SLAC Windows Migration


1

SLAC Windows Migration

Bob Cowles

Presented for the SLAC Windows Migration Project

HEPNT, Fermilab

October 24, 2002

2

Overview

Project Objectives

Present NT Environment

AD Environment

Upgrade Path

Related Projects

Migrating Users

3

Project Objectives

Provide a more stable and secure Windows environment for our user community

More efficient administration
– Simplified domain structure
– Delegation of privileges
– Enhanced distribution of software and policy (GPOs)
– Integrated directory services (including Exchange 2000)

4

Project Objectives

Provide new functionality for users
– Better support for portables
– Better networking support (VPN, wireless)
– Better multimedia support
– Better communications (OWA)

Easier to support
– Better support tools (Remote Assistance for Help Desk and local admins)

5

High-level view

One domain with OUs representing mission, administrative and funding boundaries

Desktops to have Windows XP and Office XP

Exchange 2000 for all messaging

Project to be completed Dec 2003

Other related projects
– New storage project
– SMS and GPO’s for software distribution
– Monitoring project

6

Current NT Environment

Description Sept. 2002

Windows NT/2K domain machines on site ~1400

% PC’s purchased as standard Dell HW (80% of current SLAC PC’s are now standard Dell HW) 91%

Windows NT user accounts 3600

Exchange 5.5 user accounts 1500

Windows NT/2K central servers 119

Windows NT/2K central file servers data 2000GB

WinNT workstations supported by central computing 1000 (roughly 70%)

Compliance for system fixes, anti-virus, etc. 90%

Other desktops

Linux RedHat Desktops 450

WinNT Workgroup, Win9x (not supported) ~60

Windows 3.1/DOS (not supported) 0

Macintosh (not supported) <100

7

Current NT Environment

Master domain with 10 resource domains

Laptops are W2K; better support for hardware and remote access

Desktops are NT4; limiting W2K on the desktop due to the need for admin privilege for running many applications.

Fileservers 2 TB data
– 60% user home directory, 40% groups directory
– Rate of growth: doubling every 12 months.

Storage of user data on central servers is encouraged (there is no backup of workstations provided by SCS). Department servers are discouraged.

8

Current NT Domain Environment

[Diagram of domains: SLAC; SSRL, CONTROLS, SLD-NT, Ragamuffin, MFD-HUB, MDCAD, KLYSTRON, ESH, BSDHUB1, BABAR]

9

Current NT Environment

Print services reside on local domains

Central account domain in SLAC

Machine accounts in local domains

Centralized WINS Servers

DNS hosted on UNIX Bind systems

Remote access via PPTP/VPN and ICA/Citrix

10

Current NT Environment

Monitoring via network “ping”

Anti-virus on all machines with InoculateIT. Updates downloaded from central server

E-mail anti-virus scans via Sybari Antigen

Veritas BackupExec used with DLT and LTO libraries to back up

11

Active Directory Environment

[Diagram: SLAC; SSRL, CONTROLS, BSDHUB1]

Single forest and domain with multiple domain controllers (DC). FSMO roles reside in SLAC’s DC’s.

12

Windows Active Directory Environment

Print services reside on central print servers

Exchange 5.5 going to Exchange 2000

Central account domain in SLAC

Machine accounts in department OU’s

Centralized WINS Servers

Delegated DNS zone win.slac.stanford.edu running as “Integrated Zone” on DC’s

Remote access via PPTP/VPN and ICA/Citrix

13

Four Options As Upgrade Path

1) Migration tools and SID history

pros: clean install of server infrastructure by going to ‘Native mode’, reversible.

cons: migration tools were buggy.

2) Double ACL all resources

pros: clean install of server infrastructure by going to ‘Native mode’, reversible.

cons: need to re-ACL all resources, confusing.

14

Four Options As Upgrade Path

3) Re-ACL to new domain and cutover

pros: clean install of server infrastructure by going to ‘Native mode’, short time.

cons: not reversible, re-ACL resource domains, disruptive for users

15

Four Options As Upgrade Path

4) In-place Upgrade

pros: Easier for administrators and users
– No re-ACL
– No new domain
– No migration tools
– No SID History
– Less likely to break
– Less overhead

Upgrade went smoothly, recommended by Microsoft.

16

Related Projects - SMS

Utilize for security updates, hotfixes and service packs

Currently rolled out to half of lab (~700 workstations)

New SMS rollout coincide with W2K/XP rollout

Delegate abilities to OU Admin’s

17

Related Projects - GPO’s

Use GPO’s for main policies
– security policies
– disabling services (Internet Connection Sharing, …)
– authentication standards

Ultimately use GPO’s to co-exist with SMS and boot floppy to roll out registry changes, software, hotfixes and service packs

18

Related Projects

Implement new monitoring solution.

Implement new backup solution.

Upgrade Citrix Metaframe 1.8 on NT TSE to Citrix XPe on Windows 2000 over the coming year

19

Migrating Users

Migration to
– Windows XP
– Office XP
– Exchange 2000

Clean install of 1600 client computers

20

Migrating Users - timeline

Alpha migration, August 2002
– Windows administrators

Beta migration, September 2002
– All central computing users, and power users from each department

Pilot migration, November 2002
– 5% representative sample across all departments

General migration, December 2002-December 2003

21

Challenges

Tight budget limits hardware upgrades
– 4 yr. replacement cycle not always followed
– XP needs 3 GB hard disk & 256 MB of memory
– Older hardware works, but may run slower

Limited resources and budget
– Freeze Windows NT except for security

Interoperability with SLAC UNIX environment
– Samba gateway, AFS
– Mitigated somewhat by WTS, WinSCP

Varied missions, administration and funding