DEP313
Active Directory Restructuring with ADMT v2
Lothar Zeitler, Senior Consultant, Microsoft Services Germany

Agenda
- Restructuring scenarios
- ADMT v2
- Restructuring process
- Inter-forest migration
- Intra-forest migration
- Summary
What is Restructuring
- Process that moves users between domains
  - Domains can be in different forests or in the same forest
  - Single users, an organizational unit or an entire domain
- Includes moving additional objects together with the users
  - Groups needed to access resources
  - Workstations
  - Resource servers

Restructuring Scenarios
- Mergers and acquisitions / spin-offs
  - One-off project
- Multi-forest deployments
  - User moves happen on a regular basis
- Collapsing domains to reduce the number of domains
  - E.g., after a network upgrade
Inter-forest vs. Intra-forest
(Diagram: source and target domains for the two cases.)
Restructuring: Alternative Solutions
- Multi-forest deployment
  - Two or more forests with user accounts and resources
  - Resource access through trust relationships
  - GC synchronization through MMS
  - Separate or unified DNS namespace
- Easier with Windows 2003
  - Cross-forest trusts
  - Kerberos between forests
  - UPN routing
  - DNS: conditional forwarding
- Synchronized Exchange forests
  - Exchange resource forest
  - Migrate Exchange mailboxes only

Restructuring vs. Multi-Forest
- Reasons for restructuring
  - M&A: IT of the acquired company is fully integrated
  - Long-term acquisition
  - High level of collaboration required
  - Spin-off from a single-forest deployment
  - Lowering TCO for the AD deployment
- Reasons for a multi-forest deployment
  - Independent IT organizations
  - M&A: results in an independent business unit
  - Acquisition might not be long term
  - Collaboration might be restricted to messaging and calendaring
  - Avoid the higher cost attached to restructuring
- Review Chapter 2 of the Windows 2003 Deployment Kit

Business Goals for Restructuring
- No service impact
- Little end-user impact
- Roll-back plan
- Low TCO for the restructuring operation
ADMT v2 Overview
- Single tool to perform all migration operations
  - User, group and computer moves
  - Security translations
  - Profile translations
- Multiple user interfaces
  - Graphical wizards
  - Scripting interface
  - Command line interface
- Password migration
- New delegation model
- Attribute exclusion list
- SID mapping file for security translations
- And many more

User Migration Background
- A user's Security ID (SID) is tied to the domain
- The SID is used to grant access to resources
- Most resource access happens through group memberships
  - User accounts are grouped in Global Groups
  - Local Groups protect resources
  - Global Groups are added to Local Groups to grant access rights to the resource
  - Local Groups store the SIDs of the Global Groups
- Business goal: preserve user access to resources
  - SID history accomplishes this
  - SIDs need to be migrated for users and groups
How sIDHistory Works
(Diagram; workstation label: HB-RESWC-WS1.) Bob's access token on HB-RES-MEM:
- User: hb-acct\Bob SID
- Groups: HB-ACCT-ROW\Bob, HB-RES-MEM\TechEditors SID
- sIDHistory: HB-ACCT-ROW\Bob
User Moves: Profiles
- Local profiles
- Roaming profiles
- Options for profile management
  - Unmanaged
  - Roaming profiles
  - Migrate local profiles
  - Combine the migration with a hardware refresh

Migration Scenario
(Diagram of the two forests.)
- Starfleet forest: Starfleet.com, SanFrancisco.Starfleet.com, DS9.Starfleet.com
- Delta Quadrant forest: DeltaQ.com, Voyager.DeltaQ.com
- Step 1: Create target domains
- Step 2: Migrate users and resources
- Step 3: Decommission source domains / forest
Demo: User Migration with SID History
SID Filtering
- Risk
  - The trusted domain's DC returns SIDs during authentication
  - The trusting domain's DC accepts all SIDs
    - It cannot check that the SIDs are legitimate
  - The attack needs
    - Service admin rights in the trusted forest, or
    - Physical access to a domain controller in the trusted forest
- Solution: SID filtering
  - The system builds an authoritative list of domain SIDs
  - Authentication
    - Fails if the user's account domain is NOT in the list
    - Removes SIDs that do not belong to a domain in the list
  - Configurable on all trust relationships

When to Use SID Filtering
- Steady-state multi-forest deployment
  - If the reason for the multi-forest deployment is data or service isolation, use SID filtering
  - If the forests are managed by the same administrators, or the DCs are located in the same locations, SID filtering does not provide additional value
- Mergers and acquisitions
  - Usually the admin staff from one forest takes over the other forest
  - No more requirement for security isolation
  - No need for SID filtering
Migration and SID Filtering
(Diagram of a cross-forest trust between Fabrikam, Inc. and Contoso, Ltd.)
- Fabrikam, Inc.: corp.fabrikam.com, mf.corp.fabrikam.com, rd.corp.fabrikam.com
- Contoso, Ltd.: corp.contoso.com, na.corp.contoso.com, ap.contoso.corp.com, jpn.ap.contoso.corp.com
- sIDHistory is filtered on the cross-forest trust
- Solution 1: Disable SID filtering on the cross-forest trust
- Solution 2: External trust
- Solution 3: Perform security translation on the resource
- Solution 4: Migrate resources with users (closed set)
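The interaction described on the sIDHistory and SID Filtering slides, as an added model that is not part of the deck: a migrated user whose old SID is still on a resource ACL keeps access through sIDHistory while filtering is off, loses it when the trusting DC drops SIDs outside its authoritative list, and regains it after a security translation of the resource (Solution 3). Domain SIDs, RIDs and the `AUTHORITATIVE` list are constructed placeholders.

```python
"""Added model (not from the deck) of sIDHistory and SID filtering at a trust.
Domain SIDs and RIDs below are constructed placeholders, not real values."""
from dataclasses import dataclass

# Constructed domain SIDs for the three domains in the deck's Bob example.
DOMAIN_SID = {
    "HB-ACCT-ROW": "S-1-5-21-1111-1111-1111",  # old (source) account domain
    "HB-ACCT": "S-1-5-21-2222-2222-2222",      # new (target) account domain
    "HB-RES-MEM": "S-1-5-21-3333-3333-3333",   # resource domain, trusts HB-ACCT
}

def sid(domain, rid):
    return f"{DOMAIN_SID[domain]}-{rid}"

def domain_part(s):
    return s.rsplit("-", 1)[0]

@dataclass
class Token:
    user: str          # SID of the authenticated account
    groups: list       # group SIDs from the account domain
    sid_history: list  # old SIDs that ADMT kept in sIDHistory

def sid_filter(token, authoritative, enabled):
    """Trusting-DC behaviour from the SID Filtering slide: fail authentication
    if the account domain is not in the authoritative list, and (when filtering
    is enabled) drop every SID whose domain is not in that list."""
    if domain_part(token.user) not in authoritative:
        raise PermissionError("account domain not authoritative for this trust")
    sids = [token.user, *token.groups, *token.sid_history]
    return sids if not enabled else [s for s in sids if domain_part(s) in authoritative]

def has_access(effective_sids, acl_allow):
    """Resource check: any token SID matching an allow entry grants access."""
    return bool(set(effective_sids) & set(acl_allow))

def security_translate(acl_allow, old_to_new):
    """Solution 3: re-ACL the resource so the new SID replaces the old one."""
    return [old_to_new.get(s, s) for s in acl_allow]

# Bob after an inter-forest migration from HB-ACCT-ROW to HB-ACCT (constructed RIDs).
BOB = Token(user=sid("HB-ACCT", 1105), groups=[sid("HB-ACCT", 1201)],
            sid_history=[sid("HB-ACCT-ROW", 1105)])
OLD_TO_NEW = {sid("HB-ACCT-ROW", 1105): sid("HB-ACCT", 1105)}
SHARE_ACL = [sid("HB-ACCT-ROW", 1105)]   # resource still ACLed with Bob's old SID
AUTHORITATIVE = {DOMAIN_SID["HB-ACCT"]}  # HB-RES-MEM's list for its trust to HB-ACCT

def access_with_filtering(enabled, acl=SHARE_ACL):
    """True if Bob reaches the resource under the given filtering setting."""
    return has_access(sid_filter(BOB, AUTHORITATIVE, enabled), acl)
```

`access_with_filtering(False)` is True only because of the sIDHistory entry; with filtering on it is False until `security_translate(SHARE_ACL, OLD_TO_NEW)` is applied to the ACL, which is the order of Solutions 1 and 3 on the slide.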
Demo: Migration with SID Filtering

Process for Large-Scale Migrations
- Large migrations require planning
- Special care for local profile migration
  - Users should not log on with the new account before the local profile is migrated
- The workstation should be in the same domain as the user
  - Smartcard logons, wireless networks
  - Synchronize group policies
  - Application deployment
  - Client-side caching
Restructuring Process Inter Forest
Restructuring Process Inter Forest: Migrating Users without SID Filtering between Forests
Restructuring Process Inter Forest: Migrating Users with SID Filtering between Forests
Intra-Forest Restructuring
- Example: reducing the number of domains in a forest
- Different from inter-forest restructuring
  - The object is moved instead of copied
  - Different APIs are used
    - Inter-forest: a new object is created
    - Intra-forest: LDAP_move() replicates the object
Restructure Comparison: Inter-forest vs. Intra-forest
- Inter-forest migration is like object cloning
  - Non-destructive: the source object still exists = fallback
  - Incremental migration is straightforward
  - Preserves the old SID in sIDHistory
  - Doesn't preserve the GUID (Windows 2000, XP)
  - Multiple security principals with the same SID
- Intra-forest migration is like an object move
  - Destructive: the source object is moved = no fallback
  - Incremental migration is hard (closed sets)
  - Preserves the old SID in sIDHistory
  - Preserves the GUID
  - Unique SID
Restructure Considerations: Intra-forest
- Closed sets
  - Resource access is granted through groups: User -> GG -> LG -> resource
  - Users and Global Groups must be in the same domain
  - Resources and Local Groups must be in the same domain
- Migration tools support this scenario
  - ADMT automatically changes a Global Group to a Universal Group if its members are in different domains
  - The Universal Group is automatically migrated back to a Global Group once all members are in the target domain
  - Permissions on resources can be translated if the resource and the local group cannot be migrated together
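The closed-set rule above, worked through as an added example that is not from the deck or from ADMT: starting from the users you intend to move, expand along User -> GG -> member until the set is closed, report which global groups a partial move would leave split across domains (the ones ADMT would convert to universal groups), and which local groups nest a moved global group. The directory data is constructed and membership is assumed to be flat (no nested global groups).

```python
"""Added example (not from the deck): closed-set computation for an intra-forest
move. Users and group memberships are constructed; membership is flat
(no nested global groups), which is an assumption of this illustration."""
from collections import deque

# Constructed directory data: global group -> member user names.
GLOBAL_GROUPS = {
    "GG-TechEditors": {"bob", "alice"},
    "GG-Reviewers": {"alice", "carol"},
    "GG-Finance": {"dave"},
}
# Constructed resource data: local group -> the global groups nested in it.
LOCAL_GROUPS = {"LG-DocShare-Change": {"GG-TechEditors", "GG-Reviewers"}}

def groups_of(user):
    return {g for g, members in GLOBAL_GROUPS.items() if user in members}

def closed_set(start_users):
    """Grow the user set until every global group of every user, and every
    member of every such group, is inside it (User -> GG rule on the slide)."""
    users, groups = set(), set()
    queue = deque(start_users)
    while queue:
        u = queue.popleft()
        if u in users:
            continue
        users.add(u)
        for g in groups_of(u):
            if g not in groups:
                groups.add(g)
                queue.extend(GLOBAL_GROUPS[g] - users)
    return users, groups

def groups_needing_universal(moved_users):
    """Global groups left with members on both sides of a partial move; these
    are the ones ADMT would temporarily convert to universal groups."""
    moved = set(moved_users)
    return {g for g, m in GLOBAL_GROUPS.items() if m & moved and m - moved}

def local_groups_affected(moved_groups):
    """Local groups on resources that nest a moved global group; if the
    resource cannot move along (LG -> resource rule), its permissions need
    security translation instead."""
    moved = set(moved_groups)
    return {lg for lg, nested in LOCAL_GROUPS.items() if nested & moved}
```

Moving only `bob` splits GG-TechEditors across domains; the closed set grown from `bob` pulls in `alice` and `carol` through the two shared global groups, after which no group needs a universal-group detour.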
Demo: Intra-Forest Migration
Restructuring Process Intra-Forest
Summary
- Evaluate the options in M&A scenarios: restructure or multi-forest
- ADMT v2 supports all restructuring tasks
- Inter-forest restructuring has an easier fall-back
- Processes for large-scale restructurings are documented in the Windows 2003 Deployment Kit
- ADMT v2 is on the Windows 2003 CD and available as a web download: http://www.microsoft.com/downloads/details.aspx?FamilyID=788975b1-5849-4707-9817-8c9773c25c6c&DisplayLang=en

Community Resources
- Community Resources: http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
- Newsgroups: converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
- User Groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.