement for its use within a healthcare organisation. If a healthcare organisation wishes to consider these tools for their Active Directory migration project, careful assessment, planning and testing of the migration must still take place.

[21] Migrate Novell Directory Services to Active Directory {R21}: http://www.quest.com/nds-migrator

6 DEVELOP

During the Develop phase, the solution components are built based on the planning and designs completed during the earlier phases. Further refinement of these components will continue into the stabilisation phase.

Figure 9 acts as a high-level checklist, illustrating the sequence of events that the IT Manager and IT Architect need to determine when planning for an Active Directory migration within a healthcare organisation.

This section is split into two distinct areas, each focusing on the server operating systems in use in the old environment.

Figure 9: Sequence for Developing an Active Directory Migration

If migrating from a Windows NT Server 4.0 or Active Directory domain, see section 6.1. If migrating from a NetWare environment, see section 6.2.

Recommendation

The steps, scripts and processes provided in this section should be thoroughly tested before any large-scale live migrations are performed, to ensure they work as expected.

6.1 Windows NT 4.0 Domain or Active Directory Migration

As detailed within the Plan phase (section 5), the ADMT can be used for either a Windows NT 4.0 or Active Directory domain migration. This section provides the information required to prepare both current and new environments, completing the configuration necessary for password migration and installing the tools needed for a migration to take place.

6.1.1 ADMT Prerequisites

There are a number of prerequisites for the migration of accounts and resources:

• Installation of high encryption software
• Creating trust relationships
• Creating migration accounts
• Configuring domains for SID history migration
• Configure the target domain OU structure

6.1.1.1 Installation of High Encryption Software

High encryption software is required to enable the migration of passwords using the PES service from either a Windows NT Server 4.0 or a Windows 2000 Server domain. Section 5.5.1.2 provides details of the download locations for the High Encryption Packs available.

The instructions in Table 5 relate to the installation of the Microsoft Windows 2000 High Encryption Pack on a Windows 2000 Server, but can also be used as a guide for installation on a Windows NT 4.0 Server.

Step Description

1. On the Windows 2000 Server, run the downloaded file Encpack_Win2000_En.exe and click Yes in the Microsoft Windows 2000 High Encryption (128-bit) Capability dialog box to start the installation.

2. Read the license agreement, and if applicable, click Yes to accept.

3. Once the files have finished copying, click Yes to restart the computer, or No if the computer is to be restarted later.

Table 5: Microsoft Windows 2000 High Encryption Pack Installation

6.1.1.2 Creating Trust Relationships

Trust relationships need to be created between the source and target domains.

The following instructions in Table 6 provide the steps involved in creating a two-way trust between a Windows NT 4.0 domain and a new Windows Server 2003 Active Directory environment. These instructions require that a name resolution mechanism is in place, so that the Windows NT 4.0 domain can communicate with the Active Directory domain. If creating a trust relationship between a Windows 2000 Server Active Directory domain and a new Windows Server 2003 Active Directory environment, the steps outlined below only differ slightly and as such can be used as a reference.

Step Description

1. On the Windows NT Server 4.0 computer, click Start on the taskbar and select Programs > Administrative Tools (Common) and open User Manager for Domains. Click the Policies menu and select Trust Relationships.

2. In the Trust Relationships dialog box, click Add next to the Trusted Domains: box.

3. In the Add Trusted Domain dialog box, enter the NetBIOS name of the Windows Server 2003 Active Directory domain in the Domain text box and the password that will be used to establish the trust in Password, and click OK.

4. A User Manager for Domains information message displays stating the trust relationship could not be verified. Click OK to continue.

5. In the Trust Relationships dialog box, click Add next to the Trusting Domains: box.

6. In the Add Trusting Domain dialog box, enter the NetBIOS name of the Windows Server 2003 Active Directory domain in the Trusting Domain box. Enter the password that will be used to establish the trust in the Initial Password field and the Confirm Password field, and click OK.

7. In the Trust Relationships dialog box, the Windows Server 2003 Active Directory domain will be shown as both a Trusted and Trusting Domain. Click Close.

8. On the Windows 2003 Server, open Active Directory Domains and Trusts located in Start > Programs > Administrative Tools. Right-click the domain name in the left pane and select Properties.

9. In the domain Properties dialog box, select the Trusts tab and click New Trust.

10. The New Trust Wizard starts. Click Next to continue.

11. Type the name of the Windows NT 4.0 domain in the Name box and click Next.

12. Click Two-way as the direction of trust and click Next.

13. Click Domain-wide authentication for the outgoing trust authentication level and click Next.

14. In the Trust password and Confirm trust password boxes, type the password entered in step 3 and click Next.

15. Click Next in the Trust Selections Complete page.

16. Click Next in the Trust Creation Complete page.

17. Click Yes, confirm the outgoing trust and click Next.

18. Click Yes, confirm the incoming trust and type the administrative credentials for the Windows NT Server 4.0 domain in the User name and Password boxes, then click Next.

19. Once the trust relationships have been confirmed, click Finish, to complete the New Trust Wizard.

20. An Active Directory dialog box will display stating security identifier (SID) filtering is enabled. Click OK to close the dialog box.

21. The newly-created trust relationships will be shown in the domain Properties dialog box. Click OK to close.

Table 6: Creating Trust Relationships

6.1.1.3 Creating a Migration Account

When running the migration, a specific migration account should be created and used, rather than an IT administrator's individual account. This ensures that an IT administrator tasked with a portion of the migration is not granted permissions that would not normally be provided outside of the migration. It also ensures that if the account is used in a script, an individual's account credentials are not shared.

Recommendation

A healthcare organisation should create a single account in the source domain to simplify administration for the migration of all objects. This account should then be provided domain administrator credentials in the source domain and made a member of the Administrators domain local security group in the target domain to allow the migration of SID history for user accounts and global groups.

6.1.1.4 Configuring Domains for Security Identifier History Migration

To allow SID history migration, both the source and target domains require configuration. The following configuration is required:

• A local group is created in the Windows NT 4.0 domain to allow auditing
• TCP/IP client support is enabled on the source domain PDC
• Auditing is enabled in the Windows Server 2003 Active Directory domain
• Auditing is enabled in the Windows NT 4.0 domain

Recommendation

While the configuration listed above can be manually set, ADMT checks for these options the first time it is run and sets them if not configured. It is therefore recommended that healthcare organisations allow ADMT to automatically configure these items.

6.1.1.5 Configure the Target Domain Organisational Unit Structure

Before the migration of objects can take place, the OU structure that will house the objects needs to be created. Detailed information on OUs, specific to healthcare organisations, is available within the Group Policy for Healthcare Desktop Management [22] document.

Recommendation

A healthcare organisation should review the recommendations for OUs provided within the Group Policy for Healthcare Desktop Management {R22} document. This will help keep an OU design simple and create a structure that is easy to administer, yet meets the business and technical requirements of the healthcare organisation.

6.1.2 Installing ADMT

The installation of ADMT is a simple process involving only a few steps, which are detailed in Table 7. The installation requires that a Windows Server 2003 server has been built, and as recommended in section 5.5.1.1, ADMT will use the default database installation.

Important

If ADMT v2 has been installed, this must first be removed using Add or Remove Programs from within the Control Panel, otherwise the installation will fail. Any database created as part of a previous installation can be imported into ADMT during the installation.

ADMT v3 cannot be installed on Windows Server 2003 64-bit.

[22] Group Policy for Healthcare Desktop Management {R22}: http://www.microsoft.com/industry/healthcare/technology/hpo/desktop/grouppolicy.aspx

Step Description

1. While logged onto the Windows Server 2003 server with administrative credentials, run the downloaded Admtsetup.exe file to start the Active Directory Migration Tool Installation Wizard. Click Next on the Welcome page.

2. Read the license agreement, and if applicable, click I Agree and click Next to continue.

3. The Microsoft SQL Server Desktop Engine (WMSDE) will install.

   Note: This will install even if using an existing Microsoft SQL Server. If choosing an existing SQL database, ADMT will disable WMSDE.

4. As recommended in Section 5.5.1.1, click Use Microsoft SQL Server Desktop Edition (Windows) and click Next.

5. Click No, do not import data from an ADMT v2 database (Default) and click Next.

6. Click Finish to complete the installation.

Table 7: Active Directory Migration Tool Installation

Page 42: Active Directory Migration Guide

Active DirectoryVersion 1.0.0.0

6.1.3 Enabling Password Migration

To allow the migration of passwords, the PES service requires configuration in the source domain. As part of this process, an encryption key is required, which is created within the target domain using ADMT.

To create an encryption key, at the command prompt on the server where ADMT is installed, type the following:

C:> admt key /option:create /sourcedomain:<DomainName> /keyfile:<KeyFilePath> /keypassword:*

Where:

• <DomainName> is the name of the source domain

• <KeyFilePath> is the full path including file name of the encryption key to be created

This encryption key file needs to then be made available, either on a removable disk or network share, to the domain controller in the source domain where the PES service will be installed.

Step Description

1. Log on to the Windows Server 2003 server in the target domain.

Open a Command Prompt window and type the command to create the encryption key file.

When prompted, type the password, and type it again to confirm.

2. Log on to the Windows NT 4.0 domain controller in the source domain.

Run the Pwdmig.msi file in the default folder location of %systemroot%\Windows\ADMT\PES on the Windows Server 2003 server where ADMT is installed. The ADMT Password Migration DLL Setup installation wizard starts.

Click Next to continue.

Note

The Pwdmig.msi file can be run in two ways:

• Connect to the hidden drive share and run the file.

• Copy the PES folder and run the file locally on the Windows NT Server 4.0 computer.

3. Click Browse and locate the encryption key file created in step 1, and click Next.

4. Type the password supplied during the creation of the encryption key file in step 1 into the Password and Confirm text boxes.

Click Next to continue.

5. Click Next to start the installation.

6. Provide the migration account details using the domain\username format in the Log on as text box and type the password for this account in the Password and Confirm password text boxes.

Click OK to continue.

7. Click OK to close the information message box.

8. Click Finish to exit the installation wizard.

9. Click Yes in the Installer Information dialog box to restart the server to complete the installation of the PES service, or click No to restart the computer later.

10. Once the Windows Server 2003 server has restarted, log on with administrative credentials and open the Services window by clicking Start > Control Panel > Services.

The Password Export Server Service is set to a Manual Startup mode.

Important

This service should only be started when a password migration is about to be carried out and should be stopped once the password migration is complete.

Table 8: Password Export Server installation

6.1.4 Configuring ADMT

Once ADMT has been installed, the configuration of the source and target domains needs to be completed to enable the migration of SID history. This can be accomplished by running a test migration, which will then prompt to automatically complete the configuration items listed in section 6.1.1.4.

Important

This activity needs to be carried out while logged in using the migration account created in section 6.1.1.3.

Step Description

1. On the Windows Server 2003 computer, open the Active Directory Migration Tool located in Start > All Programs > Administrative Tools.

Right-click Active Directory Migration Tool and select Group Account Migration Wizard.

2. In the Group Account Migration Wizard, click Next to continue.

3. In the Domain Selection page, select the Domain and Domain Controller for the Source.

In the Target section, select the target Domain and Domain Controller.

Click Next to continue.

4. Click Select groups from domain, and click Next.

5. In the Group Selection page, click Add and select some test groups to migrate from the source domain.

It is not important which groups are chosen, as this process is for the configuration to take place, not the actual migration.

Click Next to continue.

6. In the Organizational Unit Selection page, enter the OU to be used as the target for the migrated groups in Target OU, or click Browse to locate and select the required OU.

Click Next to continue.

7. In the Group Options page, clear the Fix membership of group check box and select Migrate group SIDs to target domain, as shown in the screenshot.

Click Next to continue.

8. At this point, ADMT will check for the appropriate configuration options necessary and offer to enable them, if required.

Click Yes to enable auditing on the source domain.

9. Click Yes to enable auditing on the target domain.

10. Click Yes to create the local group.

11. Click Yes to add the TcpipClientSupport registry key.

12. Click Yes to reboot the source domain PDC.

13. Once the source domain PDC has restarted, click OK to continue.

14. In the User Account page, supply the credentials for the migration account (the creation of which was recommended in section 6.1.1.3), and click Next.

15. In the Conflict Management page, ensure Do not migrate source object if a conflict is detected in the target domain is selected and click Next.

16. Click Finish to complete the wizard and initiate the migration of the groups added in step 5.

17. The Migration Progress dialog box displays. Click View Log, if required, and click Close to complete the configuration of ADMT.

Table 9: Active Directory Migration Tool Configuration

Once the steps above have been completed, the configuration of ADMT can be verified by checking that:

• A local group has been created in the source domain named <DomainName>$$$, where <DomainName> is the name of the source domain.

• The TcpipClientSupport registry DWORD entry has been created on the source domain PDC in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA subkey, and the value is set to 1.

• Auditing has been enabled for account management in both the source and target domains.

Information

Auditing can be verified on a Windows NT Server 4.0 computer through User Manager for Domains. In Active Directory, auditing can be verified within the Default Domain Controllers Policy accessed through Active Directory Users and Computers or the Group Policy Management Console.

6.1.5 ADMT Option File and Include File

The ADMT option file and include file were introduced in section 5.5.1.1, recommending that a healthcare organisation uses these two files when running ADMT from a command line. This section provides an example of both files and an example of the commands that can be run from a command prompt to use them.

6.1.5.1 Option File

The option file provides the options that will be used when running the ADMT command. Different options are available depending on the objects that are to be migrated, for example, users, groups, computers, and so on.

The text below is an example options file used to migrate user accounts from a server named ADMIG-NT4 in a test Windows NT 4.0 domain named NT4DOMAIN. The target domain is a Windows Server 2003 Active Directory domain named ADHealthOrg, using a domain controller named ADMIG-2K3-MS. The users would be migrated to an OU named Knowledge Based Users and have their passwords migrated using the PES service installed on the ADMIG-NT4 server.

[Migration]
IntraForest=No
SourceDomain="NT4DOMAIN"
SourceDomainController="ADMIG-NT4"
;SourceOu="Source Organisational Unit Name"
TargetDomain="ADHealthOrg"
TargetDomainController="ADMIG-2K3-MS"
TargetOu="LDAP://adhealthorg.contoso.com/OU=Knowledge Based
Users,OU=Users,OU=Healthcare Organisation,DC=adhealthorg,DC=contoso,DC=com"
PasswordOption=Complex
PasswordServer="ADMIG-NT4"
;PasswordFile="Password File Name"
ConflictOptions=Ignore
;UserPropertiesToExclude="Property1,Property2,Property3"
;InetOrgPersonPropertiesToExclude="Property1,Property2,Property3"
;GroupPropertiesToExclude="Property1,Property2,Property3"
;ComputerPropertiesToExclude="Property1,Property2,Property3"

[User]
DisableOption=EnableTarget
SourceExpiration=None
MigrateSIDs=Yes
TranslateRoamingProfile=No
UpdateUserRights=No
MigrateGroups=No
UpdatePreviouslyMigratedObjects=No
FixGroupMembership=Yes
MigrateServiceAccounts=No
UpdateGroupRights=No

The example option file above has a Migration section and a User section. Other sections such as Group, Computer and Security can all be specified within the same option file. When run, depending upon the command given, ADMT will determine which options are relevant for the migration it is running. For example, if running a user migration, the TranslateRegistry option for a computer will be ignored. For a full list of available options in an example option file, see APPENDIX B.

Note

The TargetOU line is wrapped onto the following line in this document but must not be when creating the text file for use during the migration.

If a line begins with a semi-colon (;), or an option has not been specified within the option file, ADMT ignores it and uses the default value for that option.

For details of the options available for use with ADMT, type the following at the command prompt:

C:> admt /?

Further help can be displayed on the options for objects that can be migrated. For example, for a user, type the following at the command prompt:

C:> admt user /?

The ‘user’ parameter can be substituted with ‘group’, ‘computer’, ‘security’, ‘service’ or ‘password’ to obtain specific help on the options for each of these objects.

Recommendation

The service, computer and security objects of an ADMT migration can all use the PreCheckOnly option within the option file. Healthcare organisations should use this to gather information about whether the migration will be successful or not before the actual migration takes place.

Verbose logging should also be enabled to ensure the maximum amount of data is recorded to aid in troubleshooting, if issues occur.

Type the following at the command prompt to enable verbose logging:

C:> admt config logging /LogAttributes=Yes
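The option-file rules in section 6.1.5.1 (a line beginning with a semi-colon falls back to the default, and the TargetOu value must stay on one line in the real text file) can be checked before ADMT is run. The Python sketch below is an added example, not part of the guide or of ADMT; the function name lint_option_file and the sample text, constructed from the values shown in the guide, are assumptions.

```python
import re

SECTION_RE = re.compile(r"^\[([A-Za-z]+)\]$")
KEY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")


def lint_option_file(text):
    """Parse an ADMT-style option file.

    Returns (options, defaulted, problems):
      options   {section: {key: value}} for active Key=Value lines
      defaulted {section: [key, ...]} for keys commented out with ';'
      problems  [(line_number, message)] for lines that cannot be trusted
    """
    options, defaulted, problems = {}, {}, []
    section = None
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            options.setdefault(section, {})
            defaulted.setdefault(section, [])
            continue
        if section is None:
            problems.append((number, "option outside any [Section]"))
            continue
        if line.startswith(";"):
            # Commented out: the tool's default applies, so record the key.
            key = line[1:].split("=", 1)[0].strip()
            if KEY_RE.match(key):
                defaulted[section].append(key)
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not KEY_RE.match(key):
            problems.append(
                (number, "not a Key=Value line (continuation of a wrapped line?)"))
            continue
        if value.count('"') % 2:
            problems.append(
                (number, key + ": unterminated quote (value wrapped onto next line?)"))
            continue
        options[section][key] = value.strip('"')
    return options, defaulted, problems


# Constructed sample based on the example option file in section 6.1.5.1.
GOOD = '''[Migration]
IntraForest=No
SourceDomain="NT4DOMAIN"
;SourceOu="Source Organisational Unit Name"
TargetOu="LDAP://adhealthorg.contoso.com/OU=Knowledge Based Users,OU=Users,OU=Healthcare Organisation,DC=adhealthorg,DC=contoso,DC=com"
PasswordOption=Complex

[User]
MigrateSIDs=Yes
'''

# The same file with TargetOu copied as printed in the document (wrapped).
WRAPPED = GOOD.replace("Knowledge Based Users", "Knowledge Based\nUsers")

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("wrapped", WRAPPED)):
        opts, dflt, probs = lint_option_file(sample)
        print(label, "defaulted:", dflt, "problems:", probs)
```

Reviewing the defaulted list matters as much as the problems list, because a commented-out option silently takes the tool's default value.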

6.1.5.2 Include File

As with the option file, the contents of the include file depend upon the objects that are migrated, but all objects follow the same basic syntax. The text below is the first few lines of an example include file used in the test migration above. This include file provides ADMT with the list of users to be migrated with the options file provided above:

SourceName,TargetName
Jesper.Aaberg,Jesper.Aaberg
Lene.Aalling,Lene.Aalling
Syed.Abbas,Syed.Abbas
Kim.Abercrombie,Kim.Abercrombie
Lina.Abola,Lina.Abola
Hazem.Abolrous,Hazem.Abolrous
Sam.Abolrous,Sam.Abolrous
Luka.Abrus,Luka.Abrus
Ahmad.Abu-Dayah,Ahmad.Abu-Dayah
Humberto.Acevedo,Humberto.Acevedo
Gustavo.Achong,Gustavo.Achong
Pilar.Ackerman,Pilar.Ackerman

The first row (header row) contains the headings SourceName and TargetName separated by a comma. Beneath the header row, each subsequent row contains the name of the user account to be migrated, once for the source and once for the target.

An include file can also be used to rename the objects to be migrated. The example below specifies a new target User Principal Name (UPN) for each user:

SourceName,TargetUPN
EAndersen,Elizabeth.Andersen@contoso.com
ErAndersen,Erik.Andersen@contoso.com
HAndersen,Henriette.Andersen@contoso.com
MAndersen,Mary.Andersen@contoso.com
TAndersen,Thomas.Andersen@contoso.com
NAnderson,Nancy.Anderson@contoso.com

The target can also be the TargetRDN, which specifies the relative distinguished name, or TargetSAM, which specifies the security accounts manager name for the object. All three options can be specified in the header row of a single include file, for example:

SourceName,TargetUPN,TargetSAM,TargetRDN

Important

The TargetName option in the include file cannot be used with the TargetUPN, TargetSAM or TargetRDN.

The TargetUPN option can only be used with user accounts.

The TargetRDN option can contain commas, but each comma must be preceded by a back slash (\). For example, ‘CN=surname\, firstname’. The TargetRDN option must include the text ‘CN=’.
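The include-file rules in section 6.1.5.2 (heading combinations, the user-only TargetUPN, and escaped commas and ‘CN=’ in TargetRDN) can be checked before the file is handed to ADMT. The Python sketch below is an added example, not part of the guide or of ADMT; the function names, the exact-case heading match, the requirement that SourceName is the first heading, and the constructed sample rows are assumptions.

```python
TARGET_COLUMNS = {"TargetName", "TargetUPN", "TargetSAM", "TargetRDN"}
RENAME_COLUMNS = {"TargetUPN", "TargetSAM", "TargetRDN"}


def split_fields(line):
    """Split a row on commas, treating a backslash-escaped comma as data."""
    fields, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] == ",":
            current.append("\\,")  # keep the escape so the RDN stays intact
            i += 2
            continue
        if ch == ",":
            fields.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current).strip())
    return fields


def check_include_file(text, object_type="user"):
    """Return [(line_number, message)]; an empty list means no rule is broken."""
    rows = [(n, l) for n, l in enumerate(text.splitlines(), start=1) if l.strip()]
    if not rows:
        return [(0, "include file is empty")]
    problems = []
    header_no, header_line = rows[0]
    header = split_fields(header_line)
    # Assumption: headings are matched exactly as printed in the guide.
    if header[0] != "SourceName":
        problems.append((header_no, "first heading must be SourceName"))
    targets = header[1:]
    for name in targets:
        if name not in TARGET_COLUMNS:
            problems.append((header_no, "unknown heading: " + name))
    if "TargetName" in targets and RENAME_COLUMNS & set(targets):
        problems.append(
            (header_no, "TargetName cannot be combined with TargetUPN, TargetSAM or TargetRDN"))
    if "TargetUPN" in targets and object_type != "user":
        problems.append((header_no, "TargetUPN can only be used with user accounts"))
    for number, line in rows[1:]:
        fields = split_fields(line)
        if len(fields) != len(header):
            problems.append(
                (number, "expected %d fields, found %d (unescaped comma?)"
                 % (len(header), len(fields))))
            continue
        record = dict(zip(header, fields))
        if "TargetRDN" in record and "CN=" not in record["TargetRDN"]:
            problems.append((number, "TargetRDN must include the text CN="))
    return problems


# Constructed sample rows: line 2 is valid, line 3 has an unescaped comma
# in the RDN, line 4 omits 'CN='.
SAMPLE = """SourceName,TargetSAM,TargetRDN
EAndersen,Elizabeth.Andersen,CN=Andersen\\, Elizabeth
ErAndersen,Erik.Andersen,CN=Andersen, Erik
HAndersen,Henriette.Andersen,Andersen\\, Henriette
"""

# Constructed header that mixes TargetName with a rename heading.
MIXED = ("SourceName,TargetName,TargetUPN\n"
         "EAndersen,EAndersen,Elizabeth.Andersen@contoso.com\n")

if __name__ == "__main__":
    for label, sample in (("sample", SAMPLE), ("mixed", MIXED)):
        print(label, check_include_file(sample))
```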

6.1.5.3 ADMT Command Line

If both an option file and an include file are created that contain both the objects to be migrated and how they should be migrated, ADMT can be run from a command prompt to start the migration.

The example below uses an option file named OPTIONS.TXT and an include file named USERS.TXT to migrate a set of users:

C:> admt user /O:OPTIONS.TXT /F:USERS.TXT

Note

If the location of the option file or include file is not in the current working directory, the full path should be specified. If the path name contains spaces, enclose the full path and file name in double quotation marks (“).

6.2 Novell NetWare Migration

This section focuses on migrating from a NetWare environment to a Windows Server 2003 Active Directory environment using SfN. It covers the tasks to complete to prepare the environments for the installation of the tools and synchronisation of objects using MSDSS.

6.2.1 Microsoft SfN Prerequisites

There are two prerequisites for the migration of accounts and resources when using SfN:

• Permissions given to the credentials to be used to change the schema for both the Microsoft and Novell environment

• Installation of the Novell Client for Windows

6.2.1.1 Creating a Migration Account

When running the migration, a migration account should be created and used, rather than an IT administrator’s individual account. This ensures that an IT administrator tasked with a portion of the migration is not granted permissions that would not normally be provided outside of the migration. It also ensures that if the account is used in a script, an individual’s account credentials are not shared.

The installation of SfN will attempt to extend the Active Directory schema and, as such, appropriate credentials are required.

Recommendation

A healthcare organisation should create a single account in the target domain for the installation of SfN and the migration of all objects. This account should then be made a member of the following security groups:

• Domain Admins

• Enterprise Admins

• Schema Admins

Important

Due to the permissions gained through these security groups, of which the migration account will be made a member, it is important to ensure that auditing is carried out on this account. Also, once the migration is complete, the migration account must be removed from these security groups.

6.2.1.2 Installing the Novell Client for Windows

The steps in Table 10 provide the details needed to install the Novell Client for Windows on a Windows Server 2003 Active Directory domain controller. The installation steps assume that IPX is in use in the NetWare environment. The IPX protocol should only be installed if the NetWare environment is using it.

Note

At the time of writing this document, the latest Novell Client for Windows is version 4.91 SP4. This can be downloaded from the Novell Downloads Web page [23].

[23] Novell Downloads {R20}: http://download.novell.com/index.jsp

Step Description

1. Log on to the Windows Server 2003 domain controller using the migration account.

Run Novell Client 4.91 SP4 English.exe to extract the necessary files to install the software.

Once extracted, run the Setupnw.exe located, by default, in C:\Novell\Novell Client 4.91 SP4 English.

Read the license agreement, and if applicable, click Yes to continue.

2. Click Custom Installation and click Next.

3. Ensure Novell Client for Windows (Required) is selected. Click Next to continue.

4. Clear any additional products that are selected and click Next.

5. Click IP and IPX and click Next.

6. Click NDS (NetWare 4.x or later) and click Next.

Note

If migrating from a NetWare 3.x environment, click Bindery (NetWare 3.x).

7. Click Finish to complete the installation options and start the file copy process.

8. Once the installation is complete, the Windows Server 2003 domain controller needs to be restarted.

Click Reboot to restart the server.

Table 10: Novell Client for Windows Installation

6.2.2 Installing Microsoft Services for Netware

This section focuses on the installation of SfN and the instructions below assume SfN has already been downloaded from Microsoft Services for Netware 5.03 SP2 and FPNW [24] on the Microsoft Web site.

Step Description

1. On the Windows Server 2003 computer, run the downloaded SFN 5.03 SP2.MSI file and when the Microsoft Services for NetWare (version 5.03) Setup wizard displays, click Next to continue.

2. Read the license agreement, and if applicable, click I accept the terms in the License Agreement and click Next to continue.

24 Microsoft Download Center: Microsoft Services for NetWare 5.03 SP2 and FPNW {R19}: http://www.microsoft.com/downloads/details.aspx?FamilyID=a819838d-acb2-4794-87eb-82a6a3af4be8&DisplayLang=en

3. Type a User Name and Organization into the relevant boxes and click Next.

Note: The user name specified here is for personalising the software installation and therefore does not need to be a valid domain account.

4. Click Custom setup type and click Next.

5. In the Custom Setup page, all features will be installed by default. Click Next to continue.

6. Click Next to begin the installation.

7. Click OK to allow the setup process to extend the Active Directory schema.

8. Click Finish to exit the wizard.

9. Click Yes to restart the server and complete the installation, or click No to restart the computer later.

Table 11: Microsoft Services for NetWare Installation

6.2.3 Directory Synchronisation Using MSDSS

Once the Novell Client for Windows and SfN have been installed, an initial reverse synchronisation can take place. This is initiated through the creation of a one-way synchronisation, as recommended in section 5.5.2.2, and selecting the option to perform an initial reverse synchronisation. This is detailed in the steps provided in Table 12.

The steps provided below will synchronise a set of users from a Netware 6.5 NDS environment to an Active Directory domain. If using other NetWare versions, such as 4.x, 5.x or 6.x, the steps to synchronise are similar and, therefore, Table 12 can be used as a reference.

These steps can be used as a reference for configuring multiple synchronisations for varying objects in the old environment. Once all the objects have been synchronised between the two environments, the NDS or Bindery servers can be decommissioned because Active Directory takes over the provision of user access to the required resources.

Step Description

1. On the Windows Server 2003 computer, select Start > All Programs > Administrative Tools > Directory Synchronization to open MSDSS. Right-click MSDSS (<DomainName>) and select New Session.

2. The New Session Wizard starts. Click Next to continue.

3. Choose Novell Directory Services (NDS) from the Select NDS or Bindery drop-down and click One-way synchronization (from Active Directory to NDS or Bindery). Click Next to continue.

4. Type the name of the Active Directory container in the relevant text box, or click Browse to locate and select the container. Ensure the Domain Controller box is populated with the server name currently in use. Click Next to continue.

5. Type the name of the NDS container in the relevant text box, or click Browse to locate and select the container. Type the User name and Password of the Novell administrator account to be used for the synchronisation in the relevant boxes. Click Next to continue.

6. In the Initial Reverse Synchronization page, ensure the Run this session when I close this wizard check box is selected and click Perform an initial reverse synchronization. Click Password Options.

7. The Password Synchronization Options dialog box displays. By default, the Set passwords to a random value option is selected. Click OK to continue. Click Next when the Initial Reverse Synchronization screen displays again.

8. In the Object Mapping Scheme page, click Default in the Object Mapping section and click Next.

Note: If the synchronised objects will reside in directory structures that are not identical, the Custom Object Mapping option must be selected and an Object Mapping Table needs to be used to map Active Directory objects to corresponding NDS objects. Filters can also be used to exclude specific objects such as administrative accounts when synchronising between environments.

9. To identify this synchronisation session in the MSDSS window, type a Session Name, or accept the default name, and click Next.

10. Click Finish to complete the wizard and start the synchronisation.

11. The Synchronize dialog box opens and displays the progress of the synchronisation. Click OK to close the dialog box.

Note: To open the MSDSS Event Viewer, click the View Logs button.

Table 12: Directory Synchronisation Using MSDSS

Once the synchronisation session has been created, it is displayed in the MSDSS window. The session can then be managed. Right-click the session name to select a number of tasks such as:

• View Logs – Opens the MSDSS Event viewer

• Clone Session – Runs the New Session Wizard and pre-populates the field values with those used in the selected session

• Synchronize Changes - Forward – Forces a forward synchronisation

• Update Status – Refreshes the status shown in the MSDSS window

• Disable Session – Pauses the synchronisation of objects within the selected session

• Properties – Displays the session properties, such as synchronisation schedule, Novell credentials used, level of detail logged, and password options

6.2.4 Password Synchronisation Using MSDSS

As part of the synchronisation session created using the New Session Wizard, a dialog box is provided to choose how passwords will be handled when users are first synchronised to Active Directory. During the steps detailed in section 6.2.3, the Set passwords to a random value option was selected.

Selecting this option creates a random password for each user synchronised to Active Directory during the initial reverse synchronisation. The passwords generated are stored in a text file that can be opened using Notepad by members of the Administrators and MSDSS Admins group. The file location is written to the MSDSS event log, with an event identification of 0 (zero). The dialog box shown in Figure 10 provides the name and path of the file containing users and their passwords:

Figure 10: MSDSS Event Properties Displaying Password File Location

Once the initial reverse synchronisation has completed, all users logging onto the Active Directory domain for the first time must change their passwords. When a password change occurs in Active Directory, MSDSS initiates a forward synchronisation.

Any password changes made within Active Directory overwrite the existing NDS passwords. If a password is changed in NDS, it is not synchronised to Active Directory and will therefore cause the user to have to enter two different passwords when trying to access resources on the different environments. If this occurs, the user can initiate a password change within Active Directory to rectify the situation.

7 STABILISE

The Stabilise phase involves testing the solution components whose features are complete, resolving and prioritising any issues that are found. Testing during this phase emphasises usage and operation of the solution components under realistic environmental conditions.

This involves testing and acceptance of the Active Directory migration solution.

Figure 11 acts as a high-level checklist, illustrating the critical components that an IT professional responsible for stabilising the Active Directory migration needs to determine.

Figure 11: Sequence for Stabilising an Active Directory Migration

7.1 Migration Test Process

The migration test process is the part of the Active Directory migration solution that needs to verify the migration will be successful. It should also include the process of testing the rollback plan to be implemented if issues are encountered that are deemed too serious to continue with the migration.

Also, the scripts and processes developed for the migration should be thoroughly tested before any large-scale live migrations are performed, to ensure they work as expected.

7.1.1 Pilot

As part of the pilot, all aspects of the migration solution will be carried out on a selected number of users. These users will be expected to carry out their day-to-day activities as normal, but with the additional responsibility of feeding back any issues regarding access to resources that were available prior to the migration.

The typical basic steps involved in a pilot include:

• Identifying the pilot users, their computers and the data to which they require continued access

• Migrating or synchronising these user accounts, including group membership and login scripts

• Migrating computer accounts to Active Directory, including the removal of any Novell Client for Windows in a NetWare environment

• Migrating data and other resources that are part of the migration but that do not interfere with other production environment users. This includes maintaining access to shared data and server-based applications for the pilot users

During the pilot, focus on the following areas:

• Check that all the users and their permissions to files and folders were migrated as expected

• Note the time taken to perform migration for the number of users taking part in the pilot

• Note the network bandwidth used during migration and ensure that other live users are not affected

Once the pilot has been completed, document the findings and rework the migration processes as necessary.

7.2 Reviewing Log Files

Whether migrating from a Windows or Novell environment, log files are crucial components in ensuring a successful migration. ADMT utilises log files stored in the ADMT database while SfN utilises the MSDSS Event Log to provide feedback on the status of tasks being carried out.

7.2.1 Microsoft Migration Logs

ADMT keeps a detailed log of the actions that it performs when migrating resources between Windows NT 4.0 and Active Directory domains. Whilst errors that occur during the migration process are written to the migration log, they may not produce a warning message in ADMT. Examine the migration log after a migration is complete to verify that all tasks were completed successfully.

Important: As it is important to complete the steps of the migration in the order specified in this document, check the migration log after each step, so that any failures discovered can be fixed.

The log files can be viewed from within the ADMT console, or by running ADMT at the command prompt using the task parameter.

7.2.2 Novell Migration Logs

The logs relating to MSDSS can be accessed through the MSDSS Event Viewer. To open the MSDSS Event Viewer, right-click any item in the left pane of the MSDSS window and select View Logs.

Figure 12 shows the events logged during a number of migration tasks:

Figure 12: MSDSS Event Log

APPENDIX A SKILLS AND TRAINING RESOURCES

The tables in this Appendix provide details of the suggested training and skill assessment resources available. This list is not exhaustive; there are many third-party providers of such skills. The resources listed are those provided by Microsoft.

PART I Microsoft Active Directory 2003

For further information on Active Directory, see http://www.microsoft.com/activedirectory

Skill or Technology Area: Active Directory Design, including DNS design
Resource Location: http://technet2.microsoft.com/WindowsServer/en/Library/c283b699-6124-4c3a-87ef-865443d7ea4b1033.mspx
Description: Links to sections on designing Active Directory

Skill or Technology Area: OU design
Resource Location: As above
Description: As above

Table 13: Microsoft Active Directory 2003 Skills and Training Resources

PART II Active Directory Migration

For further information on Active Directory migration, see http://technet.microsoft.com/en-us/interopmigration/bb380225.aspx

Skill or Technology Area: Upgrading from Windows NT Server 4.0 to Windows Server 2003
Resource Location: http://www.microsoft.com/windowsserver2003/upgrading/nt4/default.mspx
Description: Links to various resources on migrating from Windows NT 4.0

Skill or Technology Area: Upgrading from Windows 2000 Server to Windows Server 2003
Resource Location: http://www.microsoft.com/windowsserver2003/upgrading/w2k/default.mspx
Description: Links to various resources on migrating from Windows 2000 Server Active Directory

Skill or Technology Area: Resources for Interoperability and Migration of NetWare and Windows
Resource Location: http://technet.microsoft.com/en-us/interopmigration/bb380216.aspx
Description: Links to various resources on migrating from Novell NetWare NDS or Bindery

Table 14: Active Directory Migration Skills and Training Resources

APPENDIX B ADMT SAMPLE OPTION FILE

The text below represents an example option file including all the available options that can be specified for the migration of users, groups, computers, security and service accounts.

[Migration]
IntraForest=No
SourceDomain="NT4DOMAIN"
SourceDomainController="ADMIG-NT4"
;SourceOu="Source Organisational Unit Name"
TargetDomain="ADANYTRUST"
TargetDomainController="ADMIG-2K3-MS"
TargetOu="LDAP://adhealthorg.contoso.com/OU=Knowledge Based Users,OU=Users,OU=Healthcare Organisation,DC=adhealthorg,DC=contoso,DC=com"
PasswordOption=Complex
PasswordServer="ADMIG-NT4"
;PasswordFile="Password File Name"
ConflictOptions=Ignore
;UserPropertiesToExclude="Property1,Property2,Property3"
;InetOrgPersonPropertiesToExclude="Property1,Property2,Property3"
;GroupPropertiesToExclude="Property1,Property2,Property3"
;ComputerPropertiesToExclude="Property1,Property2,Property3"

[User]
DisableOption=EnableTarget
SourceExpiration=None
MigrateSIDs=Yes
TranslateRoamingProfile=No
UpdateUserRights=No
MigrateGroups=No
UpdatePreviouslyMigratedObjects=No
FixGroupMembership=Yes
MigrateServiceAccounts=No
UpdateGroupRights=No

[Group]
UpdateGroupRights=No
FixGroupMembership=Yes
MigrateSIDs=Yes
MigrateMembers=No
UpdatePreviouslyMigratedObjects=No
DisableOption=EnableTarget
SourceExpiration=None

[Computer]
PreCheckOnly=No
TranslationOption=Replace
TranslateFilesAndFolders=No
TranslateLocalGroups=No
TranslatePrinters=No
TranslateRegistry=No
TranslateShares=No
TranslateUserProfiles=No
TranslateUserRights=No
RestartDelay=5
AutoPreCheckRetry=No
AutoPreCheckRetryInterval=30
AutoPreCheckRetryNumber=48
AutoPostCheckRetry=No
AutoPostCheckRetryInterval=5
AutoPostCheckRetryNumber=2

[Security]
PreCheckOnly=No
TranslationOption=Replace
TranslateFilesAndFolders=No
TranslateLocalGroups=No
TranslatePrinters=No
TranslateRegistry=No
TranslateShares=No
TranslateUserProfiles=No
TranslateUserRights=No
SIDMappingFile="SID Mapping File Path"
AutoPreCheckRetry=No
AutoPreCheckRetryInterval=30
AutoPreCheckRetryNumber=48

[Service]
PreCheckOnly=No
AutoPreCheckRetry=No
AutoPreCheckRetryInterval=30
AutoPreCheckRetryNumber=48
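An added example, not part of the original guide: a Python pre-flight check that parses an option file in the Appendix B layout and lists the settings a security reviewer would want signed off before a migration run. The sample file is constructed, and the review rules (what MigrateSIDs, PasswordOption and the DisableOption/SourceExpiration pair imply) are this example's reading of those options, not statements from the guide.

```python
import configparser

# Constructed sample in the layout of the Appendix B option file (not a real export).
# The SIDMappingFile value deliberately carries typographic quotes.
SAMPLE_OPTION_FILE = """\
[Migration]
IntraForest=No
SourceDomain="NT4DOMAIN"
TargetDomain="ADANYTRUST"
PasswordOption=Complex
;PasswordFile="Password File Name"

[User]
DisableOption=EnableTarget
SourceExpiration=None
MigrateSIDs=Yes

[Group]
MigrateSIDs=Yes

[Security]
TranslationOption=Replace
SIDMappingFile=\u201dSID Mapping File Path\u201d
"""

TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"


def parse_option_file(text):
    """Return {section: {option: raw value}}; lines starting with ';' are comments."""
    parser = configparser.ConfigParser(
        interpolation=None,       # values are literal, '%' has no special meaning
        delimiters=("=",),        # LDAP paths contain ':', so only '=' separates
        comment_prefixes=(";",),
        strict=True,              # a duplicated option raises instead of overriding
    )
    parser.optionxform = str      # keep option names exactly as written
    parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def _norm(value):
    """Lower-case a value with surrounding spaces and straight quotes removed."""
    return (value or "").strip().strip('"').strip().lower()


def review(options):
    """Return (section, option, note) tuples for settings that need sign-off."""
    findings = []
    # Hygiene: quotes altered by a word processor during copy and paste.
    for section, opts in options.items():
        for name, value in opts.items():
            if any(ch in TYPOGRAPHIC_QUOTES for ch in value):
                findings.append((section, name,
                                 "typographic quotes in value; retype with straight quotes"))
    # Assumption of this example: MigrateSIDs=Yes populates sIDHistory on the target.
    for section in ("User", "Group"):
        if _norm(options.get(section, {}).get("MigrateSIDs")) == "yes":
            findings.append((section, "MigrateSIDs",
                             "source SIDs are added to sIDHistory; plan its clean-up"))
    # Assumption: generated passwords are recorded in a password file.
    migration = options.get("Migration", {})
    if _norm(migration.get("PasswordOption")) == "complex":
        target = migration.get("PasswordFile", "not set in this file")
        findings.append(("Migration", "PasswordOption",
                         "generated passwords are written to a password file "
                         f"(PasswordFile: {target}); restrict and remove it after use"))
    # Assumption: enabled targets plus non-expiring sources leave both accounts usable.
    user = options.get("User", {})
    if (_norm(user.get("DisableOption")) == "enabletarget"
            and _norm(user.get("SourceExpiration")) in ("", "none")):
        findings.append(("User", "SourceExpiration",
                         "source accounts never expire while targets are enabled"))
    return findings


if __name__ == "__main__":
    for section, name, note in review(parse_option_file(SAMPLE_OPTION_FILE)):
        print(f"[{section}] {name}: {note}")
```
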

APPENDIX C DOCUMENT INFORMATION

PART I Terms and Abbreviations

Abbreviation Definition

ACL Access Control List
ADMT Active Directory Migration Tool
BDC Backup Domain Controller
CN Common Name
CSNW Client Service for NetWare
DNS Domain Name System
FMU File Migration Utility
FPNW File and Print Services for NetWare
GPO Group Policy object
IP Internet Protocol
IPX Internetwork Packet Exchange
IT Information Technology
LAN Local Area Network
MOF Microsoft Operations Framework
MSDSS Microsoft Directory Synchronisation Services
MSF Microsoft Solutions Framework
NAT Network Address Translation
NDS NetWare Directory Service
NTLM NT LAN Manager
OU Organisational Unit
PDC Primary Domain Controller
PES Password Export Server
RDN Relative Distinguished Name
SAM Security Accounts Manager
SfN Service for NetWare
SID Security Identifier
SP Service Pack
TCP/IP Transport Core Protocol/Internet Protocol
UPN User Principal Name
WAN Wide Area Network
WMSDE Microsoft SQL Server 2000 Desktop Engine

Table 15: Terms and Abbreviations

PART II References

Reference Document

R1. Active Directory Design Guide:
http://www.microsoft.com/industry/healthcare/technology/hpo/security/activedirectory.aspx

R2. Microsoft Download Center: Microsoft Solutions Framework Core Whitepapers:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e481cb0b-ac05-42a6-bab8-fc886956790e&DisplayLang=en

R3. Microsoft TechNet: Microsoft Operations Framework: MOF Executive Overview:
http://www.microsoft.com/technet/itsolutions/cits/mo/mof/mofeo.mspx

R4. Microsoft Download Center: Migrating Windows NT Server 4.0 Domains to Windows Server 2003
http://www.microsoft.com/downloads/details.aspx?familyid=E92CF6A0-76F0-4E25-8DE0-19544062A6E6&displaylang=en

R5. Microsoft TechNet: Windows Server TechCenter: Designing and Deploying Directory and Security Services:
http://technet2.microsoft.com/windowsserver/en/library/d2ff1315-1712-48e4-acdc-8cae1b593eb11033.mspx

R6. Microsoft Download Center
http://www.microsoft.com/downloads/details.aspx?familyid=D99EF770
01E9F7EF7342&displaylang=en

R7. Microsoft Windows Server 2003 R2:
Migrating Novell NetWare to Windows Server 2003
http://www.microsoft.com/windowsserver2003/techinfo/overview/sfnmig.mspx

R8. Microsoft Download Center:
NetWare to Windows Server 2003
http://go.microsoft.com/fwlink/?LinkID=46606

R9. Microsoft TechNet: Solution for Migrating File, Print, and Directory Services from Novell NetWare to Windows Server 2003:
http://technet.microsoft.com/en

R10. Microsoft Windows Server 2003 R2:
http://www.microsoft.com/windowsserver2003/techinfo/overview/sfn503wp.mspx

R11. Microsoft TechNet: Microsoft Windows Server TechCenter:
http://technet2.microsoft.com/windowsserver/en/library/8782f8ab
7bfd130c21c01033.mspx?mfr=true

R12. Microsoft Download Center:
http://download.microsoft.com/download/4/5/2/452d431e

R13. Microsoft Download Center:
http://download.microsoft.com/download/2/e/5/2e57d536
a11f5aae2e22/Microsoft%20Print%20Migrator%203.1.doc

R14. Microsoft TechNet: Microsoft Windows Server TechCenter:
http://technet2.microsoft.com/windowsserver/en/library/eda1cc2b
503439f6d1271033.mspx?mfr=true

R15. Microsoft Download Center:
http://www.microsoft.com/downloads/details.aspx?FamilyID=6f86937b
aff85ad3d212&DisplayLang=en

R16. Microsoft Download Center: Windows 2000 High Encryption Pack (128
http://www.microsoft.com/downloads/details.aspx?FamilyID=C10925A0
9DCAB4DA1C63&displaylang=en

8cae1b593eb11033.mspx

Center: ADMT v3 Migration Guide:

http://www.microsoft.com/downloads/details.aspx?familyid=D99EF770-3BBB-4B9E-A8BC

01E9F7EF7342&displaylang=en

rosoft Windows Server 2003 R2: NetWare to Windows Server 2003 Migration Planning Guide

Migrating Novell NetWare to Windows Server 2003 Microsoft Word document (SFNmig.doc):

http://www.microsoft.com/windowsserver2003/techinfo/overview/sfnmig.mspx

Microsoft Download Center: Solution for Migrating File, Print, and Directory Services from Novell

NetWare to Windows Server 2003: Microsoft Word document:

http://go.microsoft.com/fwlink/?LinkID=46606

Solution for Migrating File, Print, and Directory Services from Novell NetWare to

http://technet.microsoft.com/en-gb/library/bb496964.aspx

Windows Server 2003 R2: Services for NetWare 5.03 White Paper:

http://www.microsoft.com/windowsserver2003/techinfo/overview/sfn503wp.mspx

Microsoft TechNet: Microsoft Windows Server TechCenter: Using Run as:

http://technet2.microsoft.com/windowsserver/en/library/8782f8ab-9538-4111-8a68-

7bfd130c21c01033.mspx?mfr=true

nter: Print Migrator Tool 3.1:

http://download.microsoft.com/download/4/5/2/452d431e-5a5c-43bd-b398-6fc27208e001/printmig.exe

Microsoft Download Center: Microsoft Print Migrator 3.1:

http://download.microsoft.com/download/2/e/5/2e57d536-2bb5-40f1-b52d-

a11f5aae2e22/Microsoft%20Print%20Migrator%203.1.doc

Microsoft TechNet: Microsoft Windows Server TechCenter: Client Service for NetWare:

http://technet2.microsoft.com/windowsserver/en/library/eda1cc2b-c3cc-4845-add0-

503439f6d1271033.mspx?mfr=true

Microsoft Download Center: Active Directory Migration Tool v3.0:

http://www.microsoft.com/downloads/details.aspx?FamilyID=6f86937b-533a-466d-a8e8-

aff85ad3d212&DisplayLang=en

Center: Windows 2000 High Encryption Pack (128-bit):

http://www.microsoft.com/downloads/details.aspx?FamilyID=C10925A0-AC66-4C44-B5C3

9DCAB4DA1C63&displaylang=en

Prepared by Microsoft

Page 67

Version

http://www.microsoft.com/industry/healthcare/technology/hpo/security/activedirectory.aspx

1.0.0.0

Domains to Windows Server 2003:

Deploying Directory and Security

-

NetWare to Windows Server 2003 Migration Planning Guide:

(SFNmig.doc):

Solution for Migrating File, Print, and Directory Services from Novell

Solution for Migrating File, Print, and Directory Services from Novell NetWare to

6fc27208e001/printmig.exe

B5C3-

Page 72: Active Directory Migration Guide

Active DirectoryVersion 1.0.0.0

Reference Document

R17. Microsoft Download Center: Internet Explorer High Encryption Pack 4.0

http://go.microsoft.com/fwlink/?LinkId=76038

R18. Quest Software, Migration Tools for Active

http://www.quest.com/active

R19. Microsoft Download Center:

http://www.microsoft.com/downloads/details.aspx?FamilyID=a819838d

82a6a3af4be8&DisplayLang=en

R20. Novell Downloads: Novel

http://download.novell.com/index.jsp

R21. Quest Software, Migrate Novell Directory Services to Active Directory

http://www.quest.com/nds

R22. Group Policy for Healthcare

http://www.microsoft.com/industry/healthcare/technology/hpo/desktop/grouppolicy.aspx

Table 16: References

Active Directory Migration Guide 1.0.0.0 Baseline

Microsoft Download Center: Internet Explorer High Encryption Pack 4.0:

http://go.microsoft.com/fwlink/?LinkId=76038

Quest Software, Migration Tools for Active Directory:

http://www.quest.com/active-directory/migration.aspx

Microsoft Download Center: Microsoft Services for NetWare 5.03 SP2 and FPNW:

http://www.microsoft.com/downloads/details.aspx?FamilyID=a819838d-acb2-4794-87eb-

82a6a3af4be8&DisplayLang=en

Novell Client for Windows:

http://download.novell.com/index.jsp

Quest Software, Migrate Novell Directory Services to Active Directory:

http://www.quest.com/nds-migrator

Healthcare Desktop Management:

http://www.microsoft.com/industry/healthcare/technology/hpo/desktop/grouppolicy.aspx

Prepared by Microsoft

Page 68

Version

1.0.0.0